Fiscal bandwidth hog: the disproportionate growth of Knuckles 2

Strange as it might seem, the disproportionate growth of the Executive Council budget as a share of overall government spending is attributable to the Office of the Chief Information Officer.

The Executive Council went from 0.8% of the annual capital and current account budget to 1.6% in the space of two years, 2004 to 2006. It climbed up again in 2007 and 2008.

OCIO - or NLCS v. 2 - is the controller of all computer resources and personnel within government. Over 200 employees, mostly in St. John's, and a budget which is twice that of the entity to which it nominally belongs. Big Brother, it seems, is a fiscal bandwidth hog like few others.

To be fair, ICIO's budget includes the budgets that used to be distributed around various government departments; it's not surprising it is a huge cash sucker.

But to be even more fair, like all bureaucracies, OCIO will continue to accumulate staff and budget allocations using every advantage that comes from being the information controller for all government working directly for the most central of central agencies.

The cash levels and the staff allocations are - after all - the only performance indicators any bureaucracy worthy of the name actually understands.

-srbp-

Public body breached new privacy law

Is everyone in government ready to protect personal privacy?

Apparently not.

The section of the Access to Information and Protection of Personal Privacy Act, known by appealing acronym ATIPPA, dealing with personal privacy came into force on January 16, 2008.

Given the five year delay in implementing the new privacy protections, it came as something of a surprise on Friday to learn of the possible leak of an undisclosed amount of private information held by a government agency. Someone on contract to the Workplace Health, Safety and Compensation Commission operated a file sharing program that gave access to files on the computer's hard-drive, including confidential records related to the commission.

It's taken a while to get the whole act into force, something on the order of five years. The delay was apparently due to a need to get government departments ready to deal with the implications of the new legislation. In the meantime, the old Privacy Act, circa 1981 was in force. The Privacy Act was far from perfect but at least it was something.

Workplace Health learned of the security problem on January 22 but it took three whole days for the provincial government to inform the public of the problem. The entirely self-serving news release spent more time trumpeting the actions taken to deal with the problem and to praise the Office of the Chief Information Officer [OCIO] for all its fine work in protecting information than it did in disclosing what government knew about the extent of the breach and whether or not information had actually been obtained illegally by anyone.

In fact, the only thing clear through the release is that the provincial government actually knows - or appears to know - very little about the breach beyond some very rudimentary details.

There's even a rather interesting quote from the newly minted chief executive of Workplace Health;

"The Commission shares the Provincial Government’s view that private and confidential client information must be safe guarded both at the Commission and with service providers. Until the forensic investigation is complete, the extent of the exposure is not known and we are unable to determine how many, if any, of the Commission’s clients may be affected," said Leslie Galway, Chief Executive Officer, Workplace Health, Safety and Compensation Commission. "The Commission was not the source of the breach but nevertheless has taken measures to ensure the integrity of its network system was intact, as well as address the network system concerns with the private company involved."

How comforting.

The commission shares the provincial government's view that private information must be safeguarded.

Unfortunately for the commission, this is not merely a "view", an opinion of the sort one might wish to be associated with like, say, "My goodness that was a lovely sunrise this morning."

It is the law.

36. The head of a public body shall protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

And there's nothing in the law that restricts the legal obligation of a public body to protect private information only to computers owned by the public body itself.

It's a blanket obligation.

That's what makes the provincial government news release so interesting. In the quote above, Leslie Galway talks about securing the commission's own network and refers vaguely to addressing "network system concerns." Heaven knows what that means, but it is entirely irrelevant since the actions were taken after the fact.

The story gets more interesting when one reads the coverage in the Saturday Telegram, sadly not available online.

Justice minister Jerome Kennedy says the consultant was "doing some work for justice" [presumably the department] occupational health and safety assessments. Kennedy repeated that there are government policies in place that prohibited the use of file sharing programs on government computers. He pronounced himself satisfied with that: "I'm comfortable ...that this issue with government-owned computers has been addressed very expeditiously and thoroughly."

Just so that we can all share the minister's sense of comfort, go back and wander through the OCIO website. try and find a policy statement on file sharing and the handling of records. There isn't even a link to the ATIPPA in the links section of the website, even though ATIPPA is a key part of records management within government.

But of course, this is the second such incident in a handful of months. A similar case came to light in November involving 1420 medical files. The Telegram reports that 370 files were accessed - by whom is not disclosed - and that the files belonged to 151 patients and two employees of Eastern Health.

The Telegram also states - erroneously - that provincial government policies do not extend to the private consultant. While a public body is able to disclose personal information to a consultant doing legitimate work for the agency or a government department, section 36 of the ATIPPA doesn't limit the obligation of the department or agency to take reasonable security measures.

The crux of this story is that for the second time since November, a provincial government agency is involved in a breach of privacy. This second case is all the more serious since it comes less than a week after new legislation took effect which obligates public bodies to protect information from disclosure.

No surprise, in that context, that the provincial government delayed disclosing the existence of a security breach and at the same time focused its attention - in the news release - in endless self-praise, rather than acknowledging the gravity of what had occurred.

That's not accountability or transparency, as the justice minister professed when announcing the privacy legislation was in force. And frankly, the people of the province should view with some suspicion this pronouncement by the justice minister.

"I want to assure the people of Newfoundland and Labrador that their personal and confidential information is treated with respect and in accordance with the Access to Information and Protection of Privacy Act."

The subject of his news release - a second security breach involving an undetermined amount of confidential, personal information on an undisclosed number of individuals or corporations - is evidence that information is not being handled "in accordance with" the ATIPPA. If the minister is not prepared to acknowledge a problem exists, it's highly unlikely a proper solution will be implemented, let alone found.

Up-data: Seems the CBC version of this story has some variations from the telegram version.

"The investigation is very early on," said Leslie Galway, the commission's chief executive officer.

"We are not aware of whether our clients are actually involved with the information on that computer specifically, and what sort of information may be there."

Three days later and no one knows what was on the computer?

"At this stage, we don't know the extent or nature of the breach," Kennedy said, "nor the types of information that may have been exposed."

Now there's a familiar line. It popped up in November as well, and right behind came the assurance that there was absolutely nothing to worry about.

The real value of the CBC story though is the link to a follow-up on the November security leak. on November 27, health minister Ross Wiseman said there were only 49 people involved in the first leak. The Telly now has the figure at 153.

Which number is right?

-srbp-

Another OCIO triumph

How do you deal with a government computer system that is hopelessly out of date it wants you to “update” your Internet browser to a version that is actually three version older than the one you are using?

You don’t really.

You just shake your head and laugh.

This picture is the screen that appears when you try and access some provincial government websites.  In this case, it’s the lobbyist registry set up after 2004.

Note the dates:

“Copyright 2000”

“Last updated January 12, 2003”… that is the year before the lobbyist registry bill passed the House of Assembly and long before the bill was even thought of.

The version of Firefox that screen appeared on is 3.0.12.

The government computer won’t let that higher version to access the registry because supposedly it doesn’t meet the minimum “security and compatibility requirements.”

The truth is the Firefox version currently in use by your humble e-scribbler exceeds the security requirements but in order to use it, the version it will accept is two full iterations old.

The alternatives are no better. 

There are still lots of people out there using Internet Explorer 6, but more and more of us users have upgraded to version 8.

Netscape Navigator was last updated in 2007.  The only thing you can get these days is an archive for it. That last iteration was version 9 which, as you can see, is two full iterations beyond the current government-supported version.

What about Chrome?

You get the same silly blocking screen recommending you use antiquated software.

The Office of the Chief Information Officer is the giant bureaucracy created by the current administration to manage all provincial government computing services.  The thing has been a pretty spectacular  - and expensive - failure, at least when it comes to ensuring the public face of government is functioning at something reasonably approaching modernity. 

This mess at the lobbyist registry website is a case in point. Incidentally, the companies registry is no better.  The only thing it will accept is IE.

So what’s a body to do? 

Try Internet Explorer.  For some inexplicable reason, the OCIO system still supports IE no matter version you are using.

One suspects, therefore, that security isn’t really the issue.  Rather the issue is likely that giant , expensive unwieldy bureaucracy cannot deliver what it should be delivering to government and especially to the public.

Running into this little annoyance time and again makes you wonder, though, if the current hardware standard throughout government is a 286 hooked to a dot matrix printer.

Oh.

One last thing.

That contact link at the top of the page people are supposed to use if you download the old browsers and still can’t get through?  it takes you to a list of telephone numbers that are only available during government working hours.

There’s no e-mail contact address at all, anywhere.

Welcome to the 21st century, courtesy of the provincial government.

-srbp-

Busy work

Otherwise known as shuffling deputy ministers around.

1.  We’d be remiss if we didn’t note that the provincial government’s recycling program – complete with the used tire mess – is now being run, albeit on an acting basis, by the same guy who runs the provincial government’s fire and disaster response crowd.

2.  The acting minister of environment/acting deputy minister combo that’s been in place since last summer has been replaced by an acting minister/confirmed deputy minister.  The guy’s been in the job six months and is only now confirmed as the deputy minister.  Bet a lot got done in that department with all the acting going on.

3.  What exactly is a deputy minister of special projects which, the release notes, includes collective bargaining?  Since when is collective bargaining a “special project”?  Not so very long ago that was handled by the person who is now called the deputy minister of the Public Service Secretariat, which, incidentally, also got a new deputy minister.

4.  That deputy minister came from education which got – you guessed it – an acting deputy minister in her stead.

5.  Jerome Kennedy mumbled something over the Christmas holidays about inefficiency in the public service.  Well, he might take note of his boss’ habits in promoting inefficiency.

Firstly, too many people are appointed to too many positions in an acting capacity.  As such, they have a limited ability to get down to work since they might be shuffled off to some other part of the The Hill before they know what hit them.

Secondly, sometimes people get stuck with two things that are unrelated.  Like Mike Samson, a very capable fellow, who must now juggle bottles and cans as well as fire extinguishers.  One of those jobs is – you are too quick – on an acting basis, so don’t expect anyone to be sorting out the mess of the cans and tires until the Premier gets around to putting a full-time boss at the recycling board.

Thirdly, in his own case, Jerome has reporting to him no less than four deputy ministers where there used to be two.  That’s right. Four people doing the job that used to be handled by two.  That’s four if we include the special projects DM since contract negotiations used to be the responsibility of the person running Treasury Board.

Fourthly, let’s not forget there’s still a staffing thing out there called the Public Service Commission  - as opposed to a “secretariat” - with its own bureaucracy that does a whole bunch of other human resource-related stuff.

Fifthly, let’s notice the number of appointments where people just traded offices.

How confusing is this mess?  Well consider that Jerome has been in finance/treasury board/OCIO/public service secretariat since well before Christmas.  His name appears as the minister responsible on the index page for the Public Service Secretariat space on the government website. 

Scan down the page, though, and you see this tidbit:

The Public Service Secretariat is headed by Deputy Minister David Gale who reports to the Minister of Finance and President of Treasury Board, Hon. Tom Marshall.

Now Gale just got shifted so the web-nerd for finance or treasury board or the public service secretariat or the office of the chief information officer (Knuckles Two) can be forgiven for not being right on the ball.

But Marshall?  He’s been gone for months.

It would all make you laugh if it wasn’t your own cash supporting it.

-srbp-

Transitory Records #nlpoli

In dealing with one aspect of the business of getting Carla Foote from Executive Council to The Rooms,  deputy minster Ted Lomond suggested to The Rooms CEO that he delete the email in which Lomond had forwarded a proposed draft of a letter.

cbc.ca/nl ran a story on it Monday based on the report from the Citizen's Representative into allegations against Lomond's minister, Chris Mitchelmore.  The CBC story included this quote:

"I talked to Mr. Brinton a number of times and I said to him that in light of everything that is happening, I would suggest you delete your transitory records," Lomond told the Office of the Citizens' Representative. 

Brinton said he knew their conversation would be subject to requests under the Access to Information and Privacy Protection Act [ATIPPA], and said he wanted to make sure his emails were in order.

"You knew this was going to get ATIPP'd," he told the citizen's rep. "So I would like to have my records neat and tidy, final versions lined up."

Transitory records are not described in ATIPPA.  They are covered in the law that governs how government maintains its records.  It's called the Management of Information Act. Anyone submitting requests for government documents under ATIPPA should know both pieces of legislation inside out.  For those who are interested,  the Office of the Chief Information Officer has a tidy little description of "transitory records".