The Nova Scotia Legislature

The House resumed on:
September 21, 2017.

HANSARD

NOVA SCOTIA HOUSE OF ASSEMBLY

COMMITTEE

ON

PUBLIC ACCOUNTS

Wednesday, December 1, 2010

LEGISLATIVE CHAMBER

Service Nova Scotia and Municipal Relations

Registry Systems

Printed and Published by Nova Scotia Hansard Reporting Services

PUBLIC ACCOUNTS COMMITTEE

Ms. Diana Whalen (Chairman)

Mr. Leonard Preyra (Vice-Chairman)

Mr. Clarrie MacKinnon

Ms. Becky Kent

Mr. Mat Whynott

Mr. Howard Epstein

Hon. Keith Colwell

Hon. Cecil Clarke

Mr. Chuck Porter

[Hon. Cecil Clarke was replaced by Mr. Allan MacMaster.]

WITNESSES

Department of Service Nova Scotia and Municipal Relations

Mr. Kevin Malloy, Deputy Minister

Mr. Rob Doiron, Executive Director - Information Management Services

Ms. Michelle MacFarlene, Acting Director - Vital Statistics

Mr. Norman Hill, Registrar General - Business Programs

Ms. Hayley Clarke, Director - Business Programs

Mr. Scott Farmer, Acting Executive Director - Strategy, Integration and Registries

Chief Information Office

Ms. Miriam O'Brien, Executive Director - Infrastructure Services Management

In Attendance:

Mrs. Darlene Henry

Legislative Committee Clerk

Ms. Kim Leadley

Legislative Committees Office

Mr. Alan Horgan

Deputy Auditor General

Ms. Janet White

Audit Principal

[Page 1]

HALIFAX, WEDNESDAY, DECEMBER 1, 2010

STANDING COMMITTEE ON PUBLIC ACCOUNTS

9:00 A.M.

CHAIRMAN

Ms. Diana Whalen

VICE-CHAIRMAN

Mr. Leonard Preyra

MR. CHAIRMAN: We will begin. Good morning. It's a little after nine o'clock and we have a full house today - certainly on the witness side - so I think we should begin. I'm Leonard Preyra, and I'm chairing the meeting today because Diana Whalen, the chairman, is away - she will be joining us later. We'll start with just a brief introduction.

We're beginning a series of hearings on three chapters of the Auditor General's Report. Today we're looking at Service Nova Scotia and Municipal Relations, particularly the registries; on January 12th we'll be looking at rental housing supplements and Community Services; and on January 19th we'll be looking at services for people with disabilities, the Department of Community Services again. So let's begin with introductions.

[The committee members and witnesses introduced themselves.]

Thank you very much to all of you for coming. We'll begin with a brief introduction from the Deputy Minister, Mr. Malloy.

MR. KEVIN MALLOY: Good morning. Although we've just done introductions, I'll just reintroduce my team with a bit more detail, so the members have an idea of who we have here. Thank you for the opportunity to discuss our registry systems that were reviewed in the Auditor General's Report.

1

[Page 2]

With me today are: Rob Doiron, Executive Director of Information Management Services - Rob is responsible for the department's information management and technology operations; Scott Farmer, Acting Executive Director, oversees our Strategy, Innovation and Registries Division - this includes the Registry of Motor Vehicles, the Land Registry, Business Registries, and Vital Statistics; Norman Hill, Director of Land Programs and Registrar General of Land Titles - Norman is responsible for the land registry; Hayley Clarke is Director, Business Programs, whose responsibilities include the Registry of Joint Stock Companies and the Nova Scotia Business Registry; Michelle MacFarlane, Deputy Registrar General for Vital Statistics, is responsible for the Vital Statistics Act and is Acting Director for our Vital Statistics Office; and Miriam O'Brien with the Chief Information Office - Miriam is the Executive Director, Infrastructure Services Management, responsible for corporate IT operations, including the Provincial Data Centre. Together, we should be able to answer all of the committee's questions on our registry systems.

Service Nova Scotia and Municipal Relations handles 90 per cent of Nova Scotians' routine interactions with government, everything from renewing your driver's licence to registering your new business. We process 5.4 million client transactions a year. Our department takes pride in all our registries, and we continually work to ensure that the information they contain is safe and secure. We don't take this responsibility lightly. I can assure you that staff at Service Nova Scotia and Municipal Relations understand how important it is to protect the personal information we have in our care, as well as providing efficient and effective client services.

Technology is always improving and our security systems are always improving. Our staff are always looking for ways to make our databases more secure - feedback from an objective third party helps us to do that job even better, and that's why the Auditor General's comments are so valuable. I'd like to thank Mr. Lapointe and his staff for their report and for their comments during the testimony before you last week.

Even before the Auditor General's Report was released we were working to improve our internal security, and I am happy to tell you that we are already about halfway through the recommendations. We have ensured that employees only have access to the information they need to do their jobs, we have located our databases inside the Provincial Data Centre which has restricted-employee access, we have limited access to our databases to only a few employees and encrypted that access for maximum security, and we now require criminal record checks on new staff and we train them well on security when they start work. These are just some of the actions we have taken to improve our security, and very soon we will complete the rest of the Auditor General's recommendations.

Our staff is committed to protecting the privacy of those who provide us with information. They will take all the necessary steps to enhance our security systems and protect our databases from unauthorized use, but our staff also knows that they must continually explore new ways of doing business to help make transactions with our

[Page 3]

department easier for Nova Scotians, while keeping security top of mind. An example is Vital Statistics Bundled Birth Service. In partnership with Service Canada and the Canada Revenue Agency, the bundled birth service enables parents to register their newborn's birth and apply for their child's Social Insurance Number and Canada Child Benefits using one application form. One form, not three.

We were the first province to introduce this service, which makes life a bit easier for new parents who have more important things on their minds than filling out government paperwork. I'm proud to say that Vital Statistics received the Premier's Award of Excellence in 2010 for the Bundled Birth Service.

I'm also proud to add that the Auditor General and his staff identified Vital Statistics as a standout in government and one that all branches of government can emulate. I greatly appreciate the praise of the Auditor General and his staff. All of our employees who work in very challenging areas of data collection and protection do an excellent job in a landscape that changes every day. They search for innovative ways of doing business, and they understand the importance of working with other organizations to help make interactions with government easier for our clients, but they know they must never put our security at risk. Technology is, and will always be, a complex and powerful tool for governments in all jurisdictions. I commend our staff for staying ahead of the curve, for doing their best to protect public information and also improve service to all Nova Scotians.

At this point, we would be happy to answer your questions. Thank you.

MR. CHAIRMAN: Well thank you, Mr. Malloy, I'm sure we'll have a lot of questions and we have a lot of people here to answer them. It is 9:09 a.m. and we'll begin with our first round of 20 minutes each, starting with the Liberal caucus.

HON. KEITH COLWELL: Thank you, Madam Chairman - I'm so used to saying Madam Chairman. I apologize for that, Mr. Chairman . . .

MR. CHAIRMAN: I've been called worse. (Laughter)

MR. COLWELL: I'm very pleased to see everybody here today. Before I start these questions, I know how important all your staff feel that security is in the system and how hard you work to ensure that it is there - and I have a few questions.

You've already indicated that you've taken a lot of the steps that the Auditor General indicated you probably should consider. Could you briefly outline the ones you've taken and the ones you haven't?

MR. MALLOY: I"ll refer that to Rob Doiron, please.

[Page 4]

MR. ROB DOIRON: Yes, with respect to the twenty-three recommendations, we have eight of those completed. Things that were relatively simple to implement, like one of the recommendations around contractor passwords - those now expire based on how long they're working for us. Also, we've introduced things like industry standard secure coding for the Web applications. As well, we have reviewed the access accounts that were pointed out to us in the audit and, in a number of areas, we've strengthened those passwords. I would say that another ten we're actively working on as we speak, and I would say by the end of the fiscal we'll be in pretty good shape with respect to having those implemented.

There are another five that may take some more time, that require some CIO involvement and things like configuration and corporate standards and things like that - I may actually defer to Miriam, perhaps, to update us on some of those ones with CIO involvement.

MS. MIRIAM O'BRIEN: There are five recommendations that had responsibility, either shared, or solely, with the Office of the Chief Information Officer. Two of those we're working jointly on with the Department of Service Nova Scotia and Municipal Relations. Certainly we're working now on restoration times and services, and priorities of those, as part of our continuous disaster recovery planning efforts. The disaster recovery plan for the data centre has been, and will continue to be, part of our long-range multiple parallel efforts to increase our disaster recovery resiliency as a corporation.

The patches and the timely implementation of fixes and so on in software is part of our change management process, which we're adopting as part of our ITIL best practice methodology. The Chief Information Office is only a year old, so we are looking at all of our corporate standards in this way and we'll be working with Service Nova Scotia and Municipal Relations on that one particularly. Recommendation 4.12 on unique temporary passwords, we are implementing that one immediately.

MR. COLWELL: It appears that you've got this well underway and I commend you for the work you've done. This is a very serious issue, of course, and I don't have to tell you that. The whole problem with this is we, as elected officials and the staff - I think it's very important that we ensure that Nova Scotians feel they're safe when they give you information. I haven't heard that they don't feel safe and with the changes you're making, you're going to be even more secure than you were in the past. I think that's very positive and I'm positive the Auditor General picked up on some of these things before, potentially, it could have become a problem, and maybe there never would have been, but it's good to see that.

I asked before, do you have a hacker hired now to hack into your system?

MR. DOIRON: We don't per se. What we will do is, if we put a new system in place, one that's outward facing, we will, as normal practice, hire a third party before we put that

[Page 5]

in place to see if they can come in and hack and get at that. It's a way of testing the security but it's based on something new. We do make our third-party service providers now - there's one major one in this area - we do make them come in periodically and do an audit of that type where they will engage a third party or come in to see what they can hack. So there are different measures in place to accommodate that and there's also, I believe, some activity on a corporate level in terms of getting into the wider area network that perhaps Miriam might be able to comment on.

MS. O'BRIEN: Yes, my division - the Infrastructure Services Management division of the Chief Information Office - is responsible for the provincial data network. There is a wide area network security policy that has been in place for some time and in support of that, the administration of it and oversight of it, we do have a full-time security authority. His role is to safeguard government's network environment. He is the one who is involved with any threat risk assessments that are done, with any vulnerability assessments, so that is something that's a normal course of business for us and is a priority.

MR. COLWELL: But you don't have, per se, someone hired all the time to try to get in your system, just to test it continuously?

MS. O'BRIEN: For the Chief Information Office, I will say we have tools and techniques, a variety of things in our arsenal, so as far as hiring someone solely with that purpose, not to my knowledge, but we do have a number of techniques that are used that do try to challenge and monitor our current environment.

[9:15 a.m.]

MR. COLWELL: It is the sort of the thing that one hopes never happens, but you hear once in awhile that someone has hacked into something and caused all kinds of grief for a lot of people. It would be good if the hackers were internal, not external - at least you would know where your weaknesses are. I know when I was on regional council, they had identified a problem with one of the very senior officials. As soon as I identified and let them know about it, they corrected it immediately and there was no more problem, but it was quite easy to hack into a very high level computer system with someone who didn't have very much skill. So I could imagine what would happen if someone had the skill and the ability, how easily they could have got in and what damage they could have done.

It's difficult to ask questions about this because I don't want to ask questions that you can't answer for security reasons. Based on what you've been telling us - and I'm very pleased with your response that you're really going after this to get everything fixed that you can identify, and I'm sure that you'll identify other operational things as you go forward. How has the password weakness been addressed? How have you addressed that?

[Page 6]

MR. MALLOY: This is a three-part answer and so I appreciate your bearing with us for a second. I'll do a very quick introduction. At a corporate level, when a new employee is hired, one of the first things we have them do is to sign a confidentiality agreement. Right from the outset of their employment it is expressed upon them the importance of the type of data they're going to be exposed to and the level of support we need to ensure that our policies - whether they be privacy or whatever - are adhered to. We also make sure the staff know that the penalties associated with any type of inappropriate use of our data or our systems is immediate and fairly severe. That way we can ensure that they are very clear on the seriousness on which we manage that database.

There are then two levels that we take that down, and I'm going to ask Michelle MacFarlane to speak, for example, to the Vital Stats world from a business process perspective and then turn it over to Rob, just quickly, to talk from an IT perspective. Michelle?

MR. CHAIRMAN: Ms. MacFarlane.

MS. MICHELLE MACFARLANE: So from a business perspective, as far as passwords and security in general, there are a number of things that we do when an employee comes on board. We generally have a checklist that we go through for security measures and what has to be done for that checklist, and one person is responsible for doing that.

Management-wise, the other things that we look at are on a periodic basis throughout the year. We take the opportunity of staff meetings to hold discussions on security and on access to information and why it's important to have different levels within Vital Stats of who can access what information. For example, within Vital Stats we have 24 employees all in one location. There are 11 different levels of security for getting into the system, so it's important for us to explain to our staff why it's important to have access to the information to do your job but not so much to the whole system.

There is also password security, emphasizing from a management level and a supervisory level a general understanding of the seriousness of leaving your work station with your computer on and what protocol is expected within that work environment. It is very much an environmental thing within the office and staff need to be aware of what's expected of them.

MR. DOIRON: There are a couple of things on the technology front. Michelle mentioned that we make sure that on these registry systems, the security is built right into the application and that there are various levels of access. It's all based on the employee's need to know and restricting them to just the information they need to do their job.

One of our biggest things we're doing around password management is really looking at and integrating it with what's happening at the corporate level around what we call identity

[Page 7]

management. We call it "single sign-on," where what we're doing is that password management is being managed at a corporate level through the CIO where they have a system whereby you're issued a password to get onto the network. There will be certain privileges with that password so that you can get into whatever parts of the system we need. That's a better way of doing things because it's centrally managed. It's easier to revoke passwords when people leave. What we're doing on all our new systems that we put in place is, they're being integrated and taking advantage of that corporate work so that we're more efficient and our security is strengthened around password management.

In Vital Stats and some of our newer systems we have that integrated now, and in some of the other systems we'll be doing that over time. Some of them will have to wait for the systems to be redeveloped. Where we don't have it integrated into that corporate piece, what we're doing is strengthening processes and implementing some of the suggestions, certainly, that came out of the audit report, as in actually reviewing these accounts on a periodic basis. This takes time, but it needs to be done. We're also strengthening passwords in terms of how we manage those within the different applications, doing things like having expiries on them so that we force you to change your password after a certain period of time and those will expire after a while. These are all things that we're doing.

Right now in the Land Registry, for example, in the next release of that system, there will be at least two or three features that strengthen passwords, how we manage it through that application. So we're working on a number of fronts. They're all intended to strengthen how we issue and manage passwords over time. I'm confident that we'll be in much better shape than we are now and it's a process of continuous improvement.

MR. COLWELL: Does all your staff have non-disclosure agreements with the province?

MR. MALLOY: Yes, we call them confidentiality agreements. They're signed when they first get hired and that agreement basically says that they're not to disclose any information whatsoever that they become aware of in the course of their normal duties.

MR. COLWELL: Have you had any violations of that?

MR. MALLOY: Any violation of those is reason for immediate discipline, possibly dismissal. As I indicated earlier, one of the most serious issues we have in this department is the confidentiality, protection and privacy of data. We make sure employees understand that right from the get-go.

MR. COLWELL: Have you had any times when anyone has had to be disciplined because of non-disclosure?

[Page 8]

MR. MALLOY: In the registries we're talking about here today, no, not that I'm aware of.

MR. COLWELL: I'd be surprised if you did. The land registry - as it goes online, have you identified any issues there that are unique to them that you've had to address so far?

MR. MALLOY: I'd like to ask Norman Hill to answer that.

MR. NORMAN HILL: The land registry system is a little different from the vital statistics, for instance, in that our information is available on a much broader basis, as Ms. MacFarlane referred to. In vital statistics the data is only accessible by a very limited number of staff members, a couple of dozen or barely more than that.

With land, particularly with respect to property online, there are several thousand subscribers to that service including the legal community, authorized lawyers have access to that system as well as real estate agents, employees of government, property appraisers, a wide variety of professionals have access to that. Indeed, anyone who pays the subscription fee would have access to that.

This is in keeping with a long-standing tradition in legal requirement that Registry of Deeds information be publicly available. It's public record information in the same way that, traditionally, a person could go to a Registry of Deeds and pay a fee, get in and look at the books and find out anything they wanted to about the title of properties in the province, or in the particular county in which they're searching. Property online allows that access to the same information, electronically.

Our system has a much broader access than the other registry systems, similar in some ways to the Registry of Joint Stocks, but, again a much broader access even than that. We have sort of two different types of access to our information - there is a general query access, which is available to virtually anyone who subscribes. A subscriber has passwords and those passwords meet the corporate standards and have quite rigorous controls. The system is unique in that there are so many of them.

We did find, after receiving the Auditor General's Report, that there were some dormant accounts that we weren't aware of. Those, for the most part, have been tracked down and shut down. Likewise, there were duplicate accounts, some of which had a legitimate purpose, like a lawyer who might have worked out of a law office and also for a title insurance company might have two separate accounts. Some of those properly had duplicate accounts, others were redundant and were shut down.

The other thing that's unique about land is in the type of access we allow to people outside of government. There are two very different levels of access. The query access I'm talking about, which is sort of the equivalent to the ability to go into the Registry of Deeds

[Page 9]

and search a title, that type of access is very broadly available. There's also a more rigorously controlled type of access, which only authorized lawyers have to the system. That allows the online registration of documents and registration of titles under the land registry system.

As you'll see from the Auditor General's Report, that type of access requires the lawyer have certain credentials, to be a practising member of the Bar and to have completed a course to allow them to have submission access to our system. The controls around that were found by the Auditor General to be quite rigorous, and although they investigated a number of lawyer accounts, they couldn't find that in any case the proper criteria weren't met for that access.

The land registry does have a very different system. It has broader access and different types of public access by people outside government, but similar sorts of controls to those described by Ms. MacFarlane. I don't know if I've answered the question or not. I rambled a little bit there.

MR. COLWELL: That gives me a general idea, thank you. I know it's complex.

MR. HILL: It is.

MR. COLWELL: One of the things, one security issue there - reported problems not analyzed. Now, has that been addressed?

MR. DOIRON: That refers to what we call instant management and analysing problems with security systems to really get to the root problem of that. That's a process that we've definitely been looking at and we want to get there, but we may have to direct some additional resources into that. We're looking at that now and trying to figure out how we can implement that recommendation. It will be dependent on resources, really, and how we're able to step up to that. We're really looking at that right now. We'd like to get there. It will be dependent on what it is going to take with respect to resources.

MR. COLWELL: Any of those problems that have been reported, that you're aware of, those aren't things that are - how can I put it - serious security risks? Were they minor, typically?

MR. DOIRON: No, any serious security risk would be addressed immediately. This is more about getting to anything that might impact security and looking at a computer problem or at something in the system that in some way, shape, or form may impact security down the road. It's around doing some deep analysis around that and having resources that analyze all this stuff, especially from a security perspective. Anything we would find immediately that had any security issue with it, that we knew was compromising our security, would be addressed immediately.

[Page 10]

[9:30 a.m.]

MR. CHAIRMAN: Thank you, Mr. Doiron. Mr. Colwell, your time has expired. We'll move to the Progressive Conservative caucus. It is now 9:30 a.m. You have 20 minutes.

MR. ALLAN MACMASTER: Thank you, Mr. Chairman. I was pleased to hear about the bundled birth service in your introduction to your remarks. Could you tell us a little more about how that works?

MR. MALLOY: I'd like to ask Michelle to give you more details on that, please.

MS. MACFARLANE: Bundled birth services were initiated last summer, the summer of 2009, actually. That is a partnership between Vital Statistics and Service Nova Scotia and CRA - the Canada Revenue Agency - and Service Canada, specifically Service Canada in the social insurance area. When a mother is in the hospital having a baby, that is the time where we at Vital Statistics get our registration information. It's a process that has been in place for many years and works well. That hasn't really changed. What has changed is that now, when the mother fills out the birth registration process, at the bottom there is an area where they can say, yes, I would like to apply for my baby's social insurance number and I would like to apply for my child's benefits through CRA, so they tick and sign that.

When we receive that registration, we input it just as we always have. Only now, once we have the authorization and the consent from the parent, we send the information to both of those organizations. We send the information to CRA, what they need and what they are entitled to, electronically, and we also send what Service Canada is entitled to, to them. When we register the child, when we hit that button, it automatically goes to CRA and SIN. It's a relationship that has worked really well, the partnership. It was a significant project to undertake because of the technology alone but also you are dealing with virtually three levels of government. It was challenging in some areas but very successful.

We constantly monitor the information going back and forth and, of course, if there are glitches on either end we have people in place who get on the phone or through e-mail and I'm pleased to say that it is working very well. We are getting a very positive response from the parents and our uptake, almost from day one, has been 94 per cent.

MR. MACMASTER: That's great. Just about a month ago I was talking to a woman, I remember her saying it's too bad they didn't have a system set up so that when you are in the hospital and you have a child, that all this stuff, that there's a way to get it all looked after and now there is. Perhaps if she finds herself in that position again, she'll find it much easier to get the SIN and all the other information set up for her child. I commend you for that, I think it's a good example of the department being proactive to help people make things easier, I think that's great.

[Page 11]

MS. MACFARLANE: Thank you very much. I should mention that we are continuing to look at what other ways, from that point in contact, we can make it easier for parents. As we get different partners, just like Service Canada and CRA, we will look at the service level agreements and the memorandums of understanding and have those signed off from security and information protection point of view.

MR. MACMASTER: That's great, thank you. Somewhat related to that, I know there are a lot of- and I think this is probably not a good example because I think it would fall under the Motor Vehicle Act. I'm not sure if it would fall under Service Nova Scotia and Municipal Relations to do this but for instance, when people need to renew their vehicle permits, put a new sticker on their license plate, there used to be a practice where people would get reminders. I don't know if that still exists or not.

MR. MALLOY: At this point in time, certainly it does. There is a renewal reminder, in the event of a licence renewal or a vehicle renewal, about three months in advance, I believe we send them out, yes.

MR. MACMASTER: That's probably something that goes out in letter mail, is it?

MR. MALLOY: At this point in time it is, yes.

MR. MACMASTER: Have you looked at making that or allowing people to have the option to use e-mail reminders instead?

MR. MALLOY: Yes, we've had that conversation and I know there is at least one other province that is using an e-mail data base. Unfortunately the one thing we didn't do when we went through the RMV modernization process was to establish a field for your e-mail address. Now it's not a substantial project, mind you - I say that and the IT folks always give me a different response. It is something we can add to the information so that when we interact with our clients they can give us that information and we can have that on file for future use.

We're looking at it, I guess, from a couple of perspectives. First, it is an opportunity to reduce costs because we don't have to mail out those hard copy forms and the second is that it's just simply more convenient. The only other issue with it is people tend to do a pretty good job of changing their address when they move. They may not always do a good job of changing their e-mail address when they go from one subscriber to another. The one province that has had this system in place for some time has experienced a fair amount of kickbacks; they will send out e-mails and they will come back as undeliverable. So I think we're still trying to perhaps work on how we could implement that in a way that it would be a minimal amount of effort on our side and best serve the client.

[Page 12]

MR. MACMASTER: I notice that Revenue Canada, when you're doing income tax, you can have an online account where you can see the latest, whether you're getting a return coming back to you or if there's - you can look at information on your past filings. Have you ever considered having something like an account for Nova Scotians where they could go to a Service Nova Scotia and Municipal Relations Web site and see if they need to renew their birth certificate or if they need a new copy of a birth certificate, that type of thing? Has that ever been explored?

MR. MALLOY: We've spent many hours talking about those types of things and I'll just flip to the business side for a second because I think it's an easier example to start off with. The one unique characteristic on every business in Nova Scotia is they have a single business identifier and so, therefore, we're able to associate all, for example, elevator lift permits, inspection requirements and everything with a single business because we have that unique identifier.

The business registry, that's one of the projects that we have in that area that we're starting to work on - an access to business portal, we're calling it. It's still very early days but the image is where you would be able to sign on and get all that information, much like your bank account, you know, for banking information where you sign on and you have access to your mortgage and your savings account, and all that. So that's very much a reality and the technology is being worked on pretty much as we speak to allow that.

On the individual side, the one challenge that we have is we do not have a single unique identifier in Canada that is readily attributable to everyone. So not everyone has a social insurance number, not everyone has a health card in Nova Scotia, and although you could still build that type of tool and make, I guess, membership voluntary from the perspective of requiring someone to have that unique identifier whether it be a health card, SIN, or whatever.

One of the other things, though, which is an issue there is clearly privacy and protection of data and on the personal side is a bigger challenge than it is on the business side. There's a lot of business information that is fairly accessible and already resides in public databases and now we can manage that because we've got the systems to do it.

On the other side of it, we've got to be extremely cautious of how we manage individual data. It's interesting, a recent survey I was looking at, people were asked if they supported government sharing their data and the overwhelming response came back, no. Then the second question was do you support government using that data internally to help expedite transactions in other areas of government for you and the answer came back overwhelmingly, yes. So, there's a very thin line that you have to walk between providing better service and ensuring the privacy and confidentiality of their data.

[Page 13]

I think most businesses are more accustomed to sharing data and understanding the risks around that. Most individuals aren't that sophisticated around that and the level of nervousness is obviously a bit higher.

MR. MACMASTER: I also notice it seems to be higher if a person is older, they seem to have less trust. I know even with Visa card use, a lot of younger people don't bat an eye to use their Visa for on-line shopping but I've heard different comments from people who may not have maybe grown up with that same level of trust and technology.

MR. MALLOY: Well, I think you're bang on with respect to that. I don't want to be stereotypical in my comment because that's certainly not the case, there are people of all ages who are extremely proficient with the use of Internet and their willingness to accept risk and manage risk on-line. Myself, you know, I get exposed to these systems every day, I'm still cautious on where I put my credit card information and I suggest all Nova Scotians continue to be that way and make sure, you know, there are ways to double-check that the security of the Web site you're working with is in fact using encrypted information and meeting the appropriate standards for credit card use and so on.

MR. MACMASTER: Land transfer tax - does this cover the cost of the services to do the administration behind transfer of land?

MR. MALLOY: I would like Norman to respond to this, please.

MR. HILL: The deed transfer tax is a municipal tax. The province facilitates collection of it through the land registry system but it's not, in fact, a tax that's earmarked for provincial use; that's a municipal tax. You may be thinking of the fees charged to register a deed or other document in the land registry system and those fees by our most recent calculation almost exactly pay the costs of running the land registry system. It's intended to be a cost recovery fee and it seems to be just about exactly the right amount for that.

MR. MACMASTER: I don't have too many other questions here so, Mr. Chairman, I won't be tying up our resources but I do have a couple more. One is, I was looking at a document you had provided here on the service volumes, certificates issued and registrations, and there was something that caught my eye. The numbers don't appear to be consistent and there's probably a reason for it. I'm sure if people may be getting a birth certificate but they might not be - I don't know why - maybe their birth isn't registered. Perhaps you could explain why the numbers appear like that. This would be on Page 2 of the Background Material on Vital Statistics.

MR. MOLLOY: In that case, I'd like Michelle to answer that.

MS. MACFARLANE: The Vital Statistics legislation indicates that every child born in Nova Scotia must be registered with Vital Statistics. There are a little over 9,000 children

[Page 14]

born, generally, in Nova Scotia per year and so we register that amount every year. Typically what will happen is, especially prior to the birth bundling, parents wouldn't necessarily get a birth certificate. The big rush for the birth certificate would be at about the age of four or five when the child was going to school. Then you have people who are applying for passports and they need an updated birth certificate, or they've misplaced their birth certificate, there's lost and stolen, so the amount of birth certificates we issue is much larger than the number of births we register.

Some other areas within the birth certificate area are that we have three types of birth certificates. We have what we call the short form, which is probably what most of you have and it will suffice for most things. We have a long form which shows parentage, so the parents' names are on the birth certificate. That's required for school and as well, Passport Canada is changing their policies so they will be requiring the parentage for children under 16 for a passport. Then we have the certified copy of birth and that's very rarely issued, it's mostly for adoption and areas like that.

There are a number of people who are applying for birth certificates, however, the finite number is the birth registration, so I hope that answers your question.

[9:45 a.m.]

MR. MACMASTER: It does, that's great. Just on the births and deaths, so the registration figures would be the ones we would want to look at if we were trying to see how many people were born, how many people had passed away in the past year. This is showing me a little bit of a positive here because I think it was in 2006 that we had more deaths than births in the province. I wouldn't expect you to recall that offhand but I had kind of thought that we were starting to move in that direction, as a trend as a province, but it appears that we're starting to see more births than deaths again. Would that be the case, do you think? Would these figures be accurate to assume that's the case?

MS. MACFARLANE: I don't have the trending data with me but I know in 2008 and 2009 that was the case.

MR. MACMASTER: Okay, thank you, that's good. Thank you, Mr. Chairman, I will return it to you.

MR. CHAIRMAN: Thank you, the time is 9:46 a.m. and we will move to the government caucus, Mr. Whynott.

MR. MAT WHYNOTT: Thank you, Mr. Chairman, and thank you for coming today, giving us the opportunity to question some of the findings from the Auditor General's Report. I just want to make a few comments and then I'll get into some questioning. Two weeks ago my sister-in-law had a baby at the IWK and the first thing she said to me when

[Page 15]

she got out was what a great service the bundled birth service was for her. She had a baby only two years previously and that service didn't exist, so it was her experience that it was very easy to have done and certainly benefited her family.

I have a question around what potentially are the next steps for the bundled birth service for Nova Scotians. In particular, I want to ask a question about marriage licences versus certificates. I just got married in the summer and I don't quite remember how it worked but . . . (Laughter)

MR. CHAIRMAN: How it happens. (Laughter) The question, Mr. Whynott?

MR. WHYNOTT: That's not what I meant - we digress. (Laughter) You have to go get your certificate and then you have to go register it. Is there an opportunity to bring those services together? Has that been talked about?

MR. MALLOY: I'm going to hand it over to Michelle because there are some specific questions you had in there. One of the tracks we're going down with individuals - and it goes back to the conversation of our inability to have a unique identifier that we can necessarily work with an individual. The alternative approach to that is what we call bundling of activities or bundling of services. So the first question was, is there an opportunity or are we looking at areas for expansion of that program? We actually are.

One of the areas - we hired four, I think, Dal MPA students for the summer, and one of their jobs was to identify for us some areas where citizens could benefit from bundling of these types of services. Not surprisingly, one of their priorities came back as the whole area of bereavement upon the death of an individual in the family. That is an extremely complex area where there are a lot of reporting requirements, so that's one of the priorities we're working on.

Again, we're looking at using the same process that Michelle used at Vital Statistics to look at the circumstances around bereavement, around death. That area is something that I think people appreciate upon birth. They would certainly appreciate it when they're dealing with that situation in their family.

Some of the other questions, the more specific ones around your permitting and licencing process, I'm going to hand over to Michelle to address.

MS. MACFARLANE: Just a brief overview on the marriage process. When two people decide to get married . . .

MR. CHAIRMAN: You asked for it. (Laughter)

MR. WHYNOTT: Yes, let's relive that. (Laughter)

[Page 16]

MS. MACFARLANE: The first step is to apply for a marriage licence. This is all through legislation. They apply for the marriage licence, and what that does is it determines the eligibility to marry in Nova Scotia. There are qualifications. For example, one of the common things is, have you been previously married, and if so, are you legally divorced? At that point, documents will be shown and you will be signing an affidavit, et cetera.

Once that is determined, that you are in fact legally able to marry in Nova Scotia, you leave with your marriage licence. At that point you decide whether you want a cleric wedding, whether you want to go through a religious ceremony or a civil wedding. You decide and approach whoever you want to marry you. At that point you hand that documentation over and the cleric and/or the JP who is performing the wedding has certain criteria that they have to do to legally marry you in Nova Scotia. They will fill in that documentation, send it in to us, and at that point we will register the marriage.

For example, some people may get a marriage licence and not get married, and there is a 12-month expiry. What would happen there is we would have on our records that you applied for a marriage licence, but indeed, we would never have registered you. It's a two-step process because of the importance of making sure you are eligible to marry and not putting that on the clergy or the JP. It is a system of doing that.

MR. WHYNOTT: Okay, thank you for that. Next, I wonder if you can just lay out the mandate for Vital Statistics, land programs, the business registry, and joint stocks?

MS. MACFARLANE: The mandate of Vital Statistics is three prong. First is maintaining the registry of all births, deaths, stillbirths, marriages and domestic partnerships in Nova Scotia. That is a very important part of our mandate because we are legislated to provide that to Statistics Canada who use it for a variety of reasons including health analysis, etcetera, so that's our first mandate.

The second is to issue certificates for proof of legal status. The birth certificate, as you probably are aware, is the foundation document for the Canadian identity so it is the door really of who is eligible and entitled to Canadian benefits and travel documents within Canada. So our certificates are the proof that, indeed, you were born in Nova Scotia, if you died in Nova Scotia, married in Nova Scotia, etcetera.

The third mandate is to collect and maintain the data for the vital events that are happening in Nova Scotia for other agencies throughout the world, world health organizations, because on the death certificate we have the medical certificate of death, which the doctors and the medical examiner fill out saying how they died, what they died of, etcetera. That information is crucial for organizations such as Statistics Canada and our own provincial health organizations to look at some of the trending and some of the proactive things that we can do within the health world.

[Page 17]

Those really are the three main things that we do. We register all the vital events and make sure that they're accurate and they're registered timely; we issue certificates, making sure that it's issued to the right person and that they are entitled to those certificates; and then we share information with trusted sources and partners.

MR. WHYNOTT: Statistics Canada would be one?

MS. MACFARLANE: Statistics Canada is one of our main trusted partners. Hayley?

MS. HAYLEY CLARKE: With respect to the business programs that were subject to the audit and which I'm responsible for, the Registry of Joint Stock Companies mandate is we facilitate the formation and registration of businesses and not-for-profit agencies in Nova Scotia. We maintain a database of that information and update the filings received from those businesses and not-for-profit organizations - director and officer information, registered agent information. We provide the public with access to that information through an on-line database and our registry office.

With respect to the Nova Scotia Business Registry, that is in relation to the program that Deputy Minister Molloy referenced earlier with the unique identifier, the business number that is assigned by the Canada Revenue Agency on the formation of your business. We use that unique identifier to enable different programs to share the corporate profile data within the Nova Scotia Business Registry. There are 50-odd programs that issue licences or permits and registration with that as a unique identifier.

MR. WHYNOTT: Thank you. So Land Programs.

MR. HILL: The Land Programs mandate is mainly three things. Firstly, we regulate the modern land titles system, which provides for a limited provincial government guarantee of basic land ownership and most of you would be familiar with that. That's the system whereby if a property since 2005 is sold or mortgaged, it has to be brought under the new land registration system, which is provided for by the Land Registration Act. We regulate that process and run that land registration system.

We also are responsible for the traditional Registry of Deeds, which is the registry system that has existed since 1749 when land started to be granted and transferred in Nova Scotia. That system remained relatively unchanged from then until the present time. We continue to run that system until every single piece of property in the province is brought under the new system. So we have to run those two systems in parallel for the foreseeable future.

The other thing, or the third aspect of our mandate is to provide the electronic land registry which was instituted coincident in time with the land title system and this is the system that allows for electronic searching of titles rather than going into Registries of Deeds

[Page 18]

and looking through the dusty old books. This allows for searches to be conducted from anywhere there's Web access so that you can search a title in Yarmouth County from Sydney if you wish.

We look after the creation of and the maintenance of that electronic land registry and that includes digital property mapping. We've mapped every piece of property in the province and each property is identified by a unique property identification number which is linked to the land registration system. Of course, this has involved scanning of every paper document of which there are millions, every paper document in every registry, in the 18 registries around the province. Some 30 million documents, plans, deeds and other title documents have been electronically scanned and brought into this electronic registry system. We're also responsible for maintaining that and that's the system the access to which we talked about earlier in the discussion about passwords.

MR. WHYNOTT: Wow, a lot of work. The auditors have indicated that they did not find any instances of unauthorized access by either government staff or contractors to these registries. Are you aware of any instances of inappropriate access to any of these registries?

MR. DOIRON: No, we are not aware and have no reports of any inappropriate access across any of these registries.

MR. WHYNOTT: Based on audit findings, what are the most significant things that you'll be focusing on to protect the registry information?

MR. DOIRON: Well, we've accepted all of the recommendations so we'll be moving. on all of those. In terms of areas that we'll be focusing on, we'll be looking at the ones that we can always see a fix right away and move on. We'll be also looking at the ones that we think pose the greatest risk of any kind of inappropriate access.

[10:00 a.m.]

That being said, I think there are three areas when I look at the audit that really we'll be focusing on. One is the staff awareness piece. We do a lot of stuff to get in front of staff and make them aware of security, you've heard some examples of that. What the audit indicated is that there is some staff who are not aware of certain pieces of that. So we're going to have to look at that, come up with some different ways of doing that perhaps, of communicating that information. Maybe looking at some different tools like videos and that type of thing. Just generally getting in front of staff probably on a more frequent basis and in a way that it makes it easier to understand all the components around security and what their accountabilities are.

I would also say that it has come up, this has come up also at a corporate level. I know there's some work being done at the CIO. It came out of a previous audit with respect

[Page 19]

to whole of government security. There was a recommendation in there around increasing staff awareness generally across government for that and I know that there's some work being done there. We will certainly work with the CIO and certainly try to take advantage and to use anything that's developed corporately. So there's a whole thing around staff awareness.

I think there's another area where we have a lot of, one of the messages out of this audit to me is the fact that we have a lot of policies, procedures. We have practices in place to protect our security but we need to spend some more time going in and monitoring those to make sure that things are actually happening that way. We have almost 900 employees. We have many, many systems, we're talking about four today. There's a lot of activity to monitor and this requires some energy. We need to develop some means to go in and look and assure ourselves that these practices are being followed across all of our systems on an operational and daily basis and be able to report on that. So those are sort of the two major areas.

I think definitely on the third area around password management, we've done some immediate things on that and that's a continuous thing that we're working on in order to strengthen how we manage passwords and how those are implemented within each registry and each system that we manage.

MR. WHYNOTT: Thank you very much. Mr. Chairman, I'm going to share a few minutes with my friend from Pictou County.

MR. CHAIRMAN: Mr. MacKinnon, you have four minutes.

MR. CLARRIE MACKINNON: Mr. Chairman, just a couple of quick questions. Ms. MacFarlane explained how the marriage system works for Mr. Whynott, the two steps involved there. One of the situations that I'm wondering about is the domestic partnerships and the steps involved for registry of those. There are so many domestic partnerships that exist in this province. Can you explain how that works? You went through the two steps on the marriage, so what about this?

MS. MACFARLANE: Domestic partnership registration is a fairly new registry that we have. It's a registration process that, when two people want to register a domestic partnership they have to provide the documentation, the same as the marriage licence, but it's one process. They come into our office, they're asked if they were previously married, and if they have been, they need the documentation to prove that they are now legally able to marry. Both need to sign identification. It's a fairly simplified process, and what the domestic partnership does is it registers them in the Domestic Partnership Registry and entitles them in other areas of their life - legal and property, for example - to be considered the same as marriage without having to go through a marriage ceremony and marriage licence process.

[Page 20]

MR. MACKINNON: Are many people coming in for this service? It is a new service, but are you getting quite a response? There are so many domestic partnerships that would not be registered in this province.

MS. MACFARLANE: Yes. I think you're referring to common-law versus actually coming in and registering as a domestic partnership. We get about 100 a year, so not a high volume of domestic partnership, but it is meant to be a fairly simplified process to register for those who do not want to take the marriage route.

MR. MACKINNON: For Mr. Hill, the migration situation in this province - I remember a few years ago that there were a number of constituency queries and concerns and so on and that has dissipated. I think there must be an acceptance of this system and it must be functioning very well. Could you perhaps comment on that?

MR. HILL: As with anything new, some people are slow to embrace change. We found that quite quickly after the Land Registration Act was proclaimed and gradually implemented around the province, people recognized the very significant advantages of not only the new land registration system but also the electronic registry. People recognized the benefits of this over the traditional system, and as people became familiar with it, it was quite quickly embraced and we've had much less of that kind of resistance or negative feedback.

There certainly was some at the very beginning, as I understand it - that was before my time, but I was aware of that - but now, it's embraced by the legal community and by the public to a very large extent and it has been quite successful.

MR. MACKINNON: There were some concerns about the expense involved and I don't even hear that anymore. I think for the expense, there is an acceptance that there is a good service being provided.

MR. CHAIRMAN: Mr. Hill, I'll give you time for a short answer, but Mr. MacKinnon's time has expired.

MR. HILL: Yes, people are often confused about the expense and thought that was a government fee. In fact, there is no government fee whatsoever to register property. It was the legal fees that were the problem, to the extent that they were a problem, and the forces of competition have brought those fees down considerably and there's much less resistance to that now.

MR. MACKINNON: Thank you very much.

MR. CHAIRMAN: Thank you very much, Mr. MacKinnon. We'll move back to the Official Opposition caucus. You have 12 minutes, Mr. Colwell.

[Page 21]

MR. COLWELL: Back on land registration, this is sort of off of where we are here today but I have a couple of questions around that because it has come up several times in my office. How do you protect against people filing wrong information, in other words, taking the wrong information to a lawyer and the lawyer accepts it on face value and then it is registered? When that is identified, how is it corrected?

MR. HILL: When you say wrong information, if you're talking about a forged document, for instance, under any land registration system there's always a risk that someone will forge a document. Under the traditional registry system if a forged document was brought in, someone paid the fee, it was accepted, it was put on the registry records for what it was worth and there was really no check of that at all. Now, under the new system of course, most documents have to be registered through a lawyer so there's sort of an extra level of review of that document and more opportunity to uncover a fraud.

There have been very few examples of that actually happening. There's always a risk that someone will forge a document or forge someone's signature or whatever. It's more likely for that sort of thing to be picked up in the new system, particularly when a property is migrated. There is a great deal of rigour around the searching of the title and there are audit processes to ensure that everything is properly done.

For that type of wrong information it's very, very difficult to get that in. If it is uncovered, and there was a case just very recently where an apparently forged document came to the attention of the landowner. That was resolved through a court process and ultimately, as I understand it, an order was granted which will - hasn't yet been - be filed in our system which will remove the effect of that apparently fraudulent deed.

I'm not sure that's the type of erroneous information you were talking about. If it's a different type, perhaps you can tell me what type of erroneous information you are referring to and I can probably respond more specifically to that.

MR. COLWELL: It's actually one particular case I've had. An individual made up a drawing that went with a deed that didn't exist before and filed it.

MR. HILL: I wouldn't be aware of the particular case but that sounds like a filing under the old Registry of Deeds system. Under that system most anything that is presented at a registry office is accepted for filing, without any particular review, except to meet proof of execution requirements and things like that.

I don't know a sketch of the sort you describe, I'm not sure how that would make it to the system. Normally a survey plan would have to be certified by a Nova Scotia land surveyor. Unless it was attached to a deed or something like that, I'm not sure how a document like that would get on record. All I can tell you, in a more general way, is that

[Page 22]

there's more checks and balances under the new land registration system than there was under the Registry of Deeds system.

When frauds or errors are uncovered, there's a number of ways they can be corrected. I hesitate to even try to comment on a particular situation without knowing the complete story. There certainly are a number of ways in which erroneous information would be found out, hopefully before it is registered and if not, then after. There are certainly systems for an error to be corrected.

MR. COLWELL: Just in general terms, how are those things addressed? What can I tell my constituent, in other words, where will they go from there? I don't have any idea how to handle this.

MR. HILL: Well I can say that if the particular situation is referred to my office, we'll certainly look into it. I hesitate to talk in detail in this forum about how we would deal with that but we certainly do receive referrals from members of the Legislature with respect to constituent concerns. We look into them and address them as they come up. I'd encourage this particular constituent to either see a lawyer and have the lawyer contact my office, or if your office wants to forward the details along, we'll look into it. Beyond that, I'm not sure I could say how we'd respond to that particular concern without knowing the complete details.

MR. COLWELL: That's the answer I needed, that's all I need for that. Thank you very much. At least someone will have a look at it, that's really what I care about. I've handled a lot of things since I was elected an MLA a long time ago and this is one I had no idea how to tackle. Anyway, I've got an idea now and that's all I needed.

I'm going to go back to hackers again. Are you aware that the banks have a big reward up for anyone who will hack into the password system?

MR. DOIRON: I'm not aware of that action by the banks, no.

MR. COLWELL: I can't remember if it's $1 million or $3 million, if anyone could break their access code and get into the system. No one has ever cracked it but it is there. It is quite an inexpensive way for them to check, continuously, their password system.

Security really bothers me because I used to do a lot of military work and it was very secure, the stuff we worked on. It is so easy to get into a system if you know how to do it, if you are a hacker. I wouldn't have any idea how to do it but I have some friends who are very capable people with computers - and they are honest people so they are not anyone you have to worry about, but there are a lot of people out there who aren't honest and who, for all kinds of reasons, would like to hack into our system. That's why I'm curious because one

[Page 23]

way to find out about this - the Canadian military has permanent hackers and they hack all the time, that's their job. I actually know one of them, quite an interesting person to talk to.

Have you ever given consideration to something like this, to really test your system solidly all the time? I'm not saying it's not secure at all, I'm not even insinuating that at all.

MR. DOIRON: Well I would say that there's work going on continuously. I know the CIO has monitoring tools and periodically engage outside companies to come in and try to get into the network or try to identify any vulnerabilities to the network. I will tell you, in our department, when we put any major change to a system or we develop a new system to put in - you've heard some reference to the bundled birth service . There's a lot of security built in around that right from the very beginning.

[10:15 a.m.]

There are some very formal things that we do around that. The first thing we do before we even develop any of the technologies, we do a privacy impact assessment. We're going to change our business model. We're going to do things a little big differently. We're going to collect information and we're going to move it around electronically. We want to go in and look at that from a security perspective, so we actually go in and look at every piece of information that is involved in that change. We identify where it moves as we move it around electronically, whether it is coming from the hospitals into our system, then it is electronically flowing to the federal government, we look at all aspects of that.

Then, based on that, we come up with a design that ensures that the security is in there, to make sure that is not compromised in any way through that entire process. It will identify how we are going to design the system, from a security perspective, it will talk about all of the things that we're doing to protect the privacy. There are also things in there around the business processes themselves. This is the first thing we do. We are obligated to do that and we do a lot of those privacy impact assessments in any one year because there's a tremendous amount of change in these registries.

The second thing that we'll do, and we have done this on a number of occasions, especially when it is around very sensitive information like is contained in the Vital Statistics Registry, we'll go another level with that - we will do what we call a threat risk assessment. This is where we go in and we actually - again, we will hire an outside company to make sure that we have the latest expertise and the best expertise. What we will do is we will have them identify, first of all, look at the information we're looking at here, to identify how sensitive it is and we'll put some type of score on that to define how sensitive it is. Then we'll look at all the potential risks we have, including hackers. We'll look at who potentially would want to get access to that information and then we do some assessment around the risk of that. That would identify any additional things we need to do to reduce the risk. Based on that assessment, we would implement those before we put the system in place.

[Page 24]

If this is any kind of outward-facing system that people can access, we will also do what we call a penetration test. I think that's what you're getting to, in that we would hire a company based on us introducing this, that in a test environment we would ask them to see if they could figure out any way to get into this. They would use whatever sophisticated tools that they had at the time. There are many different ways that we do that and we do get the outside companies to come in, especially when we're introducing something new or putting something new into the system.

MR. MALLOY: Could I ask Miriam to add to that, please?

MS. O'BRIEN: I just wanted to add, from a corporate perspective, a lot of people have heard the term "firewall." In my lay view, I picture a big circle and those that are in are protected and those that aren't, aren't - either coming in as friends or potentially are trying to get in more hostilely. Actually, our firewall technology and our network operations group have a series of firewalls in place that together make a much more robust and resilient environment.

For instance, we have a firewall around the provincial data network, then behind that we have firewalls around an application, around a server, and in lay terms, kind of sub-pockets of firewalls. It's actually very complicated to get through a series and to get to where information is safe-guarded. I wanted to mention that.

I also wanted to mention that - without referring specifically to hacking - there is a concept called a vulnerability assessment. The Auditor General has actually recommended and we have accepted that work be done on an annual basis. That is a series of scans that go in and challenge the network and identify risks. Combining that with our monitoring of logs with hackers in general, you can look for patterns of inordinate activity or high levels of traffic that don't make sense. We have a number of layers of human intervention, technical tools and so on, that I think together are fairly proactive in identifying if there are risks and identifying areas that collectively both our department partners like Service Nova Scotia and the Chief Information Office would take action.

MR. COLWELL: I'm pleased to hear that. I'm not going to ask any more questions. I just want to close with, I'm very pleased with the work that you're doing. I'm pleased to see that you're following up with the Auditor General's request to change things. You must be one of the only departments in government that's actually doing that, based on the reports we get back from the Auditor General, and I want to commend you for that. I feel more secure after talking to you today, and Nova Scotians should as well. Thank you.

MR. CHAIRMAN: Thank you. We have Mr. MacMaster next - 12 minutes.

[Page 25]

MR. MACMASTER: Mr. Chairman, I actually don't have any further questions today, but if I might ask for a written response on the trending data for births and deaths, that would be helpful.

MR. CHAIRMAN: Is that for the period 2000 to 2010?

MR. MACMASTER: Yes, if we could look back over the last 10 years, that would be great.

MS. MACFARLANE: Certainly, I'll have that for you.

MR. CHAIRMAN: Thank you. We'll have another 12-minute round for the government caucus, Ms. Kent.

MS. BECKY KENT: Mr. Chairman, I'm not going to have too much. I think that we've covered a lot. I think that we have such a good outcome on the audit, we have much to be proud of, and I certainly appreciate hearing more about it through the questions. Keep up the good work.

I do have a situation as an MLA that has sort of been on my mind since I've had to deal with it. Mr. Malloy, you noted the complications and perhaps the challenges around bereavement statistics, bereavement process and such. I just want to describe a little bit about what came to me, and it's related to what my colleague from Pictou noted as well, which is domestic partnership, common-law.

The particular situation was associated with a long-term 20-plus years common-law type of relationship with a military family who had a death, and the common-law wife struggled significantly with the identification or the validity of their relationship in relation to the release of a death certificate. The release of the death certificate then held up every other benefit related to that partnership, that life, at a very difficult time.

It was a little while ago, when I first became an MLA, so the details of it aren't 100 per cent clear, nor do they really need to be, but my point here is, I know you referenced the whole domestic partnership element is fairly new and you comment on the uptake of it. My question is, we do have people who have lived in very long-standing relationships, whether it be common law or certified or I guess on record, domestic, but we have an awful lot who aren't.

I would hate to think that there is still an element out there of people who may end up in a situation like that. Again, we all know it's a difficult time at best, and then to have that complication thrown in. Has there been some improvement? Was that an anomaly? Have there been things that could have already improved that type of situation or are we looking at going in a direction that would?

[Page 26]

Again, my thoughts are, if it's so new, what do we need to do to help people, whether it's education, create a full strategy on making sure people who are in that relationship, that type of living arrangement, are provided the information they need so that they don't have to deal with that later?

MS. MACFARLANE: I do acknowledge that in the bereavement area. It is a tough area to accommodate, when you hear the stories, and we do whenever we can. One of the things that we do have is a very good relationship with our funeral directors who are actually our division registrars for death. This is an example, perhaps, where we would work with division registrars to try to work some things out. We have worked many things out in the past.

Specifically, the death certificate or what we call the long form - which is the death certificate where the medical certificate of death is on - that is very restricted as to who has access to it, for obvious reasons of cause of death and other information on it is very private. That said, it's very specific in our Act who can access that. One of the things that we try to leverage in cases such as yours is the executor of the will and the next of kin are eligible, in certain circumstances, to get that.

In cases where it's not a marriage, they aren't married, we try to work around looking at those types of things and going from an angle looking at the authentication of whom the person is and are they the executor of the will and/or the next of kin. That's one area of how we deal with the current legislation and the current policies and the current protection of that death information.

The other area that you're talking about in the domestic relationship, that's an area that the uptake is fairly low but it's a very specific audience that is attracted to that service. It's mostly people who are not - they don't wish to get married, but they do indeed want to get the benefits in the legal area, for example.

Unfortunately, a lot of people don't think about that prior to, and are not proactive. There are certain situations where we do come in, especially in the bereavement area, but as I said, we really have to look at each one of those individually, work with our funeral directors. The most important thing is that they contact us so that we can work with them to see what their specific examples are and to get what they need. For example, if it's insurance purposes, which most are, that type of information is required for, we can often work directly with the insurance agency.

MS. KENT: The only other question I have is - I think clearly the message that I can see of the data that we have and the information you're sharing is that we are on the right track. We certainly seem to be acknowledging that even through some of the recognition that you've received recently in our province, that you have a good record of performance and such. I wonder if you can comment on how that compares to other provinces? The other part

[Page 27]

of that is how well, I guess it's not necessarily related but I'll throw them both out there, how well aligned are we with our counterparts in the federal departments ?

As far as the client is concerned, when there has to be connectivity between what we produce and help them move forward with in relation to forms that they might need or be contingent upon something related to Nova Scotia that they need to produce and they then have to file with a federal department, how well aligned are we? Are we hitting the mark on those kinds of things? Do we have a good process in place for that?

MR. MALLOY: Yes, I'll begin. First of all, with respect to the Province of Nova Scotia, we have a few advantages I would say. Number one is we're a smaller province and by that very nature we seem to implement things a little quicker than a province like Ontario or B.C. can. So in many respects when, you know, if you look at the time frame from idea to implementation in Nova Scotia, we seem to be very quick out of the gate and we've had a lot of success.

Secondly, I would say we are really blessed here in Nova Scotia in that we've got a truly innovative leadership-oriented team at Service Nova Scotia and Municipal Relations in many of the ideas that we have had. Take the Nova Scotia Business Registry which was launched back in the late 1990s or early 2000 time frame, or the birth bundling piece - a lot of that stuff is the very first time it has been delivered in Canada.

So the federal government, and I've heard this firsthand from a number of senior officials with the federal government - they like to work with us because they feel that we are - I don't want to use the word less bureaucratic, but we are more willing to get to the end solution quicker. I think the whole birth bundling piece really only took about a year and a half from start to finish which in government terms is reasonably good, given the nature of the information that had to be worked back and forth and the processes and the technology and everything. So I think federally, or nationally I guess, we are looked at as a province that is held in very high regard.

[10:30 a.m.]

Recently there was an individual came over from New Zealand to look at - he wanted to see what Canada's best was from the provision of services to citizens. There's an organization in Toronto called Institute for Citizen Centred Service, which is a national body, and the first stop they had him make on his trip to Canada was Nova Scotia. He spent about four or five days with us, walked through all of our services, and we received very, very high accolades from him with regard to our services and our general attitude towards serving Nova Scotians. So, you know, it's that type of thing that I take a lot of solace in.

Our comparison to the rest of Canada, I would say every government is a little different. Some governments are ahead of us in certain areas and we're ahead of other

[Page 28]

governments in certain areas. Manitoba I know has done some amazing work that we're starting to go down the route of on working with the business customer. Where models are different, government priorities are different, staffing, everything is different, it's hard to do a real comparison but I'm very pleased to say that I think Service Nova Scotia and Municipal Relations and Nova Scotia generally is certainly among the leaders in that area.

MR. KENT: Mr. Chairman, at this point my colleague, the member for Halifax Chebucto, would like to share and take a question or two.

MR. EPSTEIN: A small point, I think, for Ms. MacFarlane. In the first round of questioning when my colleague - the member for Inverness - was asking you about newborns, and the registration of newborns, I thought I heard you say that you had 94 per cent uptake. Did I hear that correctly and, if so, could you explain what that meant?

MS. MACFARLANE: I did say 94 per cent uptake. What I meant by that was, prior to the birth bundling being launched, the registration document that the mother signed and filled out and went to us didn't have the CRA and the social insurance number option. From the first time we put it in, that first week, we were almost up to 94 per cent of mothers who were in the hospital who had babies actually said yes, I would like those two services. It has been very consistent since. So almost 94 per cent of the mothers who are having babies in the hospital, we know that they are doing that rather than filling out three application forms.

MR. EPSTEIN: Right, so the 94 per cent was the bundling, I guess, that you're talking about, not the original registration of the birth. That's mandatory for everybody, yes?

MS. MACFARLANE: That's 100 per cent, yes.

MR. EPSTEIN: That's what I thought. Good. I just wanted to sort that out.

I guess the next point that I'm wondering about has to do with a safety feature. I'm assuming that the data is not kept in one place. I'm assuming that there are multiple locations and what for a regular user of a PC would be some kind of backup. I'm wondering if I could just hear what would happen if one of your main places in which you are keeping your data were to be destroyed in some unfortunate way. What are the backup arrangements to make sure that this doesn't represent the complete loss of the data?

MR. DOIRON: Firstly, all the information from our registries is physically located in the Provincial Data Centre, which is managed by the CIO, and there's no data really stored operationally on any of the desktops or any things that people use to access that.

What happens is at the data centre this information is also backed up periodically and is transferred offsite, so that if there ever was anything that was to happen to the data centre itself, we would be protected and we would be able to go back and get that data.

[Page 29]

The other thing we do to protect our data is we have logs of every time that data has changed, so if we had an older version located somewhere we could take that and then we could reconstruct anything that would have happened between the time we stored it offsite and when we're restoring it. There's a lot of measures in place around disaster recovery to ensure that we're protected on any of these registries and, in fact, any of our systems if anything like that was to happen.

I don't know if Miriam would like to comment more around the data centre side of that.

MS. O'BRIEN: The data centre itself, we have a number of disaster recovery types of activities going on. Really, it's about resiliency, our ability to safeguard the services to clients and certainly the services our client departments are delivering. So yes, the province undertook a multi-year investment in the data centre a few years ago to increase its robustness. There are now dual generators, there are redundant batteries and that kind of thing, so some hardcore infrastructure has been upgraded to protect the services that are housed there.

In addition, we have a data centre vision project that is looking at what the strategy should be for the province in the long term. As far as the second data centre, a hot swap site and so on, we do have other sites in play now, but the time is right to look at what is an overall corporate vision for where that should be in the future. Recommendations will be going forward to government on that topic. So combined with the data protections of backups and so on, the physical protections are in place.

We do have a corporate disaster recovery plan, which was one of the first initiatives our newly-minted Chief Information Officer activated when that position came into play. Again, it is an iterative, constant investment of our time and priority to make sure we get stronger and build on the strength we have today.

MR. EPSTEIN: That's a help, thank you. I think the time is up, thanks.

MR. CHAIRMAN: Thank you, Mr. Epstein. Thank you, Ms. O'Brien. We've come to the close of our formal rounds of questions. Traditionally we've given the deputy minister, or whoever would like to speak, a chance to summarize and have some closing comments. Mr. Malloy.

MR. MALLOY: Thank you very much. I'd like to begin by thanking my colleagues here today. I know it's somewhat inordinate to have this number of people, but when I considered the diversity and the complexity of the work that was being considered in this case, I felt it more than appropriate to bring the people here today who could answer your questions - and I think we've been able to do that. I also felt it an opportunity to demonstrate to yourselves and to Nova Scotians the great people that we have and the great work that

[Page 30]

they're doing, so I'd like to begin by thanking my colleagues here today who have been part of this process.

I'd like to thank the Auditor General. He probably doesn't hear that a lot, but the work that's being done there really, truly is in the best interests of Nova Scotians and our organization. It's a lot of work when they come in to facilitate the audit and to provide them with the material that they require, but at the end of the day we know, collectively, that what we're doing is strengthening the systems that Nova Scotians have and rely on and none of us would disagree that it's a good investment of our time and energy. So thank you very much.

I'd also like to thank the members for their interest and their questions in this area. Holding us accountable for what we do is part of democracy and we support that. We think the questions here today help us enable you to have better information on providing answers to your constituents and gives comfort to yourselves that we're doing the right things.

My closing comment is - and I believe this from my heart - that Nova Scotians can rest assured that their information is safe at the Department of Service Nova Scotia and Municipal Relations, and we will only continue to improve upon that. Thank you very much.

MR. CHAIRMAN: Thank you, Mr. Malloy. On behalf of the committee I, too, would like to thank you for being here and for bringing your senior staff here. I think your responses here have been very thorough and reassuring. We may well have you back a year from now to look at some of the follow-up that the Auditor General has recommended. I would like to thank your department and, in particular, Vital Statistics for the great report you got from the Auditor General. I hope the rest of the registries here are taking notes and will be similarly blessed - if I can use that word - when we next look at the department. Thank you very much for coming in and thank you for your responses.

Before you go, Ms. MacFarlane, Mr. MacMaster had asked for data from 2000 to 2010 on trend lines on births and deaths and, if you wouldn't mind sending that to the committee whenever you have that data ready, we would appreciate it.

MS. MACFARLANE: I will indeed.

MR. CHAIRMAN: Thank you. We have a few minutes of committee business, so we'll let our witnesses leave and then we'll get down to it.

Just a very little committee business. We have received, and all of you should have a copy, of correspondence from the Department of Energy with regard to information we requested on October 20th. Also just for the future, we do have a meeting of the Subcommittee on Agenda and Procedures on December 8th and at that meeting we will be picking topics for February.

[Page 31]

In January, we have two meetings. The Department of Community Services, Ms. Judith Ferguson will be here to talk about housing supplements in Community Services - it's one of the chapters of the Auditor General's Report - and on January 19th, the Department of Community Services will be back to talk about services for persons with disabilities.

Do we have any other business?

Is there a motion to adjourn?

AN HON. MEMBER: I so move.

MR. CHAIRMAN: We are adjourned.

[The committee adjourned at 10:41 a.m.]