Canada’s Security Classification Framework: The Biggest Impediment to Realizing Our Digital Ambition

20.500.12592/b8gtr07

1 Jun 2024

In 2022, the Government of Canada, under the leadership of the Chief Information Officer of Canada, published Digital Ambition 2022.[1] The document outlines a vision for the Government of Canada to leverage modern digital technologies to transition the nation’s digital enterprise to 21st century standards. In 2023, an update was provided that noted that while progress had been made, “there is much more work to be done”. Despite the best efforts and tremendous commitment of leadership, this vision will be a challenge to realize because of the security classification framework that Canada adopted over 40 years ago.

In the 1980s, when the classification framework was adopted, the only considerations for the security of digital data were physical. The classification of the data dictated whether the floppy disk, hard disk, laptop or USB was to be locked in a filing cabinet with a lock, a filing cabinet with a locking bar and lock, or a special filing cabinet with a Sargent and Greenleaf lock. Although it could be argued that the security classification framework made sense when it was originally implemented, the unfortunate reality is that it has become the biggest impediment to realizing Canada’s Digital Ambition. Furthermore, the framework is responsible for the culture of over-classification that permeates the public service and Defence, it precludes leveraging affordable industry-standard security technologies that Canadians use every day, and it drives up the costs of providing digital services to Canadians. The current framework also adversely impacts procurement, the contract security program, and interoperability with our allies and partners. Suffice it to say that it is no longer fit for purpose, if it ever was.

Ensuring the safeguarding of personal data is exceptionally important in both the private and public sector. It is important, not only from the perspective of the individuals affected, but equally so, from an organization’s reputational risk perspective.
In all instances, the compromise of personal information is a lose/lose situation. In Canada, the legislation that determines the framework for how private-sector organizations collect, use, and disclose personal information in the course of for-profit commercial activities across Canada, and the personal information of employees of federally regulated businesses, is the Personal Information Protection and Electronic Documents Act (PIPEDA).[2] In the act, personal information includes age, name, ID numbers, income, ethnic origin, blood type, evaluations, social status, employee files, loan records, medical records, opinions and credit records. Businesses subject to the act must follow the 10 fair information principles to protect personal information. The relevant principle for the purposes of this paper is principle 7 – Safeguards. In accordance with PIPEDA, businesses are responsible for protecting personal information “in a way that is appropriate to how sensitive it is” and, “regardless of how it is stored, protect it against loss, theft or any unauthorized access, disclosure, copying, use or modification.”[3] The act does not specify particular safeguards but places the onus on organizations to ensure personal information is adequately protected as technologies evolve and new risks emerge. The private sector continues to leverage modern and innovative digital solutions to provide better security, improved services, higher customer satisfaction, and more intuitive and convenient features while concurrently ensuring personal information is protected regardless of the type of device, the application or how the information is transmitted. The challenge for government is that, because of the security classification framework, it is significantly constrained in how it treats personal information.
For example, if a Canadian citizen were to upload personal information that is not commonly found in the public domain to a digital application and then provide it to the Canadian government, that information would be given a security classification of Protected B. In accordance with government policy, the level of injury associated with the compromise of Protected B information is the same as that for the compromise of Secret information. It is difficult to believe that personal information that Canadians share digitally in the private sector, if compromised, would cause the same level of injury to the nation as the compromise of our nation’s most closely held secrets. However, once that same information is provided to the Government of Canada, that is how it is treated. The fact that none of our closest partners and allies assign the same level of injury to two different security classifications substantiates the belief that the level of injury is considerably different. The implications in the 80s and early 90s weren’t significant because everything was stored in a filing cabinet. Fast forward to today: because of the artificially high level of injury associated with Protected B information, it must be transmitted digitally using government infrastructure and with additional encryption. If the information needs to be communicated outside of government, mailing and faxing are also permissible, just as they were in the 80s.

To understand how Canada got out of step with our allies, partners and industry, we need to examine Canada’s security classification framework. In so doing, it will also become evident that all that is required to address the issue are Treasury Board policy amendments. As simple as the solution is, there would still be a requirement for significant internal and external stakeholder engagement, as well as a great deal of education and change management, before, during and after the adoption of a new security classification framework.

Authors

Ron Lloyd

Published in
Canada