HANSARD
NOVA SCOTIA HOUSE OF ASSEMBLY
COMMITTEE
ON
PUBLIC ACCOUNTS
Wednesday, April 1, 2015
LEGISLATIVE CHAMBER
Department of Community Services
Integrated Case Management System
Printed and Published by Nova Scotia Hansard Reporting Services
Public Accounts Committee
Mr. Allan MacMaster, Chairman
Mr. Iain Rankin, Vice-Chairman
Ms. Margaret Miller
Ms. Suzanne Lohnes-Croft
Mr. Brendan Maguire
Mr. Joachim Stroink
Mr. Tim Houston
Hon. Maureen MacDonald
Hon. David Wilson
In Attendance:
Ms. Kim Langille
Legislative Committee Clerk
Mr. Gordon Hebb
Chief Legislative Counsel
Mr. Michael Pickup
Auditor General
WITNESSES
Department of Community Services
Ms. Lynn Hartwell, Deputy Minister
Ms. Vanessa Chouinard, Executive Director, Policy & Information Management
Ms. Dale MacLennan, Executive Director, Finance & Administration
Department of Internal Services
Ms. Sandra Cascadden, Chief Information Officer
HALIFAX, WEDNESDAY, APRIL 1, 2015
STANDING COMMITTEE ON PUBLIC ACCOUNTS
9:00 A.M.
CHAIRMAN
Mr. Allan MacMaster
VICE-CHAIRMAN
Mr. Iain Rankin
MR. CHAIRMAN: Good morning, everyone. I call this meeting to order. We'll begin with the introduction of committee members, starting with Mr. Maguire.
[The committee members introduced themselves.]
MR. CHAIRMAN: This morning we will be discussing the Integrated Case Management system. We have the Department of Community Services with us, as well as the Department of Internal Services, since both departments are involved.
Ms. Hartwell, perhaps you could introduce yourself and allow your colleagues to introduce themselves.
MS. LYNN HARTWELL: Good morning, Mr. Chairman. Thank you. To my far right is Sandra Cascadden, who is the Chief Information Officer of the province with the Department of Internal Services. To my immediate right is Vanessa Chouinard, who is the Executive Director of Policy and Information Management for Community Services. To my left is Dale MacLennan, who is our Executive Director of Finance and Administration for Community Services.
1
MR. CHAIRMAN: Perhaps you could begin with some opening comments.
MS. HARTWELL: Thank you for inviting us to appear before you. I am always appreciative of any opportunity to talk about the work that the Department of Community Services does. We are here specifically to talk about the audit of the IT controls of our Integrated Case Management system - ICM. I would also like to thank the Office of the Auditor General for their report and recommendations. The audit has brought important focus and validation to the work we do and the work we do in concert with our colleagues at ISD. We are constantly monitoring and doing our best to maintain and improve all controls related to all of our IT systems.
I'll give you a little bit of background on the system. It is used by over 1,450 users province-wide. It's a very important tool - our most important case management system. We use it to deliver our social services programs.
I will say that we understand, because of the nature of the work we do, that we are often in receipt of incredibly confidential and intimate information about people. We take all steps to make sure that we are maintaining that privacy and confidentiality and treating it with respect. So any insight into ways that we can improve that, whether it's on the IT side, which was the focus of this audit, or whether it's our own additional business processes that help to protect that information, we're always happy to receive that information.
In the report we did learn of some risks and vulnerabilities that were associated with information. I think it's important to note that the risks and vulnerabilities exist within the protection of the wider government system, so only individuals who have specific authorized access would be able to access it. We did provide such access to the Auditor General's staff so that they were able to probe our system, including giving them a blueprint of the system so that they were able to poke around.
The findings were very valuable. They identified a couple of areas where we were able to act quickly and make an immediate change, and others where we've been able to put in place longer-term processes to respond to them. We've accepted all recommendations and have completed work on two of them and are acting on the remaining, both at a departmental level and in concert with our colleagues at ISD.
We are expecting the time frame for completion to be at the end of this - I want to say at the end of this winter but now we're in Spring, although it doesn't really feel like it, but certainly before summer. As the Department of Internal Services is working to develop a shared-services model, we will continue to work very closely with them to make sure that the specifics related to the clients that we serve and the systems that we use to serve those clients will continue to align with best practices both at a government level and at a higher international IT standard.
I will take the opportunity to say that we have within the department a significant transformation agenda. We are looking at how we deliver all of our services, including the nature of the supports we provide, the outcomes we are achieving and wanting to improve on, and also how we do that. So there will be an important IT component to all of that work. We will be asking ourselves, what are the tools that we need to best deliver? And protection of information and making sure that we have tools that protect confidentiality as well as provide us with a way to seamlessly support clients will be a huge focus.
As I said earlier, because of the nature of the work, I would say the staff of the department are hypersensitive to the nature of the information that we have, and so in addition to the IT processes, which were the focus of this audit, we do have significant business processes that we put in place through a number of controls. I'd be happy to provide further information outside of the realm of IT, if that's of interest to this committee.
With that, thank you, and I will welcome your questions.
MR. CHAIRMAN: Thank you, Ms. Hartwell. We will move to Mr. Houston of the PC caucus for 20 minutes of questions.
MR. TIM HOUSTON: Thank you, Ms. Hartwell, for those introductory comments. In preparing for today, it wasn't lost on me that the Department of Community Services has been in the news quite a bit lately in terms of some office closures. I'm just wondering about those office closures - were they the result of some instruction from the minister?
MS. HARTWELL: Well, our role, of course, as public servants is to work to deliver on the direction from the minister. However, in the case of office closures, we monitor our caseloads and our distribution of resources very closely. So if we're able to determine that we could deliver services better and more effectively in a different way, we will bring that to the minister's attention and have a conversation with her.
In this case we were able to identify, at a staff level, that there were some changes that if we made we believe we'd be able to deliver services more effectively without in any way diminishing the quality of that service. So it was our advice to the minister to do so.
MR. HOUSTON: Did the minister give instruction to go and find these type of efficiencies to reduce head count?
MS. HARTWELL: The minister did not give any direction to specifically reduce head count. Her direction has been consistent - find ways to improve service delivery, improve outcomes for clients in a way that does not in any way diminish the services that they are receiving or put them at risk. There has never been a conversation about head count. From the minister, it has always been about can we do better service.
MR. HOUSTON: Do you expect that, all things considered, it would be more effective to deliver the services to those people who were utilizing those offices - it would be more effective, but is it going to save money to get those services to those people without those offices?
MS. HARTWELL: None of the reductions in size or closures that we've made have reduced the end service to the client. The service may be being delivered differently, it may be from a different location, but by changing how we're delivering we're taking our precious resources and making sure that they are going where we need them to go, which is ultimately all about front-line delivery. It's not to redirect them into another area or - God forbid - to leave the Department of Community Services; it is, in fact, for us to be able to focus our mandate specifically.
Again, it has always been improved service that has been the reason why and, if we believed that there would be a diminishment, it wouldn't be an option that we would bring forward to the minister.
MR. HOUSTON: So you have a plan to deliver services to those people in those communities that will be affected. Would part of that plan be, like do the people go to the new offices or do the new offices go to people - commute - the staff commute to the people who need services?
MS. HARTWELL: I mentioned the transformation, and that certainly is part of it. What we've learned, not surprisingly, is that the way that people want to receive service from the Department of Community Services is different than it was 20 years ago. We often hear from clients that when they want a service they want to be able to pick up the phone and get an answer over the phone, they don't necessarily want to have to go to an office.
We've recently done some consultation with youth and youth are saying they don't even want to pick up the phone. They would much prefer to have electronic services available, which we actually don't have a strong electronic presence right now.
So we have to adapt our services to meet the needs of clients. There will be some clients of course who may be more remote, who may have mobility issues, may have transportation issues - we need to be responsive and deliver services to them in a way that meets their needs. Overall, I would say that for the most part people just want to know that when they need us they can pick up the phone, or contact us in some way, and there will be someone who will get what they need to them, and not that they have to come and sit in an office.
Occasionally some of our services are counselling-based and office conversation is required, but we have offices around the province and we can facilitate that. There are some places where we're meeting with clients in community organizations if that's what their comfort level is. I think as we move forward with our transformation we will be exploring how we can be more flexible and responsive to what people need.
MR. HOUSTON: You mentioned in your opening comments you are undergoing significant transformational change within the department. I think you said you were looking at all the programs that are provided and trying to find out if they are serving the intended purpose. That's a project that's ongoing in the department, I guess. I just wonder, could you shed any light for the committee on whether or not you've found some programs that aren't meeting their intended purposes?
MS. HARTWELL: We have a wide array of programming, as you know, and I will focus a little bit on income assistance because it's a program that affects - we currently have a caseload of just under 30,000 in the province. We know that our model, which is based on people identifying that they have significant need, often comes with a stigma, often comes with people having to really be at their lowest point before we're able to step in and intervene and provide supports.
We want to examine how we can do earlier interventions so that people don't have to deplete all assets, don't have to be at the lowest. The system is very much designed to be a social safety net and we have to safeguard that, but I think we can be more than that - be a system that provides support rather than simply just a place when everything falls apart. That's sort of the tenor of it. It's not that our income assistance system isn't working - there are people who are receiving income and I get the pleasure of hearing stories where, on an individual basis, we have been able to do incredible things for people.
However, as a system, we continue to have a large number of people who cycle back into income assistance. At any given month our rate of return is probably about 80 per cent. We know that we need to take steps to make sure people who are able to leave income assistance are able to remain off of income assistance and they're provided with supports outside of that system. That's an example.
MR. HOUSTON: So that would be an example of a program that kind of needs to be expanded to a certain extent I guess - what about in terms of programs you might have identified that are just not meeting a need any more?
MS. HARTWELL: We have, I think it's a fair comment from me that we don't have a lot of superfluous programming in the department because we're a department that is focused on basic need. I think there are some elements of some programs, for example, we currently in our continuous supports for people with disabilities in a residential system, we currently have some larger facilities and some types of facilities that individuals don't want to live in any more. They would prefer a smaller option, they would prefer something that's a bit more individualized.
We have to, as part of our transformation, find a way to move away from facilities that people are not interested in living in, or not providing the supports that people are looking for, and move to a system where we can have a different range of options. But we currently have a fair bit invested - both resource-wise and policy-wise - in those other facilities. That's really the whole purpose of our transformation in our Services for Persons with Disabilities program is how we can have a continuum of options that people can choose from that are actually responsive to the needs now and not designed 40 years ago.
MR. HOUSTON: Fair enough. Have you made some recommendations to the minister about those types of programs?
MS. HARTWELL: We have. There is a document, the Services for Persons with Disabilities roadmap, that was released just before this government and has been adopted by this government, so that is truly a roadmap document. So we're continuing with that, and we continually have conversations with the minister about how we can progress further along and what areas we need to focus on.
Our systems, as you can imagine, are very intertwined, so understanding how our income assistance system needs to work and how our disability system needs to work - we're moving forward big pieces at the same time.
MR. HOUSTON: The roadmap is one that I'm familiar with, because it has had some implications in my constituency. I'll leave that as it is, but I think that there are a lot of considerations as you transition from one idea to another through the roadmap.
Getting back specifically to - or I guess, starting to focus on - the Integrated Case Management system, how many names would be in that system? You mentioned 1,450 users, but I wonder how many actual Nova Scotians have information in there, roughly?
MS. HARTWELL: On a rough number, as I said, we have just under 30,000 people who are on income assistance, and that's the primary case management system. There are pieces of it that are used by some of our other programming, so I would say there would be no more than 40,000. That would be my rough estimate.
MR. HOUSTON: In the entirety of the Integrated Case Management? Because somewhere I read that roughly 20 per cent of Nova Scotians have at one point touched the department, so that would be close to 200,000 people.
MS. HARTWELL: Not all of our programs use ICM for their case management. For example, child protection and child welfare areas do not use ICM, so that system wouldn't necessarily touch that. We have lots of clients who are served by family resource centres, by transition houses, and we are not the case manager. They are case managed by a third party, so it would be inappropriate for us to have their information. So we don't have that. ICM is really about those individuals that we are the case managers of their progress.
MR. HOUSTON: More so on the financial side? Would it be fair to say, then, that there is some kind of monetary involvement with the program?
MS. HARTWELL: Yes, the reality is that most people come to us because there is a monetary issue - in income assistance, absolutely. However, there would be people who may no longer be a client in receipt of income assistance but may be receiving transitional Pharmacare support, so they would remain in our system until they have eased off. Generally speaking - this is where I'll look at the IT folks to make sure I'm describing it in accurate terms - the financial back of ICM is actually our SAP system, so ICM truly is about the client information that we can then marry to the financial system.
MR. HOUSTON: Okay. So, did you say less than 40,000? I think in your opening you talked about the staff being hypersensitive to the importance of the information. I have no doubt that that is true. The Auditor General's Report did note that the department has not provided any security awareness training to staff since 2011. Obviously that would have been the time of the audit. It's important for staff to always be reminded of different things they can do to keep information safe and to be on the lookout for certain things. I'm wondering if that training has been reinstituted. Are you doing any type of training in that respect for staff?
MS. HARTWELL: We do training of various types. Certainly when new employees come on and are introduced to the ICM system - which is a designed system for us, not something that they would know if they worked other places - they receive training in that. We do also have both a privacy protocol for the department as well as a privacy officer who spends time working with staff and working with managers around the province to ensure that staff are aware of their privacy obligations. I do believe that as we move forward with some - any time that we make a change to an IT system, we use one of our trainers to go forward and do some training. So as we make any changes, yes, we will continue to have staff roll out for new training.
MR. HOUSTON: Okay. Work in progress, it sounds like.
MS. HARTWELL: Yes, always a work in progress. And we do have it in our action plan that we are going to continue to move on that.
MR. HOUSTON: Now in terms of those 40,000 or less people who would be in the system, a good portion of those people would be receiving funds from the province or did receive funds from the province at some point in time, so it's safe to say then that the ICMS contains their banking information?
MS. HARTWELL: Yes.
MR. HOUSTON: So there are social insurance numbers and stuff like that?
MS. HARTWELL: Yes.
MR. HOUSTON: So that's all in the system and if it was a client who had children in foster care and those types of family circumstances, probably in the system or most certainly in the system?
MS. HARTWELL: If it was relevant to the determination of their eligibility or anything under the program then yes, there would be information about their particular family situation.
MR. HOUSTON: Okay, so we can't overstate the importance of the information that's in this system.
MS. HARTWELL: Absolutely not.
MR. HOUSTON: It's extremely important information about very vulnerable people in some situations, in a lot of situations. That being the case, the Auditor General identified some weaknesses where unauthorized people could access this information. We've had a bit of discussion at different times as to how big that population of people is who would have had unauthorized access but suffice it to say that there are people who had unauthorized access to this system, through the weaknesses identified by the Auditor General.
My question would be, were the individuals who have their information in the database notified that their personal information may have been compromised?
MS. HARTWELL: There was no privacy breach so there was no breach of private information. What there was, through the course of an audit, the identification of a security weakness. It was Auditor General staff who saw the information, not unidentified users. We are not aware of any information that the information was actually accessed and used by anyone inappropriately, so there was no breach.
MR. HOUSTON: I think that's important there, if I may. We are aware that the AG's staff accessed the information; we're not aware whether anyone else did or not.
MS. HARTWELL: That's right.
MR. HOUSTON: But there was certainly a breach. There was a hole in the system that people may have accessed that information that shouldn't have. Do we have any way to sit here and definitively say that nobody else accessed that information?
MS. HARTWELL: What we can say is we can understand the parameters of which there was that breach. If you think of the ICM system as a building, it's a building that's inside a wall that has barbed wire on it, which is the government security system. What happened is people were allowed inside the wall, they were allowed inside the building; we gave them a map and told them where everything was. Then they kicked at a couple of doors and they were able to find one that opened or two that opened.
I don't want to - I'm not trying to diminish it at all. That actually helps me understand the nature of it. People were allowed significant entry into the larger system and then from that platform were able to get into places that we wouldn't want them to get into.
Once we identified that, through the report with the Auditor General, we immediately shut that down. There was no one from outside of government, there was not a risk identified that there was someone outside of government who could have followed that path. They would have had to get through the wall . . .
MR. HOUSTON: So what you are saying is you believe the risk was contained.
MS. HARTWELL: Yes.
MR. HOUSTON: And the containment was limited to x number of people. If it's the case it was limited to everyone who has access to the government system, that's probably 10,000 people. Nonetheless, you have a sense of security that you know the size of the risk.
MS. HARTWELL: Yes.
MR. HOUSTON: But the risk still exists. My point is that - well I'll ask another question, do you have a log? Is there any information that you have captured about access to the system logging of what users entered, what records they accessed that you could review?
MS. HARTWELL: I'll turn it over to Ms. Cascadden in a second. My understanding is that we are able to determine if anyone - I'll back up for a second. My understanding is it's not all of government employees who are able to access; it is people who have access in accordance with their role. Occasionally, staff will move on and we will not have removed their access as quickly as we could have, and so we've put processes in place to catch that, in part as a result of the audit.
However, of the 1,400-plus users, I believe the audit found that there were three people who were in a role to access that information and then no longer required it. So again, it's not someone who is totally unrelated - it's someone who may have moved on and therefore should have that access removed.
We are then able to determine who has gone in and altered any kind of a record; made any kind of change. That is the log that we can see, so we know if someone has been in and done something to that file.
MR. CHAIRMAN: Order. We will now move to the NDP caucus and Ms. MacDonald.
HON. MAUREEN MACDONALD: Thank you, and good morning. I, too, want to start with a few more general questions outside of the audit before we get into the specifics of the audit.
I was interested in hearing you indicate that the department monitors what's going on with caseloads very closely and that doesn't surprise me. Perhaps you could tell us what you were seeing that contributed to the decision to closing Barrington as well as - I believe you also closed an office on the Eastern Shore and in Guysborough. Have I missed any?
MS. HARTWELL: No, Guysborough wasn't closed. We reduced the size of the staff and the hours, but the office remains open.
I'll talk about Barrington first. We were able to identify in Barrington, and look at the caseloads, that we would be able to move the staff; move the work that was being done in the Barrington office to Liverpool and to Yarmouth within an acceptable caseload. More than that, in Barrington we had been having significant issues of recruitment of social workers, in being able to both attract and retain social workers.
So what was happening is that families were getting a changeover in their social worker every six months - well, too frequently - so there wasn't able to be the build-up of a strong, supportive social work practice in the way that you might want. So we knew that we wanted to make sure that the social workers that we have are part of a team, where there is a bit more stability and they're able then to have their practice monitored but also be part of that team, which they can be if they're part of the Liverpool and Yarmouth office. So that was another factor. It was looking at the whole picture of the region and understanding some of the pressures that we've been facing there.
Sheet Harbour - the services that were being provided there were, I believe, largely IA. They were workers who were travelling from Cole Harbour to Sheet Harbour to provide services. What we were finding was that - we monitored it quite closely - people just weren't coming to the office. There was always of course the occasional drop-off or drop-in, but by and large people were contacting their workers by phone and were looking to access services in a different way.
We did take a hard look at that and then determined again that rather than have the staff driving, it would be better to have them in the office available to take calls and respond to the requests from clients.
MS. MACDONALD: In Guysborough, although it wasn't a closure, it was a reduction in . . .
MS. HARTWELL: It was. The caseload numbers in Guysborough were among the lowest in the province. We knew that, again, people were not using the office; they were not coming to the office to receive services. They were looking to receive services from workers over the phone or in other ways, so it just simply wasn't an office that was being used. That model of delivery was no longer working, so we took a look at that and determined that we could do with less and then reallocated the resources to other services that we provide.
MS. MACDONALD: Was the review part of the directive from the Minister of Finance and Treasury Board that departments find a 1 per cent reduction in their budget because those targets had been missed?
MS. HARTWELL: No, this was not. This was a separate departmental initiative.
MS. MACDONALD: Okay, so perhaps you can elaborate on how you met your 1 per cent target from the Department of Finance and Treasury Board.
MS. HARTWELL: I am going to turn it over to Dale MacLennan who is our Executive Director of Finance. We spent a significant amount of time meeting our 1 per cent and determining how we could do so in a way that would not affect outcomes. There were some places where we (Interruption)
MR. JOACHIM STROINK: On a point of order. We're here for the ICM stuff and this line of questioning doesn't deal with the topic on hand. Is that a fair comment?
MR. CHAIRMAN: Do you want to elaborate on what you're asking me to do?
MR. STROINK: I'm asking you to bring the questioning back to the ICM.
MR. CHAIRMAN: Ms. MacDonald, your question was about the budget which is not necessarily about policy. With this committee we have to stick to policy - so unless you have a comment that expresses how it's about policy and not about the budget.
MS. MACDONALD: The role of this committee is to look at policy but it's also to look at how the government has spent money. I'm looking back on the previous budget - I'm not asking questions on the budget that's coming up, I'm asking questions about how the department met its 1 per cent reduction and how money is spent. I believe that's well within the mandate of this committee, absolutely.
MR. CHAIRMAN: The challenge is the budget hasn't been released yet. Are you referring to last year's budget?
MS. MACDONALD: Yes.
MR. CHAIRMAN: If it's last year's budget and it is about expenditure, that is what the committee is - the purpose of the committee is to review past expenditure so I will allow the question. Mr. Stroink.
MR. STROINK: We all agreed on the topic, the topic is on the agenda. The agenda is about this issue, not about the budget, not about anything else so I'm asking that the chairman keep it on topic.
MR. CHAIRMAN: Well the topic is the Integrated Case Management system. The focus of this committee is to look at past expenditures of government. The member is asking a question related to last year's budget on this subject, so I will allow the question. Ms. MacDonald.
MS. MACDONALD: I've made my question and I'll wait for the department's response.
MS. HARTWELL: I would characterize our 1 per cent as saying we did not find it by changing what we do, we accomplished it by determining how we do it so we looked for efficiencies throughout. For example, our administrative budgets, we took a hard look at those and everything we could, anything that was non-essential we didn't purchase - travel, all of that stuff for example.
It was really about understanding because we're at the point of really doing some, I would think, transformational changes in the department. It was important that we not act quickly and cut, or look to find an efficiency in what we do because clients - we didn't want to do anything that would quickly affect clients or have a negative outcome without us understanding the larger picture. We very much focused on can we do things more efficiently within that envelope, so staff have been focused very much on - I don't want to say counting pennies, because we don't have them, but counting nickels in our expenditure lines. That's really how we managed it. Did you want to add anything?
MS. MACDONALD: Before Dale responds, can you tell me how much the 1 per cent is?
MS. HARTWELL: Our overall budget is over $900,000. We looked for $9.1 million.
MS. MACDONALD: Okay, thank you.
MR. CHAIRMAN: Ms. MacLennan, did you wish to comment?
MS. DALE MACLENNAN: I don't have the list but I'm happy to provide it, we can provide it without any difficulty at all. What I would say is the same way that other departments managed two ends of the budget, one was to be able to reflect any of our utilization pressures so those things that are contractually driven or that are driven by the existing line of business and we were no different than other departments. We actually saw a significant increase in the DCS budget related to those types of utilization - what is the cost of doing business now in some of those areas like Services for Persons with Disabilities, that area in particular, but a few others as well.
So we did have to identify the $9.1 million. A portion of that was related to housing so about $8.6 million was what the department had to find. We found that in a context where we were able to manage some of our utilization pressures. There was almost $30 million of utilization pressures that the department saw as an increase last year, which didn't let us do anything new, but what it did is it let the department focus on those few areas where we needed to find some efficiencies - and how - as the deputy has said, so that we didn't have to go after the actual front line of the service delivery.
So there were a number of things. We had some boringly technical things like HST recoveries. We would have had about $1 million on things like that. We had a number of savings that flow from an expenditure trend. We used some of those. So we had, for instance, in some programs where there might be clients who are aging out of a particular program offering, it's declining, so we capture that. We were very hard-working and earnest to make sure that we focused on those things that related to how we do things and if there were efficiencies to be found, we tried to initiate some of those.
Those present a bit of a challenge for us just in terms of capacity, like everyone else, but I'll happily get you a list that summarizes that $8.6 million.
On the housing side, I will say - I know it is part of DCS, but on housing, their reductions were related to some very specific initiatives within their housing programs, again, to diminish the impact on the front-line client because they were also interested in making additional investments in properties and things like that.
MS. MACDONALD: Excellent, so we will get the detailed features. You say that you had to manage the utilization pressures of almost $30 million. That's enough to give people a bit of a heart attack. Can you tell me a bit about those pressures - the utilization? Are we talking about IA and housing - persons with disabilities?
MS. MACLENNAN: Primarily.
MS. MACDONALD: This is the wait-list for small options and those kinds of things - or people who are already in the system?
MS. MACLENNAN: I'll address the finance piece of it and the deputy might want to address some of the challenges that are actually driving the transformation. It's not at all unrelated to some of the why of transformation from a sustainability perspective.
Currently, the expenditure trend on the Disability Support Program is a sharp increase year over year and that is primarily to support the existing clients. There is some small number of increasing clients, but it is not significant. Mostly those cost increases have to do with the cost per case. Some of that has to do with our inability to have clients in the most appropriate type of placement. While we have some clients we'd like to serve who are on a wait-list, we have other clients who are arguably over-served, who are in some of these older types of facilities.
That expenditure trend is enormous. It's actually all there in the Public Accounts to see over the last 10 years - just enormous. I think we've cleared $300 million this year in Disability Support Program.
Much of that utilization had to do with either the cost per case of the Disability Support Program or it had to do with some of the wage pressures within, again, not new wage costs, but the existing that were driving a deficit. So some of it is simply converting a deficit into what it actually costs to deliver the programs.
MS. HARTWELL: I just want to add that the number of people on income assistance did have an increase. For several years in a row, probably a decade, the number of people on income assistance was continuing to drop year by year as the economy was strong. When there was a recession several years ago, we saw an increase in people returning to income assistance. Over the last year, in particular, we have had a real focused effort to provide people with employment support so that they are able to exit income assistance. As I said earlier, we know there are a significant number of people who loop back in, so we know we need to have interventions that will allow people to stay off of income assistance.
We are still dealing with that increased number of people on income assistance, which - again, for that decade we were able to fund some of the other programs because our income assistance amount was declining. Now we don't have that buffer.
MS. MACDONALD: To what extent has that number increased? By how much has that increased the IA caseload?
MS. HARTWELL: I can get the exact number. At one point, the caseload was - maybe 10 years ago, at the beginning, it was probably well over 40,000. Now we're down to 29,000. We have dipped so that we've been lower, closer to just above 20,000. Of course, there's never just one thing. It's not just the economic situation. There was also the introduction of the Nova Scotia Child Benefit and other things that have changed our caseload.
We do know that we have significant work that we can do to try to support people to achieve independence, but sometimes we're dependent on the economy.
MS. MACDONALD: Earlier, in your opening remarks, you made reference to the shared service model, the work that is being done by government with respect to the shared service model. One of the things I'm curious about is whether the potential for even more people to have access to the ICM database is possible or not under that model? And whether or not that also means that people outside the department - in other departments, let's say - conceivably could have access?
MS. HARTWELL: I don't foresee a significant increase or even a nominal increase of people being able to use ICM. Current users of ICM are caseworkers and casework supervisors. There are a handful of folks who work in IT who need access to the system as administrators or just to make changes. There may then be one or two new people at ISD who provide us with that service, but it would really be nominal. The users of ICM have not moved to ISD. They remain in our department, so there shouldn't be an increase there.
MS. MACDONALD: I want to go back for a second to the income assistance situation that you were making reference to. You have these increased numbers of people in receipt of that particular program, and it brings with it certain pressures for the department, or it changes your ability to provide funding support in other areas.
One of the things that I, as an elected person, see a fair amount - a growing amount, I would say - in my office is the numbers of people who receive special-needs support, who increasingly have to provide more and more documentation, especially physician documentation, and sometimes I wonder about how sensible some of that policy is that requires, for example, an individual who is on assistance who is HIV positive to return on an annual basis to a physician to fill out a medical saying that this person is still HIV positive. That's not something that going to change, so can you explain to me why this continues to be the practice with respect to the income assistance program?
MS. HARTWELL: A current regulation and legislative scheme requires an annual reassessment, and that's important from the perspective of ensuring eligibility. But I would agree with you that when there are continued medical issues in others that is something that we should be looking at and that, frankly, is the whole purpose of our benefit reform work - to have a fair conversation about what eligibility, what is required for continued eligibility, what amount of oversight and monitoring is truly required and what amount is actually standing in the way of people being able to achieve some independence and empowerment. We are absolutely looking at exactly that mix of what is the right policy for a new income assistance approach.
MR. CHAIRMAN: Order. We will now move to the Liberal caucus and Mr. Rankin.
MR. IAIN RANKIN: I just have a few questions and then I will pass it along to my colleagues, but I think what the last two questions were trying to get at is the effectiveness of the program in ICM, and I do see relevance there. My questions are somewhat similar and it does tie into ICM.
You mentioned cost per case - do you have a figure for that? I'm sure it varies in terms of category, but is there any?
MS. HARTWELL: It does vary greatly. So income assistance, the average cost per case I would say is in the range, a month, of $767-ish. There would obviously be significant variance on that. For children who are in the care of the minister, which is another area where we've had significant increase in the cost, it would be more than that. I don't have the number off the top of my head. For a client in the SPD program, it varies significantly, we have some clients who receive $1,000 a month to provide respite to a family member, and we have clients who require significant three-person staffing around the clock where we are talking in the range $0.5 million. So it varies significantly.
MR. RANKIN: In my opinion I think this would be one of the most challenging departments to measure effectiveness because of the wide range of types of incidents and things that you are dealing with but, after all, this committee does have to look at this.
That increase of caseload, you approximate that's $30,000 on income assistance and the figure you use was 80 per cent - so was that the recidivism figure? So has that number increased simultaneously with the amount of caseloads? Is that figure, 80 per cent, historic over time - has that changed over the last five, ten years, or is that typical or atypical of what we'd see in the system?
MS. HARTWELL: It is typical of what you see in the system when you look across Canada - we do have conversations with colleagues across the country and that is a typical rate. I've been monitoring it, since I've been in this role, on a monthly basis and it has really gone between 75 and 80 per cent, and that's where it is now. It isn't surprising in the fact that people wouldn't be on income assistance if they didn't have significant barriers and challenges, so often those barriers and challenges may only be slightly ameliorated and then they leave and they're still at risk for things going south really easily.
So they are on the edge and so one of our focuses is how do we change our support so that when people are maybe looking to leave that we're there in the background able to prevent them from falling back into the need for income assistance. It is, yes, about employment, but it's more than that - it's about providing stability and a bit of community. Currently we have pieces of success in that, but we aren't really oriented to that. It's once you get off - we have some transitional support, but then if things go south, your only response is to come back on the system. So we need to actually say no, you don't actually have to come back on the system - we can provide supports in a different way, so that's very much our focus in benefit reform.
MR. RANKIN: I think my colleague, the member for Halifax Needham, makes a very important point there. When they're all lumped in and you have different cases in this group, how is that really a true outcome measurement if you have people with disabilities and you have people that maybe they go into training for a job and all those different categories - is that part of the transformational change? I believe it is.
The case with the disease, are they really in that number? How do we normalize the number to really be able to have a true measurement of how the system is working? Further to that, how does ICM come into that? Does ICM have the technology to be able to distinguish categories and cohorts of groups and how are we going to be able to use ICM effectively to get a better, truer number?
MS. HARTWELL: I agree with you that it is complex and we're serving clients who would have varying needs, and as much diversity as there are people are the clients that we serve. We do have, though, a significant focus on outcomes and evaluation in the department. We're in the process of developing an outcome framework for all of our programs that will lead us back to, what is the outcome we're trying to achieve and how will we know?
I'll give you a very small example of a program that I'm particularly proud of. We have a program called the Alternative Family Support Program, for people with disabilities. It is when an adult with a disability lives with a family other than their own who are compensated. It's not a generous - it's people who have a particular calling, I think, but they are compensated for that. We've put in place a wonderful measurement of, what is the financial implication, but also, what's the quality of life implication? How often are they accessing medical services? Are they getting the right medical services? How are they describing their lives?
By looking at how we are - not just looking at numbers and not just looking at caseload and not just looking at cost per case, those are all really important metrics, but also looking at client satisfaction and the matching of what people are looking for and what they're receiving. We're adding that in. We may not be able to meet every need, but we should certainly know what we're moving towards and if we're actually moving clients in the right direction.
We actually have a significant outcome focus and our IT folks then will be using - we have a lot of raw data, so how we can build IT models based on the client information that we have so that we can actually report out on that.
MR. RANKIN: So the system will reflect that? I understand that nothing has to be numerical, but in terms of a return on it - maybe it's a social return on investment or whatever you want to call it, but that would be within the ICM system?
MS. HARTWELL: The data is there now. What we're building is our capacity to actually be able to take that data, analyze it, extrapolate from it and be able to show. So in this particular case, the Alternative Family Support Program, we were able to take a very small sample of people who have moved from a different setting into this setting and we were able to demonstrate, mostly for our own information, that we're moving in the right direction, and we were able to serve more people at less cost through this model. So being able to pull that was just the beginning, I think, of us being able to use data in that way.
MR. RANKIN: Just another question - and I see you nodding your head and maybe I'll give you a chance, Ms. Chouinard, to answer a question. Relative to the transformational agenda and the recent audit, what types of policies and procedures have changed to address what has been identified in the audit? Is there a need to change anything specifically to the policies and procedures within the department?
MS. VANESSA CHOUINARD: Absolutely. Certainly there were some recommendations that the Auditor General provided that we gladly accepted. In particular, there were some recommendations related to user accounts and how we monitor those, so we have implemented new reporting and new monitoring schedules and processes to make sure that we're shutting down any inactive accounts or folks who haven't accessed the system over a period of time, so that's something that is new.
As well, we're now annually reviewing all of the users of ICM to ensure that everybody is in the appropriate roles, even if they are still a staff member. That's an example of something we are doing.
We also have a few other processes that are more control in nature that we have implemented as well, similar to bank account forms and things like that, and reviewing situations where we may have people who care for clients in a trustee relationship. So we are making sure and we're auditing ourselves to ensure that those relationships exist appropriately and we're making sure there is nothing going on that shouldn't be going on. The Auditor General's Report certainly helped us with that.
MR. RANKIN: Correct. So I would assume it's an iterative process and it's not something that you would wait for an Auditor General's Report to come out to react on. I only say that because I think past Auditor General Reports have identified similar types of security issues and things like that. The department does continuously look at the policies and procedures and modify and evolve them, I would assume.
MS. CHOUINARD: Absolutely. Continuous improvement is really important. In fact, it's certainly not a situation where we didn't monitor those things in the past, we did, we just took this as an opportunity to improve how we do it and strengthen our processes to help ensure that everybody's information is protected and that everything is happening as it should.
MR. RANKIN: Okay, thank you.
MR. CHAIRMAN: Mr. Stroink.
MR. STROINK: I guess I want to touch on the roadmap to your breach that you so eloquently described as giving the keys to the door and go and try to break in, well you can break in. With that, I have to commend you guys on recognizing those weaknesses and then dealing with those weaknesses in a very timely manner. That is going to help everybody within government.
What I would like to touch on is your whole shared services model and how that will affect the whole security. My thought with this would be that you guys are very good at community services but maybe not so strong on the IT and now being able to reach into that service - can you walk me though how that's going to benefit your department and how it's going to flow through to ensure the policies are safe, the security is safe but staff still has access and not access to certain areas because it is coming from outside?
MS. HARTWELL: The staff who have moved to ISD through shared services remain physically located with us and are focused on us and they have been DCS staff in the past. I think it's fair to say that we've had an incredibly high quality of IT support in the past, not just supporting ICM but I would say general IT support.
Our hope and belief with the shared services model is that now those staff will be able to be part of a larger community with staff that have complementary skill sets, knowledge of other systems. They know how DCS works and they know the systems, they know what we need. Now they'll have access to a whole group of other people who will bring different skill sets.
I think for what was our IT group, now their IT group, there can only be a benefit in that. That being said, the director of Information Technology, who reports into ISD, will continue to meet with Vanessa Chouinard's team because the IT systems are such an integral part of how we do business. We know that there is so much more we want to do, whether it's in terms of analytics and reporting or whether it's in terms of having a better electronic presence and maybe getting to the point where people can actually access some services online, our services online.
We know there is a lot we want to do so that continued partnership - right now it feels like we're going to have the best of both worlds, people who know business intimately and who are able to be part of a larger IT, I would say structure and rigour, that will be great.
MR. STROINK: When I hear that, that is just more hands in the cookie jar sort of thing. How is security and policies going to be put in place to still ensure limited accesses into that? There are a lot more people working on it, so how are we going to secure the security of that?
MS. HARTWELL: There will only be a nominal increase in IT staff who would have access for the purposes of maintaining the system or changing the system or anything to do with that. The core users of ICM will always remain our staff: caseworkers, casework supervisors. That is not going to change with the shared services model.
We are very focused on ensuring that people only have access and the ability to either view or do something which is in alignment with their role.
MR. STROINK: Great, thank you very much. I'll pass it over.
MR. CHAIRMAN: Ms. Miller.
MS. MARGARET MILLER: Thank you very much for your presentation and I really want to commend both the department and the minister for acting so quickly to address these concerns around the ICM system. It's great that the priority is making sure of that, that the clients are looked after and that the privacy and security is paramount.
I know if you're listening to our Opposition members, a lot of people listening might think that they have something to be worried about. Bottom line, how safe do you think people's private information really is on ICM?
MS. HARTWELL: I am very confident in ICM. The audit identified some weaknesses that we could address immediately. Those weaknesses were in a very controlled environment and as I said earlier, the controls within this IT system are just one set of controls. We also are continuing to work on an improved, larger control framework with business practices - what we expect staff to do, how we expect information to be shared.
We're also wrapping that and how we work generally in a much tighter atmosphere, making sure we really understand where the risks are and responding appropriately. I am very confident that ICM, which was an in-house developed system, is very responsive to our needs and really is designed to protect the most confidential information.
MS. MILLER: Wonderful, thank you.
MR. CHAIRMAN: Ms. Lohnes-Croft.
MS. SUZANNE LOHNES-CROFT: Thank you for being here this morning. No changes can take place overnight and that quickly. I know things evolve and as you become more aware but you've made a lot of changes which is positive but I know there must be more that needs to be done. Can you give me a picture of where you are, timelines that you have for goal setting and following through on achieving these goals?
MS. HARTWELL: Thank you for the question. We do have a very full agenda. The nature of the work that we do, which we've talked about, about helping people when they are often their most vulnerable and making change in people's lives, in their families. We often talk about generational change so I know that we will not be able to flip a switch and make the changes that we want but we are very much invested in having for the next five years an intensive transformative agenda in all of our programs.
We've already started work in both the benefit reform project, which is about income assistance, moving forward our disability roadmap and also in our children, family and youth around our Children and Family Services Act. We know that in the three main areas as well as Housing Nova Scotia we've identified where we are doing really significant reform. We have chosen to take what we're calling a gated approach. Because our system is so big and because we touch so many people, we want to only go so far to gate one and then we want to go and actually check in to make sure we're going in the right direction.
We are now coming to the end of our first phase which is really about planning and getting set up to do the transformation and then we're going to go to the next phase which is where I'm hoping to have a whole lot more engagement and opportunity to talk about the future of social services in the province.
We are definitely on the path. In the SPD system in particular, I would say that the system that we have is one that's developed over decades and the change there will take a significant amount of time to move. In all of our systems, I expect we will see some great changes and transformation and great conversation within the next year but I know the effects of that, the real outcomes of that, may be many years to come.
MS. LOHNES-CROFT: I just want to pick up on something that you said that child protection is not part of your system?
MS. HARTWELL: It's not part of the IT Integrated Case Management system. It has its own system.
MS. LOHNES-CROFT: So when you have to share information - I know within Community Services you do have to share a lot of information amongst caseworkers and different departments within departments. How do you go about doing that and keeping things secure?
MS. HARTWELL: We have protocols in place so staff from one program, they are able to share in many cases only with the consent of the client, because it has to be relevant. All of our security is role-based - if you need to know it then you can know it, but if you don't need to know it you can't just go in the system and look around to see what's happening with people in your community.
If there is staff working with a client in one area and they believe that it would be beneficial to have a conversation about another with a caseworker, or someone in another area, then there are protocols on how they would share that information. It's not IT-based, they would choose to share it in another way but, again, always based on what people really need to know.
MS. LOHNES-CROFT: Okay, thank you.
MR. CHAIRMAN: Are there any further questions? There is one minute remaining.
MS. LOHNES-CROFT: We'll let it go over to the Opposition.
MR. CHAIRMAN: Okay, we'll move back to Mr. Houston for 14 minutes.
MR. HOUSTON: Thank you, Mr. Chairman. I want to go back to the discussion we were having just before we left off and it had to do with we kind of agreed - the Auditor General identified some security weaknesses. We were having a discussion about, let's say, how significant that weakness was and what was the size of the population that might have actually been able to exploit the weakness. That was kind of the nature of the discussion we were having at that time.
I did hear you; I appreciated the response where you said you felt comfortable that data was secure and I respect that, but it's an opinion. The reality is that the Auditor General, through his exercises, identified weaknesses. Those weaknesses could have been exploited by other people. I just want to circle back to how would you know or would you not know if those weaknesses were exploited by other people besides the Auditor General's staff.
MS. HARTWELL: Given the nature of the work we do, the IT system is a tool we use. We have people who work in the Department of Community Services who have access to the most intimate information of people's lives, how they parent their children, if they've been a victim of abuse and so on. We have staff, who obviously are well-trained, who have signed a code of conduct, whom we hold to a high standard.
The IT system in itself is just one place where someone could get information. If there was someone who wanted to get information and use it for nefarious purpose, they wouldn't necessarily just need the IT system. We work in an environment where there's lots of confidential information, like a doctor or a nurse in a hospital, the nature of the work is in itself a confidential role.
MR. HOUSTON: Right, but it's behind literal locked doors and in locked cabinets. Those are physical risks that we all accept and understand. IT risks are a little softer, a little more behind - out of sight, let's say. In this case here there was a risk identified, a weakness identified that could have been exploited by anyone. It could have been exploited by who knows, maybe somebody who is sitting in their parent's basement in some foreign country and that we just don't know - that's the nature of IT risks. So when weaknesses are identified, they should be taken very seriously.
We can talk about how big or small the risk may have been, but I am fixated, I guess, on the fact that the risk was there. Now, my question would be, what's the reaction to the knowledge that there was a weakness?
Did you have any discussions with the minister about whether or not individuals should be notified that their information may have been compromised - was that something that was discussed with the minister?
MS. HARTWELL: What I will say again - and I'm glad you brought up the locked cabinet because essentially that's what we have, we have information inside a locked virtual cabinet. I am confident, there's no evidence - I can't prove that nothing happened but there's no evidence from either a government-wide notification which monitors if there are people trying to hack in - there's no evidence at all that anyone from outside government was able to get into our system, and . . .
MR. HOUSTON: Would there ever be evidence of that? How would that evidence manifest itself?
MR. CHAIRMAN: Ms. Cascadden.
MS. SANDRA CASCADDEN: When it comes to an external potential - an external trying to get into our systems, the first gate is through something called the firewall. Those firewalls have all sorts of logging on them - different types of logging - everything ranging from where the request is coming from - is it coming from a friendly country?
MR. HOUSTON: This breach here - I appreciate the levels of security. These breaches could have happened from inside the firewall. I don't think we should debate whether or not there was a weakness or a risk. I don't believe there would be any way to know whether or not that weakness was exploited by somebody except bad things happening to the people whose information got out there.
So in many cases something might happen to them because somebody used their information for nefarious purposes. If that happens to somebody, they are going to start to think - well, how did my information get out there? The last person on that list they would suspect that might have put them at risk would be their government. That's why I find this a little more egregious and a little more serious and that's why I'm wondering what type of discussions happened inside the department that somebody reached the conclusion - or some group of people reached the conclusion - yes, there is a risk, but we don't need to tell anyone for these reasons. I'm wondering if that went all the way up to the minister that the minister said, don't worry about that, it's not a big deal.
MS. HARTWELL: We certainly took the audit very seriously because we are well aware of the confidentiality of the information that we have and the vulnerability of the clients we serve. So internally, we immediately took the audit, began to develop an action plan. Certainly the minister was briefed and aware. The minister also received strong advice from us that at this point there has not been a privacy breach. There are definitely identified weaknesses in a couple of areas, which we have moved to fix, but there is no evidence that would require a system-wide notification of 30,000 people that their information has been breached. It hasn't happened.
MR. HOUSTON: I see in private enterprise it is not uncommon for large companies to notify people. Even in the Government of Canada, they'll notify people that if you were a user of this system between these days, please call or whatever the case may be. Large, private companies will come out with - they'll go to the public and say, we may have had a breach, keep an eye on your personal online financial data. Who knows - there are all kinds of things.
It's a pretty serious decision to decide that is not necessary. Are there criteria that the department - do you have a checklist that you go down and say this is how we're going to reach this decision?
MS. HARTWELL: We do have both an internal Department of Community Services privacy protocol, which would determine what we would do if there is a breach of any private information. As well, there is a government-wide privacy protocol that Ms. Cascadden can speak to, if interested.
We certainly would assess both the reality of the risk and also the possible impact on clients. We would never downplay that. By the nature of gathering and using electronic system, in theory, at any given time there could be a risk and so we want to make sure that we're having an informed risk conversation about what is likely and what the implications could be. That's certainly what is found in our privacy policy.
MR. HOUSTON: Did the department have, let's say in the past year, any privacy breaches that it reported to the users of the system?
MS. HARTWELL: No, not that I'm aware of. We have had specific privacy breaches so the example would be a person inadvertently puts the wrong person on an email.
MR. HOUSTON: Do you log those number of events?
MS. HARTWELL: Yes.
MR. HOUSTON: How many privacy breaches did the department have in the past year?
MS. HARTWELL: I can get you the exact number. There may be minor ones. I'm only aware of one.
MR. HOUSTON: One breach. That would have been a . . .
MS. HARTWELL: It was an email. Someone just put the wrong last name - I think it might have been a MacDonald - wrong MacDonald on an email and then it popped up and they had to identify; they had to reach out to the person and say I'm sorry you received that in error, which is part of our process, and they handled it within the first hour of realizing the mistake and then we heard back that it was . . .
MR. HOUSTON: So there's a known protocol amongst the staff that if this happens that you tell your supervisor who - okay so that happens and you are only aware of one but you can double-check on that.
MS. HARTWELL: I'm only aware of one but we can go back again. There may be more minor ones that don't necessarily come to the deputy minister.
MR. HOUSTON: Is that a province-wide system? Does every employee of the province understand that if they, in this case, misaddress an email address that they have certain responsibilities?
MS. HARTWELL: I would say yes. I'll leave the IT perspective on privacy to the side for a moment but I've worked in other departments that it's certainly understood that if there is any breach of information, no matter what, that you can actually see, you would notify and follow the appropriate protocol. There are, of course, in all departments, as part of shared services now, privacy officers who support each department who are able to determine what the proper course would be.
MR. HOUSTON: Ms. Cascadden you're aware of those
policies? Would that fall under you?
MS. CACADDEN: Each individual department is responsible for their own privacy policy. With formation of shared services the information access and privacy group is going to, I'll say, mature our privacy program across government to create greater awareness and education to create greater processes and part of the maturing of a privacy program would include reporting of privacy breaches. I think with the advent and us moving forward on the shared services side of the house, it will actually increase our privacy program across the government so that we have greater standardization.
MR. HOUSTON: I think I have three minutes left. I'll probably finish with Ms. Cascadden, just some lob-ball questions to round out the day. No, they're technical questions in nature so you're probably the appropriate recipient.
Two of the servers that the Integrated Case Management system uses, and I assume there are number of servers, but two of those servers did not meet the password standards that are required and I'm wondering if that has been fixed. Maybe you can shed a little bit of light on what the password standards are. Do you need a capital letter and a character and stuff and are they universal across the province?
MS. CACADDEN: The password standards are established by the Internal Services or the IT group. For us, it is really easy to implement the password standards on corporate information systems, so something like email is a corporate system which we have direct governance over. Those password standards are pretty internationally known password standards. All passwords can be no shorter than eight characters. You must have an upper case character. It has to be numeric plus alphanumeric, and you can also use signs and symbols in there, so there is some combination of those. There is a minimum requirement that is an industry standard. Those standards are communicated to the various IT groups who are located in the departments who are actually providing the support to the systems and they make sure their systems are programmed to adhere to those standards.
Passwords are one line of defence and as of today we have more governance over the departmental information systems because of shared services so some of the questions that have been asked previously about do we think shared services is going to support or weaken the governance over systems, I would say that shared services will actually strengthen the governance over systems because the application people are now co-located with the infrastructure people and that creates a better line of communication.
As it pertains to the two servers, the two servers were servers that were what was called Windows 2003 vintage. Two of those servers have been completely removed from the system so any issues or concerns associated with that particular technology was removed from the system. One server remains and we have a program in place to upgrade all those servers across government.
MR. CHAIRMAN: Order, thank you. We'll move to the NDP caucus and Ms. MacDonald.
MS. MACDONALD: Mr. Chairman, before I ask my next set of questions I just want to read into the record the mandate of the Public Accounts Committee so we're all clear about this. "The Public Accounts Committee is established for the purpose of reviewing the public accounts, the annual report or other report [sic] of the Auditor General and any other financial matters respecting the public funds of the Province." - just so we're all clear and we're all on the same page.
Now I want to ask some questions around an issue that has been in the public domain for a while. Today it's reported that the case of, I believe her name is Joellan Huntley, has been settled with the department. I think this was a case that was initiated by the department to recover or to gain access to an insurance settlement with this particular individual and her family. I know that over some time the minister did her best to avoid having to answer questions about this or be accountable for this.
I want to ask you around the pursuing of this case and the settlement of this case, what discussions did you have with the minister and what direction did she give with respect to either pursuing the case or settling the case?
MS. HARTWELL: Yes, it has been reported in the news today that we've reached a settlement which will allow - I think it has been weighing on everyone's mind, including the minister and this will allow everyone to focus on the care and support now for Ms. Huntley.
The minister has been very supportive of the family's concerns, very interested in the family's concerns and certainly instructed us to make sure that she understands the issues and to really understand and bring to her advice and options on all aspects of the case.
As it has been reported, the settlement agreement itself is confidential so I can't talk to any specifics around that or direction that was provided. But certainly the minister has maintained that this is a priority and making sure that we've explored both the issues around this very rare case and the issues around how we support people with disabilities generally. She certainly has asked us to make sure this is a priority.
MS. MACDONALD: Initially when this first became known to the public, the minister presented it as a decision essentially of the staff to pursue rather than have any ministerial oversight or accountability. I'm just curious about that, was this a decision that was never discussed with the minister? Was she never briefed on the pursuance of this case?
MS. HARTWELL: The pursuance of this case was consistent with policy so we don't normally brief the minister on things that are the normal course of business following policy. However, certainly it's my job and the job of senior staff that when we're aware there are things that are challenging us because they are either challenging an ethical issue or challenging a financial issue, any of those things, then we could normally, through the course of our briefings with the minister, make sure she's up to date on that.
In this particular case what staff did has been congruent with our policy all along so they were not seeking direction at a ministerial level. They certainly sought direction, appropriately, through the senior management of the department.
MS. MACDONALD: Earlier, just two minutes ago, you said this was a unique case. So this isn't routine because the ability to do this is in law. It doesn't mean that it's something the department does on a regular basis.
MS. HARTWELL: I believe what I said was "rare." That may seem like a nonsensical difference, but it actually is. It's unusual for people with a disability to have an asset or income that is available to defray the cost of their care. We serve many people with disabilities who have their disability throughout their entire life and so therefore never really earn assets or income, so there's no place to go to defray.
When there is someone who receives an injury, a catastrophic event, an accident of some sort and has money available for their care and, in some cases, specifically for their care, then that's rare for us to actually have that. Certainly it has happened, we would have a handful of situations over the last decade, so that would be the norm in our policy, but our experience generally is that the people we serve, the nature of their disability is such that they do not have an asset or income base.
MS. MACDONALD: How much did it cost the department to pursue this case?
MS. HARTWELL: I don't have that number at hand; I can certainly provide that. We used the services of our Department of Justice solicitor and lawyer in this - we already pay for them.
MS. MACDONALD: Why is there a confidentiality order, a gag order, on the settlement of this case - is there not a public interest in knowing the outcome of this case?
MS. HARTWELL: In this case, both parties agreed to a confidentiality agreement.
MS. MACDONALD: I'm not at all surprised that both parties would be in agreement, what I'm asking is why did the department and the government agree to a confidentiality order, a gag order, in a case that they initiated and pursued and for which there is a public interest in knowing from start to finish what the consequences are of this process?
MS. HARTWELL: The minister has committed publicly to exploring the issues around insurance settlements and the recovery of money under insurance settlements. It's in that context that we are finishing our work and will be providing her with some options and then she will take that forward. So that part, the larger context, which is certainly reflective of the public interest, will be forthcoming.
MS. MACDONALD: I don't really understand what you're saying. On the one hand you tell me that a settlement has been reached, but there's a confidentiality agreement that prohibits any discussion about what that settlement actually is, whether the government is receiving any money from the insurance claim or whether the government is picking up any of the legal costs, for example, of the family to have to fight this action. On the other hand you're telling me that there will be information coming. So I need clarification around that.
MS. HARTWELL: As it pertains to the particular case of this young woman, the government has entered into a confidentiality agreement and so the details of that will not be discussed. However, the policy issue of whether in future should a similar situation arise where there is a person with a disability who is receiving services from our department, should they have an asset through the course of an insurance settlement should we or how should we pursue that? That's the matter that the minister has asked us to look at, and that's what we're bringing forward, recommendations.
MS. MACDONALD: So there has been no decision made with respect to the policy, which I understand is not just a policy, it's part of the Act, is it not? It's the Statute. It's a statutory right, I guess, that the department is able to pursue these assets.
MS. HARTWELL: For us, it remains in policy. For health matters, Health and Wellness has the ability to have a subrogated claim. So if someone receives an insurance settlement for the cost of medical costs, they are able to pursue. We don't have the same ability in legislation.
MS. MACDONALD: Okay, that's interesting. I didn't realize that. I thought probably, because a certain part of the old Social Assistance Act has never been repealed and it still has that authority in it that would allow the Department of Community Services to pursue this case. But you're telling me that that isn't the case?
MS. HARTWELL: The Social Assistance Act does remain in force to support the Persons with Disabilities Program. My understanding is that underneath that Act we have developed policy that is congruent with that policy at Health and Wellness, but doesn't have the same - we use different legislation.
I think I can't stress enough that it is very unusual to have clients in our disability program who have any income or assets. We've been reliant on that legislation. As part of our go forward, in disability and in all of our programs, we'll certainly be looking at what the legislative foundation we need is. The minister has asked us, as I've said, to compile all options for her to consider, so that's what we've done.
MS. MACDONALD: Without asking you to disclose the actual settlement or agreement, my final question is whether or not the province has to pay anything, if there is any public money involved in the settlement agreement. I'm not looking for an amount. I'm looking for a yes or a no. Is there public money in the settlement agreement?
MS. HARTWELL: Mr. Chairman, I have to say I'm not comfortable at this point disclosing anything to do with the settlement agreement. I can certainly go back and receive legal counsel on whether or not, under the terms of the settlement agreement, I'm able to even provide a high-level answer, but at this point I'm not comfortable with disclosing that.
MR. CHAIRMAN: Thank you, and perhaps when you consult with your legal counsel, if it's something you can provide, you can provide it in writing to the committee.
MS. HARTWELL: Thank you.
MR. CHAIRMAN: We'll now move to the Liberal caucus and Mr. Maguire.
MR. BRENDAN MAGUIRE: Mr. Chairman, my first question is for the Auditor General. We're hearing the word "breach" quite a bit. There is a giant difference in the IT community between a breach and a weakness. In your opinion, was this a breach or is this a now-known weakness, a perceived weakness?
MR. MICHAEL PICKUP: A couple of answers to that question. In the audit we point out in Paragraph 2.16 on Page 14 that prior to the audit, users connected to the government network would have been able to access these confidential files. When we notified the department, management addressed the weakness that was putting the security of the system at risk.
We didn't say we noted cases where there were breaches. What we said was this risk existed, and they addressed that risk.
The other risks that were identified and weaknesses that were identified, they responded to in the report. Some of these things are taking action now.
MR. MAGUIRE: So this is an internal thing? You're saying that there is potential internal access to files that people should not be able to access. But externally, I mean, there are programs out there right now that do 8 million password combinations a second. These are some of the tools that are being used to access secure networks but we're not seeing an external breach in information.
MR. PICKUP: In this audit we strictly looked at it as if we were inside the government network - could we gain access to this information? That's what we looked at. We weren't looking at the access controls over the government wide network outside of that. That was outside the scope of this audit. It really was if we were inside of government could we get unauthorized access.
MR. MAGUIRE: My next question is for Community Services. This is something that when I heard it, it was quite personal to me. I have about 15 years of personal records within DCS as a ward of the court so it kind of hit me hard that there is potential for my information to be looked at. One of the questions I have is, quite a while back I requested my own information, I think it was about 300-400 pages of documentation. Somebody went through it, for legal purposes, and I'm going to guess painstakingly marked out a lot, about 75 per cent of the document. So, somebody would have had to go through that line by line and determine what could be released externally. How is it that we see this kind of oversight on documentations that are going to be released to the public but internally there is access to this documentation?
I just think that the standards are - and not that I disagree or agree with either one, I'm just saying that someone took a lot of time to make sure that information was not released to the public or to somebody, even though it pertained to them, could've possibly resulted in some other things - but internally.
MS. HARTWELL: Thank you. You're right. The balance of providing stuff with the tools and the information for them to do their job and not giving them access to any information other than what they need is a balance for internal staff that we constantly are considering and revising. As Ms. Chouinard said, we've set annual reviews to make sure that people are only seeing what they should see and more frequent reviews that if people are moving on or if accounts are dormant for example, we're moving in so that they can't be taken advantage of.
As you've identified through the freedom of information process, when someone from the outside does request information there is a lovely soul who sits in an office and redacts everything that relates to a third party, literally, to protect the information of parties other than that who are requesting the information. If the request also involves case information that is stored electronically, the same thing happens with the electronic information. However, that is on the assumption that it's going out the door to the individual and that will be made public and that's why we take all of that precaution. Internally, our control really is about ensuring that there's clarity of roles and people are only allowed to see what they are really meant to see to do their job.
MR. MAGUIRE: So for myself and the 40,000 individuals in Nova Scotia, when these changes are implemented you are confident that our information is secure from people. There are a lot of people who work for DCS. I know a lot of people who work for DCS. I have friends who work for DCS. The truth of the matter is, I don't have anything to hide but when you're young and things like that you don't want people knowing your information and there should be a perception that these are secure. These people aren't just DCS workers, they are our neighbours, they're our friends, so when these are implemented, are we safe? Is our information safe?
MS. HARTWELL: Yes, I believe we will have taken all steps that we can to safeguard information and we will hold staff to a very high standard. If there is staff who are using information, even just for interest purposes, that would be something that we wouldn't condone and my experience has been that staff do treat the information very privately because they understand the nature and wouldn't want to take advantage, but if there was ever a time where we felt someone was taking advantage, we certainly would not condone that and there would be consequences.
MR. MAGUIRE: My next questions are to Internal Services. There are 1,400-plus users on the system. For my own record, or thoughts here, how many of these users are moving around annually? How many are changing positions? How many are changing departments within DCS? Are you seeing a lot of movement?
MS. CASCADDEN: At this point I don't have a view into the system, because I don't manage the information system. I'd like to have the question redirected to the deputy minister.
MS. HARTWELL: I can't give you an exact number, but I do know that we have a fair amount of turnover. I would be happy to provide you with an answer in writing with a little bit of a flavour.
MR. MAGUIRE: Is it safe to say, of the 1,400, it's not 1,000? It might be a handful of people? I'm going to redirect back to Internal Services, because - I've said this on this topic a few times - my background is programming and networking. I've worked for large corporations where we had to track users and user groups to make sure that when you change a position, you have the proper rights and accesses to the network. If we don't have every single member moving every year, it would seem to me that somewhere along the way it was either miscommunication between departments or - I just don't understand, if a handful of people are changing jobs or changing positions, how their rights on the network are not being tracked and followed.
Honestly, from someone with an IT background, this is screaming in my ear that someone is changing positions and somebody is not changing their rights, and that's why they still have access to files. If we're assuming that well under 50 per cent of the people are changing positions on a yearly basis, what happened?
MS. CASCADDEN: I will speak in general terms about how we govern the corporate networks - so email services or access to the SAP system - and then I'd like to direct the specific question around the governance of access and user names and the changing of access associated with people's roles changing back to the Department of Community Services, because they govern that within their own system.
The processes will probably be very similar. From an IT perspective, we put in a process where the individual departments and/or the Public Service Commission have to let us know that people are changing, because we as IT people managing the systems in the back end don't know that someone has moved from position one to position two. The departments have that information, and it's the departments' responsibility to make sure that information flows in to the people who are managing the systems.
The people who are managing the systems put the policies and processes in place to help the departments make those changes and make sure the departments understand that they need to communicate their employees' changing different roles and responsibilities. So from a corporate system perspective, we have a robust way of tracking, and the relationships with the departments are very strong to make sure that when someone is moving from one position to another, we know from a corporate perspective whether they left government and their email account should be removed or access from their email account removed - access to the network removed. We have a process on the corporate side of the house.
Many of the individual departments who have their own line of business systems would also have a similar process in place. Those processes are as strong as the weakest link, which is usually the human communicating the information to the IT people that someone has changed their role and responsibility.
MR. MAGUIRE: I understand there has to be communication between departments - and I'm not trying to point fingers, I'm just trying to understand what happens - but at some point, somebody's rights on the network have been changed, so there has been communication that John Doe has changed a role, but John is still able to access files or drives that he had been able to access in the previous position he was in. So it's not just a communication thing, something was done to change the rights and the accesses to that individual on the network, yet the rights and access that should have been taken away from him were not taken away. There's still an email group and things like that.
MR. CHAIRMAN: Ms. Cascadden.
MS. CASCADDEN: So there are two things: one is when the department is communicating back with information technology people, they have to communicate all the rights that need to be changed, so the person no longer has access to this system, they shouldn't have access to these drives; there needs to be a checklist and in most instances there is a checklist that all the rights change, based on the person's role.
If, for some reason, the department does not communicate a change to a drive but indicates a change that is required in a system, then the IT people will make the change to the system but not necessarily make the change to your shared drives, for example, if those two aren't connected in the communication back to IT.
Now there are times that the IT folks will look at it and they will see something very obvious in a disconnect of the level of access granted in the system and the level of access granted in other systems. An example of that would be someone leaving the government, so take the big case, and the department communicates back that they should no longer have access to an information system but IT knows that they also have access to the VPN, email and everything else. IT will then query back to the department and say, should all these other accesses be removed as well? There's that communication that has to take place.
One of the things that tends to be one of the harder things to track is when someone moves within a department, doing a similar role, but they may have had different access in the system. Sometimes the systems people aren't informed of that difference. People can, as they progress through their career, continue to have some of the accesses that they had while they had other roles in the department.
Usually the big changes of somebody leaving the government, somebody moving from one department to another, those are very, very easy to manage. It gets a little harder to manage when people are moving within a department because sometimes all the parameters of those changes are not communicated to the IT folks who are managing the systems.
MR. MAGUIRE: This came to light to the Auditor General but what are we doing to ensure that this isn't just a stand-alone issue in DCS and this isn't an issue in Health and Wellness or Culture and Heritage or any other departments? What is your department doing to review to make sure that the proper rights and accesses are matching up?
I know it's probably nearly impossible to know every single job description, like every individual who is taking care of these issues, to know every job description and what rights and accesses, so that's where the communication is very important, that when they call in and say so and so is now in this department or this part of the department, these are the rights they have.
MR. CHAIRMAN: Order, time has expired. I was trying to give you extra time there.
With that, I offer the departments some time to offer some closing comments.
MS. HARTWELL: Mr. Chairman, first I would like to thank you for having us here today. I am completely sincere when I say I always welcome an opportunity to talk about the work Community Services does. We do very challenging work and there are always opportunities for us to improve and grow, so thank you for that.
I would also like to thank the Office of the Auditor General for the report and recommendations. We have found them to be very helpful and certainly allow us to continue to strengthen our controls in both our IT systems and otherwise.
I want to correct something that I said earlier, which was in response to a question about office closures. I should have reiterated that the Barrington office did not completely close; the IA workers still remain in that office. So while we've moved Social Work, the Child Welfare staff, IA still remains. I wouldn't want people in Barrington to think that somehow I was signalling something that hasn't happened, nor would I want to.
I would like to offer a reassurance that we do take responsibility and take our responsibility for protection of people's information very seriously. We will always look at ways to modernize and strengthen our system and we are absolutely committed to doing everything we can to safeguard the privacy of our clients.
As I've said and as you know from your own experience, we support some of the most vulnerable Nova Scotians and we want to be part of improving their lives and helping them achieve and prosper in our province. The last thing we would want is in any way for the services that we provide to add to any issues that they have. We do take that responsibility very seriously.
We will continue to move forward on addressing all of the issues that were raised with the audit and I will make sure we respond to the questions and issues that have come up in this committee in a timely manner so we will provide that. Please know that our top priority is always the well-being of Nova Scotians in need and we'll continue to work to try to make their life better. Thank you for this opportunity and good morning.
MR. CHAIRMAN: Thank you Ms. Hartwell. I just want to mention a couple of things. There was some question around some of the questions that were being asked today. The purpose of the committee is to look at past expenditure in government. Traditionally, from my experience in the committee, there has been freedom to ask questions and that freedom does exist for every member. Some of the questions today may have skirted around the exact topic we were discussing. That is something I will have a look at and offer more comment in the next meeting. I would like to say, from some of the training we received as a committee, the importance of staying on the topic, but I also respect members' freedom to ask questions as well. If that's something that exists for everyone, that's fairness as I see it. It is something I will have a further look at and offer further comment at our next meeting.
The other matter is recognizing speakers. One of the reasons why I don't recognize people every time is to keep the flow of the questions and answers moving along. But I would ask members to allow people who are responding to questions to give their response before asking another question. I also know you are mindful of the time and you are restricted to the amount of time you have to ask questions but I think it's important to give our guests time to answer a question and when you do ask a question at the end of your statement, make sure it's a clear question so that our guests know exactly what to answer.
With that, our next meeting is on April 8th where we will have Service Nova Scotia and the subject is services for businesses. We also have one piece of correspondence from the Department of Education and Early Childhood Development that you all have.
If there are no other questions or further business, we are now adjourned.
[The committee adjourned at 10:53 a.m.]
