Skip to main content Start of content

INDU Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication
Skip to Document Navigation Skip to Document Content






Standing Committee on Industry, Science and Technology


NUMBER 054 
l
1st SESSION 
l
42nd PARLIAMENT 

EVIDENCE

Tuesday, April 4, 2017

[Recorded by Electronic Apparatus]

  (0845)  

[English]

     Welcome everybody to meeting number 54 of the Standing Committee on Industry, Science and Technology. We are continuing our study of Bill C-36, an act to amend the Statistics Act.
    Today, from 8:45 to 9:45, we have with us, from Shared Services Canada, Ron Parker, president; Graham Barr, acting senior assistant deputy minister of strategy; and Raj Thuppal, assistant deputy minister of cyber and IT security. I like that title.
    We're going to get right into it as we have limited time.
    Mr. Parker, you have 10 minutes.
    Thank you.

[Translation]

    Good morning.
    Thank you for this opportunity to discuss our role and the strong relationship we have established with our customers, such as Statistics Canada.
    As the chair mentioned, I am accompanied today by Raj Thuppal and Graham Barr.

[English]

    I would just like to start with a few words about the mandate of Shared Services Canada.
    We deliver the IT infrastructure backbone for the programs and services that Canadians get daily from the government. Whether at the border, or for their pensions or benefits, we meet a very broad spectrum of infrastructure requirements.
    The department is mandated to provide a range of services essential to government operations. This includes the delivery of email, data centres, network and workplace technology devices, as well as cyber and IT security.
    Protecting and securing the integrity of the government of Canada's systems, networks, and information from cyber-threats is a top priority for us. We carry out this work with lead security agencies such as the Communications Security Establishment. We also benefit from strategic partnerships such as the international Five Eyes security and intelligence network, which includes the U.S., the U.K., Australia, and New Zealand.

[Translation]

    More than ever, cybersecurity requires a collaborative approach. We are therefore committed to working together to share solutions on how best to protect our information and citizens. I would add that, with the creation of Shared Services Canada, or SSC, the government is better positioned to take swift, preventative, and corrective actions.

[English]

    A great example occurred recently when we successfully managed a vulnerability that affected computer servers worldwide, including those of government departments such as Statistics Canada.
    The vulnerability was identified in March. It affected specific servers running on a software called Apache Struts 2. SSC worked collaboratively with Statistics Canada to identify and rectify the situation. Though some services were not available during certain periods, no data was lost or altered in any way. We were able to react quickly, in large part because the government's IT infrastructure is managed as an enterprise rather than in silos, which was the practice in the past. This approach gives us an overall view of government networks and the ability to respond quickly to common threats facing departments and agencies within our security perimeter.
    As a service organization we understand that our customers, such as Statistics Canada, hold us accountable for the services we provide. This is why our number one duty is to understand and meet their business and security requirements.

[Translation]

    We are proud of the work we have achieved over the past several months to respond to the expectations of all our customers, who acknowledge the benefits of the enterprise model.
    I would emphasize that our IT infrastructure does not impact or compromise, in any way, the independence of Statistics Canada or any other partner organization.

[English]

    With respect to Statistics Canada, we have a strong partnership and have achieved a great deal together. This includes, for example, the fact that Canadians were able to participate in record numbers in the 2016 census using Shared Services IT infrastructure.
    The IT services provided by SSC for the census consisted of data-centre, network, security, and communications systems. I would add that there were no IT infrastructure issues for the duration of the census.
    To reinforce our working relationship with the agency, the chief statistician and I have made a joint commitment to continue to modernize the information technology services the agency relies upon to deliver programs to Canadians. I meet with him on a regular basis to ensure that business requirements are well-identified, captured, and processed in a timely fashion.
    These efforts are part of a strong governance structure between our two organizations. The chief statistician and I share a committee overseeing all of Statistics Canada's information technology projects.

  (0850)  

[Translation]

    In the coming months, SSC will continue to work closely with Statistics Canada to respond to the agency's immediate and longer-term requirements. Planning for the 2021 census has already begun.
    In the short term, we will continue addressing the agency's expanding program requirements by augmenting computing and storage capacity, among other initiatives.

[English]

     We have already significantly increased the available memory in the legacy data centre as well as its computing capacity. This is to meet the agency's growing business needs.
    Medium- and longer-term needs are being addressed through a second phase that includes closing a legacy data centre and moving the workload to a state-of-the-art enterprise data centre.
    To date, SSC has opened three modern, highly efficient enterprise data centres to eliminate duplication, increase security, and better manage costs. SSC is also committed to meeting the strict security requirements established by Statistics Canada. For example, employees working at the data centre serving Statistics Canada are secret cleared and take an oath to meet the requirements of the Statistics Act.
     In addition, this data is stored using infrastructure that is dedicated to Statistics Canada, and the encrypted data for the census, which resides in the enterprise data centre, is controlled through the use of electronic keys. Currently, no Shared Services Canada employees have access to that data.
    Shared Services Canada also works with lead security agencies such as the Communications Security Establishment and the RCMP to ensure the overall security posture of its data centres from both physical and IT security perspectives and to ensure that this meets or exceeds Government of Canada requirements. This collaboration is instrumental in providing secure services to Canadians.

[Translation]

    Let me be clear—Statistics Canada continues to have full control over its data, as it always has.
    Let me close by emphasizing that maintaining the confidentiality and security requirements of our customers has always been, and will continue to be, of paramount importance to Shared Services Canada.
    Thank you. My colleagues and I are pleased to answer your questions.

[English]

    Thank you very much, Mr. Parker.
    We're going to jump right into questions.
    Mr. Arya, you have seven minutes.
    Thank you, Mr. Chair.
    Mr. Parker, it's nice to see you again. The last time we met was at the public accounts committee to discuss the Auditor General's report.
    Very briefly, can you tell me how the relationship with your clients is now, compared to what it was the last time we met?
    I benchmark our relationship in terms of how we are perceived in providing service to the clients. I'm happy to report that the customer satisfaction survey, which we conduct on an annual basis in December, and the monthly pulse surveys reflect an improvement in customer service. From the very first time we did it, we received 2.79 from our customers, and then in December we achieved 3.06, and that trend continued in the pulse surveys of January and February. From that perspective, our customers recognize improvement in services.
    I also look to the participation of the deputy community in the various governance fora that we have for Shared Services Canada. There my sense is that the deputy community is very supportive, understands the importance of our mandate, and is helping us.

  (0855)  

     Thank you.
    The former chief statistician, Mr. Smith, resigned because he had concerns in regard to Shared Services Canada. I'm sure you had interactions and meetings with him.
    How often were those? What were his concerns? Have you addressed them?
    There were a number of concerns that he flagged, involving the provision of services going forward beyond the census. We discussed those, and by April he had indicated that there were no outstanding operational concerns. He was still concerned about the forward plan, and that's what I've talking about in terms of the work that's been done since September 19. We have put into place a very strong forward plan as well as a lot of new capacity for Statistics Canada.
    As the chief statistician indicated when he was here, we are meeting their business needs and are working extremely collaboratively in an integrated fashion to make sure those needs are met going forward.
     Cybersecurity is a real threat today for me. Being part of a bigger organization is better when it comes to cybersecurity. Can you address what Shared Services is doing to protect the integrity of Statistics Canada's data?
    First of all, Statistics Canada sets its security requirements. There is a series of controls and measures that it expects to have in place. Those are in place.
    More broadly, the benefit of bringing into existence Shared Services Canada is that we've been able to bring together in one place the expertise and the capability to monitor, to take preventive action, and to remediate any types of threats that occur. That's one benefit and one aid to Statistics Canada.
    In addition, we have established a security operations centre that has 24-7 operations and that constantly monitors the threats and traffic coming into our overall system, so there are substantial benefits.
    If you want, I can ask Raj to address that.
    Not right now, sir. I have some other questions for you.
    Sure.
    Mr. Arora mentioned the service level agreement between Stats Canada and you. What are the parameters? What is covered? Can you highlight that, please?
    Sure. We're actually in the midst of renewing the business arrangements, and in that set of documents are the understandings, the service level expectations across all of the services that we offer, as well as potentially annexes for the different customers, which deal with their special requirements. Those are the types of services that include all the data centre services, email, and their networking, as well as the communications side of the equation.
    Let me ask this very clearly: are there still any challenges between Statistics Canada and Shared Services? Are there any concerns that are still outstanding?
    I do not believe so. I think the relationship we've established is extremely solid and we have established an integrated team. The integrated team we had for the census at the working level was extremely productive.
    We have a situation in which the leadership has signalled clearly the desire to make this relationship work. I think that's the single biggest thing in moving forward that will help with the success of the initiative.
    Stepping back from Statistics Canada and Shared Services for the last minute that I have, when should expect everything to be good at Shared Services Canada?

  (0900)  

    As I mentioned, the customer satisfaction survey is on an improving trend. There is a lot of work to do. It is a big job. I wouldn't want to predict when everything will be good.
    The important thing for me is that we will have a forward plan that establishes that the Government of Canada infrastructure is in a state to continue to provide the vital services that Canadians are looking for.
    I'm sure we'll be meeting you again at the public accounts committee on the Auditor General's recommendations.
    Thank you very much.
    Mr. Dreeshen, you have seven minutes.
    Thank you very much, Mr. Chair.
    Welcome to our guests this morning.
    I had the pleasure of being at the OECD's Blue Sky Forum on Science and Innovation Indicators. Of course, in that particular forum there was a lot of discussion not only on statistics and how business manages, but also on how governments manage, information. I think one of the critical things, when you see all of the data points that are important to business and to government, is just how significant this is.
    Of course, one of the things they spoke about was security issues. You hear so many different stories about how many times the Government of Canada has been hacked, and, of course, that's the concern that people have. I mean, if we have one particular organization that says, “don't worry, we've got this aced”, but you keep hearing this from all of these other actors, how confident are you that because it is in-house and you have very limited access among different departments that the security is what it should be in order to maintain confidence for Canadians?
     The cyber-threat world is ever-changing, growing, expanding, and becoming more sophisticated. Would I ever say that we have it aced? No. The nature of the threat is so dynamic that you need to constantly evolve your own operation to stay on top of it.
    I'm going to ask Mr. Thuppal to take on the substance of the question.
    Thank you, Mr. Chair.
    At Shared Services Canada we take a holistic approach to applying security practices to support our partners. The functions vary, and include prevention, prevention techniques, detection techniques, and then response and recovery.
     We do put a lot of effort into ensuring that we do have preventative capabilities, from both technology and a combination of processes and governments, but there is a lot of emphasis on detection as well. When we do get breached, we detect it very rapidly and then can respond and recover very quickly, as evidenced by Ron's comments on the recent worldwide threat, to which we responded very effectively, prevented any data loss, and then came out very quickly to restore the services for our partners.
    We work in very strong collaboration with our security partners, especially the Communications Security Establishment. There are capabilities they bring that support us in ensuring that we provide security capabilities for our customers.
    Thank you.
     Again, I assume that you have thousands of people working for you, and you're dealing with background checks or security from the individual side as well, to make sure there's no concern about something inside that is causing problems. What process do you use with personnel as far as those backgrounds checks are concerned?
    We use the Government of Canada security policies and procedures to bring in people. Most of our administrators are cleared to a secret level, using the clearance process that we have within government. For departments such as the RCMP, FINTRAC, and other special departments, there is additional security done, personal security checks, before they get access to those environments. That's from the people clearances side.
    We do have some technical controls in our infrastructure to ensure that people who have access to a particular thing are doing only that and are not trying to do something they're not supposed to do. We are continuously investing in that kind of automation, using the funding that we received in the last budget, to improve the administrative access controls so that we can detect any of these internal breaches and can take action immediately.

  (0905)  

    Mr. Parker, you also mentioned that you were closing a legacy data centre and taking that to a new data centre. In Vegreville, we had a legacy immigration centre that got moved to a new data centre in Edmonton. I'm wondering if you could talk about where this is at, the displacement of individuals—if that is the case—and what the scenario was.
    The closure of that legacy data centre has not yet occurred. We're beginning to plan to close it. It's a multi-year exercise to move something of that magnitude. This particular one is located in Ottawa. In terms of displacement of people, there are not a lot of people who work in data centres these days. Most of the data centre control is remote and is done through networking, as opposed to the physical on site location of employees.
    For the new data centres, for example, they call them “dark” centres. A number of people are there, but typically they're not present all the time and are otherwise deployed on other activities.
    For the people who are working remotely, then, you're simply saying that they're all working off-site, and from some other area. Are they all working in Canada?
    All of our employees reside within Canada, so yes.
    There's one other thing when we talk about computers and information issues and so on. These issues have nothing to do with you; however, if I don't ask this question.... It's about the Phoenix pay system that we have. I still have people who are tearing their hair out because of the issues associated with that.
    I don't know whether there is a distinction to be made here, or whether you're engaged in any way, shape or form in this, but people put it all together and say, “All right, here's a bunch of computers, and there's a bunch of people, and all you have to do is spit out the right cheque at the end of the day, so why isn't that happening?”
     Do you have any comment to make so that a person could go back and say, “We know this is an issue”, or “This is how this can be solved”?
     You have about 15 seconds.
    As a deputy, I very much have those same concerns broadly for my employees. Shared Services' specific responsibility around Phoenix resides with the infrastructure upon which the Phoenix software is running. That infrastructure has been solid. There haven't been substantial issues with it. The work continues on improving the application.
    Okay. Thank you very much.
    Thank you very much.
    Mr. Masse, you have seven minutes, please.
    Thank you, Mr. Chair.
    Thank you to our witnesses for being here today.
    With regard to Shared Services, it's been a rather disruptive start, from 2011 until even today. If you look at some of the history, the genesis of Shared Services was rather turbulent, to say the least. In fact, when the announcement was made, only temporary offices were provided to staff at that time.
    In terms of where we are today, how confident are you that the chief statistician will be able to work with Shared Services with a sense of independence—ensuring that informetrics, for example, will not be interfered with? That seems to be one of the largest things to take care of with regard to the relationship you have.
    Mr. Chair, I'm extremely confident that the chief statistician will be able to carry out all of his responsibilities as per the Statistics Act and the new legislation. Shared Services Canada in no way impinges on those duties in terms of the operations and scope of what Statistics Canada undertakes to obtain and publish the data that Canadians depend upon.
    I guess the legislation, the way I understand it, still gives Shared Services a veto over that. Is that true, to your knowledge?
    Mr. Chair, could the question be clarified? A veto over...?
    Over requests or informetrics that might be used.

  (0910)  

    Statistics Canada is responsible for the identification of its business needs. We have identified many requirements, and we have put in place, through our governance processes, the work that's needed to meet those business requirements.
    Okay. That's one of the biggest things. One of the suggestions has been to potentially look at other standards for Shared Services in terms of review. With regard to international standards, where do you at Shared Services rank with other developing nations in terms of information, protection of privacy, and so forth?
    Mr. Chair, in terms of a ranking, I'm not aware of an international comparison around this type of service. I do know that what we're undertaking is one of the largest transformations across governments in this field. It's an ambitious undertaking, and we are looking for that expertise from a wide number of folks. The independent review that's been done brings evidence to bear with respect to how we compare with industry standards. That's what we'll be benchmarking to on an ongoing basis.
    That's fair. What people often forget is that the Department of Homeland Security, for example, which is the largest bureaucratic organization in the world, just came about in recent times. Your evolution from almost more than 100 different elements into one single thing is quite difficult, to say the least, but the process has been fraught. I think there was some politics as well.
    One of the things I am asked, though, is the following. As you go through this process, will there bonuses still be provided to executives and managers during this time? This issue was raised before, and I'm just wondering whether in this current fiscal year bonuses will be provided to executives for Shared Services activities.
    Mr. Chair, we follow the performance pay regime of the Government of Canada. Part of that regime is to have a base salary, a performance-related set of criteria, and, for exceptional performance, bonuses. We're part of the overall Government of Canada system, and we continue to adhere to that.
     So the answer to that is yes.
    Mr. Chair, we follow the Treasury Board guidelines with respect to the application of pay standards.
    Okay, maybe we can have the researchers bring back to us the Treasury Board structure for performance bonuses for departments. That would be something I would be interested in having, in particular for Shared Services but also for other comparable government agencies.
    How much time do I have, Mr. Chair?
    You have a minute and a half.
    Thank you.
    To go further on potential privacy and other issues, what are some of the improvements you have made in response to past criticisms? For example, in the past the RCMP and other organizations have levelled criticisms in that regard. What improvements have been made since those criticisms were levelled—most recently in February of this year?
    Mr. Chairman, I would ask Raj Thuppal to take on that question and to focus on the enterprise data centre capabilities and the part that's set aside for Statistics Canada.
    Thank you, Ron.
    With regard to the privacy concerns for the data, we do work very closely with the customer organizations to identify the data security needs, and we employ security measures commensurate with the classification of data or the privacy impact assessments of the data. For example, for the census project that we did with Statistics Canada, we did employ additional security measures to ensure that none of the SSC employees, even though they might have access to the infrastructure, could actually see the data that is in the infrastructure. We used some special techniques and some processes when we worked with Statistics Canada.
    We do take measures, when we are working with the departments, to ensure that privacy is well protected and that people who don't need access to the data won't see the data.

  (0915)  

    With that, do you do any outsourcing whatsoever?
    Thank you. Sorry, the time's up.
    That's okay. Thanks, Chair.
    We're going to move to Mr. Longfield.
    Mr. Longfield, you have seven minutes.
    Thanks, Mr. Chair. I'll be sharing my time with Mr. Sheehan.
    Thanks to all the witnesses for coming here. I am really interested in seeing how we're looking for efficiencies by sharing IT infrastructure, but I'm also interested in the service agreements that you have in place. During the chief statistician's appearance on March 23, we talked about the formal agreement between your organizations. Could you comment on what it covers, how the priorities are decided, and what your agreed upon service levels are?
    You mentioned customer service, but are there other measure you have put in place to track success?
    Graham, do you want to take that on?
    I will just reiterate from the start that Statistics Canada is completely in control of its census and survey programs as well as its statistical methods. Our role at Shared Services Canada is to provide the IT platform to ensure the delivery of Statistics Canada's important programs, and to do that in a secure way.
    We have 24 different services in our service catalogue at Shared Services Canada, and we have established service level expectations for each one of those services so that our customer departments know what level of service to expect from us. We've been working, as the president said, since about October with the chief statistician on a plan to reduce the risk in the IT infrastructure that is supporting Statistics Canada. It's a two-phase plan. The first phase was to address immediate areas of concern, and we're wrapping up that phase, and, as the chief statistician noted at this committee back a couple of weeks ago, he is satisfied that the level of risk has been substantially reduced.
    The longer-term plan, as my colleagues alluded to, is to transfer Statistics Canada data holdings out of their old data centre and into the new one, but at every stage of this project, Statistics Canada retains ultimate control over the classification of its data and where that data is stored.
    So they are really driving the priorities and communicating those to you, and you're saying whether those are possible.
    Absolutely. That's the basis of our governance, not just with Statistics Canada but with all our customer departments. We respond to their business requirements, which are determined solely by them.
    Is that a change from the past?
    No, it's not.
     Okay. Terrific. Thank you.
    Mr. Sheehan.
    Thank you very much.
    Thank you for the presentation. It was very informative.
    About 20 years ago my business did business with the first commerce-enabled website in northern Ontario, and the data was housed in Winnipeg. I remember at that particular time, just 20 years ago, that it was a challenge getting people to make transactions on the Internet. We used the approach, “When you use your credit card on the Internet, it's much safer than going to a restaurant where you're giving your credit card to an individual, who gives it to someone else, who gives it to someone else. You've been exposed so many times.”
    Fast-forward to today, and I'll use my father as an example. He makes all transactions on the Internet. People trust it. There are so many transactions going on, from his banking, to purchases, to planning his trips. The reason I say that is some of the models that have been put in place are quite amazing.
    Instead of doing individualistic modelling, in which people are working in silos within governments, why is this better? The chief statistician mentioned in one of the presentations a model similar to what's happening now. Shared Services is responsible for cybersecurity, and in particular the prevention—because prevention is really important in this—of cyber-attacks. Could you comment on prevention and how you would deal with anything that slipped through the cracks?
    In terms of the model overall, given the scarcity of really skilled resources in the cyber and IT security fields, it's important that we have a critical mass of people with this expertise in the government of Canada. That would be my starting point. Also, that's at the heart of being able to provide the protection and prevention services.
    I'm going to ask Mr. Thuppal to elaborate again on the prevention side.

  (0920)  

    On the prevention side we have many controls that form the overall preventative system. For example, we have security technology in place to block certain types of attacks and certain types of emails from going through. We also conduct a number of assessments on the infrastructure to ensure that it is hardened, that it has all of the preventative mechanisms in place, and closes vulnerabilities. Also, we do supply-chain integrity checks. We have processes in place for that. There are quite an elaborate number of preventative tasks that we do, including identity management and ensuring access controls.
    When things do slip, we have very good detection capabilities. As Ron mentioned, we have the security operations centre monitoring 24-7. As soon as we detect a breach, we act swiftly, respond to it, and then recover from the breaches. We have a holistic approach to security, working very closely with our security partners, and also the customers.
    I would just like to add that one really key benefit from pulling everyone together on one common network has been the perspective that you can have across the whole system, the great visibility that you have of what's coming in from the Internet and what's going out to the Internet. That is also supported by the Communications Security Establishment, with the application of tools that previously could not have been in place to help provide security to the government of Canada's network.
    I have a very quick question. Throughout this process, is Shared Services able to see any of Statistics Canada's data?
    In the legacy data centre, Shared Services Canada staff have taken an oath of secrecy and are secret cleared. In the way that this network has been established, they can see the data. As Mr. Thuppal said, in terms of the census, however, Shared Services Canada employees cannot see that data. One of the questions or design issues as we go ahead with Statistics Canada in looking at the new data centre and its security requirements is to what extent you would want to apply that same standard for statistically sensitive information.
     Thank you.
    We're moving to Mr. Lobb.
    You have five minutes.
    Thanks very much.
    Mr. Parker, you said that the rating from your customer feedback went from 2.79 to 3.06. What range or scale is that on? Is that out of 10?
    Mr. Chair, it's on a scale of five, and across 43 different partners, moving the results on that index is not an easy thing to do.
    Right. Of all the 43 that you provide services to, what department has the biggest spike in traffic bandwidth? Would it be Stats Canada?
    Mr. Chair, on a point of clarification, do you mean a spike in traffic or an improvement in the rating, or...?
    Sorry, I'm on a different topic now.
    Okay.
    Of the 43 that you provide services to, which department sees the biggest spikes in traffic? Is it Stats Canada?
    Mr. Chair, I don't have particular data on the traffic flows to each of the departments at this point. We have some extremely large clients, ranging from Employment—
    That's fair. I would think that we might know the top three that are of high risk, and I would think that Stats Canada could possibly be one of them, specifically in terms of labour reports and censuses, etc.
    When you see those spikes in traffic, whether at the CRA or Stats Canada, are you able to provide the additional bandwidth required by those agencies? Are you able to add capacity?
    Mr. Chair, we work with the customer departments very closely as they determine their business requirements. Their forecasts of bandwidth requirements are instrumental in determining the amount of bandwidth we provide them. That's the core basis for going forward. We also have an ongoing dialogue with customers. If they anticipate that because of an event, there will be additional bandwidth or compute requirements, we will action that as well.

  (0925)  

    Say, in the last year, how many times have you maxed out and had to either have a complete shutdown of a site or it has slowed to the point where someone couldn't even move to the next screen? How many times would that have happened in the last year?
    Mr. Chair, I'd have to get back to you in terms of the bandwidth maximization across this system. At the moment I can recall one incident that was at play. But this is quite a difficult area, because it's a combination of bandwidth, compute capacity, the memory storage capability of the infrastructure, and the application as well, and how all those things work together. You can get stalls in the functioning of an application for many reasons.
    If you can forward that information to the clerk as soon as possible, that would be great. Thank you.
    Another question I had for you would be about competition with the private sector, because you will be competing to retain those 6,000 employees and to hire new people all the time. Are there currently issues with trying to retain your employees or hire new employees?
    Mr. Chair, one of the most important challenges we have is the attraction and retention of talent. The rate of turnover at Shared Services Canada has been commensurate with the rate of turnover in the Public Service as a whole. But we know that for the skill sets we're looking for, there's a lot of demand. We have had good success attracting employees to Shared Services. We're running a lot of competitions and processes now in terms of looking to hire folks. We have more than 2,000 applications that we're processing.
     Before my time runs out, I have a question on your customers, which are federal department agencies, that have red classifications. I think it was reported that you had nine at the end of February. I would think that's probably around the number you usually have. What are those issues, and are they recurring month after month after month? Is this leading to frustration? Can you tell us a little more about that situation?
     Be very quick.
    Mr. Chair, in regard to the project base that we have, as the member mentioned, it is roughly nine projects. We have a portfolio of about 110 projects, so it runs at about 6%, 7% of the total portfolio of projects. We review those issues regularly. They tend to be project specific.
    Thank you.
    Mr. Sheehan, you've got five minutes.
    Thank you very much.
    I'm going to share a little of my time with Majid as well because I had some opportunity.
    Picking up on cybersecurity in particular, we're delving into it, but it's a concern for many people in today's world. As I mentioned earlier, the transactions are happening at an enormous rate. The preventive stuff you have in place is really important. I worked with the Ministry of Training, Colleges and Universities for the province, so I know some of the checks their shared services go through.
    Very quickly, is employees' access to things like Facebook, social media, outside websites, including Hotmail, or whatever, still a potential risk, because sometimes that's where a lot of the cyber stuff comes through? They go to their Hotmail and are targeted by some sort of phishing scheme and they hit the button and their screen goes blue. What steps and policies are in place to prevent that kind of stuff?

  (0930)  

    We work very closely with the departments. Some departments, especially people in the communications area, need to access social media, so we work with individual customers to ensure that they are aware of the security risks and what needs to be done to ensure they are not clicking on these malicious emails. Also, departments run some tests on phishing and how to train people to ensure that they're not going through websites and clicking on links that could be malicious—and the same with the emails.
    There are TBS guidelines and policies related to employees accessing the Internet and private emails and sites, so we do work very closely with TBS as well in ensuring that the controls we put in at the perimeter can catch any of the malicious activities. It's a balance between enabling the business and securing it to the extent possible.
    Thank you very much.
    I'll split my time now.
    Thank you, Mr. Chair.
    Thank you all for coming here today.
    Let's go back to what we're really here for. We're here to assess Bill C-36, which focuses on the independence of StatsCan. When I look at this in general, I see three key stakeholders, which I call the three legs of the stool. I see a ministry or department, I see Shared Services, and I see StatsCan. If we look at a day in the life of any of these three departments, certain business requirements identified by a ministry are passed on to StatsCan, and it needs to assess them to be able to satisfy that. Within that process, can you explain to me Shared Services' role and what controls are in place to ensure that the independence of StatsCan is met?
    Mr. Chair, the question is good. The departments that Statistics Canada serves, or other entities that it serves, are the heart of what drives Statistics Canada's business. They take those inputs in demands for statistics and data, and at what they call their “field level” they consolidate them and prioritize them from a business priority perspective. They then work with their internal IT people who are responsible for the applications and interfacing with us to prioritize that across a set of business requirements that are translated into what Shared Services is required to deliver.
    That's what we've been very actively working on with the chief statistician and his entire IT leadership team. We sit down about every two weeks and run through those prioritized business requirements, the clarity of those business requirements, and bring together that demand side and mesh it with the services we're providing and the growth in those services that Statistics Canada requires.
     I'm running out of time, but if I get a chance, I want to come back and ask some very specific questions.
    Thank you.
    Mr. Lobb, back to you, for five minutes.
    Thank you.
    On Stats Canada specifically, are there any current projects with Statistics Canada in the red zone?
    There are no projects at the moment with Statistics Canada that are in the red zone.
    Are there any in the step prior to entering the red zone? I don't know how you classify it—yellow or cautionary or whatever—but are there any in that zone right now?
    The next gate we're looking at in terms of the first phase of the project that Mr. Barr has referred to is yellow tending green. We're working with Statistics Canada on prioritization within that suite of projects.
    If I remember correctly, there are over 500 business requirements that we're looking to have delivered over that period of time. The integrated plan is being put together to enable the delivery of not only that phase, but also a number of ongoing projects that require resources as well.

  (0935)  

    On what date did you sign the new service agreement with the new chief statistician?
    The very first one?
    No, the one where the new chief renegotiated—
    With the new chief, it was October 12.
    In that time, have there been any violations or failures of the service agreement?
    Statistics Canada has indicated that we've met the requirements under that service agreement.
    Have there been any hacks—and forgive me, I was a bit late—of Stats Canada data or information?
    Mr. Chair, I'm going to ask Mr. Thuppal to talk about the recent experience that I referred to in my opening remarks with Apache Struts 2.
    There was one recent event related to the Apache Struts 2, which is a web application developmental framework. StatsCan services were impacted by that particular vulnerability. There has been no data alteration or data breach. We were able to detect it very fast, and then took the services offline until the system was patched and brought it online again.
    I guess your competition going forward is going to be cloud computing, correct? I have read that there are already six federal organizations that have transferred some or all of their data to cloud computing.
    Do you work with them on their transitioning data out of your data centre to the cloud computing systems?
    Mr. Chair, cloud computing will be a very important part of our strategy going forward. Cloud computing will provide elasticity that we require in order to meet changeable demands from departments.
    We are in the process of running an RFP that will identify a number of vendors for cloud-based services for unclassified data. We are looking to establish Shared Services Canada as the broker for those services. We will put in place the supply contractual arrangements for departments. Departments will identify their needs and then look to one of those venders that are on the supply arrangements to provide the service.
    So from the date that a department determines that it wants to transition its data and computing to a cloud, how many years do you estimate it will take from the date they make that decision to their going live with whoever they select as the vendor?
    Mr. Chair, I believe the issue here is that there can be a very short time between the identification of the requirement by a customer and going to the cloud. Some of the applications that are being used are not complex.
    As the member noted, some departments are already using the cloud. A lot depends on the nature of the current application and whether the department wants to start a new application or ultimately transfer. There is going to be a huge variance in how long that is given the complexity of the data and the application.
     What percentage—
    Thank you.
    We have to move on.
    It's back to you, Mr. Jowhari. You have five minutes.
    Thank you, Mr. Chair.
    Are you sharing it?
    Yes.
    I'm want to go into further detail on the question I put to you already. You basically said that business requirements are identified and that StatsCan has the independence to assess those requirements. Based on the methodology, they have control over the prioritization of those requirements.
    Let's take as an example the effort to develop a labour market report. Do they have control over the design of that report?

  (0940)  

    Statistics Canada, Mr. Chair, has complete independence over the design of any methodology, its internal operations—
    Perfect. A yes would be good.
    Do they have control over who gets access to run that report?
    Mr. Chair, we meet the security requirements and the access requirements that Statistics Canada—
    So you grant them, and they decide who is going to run this report.
    Do they have control over the data that's in the multi-relational or multi-dimensional database that you have?
    Mr. Chair, Statistics Canada has complete control over the data.
    Okay, so they have control over the data, the development of the report, the way they want to see the report, and who gets access to it. They have IT resources at Stats Canada that work with you. Shared Services basically provides the infrastructure that's needed to ensure that Stats Canada can maintain its independence.
    Is that a fair statement?
    That's a very fair statement, Mr. Chair.
    Okay.
    Going back, I want to compare August, 2016 to now. Under the two different leaderships, has there been any change in terms of the statement that was just made regarding the independence of Statistics Canada?
    There has been no change in the conditions around which we operate with Statistics Canada.
    Okay, it's fair to say that your relationship with Stats Canada under the two leaderships has not changed. Is it fair to say that the independence has been maintained?
    Mr. Chair, I would say the criteria around the services we provide to Statistics Canada have not changed since September 19.
    Okay. I have two minutes.
    Going back again to the concerns around security and external access by anybody aside from Statistics Canada, what steps are in place to ensure that the data that's in the infrastructure—the databases—as well as the reports that are in the process of being developed, the data and the analysis, are protected internally from other departments or externally from any type of cyber-attack?
    How do you partner with Statistics Canada to ensure that?
    Mr. Chair, I'm going to ask Mr. Thuppal to address that question.
    Thank you, Ron.
    In terms of external access, the StatsCan network is well protected behind firewalls. People from outside who are trying to access StatsCan have to breach the firewall. We do have protective mechanisms and detective mechanisms. Also, there is a layer of defence that we have employed for StatsCan wherein the servers that hold the particular information are not exposed to these firewalls, so there are multiple layers of defence before somebody can access the servers. That takes care of the external entities.
    From the internal entity side, as our president has mentioned, we have people who are cleared to the secret level. We have taken an oath as per the Stats Canada act, and we have additional technical controls through the systems in place for identity management to ensure access controls for individuals who need access. Then if they do breach the protocols, there are some detection mechanisms in place so that we can take action.
    In terms of the other departments, again, StatsCan has firewalls and layers of defence in place so that other departmental networks can't easily access the StatsCan environment.
     That [Inaudible] the security, as well.
    Thank you.
    Thank you very much.
    Mr. Masse, you have the final two minutes.

  (0945)  

    Thank you, Mr. Chair.
    With regard to decision-making on prioritization, this is one of the things I'd like to figure out in different departments. Currently how does Shared Services allocate its resources in making decisions in response to multiple significant requests coming in? How do you decide which ones to prioritize? Are you meeting all information requests right now and uses of service, or is there a matrix that you use to determine what is a priority and what is not?
    Mr. Chair, this area is evolving. Under the leadership of the Secretary of the Treasury Board, we've established a deputies committee to undertake enterprise planning and prioritization, starting with the collection of all the anticipated business requirements across the whole Government of Canada. That's in its initial phases of collecting the data and beginning that exercise to look at what the year ahead is going to bring. It's an important observation. We need to bring this. It was one of the issues, as you mentioned, that wasn't properly addressed in the establishment of Shared Services Canada. We need to have a demand prioritization exercise and mechanism.
     Shared Services currently allows all business requests to come in, and we process those largely as they arrive, unless there is a special flag on them and then we will work with the departments and the overall Government of Canada system to decide the priorities.
    Thank you very much.
    With that we come to the end of the first round. Thank you, gentlemen, for appearing today. It was very informative.
    We're going to take a quick one-minute break while we change panels. Let's keep it very brief, please, because we are tight on time.

  (0945)  


  (0945)  

    We're back. We're going on to round two.
    I'd like to welcome Mr. Wayne Smith and Mr. Ivan Fellegi, former chief statisticians of Canada.
    Mr. Smith, you have up to 10 minutes.

  (0950)  

    I would like to thank you for this opportunity to address the committee as it studies Bill C-36, a bill that seeks to establish the professional independence of Statistics Canada in law. Ivan Fellegi and I have played a significant role internationally in the articulation of the need for professional independence of national statistical offices. I think Dr. Fellegi is going to speak to this a bit. He participated in the writing of the United Nations Fundamental Principles of Official Statistics and their adoption by the United Nations Economic Commission for Europe, while I, as chair of the Conference of European Statisticians, helped to obtain their approval at the UN General Assembly. As a member and vice-chair of the executive of the Committee on Statistics and Statistical Policy of the OECD, I proposed and helped develop the OECD's recommendations on good statistical practice, which were ultimately adopted by the OECD council of ministers.
    A key notion behind both of these documents is that the professional independence of national statistical offices should be protected in national statistical legislation. It has always been somewhat ironic that while Canada played such an important role in developing this notion, Canadian legislation has been among the worst in the developed world in terms of affording protection to Statistics Canada's independence. In Canada, professional independence, until recently—until now if this bill is adopted—has been a matter of convention rather than law, and has relied on the good graces of successive governments, and the determination of successive chief statisticians to protect that independence. While independence has been generally maintained, preserving it is not a game for weak-willed chief statisticians.
    This requirement for professional independence is rooted in the need to protect the credibility of national statistics that, in the democratic process, provide a report card to the nation on the performance of successive governments and a reliable information base for public policy debate. If the national statistical system is subject to political or other external interference, credibility is eroded, and debate becomes about the statistics themselves, rather than the substantive issues of public policy. If the system of national statistics is credible, then one can truly say that a person is entitled to their own opinions, but not to their own facts.
    So it's gratifying to see Bill C-36 brought before Parliament. I had the opportunity to contribute to the building of the legislation prior to my resignation.
    I'd like to say at the outset that while I consider the legislation to have three major flaws, even if it's passed in its current state, the legislation would materially improve the independence of Statistics Canada and should be welcomed. But there are flaws.
    The first flaw is that the legislation does not include provisions for a merit-based, transparent selection process for the chief statistician, one that would engage a selection committee of stakeholders in the statistical system in that process.
    The government has argued that it now has a general merit-based selection system for Governor in Council appointments, but this system is not transparent and not binding on the current government, let alone future governments. This point was demonstrated when my successor was selected through a completely opaque process and was appointed to a lower level deputy minister position without adequate public explanation. The chief statistician of the moment is very beholden to the government and on a very short leash. This demonstrates how independence can be undermined by the selection process.
    The second flaw is that Bill C-36 will in no way alter the provisions of the Statistics Act with respect to the census of population. This means that there will be no guarantee that every five years a comprehensive census will be conducted that is mandatory in all respects. The decision of the previous government to make the long form of the census of population voluntary was the principle reason for wanting to reinforce the professional independence of Statistics Canada, so it is surprising that the bill does not address the issue.
    Even if Bill C-36 is passed, the cabinet is still required and authorized to approve the questions for each census, and can decide to reduce the content to any number of questions it desires. Under existing case law, the interpretation of the Statistics Act is that the long form is not part of the census proper, and therefore can be conducted on a voluntary basis, and this problem has not been addressed.
    Through deft manipulation of the provisions of the amended act, any future government will still be able, once again, to make the long-form census voluntary without going before Parliament.

  (0955)  

     The third flaw is the one that led to my resignation in September 2016. Bill C-36 does not address the serious intrusion on Statistics Canada's independence arising from its new forced dependence on Shared Services Canada for informatic hardware infrastructure. This dependence, created under the previous government, gives an outside organization the ability to interfere with or even prevent, through malice, incompetence or disinterest, the delivery of Statistics Canada's programs.
    We are living a case in point at this very moment. Statistics Canada has been working for some time now to modernize its data dissemination systems, which rely on now obsolete software. Statistics Canada has done its part. It has developed modern programs to replace these systems, but requires new hardware infrastructure to introduce them. Shared Services Canada has repeatedly failed to deliver the required, operationally-ready infrastructure to allow Statistics Canada to implement the new systems. The first date that was missed was in May 2015, and the structure still isn't there. The 2016 census of population program, which intended to make use of the new software platform, was forced to retreat and incur some non-negligible costs to patch up the old programs. Commitments made to the previous government to improve the usability of online census data could therefore not be honoured. More significantly, over two weeks ago—actually at the time of the release of the last labour force survey dated early in March—significant portions of Statistics Canada website were taken offline due to security vulnerabilities in the old software, which is still in use, contrary to Statistics Canada's desires, intentions, and plans. Major components of the website are still not available today. To my knowledge, this is the worst outage of online data access in Statistics Canada's history and a serious loss of access to data for Canadians. It shows why Statistics Canada must have full management control over its informatics operations.
    It is my sincere hope that this committee will bring forward amendments to address these flaws in Bill C-36 when it is returned to the House.
    With that, I will end my comments. Thank you.
    Thank you very much.
    We are going to move to Mr. Fellegi. Thank you.
    It is a double personal pleasure to appear before your committee to discuss proposed changes to the Statistics Act. After a period of formal association with Statistics Canada extending fully over 60 years, 23 as chief statistician of Canada and another nine as chief statistician of Canada emeritus, I am very happy to welcome this major step forward.
    Second, as Mr. Smith mentioned, I was one of the authors of the United Nations Fundamental Principles of Official Statistics. It is very gratifying to see several of its principles incorporated into the new Statistics Act.
    You will notice, incidentally, that my comments overlap Mr. Smith's, but we haven't collaborated, let alone colluded.
    Voices: Oh, oh!
    Dr. Ivan Fellegi: It's just a similar analysis that we have carried out.
    While I celebrate the improvements, I think it would be a great loss if a once-in-a-generation opportunity like the present one were not exploited to bring in a truly model Statistics Act. I would like to recommend for your consideration six possible improvements. I'm less modest than Mr. Smith. He only had three.
    First, I would suggest that you give careful consideration to the United Nations Fundamental Principles of Official Statistics. It has a very important preamble that sets out the reasons why trust in official statistics is crucial for the sound functioning of democratic processes and why the professional independence of the national statistical office is a critical element of this trust. It would set a context for the act and could play a major role in guiding its interpretation by the courts and by others.
    Second, I think the proposed method of appointment of the chief statistician leaves a lot to be desired. Here I'm fully echoing what Mr. Smith said. This is a position requiring a deep knowledge of the quality issues of official statistics and what makes them trustworthy, an understanding of the multiplicity of information needs of governments and society, and a demonstrated ability to manage a complex, multidisciplinary organization.
    I strongly urge you, in case of a vacancy, to consider requiring the establishment of a search committee of eminent and knowledgeable people for the purpose of searching for and putting forward to the Prime Minister a short list of qualified persons. Such a search committee could be composed of retired governors of the Bank of Canada, retired clerks of the Privy Council, retired chief statisticians, the president of the Statistical Society of Canada, and so on. The search committee should be required to not only review applications for the position but to also conduct an active search. This is a highly specialized position, and I am asserting, based on my long experience, that an essentially passive application process without an active search component will often not work well, and has not worked well in the past.
    Still on the appointment process, I welcome the establishment of term appointments to be served during good behaviour and the fact that the term is renewable, but suggest that you consider more than just renewal. Perhaps after one renewal...subject to a review by a search committee. If you have an outstanding person in the job, why should you preclude at least the possibility of reappointment?
    Four, as I mentioned before, giving the chief statistician control over the statistical methods to be used and over the timing and methods of dissemination is at the heart of the proposed changes. It is, however, a major flaw, in my view, that Bill C-36 leaves open the possibility of the chief statistician being overruled, on a methodological issue, by the responsible minister. I would underline “on a methodological issue”. The proposed safeguard of transparency would not have worked in the case of the 2011 census.
    This aspect of the proposed Statistics Act also explicitly violates the United Nations Fundamental Principles of Official Statistics, of which the Government of Canada is a foremost signatory. As I mentioned, it leaves the door wide open for the repeat of the 2011 voluntary long-form census by calling the long form a “survey”, and overruling the chief statistician on its mandatory character.

  (1000)  

     I left five copies of those fundamental principles with your clerk.
    Fifth, the problem is exacerbated by the fact that the scope of the census is not specified, and this leaves the door even more widely open for a future government to opt for a short-form census, with perhaps a voluntary long form that would be called a survey.
    Sixth and finally, and perhaps less importantly, I suggest that you specify some skill requirements for the members of the proposed Canadian statistics advisory committee. I also suggest that you increase its size. It needs to represent a variety of disciplines, skill sets, client groups, and geographical locations.
    I thank you for your attention, and I'll be very happy to answer your questions.
    Thank you very much.
    We're going to jump right into questioning. Just be bear in mind that we are behind, so we won't get through the entire round of questions.
    We're going to jump right to Mr. Longfield.
    Thanks, Mr. Chair, and thank you both for being here and providing some balance to our discussions today.
    I'm going to be sharing my time with Mr. MacKinnon at the end, but I just have a quick question for Mr. Smith.
    In the last testimony, we were hearing about the review and the number of meetings between Shared Services and the chief statistician. How did that go during your tenure? How frequently were you meeting with Shared Services and working on the new approaches with them?
    There were numerous meetings, some of which I was involved in, and far more extensive meetings with my staff and the staff with Shared Services Canada. There was ongoing discussion and consultation.
    Okay, thank you.
    I'll turn it over to Mr. MacKinnon.

[Translation]

    Thank you, Mr. Chair. Thank you, Mr. Longfield.
    I'm glad to be here today.
    Mr. Fellegi and Mr. Smith, I think Statistics Canada is a leader in the statistics community, and the two of you have helped build that reputation.

  (1005)  

[English]

    I want to thank you both for your service to the agency and to Canada.
    I am concerned, Mr. Smith. You dealt a lot with—can we call them—IT issues. Do you consider yourself an IT expert?
    Mr. Chair, I consider myself to be very knowledgeable in the area of IT. I'm certainly not an IT expert. I employ people to do that for me.
    But you did make a very serious move in tendering your resignation on the grounds that the progress—or your perceived lack thereof—of IT projects at Statistics Canada was undermining its very independence.
    Mr. Chair, there were three essential reasons I tendered my resignation.
    The first reason was that I felt that the fact that Shared Services Canada was handling confidential respondent information under the terms and conditions that existed was in fact a violation of the Statistics Act, and that's still my view.
    The Statistics Act requires that confidential information be held by employees of Statistics Canada or people that the chief statistician voluntarily and not as a matter of obligation deems to be employees of Statistics Canada. That's not the case today. I've actually filed a complaint with the Privacy Commissioner to see how he views that matter.
    The second issue was that, in principle, when Statistics Canada needs hardware infrastructure to carry out its programs, which it doesn't have today, it has to request that from Shared Services Canada.
    Shared Services Canada is not obliged to provide it, which means that they have meaningful control over Statistics Canada's ability to operate. That is inconsistent with independence in principle, regardless of whether a specific case has occurred.
    The third issue was that the reality of those two factors together meant that Shared Services Canada was making decisions and failing to make decisions in a way that was hobbling Statistics Canada's ability to operate. My resignation was meant to draw attention to that issue, and I understand that at least it had the effect of getting a lot of attention from Shared Services Canada for a short space in time.
    Your view is that Statistics Canada should be enabled to engage whatever experts—you said you're not an IT expert—are required, and to expend whatever resources, financial and human, are required to do its own IT planning and execution, and to queue jump, in essence, over any other client departments or agencies of Shared Services Canada. To fail to do so, to fail to provide you with resources to do those things, on your own and independently, undermines the independence of the agency.
    Is that your view? Please provide a short answer.
     I'm comparing the situation now to what it was ex ante. Ex ante, Statistics Canada made the decisions regarding its informatics infrastructure. When it needed infrastructure, as long as it had the budget, it could proceed. It has lost that ability. Therefore, it has less independence than it had in the past. I'm not saying that Statistics Canada should do everything itself, but I am saying that it should have full management control, which means that it should control its own budget. It should be able to make a decision to implement some aspects of hardware infrastructure. If Shared Services Canada is not able or willing to do it, it should have the alternative of going to some third supplier, or doing it itself. That will assure the most efficient and effective operation of the national statistical system.
    You refer to cybersecurity in your presentation and the existence of legacy software, if I can call it that, that was vulnerable—I presume you inferred it was vulnerable to attack—and that the system in fact proved vulnerable to attack. Is it your view that Statistics Canada should or can or is capable of developing its own siloed cybersecurity to conform to world standards—and we know of the risks that are inherent in that world—as opposed to that being within the Government of Canada's perimeter, including organizations like the Canada Revenue Agency, Elections Canada, and other obviously critical data sources? It's your view that Statistics Canada should exist outside of that?
    I would note that Statistics Canada's data is supposed to be protected not only from people outside the federal government, but also from other people within the federal government itself. The CRA, RCMP, CSIS, and CSEC's having access to Statistics Canada's data is as much a violation of the Statistics Act.... So pooling that data in the shared data centre constitutes a new risk for Statistics Canada.
    In reality, Statistics Canada has been gradually pushed towards a world that's putting our data at greater risk, not less risk. Historically, we've maintained a wall, and we actually have not linked our databases and systems to the outside Internet world. There's no physical link. In order to participate in the Shared Services Canada and other government-wide initiatives, we're being forced to open that up for no reason of our own. There's no business reason for us to open up access to confidential respondent data. It's because of the models that are being adopted.
    I would argue first that this movement is actually enhancing and increasing the risk of hacking Statistics Canada's information, but at the same time the number of incidents that we've had, as we've tried to go down this path, has actually been more than any hacking we've ever experienced.

  (1010)  

    How much time do I have?
    That's it.
    I'm all out of time. Okay.
    Thank you, Mr. Smith.
    Sorry.
    We're going to move to Mr. Lobb for seven minutes.
    Thanks a lot, and thank you, gentlemen, for appearing here today.
    I must say, I pretty well agree with everything you had to say, and that spans both a Liberal government and a Conservative government, so I appreciate what you say. Sometimes hindsight is a valuable tool to look at.
    The third component that you mentioned, Mr. Smith, has to do with performance around Shared Services Canada. At a time when software companies—I won't say every—in North America are transitioning from their own internally managed data centres to cloud computing, it only seems logical to me that this be an option for us. We heard from Mr. Parker from Shared Services Canada that some government departments and agencies are in fact transitioning to that, so they are better able to respond to peak demands on bandwidth. I asked Mr. Parker if he could name me a couple of departments that have huge bandwidth spikes, and he either wouldn't or he couldn't name them.
    Both of you gentlemen have been at Stats Canada and know there are huge spikes, and you know that Shared Services Canada has absolutely no ability to handle those huge spikes. That's my opinion, and I'm not an expert, but based on what I saw a couple of weeks ago and when the census was launched, I believe that is the case. I wonder if you could comment on your experiences with them in just being able to react to something basic that a data centre should be able to provide to its customer.
    Well, the census isn't a good example, because it was a huge spike, absolutely, probably one of the biggest spikes the government has ever seen in terms of demand for informatics, but we knew exactly when it was going to happen and were able to build the capacity to face it.
     The problem that happened at the very beginning of the 2016 census, which we recovered from very quickly, was actually caused by a bug in the commercial software. It wasn't Shared Services Canada and it wasn't Statistics Canada that caused us the problem; it was actually the third leg of the stool.
    One of the problems that Shared Services Canada is facing is that they're trying to build new infrastructure at the same time they're operating the legacy system. They had no funding to allow them to do these two things simultaneously.
     Their strategy has been to run down the legacy data centres. They've cancelled service contracts. They're not replacing the obsolete servers. They're hoping that these servers will stay on their feet until such time as they get their new systems up and running, but they have no reason to believe that. There is no evidence that this will be the case.
    Just before I left Statistics Canada, there was a major outage caused by the fact that one of these old pieces of equipment failed. At the very moment we needed it to disseminate a major release, it brought down the entire data centre. It didn't just bring down the web server. It brought down our entire data centre. That was a consequence of the strategy of running obsolete equipment into the ground: causing an unnecessary lapse in the service for Canadians.
    I know that both of you gentlemen are still involved a bit around the world with developed countries, inside their own statistics offices. For their platforms, are they looking at cloud computing? What are they looking at to make sure they have the independence that's required?
    The United Kingdom and Australia also have launched these kinds of cross-government informatics consolidations. In the U.K., the issue was raised about the independence of the statistical office. Ultimately, the statistical office was given a waiver to not participate because of the issues of independence and confidentiality of respondent information. The same issue occurred in Australia. In Australia, they were given a pass, again because of those issues.
    The New Zealand government took a completely different approach to this. Instead of trying to build a government cloud computing capacity, such as Shared Services, they simply said that they would go to the private sector. While there's pressure on the national statistical office in New Zealand to move in that direction, there is provision for an exception if they apply for it—which they haven't yet, but they have full management control. They hold their own budget and they make their own decisions. They have to work with private sector suppliers. It's different in character from Shared Services Canada, because they still have full management control.
    There is some discussion in the United States about moving in a similar direction, but it hasn't been acted on yet. In the U.K. system, the general government issue is unravelling to some extent. Other than that, I'm not aware of any other developed country—Dr. Fellegi might be aware—where the national statistical office has been required to turn its hardware infrastructure over to a central agency.

  (1015)  

    I'll provide a comment and ask another question. It just seems that the reason why these software companies in North America and probably around the world are making this decision is not because they're afraid of any security risk, but because they know it's a huge capital cost to launch a data centre, to maintain it, and to then compete for labour to maintain it. It seems to me that it would be prudent for a government to look at those, because you flip the switch and you get more bandwidth.
    I want to talk briefly about your issues in resolving outstanding performance issues with Shared Services Canada. Maybe you have a couple of anecdotal stories about the time an issue was identified, the time that it was ever fixed or solved, and the time frame around that.
     I didn't prepare to answer that question, so I don't have the details. The most flagrant example is the one I mentioned in my speaking notes, in regard to what we call at Statistics Canada a new dissemination project, or major overhaul of the way we disseminate information. It was supposed to replace all of the obsolete software that might be vulnerable. For this project, the idea was that we would develop it and would deploy it first for the census of population. Part of the agreement with the cabinet was that we had to improve the usability of our website, and this was part of that strategy.
    We did the work. We wrote the programs, but we required delivery of the hardware infrastructure to run them on. That infrastructure was supposed to be.... Actually very early in the process, in 2012 I think, I wrote to the previous president of Shared Services Canada highlighting the census. This project was among the highest possible priorities of Statistics Canada that had to be delivered. The census got delivered because they got a whole whack of additional money for that purpose, but in terms of this other project, the new dissemination model project, the date set was May 15, and they missed it completely.
    There are tremendous issues inside Shared Services Canada. There are silos, and people don't talk across silos. We would discover such things as one person telling us that the equipment had been ordered and they were going to have it momentarily, and then three months later we discovered that the equipment hadn't been ordered because the person who was supposed to order it didn't know where the money was supposed to come from. There were those kinds of issues.
    Sorry, we are tight on time and are going to have to move on.
    Mr. Masse, you have seven minutes.
    Thank you, Mr. Chair.
    Thank you to our witnesses for being here.
    I think it's important to note that Shared Services Canada is exactly that: it's involved in the dissemination of information and the collection of information into one central site from other sites. I guess its very nature creates that vulnerability. We've seen that. All you have to do is do a little review of it. A cabinet order created Shared Services Canada. It wasn't run through Parliament. Historically it has had all kinds of budgetary issues related to it. In fact, as it was being formed, it was being cut for savings, so there are all kinds of issues with regard to it. I think it needs to be commended that if we're going to protect our census and Stats Canada, first and foremost is the independence and solidarity of the information gathered and the dissemination of its use for public purposes.
    That said, I do want to drill down. One of the things that is important is the independence of the chief statistician. With regard to our current selection process versus what's being proposed, what have other countries moved towards? My concern is that we still seem to lack the ability to recruit the best, and we also have to make sure that their own independence is secured. I think in the current age of alternative facts being used for all kinds of different reasons, having a fact-based, independent chief statistician could be an economic advantage in many respects and a social responsibility. I'd like to hear from that vantage point, because I do believe it is probably going to be one of the most key appointments that we make for many, many years to come.

  (1020)  

    Thank you for the question.
    I mentioned that I had personal experience with how the currently proposed process wouldn't work. That was in the late seventies when Statistics Canada—and this is forgotten now—was in deep trouble and was a public scandal-ridden organization. All the tremendous reputation that it has acquired since was quite in ruin at that time. It was essential to find a chief statistician who could turn the agency around.
    The government did appoint a search committee, but it couldn't find anybody it could recommend for the task. In the end, it undertook an active courtship of the vice-president of AT&T at the time, who agreed to take an enormous salary cut for the public service that he was intrigued to provide to Canada. That was Martin Wilk, my predecessor, who actually did turn the agency around. The government would not have been able to find anybody like him through the passive application process, and in fact it didn't find anybody like him until a formal search committee was created. The search committee engaged in an almost courtship with the most promising candidate. That's the kind of person one needs to attract to the extremely complex position that the chief statistician is. It's a manager, a professional, a public spokesperson for the agency, and ultimately the defender of its independence.
     Mr. Smith, with regard to that, will we be able to track somebody with the current legislation, or would it be enhanced by ensuring that the position is outside of cabinet, independent of political influence, and is accountable to a wider body that is able to fully review and renew the position in the future?
    I wouldn't be concerned about ability to attract candidates, but I would be concerned about the ability to attract the very best candidates. The person assuming that role will want to know that they would be empowered to do the job to the very best of their ability and that they wouldn't be hamstrung by political interference, and all forms of external interference. I think it's really the question of whether you'll get the very best candidates.
    One of the things that has been raised by both of you was regarding the alteration of the census by cabinet order or by decision without Parliament's approval—effectively going back to a short-form census without Parliament's being able to determine that—or having the census questionnaires determined without scientific methodology. I worry about the comparables. For example, how do we look at the most recent bump that we have and how do we compare data from before?
    How do we protect and make sure that there's going to be integrity in that process? Do we simply write it in the legislation so that the chief statistician has that, and cabinet cannot interfere with it?
    I've thought a lot about the provisions. There are a number of things that have to happen. One is that a definition of the census needs to be inserted into the act that will ensure and make clear that even questions asked on a sample basis are part of the census. That's not there right now, and the courts have used that absence to say that this isn't part of the census; it must be a separate survey. If you clarify that particular point and stipulate in law that the census must be mandatory, you've solved part of your problem. Now this whole census has to be mandatory. No part of it can be made voluntary.
    The next issue you have to deal with is whether it's going to be a comprehensive census. You need to set some kind of reference point. In a bill that was developed in the previous Parliament by Ted Hsu, the idea was to say that the content should be commensurate in scope to the.... I don't remember what the reference was. I think it was the 1981 census. That would mean that you would have a census that contained a large number of variables. The government could not decide to truncate it to only 10 questions, just do a basic head count. That would solve your second problem.
    There's a third problem, because there has been a history of political intervention on census content, and there is a precedent in Australia for the chief statistician's having the authority to fix the census content after extensive consultation. That's an alternative. I am of two minds about that. When you're going to ask questions of the entire population and force people to respond, you might want parliamentary oversight, but you need to think about that.
    The fourth piece is to be careful in the wording not to prevent Statistics Canada from using the most efficient mechanisms to get the data, which may not be the classic survey.

  (1025)  

    Yes.
    So those four pieces need to be there. They're not there today, and as a result, as both of us have said—
    Thank you.
    —a government in the future will be just as capable of doing what happened in 2011.
    Thank you.
    Sorry to cut you off. We are tight on time.
    We're going to move on to Mr. Baylis.
    You have seven minutes.
    Thank you, Mr. Chair.
    Mr. Fellegi, I'd like to understand. You talked about the advisory council and, to my understanding, the existing council is being cut from 40 people to 10. You think that's a drastic cut. When there were 40 people, was the council functional? What would be the right number, and what should it be doing?
    There isn't a single right number, but I think that 10 goes quite far if one wants to incorporate in that statistics advisory committee or council the variety of disciplines that Statistics Canada is active in and that need to be considered in terms of priorities. Here I refer to the variety of geographical areas, the variety of client groups needed—
    Were you happy when it was 40?
    I was happy when it was 40.
    And it was working when it was 40.
     It was working. It didn't try to vote on anything. It came to consensus, and sometimes with dissenting views, which is quite appropriate, but it provided extremely valuable advice—
     Understood.
    —to me throughout my tenure.
    Mr. Smith, do you have any comments on that?
    I share Dr. Fellegi's view.
    It could be somewhat smaller than 40, but still, 10 is too small.
    Yes, I agree.
    Ten is too small, so give us a number.
    You've worked with the councils, so what would work for you?
    The thought that comes to mind is about 20 to 24, somewhere in there.
    That would give you broad enough—
    Regional representation, sectoral representation, a wide range of views.
    You called on this council in your roles. It was valuable to you in your roles.
    Very much so.
     They meet twice a year, and they are invaluable in ensuring that our program evolves in line with the interests of Canadians.
    It also provides service in the case of a crisis. There are knowledgeable spokespersons in a variety of locations and disciplines who can actually defend, from an independent perspective, outside of Statistics Canada's perspective, when Statistics Canada needs defence. It's a very important support group.
    I totally agree with the 20 to 25.
    Interestingly, when you push that number—
    Okay, that's fine.
    —those are the numbers that you—
    And I guess regional representation would be simply one of those factors.
    Exactly.
    One factor would be regional representation. You mentioned sectoral representation too.
    You're concerned that 10 is going to be very tight, then, to get that expertise in. You're saying we need 24 or 25.
    Yes.
    There is a next set of questions on issues I would like to understand.
    With my reading—and I'm not a lawyer—it was my belief that although a previous government sabotaged the long-form census, if Statistics Canada were given sufficient power of independence, that could not happen. However, you have both raised this as an issue.
    I would like to understand what should be done. If I understand you correctly, Statistics Canada does not have what I thought was sufficient freedom to make sure the long-form census takes place.
    If that is the case, what should be done?

  (1030)  

    As I was enumerating a minute ago, in order to avoid the confusion that the courts have introduced in ruling that the long-form census can be voluntary, you need to define that the questions to be be asked on a 100% basis or on a sample basis are all part of the census. That would take it out of the hands of the courts.
    Do you want to put actual questions into the law?
    No, no, no, I simply want the law to define that the census of population is all of those questions that are approved, by whatever the approval process is—which at the moment is by cabinet—and that the questions to be asked of the Canadian population on a sample, or on a 100% basis, constitute the census of population. That avoids a problem with the courts, which has happened. The courts decide that the long form, because it's on a sample basis, is not a census, so therefore it doesn't have to be mandatory.
    The first thing is to change that. The second thing depends on what level of political engagement you think there should be in determining the questions.
    If I understand, one is to ensure right now that that setting goes to cabinet, and your second one is to say it shouldn't even go to cabinet, but to the statisticians.
    I'm saying that's a choice.
    Okay.
    At the moment, if Statistics Canada comes forward with a census of the magnitude of the 2016 census, the current act says that the government can decide that, no, we're only going to ask five questions, and say, “Sorry, the rest of it's not necessary”.
    And this amendment does not correct that?
    This amendment does not correct that.
    The scope of the census is entirely in the hands, not of the chief statistician but of the government under this legislation.
    Understood.
    Is that your understanding too, Mr. Fellegi?
    Yes.
    My concern is particularly with the government's ability, or the minister's ability subject to Governor in Council approval, to overrule the chief statistician on a methodological issue on how to take a survey with a census.
    There is no national interest that should allow this to happen. The current drafting says that in the case of overriding national interest, the minister can do this, that, or the other, including overruling the chief statistician on a methodological issue.
    It's quite appropriate, necessary, and fundamental for the minister to have authority over management and budgetary issues, but not at all over—
    So you would like to see wording added, management issues aside, to address the concern that statistical methodology should remain with the chief statistician.
     It's there now, but it can be over-ruled by the minister....
    And you'd like that part taken out—
     I'd like that to be removed, the over-ruling—
    You'd like that to say the government cannot over-rule—
    —on methodological issues.
    Would you agree with that, Mr. Smith?
     I certainly agree with that, but whether it's—
    It might seem—
    My understanding of this issue is that it's tied into the whole Westminster system and is not quite so easy to carve out, but ideally that should be the case, yes.
    I think I have three seconds left.
    You've used them all up. Thank you very much.
    Mr. Dreeshen, you have five minutes.
    I knew someone had five minutes. Thank you very much, I appreciate that.
    Certainly, from listening to what has taken place here, I'm going to go over the transcript of the testimony quite carefully and I would hope that everyone can do that, because I think it's really critical.
    Mr. Smith, you had gone through three basic themes, and then you said you had three amendments. I'm not sure whether we could tighten that up a bit, and maybe I could get some commentary from you as to what you think might be amendments, the succinct points that you could make that would tie in, that would help us again on the testimony side.
    I do want to ask this one question because I've asked it of others as well. The discussion is that after 92 years, whether a person has said they wanted it or had that option of opting out of it or not, this information should therefore be public. Really, most people look at the census and say, okay, it says in here it's not going to be shared with anybody and so we can be comfortable with what we put down.
    I'd like to have your comment on that. There are a couple of questions that are asked, on religion and so on, that I'm thinking of. I'll mention the story of the number of people who have chosen the Jedi religion. Those kinds of things, after 92 years, might seem insignificant, but where do you pick the number when we don't know what life expectancy is? We don't understand the scenarios in there.
     Is it something that needs to be in that legislation, or can it simply be left out? That's my first question on that part, and then maybe you could flesh out what you think the amendments would be.

  (1035)  

    The issue of the 92 years is not really a statistical issue. This is an issue for genealogists and historians. The tradition has been in Canada that after 92 years, generally speaking, public records become accessible, and that used to apply to the census.
    A long time ago, the 1918 Statistics Act applied to the censuses conducted prior to it. Then the Statistics Act came along and said that all data was confidential and gave the impression that it would be in perpetuity.
    The issue was raised about whether the data from Statistics Canada should be made public. There was strong lobbying by genealogists and historians that this data were important, and in making data public after the normal life expectancy shouldn't be that controversial. Proposals were adopted in the Statistics Act that asked for consent. They've been ineffective in getting people to respond to them, let alone whether they.... Some people won't respond for their children, because they want to wait until they're adults. Other people won't respond for their spouse. Other people never get to that question and stop before they get there.
    Even the noes aren't necessarily noes and the result is that genealogists have lost a significant level of access. It's no longer a 100% record. They would like to see it restored.
    We thought there might be an impact on Statistics Canada's operations if, in fact, we did not ask for consent. It was seen that that's not the case, so we, Statistics Canada, during my appointment when I was there, were of the view that we saw no harm in accommodating the genealogists and the historians in making the data available without bothering to ask for consent after 92 years, or any other period that Parliament might want to adopt: 108, 114, the maximum life expectancy of a Canadian.
    In terms of the ability of Statistics Canada to carry out its mandate, this is not critical to Statistics Canada's operations, so it really is a decision for Parliament to decide whether they would like to continue with consent, whether they'd like to go back to the case where Statistics Canada information is no longer available ever, or whether Parliament wants to adopt the 92-year rule and automatically make the data available to the public archives after a fixed period of whatever length.
     Quickly, on amendments to that potential—
    On the amendments, I think Dr. Fellegi and I both indicated the key elements. We need amendments around the selection process absolutely, in my view. It needs to provide for a selection committee. The selection has to be based on merit, on demonstrated ability to run large organizations, knowledge of officials, and demonstrated experience with official statistics to create a short list for consideration by the government. Appointments and those kinds of provisions need to be there.
    The census provisions need to be altered. If you look at the transcript, you'll find that I did enumerate the various pieces that need to be done.
    The last piece from me doesn't require any change to the Statistics Act. The government could easily remove Statistics Canada from Shared Services Canada or alter its arrangement. It has done so already with respect to the Federal Court system. The same approach would apply to restore Statistics Canada's meaningful control. It doesn't require an amendment to the Statistics Act. It requires a small change to a schedule of the Shared Services Canada Act, which can be done by the Privy Council in isolation.
    Thank you. We're going to have to end it right there.
    Before everybody leaves, just hang on.
    Thank you, gentlemen, for sharing your time with us today. You leave us with a lot of questions that we need to answer.
    Gentlemen, before we go, I have a couple of things to deal with, just quick housekeeping. On Thursday for those who are interested in staying, we have Clare Adamson coming from Scotland. She will likely sit in toward the end, and then we'll do an informal session from 10:45 to 11:15. Some people have expressed interest in staying. We'll send her bio to your email addresses.
    I'm going to pass around another thing. For our trip to Washington, I want to make sure that we are going with a specific goal in mind, so we worked with the clerk. This is just an example. It has already been passed around. Take a look at it. Be prepared to have a chat if there is more in there that you want, but we want to be able to come back with very specific—rather than just going willy-nilly and doing whatever.
    Brian.

  (1040)  

    Just on this, I think it is important to note this is coming from a parliamentary secretary outside this committee—
    No, sir.
    I know, but the initiative to have committees go to Washington comes from a parliamentary secretary outside this committee. In terms of all committees in the House engaging with the United States, and also parliamentary associations, I just want to make sure that if we are going to do this, we are cognizant of the fact it's going to be with this committee in mind.
    Absolutely, we're going down as a committee. That's what we discussed previously, and that's why I want to make sure that we have a clear objective for going down.
    Is there any way we can officially tie this to our manufacturing report, which is still pending? Is there any process by which that can take place, or is that the will of the committee? I have never gone down this road for procedure, so I don't know if that was possible.
    We can ask those questions. Whether we're going to add anything to a study that we ended in December, I can't speak to. That's a conversation we should have at a later date.
    Again, we want to be able to have a clear mandate when we go down.
    Right.
    My fear is that we have so many people going down to the States that the Americans are going to get tired of us, or that we will all be seeing the same people.
    That's what I thought. Yes, you're seeing it as I am.
    Are there any further questions?
    Thank you.
    We will send these out by email, so if you have any comments, please respond.
     The meeting is adjourned.
Publication Explorer
Publication Explorer
ParlVU