Language selection

Government of Canada / Gouvernement du Canada

Search


National Security and Intelligence Review Agency Annual Report 2021

Backgrounder

Ottawa, Ontario, October 7, 2022 – The third Annual Report of the National Security and Intelligence Review Agency (NSIRA) was tabled in Parliament today, October 7, 2022.

NSIRA’s 2021 Annual Report focuses on our progress and activities in our second full year of operation. During this time, we pursued the reform of our processes and methods for doing review and investigations, both of which helped us improve the consistency and efficiency of our work.

This report highlights key findings and recommendations. The report also presents our intention to use future annual reports to publicly assess and track the implementation of previous recommendations, in accordance with our continued commitment to transparency and public engagement. Review highlights include:

  • Four reviews of important areas of CSIS activities, notably CSIS threat reduction measures (TRMs) and technical capabilities, as well as the manner in which CSIS seeks and receives legal service from de Department of Justice and prepares and executes the warrants it needs to collect information. An annual compliance review of CSIS’s activities was also completed;
  • CSE activities, notably CSE’s governance framework that guides the conduct of active and defensive cyber operations, internal information sharing, and CSE disclosures of Canadian-identifying information (CII);
  • DND/CAF Defense Intelligence Enterprise and a follow-up review of the Canadian Forces National Counter-Intelligence Unit;
  • Two specifically mandated multi-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and sharing of information within the federal government under the Security of Canada Information Disclosure Act; and,
  • One multi-departmental review relating to the collection and use of biometrics in the “border continuum”.

In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act. NSIRA also completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.

NSIRA’s 2021 Annual Report also discusses our organization’s underlining goals and values, and highlights how the organization continued to grow in size and capacity throughout the year, and sought to enhance its technical and subject-matter expertise.

Date of Publishing:

Dear Prime Minister,

On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our third annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2021, as well as our findings and recommendations.

In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with relevant deputy heads, in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, nation al defence or international relations, or is information that is subject to solicitor-client privilege, the professional secrecy of advocates and notaries, or to litigation privilege.

Yours sincerely,

The Honourable Marie Deschamps, C.C.

Chair // National Security and Intelligence Review Agency

Message from the members

The National Security and Intelligence Review Agency (NSIRA) is pursuing its mission of enhancing accountability for national security and intelligence activities in Canada. In 2021, our agency continued to grow in size and improved its ability to fully take advantage of its broad review and investigations mandate covering the national security and intelligence activities of departments and agencies across the federal government.

It is our pleasure to present to you our third annual report in which we discuss our progress and activities in our second full year of operation. Despite the recurrent challenges posed by the COVID-19 pandemic and delays caused by a cyber incident, we completed a wide array of reviews and investigations, and continued improving our processes across the agency. Indeed, we pursued the reform of our processes and methods for doing reviews and investigations, both of which helped us to improve the consistency and efficiency of our work tremendously. These reforms, in conjunction with our growing experience, have allowed us to implement and deliver on our review plan. All of this was made possible by the development of a much stronger corporate policy framework backed by a corporate group that really cares about service delivery and the health of the agency.

In accordance with our continued commitment to transparency and public engagement, this report will present our intention to use future annual reports to publicly assess and track the implementation of previous recommendations. In the same spirit of holding us and the reviewed organizations accountable, we also formalized standards that will allow us to assess the timeliness of responses. It is our hope that these initiatives, in addition to the stringent verification process to assess our confidence in each review that we are currently developing, will inspire confidence and trust in our recommendations and findings.

We would like to thank the staff of NSIRA’s Secretariat for their efforts, patience and resilience throughout this challenging year and we hope you share our enthusiasm for what we can accomplish in the year ahead.

Marie Deschamps
Craig Forcese
Ian Holloway
Faisal Mirza
Marie-Lucie Morin

Executive Summary

The National Security and Intelligence Review Agency (NSIRA) marked its second full year in operation in 2021. With the agency’s broad jurisdiction under the National Security and Intelligence Review Agency Act (NSIRA Act), it reviewed and investigated national security and intelligence matters relating to not only the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also several federal departments and agencies, including:

  • the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
  • the Royal Canadian Mounted Police (RCMP);
  • Immigration, Refugees and Citizenship Canada (IRCC);
  • the Canada Border Services Agency (CBSA);
  • Transport Canada; and
  • all departments and agencies engaging in national security and intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.

In 2021, NSIRA continued to grow in capacity and sought to enhance its technical and subject-matter expertise.

Review highlights

Canadian Security Intelligence Service

Over the course of 2021, NSIRA completed four reviews that strengthened its knowledge of important areas of CSIS activity:

  • a review of the cultural, governance and systemic issues arising in the context of the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information;
  • a survey of CSIS’s suite of technical capabilities, along with its associated governancestructure, and areas of interest or concern to which NSIRA may return in future reviews;
  • the second annual review of CSIS’s Threat Reductions Measures (TRMs) that expandson findings from the previous review by examining a larger number of TRMs; and
  • an annual compliance review of CSIS’s activities.

Communications Security Establishment

In 2021, NSIRA completed two reviews of CSE activities, and directed CSE to conduct one departmental study:

  • a review of CSE’s governance framework that guides the conduct of active and defensive cyber operations, including whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations;
  • a review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance aspect of its mandate; and
  • a departmental study on whether CSE disclosures of Canadian-identifying information were conducted in a manner that complies with the Communications Security Establishment Act, and were essential to international affairs, defence, security or cybersecurity.

Department of National Defence and the Canadian Armed Forces

In 2021, NSIRA completed two reviews of the DND/CAF:

  • a scoping exercise to gain foundational knowledge of the Defence Intelligence Enterprise, where a significant part of intelligence functions of the DND/CAF are located; and
  • a follow-up review on the previous year’s examination of the Canadian Forces National Counter-Intelligence Unit, with emphasis on operational collection and privacy practices.

Multi-departmental reviews

NSIRA conducted two specifically mandated multi-departmental reviews in 2021:

  • a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
  • a review of information sharing within the federal government under the Security of Canada Information Disclosure Act.

NSIRA also completed a multi-departmental review under its general mandate to review any activity carried out by a department that relates to national security or intelligence:

  • to map the collection and use of biometrics across several federal government departments and agencies in security and intelligence activities related to international travel and immigration, that is, the “border continuum.”

Complaints investigations

In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act.

Further, the COVID-19 pandemic contributed to delays in NSIRA’s investigations by reducingparties’ responsiveness in providing access to information and evidence.

In 2021, NSIRA completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.

Introduction

1.1 Who we are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities. Prior to NSIRA’s creation, several gaps existed in Canada’s national security accountability framework. Notably, NSIRA’s predecessor review bodies did not have the ability to collaborate or share their classified information but were each limited to conducting reviews for their specified department or agency.

By contrast, NSIRA has the authority to review any Government of Canada national security or intelligence activity in an integrated manner. As noted in the 2019 annual report, with NSIRA’s expanded role, Canada now has one of the most extensive systems for independent review of national security.

1.2 Mandate

NSIRA has a dual mandate to conduct reviews and investigations of Canada’s national security and intelligence activities. Annex B contains a financial and administrative overview of NSIRA.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice.

Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA. Annex C contains summaries of the reviews completed in 2021.

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Reviews of CSIS and CSE will always remain a core part of NSIRA’s work since the entire focus of these organizations is to address national security and intelligence matters. Unlike its predecessor review bodies, however, NSIRA has an all-encompassing review mandate. NSIRA will thus continue to prioritize and examine how other departments engaging in national security and intelligence activities meet their obligations. NSIRA reviews help keep Parliament and Canadians informed about the lawfulness and reasonableness of Canada’s national security and intelligence activities.

Investigations

In addition to its review mandate, NSIRA is responsible for investigating national security- or intelligence-related complaints. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:

  • the activities of CSIS or CSE;
  • decisions to deny or revoke certain federal government security clearances; and
  • ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.

This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism) and the Canadian Human Rights Commission.

Reviews

2.1 Canadian Security Intelligence Service reviews

Overview

NSIRA has a mandate to review any Canadian Security Intelligence Service (CSIS) activity. The NSIRA Act requires NSIRA to submit a classified annual report to the Minister of Public Safety and Emergency Preparedness on CSIS activities each year, including information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.

In 2021, NSIRA completed four reviews of CSIS, summarized below. NSIRA also began two more reviews: one of CSIS’s Justification Framework and the other of CSIS’s Dataset Regime. Several other ongoing NSIRA reviews contain a CSIS component.

In a 2020 decision (2020 FC 616), the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.” Based on that recommendation, the Minister of Public Safety and Minister of Justice referred the review to NSIRA pursuant to paragraph 8(1)(c) of the NSIRA Act. Acting on this reference and relying on its own jurisdiction, NSIRA therefore reviewed the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information.

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that enables them to meet their legal obligations, including to the Federal Court. NSIRA also found a failure at CSIS to fully and sustainably professionalize the warrant application process as a specialized trade requiring training, experience and investment. This review also demonstrated the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA members Marie Deschamps and Craig Forcese. One or both members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. This included dozens of confidential interviews with Department of Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings.

In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic and cultural issues that contribute to inefficiencies threatening the ability of CSIS and the Department of Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that these problems put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges urgently is in the public interest. Though CSIS and the Department of Justice have made improvements, difficulties are still evident.

NSIRA grouped its findings and recommendations into three overarching areas:

  • the Department of Justice’s provision of legal advice;
  • CSIS’s and the Department of Justice’s management of the warrant acquisition process; and investment in people.

CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. The Department of Justice provides CSIS with legal advice on national security matters via the National Security Litigation and Advisory Group (NSLAG). This review highlighted factors that prevent NSLAG from providing CSIS with the legal advice it needs.

The Department of Justice has employed a centralized “one voice” model for delivering its legal services. The one voice model reflects a desire for uniform and consistent legal advice delivered on behalf of the Attorney General of Canada. Although the premise for the one voice approach is sound, NSIRA found that NSLAG struggled to provide timely, responsive and useful legal advice in the CSIS context. The way the Department of Justice provides advice has often not been responsive to CSIS operations. For example, NSLAG presents its advice as a legal risk assessment using the Department of Justice-wide Legal Risk Management grid. This grid uses a colour-coded risk rating that can be compared to a “traffic light” system: a green risk rating represents a low legal risk to CSIS, a red risk rating represents a high legal risk, and, more ambiguously, a yellow risk rating represents an intermediate legal risk. Yellow light responses are reportedly the most common and the most frustrating for CSIS, especially when unaccompanied by discussions on how to mitigate the risk, the inclusion of which NSIRA heard is not currently common practice.

Therefore, some at CSIS perceive the Department of Justice as presenting a roadblock because of its bureaucracy, its perceived operational illiteracy and its unhelpful approach to communicating legal advice.

However, the problems with timely, responsive and useful legal advice do not stem from the Department of Justice alone. NSIRA heard that CSIS has not always shared all relevant information with the Department of Justice, prompting a degree of mistrust. The internal process for requesting legal advice at CSIS also contributes to delays and lack of relevance. The advice that sometimes comes back to operational investigators at CSIS filtered through bureaucratic hierarchies may be of limited relevance.

NSIRA heard that the laborious advice-seeking and -receiving process has sometimes caused [discussion of detrimental effects on and risks to operations].

CSIS and the Department of Justice often operate in a situation of legal doubt because of lack of clarity in the law. Clarifying legal standards often requires judicial case law. However, an unwieldy warrant process, discussed below, makes that prospect more difficult.

The Department of Justice is aware of the need for change. Broad, recent initiatives include the Vision Project, which promises client-centric strategic partnerships. New procedures have been implemented at NSLAG to address internal silos between advisory and litigation counsel, and to improve training, improve access to legal advice and facilitate consistent legal opinions. NSLAG also appears to recognize the desire for a different approach to providing legal advice, including moving toward legal advice that promotes collaborative and iterative engagement with CSIS in order to achieve its operational goals, within the bounds of the law. However, as of fall 2021, it did not appear that CSIS and the Department of Justice had systematically put this model into effect.

To facilitate proper advice-giving, CSIS needs to provide NSLAG with all the facts, and to engage NSLAG early on, at the operational level. Earlier and ongoing involvement throughout the stages of an investigation or operation would enable counsel to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. A more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

Management of the warrant process

CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. A number of legal concepts and expectations enter into the warrant process, including the “duty of candour” owed to the Court.

The Federal Court duty of candour concerns fit into two categories: disclosure of information material to the credibility of the sources who supply information used in the application; and disclosure of information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Despite past attempts at reforms, the current warrant process adopted by CSIS and supported by the Department of Justice has repeatedly failed to meet these candour obligations. Many reforms appear to have contributed to the bureaucratic complexity of the warrant process, without addressing candour issues.

CSIS has especially struggled to ensure that all information material to the credibility of sources is properly included in warrant applications. NSIRA heard repeatedly that CSIS officers involved in the early stages of preparing warrant applications do not clearly understand the legal expectations surrounding the duty of candour. Deficient information management systems related to human sources at CSIS have also resulted in important omissions, violating duty of candour obligations. These challenges produce what NSIRA calls the “recurring omissions” problem.

In 2019, CSIS sought to professionalize affiant work by creating an Affiant Unit. CSIS’s establishment of the Affiant Unit is a critical development and, properly resourced and staffed, it would be well positioned to respond to long-standing problems with the duty of candour. However, when created, the Affiant Unit was placed [Name of Branch]. [Name] has a broad mandate that does not align with the Affiant Unit’s functions in preparing legally robust warrant applications. This governance anomaly may explain the Affiant Unit’s present administrative and human resource challenges. The Affiant Unit’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as being in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission.

Warrants counsel at NSLAG have several key roles in the warrant application process and are intimately implicated in ensuring adherence to the duty of candour. Fostering a strong, collaborative and productive relationship with CSIS is key. Morale among NSLAG warrants counsel may have suffered in light of the recent Federal Court decision that prompted this review. With recent staffing increases, it appears that NSLAG currently has the requisite complement to manage the number of annual warrant applications expected from CSIS, but recruitment challenges remain an ongoing issue. NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the lack of availability of warrants counsel.

The warrant application process is meant to be strengthened through a review of the near- final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the Department of Justice’s National Security Group. The role was originally envisioned as performing a rigorous challenge of the warrant application. However, the primary role of the IC appears to be more clerical than substantive, designed to cite check rather than assertively perform a devil’s advocate function.

NSIRA believes that the presence of a rigorous challenge function performed by a knowledgeable, adequately supported lawyer distant from the warrant application is valuable and necessary. However, NSIRA proposes that the current IC model be abandoned in favour of a challenge function performed at Public Safety Canada, whose precise role is that of oversight of the CSIS warrant application process.

Working with the Public Safety Canada unit charged with warrant review, an experienced and specialized warrant counsel could perform a genuine challenge role to the warrant, analogous to the role a defence lawyer would play were warrants subject to an adversarial process. NSIRA believes that a testing review of this sort will help forestall duty of candour shortcomings stemming from a failure to disclose fully information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the warrant. However, the CSIS regional warrant coordinators have not received sufficient training to enable the contents of warrants to be translated into advice on proper execution.

Investment in people

Concern about inadequate training at CSIS was a recurring theme in this review. This concern was noted in internal CSIS documents. CSIS acknowledges that it is currently not a learning organization and does not have a learning culture. There are too few training opportunities required to sustain a modern professional intelligence service operating in a complex environment.

Conclusions

This report concluded with observations on cross-cutting cultural and governance challenges that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and performing the mission.

Low morale at CSIS was a common theme throughout this review. The systemic problems in the warrant application process are likely one cause of this problem: morale is affected when a warrant acquisition system repeatedly prevents CSIS officers from performing their mandated duties and is the source of regular reputational crises stemming from failures to meet the duty of candour.

Meanwhile, a failure to correct problems with the warrant process impairs CSIS’s and the Department of Justice’s abilities to fulfil their mandates. The Department of Justice must go from being perceived as a roadblock to a frank and forthright advisor fully attuned to operational objectives.

Within CSIS, the warrant application process was sometimes likened to winning a lottery — not because the Federal Court declines to issue warrants, but because of the resources required to prepare and complete the application. The current, laborious warrant application process is preventing some collection activities from moving forward.

In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated cultural and governance patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process.

Cherry-picked or paper-based reforms that mask without addressing the overarching systemic, cultural, and governance challenges will suffer the fate of prior reforms: the problems will continue.

NSIRA intends to launch a follow-up review within two years that will measure progress at CSIS, the Department of Justice and Public Safety Canada in resolving the systemic problem with the warrant process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court. NSIRA’s full redacted report can be read on its website.4

Response to NSIRA’s recommendations

NSIRA’s recommendations, the management response of CSIS, Public Safety Canada and the Department of Justice, and other details about this review are found in Annex D of this report.

Study of CSIS Technical Capabilities

Canada’s national security threat landscape is constantly evolving and changes in technology present CSIS with a variety of new investigative opportunities. Consequently, CSIS must develop and acquire new technical capabilities, as well as adapt (repurpose) existing tools to support its mandated collection activities. This process presents potential compliance risk, as CSIS’s existing governance and legal frameworks may not capture the new deployment or adaptation of these technical capabilities. Furthermore, certain personnel and supporting legal counsel may not fully understand how these tools are used operationally, impacting their ability to advise whether or not CSIS has the legal and policy framework required to support use of the technology. These risks require NSIRA to maintain up-to-date knowledge of CSIS’s technical capabilities and related warrant powers.

NSIRA’s survey of CSIS technical capabilities offers a first step in this endeavour by surveying CSIS’s suite of capabilities, along with its associated governance structure, and identifying areas of interest or concern to which NSIRA may return in future reviews.

Reality of the risks

NSIRA’s review of CSIS’s use of a geolocation tool found that the lack of “developed policies and procedures around the assessment of new and emerging collection technologies” directly contributed to the risk that CSIS had breached section 8 of the Canadian Charter of Rights and Freedoms while testing the tool.

– NSIRA Study 2018-05

The full range of technical capabilities CSIS currently employs in support of its intelligence collection operations was examined. NSIRA reviewed relevant policy and legal frameworks as communicated by CSIS but did not conduct an independent verification or audit of the claims or activities themselves. NSIRA also examined the tripartite information/knowledge sharing and support nexus that exists between CSIS’s operational branches, technological branches and CSIS’s Department of Justice counsel with regard to the deployment of capabilities in support of operations.

In addition to the foundational knowledge NSIRA gained of CSIS’s technical capabilities, NSIRA made several observations identifying areas of interest for possible future reviews. For example, NSIRA noted, and CSIS agreed, that the main policy suite related to the use of technical capabilities is outdated and under revision, though the timeline for completing this task is unclear.

In the interim, the policy suite is buttressed as required by directives from senior leadership and other relevant policies and practices. The lack of up-to-date policies and procedures may result in heightened compliance risks, an issue of interest to future NSIRA reviews.

In addition, CSIS is currently reworking the framework it uses to assess compliance and risk in this area. CSIS indicated that greater efficiencies in addressing stakeholder needs and compliance gaps could be achieved through new initiatives such as the creation of the Operational Technology Review Committee, which was created in May 2021. This committee’s objective is to review all new technologies used to collect intelligence and existing technologies that will be used in a new or different manner. The creation of the Operational Technology Review Committee suggests a positive step toward mitigating the risk of compliance breaches related to the deployment of technologies in support of operations. Most obviously, it presents a forum in which potential risks can be proactively identified and mitigated. The evolving nature of how compliance is monitored in relation to technical capabilities will be of interest to NSIRA moving forward.

Further questions exist regarding how CSIS monitors the operational value of technical capabilities. CSIS needs to strengthen its performance metrics program with regard to its deployment of technologies in support of operations. A performance measurement regime, currently under development, will become an important feature of the governance framework, with attendant compliance implications for possible future NSIRA reviews.

Overall, it will be important for NSIRA to remain up to date with respect to the technical aspects of CSIS intelligence collection operations, particularly given the speed with which technology and associated technical capabilities evolve.

As part of this effort, it may be possible to leverage existing reporting requirements already undertaken by CSIS. For example, Section 3 of the Ministerial Direction to the Canadian Security Intelligence Service: Accountability (September 10, 2019) requires CSIS to inform the Minister of Public Safety of operational activities in which “a novel authority, technique or technology is used.” These notifications could provide NSIRA with ongoing and up-to-date knowledge of CSIS’s capability suite and how/when technologies are deployed operationally. Furthermore, sharing the notifications would bolster CSIS’s efforts toward proactive transparency, which are in line with commitments to provide explanatory briefings to the Federal Court on new technologies used in warranted operations.

NSIRA has recommended that the full, unredacted, version of this technical survey be shared with the designated judges of the Federal Court.

Review of CSIS Threat Reduction Activities: A Focus on Information Disclosure to External Parties

Under the Anti-terrorism Act, 2015, CSIS was granted the authority to undertake threat reduction measures (TRMs). NSIRA is required to review, annually, at least one aspect of CSIS’s performance in the use of its threat reduction powers. NSIRA recognizes that CSIS’s threat reduction powers can be an effective tool to diminish a national security threat; however, these powers also command heightened responsibility, given their nature and ability to profoundly impact, not only the subject of a given TRM, but others potentially captured by its scope.

This year, NSIRA produced its second annual review of CSIS’s TRMs. This review sought to expand on findings from the previous review by examining a larger number of TRMs, wherein CSIS disclosed information to external parties, and in doing so, provided the external party the opportunity to take action, at their discretion and pursuant to their authorities, to reduce identified threats. This review studied the characteristics of these particular TRMs but focused its examination on the extent to which CSIS appropriately identified, documented and considered any plausible adverse impacts that these measures could have on affected individuals.

NSIRA observed that several different kinds of external parties were involved in the TRMs. These external parties had varied levers of control through which they could take action to reduce a threat.

NSIRA found that CSIS’s documentation of the information disclosed to external parties as part of TRMs was inconsistent and, at times, lacked clarity and specificity. NSIRA also found that CSIS did not systematically identify or document the authorities or abilities of external parties to take action, or the plausible adverse impacts of the TRM. NSIRA also found that CSIS did not always document the outcomes of a specific TRM, or the actions taken by external parties to reduce a threat.

Without robust documentation, CSIS is neither capable of assessing the efficacy of its measures nor appreciating the full impact of its actions related to these measures.

NSIRA recommended that when a TRM involves the disclosure of information to external parties, CSIS should clearly identify and document the scope and breadth of information that will be disclosed as part of the proposed measure. NSIRA recommended that CSIS should also fully identify, document and consider the authority and ability of the external party to take specific action to reduce a threat, as well as the plausible adverse impacts of the measure. Beyond recommending that CSIS comply with its record-keeping policies, NSIRA recommended that CSIS amend its TRM policy to include a requirement to systematically document the outcomes of TRMs, including actions taken by external parties. This practice should inform post-action assessments and future decision-making.

In addition, NSIRA found that the current assessment framework employed as part of the TRM approval process is overly narrow and does not sufficiently consider the full impact of CSIS TRMs. NSIRA recommended that CSIS consider plausible adverse impacts resulting not only from CSIS disclosures of information, but also from the actions of external parties as part of TRMs.

The variety of impacts observed in this year’s review, combined with the gaps identified in CSIS’s understanding and assessment of these impacts, highlights the salience of a number of NSIRA’s recommendations made in 2020. NSIRA reiterated its 2020 recommendation that CSIS consider more comprehensively the plausible adverse impacts of these types of measures on the affected individuals, even when they are carried out by the external party and not CSIS. These impacts should be considered not only when assessing the reasonableness and proportionality of a proposed measure, but also when determining whether a warrant is required.

The Canadian Security Intelligence Service Act (CSIS Act) is clear that when a proposed TRM would limit a right or freedom protected in the Canadian Charter of Rights and Freedoms, or would otherwise be contrary to Canadian law, CSIS must seek a judicial warrant. NSIRA fundamentally disagrees with CSIS’s understanding of and approach to the legal analysis of determining whether a warrant is required for proposed TRMs. In 2020, CSIS responded to this recommendation by stating, “the Department of Justice will consider this recommendation and factor it into its work related to TRMs under the CSIS Act.”

Going forward, NSIRA recommended that CSIS seeks a warrant when a proposed TRM could infringe on an individual’s Charter rights, or where it would otherwise be contrary to Canadian law, regardless of whether the activity would be conducted by CSIS directly, or via an external party to whom CSIS discloses information.

NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and pursue necessary additional inquiries. For that reason, NSIRA has a high level of confidence in the information used to complete this review. NSIRA would also like to recognize CSIS’s timeliness in responding to NSIRA’s requests for information throughout the course of this review.

Response to NSIRA’s recommendations

NSIRA’s recommendations, the management response of CSIS and other details about this review are found in Annex D of this report.

NSIRA’s annual review of CSIS activities

In accordance with the CSIS Act, CSIS is required to provide information to NSIRA on specific activities. In response, NSIRA has developed a process to examine this information throughout the year and highlight any significant observations as part of NSIRA’s annual reporting obligations to the Minister of Public Safety. This process aims to keep NSIRA informed of key CSIS activities so that it can identify emerging issues and compliance gaps in a timely manner, and plan reviews and annual reporting obligations. Furthermore, this process facilitates additional scrutiny of these activities, as necessary, to assess for compliance, reasonableness and necessity.

In 2021, NSIRA formalized this process and initiated an annual review pursuant to its review mandate (paragraph 8(1)(a) of the NSIRA Act). To enhance transparency, NSIRA requested additional categories of information from CSIS, including approved warrant applications, compliance reports, internal audits and evaluations, and communications between CSIS and the Federal Court and CSIS and the Minister of Public Safety. These additional categories sought to ensure that NSIRA has the benefit of specific policy and governance information beyond that which CSIS is legislatively required to provide.

NSIRA found that CSIS met its legislated reporting requirements; however, these requirements do not always translate into information that can be used for assessments by NSIRA. Notably, CSIS did not provide information on the additional categories of activities requested by NSIRA. Conversations to address these gaps will continue in 2022.

In 2022, NSIRA will continue its review of CSIS activities with the support of the information from CSIS as required under the CSIS Act and the NSIRA Act.

Statistics

NSIRA requested that CSIS provide for publication statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.

Warrant applications

Section 21 of the CSIS Act authorizes CSIS to make an application to a judge for a warrant if CSIS believes, on reasonable grounds, that more intrusive powers are required to investigate a particular threat to the security of Canada. Warrants may be used by CSIS, for example, to intercept communications, enter a location, and/or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.

NSIRA is aware that difficulties with the warrant acquisition process within CSIS persist. NSIRA’s Review on Rebuilding Trust: Reforming the CSIS Warrant and Justice Legal Advisory Process found that the current warrant process continues to be overly burdensome, despite attempts at reform. The review found a failure at CSIS to professionalize the warrant application process fully and sustainably. The lack of clear accountability and clear communication combined with excessive complexity have contributed to the problems facing this process. The review made a number of findings and recommendations related to systemic problems with CSIS’s warrant process.

Section 21 warrant applications made by CSIS, 2018 to 2021

2018201920202021
Approved warrants Total24231531
New warrant109213
Replacements1112814
Supplemental3254
Denied total0100
Threat reduction measures (TRMs)

Section 12.1 of the CSIS Act authorizes CSIS to take measures to reduce threats to the security of Canada, within or outside Canada. CSIS is authorized to seek a judicial warrant if it believes that certain intrusive measures (outlined in subsection 21 (1.1) of the CSIS Act) are required to reduce the threat. To date, CSIS has sought no judicial authorizations to undertake warranted TRMs.

NSIRA’s first two reviews of CSIS’s use of threat reduction measures found that CSIS did not sufficiently consider the full impact of the measure as part of the approval process for these activities. More specifically, these impacts were not explicitly considered when determining whether a warrant may be required. As already noted, NSIRA expects that when CSIS is proposing a TRM where an individual’s Charter rights would be limited or the TRM would otherwise be contrary to Canadian law, whether CSIS is undertaking the TRM directly or whether it will be executed by an external party, CSIS will seek a warrant to authorize the TRM.

Threat reduction measures approved, executed by CSIS and warranted, 2015 to 2021

2015201620172018201920202021
Approved TRMs1081523241123
Executed108131719817
Warranted TRMs0000000
CSIS targets

CSIS is mandated to investigate threats to the security of Canada, including espionage; foreign-influenced activities; political, religious or ideologically motivated violence; and subversion. Section 12 of the CSIS Act sets out criteria permitting CSIS to investigate an individual, group or entity for matters related to these threats. Sub jects of a CSIS investigation, whether they be individuals or groups, are called “targets.”

CSIS targets, 2018 to 2021

2018201920202021
Number of targets430467360352
Datasets

Data analytics is a key investigative tool for CSIS, providing it with the capacity to make connections and identify trends that are not possible through traditional methods of investigations. The National Security Act, 2017, which was passed by Parliament in June 2019, gave CSIS a suite of new powers including a legal framework for the collection, retention and use of datasets. The framework authorizes CSIS to collect datasets (sub- divided into Canadian, foreign and publicly available datasets) that have the ability to assist CSIS in the performance of its duties and functions. It also establishes safeguards for the protection of Canadian rights and freedoms, including privacy rights. These protections include enhanced requirements for ministerial accountability. Depending on the type of dataset, CSIS must meet different requirements before it is able to use the dataset.

The CSIS Act also requires CSIS to keep NSIRA apprised of certain dataset-related activities. Reports prepared following the handling of datasets are to be provided to NSIRA, under certain conditions and within reasonable timeframes. While CSIS is not required to advise NSIRA of judicial authorizations or ministerial approvals for the collection of Canadian and foreign datasets, CSIS has been proactively keeping NSIRA apprised of these activities.

While this new framework has provided opportunities to execute CSIS’s mandate to investigate threats, CSIS noted in its 2020 Public Annual Report that the current legislative framework is not without its challenges. NISRA is currently reviewing CSIS’s implementation of its dataset regime. The results of this review will inform Parliament’s review of the National Security Act, 2017.

Datasets evaluated by CSIS, approved or denied by the Federal Court or Intelligence Commissioner, and retained by CSIS, 2019 to 2021

201920202021
Publicly available datasets
Evaluated8114
Retained811215
Canadian datasets
Evaluated1002
Retained by CSIS00016
Denied by the Federal Court000
Foreign datasets
Evaluated800
Retained by CSIS01117
Denied by Minister000
Denied by IntelligenceCommissioner000
Justification Framework

The National Security Act, 2017, also created a legal justification framework for CSIS’s intelligence collection operations. The framework establishes a limited justification for CSIS employees, and persons acting at their direction, to carry out activities that would otherwise constitute offences under Canadian law. CSIS’s Justification Framework is modelled on those already in place for Canadian law enforcement. The Justification Framework provides needed clarity to CSIS, and to Canadians, as to what CSIS may lawfully do in the course of its activities. It recognizes that it is in the public interest to ensure that CSIS employees can effectively carry out its intelligence collection duties and functions, including by engaging in otherwise unlawful acts or omissions, in the public interest and in accordance with the rule of law. The types of otherwise unlawful acts and omissions that are authorized by the Justification Framework are determined by the Minister and approved by the Intelligence Commissioner. There remain limitations to what activities can be undertaken, and nothing in the Justification Framework permits the commission of an act or omission that would infringe a right or freedom guaranteed by the Charter.

According to subsection 20.1 (2) of the CSIS Act, employees must be designated by the Minister of Public Safety in order to be covered under the Justification Framework while committing or directing an otherwise unlawful act or omission. Designated employees are CSIS employees who require the Justification Framework as a part of their duties and functions. Designated employees are justified in committing an act or omission themselves (commissions by employees) and they may direct another person to commit an act or omission (directions to commit) as a part of their duties and functions. NSIRA is currently reviewing CSIS’s implementation of the Justification Framework. The results of this review will inform Parliament’s review of the National Security Act, 2017.

Authorizations, commissions and directions under the Justification Framework, 2019 to 2021

201920202021
Authorizations83147178
Commissions by employees173951
Directions to commit3284116
Emergency designations000
Compliance

CSIS’s internal operational compliance program leads and manages overall compliance within CSIS. The objective of this unit is to promote a “culture of compliance” within CSIS by investing in information technology (IT) to support the process around warrants, designing an approach for reporting and assessing potential non-compliance incidents, embedding experts in operational branches to provide timely advice and guidance, and producing internal policies and procedures for employees. This program is the centre for processing all instances of potential non-compliance related to operational activities.

NSIRA’s knowledge of CSIS operational non-compliance and associated violations of the Charter is limited to what is contained in the CSIS Director’s Annual Report on Operations to the Minister of Public Safety. NSIRA notes with interest that CSIS reports Charter violations as operational non-compliance. NSIRA will continue to monitor closely instances of non- compliance that relate to Canadian law and the Charter, and to work with CSIS to improve transparency around these activities.

Non-compliance incidents processed by CSIS, 2019 to 2021

201920202021
Processed compliance incidents19539985
Administrative5364
Operational40201921
Canadian law1
Canadian Charter of Rights and Freedoms6
Warrant conditions6
CSIS governance     8   

CSIS review plan

In 2022, NSIRA is commencing or conducting five reviews exclusively focused on CSIS, one review focused on CSIS and CSE operational collaboration (See 2022 CSE review plan, below), one focused on threat management by CSIS and the RCMP of ideologically motivated violent extremism, and a number of interagency reviews that contain a CSIS component.

In addition to NSIRA’s three legally mandated reviews of the Security of Canada Information Disclosure Act, the Avoiding Complicity in Mistreatment by Foreign Entities Act and CSIS’s TRMs, NSIRA has initiated or is planning the following CSIS reviews:

Justification Framework
This review will assess the implementation of CSIS’s new Justification Framework for activities that would otherwise be unlawful, authorized under the National Security Act, 2017.
Datasets
This review will examine the implementation of CSIS’s dataset regime following the coming into force of the National Security Act, 2017.
CSIS Cover Program
This review would be the first review of CSIS Cover Operations. It will survey the full range of CSIS cover activities and concentrate on building foundational knowledge to allow NSIRA to select specific activities for detailed review in future years.
Ideologically Motivated Violent Extremism
This is a joint CSIS-RCMP review of their respective and joint threat management of ideologically motivated violent extremism. The core of the review will be the interplay between CSIS and the RCMP in the context of ideologically motivatedviolent extremism, and an assessment of whether activities complied with the law, applicable ministerial directions, operational policies, and whether activitieswere necessary and reasonable.

Beyond 2022, NSIRA intends to explore reviews of CSIS on topics including, but not limited to:

  • the lifecycle of warranted information;
  • CSIS’s section 16 mandate;
  • “Strictly Necessary” retention policies; and
  • CSIS’s Internal Compliance Framework.

Access to CSIS information

Throughout 2021, NSIRA faced differing levels of access and responsiveness in relation to CSIS. COVID-19 related restrictions resulted in considerable delays with receiving requested information and briefings and impeded direct access to NSIRA’s dedicated office space within CSIS Headquarters.

In response to NSIRA’s requests for information, CSIS was transparent in its ability to respond and communicate anticipated delays. When access and staffing levels were no longer restricted, CSIS responses to formal and informal requests related to the Study of Technical Capabilities and the TRM review were timely and complete, and briefings were well administered and provided the requested information.

As mentioned above, throughout 2021, NSIRA did not have consistent access to its dedicated office space within CSIS Headquarters, which is used by NSIRA review, legal and investigation staff. As a result, NSIRA’s direct access to CSIS’s information systems was notably limited. NSIRA was provided various temporary accommodations within CSIS headquarters during this time.

CSIS was able to continue to provide NSIRA members access to its regional offices across Canada throughout 2021, however. This access supported NSIRA members not based in the National Capital Region, whose work often requires secure facilities where they can safely and securely access information relevant to reviews and investigations. NSIRA greatly appreciates the willingness and efforts of CSIS and its regional colleagues in this regard.

2.2 Communications Security Establishment reviews

Overview

NSIRA has the mandate to review any activity conducted by CSE. NSIRA must also submit a classified annual report to the Minister of National Defence on CSE activities, including information related to CSE’s compliance with the law and applicable ministerial directions, and NSIRA’s assessment of the reasonableness and necessity of the exercise of CSE’s powers.

In 2021, NSIRA completed two reviews of CSE, and directed CSE to conduct one departmental study, all of which are summarized below. NSIRA also began five new reviews focused on CSE’s activities that are scheduled for completion in 2022 (see 2022 CSE Review Plan, below). Furthermore, CSE is implicated in other NSIRA multi-departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act (SCIDA) and the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA), the results of which are described below (see Multi-departmental Reviews).

Although the pandemic and other priorities precluded NSIRA from advancing its previous commitments to redacting, translating and publishing reviews of the former Office of the CSE Commissioner, NSIRA remains committed to releasing this material, resources permitting.

Review of CSE’s Governance of Active and Defensive Cyber Operations

The Communications Security Establishment Act (CSE Act) provides CSE with the authority to conduct active cyber operations (ACOs) and defensive cyber operations (DCOs). As defined by the CSE Act, an ACO is designed to “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” A DCO helps protect Canadian federal government systems, or systems deemed by the Minister of National Defence to be important to Canada against foreign cyber threats. ACOs and DCOs are authorized by ministerial authorizations and, due to the potential impact on Canadian foreign policy, require the Minister of Foreign Affairs to consent to an ACO ministerial authorization or be consulted on a DCO ministerial authorization.

In this review, NSIRA assessed the governance framework that guides the conduct of ACOs and DCOs, and whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations. NSIRA analyzed policies and procedures, governance and operational documentation, and correspondence within and between CSE and GAC. The review scope included the earliest available materials pertaining to ACOs and DCOs and ended concurrently with the validity period of the first ACO and DCO ministerial authorizations (2019–2020).

NSIRA incorporated GAC into this review, given the role of the Minister of Foreign Affairs in the ACO and DCO governance structure. As a result, NSIRA gained an understanding of the governance and accountability structures in place for these activities by obtaining unique perspectives from the two departments on their respective roles and responsibilities.

The novelty of these powers required CSE to develop new mechanisms and processes while also considering new legal authorities and boundaries. NSIRA found that both CSE and GAC made considerable efforts in building the ACO and DCO governance structure. In this context, NSIRA has found that some aspects of the governance of ACOs and DCOs could be improved by making them more transparent and clearer.

Specifically, NSIRA found that CSE could improve the level of detail provided to all parties involved in the decision-making and governance of ACOs and DCOs, within documents such as the ministerial authorizations authorizing these activities and the operational plans that are in place to govern their execution. Additionally, NSIRA also identified several gaps that CSE and GAC need to address, and recommended improvements relating to:

  • engaging other departments to ensure an operation’s alignment with broader
  • Government of Canada priorities;
  • demarcating an ACO from a pre-emptive DCO;
  • assessing each operation’s compliance with international law; and
  • communicating with each other any newly acquired information that is relevant to the risk level of an operation.

The gaps observed by NSIRA, if left unaddressed, could carry risks. For instance, the broad and generalized nature of the classes of activities, techniques and targets comprising ACOs and DCOs could capture unintended higher-risk activities and targets. Additionally, given the difference in the required engagement of GAC in ACOs and DCOs, misclassifying what is truly an ACO as a pre-emptive DCO could result in a heightened risk to Canada’s international relations through the insufficient engagement of GAC.

While this review focused on the governance structures at play in relation to ACOs and DCOs, of even greater importance is how these structures are implemented and followed in practice. NSIRA made several observations about the information contained within the governance documents developed to date and will subsequently assess how they are put into practice as part of NSIRA’s forthcoming review focused on the operations themselves.

Response to NSIRA’s recommendations

NSIRA’s recommendations and other details about this review are found in Annex D of this report.

Review of Information Sharing across Aspects of CSE’s Mandate

This review examined CSE’s legal authority for sharing information obtained in the course of one aspect of its mandate for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance (cybersecurity) aspect of CSE’s mandate.

NSIRA examined whether CSE’s internal sharing of information relating to a Canadian or a person in Canada (IRTC) is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution, and the CSE Actwhich applies to CSE’s incidental collection and use of IRTCNSIRA concluded that from the descriptions of the aspects in sections 16 and 17 of the CSE Actsometimes information acquired under one aspect can be used for the same, or a consistent purpose, as another. This would satisfy Privacy Act requirements for sharing information internally. However, this principle cannot simply be assumed to apply as the purposes of the aspects differ within the CSE Act. CSE must conduct case-by-case compliance analysis that considers the purpose of the collection and sharing.

NSIRA considers it necessary for the Chief of CSE’s application for a ministerial authorization to fully inform the Minister of National Defence of how IRTC might be used and analyzed by CSE, including the sharing of IRTC to another aspect, and for what purpose. With one exception, the Chief’s applications for the period of review appropriately informed the Minister that retained IRTC might be used to support a different aspect. Moreover, the foreign intelligence applications appropriately informed the Minister how CSE assessed “essentiality” for IRTC collected under the foreign intelligence aspect.

Under CSE policy, an assessment of IRTC’s relevance, essentiality or necessity to each aspect is required for sharing information across the aspects. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA found that CSE’s policy framework with regards to the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with the CSE Act.

Response to NSIRA’s recommendations

NSIRA’s recommendations, CSE’s management response and other details about this review are found in Annex D of this report.

CSE Departmental Study on Disclosures of Canadian Identifying Information

Following a 2020 review of CSE’s disclosures of Canadian identifying information (CII),21 NSIRA concluded that CSE’s implementation of its disclosure regime under the National Defence Act may not have been in compliance with the Privacy Act. On November 25, 2020, following the release of the review, NSIRA submitted a compliance report to the Minister of National Defence. NSIRA was of the opinion that CSE, as the custodian of incidentally collected CII, has the responsibility to assure itself and to document that both a collection and disclosure authority exist before sharing it with third-party recipients. NSIRA then directed CSE to conduct a departmental study of its disclosure of CII from August 1, 2019, to March 1, 2021.

The purpose of the departmental study was to ensure that disclosures of CII conducted by CSE were conducted in a manner that complies with the CSE Actand that all disclosures of CII were essential to international affairs, defence, security or cybersecurity.

CSE provided the completed departmental study to the Minister of National Defence on October 8, 2021, with a copy to NSIRA, on November 1, 2021. NSIRA is satisfied that CSE provided a complete accounting of its disclosure regime for the requested period of review and provided a report that meets the objectives detailed in NSIRA’s terms of reference. In doing so, CSE defined its process for assessing and disclosing CII requests to Government of Canada and foreign clients under the CSE Act while also providing an update on relevant changes that have been made to its disclosure regime based on NSIRA’s recommendations from the last CII review.

The production of the departmental study also provided an opportunity for CSE to review the CII disclosure regime from CSE’s own perspective. This process provides NSIRA with a clearer understanding of how CSE manages its program and evaluates its relevant legal authorities. In addition to contributing to NSIRA’s current understanding of CSE’s disclosure regime, the study will also assist in identifying avenues of inquiry for the planned follow-up review of CII scheduled for 2023.

Statistics

To achieve greater public accountability, NSIRA recommends that CSE publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSE operations, as well as display the evolution of activities from year to year.

Ministerial authorizations and ministerial orders

Ministerial authorizations are issued by the Minister of National Defence and authorize specific activities conducted by CSE pursuant to one of the aspects of the CSE mandate. The following table lists the ministerial authorizations issued between 2019 and 2021.

CSE ministerial authorizations, 2021

Type of ministerial authorizationEnabling section of the CSE ActNumber issued in 2019Number issued in 2020Number issued in 2021
Foreign intelligence26(1)333
Cybersecurity — federal and non- federal27(1) and27(2)212
Defensive cyber operations29(1)111
Active cyber operations30(1)112

Note: This table refers to ministerial authorizations that were issued in the given calendar years and may not necessarily reflect ministerial authorizations that were in effect at a given time. For example, if a ministerial authorization was issued in late 2020 and remained in effect in parts of 2021, it is counted above solely as a 2020 ministerial authorization.

Ministerial orders are issued by the Minister of National Defence and designate people or organizations with whom CSE can work and share information. For instance, a ministerial order designating non-federal information infrastructures as being of importance to the Government of Canada is required for CSE to carry out certain aspects of its cybersecurity and defensive cyber operations mandate. A ministerial order is also required to designate recipients of CII. The following table lists the three ministerial orders in effect in 2021.

CSE ministerial orders, 2021


Nameof ministerial order
In effect in 2021Enabling section of the CSE Act
Designating electronic information and information infrastructures of importance to the Government of Canada121(1)
Designating recipients of information relating to a Canadian or person in Canada acquired, used or analyzedunder the cybersecurity and information assurance aspects of the CSE mandate144(1) and45
Designating recipients of Canadian identifying information used, analyzed or retained under a foreign intelligence authorization pursuant to section45 of the CSE Act143 and 45
Foreign intelligence reporting

Pursuant to section 16 of the CSE Act, CSE is mandated to acquire information from or through the global information infrastructure, and to use, analyze and disseminate the information for the purpose of providing foreign intelligence in accordance with the Government of Canada’s intelligence priorities.

According to CSE, it released 3,050 foreign intelligence end-product reports to 1,627 clients across 28 departments or agencies of the Government of Canada in 2021.

Information relating to a Canadian or a person in Canada

As discussed in NSIRA’s Review of Information Sharing Across Aspects of CSE’s Mandate, IRTC includes information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting foreign intelligence or cybersecurity activities under the authority of a ministerial authorization. According to CSE policy, IRTC is any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.

CSE was asked to release statistics or data about the regularity with which IRTC or “Canadian-collected information” is included in CSE’s end-product reporting. CSE responded that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”

Canadian identifying information

CSE is prohibited from directing its activities at Canadians or persons in Canada. However, given the nature of the global information infrastructure and CSE’s collection methodologies, such information may be incidentally acquired by CSE. When used in CSE foreign intelligence reporting, incidentally collected information potentially identifying a Canadian or a person in Canada is suppressed in order to protect the privacy of the individual(s) in question. CSE may release unsuppressed CII to designated recipients when the recipients have the legal authority and operational justification to receive it and when it is essential to international affairs, defence or security (including cybersecurity).

The following table shows the number of requests CSE received for disclosure of CII in 2021.

Number of requests for disclosure of Canadian identifying information, 2021.

Type of requestNumber
Government of Canada requests741
Five Eyes27 requests90
Non-Five Eyes requests0
Total831

CSE was also asked to release the number of instances where CII is suppressed in CSE foreign intelligence or cybersecurity reporting. CSE indicated that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”

Privacy incidents and procedural errors

A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. CSE tracks such incidents via its Privacy Incidents File, Second-party Privacy Incidents File and Minor Procedural Errors File.

The following table show the number of privacy incidents and procedural errors CSE tracked in 2021.

CSE privacy incidents and procedural errors, 2021

Type of incidentNumber
Privacy incidents96
Second-party privacy incidents33
Minor procedural errors18
Cybersecurity and information assurance

Pursuant to section 17 of the CSE Act, CSE is mandated to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions, as well as non-federal entities which are designated by the Minister as being of importance to the Government of Canada.

CSE was asked to release statistics or data characterizing CSE’s activities related to the cybersecurity and information assurance aspect of its mandate. CSE responded that:

  • Generally, the Canadian Centre for Cyber Security does not comment on specific cyber security incidents, nor do we confirm businesses or critical infrastructure partners that we work with or provide statistics on the number of reported incidents. Statistics on cyber incidents, including cybercrime, are predicated upon victims coming forward, which is not an accurate reflection of the Canadian environment.
  • CSE and its Canadian Centre for Cyber Security work every day to defend Government of Canada systems from cyber attacks. On any given day, CSE’s dynamic defence capabilities block up to seven billion reconnaissance scans on these systems.
Defensive and active cyber operations

Pursuant to section 18 of the CSE Act, CSE is mandated to conduct DCOs to help protect electronic information and information infrastructures of federal institutions, as well as non- federal entities that are designated by the Minister of Defence as being of importance to the Government of Canada from hostile cyber attacks.

Pursuant to section 19 of the CSE Act, CSE is mandated to conduct ACOs against foreign individuals, states, organizations or terrorist groups as they relate to international affairs, defence or security.

CSE was asked to release the number of DCOs and ACOs approved during 2021. CSE responded that it is “not in a position to provide this information for publication by NSIRA, as doing so would be injurious to Canada’s international relations, national defence and national security.”

Technical and operational assistance

As part of the assistance aspect of CSE’s mandate, CSE receives Requests for Assistance from Canadian law enforcement and security agencies, as well as from the DND/CAF.

The following table shows the number of requests for assistance CSE received and acted on in 2020 and 2021.

CSE requests for assistance received and acted on, 2020 and 2021

Requests for assistance20202021
Number received2435
Number acted on2332

2022 CSE review plan

In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, both of which implicate CSE, NSIRA has initiated or is planning the following five reviews of CSE:

Review of CSE’s Internal Security Program (Safeguarding)
This review will examine how CSE safeguards its employees, information and assets. It will explore the ways in which CSE mitigates internal security risks through inquiries and investigations, and in particular, the use of the polygraph as a tool in the security screening process. This review will alsoassess CSE’s compliance with Treasury Board security policies and directives, as well as the adequacy of, adherence to and effectiveness of CSE’s internal processes used to address potential or actual security incidents, violations and breaches of security.
Review of Cybersecurity — Network-Based Solutions
This will be NSIRA’s first review focused on the cybersecurity and information assurance aspect of CSE’s mandate. It will explore the use of a specific tool: Network Based Solutions as outlined within the cybersecurity ministerial authorization.
Review of Active and Defensive Cyber Operations — Part 2 (Operations)
This review is the continuation of NSIRA’s examination of CSE’s active and defensive cyber operations conducted prior to July 30, 2021. The first review focused on the internal policies and procedures governing CSE’s use of active and defensive cyber operations. This review builds on NSIRA’s previous work and will focus on the implementation of these governance structures in actual operations.
Review of a Program under the Foreign Intelligence Mandate
This is a review of a classified program under the foreign intelligence aspect of CSE’s mandate. Thisprogram is authorized by a ministerial authorization, which also sets out its parameters.
Review of CSE-CSIS Operational Collaboration
This review will examine operational collaboration between CSE and CSIS, both under the assistance aspect of CSE’s mandate, but also as it relates to joint operational activities coordinated between them under each agency’s respective mandates.

Beyond 2022, NSIRA intends to review topics including, but not limited to:

  • an annual compliance review of CSE;
  • CSE’s signals intelligence(SIGINT) retention practices;
  • a CSE collection program conducted under a ministerial authorization; and
  • CSE’s Equities Management Framework.

Access to CSE information

In its 2020 Public Annual Report, NSIRA noted that it was seeking to formalize CSE’s provision of specific categories of information on a regular basis, such as ministerial authorizations, orders and directives, which would be used to ensure compliance of activities and to inform the conclusions NSIRA provides in the annual classified report to the Minister of National Defence. NSIRA will commence this review, called the annual compliance review of CSE, in 2022. NSIRA is pleased to report that CSE has already begun the process of providing the requested information.

NSIRA also previously reported that a lack of comprehensive and independently verifiable access to CSE’s information repositories posed a significant challenge to NSIRA’s ability to review CSE’s activities. In 2021, this challenge persisted.

In 2021, NSIRA sought to develop direct access to CSE information repositories, further to NSIRA’s “trust but verify” review model. With the exception of dedicated office space, which NSIRA continues to utilize at CSE’s Headquarters, NSIRA and CSE have been unable to achieve a workable trust-but-verify model for any reviews of CSE to date, despite several proposals for test cases brought forward by NSIRA throughout the year. NSIRA remains committed to developing a greater degree of verifiable access to CSE information so as to ensure the robustness of its findings and recommendations and, in turn, provide greater transparency of CSE activities to Parliament and the Canadian public.

In lieu of direct access to CSE information repositories, NSIRA has to rely on CSE External Review staff to collect relevant information held by CSE on its behalf. CSE External Review organizes briefings by subject matter experts, solicits responses to specific questions, and coordinates searches by CSE staff through information repositories for documents and other materials relevant to reviews. NSIRA recognizes the work of CSE External Review staff and thanks them for their contribution to the work of review.

However, reliance on CSE to locate, collate and curate information for NSIRA is not a proper long-term alternative to direct access. Currently, and on receipt of a request for information, CSE conducts a lengthy process to locate and collect information, followed by an internal review of this information to determine relevance prior to releasing materials to NSIRA. CSE’s predetermination of relevance of information undercuts NSIRA’s authority to decide whether information relates to its reviews and contributes to significant delays in the provision of information to NSIRA. Furthermore, this process creates a burden on CSE staff to coordinate responses to NSIRA’s information requirements. This workload could be substantially reduced by allowing NSIRA to conduct its own searches in CSE’s information repositories. Concurrently, it would serve as an element of verification that could strengthen NSIRA’s confidence in the completeness of information reviewed.

Beyond the issues related to limitations on NSIRA’s ability to trust but verify are ongoing concerns related to CSE’s responsiveness. As mentioned above, significant delays in the provision of information continued to pose a disruptive challenge to all NSIRA reviews of CSE activities in 2021. Although the COVID-19 pandemic interrupted life everywhere, it alone could not account for the extent of delays experienced during 2021. The timely provision of information required for a review not only facilitates the work of NSIRA, but is a legal requirement to which NSIRA expects CSE to adhere.

The sole exception to NSIRA’s right of access to information under the control of CSE is a confidence of the Queen’s Privy Council for Canada, otherwise known as a Cabinet confidence. Information subject to the Privacy Act, or any other act of Parliament, for that matter, as well as highly classified or Exceptionally Controlled Information (ECI) must be made available to NSIRA in a timely manner, when it relates to a review. This was not always the case in 2021.

In light of the ongoing challenges to NSIRA reviews of CSE activities, NSIRA continues to be of the opinion that the only mechanism to ensure a high degree of confidence, reliability and independence in its work is to have direct access to information relevant to its reviews. One important way by which CSE can continue to increase the level of transparency for its activities is to facilitate greater direct access for external review. For NSIRA to be able to conduct its work with a high degree of confidence, it must be able to verify the accuracy and completeness of the information on which it bases its findings and recommendations. NSIRA will continue to work with CSE to identify ways it can begin to implement additional elements of NSIRA’s trust but verify methodology in a more comprehensive and meaningful manner.

2.3 Other government departments

Overview

Beyond CSIS and CSE, NSIRA initiated reviews of the following departments and agencies in 2021:

  • the Department of National Defence / Canadian Armed Forces (DND/CAF);
  • the Royal Canadian Mounted Police (RCMP);
  • Immigration, Refugees and Citizenship Canada (IRCC);
  • the Canada Border Services Agency (CBSA); and
  • Transport Canada.

As well, through the annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has engaged with all departments and agencies that make up the Canadian national security and intelligence community.

The following sections outline reviews completed or initiated in 2021, by department or agency, as well as some planned future reviews.

Department of National Defence and the Canadian Armed Forces

Study of the Defence Intelligence Enterprise of the Department of National Defence and the Canadian Armed Forces

The purpose of this study was threefold. The primary objective focused on understanding the concept of the Defence Intelligence Enterprise (DIE), the umbrella under which DND/CAF conducts its intelligence activities. The second objective focused on developing an understanding of the compliance and oversight functions within the DIE, as well as the reporting of instances of non-compliance. Finally, the information gathered through the two primary objectives of this review provided NSIRA with prerequisite knowledge to help design future reviews.

Although comprising only a small percentage of the work of DND/CAF, the intelligence function is growing both in how DND/CAF perceives its importance, as well as in resource allocation. All of DND/CAF’s intelligence activities and structures fall within the DIE and without an understanding of this enterprise, NSIRA’s review plan would lack focus and organization. The DIE represents a large and complex structure with widely varied activities and functions. Successive reviews will build on NSIRA’s knowledge and experience, as well as developing the required expertise to proactively identify areas of future review. In addition, having a more complete understanding of the DIE will help NSIRA better situate DND/CAF in the broader security and intelligence community, so it can identify more opportunities for horizontal review activities.

This study also helped to highlight and identify some of the challenges NSIRA may face in reviewing DND/CAF moving forward. Notably, DND/CAF represents a large and complex structure with widely varied activities and functions. Reporting structures are complex. For example, DND senior management structures report directly to the Deputy Minister, CAF Commands report directly to the Chief of the Defence Staff, and some accountability structures require reporting to both. NSIRA also observed that information collection and storage procedures vary across the organization and that it has over 180 independent electronic repositories. The combination of these elements emphasizes the importance of maintaining strong working relationships with DND/CAF to help navigate access to timely information and assets. NSIRA is working closely with DND/CAF on how to overcome these challenges, including the possibility of providing detailed search strings and follow-up briefings to attest to the reliability, completeness and specificity of the provided documentation.

Review of the Canadian Forces National Counter-Intelligence Unit — Operational Collection and Privacy Practices

This review was a follow up to last year’s review of the Canadian Forces National Counter- Intelligence Unit (CFNCIU). This year’s review focused on how IT searches were used to support counter-intelligence investigations. NSIRA assessed whether IT searches and the collection of information in support of counter-intelligence investigations interfered with individuals’ reasonable expectation of privacy in the circumstances.

Over the course of the review, NSIRA identified three areas of concern tied to the requests for, and conduct of, counter-intelligence internal IT network searches. These are arranged under the following categories: (1) CFNCIU’s search of a subject’s email, internet and removable device activity; (2) the CFNCIU checklist used to identify and restrict search parameters, and how applicable stakeholders define search parameters; and (3) the use acquired information to expand supplementary searches.

NSIRA believes that DND employees and CAF members have a reasonable expectation of privacy when using work computers for personal use. CFNCIU requires the assistance of police or security agencies to obtain search warrants or technical intercept services, under Level II and Level III investigations. NSIRA found that CFNCIU may be inappropriately relying on DND/CAF policies as lawful authority to interfere with a subject’s reasonable expectation of privacy.

NSIRA observed that information obtained by CFNCIU via the checklist has the potential to capture intimate and personal information that touches on a subject’s biographical core. NSIRA found that the checklist risks capturing information that is protected by section 8 of the Charter. NSIRA also found that DND/CAF is applying a definition of metadata that captures information that could be subject to a reasonable expectation of privacy.

NSIRA observed that CFNCIU IT inquiries used broad search parameters, which may include information not relevant to the investigation. These parameters were applied as broad approvals with no specific internal controls or oversight at both the operational and working levels. Collection techniques, due in part to the limitations of IT audit tools and broad search parameters, resulted in a wide net being cast. NSIRA found that the investigative IT system practices observed in the context of CFNCIU’s counter-intelligence investigations have insufficient legal oversight to ensure that they are as minimally invasive as possible.

As a result of these findings, NSIRA recommended that DND/CAF suspend investigative IT system practices in the context of CFNCIU counter-intelligence investigations until a reasonable legal authority has been established. Once a reasonable legal authority has been established, DND/CAF should create a new policy framework that is reflective of the noted findings.

Response to NSIRA’s recommendations

NSIRA’s recommendations, DND/CAF’s management response and other details about this review are found in Annex D of this report.

Reviews planned or in progress

NSIRA has several reviews planned for DND/CAF and will conduct further work on two in 2022. The first one in progress is NSIRA’s review of DND/CAF’s human intelligence (HUMINT) program. This review will examine the entirety of the human source handling program used by DND/CAF.

Second, NSIRA is currently examining the domestic open-source collection activities of DND/CAF. More specifically, this review will take a closer look at legal authorities and the policy framework, program support and training, information and technology management systems, collection activities, intelligence production and dissemination, and oversight and accountability mechanisms.

Access to DND/CAF information

DND/CAF is the largest federal government department, both in terms of personnel (127,000 including regular and reserve forces) and number of physical locations occupied (42 in the National Capital Region alone). Given its domestic and international breadth, information collection and storage varies across the organization, with 180+ independent electronic repositories. NSIRA primarily accesses information through DND/CAF’s liaison body, the National Security and Intelligence Review and Oversight Coordination Secretariat (NSIROCS).

To help ensure that NSIRA receives timely and complete access to requested information, DND/CAF has formalized processes for responding to requests for information that includes a Level 1 (assistant deputy minister or equivalent) approval and attestation. Therefore, when NSIROCS receives a request for information, it coordinates with internal stakeholders to provide the requested information and submit it for Level 1 approval, after which the assistant deputy minister (or equivalent) provides a managerial attestation verifying the completeness and accuracy of the information provided.

NSIRA has also established direct access to specific DND/CAF IT systems for an ongoing review, and is working on a “proxy access” model for future reviews. Ultimately, the nature and scope of the review will dictate the access and verification model to be applied. NSIRA remains committed to working with NSIROCS to ensure that access and verification processes meet review requirements.

Royal Canadian Mounted Police

Reviews in progress or planned

NSIRA is currently working on three reviews focused exclusively on the RCMP. One of these reviews assesses the RCMP’s use of human sources in national security criminal investigations. Another review examines how the RCMP bypasses encryption when it intercepts private communications in national security criminal investigations. Lastly, NSIRA’S review of the Operational Research Unit of the RCMP will be examining the unit’s access to and use of security intelligence. The RCMP is also implicated in one multi- departmental review that is discussed below.

Access to RCMP information

NSIRA began reviewing the RCMP in 2020 and does not yet have direct access to the RCMP’s IT systems. The decentralized nature of the RCMP’s information holdings, COVID-19- related restrictions, and limitations resulting from other emergencies have resulted in delays in the RCMP providing NSIRA with requested information. NSIRA is committed to working with the RCMP’s National Security External Reviews and Compliance (NSERC) team to establish approaches for the timely provision of information.

In lieu of direct access to RCMP IT systems, NSIRA currently relies on the RCMP’s NSERC team to collect relevant information. NSIRA thanks the NSERC team for its contribution to the work of review but looks forward to working toward direct access to RCMP IT systems or alternate independent verification processes that provides NSIRA with independent confidence in the reliability and completeness of the information it has access to.

Canada Border Services Agency

In 2021, NSIRA completed its review of the Government of Canada’s use of biometrics in the border continuum that, while also examining IRCC and Transport Canada, had a strong CBSA component. The summary of this review can be found in the multi-departmental review section below.

NSIRA also made considerable progress on two CBSA -focused reviews. The first review is of air passenger targeting and examines the CBSA’s use of predictive analysis to identify inbound air travellers for further scrutiny in relation to national security threats. The second review assesses the CBSA’s use of confidential human sources, building on prior work in this area by National Security and Intelligence Committee of Parliamentarians.

Financial Transactions and Reports Analysis Centre of Canada

NSIRA is currently working on its first review of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). NSIRA will examine FINTRAC’s existing regime for sharing information with its domestic and international partners by looking at queries and disclosures to foreign financial intelligence units.

2.4 Multi-departmental reviews

Study of the Government of Canada’s Use of Biometrics in the Border Continuum

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this review, NSIRA examined activities conducted by the CBSA, IRCC and Transport Canada. The review also extended to the RCMP, which plays a supporting role in one of the major IRCC-led programs using biometrics.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country — and consequently determining whether they have a right to enter, or what risks they might pose — serves a national security function. In this way, the use of biometrics requires an assessment of the balance between security and privacy.

The immediate objective of this review was to map the nature and scope of biometric activities occurring in this space. This included examining the collection, retention, use and disclosure of biometric information, as well as the legal authorities under which these activities occur. This review also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics.

This review identified a set of observations linked to nine overarching themes:

  • Biometrics and national security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
  • The steady-state activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
  • Expanding use of biometrics over time. The use of biometrics in the border continuum has significantly expanded over the last three decades and is likely to continue expanding in the future. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
  • Pilot projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented without sufficient legal analysis or policy development. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
  • Evolving legal and societal norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable — but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
  • The dual use of biometrics. NSIRA observed several instances of possible dual use of biometric information in the activities examined in this report. Even where new uses of biometrics offer demonstrable benefits, new uses must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against dual use in the context of biometric activities.
  • Technical systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of the systems is complex, though not necessarily problematic.
  • Visibility into algorithms. Departments and agencies have limited ability to see how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
  • Preventing bias and discrimination. IRCC and the CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2020

In November 2021, NSIRA and the Office of the Privacy Commissioner of Canada (OPC) completed a joint review of the 215 disclosures made under the Security of Canada Information Disclosure Act (SCIDA) in 2020 — NSIRA’s first joint review with another review body.

SCIDA encourages and facilitates the sharing, or disclosure, of information within the federal government to protect against activities that undermine or threaten national security, subject to certain conditions. SCIDA permits disclosures of information where the disclosing federal institution satisfies itself that the information will contribute to the exercise of the recipient federal institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than is reasonably necessary. This is called the disclosure test.

The review found that 212 of the 215 disclosures (approximately 99%) appeared to meet both parts of the disclosure test. In the remaining three disclosures, the information appeared speculative, with no clear connection to activities that undermine the security of Canada. All three of the disclosures of concern were proactive disclosures by the RCMP. Of particular interest was the RCMP’s disclosure of the identities and biometric information about approximately 2,900 individuals to the CAF. NSI RA and the OPC recommended that the RCMP update its policies and practices to support compliance with the disclosure test, that the institution that received the disclosure of concern from the RCMP delete or return the information unless they can demonstrate a valid reason not to,and that any institution disclosing personal information about a large number of individuals (bulk disclosure) exercise heightened due diligence.

The records reviewed also highlighted one case of a verbal disclosure made to CSIS months prior to a formal SCIDA disclosure and without an apparent source of legal authority. NSIRA and the OPC recommended that institutions with national security expertise ensure that when they request personal information for national security purposes from other federal institutions, they make it clear that their request, in and of itself, does not constitute or confer authority on the other institution to disclose personal information.

Based on CSE’s and IRCC’s information-sharing patterns under SCIDA, NSIRA and the OPC recommended that these two institutions enter into an information-sharing arrangement, and that GAC and CSIS update their information-sharing arrangement to incorporate SCIDA’s guiding principles.

Finally, the review examined the federal government’s SCIDA policies. The review found that Public Safety Canada developed a SCIDA guide for federal institutions, led an interdepartmental working group, and provided training that included all 17 of the federal institutions listed in SCIDA. The review also found that 16 of the 17 federal institutions listed in SCIDA — the exception being the Canadian Food Inspection Agency — have policies to support compliance with SCIDA. NSIRA and the OPC recommended that the Canadian Food Inspection Agency develop a similar framework to implement a SCIDA policy.

Response to NSIRA’s recommendations

NSIRA’s recommendations, the management response of reviewees and other details about this review are found in Annex D of this report.

Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020

The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA) and directions issued according to the ACA seek to prevent the mistreatment of any individual as a result of information exchanged between a department of the Government of Canada and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the ACA and the directions lay out a series of requirements that need to be met or implemented when handling information.

This review covered the implementation of the directions sent to 12 departments and agencies from January 1, 2020, to the end of the calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the ACA.

This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the COVID-19 pandemic impacted their information-sharing activities, such as the number of cases requiring further review as per the ACA. As such, NSIRA found that from January 1, 2020, to December 31, 2020, no cases under the ACA were issued to deputy heads in any department.

While NSIRA was pleased with the considerable efforts made by many departments new to the ACA in building their frameworks, the CBSA and Public Safety Canada had not finalized their policy frameworks in support of the directions received under the ACA within the review period.

Mitigation measures used by departments were also reviewed this time, since they are an integral part in the information-sharing process for departments.

NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and directions, irrespective of whether a department reported any cases to its deputy head. Finally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.

Reviews planned or in progress

In the future, NSIRA intends to continue to take advantage of its mandate to “review any activity carried out by a department that relates to national security or intelligence” by pursuing more multi-departmental reviews and avoiding examinations in siloes. In addition to the mandated annual SCIDA and ACA reviews, NSIRA plans to work on two more reviews involving multiple departments. The first one is a review of how CSIS and the RCMP manage threats posed by ideologically motivated violent extremism. The second review will study the relationship between CSE and CSIS on operational activities.

2.5 Technology in review

Integration of technology in review

Traditionally associated with the systems and software responsible for the administrative support of an organization, IT plays an increasingly large role in the operational activities of Canada’s national security and intelligence community. By taking advantage of rapid advances in cutting-edge technologies, Canada’s security and intelligence community is operationalizing advancements in technology to a degree greater than ever before. Modern national security and intelligence agencies must not only use new technologies to enhance their respective mandates, but they also do so to keep abreast of new opportunities, as well as new threats.

These advancements happen quickly, are complex and are often unique to each institution. Furthermore, emerging technologies, while ostensibly developed for one purpose, often have unforeseen implications on civil liberties and privacy, especially when used in an intelligence or security capacity. It is essential for an accountability body like NSIRA to keep pace with the use of developing technologies in Canada’s national security and intelligence community to ensure that the organizations it is responsible to review are discharging their mandates lawfully, reasonably and appropriately.

The vision for NSIRA’s Technology Directorate is to enhance the review landscape to incorporate an appropriate focus on the use and implementation of technology by security and intelligence agencies in Canada. By extending its reach into the practical applications of technology, and by entrusting this new focus to an in-house team of engineers, computer scientists and experienced review professionals, NSIRA will be well placed to ensure that the departments and agencies are held accountable for the decisions they make in leveraging the various aspects of emerging technology.

The development of this capacity at NSIRA will also provide a unique opportunity to build a review model that will put us on equal footing within the Five Eyes and the international review community. Without dedicated in-house technology expertise, NSIRA’s work will not stay current with contemporary national security legal and compliance risks or issues.

To that effect, NSIRA’s Technology Directorate will:

  • lead the review of IT systems and cutting-edge technical advancements;
  • conduct independent technical investigations;
  • support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP requiring technological expertise to assess the evidence;
  • produce reports explaining and interpreting sophisticated technical subjects;
  • assess the risk of a reviewed entity’s IT compliance with applicable laws and policy;
  • recommend IT system and data safeguards to minimize the risk of legal non- compliance;
  • lead the integration of technology themes into yearly NSIRA review plans; and leverage external expertise in the understanding and assessment of IT risks.

Future of technology in review

In 2022, NSIRA will continue to increase the number of employees working in the Technology Directorate as it takes an increasingly active and significant role. It will also lead the first technology-focused reviews of the lifecycle of CSIS information collected by technical capabilities pursuant to a Federal Court warrant. NSIRA is also scheduled to review CSE’s SIGINT retention practices in 2023.

In terms of important considerations for ongoing reviews, NSIRA Technology Directorate has identified the following three technology-related topics as priorities for consideration:

  • dual-use technologies;
  • data warehousing, bulk data and data analytics; and
  • automated decision-making.

As Canada’s security and intelligence community continues to grow its technical collection and analytic capacity, NSIRA must develop its own expertise in technical review in tandem. Over the next year, NSIRA intends to establish domestic and international partnerships and develop working relationships with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches. NSIRA’s Technology Directorate will also support the NSIRA complaint investigations team to understand where and when technology advancements could be applied to NSIRA investigations.

2.6 Review policies and processes

Method for assessing timeliness

Guidelines for assessing timeliness in reviews​​​​​​​

To ensure greater accountability and predictability, NSIRA will be using the following guidelines to assess the timeliness of reviewee responses to requests for information (RFIs) during the review process, and will comment both privately and publicly on the outcomes. Notably, NSIRA’s annual report will track timeliness each year. These guidelines provide clear, standardized expectations on this important aspect of the review process.

Standard request for information (RFI) timelines

Much of the information requested by NSIRA falls into two categories: “off-the-shelf,” readily available material, and material requiring additional work to compile. Off-the-shelf material may include items such as policy documents, ministerial directives, operational policies, legal opinions and standard operating procedures. Information that requires additional work to compile may include things such as material that requires data manipulation or explanations and material in certain specialized databases and emails. RFIs will clearly state which type of material they pertain to, and standard timelines of 15 or 30 days, respectively, will be provided for responses.

Non-standard RFI timelines

NSIRA may deem it necessary to provide longer response times for information requests, for example, when the review covers new subject matter, the request is expected to return a large amount of information or documentation, or the reviewee has other ongoing reviews or other operational considerations. Non-standard timelines are at NSIRA’s discretion and will be applied based on the judgment of the review team.

NSIRA recognizes that extraordinary factors and extenuating circumstances may affect responses to requests for information and documentation. To accommodate this, reviewees may present, with significant justification, an alternative RFI timeline to the one originally provided. This should be done on receipt and review of the request, if possible. The decision to grant an extension is made by the NSIRA review team, and other arrangements, such as providing the requested information in tranches, can be considered. Regardless, RFI’s will always have an associated response timeline attached to them. This timeline will determine whether subsequent remedial steps are required.

Remedial steps

NSIRA will implement a three-stage approach to engage reviewees when no response is received to an RFI within the associated timeline. When a deadline is missed with no satisfactory response, NSIRA will escalate its concerns progressively by sending a series of letters to the assistant deputy minister, deputy minister and, finally, the responsible minister.

The letters will be attached as an annex to the related review and will inform an overall assessment of timeliness of the reviewee in NSIRA’s public annual report. The above guidelines will also be reviewed annually and may be updated based on the outcome of their ongoing implementation to ensure they meet their objectives.

Implementation of recommendations

The key outcomes of the work flowing from NSIRA’s review mandate are typically captured and distilled in the recommendations NSIRA provides based on its findings. In most NSIRA reviews completed since its inception, NSIRA has issued recommendations to the departments and agencies under review. In turn, reviewees have provided responses to these recommendations, which may include a plan for implementation. With a little over two years since recommendations for the first NSIRA reviews were issued, NSIRA believes enough time has elapsed to begin seeing the results of the implementation of these recommendations reflected in reviewees’ activities and policies. Therefore, NSIRA will begin considering the most appropriate means to track and evaluate the implementation of the recommendations issued in past reviews.

NSIRA will discuss with agencies and departments that were reviewed how to evaluate the implementation of past recommendations. For example, if issues and challenges remain unaddressed, NSIRA may initiate follow-up reviews. NSIRA’s public annual report may also raise issues in the implementation of recommendations as needed.

Verification

As noted above, verification is a fundamental component of credible and professional independent review. NSIRA must be able to test the completeness or accuracy of information it may receive as a matter of course during every review. This component is key to NSIRA’s ability to assure its stakeholders that it has confidence in the information it receives during a review, and thereby in the findings and conclusions of the review.

During a review, NSIRA is entitled to receive all information it deems relevant, except for Cabinet confidences. This feature of the NSIRA Act is critical for the success of NSIRA’s mandate. For NSIRA to assure Parliament and Canadians that it has a high level of confidence in the information it receives, departments and agencies under review are expected to support processes that satisfy NSIRA’s requirement to independently verify the completeness and accuracy of information provided by the department or agency. For example:

  • provide NSIRA, in support of each review, an index of documents provided, and an indication as to whether any information has been altered or removed and why; and
  • include a record of how searches of information are conducted, including which search terms were used, and which databases were queried.

Reviewees should always expect an element of verification as a regular part of each review. In keeping with its commitment to transparency and methodological rigour, NSIRA reviews now contain a “confidence statement.” This statement reflects NSIRA’s ability to verify information during a review. The confidence statement also provides important additional context to the review, apprising readers of the extent to which NSIRA has been able to verify necessary or relevant information during the review, and whether its confidence was impacted as a result of this exercise. 

Complaints investigations

3.1 Overview

In the course of the year, NSIRA continued to adapt in conducting its complaints investigations by using innovative approaches. This included the use of videoconference technology for its hearings and investigative interviews, as well as finding procedural efficiencies such as proceeding with some investigations in writing. In part due to challenges inherent to the COVID-19 pandemic, NSIRA experienced delays in its investigations stemming from reduced responsiveness in accessing information and evidence. Annex E contains statistics for NSIRA’s complaints investigations in 2021.

Advancing the investigations and obtaining evidence presented issues for both NSIRA and the federal government parties to investigations that were obligated to provide information to NSIRA. In several ongoing matters, NSIRA granted adjournments and extensions of deadlines for procedural steps, including the filing of submissions and evidentiary material. In addition to pandemic-related delays, NSIRA notes that federal government parties to investigations cited other reasons for their requests for extensions of deadlines to file material, such as issues related to availability of witnesses and shortage of resources. Furthermore, NSIRA had to ask for additional information in response to incomplete initial disclosures in more than one investigation, which also created delays.

As to NSIRA’s investigation caseload in 2021, NSIRA dealt with a continued substantial increase in its inventory of cases. This increase resulted from 58 complaints referred in April 2021 to NSIRA for investigation by the Canadian Human Rights Commission, pursuant to subsection 45(2) of the Canadian Human Rights Act. This high-volume caseload has impacted NSIRA’s overall management of its cases.

NSIRA has also been focusing on strengthening its program delivery by working on strategies for the collection, analysis and use of race-based and demographic data in the context of the complaints investigation process. Working closely with its partner, the Civilian Review and Complaints Commission for the RCMP, NSIRA has been developing strategies of common interest in improving procedures to take into account considerations of diversity and inclusion. The specific objective is to improve access to justice by improving awareness and understanding of the investigation process. The intent is also to document the different racial groups among civilian complainants and determine:

  • whether there are significant racial disparities;
  • whether there are racial differences with respect to the types of complaints made against national security organization members based on different groups;
  • the frequency of complaints that include allegations of racial or other forms of bias; and
  • whether complaint investigation outcomes vary by racial group.

Looking to the year ahead, NSIRA will analyze procedural data with respect to the timelines of its investigations in order to inform the establishment of new service standards, continuing its efforts to ensure efficiency and transparency in the process. NSIRA is mindful that service standards are based on time commitments in normal circumstances. As the public health situation with respect to the COVID-19 pandemic continues to improve, NSIRA looks forward to the cooperation of federal government parties in increasing their responsiveness to advance investigations. In light of NSIRA’s objective of developing service standards, it will be adopting a measured approach to requests for adjournments and extensions of deadlines, which will be permitted in exceptional circumstances. Also for the year ahead, NSIRA will continue to improve its website to promote accessibility to and relevance of processes in the investigation of complaints.

3.2 Status of complaints investigation process reform

In 2021, NSIRA completed its investigation process reform initiative after a complex consultation with multiple stakeholders. In July 2021, NSIRA launched its new process that included the implementation of its new rules of procedure, aiming to provide greater accessibility as well as greater efficiency in NSIRA’s investigation mandate. Investigations under this new model show early signs of efficiency in that NSIRA has set timelier dates for the conduct of investigative interviews.

3.3 Investigations

Final report summaries

Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-516)

Background​​​​​​​

The Complainant filed a complaint against the Canadian Security Intelligence Service (CSIS) regarding its involvement in different incidents with airport authorities while the Complainant was travelling.

In addition, the Complainant alleged harassment, possible interference with employment opportunities, interference with a passport application, intercepting and reviewing mail, and disrupting personal relationships.

Investigation

During the investigation, the Complainant raised several separate incidents that led to the filing of their complaint. NSIRA reviewed the evidence before it to determine whether CSIS’s actions were reasonable and proportionate in the circumstances; whether CSIS’s actions constituted harassment; and whether it had acted lawfully.

NSIRA considered the evidence given by witnesses, the documentation submitted by the parties, as well as other relevant material made available during the course of the investigation of the complaint. NSIRA also heard evidence provided by the Complainant.

With respect to one specific incident in dealing with airport authorities while travelling, NSIRA heard evidence by witnesses regarding section 8 of the Canadian Charter of Rights and Freedoms (Charter). Section 8 of the Charter provides that everyone has the right to be secure against unreasonable search and seizure.

Conclusion

With respect to all allegations, NSIRA determined that the complaint is unsupported. However, concerning events related to CSIS participating in a Canada Border Services Agency search of the Complainant’s cell phone at an airport on one occasion, NSIRA found that CSIS breached section 8 of the Charter.

NSIRA concluded that CSIS did not take the Complainant’s privacy interests casually and did not deliberately disregard privacy considerations in relation to the search. The breach of section 8 of the Charter was not egregious and constituted an error in judgment.

Reopened Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-471)

Background

NSIRA issued a supplemental final report resulting from a reopened investigation that was concluded by its predecessor, the Security Intelligence Review Committee (SIRC).

The Complainant alleged that CSIS had violated his constitutional rights due to his race and religion as well as his refusal to work as a human source. He further alleged that CSIS agents were harassing him by stopping him in airports and following him. Lastly, the Complainant alleged that CSIS had disclosed false information to a foreign entity, which resulted in him being held for eight hours without food in a foreign country’s airport.

In SIRC’s final report, SIRC concluded that the Complainant’s allegations of discrimination and harassment were unsupported. SIRC also concluded that the actions of CSIS officials had violated section 12 of the CSIS Actministerial directions, policies and operational procedures, and that these actions resulted in adverse consequences for the Complainant.

NSIRA’s reopened investigation was strictly limited to two questions of law: (1) whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings; and (2) whether CSIS was required to obtain an individual targeting authority against the Complainant.

Investigation

The investigation of the reopening was deemed to be continued before NSIRA pursuant to subsection 11(1) of the National Security Act. NSIRA considered the documentation submitted by the parties, including classified submissions and documents filed by CSIS. NSIRA also considered the submissions filed by the Complainant as well as any other relevant material made available during the course of the investigation of this reopening.

With respect to whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings, CSIS conceded during the investigation that it requires reasonable grounds to suspect that activities constitute a threat to the security of Canada, as described in section 2 of the CSIS Act, to conduct such initial inquiries of its operational holdings.

On the facts of this case, NSIRA determined that SIRC had correctly found that CSIS did not possess objective facts about activities that met the requisite reasonable grounds to suspect standard.

With regard to whether CSIS was required to obtain an individual targeting authority against the Complainant, NSIRA concluded that SIRC’s findings of fact regarding the extent and manner in which CSIS investigated the Complainant would not be revisited by NSIRA. NSIRA found that SIRC’s conclusion that there is a point in the CSIS investigation where CSIS agents were specifically investigating the activities of the Complainant was unequivocal, and, therefore, it was clear that CSIS should have obtained an individual targeting authority against him, yet failed to do so.

Conclusion

NSIRA determined that SIRC’s report and the findings were affirmed.

Conclusion

In 2021, NSIRA delivered on its mandate by completing reviews on a wide array of federal departments and agencies involved in national security and intelligence activities. Similarly, despite the challenges of the COVID-19 pandemic for complaints investigation proceedings and a large increase in its workload, NSIRA adapted its methods and continued its efforts to improve its program delivery.

NSIRA aims to increase its capacity to review technology and its practical use in national security and intelligence activities. The ongoing growth in NSIRA’s staff complement will also help the organization review a greater variety of national security and intelligence activities and continue to progress in its investigation of a large number of complaints.

NSIRA remains committed to engage with non-government stakeholders. NSIRA took note of feedback on its prior annual report and will continue to aim to improve its usefulness.

Once again, NSIRA members are very grateful for the excellent work of the Secretariat staff and their dedication to the organization’s mission of promoting greater accountability in the Canadian security and intelligence community and improving the confidence of Canadians in their oversight institutions.

Share this page
Date Modified:

Quarterly Report: For the quarter ended June 30, 2022

Date of Publishing:

Introduction

This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2022–23 Main Estimates.

This quarterly report has not been subject to an external audit or review.

Mandate

The National Security and Intelligence Review Agency (NSIRA) is an independent external review body that reports to Parliament. Established in July 2019, NSIRA is responsible for conducting reviews of the Government of Canada’s national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and their activities.

A summary description NSIRA’s program activities can be found in Part II of the Main Estimates. Information on NSIRA’s mandate can be found on its website.

Basis of presentation

This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the agency’s spending authorities granted by Parliament and those used by the agency, consistent with the 2022–23 Main Estimates. This quarterly report has been prepared using a special-purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.

The authority of Parliament is required before money can be spent by the government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authorities for specific purposes.

Highlights of the fiscal quarter and fiscal year-to-date results

This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended June 30, 2022.

NSIRA spent approximately 12% of its authorities by the end of the first quarter, compared with 9% in the same quarter of 2021–22 (see graph 1).

Graph 1: Comparison of total authorities and total net budgetary expenditures, Q1 2022–23 and Q1 2021–22

Graph: Variance in authorities as at June 30, 2022 - Text version follows
Comparison of total authorities and total net budgetary expenditures, Q1 2022–23 and Q1 2021–22
  2022-23 2021-22
Total Authorities $28.3 $30.2
Q1 Expenditures $3.3 $2.8

Significant changes to authorities

As at June 30, 2022, Parliament had approved $28.3 million in total authorities for use by NSIRA for 2022–23 compared with $30.2 million as of June 30th, 2021, for a net decrease of $1.9 million or 6.3% (see graph 2).

Graph 2: Variance in authorities as at June 30, 2022

Graph: Variance in authorities as at June 30, 2022 - Text version follows
Variance in authorities as at June 30, 2022 (in millions)
  Fiscal year 2021-22 total available for use for the year ended March 31, 2022 Fiscal year 2022-23 total available for use for the year ended March 31, 2023
Vote 1 – Operating 28.5 26.5
Statutory 1.7 1.7
Total budgetary authorities 30.2 28.3

*Details may not sum to totals due to rounding*

The decrease of $1.9 million in authorities is mostly explained by a gradual reduction in NSIRA’s ongoing operating funding.

Significant changes to quarter expenditures

The first quarter expenditures totaled $3.3 million for an increase of $0.5 million when compared with $2.8 million spent during the same period in 2021–22. Table 1 presents budgetary expenditures by standard object.

Table 1

Variances in expenditures by standard object(in thousands of dollars) Fiscal year 2022–23: expended during the quarter ended June 30, 2022 Fiscal year 2021–22: expended during the quarter ended June 30, 2021     Variance $ Variance %
Personnel 2,345 2,312 33 1%
Transportation and communications 44 13 31 23*
Information 5 2 3 150%
Professional and special services 846 196 650 332%
Rentals 10 0 10
Repair and maintenance 31 8 23 288%
Utilities, materials and supplies 16 3 13 433%
Acquisition of machinery and equipment 9 216 (207) (96%)
Other subsidies and payment (2) 12 (14) (117%)
Total gross budgetary expenditures 3,304 2,762 541 20%

Transportation and communications

The increase of $31,000 relates to increased travel, as travel restrictions due to COVID-19 are no longer in place in Canada.

Professional and special services

The increase of $650,000 is explained by a change in the timing of invoicing for the maintenance and services in support of our classified IT network infrastructure.

Rentals

The increase of $10,000 is explained by rent for temporary office space and software support licenses.

Repair and maintenance

The increase of $23,000 is explained by office accommodation fit-up costs.

Utilities, materials and supplies

The increase of $13,000 is explained by the acquisition office supplies.

Acquisition of machinery and equipment

The decrease of $207,000 is explained by a one-time bulk purchase of monitors and other computer equipment made in the first quarter of 2021-22.

Other subsidies and payments

The decrease of $14,000 is explained by a reduction in emergency salary advances and payroll system overpayments. NSIRA is showing a negative balance here because of the acquisition card rebates.

Risks and uncertainties

The ability of NSIRA to access the information it needs to conduct its reviews and complaints investigations is closely tied to the capacity of the reviewed or investigated departments and agencies to respond to NSIRA’s demands. While most pandemic constraints have subsided, there continues to be recruitment challenges in a tight labour market. To address this challenge, NSIRA is experimenting with hybrid workplace approaches, launching internal career development programs and focusing on onboarding practices to attract and retain talent.

NSIRA is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls.

Mitigation measures for the risks outlined above have been identified and are factored into NSIRA’s approach and timelines for the execution of its mandated activities.

Significant changes in relation to operations, personnel and programs

There have been two new Governor-in-Council appointments during the first quarter, Dr. Foluke Laosebikan and Mr. Matthew Cassar. Existing member, Mr. Craig Forcese, has been named Vice Chair of NSIRA.

There have been no changes to the NSIRA Program.

Approved by senior officials:

John Davies
Deputy Head

Pierre Souligny
Chief Financial Officer

Appendix

Statement of authorities (Unaudited)

(in thousands of dollars)

  Fiscal year 2022–23 Fiscal year 2021–22
  Total available for use for the year ending March 31, 2023 (note 1) Used during the quarter ended June 30, 2022 Year to date used at quarter-end Total available for use for the year ending March 31, 2022 (note 1) Used during the quarter ended June 30, 2021 Year to date used at quarter-end
Vote 1 – Net operating expenditures 26,523 2,872 2,872 28,490 2,3 5,647
Budgetary statutory authorities
Contributions to employee benefit plans 1,728 432 432 1,705 426 426
Total budgetary authorities (note 2) 28,251 3,304 3,304 30,195 2,762 2,762

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Departmental budgetary expenditures by standard object (unaudited)

(in thousands of dollars)

  Fiscal year 2022–23 Fiscal year 2021–22
  Planned expenditures for the year ending March 31, 2023 (note 1) Expended during the quarter ended June 30, 2022 Year to date used at quarter-end Planned expenditures for the year ending March 31, 2022 Expended during the quarter ended June 30, 2021 Year to date used at quarter-end
Expenditures
Personnel 13,245 2,345 2,345 13,222 2,312 2,312
Transportation and communications 597 44 44 673 13 13
Information 372 5 5 375 2 2
Professional and special services 3,506 846 846 5,904 196 196
Rentals 271 10 10 188 0 0
Repair and maintenance 9,722 31 31 8,737 8 8
Utilities, materials and supplies 173 16 16 103 3 3
Acquisition of machinery and equipment 232 9 9 991 216 216
Other subsidies and payments 133 (2) (2) 0 12 12
Total gross budgetary expenditures
(note 2)
28,251 3,304 3,304 30,195 2,762 2,762

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Share this page
Date Modified:

Study of the Government of Canada’s use of Biometrics in the Border Continuum

Review Backgrounder

The Government of Canada (GoC) uses biometrics to identify individuals with a level of confidence beyond what is possible absent such techniques.

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this study, the National Security and Intelligence Review Agency (NSIRA) examined activities conducted by the Canadian Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in this area.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country – and consequently determining whether they have a right to enter, or what risks they might pose – serves a national security function. In this way, the use of biometrics requires an assessment of the balance between privacy and security.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the GoC’s biometric activities in the border continuum.

Date of Publishing:

1. Executive Summary

The Government of Canada (GoC) uses biometrics to identify individuals with a level of confidence beyond what is possible absent such techniques.

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this study, the National Security and Intelligence Review Agency (NSIRA) examined activities conducted by the Canadian Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in this area.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country – and consequently determining whether they have a right to enter, or what risks they might pose – serves a national security function. In this way, the use of biometrics requires an assessment of the balance between privacy and security.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the GoC’s biometric activities in the border continuum.

The study identified a set of observations linked to nine overarching themes:

  1. Biometrics and National Security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
  2. The Steady-State Activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
  3. Expanding Use of Biometrics over Time. The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. This trajectory is driven partly by advancing technological capabilities, partly by evolving challenges in identity management. It is reflected in other jurisdictions around the world. Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
  4. Pilot Projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
  5. Evolving Legal and Societal Norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable – but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
  6. The Dual-Use of Biometrics. NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report. Even where they pose demonstrable benefits, new uses of biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.
  7. Technical Systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.
  8. Visibility into Algorithms. Departments and agencies have limited visibility into how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
  9. Preventing Bias and Discrimination. IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

These observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

List of Acronyms

Glossary of Terms

2. Authorities

The National Security Review Agency (NSIRA) conducted this study under section 8(1)(b) of the National Security and Intelligence Review Agency Act.

3. Introduction

Background

Biometrics enhance the government’s ability to know who you are. The measurement and analysis of unique biological characteristics – including, inter alia, fingerprints, iris patterns, and facial features – facilitates the identification of individuals to a level of confidence beyond what is possible absent the use of such techniques. Biometrics can be layered with traditional identifiers – such as name, date of birth, place of birth, gender etc. – to enhance the government’s identification process.

Knowing who you are – including verifying that you are who you claim to be – has benefits for national security. At the border, in particular, questions about identity are paramount: who has the right to enter the country, who does not, and who might pose a threat to the security of Canada and Canadians?

At the same time, the identification of persons by virtue of their biological characteristics raises acute privacy and human rights concerns. Biometrics are intrinsically personal information, and are largely immutable (i.e., they cannot be easily changed, as can passwords or other identifiers). There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. As biometric technology is increasingly integrated into public spaces, it will be important for government and for Canadians to consider the associated calibration of security, privacy, and human rights.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the Government of Canada (GoC)’s biometric activities in the border continuum, with a focus on activities relating to the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air.  The immediate objective of the study was to map the biometric activities occurring in this space. This includes examining the collection, retention, use, and disclosure of biometric information, as well as the legal authorities under which said activities occur. The baseline for an informed public discussion is accurate information about which activities are being pursued by the GoC and whether/how they are authorized in law.

The study also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics, including the possibility of discrimination on the basis of identity factors like race and gender; the proportionality of their collection, retention, use and disclosure; and the transparency with which the GoC discusses its use of biometrics and their contribution to national security.

NSIRA’s ability to look across departments and agencies and to make both specific and general observations – to examine the forest as well as the trees – was particularly valuable in assessing a wide and growing biometric landscape.

In addition to informing an important public conversation, the report’s broad treatment of biometric activities in the border continuum advances NSIRA’s work in two ways. First, it identifies several more narrow areas of interest or concern, to which NSIRA may return in future targeted reviews. Second, it defines a set of criteria against which NSIRA may review the GoC’s use of biometrics in national security and intelligence activities – both within and beyond the border continuum.

The Study

Scope

The border is distinct from other public settings. There are security imperatives that arise when individuals cross sovereign boundaries, such that the state is justified in taking measures not permissible in other contexts. While privacy rights and civil liberties do not disappear, expectations of privacy and of free movement are significantly lower. In considering the GoC’s biometric activities, therefore, it was practical to separate the border continuum from other settings; what might be overly intrusive in the latter may be justified in the former. Further, the border can serve as a testing ground for new biometric techniques and technologies, which then spread to other areas. If there are public concerns about biometric technology more generally, the border may serve as a harbinger of things to come and ought to be scrutinized accordingly.

In this study, we examine the collection, retention, use, and disclosure of biometric information and evaluate, where applicable, said activities against the criteria outlined below. We reviewed relevant policy and legal frameworks as communicated by departments and agencies, to inform our assessment of reasonableness and necessity, and to establish foundational knowledge that will inform future compliance assessments in the biometrics space. Our assessment of reasonableness and necessity was conducted at a high-level, reflecting on the themes, trends and issues manifest in considering the GoC’s biometric activities in the border continuum as a whole. We did not conduct independent verification or audit of the claims or activities themselves.

In the course of this study, NSIRA examined activities conducted by the Canada Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in the border continuum.

NSIRA also surveyed the history, and possible future, of biometric activities in the border continuum. The biometric landscape is not static, nor are practices in traveler facilitation and border security. Much of the public concern regarding biometrics (in particular over something like facial recognition technology) has to do with what lays just over the horizon, rather than simply any activity currently taking place. To this end, discussion of past activities, programs, and pilot projects illustrate the expansion of biometrics that has culminated in the present moment. Similarly, several pilot projects and initiatives known to be in development serve as examples of what may be to come. This wider lens contextualizes present activities and thus helps fulfill the broader objectives of the study.

Criteria

A set of basic criteria guided NSIRA’s assessment of the GoC’s present biometric activities in the border continuum:

  • Compliance. NSIRA examined the legislative and policy framework governing departments’ and agencies’ collection and use of biometrics. It examined the enabling legislation’s compliance with the Canadian Charter of Rights and Freedoms and Privacy Act; considered the safeguards and features of the departments’ or agencies’ enabling statutes and regulations as applies to their biometric programs; and reviewed applicable departmental and Treasury Board policies.
  • Proportionality. Proportionality, in this context, weighs the government’s objectives in using biometrics against any impacts on individuals’ privacy or human rights. Generally speaking, NSIRA expects that any intrusions on the rights and freedoms of individuals be readily justifiable and offer important benefits to pressing and substantial objectives.
  • Accuracy. Because biometrics are fundamentally designed to identify individuals, it is important that they do so accurately, such that they can effectively contribute to the government’s objectives in a given activity/program. Biometric analysis (including the use of algorithms) is subject to error rates and false-matches that can have significant consequences for individuals. Relatedly, algorithms used for biometric analysis are susceptible to demographic performance variables which could give rise to bias or discrimination.
  • Transparency. In light of the GoC’s National Security Transparency Commitment of 2017, this criterion generally assessed the public transparency of biometric activities in the border continuum. It emphasized the availability of information regarding the type of biometrics collected and the connection of biometrics to GoC priorities, including national security.
  • Data Security. Given the sensitive nature of biometric information, protection of said data throughout the so-called “privacy lifecycle” (collection, storage, transmission, and destruction) is particularly important. As such, NSIRA assessed the policy frameworks of the activities under review for data security protections, such as encryption, access limitations, and privacy-by-design principles.

Collectively, these criteria informed NSIRA’s assessment of the lawfulness, reasonableness and necessity of the departments’ exercise of their powers as concerns the use of biometrics in Canada’s border continuum. Our observations highlight potential issues and areas of concern, which may serve as a basis for subsequent in-depth review of particular activities.

Methodology and Information Requirements

NSIRA received information from departments and agencies in the form of briefings, written responses, and documents. The latter included policies, procedures, project reports, technical studies, operational bulletins, manuals, correspondence, websites, and relevant legal opinions.

In addition to information obtained from departments and agencies, the nature of the study – dealing with a broad category of information widely used and heavily scrutinized across the globe – meant that a significant volume of open-source research was pertinent. As such, NSIRA examined media reports (both domestic and international), industry reports, academic research, think tank reports, government reports/documents from other jurisdictions, and intergovernmental and non-governmental organization research on biometrics and related technology. What emerged was a sense of the common standards, themes, risks, and even lexicon associated with biometrics, all of which helped inform NSIRA’s observations regarding the GoC’s biometric activities in the border continuum.

The Report

The body of the report is organized into three descriptive sections, presented in chronological order:

  • Biometrics Past: a discussion of the history and evolution of the use of biometrics in the border continuum, including relevant pilot projects and key expansions along the way;
  • Biometrics Present: a description of current, steady-state biometric activities; and,
  • Biometrics Future: a discussion of the role biometrics are likely to play in the border continuum moving forward, based on present trajectories.

The concluding section unpacks overarching themes and observations pertinent to the study objectives outlined above. While some of these observations are specific to a particular program or activity, others apply horizontally across various aspects of the study. The mélange reflects both the nature of a foundational study and the unique, crosscutting mandate that NSIRA enjoys. Our observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

4. Biometrics Past

IRCC began collecting fingerprints from asylum claimants and deportees in 1993, partly as a consequence of the rise in global migration volumes following the end of the Cold War. Canada received 37,000 refugee protection claims in 1992, up from just a few thousand annually for the balance of the 1980s. The resulting pressure on the system led, in part, to the introduction of Bill C-86 in June 1992, which included several provisions designed to enhance the efficiency and integrity of Canada’s immigration and refugee system, among them the fingerprinting of asylum claimants and deportees. This provision generated public criticism, with the government eventually amending it to include the deletion of fingerprints if/when an individual became a Canadian citizen. Ultimately, the purpose of the collection was to introduce processing efficiency into the system and to enhance both fraud detection and fraud deterrence through rigorous identity management.

Over the subsequent years, the collection and use of biometrics in the border continuum has steadily expanded, such that nearly everyone entering Canada by air – whether a foreign national or Canadian citizen – now has their biometric information collected and/or analyzed in some way. How did we get from there to here? The present section addresses this question by describing the evolution of the GoC’s activities over time, highlighting key moments, programs, and projects that animate it along the way.

9/11

The terrorist attacks of September 11, 2001, dramatically altered Canada’s national security landscape. The 2001 budget reflected the new priorities of the day, with $7.7 billion over five years allocated to security measures, including $1 billion to immigration screening and enforcement and $1.2 billion to border security initiatives.

These outlays came on the heels of explicit recommendations from a parliamentary committee to, among other things, “modernize border management to accommodate future security and trade needs” and “test and implement […] advanced technologies in […] border processing operations.” The latter recommendation included the suggestion that “biometric technology in the form of fingerprint or retina scanners could […] be considered to identify individuals […] crossing the border.” The report also called for the reactivation and full implementation of the NEXUS program, which had been a cross-border travel pilot project between the US and Canada launched in November 2000 but suspended in the wake of the attacks.

The central plank of post-9/11 US-Canada border security cooperation, however, was the Smart Border Declaration, signed on December 12, 2001. Accompanied by a 30-point Action Plan, the declaration guided US and Canadian efforts to enhance border security. The very first item on the Action Plan was the introduction of “biometric identifiers”, calling for the two countries to “develop on an urgent basis common biometric identifiers in documentation such as permanent resident cards, NEXUS, and other travel documents to ensure greater security.” Also of note were the provisions to expand information sharing in the visa and refugee/asylum context.

The two countries explicitly framed the Smart Border Action Plan as an effort to “develop a zone of confidence against terrorist activity”. In the US, the Final Report of the National Commission on Terrorist Attacks Upon the United States (more widely known as the “9/11 Commission Report”) expressed this logic, calling for a “biometric screening system” that would encompass the entire border continuum, from passport and immigration application to arrival at ports of entry, along with information sharing between jurisdictions. Canada’s 2004 National Security Policy (NSP) similarly foregrounded biometrics in its chapter on border security. The NSP noted that Canada would “work toward a broader use of biometrics” and “examine how to use biometrics in [its] border and immigration systems to enhance the design and issuance processes of travel and proof-of-status documents and to validate the identity of travellers at [Canada’s] ports of entry.” For both countries, biometrics were seen as a means of identifying possible terrorists crossing the border. 9/11 had fused border security to national security, turning identity management – hitherto primarily associated with efficiencies and fraud – into a national security priority.

In Canada, the NSP set the basic outline of the GoC’s current steady-state biometric activities: facial recognition in the issuance and use of travel documents (Passport Program) and fingerprints and the validation of identity at ports of entry (Immigration Program). We return to these in Section 5.

In the balance of this section, we briefly describe the key biometric activities and programs adopted in the years following 9/11.

ePassport

Though standard in the document for decades, passport photographs were not considered “biometrics” until passports became machine-readable. The 2003 International Civil Aviation Organization (ICAO) guidelines on ePassports, also commonly referred to as “biometric passports,” therefore mark the introduction of biometric identifiers to the document on the international stage. Canada committed to the ePassport in 2004, though actual implementation unfolded in stages over subsequent years, with the full rollout occurring in 2013. Hundreds of other jurisdictions adopted the ePassport during this period, gradually establishing it as an international recommended practice for official travel documents. Canada’s current iteration of the ePassport is discussed in paragraphs 95-112, below.

In addition to the “smart chip” embedded in the ePassport and containing the facial photograph, the government also pursued facial recognition in the passport application/issuance process. The first Privacy Impact Assessment (PIA) for what was then known as the “Facial Recognition Project” was crafted in 2003, though full implementation under the guise of the “Facial Recognition Solution” (FRS) did not occur until 2010. The system used facial recognition to help assess entitlement to a Canadian passport or other official Canadian travel document. The specific objectives of the program were: to detect fraud, support the authentication of identity, and prevent passport issuance to ineligible applicants. We discuss the current iteration of the FRS, which is a key component of the steady-state Passport Program, in paragraphs 95-112, below.

Temporary Resident Biometrics Program (TRBP) (2009-2018)

The “Temporary Resident Biometrics Program” (TRBP) – initiated in 2009 and operational by 2013 – marked a significant expansion of the collection of biometrics in the immigration context. Under the TRBP, biometrics (fingerprints and a digital photograph) were collected by IRCC (then-Citizenship and Immigration Canada [CIC]) as part of temporary resident applications from 30 nationalities. The fingerprints were screened “against fingerprint records of known criminals, past refugee claimants, persons previously deported, and previous immigration applicants” held by the GoC. Once the application was approved and the applicant arrived in Canada, the CBSA verified the biometrics ensuring that the person presenting was the same individual that had applied. In 2014, biometrics collection was expanded beyond temporary resident applications to include overseas refugee and resettlement applications.

According to the GoC, biometrics were adopted as a means to access more complete and accurate information, so as to inform admissibility decisions made under the Immigration and Refugees Protection Act (IRPA) regarding temporary resident applicants. The TRBP’s use of biometrics therefore supported identity management goals, with national security – the identification of individuals who might pose a security threat – constituting a supporting feature of the larger program.

Beyond the Border (2011) and Immigration Information Sharing (IIS) (2013-2016)

In 2011, Canada and the US issued the joint declaration Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness and its accompanying “Beyond the Border Action Plan”. The plan made a commitment to increase information sharing between the two countries. Canada and the US had shared immigration information on a case-by-case, ad hoc basis since 2003, but the process was labour intensive and consequently limited in volume.

The resulting program was the Immigration Information Sharing (IIS) initiative, which made it possible for Canadian and American authorities to systematically exchange immigration information on the basis of a biometric match between their respective immigration databases – a capability that became fully operational in August 2015. For example, all biometric-required applicants to Canada had their fingerprints systematically checked against US fingerprint holdings at the time of enrolment. In the event of a match, the US returned relevant immigration information (e.g. biographical information to confirm identity, the outcome of any previous immigration applications, etc.) to IRCC, to help inform decisions about admissibility. The arrangement was reciprocal, meaning the US similarly queried Canadian immigration fingerprint holdings, with Canada returning immigration information in the event of a match. As characterized by a 2015 implementation report, this capability helped to “counter identity fraud, strengthen identity management and provide valuable information to inform respective admissibility determinations.”

The IIS was, in many ways, the natural extension of TRBP. Whereas TRBP made it possible to screen an applicant’s biometrics against domestic databases, IIS extended this capability to US databases, thereby increasing the range of information obtainable through biometric querying.

Information-Sharing Pilot between CBSA and IRCC/CIC (2013-2016)

Beginning in 2013, a two-phase pilot project between CBSA and IRCC/CIC explored the benefits of leveraging facial recognition through information sharing. The impetus for the project was the experimental querying of 72 photographs of individuals wanted by the CBSA against IRCC/CIC’s passport database. The querying was intended to verify whether any passports had been issued to individuals subject to CBSA warrants for arrest under the IRPA (under genuine or false identities), thus helping protect the integrity of the passport system, while also facilitating enforcement of the IRPA. The CBSA and IRCC rely on sections 7, 8(2)(a) and 8(2)(e) of the Privacy Act for the use and disclosure of this information.

Using facial recognition, the one-to-many identification of these 72 individuals identified three individuals who had fraudulently acquired travel documents. On the strength of these results, the organizations drafted a Memorandum of Understanding (MOU) in December 2013 to share photographs of 1,000 individuals wanted on active CBSA warrants and ran a one-to-many identification against the passport database using facial recognition. This time, 15 individuals were found to have submitted fraudulent passport applications.

In 2015, another round of the project was initiated under a subsequent MOU, raising the number of queries to 3,000 individuals. Also expanded was the scope of information that could be returned as a result of a positive match. Whereas the 2013 MOU only authorized the sharing of information related to document fraud, the 2015 MOU authorized the sharing of any derogatory information relevant to the enforcement of the IRPA. Appendix III of the Information Sharing Annex to the 2017 IRCC-CBSA MOU established this information sharing on a permanent basis.

Research into Facial Recognition

In addition to the expansion, refinement, and leveraging of biometric activities associated with passports and immigration, the GoC explored additional uses of biometrics, including facial recognition, through research into emerging technologies and pilot initiatives, testing possible applications in the border continuum.

Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video (PROVE-IT: FRiV) (2011-2013)

In 2011, CBSA led the “Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video” (PROVE-IT: FRiV) project. PROVE-IT: FRiV examined, in a lab setting, the possible use of live-capture facial recognition in a controlled environment, such as an airport. Researchers evaluated commercial products and tools available for this purpose, and determined that “face-based surveillance” was ready for live use in “in semi-constrained environments.”

Faces on the Move (FOTM) (2014-2017)

Building on the findings and results of PROVE-IT: FRiV, CBSA launched the “Faces on the Move” (FOTM) pilot project in 2014. FOTM involved the live video capture of the facial images of travellers as they passed through Toronto Pearson International Airport Terminal 3 for a six-month period between June 2016 and November 2016.

Project-specific video cameras were installed to capture facial images in the immigration arrivals area, primary inspection, and toward the exit following primary processing. Facial images were checked in real time using facial recognition against two image databases: a “control” watchlist comprised of 65 CBSA volunteers, and an “operational” watchlist of 4,860 previously deported individuals, generated by CBSA. The CBSA volunteers conducted over 1,200 test walkthroughs over the course of the six-month demonstration. At the same time, approximately 15,000 to 20,000 travellers per day were screened against the operational watchlist, of which forty-seven were correctly detected by the system. All records of personal information were to be destroyed at the end of the project, save those that served an administrative purpose, which would be retained for two years following the date of their last use in keeping with section 6(1) of the Privacy Act and section 4(1)(a) of the Privacy Regulations.

The immediate purpose of FOTM was to raise the technology readiness level of facial recognition to the point of being ready for live, real-time implementation in a controlled environment. Further objectives included the establishment of privacy and security protocols governing the deployment of facial recognition and the development of Canadian industry offerings in the facial recognition space through partnership with CBSA and access to the CBSA’s operational environment (i.e. the border). Longer-term strategic goals included promoting the “efficient flow of people across Canada’s borders” and addressing “evolving threats to public safety at or before the border…while respecting Canadian values including the right to privacy.” Ultimately, FOTM was couched as a building block toward future applications of facial recognition in the border continuum and “similar security scenarios (transportation facilities, shopping malls, stadiums, mass public events).” The lessons from FOTM were to inform a “roadmap” for the use of “science and technology […] for face surveillance, specifically at the border.”

According to the project’s final report, FOTM experienced several policy challenges, “including concept of operation, deployment constraints, public notification, data security, data retention/purging rules, and legality of enforcement based on face recognition and privacy issues.” These and other challenges were likely to “influence face surveillance future deployments and/or technology road maps.” Nonetheless, it recognized that the combination of advancing capabilities and relaxing public resistance to facial recognition technology “will drive the need for continual investment in both the science and the application of face recognition based surveillance.”

Prior to the demonstration period, a PIA conducted for FOTM in consultation with the OPC had brought additional issues to light. This resulted in certain changes to the project, including dropping plans to use watchlist photographs from multiple government agencies and foregoing plans to advise enforcement agencies of a previously deported person’s presence if the individual was not intercepted by the CBSA before leaving the port of entry. The consultants’ final report for the project “recognized that should facial recognition be deployed for long-term, operational use, the PIA would have to be redone and updated to identify potential ongoing risks that did not affect the short-term FOTM project.” Furthermore, CBSA recognized that, were FOTM to become a permanent program, the use of facial recognition would require an update to its Policy on the Overt Use of Audio-Video Monitoring and Recording Technology, and to the description of the related CBSA Personal Information Bank57 (PIB), PPU 1104, which did not include “biometric information.”

Indeed, public signage and notice about the cameras was limited during the demonstration period. Signage at Terminal 3 of Toronto Pearson’s International airport stated that “[t]his area is under video surveillance,” but made no mention of facial recognition. Similarly, the November 19, 2012, version of the CBSA’s Privacy Notice on Video Monitoring and Recording, referred to in the PIA for FOTM, discloses that “[c]ameras may […] monitor the movement of travelers and goods from one point of CBSA operation to another, for example, from primary to secondary,” but does not provide notice of a facial recognition capability. These lacunae in the notice provisions appear to have been acknowledged in the final report on FOTM, however, which notes that the machine learning component “may require an extension to the current [privacy and security] protocols.”

To date, FOTM or similar use of facial recognition has not been adopted as an ongoing activity. Other operational priorities, including the deployment of Primary Inspection Kiosks (PIKs) at select airports, took precedence at the time the project was completed, and CBSA has not indicated plans to revive FOTM. The technology for FOTM was removed from the airport at the end of the pilot.

The CBSA relied on its powers of examination under sections 15-18 of IRPA to authorize the FOTM project, explaining that “[t]hese sections require all persons seeking entry to Canada to submit to an examination of their persons and documents” and “allow for the presentation of photographic evidence of an applicant’s identity.” Indeed, section 15(3) of IRPA authorizes “an officer [to] … examine any person carried by [a means of transportation bringing persons to Canada],” and to examine “any record or document respecting that person.” Section 16 of IRPA further specifies that “[a] person who makes an application must answer truthfully all questions put to them for the purpose of the examination and must produce [at this examination] a visa and all relevant evidence and documents that the officer reasonably requires.” In the case of a foreign national, this evidence includes “photographic and fingerprint evidence.” The CBSA did not request legal assessment from the Department of Justice (DOJ) as to whether these authorities would support the FOTM pilot program.

The CBSA’s reliance on these general powers of examination to conduct facial recognition on travelers as they make their way to the point of processing is of concern to NSIRA. The legislative authorities relied on by the CBSA presume an overt interaction between the traveler and CBSA officials, and the knowing presentation by travelers of their individual documents, fingerprints and photographs during their examination. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. NSIRA is of the opinion that further legal advice would be required in order to ensure that the use of facial recognition in Canadian airports (or elsewhere at the border) is well-founded in the CBSA’s legislative authorities.

Moreover, with respect to the pilot’s compliance with section 8 of the Charter, the CBSA explained that a legal opinion from the Department of Justice (DOJ) was not required because “no information [was] being collected above and beyond the CBSA’s current use of CCTV technology.” The pilot used “the existing surveillance infrastructure” and “did not introduce any additional (audio or video) at ports of entry.” As such, the CBSA was of the opinion that FOTM did not engage privacy or other concerns that would necessitate legal consultation.

As described in paragraph 39, however, project documents indicate that new cameras were installed for the demonstration period. Moreover, these arguments under-value the effects of facial recognition technology on individuals’ privacy. The important fact is not the installation or absence of new cameras, but rather their ability to conduct facial recognition. This new aspect of what is being collected arguably changes the subject-matter of the search. As the OPC has recommended, PIAs (and, in NSIRA’s view, assessments of lawful authority) should be renewed when new technologies are used, in order to ensure that the subject-matter of the search – and its privacy implications – are well-understood. Notices should also be updated to ensure that the use of facial recognition is clearly made known to the public, unless operational imperatives justify a lower degree of transparency.

The deployment of such technology, whether on a short-term or long-term basis, must be carefully studied and be fully supported by legal authority and a sound policy framework. The FOTM demonstrated genuine benefits for the execution of the CBSA’s duties at the border, specifically the identification of individuals of concern. Individuals previously deported for inadmissibility are known to attempt re-entry into Canada under assumed or false identities. The 47 “real hits” during the six-month demonstration window of FOTM attest to this fact. As noted in other contexts, of course, national security is one among many interests supported through better identity management. Further, findings of inadmissibility on security grounds (s. 34 of the IRPA) constitute a comparatively small portion of overall inadmissibility decisions. At the same time, rare events can have extreme consequences. National security cases are, by their nature, infrequent but serious.

FASTER-PrivBio Project (2015-2017)

FASTER-PrivBio was a ‘proof of concept’ project that developed a prototype mobile application that facilitated the application and approval of electronic travel authorizations (eTAs). It was led by IRCC in conjunction with CBSA and other partners (including the University of Ottawa and Ryerson University). The application captured a digital photograph (selfie), extracted the digital photograph contained in the ePassport chip, compared the two using facial recognition (one-to-one comparison), and validated the authenticity of the travel document. Upon successful enrolment, the application would then create a ‘client token’ facilitating movement through the travel continuum for low-risk travellers. The project incorporated a ‘Privacy-by-Design’ framework, with a specific emphasis on addressing the privacy concerns raised by the use of biometrics.

Two basic security benefits were envisioned: first, the facilitation of low-risk travellers would allow resources and attention to be applied elsewhere, including toward higher-risk travellers in manual processing. Second, the application would automatically check enrolled travellers against CBSA, IRCC and other applicable (e.g. International Criminal Police Organization [INTERPOL]) biographic watchlists, thereby identifying individuals of concern. This latter function, however, would largely replicate existing screening in the eTA process.

The project closed in 2017 having successfully demonstrated its intended deliverables. Its key takeaways included the viability of mobile (smartphone-based) biometric credentials (including adequate data security protections, according to project participants), compatibility with ePassports and related IRCC systems and infrastructure, and the robust identity verifications possible through such a system. The next phase of the project was to work toward live implementation, set to occur under the “Chain-of-Trust” (CoT) initiative. CoT development continues at present and is covered in Section 6, paragraphs 151-155, below.

Biometrics Expansion Project (2015-2020)

Initiated in 2015, the Biometrics Expansion Project (BEP), as its name suggests, marked another significant increase in the collection of biometrics in the immigration stream. Building on the TRBP, the BEP expanded the collection of biometrics to all persons (unless exempted) making a claim, application or request under the IRPA. The BEP incorporated the IIS initiative and extended automated immigration information sharing, including through biometric querying, to other international partners in the Migration 5 (M5) group, which comprises the immigration agencies of the United States, Australia, New Zealand, and the United Kingdom. The BEP also broadened the capacity for fingerprint verification at Canadian ports of entry (POE) through the introduction of automated Systematic Fingerprint Verification (SFV) at eight international airports (see paragraph 73) and the addition of discretionary fingerprint verification at secondary inspection at an additional 11 airports and 40 land POE.

The BEP closed in 2020 and the biometric activities it established were transferred to steady-state operations. As such, the activities described here are addressed in Section 5, paragraphs 63-94, below.

Assessing Biometrics Past

This section surveyed the development of biometric activities in the border continuum over the past several decades, highlighting key moments, programs, and pilots along the way. Taken collectively, several themes emerge.

First, the GoC’s collection and use of biometrics has steadily expanded. In the immigration context, for example, what began with deportees and asylum claimants in 1993 culminated in 2018 with all persons (unless exempted) making a claim, application or request under IRPA.

Second, the commitments and priorities established in the wake of the 9/11 attacks spurred the adoption of biometrics in the early part of the millennium, setting the foundation for the basic architecture of biometric activities in the border continuum today. In this context, the rationale for biometric adoption was national security. Identifying individuals meant possibly identifying terrorists.

Third, identifying individuals is also (and increasingly) about broader identity management. For CBSA and IRCC, biometrics contribute to overall organizational goals, not just national security objectives. As the immediacy of 9/11 receded, broader identity management became a relatively larger part of the rationale for collecting and using biometrics. This shift reflected a more balanced logic for biometric adoption, embracing their overall utility rather than emphasizing the smaller – though important – national security subset.

Fourth, as biometric activities have expanded, so too has the overlap and/or shared responsibility between organizations in their design and implementation: between government departments/agencies (e.g. IRCC and CBSA); between jurisdictions (e.g. Canada and the US, and Canada and other international partners); and between the public and private sector (as the GoC engages industry partners). Such closer cooperation may have implications for individuals’ privacy rights, for possible future uses of biometrics, and also underscores the importance of sound data security across these various institutions.

Fifth, traveller facilitation has emerged as another force behind biometric adoption, to improve efficiency at the border and to reflect evolving societal norms about the use of technology. As the FASTER-PrivBIO project suggests, the development of new biometric activities takes for granted traveller familiarity with digital devices. At the same time, individuals are likely to be more comfortable adopting relatively intrusive technologies when they do so voluntarily and consensually. This tension – between expectations of convenience and expectations of privacy – is likely to shape public dialogue over biometrics moving forward.

Sixth, and related to the above, the expansion of biometrics has coincided with a growing emphasis on privacy and privacy protections. Many of the pilots and projects described in this section explicitly addressed such concerns, including by adopting so-called “Privacy-by-Design” principles, which are intended to proactively protect personal information. This dynamic reflects the development, over time, of the wider understanding (whether on the part of government, industry, the legal community, or academia) as to the particular risks associated with the collection and use of biometrics. Some applications of biometric analysis – for example the facial recognition used in the FOTM project – carry more risks than others, and ought to be scrutinized accordingly.

5. Biometrics Present

This section focuses on the GoC’s steady-state biometric activities in the border continuum. The balance of the section examines the role of biometrics in the immigration and Passport programs, respectively. For each, we examine how biometrics serve program objectives (noting, as relevant, their collection, use, retention, and disclosure) and consider the criteria outlined in Section 3. The end of the section examines the process of “arriving into Canada”, which includes the analysis of traveller and NEXUS member biometrics by automated kiosks at Canadian airports. Throughout, we highlight the relevant national security considerations.

Immigration Program

IRCC is responsible for screening the admissibility of potential permanent and temporary residents coming to Canada. As part of this process (hereafter the “Immigration Program”), IRCC employs biometrics, in cooperation with CBSA and the RCMP. As IRCC characterized it to NSIRA, for biometrics in the Immigration Program: “IRCC collects, the RCMP stores, and the CBSA verifies.”

IRCC collects (all ten) fingerprints and a digital photograph in support of applications for temporary resident visas or status, work permits, study permits, temporary resident permits, and permanent residency, and in support of refugee and asylum claims. The collected biometrics are stored in two databases: photographs are stored in the IRCC’s Global Case Management System (GCMS) and fingerprints are stored in the RCMP’s Automated Fingerprint Identification System (AFIS). The digital photograph, while ICAO compliant, is not used for facial recognition and may not be of sufficient quality for that type of analysis. As such, we focus primarily on fingerprints in our description and analysis of activities.

Biometrics are collected and enrolled at multiple service points, both in Canada and abroad, with the vast majority (approximately 90%) occurring at Visa Application Centres (VACs). VACs are commercial service suppliers, managed by private companies, contracted by IRCC to deliver biometric enrolment overseas.

The collection phase is a sensitive juncture given the personal nature of biometric information. The primary concerns here relate to privacy and the security of biometric data. Media reports have highlighted concerns about VACs, questioning whether adequate privacy protection can be maintained given the central role of private contractors based outside of Canada. Possible links between the subcontractor administering Canada’s VAC in Beijing and Chinese security forces have also been scrutinized. Foreign governments have an interest in knowing who is applying to come to Canada – the information can be leveraged to monitor, suppress, harass, coerce, threaten or otherwise harm an individual. The possible interception or theft of biometric data is especially concerning, given its possible use in monitoring, surveillance, and identification.

IRCC has taken steps to ensure the flow of biometric information (including collection and transmission) at VACs is controlled. Contracts with VAC providers stipulate that they must abide by Canadian privacy laws. IRCC further states that oversight of VAC contractors occurs through audits and site reviews, conducted by Canadian officials, at VAC locations. All biometric information collected outside of Canada is said to be encrypted before being transmitted back to IRCC servers located in Canada (photographs in GCMS) and to the RCMP (fingerprints in the AFIS). Once successfully transmitted, IRCC states that the information is deleted from the point of collection.

Given the nature of operating in certain foreign jurisdictions, however, there remain challenges to securing the information provided by applicants at VACs. Some VACs are located in countries with national interests inimical to those of Canada – the national security consequences of security breaches at these VACs may therefore be particularly acute. While the scope of the present study precluded in-depth examination of the security arrangements at VACs, NSIRA may wish to revisit the issue at a later date.

In the border continuum, Canada leverages (or uses) the collected biometrics in three ways: for screening at enrolment (with any returned information informing decisions about an application), for verification upon arrival at a Canadian POE, and for ongoing assessment of admissibility (or immigration status) once an individual is present in Canada.

Screening at enrolment is automatic, and includes both domestic (Canadian) and foreign databases. For enrolment, IRCC or CBSA submits the collected fingerprints to the RCMP. Fingerprints and biographic information are then compared against the RCMP’s criminal and immigration fingerprint repositories (the latter includes fingerprints collected as part of previous applications). Fingerprints are also queried against the immigration databases of Canada’s M5 partners.

Information returned from domestic and foreign screening informs decisions on admissibility – including possible inadmissibility on IRPA s. 34 security grounds. Biometric immigration information sharing with the M5 partners includes sharing of derogatory alert codes. Information that indicates a potential national security concern may be referred to the Public Safety portfolio (including CSIS and CBSA) for additional security screening. While foreign screening also occurs using biographical information, biometrics confer the additional advantage of identifying matches to previous applications associated with different names and/or with discrepant biographical information.

Following the screening process, biometrics are used by the CBSA to verify the identity of enrolled foreign nationals arriving at a Canadian POE. This ensures – to a level of confidence beyond what is generally possible absent the use of biometric information – that the individual granted a visa or permit is the same individual entering Canada.

The mode of verification varies between POE. At eight international airports, Systematic Fingerprint Verification (SFV) occurs through Primary Inspection Kiosks (PIKs). PIKs are automated kiosks used to process travellers through customs and immigration at major Canadian airports (for more on the PIK see paragraphs 125-137, below). The PIK captures fingerprints and transmits biometrics to the RCMP for one-to-one matching against the traveller’s reference fingerprint in the RCMP database. Where SFV is not available, Border Services Officers (BSOs) verify identity by comparing the traveller’s enrolled photograph with the individual presenting in front of them, while fingerprint verification occurs on a discretionary basis at secondary inspection using CBSA’s LiveScan device.

Biometrics are also used to assess ongoing admissibility. That is, they serve as a means to connect individuals to information that could affect their immigration status and/or future immigration applications (for example interaction with law enforcement that might indicate inadmissibility).

The retention period for biometrics collected is partially contingent on the application’s outcome. For both temporary resident and permanent resident applications refused on the grounds of what the IRCC considers “serious inadmissibility” (sections 34-37 of the IRPA), biometrics are retained until the individual’s 100th birthday.

This extended retention period provides security benefits as biometrics can help identify an individual should they submit a subsequent application at any (realistic) point in the future, even if submitted under a different name. Extended retention also makes such identification possible for domestic and/or foreign partners with querying access to the immigration database. Should the individual receive a record suspension, criminal rehabilitation, or ministerial relief, the retention period reverts to the typical 15 years from the date of biometric enrolment. This caveat is important, as it realigns the retention of an individual’s biometrics beyond the resolution of the underlying circumstances which warranted the extended retention.

At the end of the retention period, biometric information is disposed of by IRCC according to disposition authorizations issued by Library and Archives Canada. With respect to fingerprints held by the RCMP, an automated electronic purge transaction request is transmitted by IRCC and a confirmation of the purge returned.

In 2021, IRCC discovered a privacy breach related to the retention of immigration fingerprints and photographs beyond their prescribed retention period. The information belonged to individuals who attained Canadian citizenship meaning that, according to IRCC biometric retention policy, fingerprints and photographs associated with their immigration file should have been deleted. IRCC notified the OPC in February 2021 about the issue, and notified affected clients, by email, in March 2021. A public notification was placed on the IRCC website.

The disclosure of biometric information raises privacy considerations and calls for attentive consideration of their subsequent use. Given that biometrics are personal information, the current legal framework requires that the GoC only use them for the purposes for which they were obtained (namely, determining an individual’s admissibility to enter, or remain in, Canada); for a use consistent with that purpose; or as otherwise authorized by law.

The automated querying that occurs between Canada and its M5 partners involves an anonymous biometric (fingerprint) search, with no identifying biographic information included; if a match is detected, relevant immigration information is returned; if there is no match, the receiving country sends a nil result. In either case, the receiving country is required to purge and not retain the fingerprint. The system is designed, ultimately, with the intention that no biographic and/or immigration information is exchanged unless both parties already possess the biometric in their databases – an important privacy protection measure. Further, the automated agreements specify that any information exchanged will pertain to third-party nationals only; that is, Canada will not send or receive information on Canadian citizens or, with the exception of asylum claims, permanent residents.

Less frequent case-by-case (or ad hoc) exchanges may result in the actual exchange of underlying biometric information (whether photographs or fingerprints) if the information is deemed, by the requesting party, relevant to enforcing that party’s immigration and citizenship laws. Such exchanges are subject to caveats regarding use, onward disclosure, and retention, which apply to any information disclosed (not just biometrics), but which are not legally binding on the participants. IRCC further indicated that ad hoc exchanges of biometric information may also occur with international partners beyond the M5, “with either the consent of the individual to whom the information pertains, or pursuant to section 8(2)(a) [i.e. the consistent use provision] of the Privacy Act.”

The primary sources of authority for the collection, use, and disclosure of biometric information in the Immigration Program are the IRPA and the Immigration and Refugee Protection Regulations (IRPR). Specifically, s.10.01 of the IRPA authorizes the collection of biometrics for the purposes of enrollment and verification pursuant to an application under the Act. Under s. 10.02 of IRPA, the Minister may issue regulations respecting the implementation of these processes, through the IRPR. The Regulations specify to whom the biometrics requirements apply, the type of biometrics at issue, and guide their collection, processing and verification. Section 16(1) of the IRPA requires that individuals making an application under the Act submit truthfully to examination and produce “relevant evidence and documents” while 16(2), which applies only to foreign nationals, specifies that such evidence includes “photographic and fingerprint evidence”. IRCC also cites s. 4 of the Privacy Act as authorizing their collection of biometrics, given that the information relates “directly to the administration of [IRCC’s] immigration programs.” They note further that, consistent with s. 7 of the Privacy Act, biometrics “will only be used for the purposes for which it was collected, or for a use consistent with that purpose.”

In terms of the IRCC’s disclosure of biometrics to international allies, s. 7 of the IRPA authorizes the Minister, with the approval of the Governor in Council, to enter into an agreement(s) with the government of a foreign state(s), for the purposes of the IRPA. Multiple such agreements are part of the IRPR, which cover Canada’s information sharing activities with each M5 partner including: the ‘Agreement between the Government of Canada and the Government of the United States of America for the Sharing of Visa and Immigration Information’; the ‘Annex Regarding the Sharing of Information on Asylum and Refugee Status Claims to the Statement of Mutual Understanding’; and the bilateral automated exchange arrangements with the Governments of Australia, New Zealand and the United Kingdom. These agreements provide for the disclosure of biographic and biometric data between the parties to the extent “necessary, relevant and proportionate to achieve [the administration and enforcement of the parties’ citizenship and immigration laws].” Provisions in each agreement also govern the destruction of the information, the correction of previously disclosed information, and grant the Minister a discretion to refuse to disclose information detrimental to Canada’s national interests.

Such disclosures would also be consistent with s. 8(2)(f) of the Privacy Act, which allows for the disclosure of personal information under an agreement or arrangement between the Government of Canada and a foreign state, for the purpose of administering or enforcing its laws. Ad hoc exchanges with partners beyond the M5 are conducted pursuant to the consistent use provisions of s. 8(2)(a) of the Privacy Act.

Canadian law enforcement may also access fingerprints collected by IRCC during the immigration application process for law enforcement purposes. Section 13.11 of the IRPR allows the RCMP to use – or disclose to other law enforcement agencies in Canada – any biometric information and specified, related personal information for the purpose of establishing or verifying a person’s identity in order to prevent, investigate or prosecute an offence. This information may also be used to establish or verify the identity of a person whose identity cannot reasonably be otherwise established or verified because of a physical or mental condition or because of their death. In other words, when law enforcement agencies submit fingerprints collected in the course of its duties to the RCMP — or the RCMP itself verifies a fingerprint — both criminal and immigration repositories, containing the fingerprints of foreign nationals and permanent residents, are included in the search. Section 13.11(2) of the IRPR allows the following personal information to be used or disclosed: the individual’s fingerprints and the date on which they were taken; their surname and first name; their other names and aliases, if any, their date of birth, their gender, and any file number associated with the biometric information or related personal information.

Assessing the Immigration Program

Biometrics facilitate identity management in the Immigration Program. First, the enrolment of biometrics ties an application to an individual. Second, biometric querying screens applicants against domestic and foreign databases, with the information returned as part of these queries informing decision-making regarding their admissibility into Canada. Third, biometrics are verified upon arrival at a Canadian POE to ensure that the individual presenting is the one to whom a visa or permit has been granted. Finally, biometrics are retained for a specified period (varying between application streams) so as to both assess continuing admissibility (status) under the IRPA and allow foreign nationals to submit subsequent applications without having to re-enrol their biometrics.

National security benefits are a consequence of robust identity management. National security is a component of, rather than the sole impetus behind, the use of biometrics. Enrolling biometrics at the application stage serves as a potential deterrent to individuals who might otherwise apply for mala fide purposes. Biometric screening of domestic and foreign databases helps identify individuals who are inadmissible (including, potentially, for reasons of national security). Verifying biometrics upon arrival ensures that the individual authorized to enter and not an individual posing as that person is the individual who does enter. The retention of biometrics which includes the retention of biometrics tied to applications denied for reasons of national security allows for the ongoing assessment of admissibility under the IRPA (including s. 34) and facilitates the reciprocal querying of foreign databases. Without biometrics, such exchanges would rely on biographical information, which is more susceptible to fraud and/or error.

Unique to each individual and easily captured by digital technology, fingerprints are generally regarded as accurate and reliable means of identification. However, both CBSA and IRCC noted potential concerns in relation to Gender Based Analysis Plus (GBA+), which is an analytical process designed to assess how diverse groups of people may experience policies, programs and initiatives. Specifically, some groups have more difficulty than others having their fingerprints captured, including individuals working in certain trades (which may indicate lower socio-economic status) and women (due to a biological difference in finger ridges). Mitigation strategies at the collection stage included training for operators, and operational guidelines as well as a regulatory provision (R12.8 of the IRPR) that allow the application process to continue if fingerprint capture is not possible.

Similarly, research has shown that fingerprint-matching algorithms – such as those used during SFV – may be less accurate for certain ethnic, gender, age, and socio-economic groups. Examples include individuals of East Asian origin, women, those working in certain trades, and older individuals. These groups may be subject to higher error rates when their fingerprints are verified (e.g. compared to an existing fingerprint holding). Mitigation strategies identified by CBSA included hardware and software adjustments that would improve the ability of PIKs (the kiosks used for SFV) to capture and analyze fingerprints.

In terms of transparency, there is significant material available to the public regarding biometrics and the immigration application process. Much of this content is practical in nature, intended to guide prospective applicants in the provision of their biometric information. IRCC also explains the program benefits of using biometrics, including that they help facilitate entry into Canada, ensure that the person seeking entry is the same as the one who was granted a visa, permit, or permanent residence, and to help prevent the use of stolen, borrowed, or altered visas and/or permits to enter Canada. While national security justifications are provided, the emphasis is on service delivery and the broader imperatives of identity management.

Overall, fingerprints appear to be a reasonable, appropriate choice of biometric to use in the immigration system. They can be collected relatively easily, with little intrusion, and while they are reliable identifiers, they offer comparatively little extrinsic evidence about individuals’ lifestyles or personal choices. Moreover, they offer a vital inter-operability across domestic immigration and law enforcement systems, as well as with those of nearly all foreign jurisdictions. The privacy costs of relying on biometrics for immigration screening therefore appear to be reasonable and proportionate to the benefits they convey to the state and the integrity of its immigration system.

Once collected, the use of biometrics for screening and verification are proportionate to the objective of identity management. From a national security perspective, decisions about admissibility – who may and who may not enter the country – are fundamental. So, too, is the desire to prevent fraudulent entry. At the screening stage, biometrics are particularly helpful in linking information across databases – e.g. in connecting information about an individual held in domestic or foreign repositories. The ability to make such linkages even in the face of multiple names or biographical profiles – perhaps cultivated for mala fide purposes – is largely unique to biometrics as a class of information. Likewise, verification – confirming that an individual is who they say they are when presenting at the border – is significantly enhanced through biometric analysis.

The activities are not without risks, however. The availability of immigration biometrics to Canadian law enforcement, for example, has the potential to stigmatize the immigrant population by associating them with criminality. In 2015, the European Union’s EURODAC (European Asylum Dactyloscopy Database) was heavily criticized by civil rights groups for “criminalizing” asylum seekers by making their fingerprints available to European law enforcement agencies. While held in different repositories, immigration and criminal fingerprints exist within the same RCMP system, and both are searchable by law enforcement, including when attempting to identify latent fingerprints taken from crime scenes.

There are benefits to making immigration fingerprints available to law enforcement, most immediately in assisting police with the enforcement of Canadian criminal law and, consequently, in returning information to IRCC and CBSA which may be relevant for enforcing the IRPA. At the same time, if the fingerprints of all Canadian citizens were in the possession of the government and searchable by Canadian law enforcement, that too would benefit the enforcement of Canadian law, though few – if any – would consider such an arrangement proportionate or desirable. It is therefore legitimate to question whether the availability of immigration fingerprints – collected in the course of applying to come to Canada – to law enforcement is proportional in all circumstances, or whether it should be limited to certain serious offences.

Passport Program

The Passport Program, led by IRCC, is responsible for “issuing, refusing to issue, revoking, withholding, cancelling, recovering and providing instructions on the use of Canadian passports and other travel documents.” The program’s ultimate purpose is to enable the travel of eligible Canadian citizens, permanent residents, and refugees. Preventing individuals who are ineligible or not entitled to a passport from obtaining and travelling under official documents is the obverse of this goal. A subset of applicants will be ineligible for reasons related to national security. Established pursuant to the royal prerogative on passports, the Canadian Passport Order (CPO) constitutes the main legal framework for the issuance of regular and temporary passports by the Passport Program. It provides the authority for IRCC to collect and use personal information, including biometrics, for the processing of applications and determining an individual’s entitlement to a passport. IRCC maintains that this collection is consistent with s. 4 of the Privacy Act, given that collection relates directly to the administration of a lawfully authorized program.

Specifically with respect to biometrics, s. 8.1(1) of the CPO allows IRCC to convert an applicant’s photograph into a digital format and insert it on the electronic chip in the ePassport. Section 8.1(2) facilitates the use of the FRS by authorizing the conversion of the photograph into a biometric template “for the purpose of verifying the applicant’s identity, including nationality, and entitlement to obtain or remain in possession of a passport.” This provision similarly authorizes the use of the System Lookout-Facial Recognition System (SL-FRS) described below.

As with the Immigration Program, the full range of benefits associated with biometrics extend beyond national security outcomes. According to IRCC, the “use of biometrics in the Passport Program does not per se constitute a security and intelligence activity.” Rather, as in the immigration context, biometrics serve identity management, with potential national security benefits downstream of that broader ambit.

Two identical, printed facial photographs, meeting certain International Civil Aviation Organization (ICAO) standards, must be submitted as part of applications for all Canadian travel documents. According to IRCC, all application information is transmitted via secure systems, and all facial recognition data traffic is secured through encryption.

The collected photograph is used for two purposes. First, it is screened using facial recognition to help establish identity and inform an assessment of the applicant’s eligibility and entitlement to Canadian travel document services. Second, it is embedded in the document and used by border officials to validate the identity of the holder when crossing an international border.

The applicant’s digitized photograph is transferred to the Facial Recognition Solution (FRS) application. The FRS then converts the image into a biometric template using a proprietary algorithm and stores it in an accompanying database. If the application is linked to a previous application, such as renewals or the replacement of lost or stolen passports, one-to-one facial verification is performed against the applicants’ previous template(s). For both renewals and new applications, one-to-many facial identification is performed against existing templates (approximately 55 million, from previous applications) in the FRS database from adult (age 16+) applicants and photographs supplied as part of the Passport System Lookout (SL). The SL-FRS , as it is called, is effectively a watchlist comprised of individuals who are considered high-risk for identity fraud, including those known to have a history of using false identities or multiple aliases, or who have otherwise been identified by security partners – including CSIS and the RCMP – as high-risk for such behaviour. The precise criteria or circumstances for inclusion on the list are not clear, and appear to be highly discretionary. IRCC caveats, however, that “only a small number of IRCC Passport Program officers have the ability to add entries to the list.” The list has been in operation since February 2018, and currently includes fewer than 100 individuals.

According to IRCC, the use of the FRS protects the integrity of the Canadian passport. IRCC cites 2016 ICAO guidelines on security in the issuance of travel documents noting that the issuance phase – or the “beginning of the chain” – is becoming the primary target for fraud given “the rapid development of new technologies and new security techniques” which make forgery increasingly difficult, including, for example, the security features associated with the ePassport.

The authority to refuse passport applications for national security reasons lies with the Minister of Public Safety, as per the CPO. Biometric screening through FRS may inform that decision-making process by detecting identity fraud or flagging individuals from the SL-FRS. No such decisions are automatic; individuals on the SL-FRS may still be entitled to a passport or travel document following review.

Preventing fraud (whether through deterrence or detection) in the issuance of official travel documents offers clear national security benefits. The movement of mala fide actors across borders threatens both international and Canadian security. While identity fraud is committed for a host of reasons – including criminal, financial, or personal – the possibility that terrorism, espionage, or other national-security threats may involve the misuse of passports is well documented. Again, rare events can have significant consequences.

The second fundamental usage of the collected biometric is by way of the ePassport itself during the course of international travel. When the passport is issued, the facial photograph is both printed on the biographical page and embedded as a digital image on an electronic chip within the document.

The embedded digital photograph enables three-way verification between the image on the passport, the image on the chip, and the person presenting the passport. Certain countries – including Canada (see the discussion of the PIK in paragraphs 125-137, below) – leverage facial recognition technology for this purpose. The result is greater confidence in a) the integrity and authenticity of the document, and b) that the individual presenting the document is the individual to whom it was issued. The chip is digitally signed using Public Key Infrastructure (PKI) techniques allowing for the verification of the document against the issuing country and to ensure that the data contained within has not been modified.

Photographs submitted as part of passport applications, as well as the biometric templates derived therefrom, are retained until an applicant has reached 100 years of age. IRCC assesses that this retention period is consistent with the practices of international partners (e.g., the United Kingdom and Australia), and balances, in their estimation, the need to issue secure, trusted travel documents with the requirements of the Privacy Act to retain personal information only for as long as necessary. Hard paper copies of the passport applications, including photographs, are retained for six weeks following conversion to digital format, and subsequently shredded.

The length of the retention period facilitates identity management as individuals renew their passports over the course of their lifetime. Each returning adult applicant (e.g. renewal, replacement, etc.) can be verified through the FRS against previous applications from the same individual. Similarly, one-to-many FRS screening includes templates from most adult applicants, maximizing the scope of detecting possible identity fraud.

IRCC discloses photographs and related biographic information collected by the Passport Program to other government departments (OGDs). Unlike in the Immigration Program, these disclosures are not systematic. Rather, they come in response to ad hoc requests from OGDs with criminal, national security, and intelligence mandates. The OGDs make the requests pursuant to their own legislation, and their scope is circumscribed by s. 4 of the Privacy Act. According to IRCC, the context of many of these requests is often the need for information regarding Canadians travelling abroad to engage in foreign conflicts or unlawful acts.

Such requests can involve confirmation or validation of biometric information provided by the OGD against passport records, or identifying individuals of security concern by processing a photograph provided by the OGD through the FRS. For example, the RCMP may identify a person of national security concern, but have only a photograph of the person (e.g. from their social media presence); CSIS may provide IRCC with a photograph of an individual they are investigating but cannot identify. Alternatively, the RCMP and CSIS may share photographs of known individuals with the IRCC. The purpose of these checks is to ensure the person has not obtained a passport under another identity. The IRCC states that, for the RCMP, the scenarios described herein may require the RCMP to obtain a Production Order, depending on the particular circumstances of the request.

In both cases, the IRCC converts the photograph provided by CSIS/RCMP into a biometric template and runs it through FRS. In the first instance, in the event of a possible match, the IRCC would return limited biographic and/or biometric information to the RCMP or CSIS to assist in confirming the person’s identity. In the second instance, the IRCC may validate the person’s previously known identity and confirm whether the person’s photograph is associated to any other identities logged by the Passport Program. The scope of information disclosed by the IRCC, in both cases, depends on the nature of the investigation and its authorities to disclose.

The IRCC discloses this information pursuant to s. 5 of the Security of Canada Information Disclosure Act (SCIDA), if applicable, or may rely on s. 8(2)(e) of the Privacy Act in the case of specific requests. Section 5 of SCIDA allows the IRCC to disclose information to the RCMP, CSIS and other specified institutions where it is satisfied that the disclosure will contribute to the exercise of the recipient institution’s jurisdiction in respect of activities that undermine the security of Canada. To disclose under SCIDA, the IRCC must also be satisfied that the disclosure will not affect a person’s privacy interest more than is reasonably necessary in the circumstances. In contemplating such disclosures, the IRCC affirms that it first obtains sufficient details to ensure these conditions are met. In other instances, such as when the disclosure is to assist a law enforcement investigation, the IRCC may rely on s. 8(2)(e) of the Privacy Act to provide specific investigative bodies with information they have requested in writing, for the purpose of enforcing Canadian law or carrying out a lawful investigation. Where a production order or warrant supports the OGD requests, section 8(2)(c) of the Privacy Act authorizes the disclosure of information for the purpose of complying with the warrant.

In addition to these disclosures to assist national security or law enforcement investigations, the IRCC may disclose information to the Department of Public Safety, where necessary to assist the Minister of Public Safety in rendering a decision under the CPO. Sections 10.1 and 11.1(2) of the CPO authorize the Minister of Public Safety to decide that a passport should not be issued, or that a current passport should be revoked or cancelled, when such action is necessary to prevent the commission of a terrorist act or protect the national security of Canada or a foreign state. By virtue of this authority, the IRCC may collect information on an ongoing basis to verify an individual’s continued entitlement to possess the document. The IRCC also relies on the CPO to disclose, to the Minister of Public Safety, information necessary to support his decision on such matters. In practical terms, this includes IRCC’s disclosure of the relevant passport application, including the digitized photo, to Public Safety. Section 5 of SCIDA and section 8(2)(a) of the Privacy Act (on consistent use) further support these disclosures.

Assessing the Passport Program

A significant source of public concern regarding the use of facial recognition is the possibility that the technology will be inaccurate. In the passport context, false positive identification could lead to inconvenience and/or additional investigative attention for individuals. False negatives, by contrast, worry operators, as they potentially undermine the security benefits of the system.

The FRS has certain natural advantages with respect to accuracy. First, it predominately uses high-quality probe images (templates extracted from passport photographs taken according to ICAO specifications) and searches them against the same (a gallery populated by templates extracted from passport photographs). Exceptions are the images on the SL-FRS and images supplied by OGDs for checking against FRS, which may be of lesser quality. Second, the matching process is not time sensitive (as would be the case in a live environment such as a POE). Adjudication – triage, analysis, and investigation – of possible matches (one-to-many) or non-matches (one-to-one) can be conducted thoroughly before any decisions are made which affect individuals.

A related concern is that certain groups will be disproportionately affected by system inaccuracies. Extant research has demonstrated that age, gender, and ethnicity, among other factors, may influence the ability of a facial recognition system to accurately identify individuals, leading to possible bias and discrimination.

IRCC employs several mitigation measures. First, enrolled templates are stored in one of six separate galleries according to age (adults 16+ and children under the age of 16) and self-identified gender (male, female, or other). Age and gender are known to be confounding factors in facial recognition; separating the database into galleries according to these characteristics allows thresholds to be adjusted as necessary to improve the performance of the system.

In January 2021, IRCC completed an evaluation of a next generation algorithm for possible use in FRS. The results were favourable in terms of the accuracy observed in testing, and implementation of the new algorithm is set for 2021-22. Specifically, the new algorithm demonstrated superior performance in terms of age and gender disparity as compared to the algorithm currently in use. The new algorithm demonstrated improvement in matching photographs taken at lengthy time intervals (e.g. 15 years), which is directly relevant to passport renewals. The testing did not evaluate, however, the algorithm’s performance with respect to race and ethnicity.

IRCC provides public information regarding the use of facial recognition in the passport application process. The photograph guidelines posted on the IRCC website state that “The [ICAO] recommends that passport photos be taken with a neutral expression. This lets us use facial recognition systems to help prevent fraud.” Similarly, a Privacy Notice Statement is included on passport application forms, describing the collection, use, disclosure and retention of personal information, including biometrics.

The biometric embedded on the electronic chip in the ePassport does not constitute a significant risk or expansion beyond what was included in analog passports prior to the ePassport’s implementation. What is on the chip – the facial image and biographical information – is also on page 2 (the biographical page) of the physical document itself.

By contrast, the issuance process – including the use of FRS – directly implicates both biometric information and national security considerations. Preventing mala fide actors – including those posing a threat to national or international security – from obtaining bona fide travel documents warrants stringent processes and security measures during the issuance phase. At the same time, information collected and used in the context of the issuance process will impact all individuals – millions of Canadians and individuals living in Canada – who apply for a passport or other official travel document.

The key consideration is whether the privacy impact of the FRS is commensurate with the benefit to national security associated with its collection, use, retention, and disclosure of biometric information.

The OPC’s recent investigation into the RCMP’s use of facial recognition services supplied by the private firm Clearview-AI is worth considering in this context. In that case, the OPC found that the RCMP’s leveraging of biometric information collected by Clearview-AI from social media and other internet sources violated the Privacy Act because Clearview-AI’s collection of that information had been unlawful. More relevant for the present discussion, however, is the OPC’s characterization of the practical effect of law enforcement’s use of Clearview AI, which meant that “billions of people essentially found themselves in a ‘24/7’ police line-up.” That is, the existence of their biometric information in a database available to law enforcement meant they were subject to identification by law enforcement at any time.

In national security investigations, there may be different policy justifications, security benefits, and disclosure limitations that render use of the IRCC’s passport database proportionate. The disclosure of this information by the IRCC to the RCMP is also supported by law (see paragraph 111). The connection between passport biometrics and the investigations and activities of the RCMP, CSIS and CBSA remains a striking example, however, of the connections made possible by biometrics. Moving forward, NSIRA may wish to review these arrangements, to assess their reasonableness and necessity in terms of balancing individual interests (privacy, liberty, etc.) and the state’s security goals.

Arriving into Canada

The Passport and Immigration programs are the major programs governing Canada’s border continuum. Together, they help manage the processes by which individuals enter the country, largely by providing the documentation that makes international travel possible. Related to these larger programs is the actual process of arriving at a POE and going through Canadian customs and immigration. While the above discussions of both Immigration and Passport touched on these processes, this section discusses two additional activities that involve the analysis of biometric information to verify the identity of individuals arriving into Canada.

Primary Inspection Kiosks (PIKs)

Primary Inspection Kiosks (PIKs) are automated, self-serve kiosks present at ten major Canadian airports. The kiosks facilitate the immigration and customs process for international arrivals into Canada.

As discussed in relation to the Immigration Program, biometrically-enrolled foreign nationals are subject to biometric verification upon arrival into Canada. At airports equipped with Systematic Fingerprint Verification (SFV), this occurs through PIKs. Additionally, PIKs validate ePassports and help verify the identity of ePassport holders (including Canadians) using facial recognition (one-to-one matching) technology.

In 2019, PIKs processed 21,853,422 individuals, an average of 59,872 travellers per day. This means that most individuals – whether Canadian or foreign – arriving in Canada by air have their biometrics analyzed in some way (either as biometrically-enrolled foreign nationals, ePassport holders, or both). CBSA derives its authority to collect information from individuals as they arrive in Canada from s. 11 of the Customs Act and ss. 15 and 18(1) of the IRPA.

The PIK facilitates risk assessment by sending passport and biographical information to CBSA for processing in real time. CBSA uses the information to check the traveller against existing traveller processing systems. This includes the Interdiction and Border Alert System and the Integrated Customs Enforcement System.

According to CBSA, all information passes between the PIK and CBSA through an encrypted tunnel and is purged prior to the next traveller using the device.

The use of the facial photograph embedded on the ePassport’s electronic chip is for identity verification at the kiosk and during primary inspection. Facial recognition – or facial “matching” as it is called by CBSA in this context – occurs on a one-to-one basis by extracting the digital photograph from the chip and comparing it to a live photograph of the traveller captured by the kiosk. A match score is generated, based on the vendor’s proprietary algorithm, and the score is sent to the CBSA to determine whether it is above or below a pre-determined threshold. The result is printed on the PIK receipt. The CBSA itself defines the match/no-match threshold; it is not determined by, nor shared with, either the vendor or Airport Authorities.

The PIK receipt also includes the facial photograph taken by the kiosk. The traveller presents the receipt to a Border Services Officer (BSO); in the event of a no-match, the BSO may correct obvious non-technical errors (for example, one individual was photographed twice as part of a group of two travellers) through visual verification, ask additional questions, and/or refer the individual to secondary inspection on a discretionary basis.

The inclusion of the photograph on the receipt was a significant issue in the 2012 PIA conducted for the PIK project. CBSA justified the practice on the basis of efficiency (quicker processing by the BSO collecting receipts) and security (preventing receipt swapping prior to egress at primary inspection). The PIK receipt – including the printed photograph – is retained by CBSA for seven years. The OPC expressed concerns regarding this retention period given the presence of the traveller’s photograph. In essence, the retention of these photographs constitutes a database of (nearly) all travellers who enter Canada. While CBSA asserted that the photographs are not searchable nor used for facial recognition purposes, OPC noted the sensitivity of retaining biometric information in centralized databases and has urged CBSA to consider mitigation strategies.

The CBSA details the necessary specifications and requirements for PIKs, but relies on Airport Authorities to procure both the hardware and software (including the algorithm used for facial matching). This means that different versions exist at different airports across Canada. The accuracy of the facial matching process consequently varies between locations. The algorithms are proprietary, meaning CBSA does not have visibility into precisely how they operate, though it does have access to data on accuracy and performance through the US Department of Commerce’s National Institute of Standards and Technology (NIST) as well as from in-house performance testing.

In 2020, CBSA evaluated the performance of the four face-matching algorithms integrated in the three kiosk designs currently in use, and determined that opportunities existed to improve performance in certain airports by adjusting facial matching thresholds. The testing similarly examined issues of possible demographic bias. The results suggested that small discrepancies along the lines of gender (lower matching rates for females) and age (lower matching rates for younger and older) did exist in airports using a particular algorithm. Recommendations for mitigation included shifting vendors and/or setting gender-specific match thresholds, though the latter option was considered potentially problematic in terms of inviting higher false positive match rates.

Public reporting has expressed concern that higher facial matching error rates for certain ethnicities might result in more frequent referrals from PIKs to secondary inspection. It has been observed, for example, that rates of referral are higher for nationals from Iran and Jamaica, as compared to countries such as Iceland and Denmark. The CBSA indicated to NSIRA that no referrals to secondary inspection occur as a result of the facial matching process (i.e. there are no referral codes associated with facial matching leading from the PIK to secondary inspection). In practice, however, a failed match will lead to greater scrutiny as a BSO at primary inspection assesses the reason for the failed match. It is possible that discretionary referrals to secondary occur as a result; the CBSA does not track statistics associated with this scenario.

CBSA is aware of concern regarding possible bias associated with higher facial match error rates for certain ethnicities, and points to improvements in the overall accuracy of algorithms that will help close any gaps in performance across demographic categories. Further, CBSA notes that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” Given the significance of the public interest and concern associated with possible bias, NSIRA encourages CBSA to continue its work in this area. In addition to technical solutions aimed at further closing identified gaps, an examination of the implications of facial matching errors on travellers might suggest policy solutions to mitigate any possible disparate impacts.

The PIK will continue to play an integral role in future applications of biometric technology at Canada’s international airports. As noted in the CBSA’s 2021-22 Departmental Plan, the agency is set to integrate the PIK into new applications of mobile technology with the aim of further streamlining the customs and immigrations arrival process.

NEXUS

NEXUS is a voluntary trusted traveller program intended to expedite border crossing between the US and Canada for preapproved, low-risk travelers (“NEXUS”). Section 11.1(1) of the Customs Act authorizes the Minister to administer such programs, by allowing him to authorize persons to present themselves at the border “in an alternative manner.” The program is jointly managed by CBSA and US Customs and Border Protection (CBP). As mentioned in Section 4, although NEXUS began as a pilot initiative prior to 9/11, it was expanded and implemented following the attacks with an eye toward robust identity verification and traveller facilitation in the context of enhanced border security.

In 2019, NEXUS underwent a “modernization” process, which saw the adoption of the PIK facialmatching model into NEXUS-dedicated kiosks for air arrivals, replacing iris scans with facial matching as the biometric modality for identity verification. In order to facilitate facial matching, CBSA collects the biometric from electronic passports, stores it in the NEXUS database, and uses the photograph to verify identity during travel. The process is similar to how the PIK operates in other traveller streams and produces roughly similar outcomes. The main difference here is that the photograph taken at the kiosk is matched against the traveller’s image in the NEXUS database. NEXUS’ purpose in using the passport photograph is the same as in the regular PIK process: to verify the individual’s identity prior to allowing them admission into Canada. NEXUS’ use of the passport photograph was preferred because the image provides better facial recognition matching (given that it was taken according to ICAO specifications) as compared to the membership photograph (taken by border services officers under varying conditions – light, background, distance, etc.). NEXUS participants are informed of the extraction of their passport photograph for facial matching purposes.

NEXUS’ voluntary nature, and the consistent purpose of using the passport photograph within NEXUS to facilitate identity verification and travel, renders this second use of the ePassport photograph reasonable in NSIRA’s view. The consistency of purpose between the programs also respects the norms and the requirements of sections 7 and 8 of the Privacy Act.

The use of the passport photograph for facial matching within NEXUS is nevertheless noteworthy as an example of when it has been beneficial to use an existing biometric in an additional program. The dual-use of biometrics in this case is relatively benign, but the dynamic which produced it – that is, the convenience, availability, and possible value-added (accuracy in identification) of existing biometric information – is likely to be common to scenarios which may be of more concern, as discussed below (see paragraphs 191-201, below).

6. Biometrics Future

We expect the landscape detailed in the preceding sections of this report to change significantly in the short-, medium-, and long-term. In this section, we highlight select projects and initiatives to illustrate how biometrics in the border continuum are likely to evolve, and to mark key points of consideration for Canadians – and NSIRA – as we move into this unfolding technological future.

The GoC has publicly committed to continued research, development, and deployment of biometric technologies in the border continuum. For instance, Budget 2021 allocates $656.1 million over five years (beginning in 2021-22) and $123.8 ongoing to the CBSA for the “modernization” of Canadian borders. CBSA “proposes to utilize new technologies, such as facial recognition and fingerprint verification” as part of such efforts.

The agency has announced the creation of an Office of Biometrics and Identity Management (OBIM) under a newly formed Biometrics Transformation Directorate (BTD) within the Chief Transformation Officer Branch (CTOB). CBSA indicated to NSIRA that the purpose of the BTD is to coordinate biometric initiatives (including design, implementation, and operation) across the agency. In addition to its coordination role, OBIM will act as a Centre of Expertise and focal point within CBSA for guidance on the appropriate use of biometrics. This will include developing and managing CBSA’s biometrics governance, risk and compliance framework. A June 2021 Notice of Proposed Procurement (NPP) solicited proposals from contractors for aid in establishing the OBIM and “to work with the [CBSA] in researching, planning for and rapidly developing a strategy and roadmap related to the use of Digital [sic] solutions enabled by supporting technologies in biometrics, in response to the COVID 19 situation and other operational priorities.” The proposal further specified that the successful contractor would aid in “the development of a comprehensive approach and plan to manage, evolve and adapt in using biometrics” to fulfill CBSA’s mandate and objectives. As part of this coordinating function, the OBIM will review current steady-state biometric activities and make recommendations where necessary for aligning them with overarching CBSA standards and objectives.

With respect to immigration, CBSA’s Departmental Plan 2021-22 commits to “explor[ing] measures to standardize the collection of biometric information on potentially inadmissible travellers to strengthen compliance verification at the border.” In July 2021, IRCC released a tender notice soliciting industry information regarding the procurement of a next generation Canadian Immigration Biometric Identification System (CIBIDS). The new system will “take advantage of the latest technologies […] to modernize [IRCC’s] biometric technology solution” and may include the “design and development of a new IRCC custom Biometric Collection Solution.”

“Next generation” development is occurring in the Passport Program as well, with “a new passport booklet, incorporating advancements in technology to enhance the document’s durability and security features” aimed, in part, at “alignment with documents issued by our Five Nations Passport Group partners.” Phased rollout of the new ePassport will occur between 2023 and 2024.

Passport issuance, similarly, is undergoing “modernization”, as part of an ongoing process initiated in 2013 to facilitate the transition of the Passport Program from the Department of Foreign Affairs, Trade and Development to CIC (now IRCC). The Passport Program Modernization Initiative (PPMI) is a multi-year project that is scheduled to be completed in 2023. PPMI intends to streamline “all aspects of Passport Program operations” and “keep pace with evolving international passport issuance and identity management best practices.” The initiative also aims to systematize passport services across intake locations, and lay “the foundation for online passport services and automation to improve the service experience.”

In June 2020, IRCC issued an NPP for a “Passport Digital Services Project” that “will allow Canadians to apply online for passports, using a computer, tablet or mobile device, as a convenient alternative to mail-in or in-person service options.” The procured platform will transmit passport applications – including digital photographs – from individuals to IRCC. Media reporting in early 2021 indicated that IBM was selected as the successful bidder. The proposed system has generated privacy concerns, particularly with respect to transmitting biometric information (digital photographs) over a private platform. We can expect the tension illustrated here, between convenience and privacy, to be a key theme in public conversations surrounding new biometric activities in the coming years.

In this vein, CBSA’s Department Plan 2021-22 highlights several experimentation and innovation initiatives involving mobile technology (e.g. smartphones), including “explor[ing] digital identity concepts and opportunities to pilot digital identity in the travel continuum from a border management perspective.” Digital Identity refers to paper-less identification, whereby trusted and secure digital proof of one’s identity replaces traditional, physical documentation (e.g. passports, driver’s licenses, etc.).

A Digital Identity is typically linked to an individual through biometrics. ICAO’s first iteration (Type 1) Digital Travel Credential (DTC), for example, “binds” a traveller to their Digital Identity by way of the biometric embedded in the ePassport, limiting the need to produce the physical document during travel. The DTC is an international project that, while coordinated by ICAO, includes input from jurisdictions around the world and encompasses several future iterations (Types 2 and 3). IRCC and CBSA are currently members of ICAO’s New Technology Working Group (NTWG) and the NTWG’s Digital Travel Credentials (DTC) sub-group. Ultimately, the long-term vision of the DTC project is to replace physical passports with Digital Identity “tokens” (which would include the facial photograph from the ePassport) stored on mobile devices.

As discussed in Section 4, IRCC and CBSA’s FASTER-PrivBIO Project (2015-2017) also explored the use of identity “tokens,” stored in a mobile application, in the context of Electronic Travel Authorizations (ETAs). FASTER-PrivBIO closed in 2017, and “Phase II” of the project became the Chain-of-Trust (CoT) initiative, led by CBSA in collaboration with IRCC, Defence Research and Development Canada (DRDC), the University of Ottawa, and industry partners.

CoT further explored the adoption of mobile technology in the eTA process, while also expanding to include other steps in the travel continuum. As described in CBSA’s Blueprint 2020 Report (published in December 2018):

[t]he Chain of Trust process would require travellers to download an app to their smartphone and create an account including a unique identifier built from their biometrics. At every stage of the trip – from flight reservation, to obtaining a boarding pass, to disembarking the plane – the traveller’s data would be collected and used to speed up the traveller’s passage. Just before landing, the traveller would create an e-declaration and digitally sign it using biometric facial verification. Upon arrival, cameras would match the biometric face to the traveller’s unique identifier.

The purpose of the process, ultimately, is to enhance risk assessment. Linking traveller information to traveller identity throughout the travel continuum (including by using facial recognition as an individual moves through the airport) facilitates the flow of low-risk travellers (including by minimizing touch-points with border control, a feature that will take on additional significance in the context of post-COVID 19 travel), while enhancing the detection of possible high-risk travellers.

In 2018, a simulated prototype demonstrated the basic features and process flow of the CoT to Canadian government officials. While the prototype project closed in 2019, the overarching CoT initiative continues, as per CBSA’s 2021-22 Departmental Plans, through the deployment of “small-scale minimum viable products to assess feasibility in a live environment and obtain user experience feedback.” The stated goal of CoT remains the streamlining of “traveller identification through the use of digital travel credentials and biometrics.” Notably, CoT is explicitly aligned with other international initiatives and projects, including ICAO’s DTC, reflecting the extent to which coordination exists in the broader ecosystem of biometric experimentation.

To be clear, the features of CoT described above do not reflect current practice at the border, nor do they represent commitments from CBSA (or any other GoC entity) regarding what the traveller experience will look like in the future. By the time the CoT, some version of it, or a new project operating in similar terrain, is implemented, the specifics of how biometrics verify identity or travellers move through the airport may have significantly changed. Nonetheless, the trend lines are apparent, as Digital Identity, mobile technology, and biometric verification converge on the traveller experience.

An additional example is the Known Traveller Digital Identity (KTDI) pilot project, led by Transport Canada (TC) in collaboration with the World Economic Forum (WEF), the government of the Netherlands, and commercial partners. In 2018, Canada announced its participation in the WEF’s broader KTDI vision and, in 2019, committed to a proof of concept pilot project which would operate between Canadian (Toronto-Pearson and Montreal-Trudeau) and Dutch (Amsterdam-Schiphol) airports on Air Canada and KLM Royal Dutch Airlines flights.237 This project may access required funding under Budget 2021, which proposes $105.3 million over five years to develop an approach to digital identity for air travellers.

KTDI will combine blockchain technology and facial recognition to “provide a seamless and secure air travel experience facilitated via a mobile application.” Travellers will have their facial photograph captured for one-to-one matching against their ePassport photograph at different touch points in the travel continuum (e.g. boarding and customs). They will be able to “push” their information (including their facial biometric) to relevant partners (e.g. airlines or Dutch or Canadian customs) at their own discretion, or revert to conventional identity verification (e.g. ePassport) at any time. While TC will interface with CBSA to conduct checks on ePassports at enrolment (to verify authenticity and ensure that the document is not lost or stolen) no passenger risk assessments will be conducted.

At the time of writing, the pilot is not yet live. The COVID-19 pandemic has impacted both the project’s timelines and its operational context. Originally, part of the rationale for KTDI was to accommodate increasing traveller volumes; although the pandemic has led to a decrease in travel volumes, it has also amplified the need for low-contact, ‘touchless’ travel. Indeed, the budget commitment noted in paragraph 156 was linked to the GoC’s investment in “safe air travel […] that limits transmission of COVID-19 and protects travellers.” For present purposes, the KTDI is important for what it suggests about the general trajectory of biometrics in the air travel and border continuum.

The Canadian KDTI pilot traces its origins to the broader KDTI vision articulated by the WEF. In the WEF’s KTDI concept, passports would effectively be replaced with digital credentials stored on mobile devices, while facial recognition-enabled gates (often referred to as smart gates or egates) would allow passengers to transit through airports from arrival to boarding to customs and exit with little to no interruptions. Other elements of the travel experience – for example hotel and car rentals, or shopping at duty free – would also be incorporated. Over time, travellers would compile a trail of interactions – or “attestations” – from various entities (border control, commercial entities) that cumulatively built trust in that individual. Risk profiles, supplemented by security screening, would help determine the level of scrutiny applied to a traveller by relevant authorities. Further, the Digital Identity “wallet” (encrypted mobile application) would include more than just passport information and biometrics, storing bank information, health records (including proof of vaccinations), educational degrees, credit scores, etc.

This broader vision is ambitious. The Canadian KTDI pilot – even as it evolves to reflect post-COVID priorities – is decidedly more circumspect in its aims. TC was clear in communications with NSIRA that the pilot (while including the WEF as a partner) is distinct from, and not beholden to, the broader WEF vision. Yet the sheer ambition of the latter indicates a probable trend in the future of international travel. As this report has demonstrated, the use of biometrics tends toward expansion over time. Concomitant advances in mobile technology – including the development of secure Digital Identity platforms, predicated on biometrics – find natural application in the border continuum, where identification is key and, increasingly, so is convenience.

However, enhanced convenience continues to rub up against privacy concerns, particularly with respect to facial recognition technology. A robust public debate is emerging regarding the legal authority for the use of facial recognition in public spaces. Jurisdictions around the world are grappling with how to manage the proliferation of facial recognition technology, in some cases issuing moratoriums or outright bans on new applications of the technique until its implications are properly considered and new legal and/or regulatory frameworks governing its use are established. The OPC’s recent investigations into the use of Clearview-AI by the RCMP reflect the Canadian salient of this broader conversation.

The basic contours of the debate are whether existing frameworks for the handling of personal information (in some cases drafted decades ago, before the advent of facial recognition and other biometric technology) are adequate or whether specific legislation is required, designed explicitly for facial recognition. Greater specificity in legislation would enable standards to be set as to when the use of facial recognition is appropriate and proportional. It would also enhance the transparency of the norms set by Parliament and provide public information about the circumstances in which Parliament considers facial recognition to be lawful and reasonable in promoting security and convenience in Canadian society.

The OPC is currently drafting new privacy guidance on biometrics, for both the public and private sector, intended to shape how the technology is applied moving forward. While the border context is distinct from other public settings when it comes to privacy, applications of biometric technology at the border cannot be exempt from emerging legal and societal norms. The development of new activities must be aware of such challenges, and account for shifts in the legal and regulatory landscape.

Public concern is likely to be most acute with respect to live capture facial recognition, in the vein of the FOTM pilot discussed in Section 4. Static, one-to-one verification of identity at mobile kiosks – for example as currently takes place at PIKs – is well-established, and allows travellers to know when facial recognition is being used. Roving, one-to-many identification – in which biometrics are captured at a distance – are the source of more anxiety. Consider, for example, the legal challenge to the use of this type of facial recognition in the UK and the multiple calls for moratoriums with respect to the use of facial recognition in public places.

Given the developments described above, NSIRA expects that biometric information will be systematically incorporated into the traveller experience across the border continuum moving forward. Security considerations and general identity management will remain important, but so too will traveller convenience and, in the wake of COVID-19, ‘touchless’ or decongested travel. The use of mobile technology and Digital Identities reflect broader societal trends that are particularly well-suited for application in the border continuum. Informed consent, and/or specific, transparent legal authorities are important considerations for ensuring that such applications occur lawfully and with sound public understanding surrounding when biometrics are collected, how they are used, and how they are protected when in the possession of the government.

7. Observations

This report has documented and described the GoC’s use of biometrics in the border continuum. The scope of these activities is large and growing. For government, biometric information offers a firm foundation for identity management. At the same time, civil society groups, academics, and other concerned Canadians worry about the privacy implications of the government collecting, using, retaining, and disclosing information about immutable physical characteristics. The fundamental purpose of the present study was to inform this ongoing conversation, to both demystify present government activities and evaluate them from NSIRA’s unique, crosscutting perspective. In this final section, we leverage that perspective to articulate our observations according to nine general themes.

1. Biometrics and National Security

Biometrics enhance identity management; identity management at the border in turn serves national security. As outlined in Section 4, the impetus for the expanded collection and use of biometrics, particularly post-9/11, was their purported national security benefits.

Nonetheless, the centrality of national security as a justification for biometric activities has waned over time relative to other objectives.

First, there were the broader benefits associated with identity management, including assessing admissibility and entitlement, preventing fraud, and introducing efficiencies into service delivery. Of note, the CBSA and IRCC do not currently characterize their steady-state biometric activities primarily in national security terms. The Passport Program’s purpose is to enable the travel of eligible Canadians, while the Immigration Program’s purpose is to manage the flow of foreign nationals into Canada, the vast majority of whom arrive for legitimate reasons. Biometrics are information about individuals that facilitate these functions. The benefits to national security, in each instance, are a consequence of the robust identity management to which biometrics contribute. More recently, traveller facilitation has risen to the fore, with programs and pilots incorporating biometrics and mobile technology in pursuit of “seamless” and “touchless” travel (the latter of particular interest given COVID-19).

Although biometrics extend beyond the national security domain, the national security outcomes they support are undeniable. Part of identity management is identifying mala fide actors, including possible terrorists, Canadian extremist travellers, and other national and international security threats. Biometric screening for both immigration and passport applications, for example, includes querying databases (domestic and foreign) that may return information pertinent to national security (e.g. presence on a watchlist, suspected terrorist activity, previous national security convictions, multiple identities, etc.).

The assessment of these programs’ proportionality must therefore be done in light of the full panoply of benefits that biometrics contribute to Canada’s activities at its border. This includes their benefits for identity management in admissibility and passport decisions, traveller screening, and also national security.

As pertains to areas for future NSIRA review, the present study’s overview of the border continuum highlighted several possibilities:

The collection of biometrics at Visa Application Centres (VACs). Here the national security concern stems from personal information – including biometrics – passing through VACs operating in high-risk jurisdictions and run by private contractors and sub-contractors. A review of VACs would include the risks associated with the collection and transmission of biometric information, but also cover the broader security arrangements and national security implications pertaining to the overall operation of such locations.

Instances where biometrics link information across databases for national security purposes. For example, when automated querying occurs with M5 partners in the immigration context, what are the statistics and other metrics associated with national security outcomes (e.g. information that leads to a decision of inadmissibility on IRPA s. 34 grounds)? What about case-by-case exchanges with M5 and other partners that occur because of national security concerns? Finally, what role, if any, has biometric information played in cases where the Minister of Public Safety has denied, revoked, or cancelled a Canadian passport for reasons of national security? These examples illustrate the potential for review of national security activities made possible by biometrics. In such instances, the balance between privacy and security – between protecting sensitive personal information and the security objectives of the state – suggests a clear role for NSIRA in terms of reviewing lawfulness, reasonableness, and necessity.

Other situations where biometrics collected for one purpose are subsequently used for any other program or purpose (see the discussion of dual-use in paragraphs 191-201, below).

2. The Steady-State Activities

Overall, the GoC’s steady-state biometric activities in the border continuum are well-supported by current legal authorities and are consistent with international practice.

The IRCC and CBSA’s use of biometrics in their steady-state programs is well-established and supported by detailed, statutory authority. Canada’s collection and verification of fingerprints and facial photographs in the immigration context is also consistent with that of other M5 members. By design, the use of fingerprints facilitates information sharing with the M5, who similarly collect fingerprints in support of their own immigration programs and to enforce domestic immigration law.

The Canadian ePassport, similarly, adheres to standards established by the International Civil Aviation Authority (ICAO), which mandates the use of facial photographs as a biometric measurement. Globally, more than 140 countries currently use ePassports based on ICAO specifications, making the system interoperable and facilitating international travel for Canadian passport holders. The use of facial recognition in the passport application process is consistent with ICAO guidelines and best practices on the issuance of travel documents.

The legislative framework for the steady-state activities provides a solid basis for the collection, use, retention and disclosure of biometrics as part of the GoC’s immigration and passport programs. Nonetheless, there may be more targeted areas of concern, as articulated below.

3. Expanding Use of Biometrics over Time

The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. The trend is driven, in part, by advancing technological capabilities and evolving challenges in identity management.

Beginning with asylum claimants and deportees in 1993, the collection of biometrics now covers all non-exempt foreign nationals entering Canada and, through the passport program, all Canadian citizens who apply for a passport as well as permanent residents who apply for a Certificate of Identity and refugees who apply for a Refugee Travel Document. The Biometric Expansion Project was initiated with the expressed aim of widening the scope – collection, sharing, and use – of biometrics. The M5 partners meet regularly in working groups to refine and enhance (frequently, to extend) the immigration information that is shared between them. Pilot and research projects conducted within the last several years have examined the use of facial recognition technology in airports, while others have explored the integration of mobile technology into biometric identity management in the travel continuum.

Undoubtedly, developments in technology drive some of this momentum. We can do more, so we do. Leveraging new capabilities to enhance program delivery is a legitimate objective. At the same time, however, such technological determinism cannot justify the collection of sensitive information in its own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for intended objectives.

Also at play is the impetus to keep pace with other jurisdictions. As countries around the world expand their biometric activities, it is natural for Canada to do the same; doing so facilitates global travel for Canadians, makes it easier for non-Canadians to travel to and through Canada, and helps Canadian officials identify possible security risks (as in M5 information-sharing). Yet keeping up with others, even Canada’s close international partners, is not on its own a valid justification for the expanded collection and use of sensitive personal information. Again, each new activity must be assessed, and justified, independently.

Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.

4. Pilot Projects

Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA.

Pilots are vehicles of expansion: a forum for new techniques and technologies that may strain the proportional balance between the government’s goals and intrusions on personal privacy. Furthermore, there tends to be less public information available to Canadians about pilot activities. In this report, we describe several such projects, though it was beyond the scope of our emphasis on current activities to determine whether any single pilot was proportionate in terms of its collection and use of biometrics.

Nonetheless, an illustration of the challenges and possible concerns associated with pilots is provided by the Faces-on-the-Move (FOTM) project. The pilot relied on legislative authority under sections 15-18 of the IRPA; yet, these provisions were drafted before facial recognition technology was contemplated. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. In the future, legal advice should be sought to ensure that any similar activities are well-founded in the CBSA’s legislative authorities and consistent with the requirements of s.8 of the Charter. Attention must also be paid to the policy framework governing pilot activities to ensure the proper characterization of the affected personal information. Privacy notice statements and public signage should also ensure an appropriate degree of public transparency about the deployment of new technologies and the purposes for which they will be used.

Pilot projects that entail the collection of private or personal information must receive commensurate legal and policy attention. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place to conduct the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.

The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required.

This debate is growing, especially as relates to facial recognition technology. Biometrics are personal information, but they have particular features that may set them apart: they capture immutable personal characteristics, they allow for reliable identification at a distance, and they act as unique identifiers that can be used to discover and connect information about individuals across multiple datasets. The question is whether it is appropriate to treat biometrics as being commensurate with other personal information collected by the government in the course of its programs and activities. Are specific legal regimes necessary to create standards that appropriately reflect the potential intrusiveness and sensitivity of certain biometric data, and ought there be specific use limitations beyond those currently applicable by virtue of the Privacy Act?

The Office of the Privacy Commissioner (OPC) commented on this issue in the context of its recent investigation into the RCMP’s use of facial recognition via the private firm Clearview AI. “Canada’s privacy laws were designed to be technology neutral”, wrote the OPC, “which is positive, given the pace of technological change compared to that of legislative modernization. However, the risks of [facial recognition] technology are such that […] specific rules may be warranted.” The report further noted that many jurisdictions around the world have developed privacy laws which specifically regulate biometric activities. Quebec is presently the only Canadian jurisdiction to have enacted a law that specifically addressed biometrics. Other jurisdictions are calling for, or implementing, outright bans on facial recognition technologies. The European Data Protection Supervisor, for example, has called for a ban on facial recognition in public spaces, arguing that such applications constitute a “deep and non-democratic intrusion into individuals’ private lives.”

Civil liberty organizations have been vocal in raising concerns about biometric activities, as have academia and the media. Governments, meanwhile, can benefit from new capabilities and innovation in pursuit of program objectives, but must do so in a way that respects fundamental human rights. The tension at the core of this debate – how to achieve government objectives efficiently and effectively, while safeguarding individuals’ privacy – is familiar. It is the tension manifest in national security activities more generally, as society balances individual rights against collective protection. In the present context, this evergreen dilemma is catalyzed by advancements in technology, which widen the government’s toolkit while also widening the scope of possible intrusion on individual privacy, specifically the collection and use of sensitive personal data. Moving forward, the question of how biometric activities are designed, implemented, and regulated will be determined, in part, by shifting societal norms, established legal principles (including Charter considerations), and long-standing Canadian values associated with democracy and individual rights.

While the border is, comparatively, a space in which greater intrusiveness is considered reasonable, the boundaries of those justifications are not limitless, and will require careful calibration. For NSIRA, as for other review bodies, evolving legal and societal norms will shape how considerations such as compliance and reasonableness ought to be applied.

6. The Dual-Use of Biometrics

Dual-use refers to when biometrics collected for one purpose are subsequently used for any other program or purpose. The logic is appreciable. Biometrics constitute robust identifying information about individuals; if they are useful in one context, they are likely to be useful in another. However, this dynamic constitutes one of the main privacy concerns associated with biometrics.

NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report.

First, photographs collected under the Passport Program are also used for facial matching purposes in NEXUS.

Second, fingerprints collected from foreign nationals as part of immigration applications become searchable by law enforcement in the course of criminal investigations. While the RCMP maintains separate repositories for immigration fingerprints and criminal fingerprints, both are searched when law enforcement submit fingerprints for identification purposes.

Third, CSIS, RCMP and CBSA can submit photographs to IRCC to have them checked against passport and travel document application photographs using facial recognition. This can occur in the context of national security or law enforcement investigations in an attempt to identify an unknown individual, to determine if a known individual has multiple identities, and/or to assist in the execution of a warrant.

Dual-use does not always present a compliance issue. Indeed, many such uses are well-supported in law given the “consistent use” standard in s. 8(2)(a) of the Privacy Act, the ability for certain institutions to request personal information under s. 8(2)(e) of the Privacy Act, and other sector-specific legislative provisions (see, for example, paragraphs 85, 109, and 112, which outline the authorities that govern the law enforcement uses discussed above). With respect to NEXUS, in particular, the use of passport photographs is a clear consistent use (see paragraph 140). Privacy concerns are further muted given the program’s voluntary nature and individuals’ prior consent.

However, even where they pose demonstrable benefits, new uses of previously collected biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law.

Though authorized by law, the situations in which biometrics collected in the border continuum are leveraged for purposes outside of that continuum (such as when investigative agencies use biometric information initially compiled for immigration or passport purposes) may be worthy of particular scrutiny. NSIRA may return to these cases as it contemplates future review of biometric activities.

Additionally, the principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.

Purpose limitation involves explicitly stipulating the specific purpose for which the collected biometrics will be used, with a commitment to not use them for any additional purposes in the future. It is well established in UK and European jurisprudence and is more restrictive than “consistent use.” While the “consistent use” principle reflects the GoC’s standing commitment to limit the repurposing of personal information, the standard ought to be read as narrowly as possible for biometric information. Again, biometrics are unique compared to other personal identifiers because they are essentially permanent and immutable. This means that once they are collected, if they are not subject to clear retention/deletion policies and purpose limitations, the government has a ready repository of information for identifying individuals in the future – perhaps in activities that are less benign than the activities under which the biometrics were originally collected.

It is premature for NSIRA to make a finding on whether the possible instances of dual-use identified above are reasonable or proportionate. Future review, whether by NSIRA or another review body, may consider the question in greater depth.

7. Technical Systems

NSIRA reviewed high-level technical information about the activities documented in this study. This included information pertaining to the various systems and databases used in the course of the GoC’s biometric activities.

There is significant overlap between the technical systems and databases used across the steady-state biometric activities.

Both the Passport Program and Immigration Program use the Global Case Management System (GCMS), and IRCC, CBSA and RCMP have access to GCMS. In the immigration context, facial photographs are stored in GCMS, while fingerprints are sent to the RCMP and stored in one (immigration) of several repositories of the Automated Fingerprint Identification System (AFIS). The immigration repository is then searchable by domestic law enforcement and can be queried by Canada’s M5 partners for immigration purposes.

The passport and travel document applications in the Passport Program, meanwhile, are stored in both GCMS and in IRCC’s Central Index (see Annex A), though IRCC has communicated that a full transition to GCMS is planned moving forward. The digitized photograph from the application is sent to IRCC’s FRS, converted into a biometric template, sent for evaluation in the FRS database, and stored in the CI. In both the Immigration Program and Passport Program, the intake of applications – and biometrics – employ a range of systems at different intake locations around the world, all of which connect back to IRCC servers in Canada.

The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.

In keeping with the foundational nature of the study, NSIRA makes these observations as a first step in mapping the relevant systems architecture. This mapping, summarized in Annex A, will support NSIRA should it choose to review in detail the various technical systems used for biometrics in the course of border activities, including how they overlap and what privacy or security issues, if any, might arise from the present structure.

8. Visibility into Algorithms

In addition to the public concern about governmental surveillance noted above, there is related apprehension about automated decision-making and about decision-making aided by automation, particularly when it occurs in conjunction with biometric identification. The general concern with respect to algorithms and automation is that the decision-making process is opaque, even to the human operators who rely on the algorithms or systems to do their work.

In the Immigration Program, Passport Program, and at PIK kiosks, IRCC, CBSA, and the RCMP have limited visibility into how the algorithms used operate.

The algorithms are procured from private vendors, and the details of how they work are proprietary. They are, in this sense, essentially a ‘black box’. NSIRA supports greater transparency in how algorithms work when analyzing personal information. Such transparency is necessary for third-party verification of the algorithms’ accuracy and reliability and would enhance public confidence in both the algorithms’ ability to function fairly and without discrimination and in the departments’ ability to mitigate any shortcomings in that respect.

Each department and agency did, however, demonstrate that performance metrics (e.g. error rates) are known and tested, and that customizations (such as adjusting match thresholds) are applied when appropriate.

Moreover, for IRCC’s FRS, and for the RCMP’s AFIS, human intervention occurs to either verify system results or complete matches if necessary. Facial matching at PIKs, by contrast, occurs without human adjudication, though any obvious errors may subsequently be corrected by BSOs through visual verification.

9. Preventing Bias and Discrimination

Related to the opacity of algorithms is the possibility that automated biometric analysis – e.g. facial recognition and fingerprint matching – may be subject to bias. It is well documented in the academic literature, for example, that many facial recognition algorithms are less reliable in identifying women, the very young and very old, and individuals with darker skin tones. Similarly, fingerprint capture and matching may be more difficult and/or less accurate for females, particular ethnic groups, and individuals working in certain trades (which may reflect socio-economic status). Given that important decisions in the border continuum – including the issuance of official travel documents, the granting of visas, asylum, and/or residency status, and possible referral for additional questioning/inspection during the immigration and customs process – are informed by automated analysis, the possibility of systematic bias is of concern.

IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent.

For example, CBSA’s GBA+ for the PIK, completed in May 2016, suggested that the agency apply gender-specific thresholds for facial matching; an October 2020 analysis on possible gender bias at PIKs made a similar recommendation. For facial recognition in both FRS (IRCC) and PIK (CBSA), recent performance testing explicitly addressed the possibility of demographic bias. This analysis noted minor imbalances in terms of gender accuracy, but emphasized that advancements over time (updated algorithms) have steadily reduced, though not eliminated, the gap.

In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts.

The work to comprehensively address these issues – beyond noting that small discrepancies do exist – remains to be done. CBSA noted, for example, that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” This includes GBA+ on facial recognition technologies, work on the visibility of bias in data, and the development of possible policy mitigations. Similarly, IRCC stated that “further demographic bias assessments will […] be conducted” following the implementation of a new algorithm in the FRS.

This is not to suggest that efforts to mitigate possible bias have been insufficient to this point; rather, both IRCC and CBSA have demonstrated that they are aware of possible issues and committed to future work in this area. However, such efforts should not be confined to accuracy testing, and relying on improving algorithms. Solutions at the policy level should also be explored, including the implementation of previously identified mitigation strategies and the analysis of the possible consequences of biometric errors for the experience of affected individuals.

A commitment to continuing to minimize discrepancies in the algorithms’ function for diverse groups, and to ensure such differences are taken into account by the human decision-making that follows biometrics screening, will continue to be important in ensuring the reasonable use of these algorithms in the future.

More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies examined in this study have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

8. Conclusion

Biometrics play a fundamental role in the border continuum. The Government of Canada uses biometrics to verify and establish identity. The question of who is coming into the country – and whether they have a right to – is more confidently answered as a result. In the immigration context, this involves the screening, verification (at arrival), and ongoing assessment of admissibility of foreign nationals coming to Canada as temporary or permanent residents. Applicants for Canadian passports (and other official travel documents) are screened to confirm eligibility to passport services and entitlement to a passport, and subsequently use their biometric, embedded in the ePassport, during the course of international travel. These two streams converge at Canadian airports, where CBSA verifies the identity of travellers using facial recognition at automated kiosks.

The purpose of this study was to examine and contextualize these activities. We looked back, tracing the evolution of the GoC’s biometric activities in the border continuum, noting a shift from strict national security objectives to broader goals of identity management. We looked forward, to possible future biometric applications, including the adoption of Digital Identities, and even greater systematization of biometrics into the overall traveller experience.

Our observations are meant to inform both the Canadian public as it contemplates the government’s collection and use of biometric information, and NSIRA as it plans future review of the same. We noted that the steady-state activities are well-supported by current legal authorities, and are consistent with international practice. At the same time, certain areas raise potential concern. These include pilot projects, which are vehicles for experimentation and require careful legal consideration; the ongoing possibility of systemic inequalities across diverse groups of people resulting from algorithmic biometric analysis; and the possible dual-use of biometric information, including the availability of biometric information to investigative agencies.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

Share this page
Date Modified:

NSIRA Review arising from Federal Court’s Judgment in 2020 FC 616

Review Backgrounder

This is a report about the manner in which the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and prepares and executes the warrants it needs to collect information. This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.”

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to meet easily their legal obligations, including to the Federal Court.

NSIRA also found a failure at CSIS to professionalize fully and sustainably the warrant application process as a specialized trade that requires training, experience, and investment. This report also demonstrates the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA Members Marie Deschamps and Craig Forcese. One or both Members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. To conduct this review, NSIRA conducted dozens of confidential interviews with Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings. In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal-advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic, and cultural issues that contribute to inefficiencies threatening the ability of CSIS and Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that the problems stemming from governance, systemic, and cultural challenges put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges is in the urgent public interest. Though CSIS and Justice have made improvements, difficulties are still evident.

NSIRA groups its findings and recommendations into three overarching areas:

  1. Justice’s Provision of Legal Advice
  2. CSIS’s and Justice’s Management of the Warrant Acquisition Process
  3. Investment in People

In its conclusion, this report also makes comments and recommendations about the broader cultural and governance context.

Date of Publishing:

1. Executive Summary

This is a report about the manner in which the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and prepares and executes the warrants it needs to collect information. This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.”

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to meet easily their legal obligations, including to the Federal Court.

NSIRA also found a failure at CSIS to professionalize fully and sustainably the warrant application process as a specialized trade that requires training, experience, and investment. This report also demonstrates the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA Members Marie Deschamps and Craig Forcese. One or both Members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. To conduct this review, NSIRA conducted dozens of confidential interviews with Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings. In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal-advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic, and cultural issues that contribute to inefficiencies threatening the ability of CSIS and Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that the problems stemming from governance, systemic, and cultural challenges put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges is in the urgent public interest. Though CSIS and Justice have made improvements, difficulties are still evident.

NSIRA groups its findings and recommendations into three overarching areas:

  • Justice’s Provision of Legal Advice
  • CSIS’s and Justice’s Management of the Warrant Acquisition Process
  • Investment in People

In its conclusion, this report also makes comments and recommendations about the broader cultural and governance context.

CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. This review highlighted factors that prevent the National Security Litigation and Advisory Group (NSLAG) of Justice from providing CSIS with the operational advice it needs.

Justice has employed a centralized “one voice” model for delivering its legal services. The “one voice” model reflects a desire for uniform and consistent legal advice delivered on behalf of the Attorney General of Canada. Although the premise for the “one voice” approach is sound, NSIRA found that NSLAG struggled to provide timely, responsive, and useful legal advice in the CSIS context. The way Justice provides advice has often not been responsive to CSIS operations. For example, NSLAG presents its advice as a legal risk assessment using the Justice-wide Legal Risk Management grid. This grid uses a colour-coded risk rating that can be compared to a “traffic light” system: a green risk rating represents a low legal risk to CSIS, a red risk rating represents a high legal risk, and, more ambiguously, a yellow risk rating represents an intermediate legal risk. Yellow light responses are reportedly the most common and the most frustrating for CSIS, especially when unaccompanied by discussions on how to mitigate the risk, the inclusion of which NSIRA heard is not currently common practice.

In consequence, some at CSIS perceive Justice as presenting a road-block because of its bureaucracy, its perceived operational illiteracy, and its unhelpful approach to communicating legal advice.

However, the problems with timely, responsive, and useful legal advice do not stem from Justice alone. NSIRA heard that CSIS has not always shared all relevant information with Justice, prompting a degree of mistrust. The internal process for requesting legal advice at CSIS also contributes to delays and lack of relevance. The advice that sometimes comes back to operational investigators at CSIS filtered through bureaucratic hierarchies may be of limited or little relevance.

NSIRA heard that the laborious advice-seeking and -receiving process has sometimes caused [discussion of the detrimental effects on and risks to operations] CSIS and Justice often operate in a situation of legal doubt, because of lack of clarity in the law. Clarifying legal standards often requires judicial case law. However, an unwieldy warrant process, discussed below, makes that prospect more difficult.

Finding no. 1: NSIRA finds that the legal advice-seeking and giving process, and resource constraints at NSLAG contribute to considerable delays, [description of timeline]

Finding no. 2: NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.

Finding no. 3: NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and further that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.

Finding no. 4: NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to [discussion of the detrimental effects on and risks to operations] that may require legal advice. In consequence, the manner in which Justice has provided legal advice to CSIS does not always meet the needs of CSIS operations.

Finding no. 5: NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.

Justice is aware of the need for change. Broad, recent initiatives include the Vision Project, which promises client-centric strategic partnerships. New procedures have been implemented at NSLAG to address internal silos between advisory and litigation counsel, and to improve training, access to legal advice and facilitate consistent legal opinions. NSLAG also appears to recognize the desire for a different approach to providing legal advice, including moving toward legal advice that promotes collaborative and iterative engagement with CSIS to achieve its operational goals, within the bounds of the law (a “road map”-style form of advice-giving). However, it does not appear that CSIS and Justice have thus far systematically put this model into effect.

To facilitate proper advice-giving, especially in a “road map”-style model, CSIS needs to provide NSLAG with all the facts, and to engage NSLAG early on, at the operational level. Earlier and ongoing involvement throughout the stages of an investigation or operation would enable counsel to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. A more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

Finding no. 6: NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.

Finding no. 7: NSIRA finds that Justice has committed to improve its advice-giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.

Finding no. 8: NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.

In view of these findings, NSIRA recommends that:

Recommendation no. 1: Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road map”-style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:

  • Whether through an expanded “office hours” and liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
  • NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
  • To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case-manage an iterative legal guidance process.

Recommendation no. 2: NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.

Recommendation no. 3: CSIS and Justice include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.

Recommendation no. 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.

Recommendation no. 5: Justice’s advice-giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.

Management of the Warrant Process

CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. A number of legal concepts and expectations enter into the warrant process, including the “duty of candour” owed to the Court.

The Federal Court duty of candour concerns now fit into two categories: disclosure of information material to the credibility of the sources who supply information used in the application; and disclosure of information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Despite past attempts at reforms the current warrant process adopted by CSIS and supported by Justice, the warrant process has repeatedly failed to meet these candour obligations. Many reforms appear to have contributed to the bureaucratic complexity of the warrant process, without addressing candour issues.

Finding no. 9: NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.

Finding no. 10: NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.

Finding no. 11: NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.

Finding no.12: NSIRA finds that the actors involved in the warrant process do not have a common understanding of the rationale for each of the [multiple] of steps in the overarching warrant application scheme and are not always sure what role each approval step plays.

Finding no. 13: NSIRA finds that the proliferation of process in seeking warrants has created a system of diluted accountability widely regarded as slow and unwieldy, with delays caused by multiple levels of approval.

Finding no. 14: NSIRA finds that there is no regular feedback process in which explanations for warrant-related decisions made at one level filter back to other levels. The absence of feedback is especially acute for the regional investigators.

Finding no. 15: NSIRA finds that often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications. In consequence, an unwieldy warrant process makes resolution of legal doubt more difficult.

CSIS has struggled especially to ensure that all information material to the credibility of sources is properly included in warrant applications. NSIRA heard repeatedly that CSIS officers involved in the early stages of preparing warrant applications do not clearly understand the legal expectations surrounding the duty of candour. Deficient information management systems related to human sources at CSIS have also resulted in important omissions, violating duty of candour obligations. These challenges produce what NSIRA calls the “recurring omissions” problem.

Finding no. 16: NSIRA finds that CSIS has struggled to ensure that all information material to the credibility of sources is properly contained in warrant applications. This “recurring omissions” problem stems from a misunderstanding of the Federal Court’s role in assessing the credibility of sources and from the presence of multiple, siloed information management systems. NSIRA acknowledges that CSIS has undertaken reforms, but work remains to implement successfully long term sustainable solutions.

In view of these findings, NSIRA recommends that:

Recommendation no. 6: CSIS adopt, and share internally, clear criteria for the warrant prioritization process.

Recommendation no. 7: CSIS establish a new warrant process eliminating steps that do not make a significant contribution to a more accurate application. The process should assign clear lines of responsibility for the production of accurate applications. The reformed system should ensure that delays associated with managerial approvals are minimized, and that time is reallocated to those steps contributing to the preparation of the accurate applications.

Recommendation no. 8: CSIS integrate the regional stakeholders (including the implicated investigators) at every key milestone of the warrants process.

Recommendation no. 9: CSIS adopt policies and procedures governing the reformed warrant process that clearly outlines the roles and responsibilities of each participant and the objective of each step in the warrant process and that these policies be kept current as the process evolves.

Recommendation no. 10: To address the seeming inevitability of “recurring omissions”, NSIRA recommends that CSIS prioritize the development of [an improved] system for human source information management. CSIS should also continue initiatives meant to ensure that source handlers are assiduous in documenting and then reporting in source precis information going to credibility. Even with these reforms, the Affiant Unit should adopt procedures for verifying the information prepared by the regions.

In 2019, CSIS sought to professionalize affiant work by creating an Affiant Unit (AU). CSIS’s establishment of the AU is a critical development and, properly resourced and staffed, it would be well positioned to respond to long-standing problems with the duty of candour. However, when created, the AU was placed under the [Name of Branch]. [Name] has a broad mandate that does not align with the AU’s functions in preparing legally robust warrant applications. This governance anomaly may explain the AU’s present administrative and human resource challenges. The AU’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission.

Finding no. 17: NSIRA finds that the Affiant Unit (AU) constitutes a vital and laudable reform within CSIS. However, the AU is currently at risk of collapse. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. The benefits of the AU are currently in jeopardy because of governance, human resource, and training deficiencies.

Finding no. 18: NSIRA finds that the AU’s placement in the [Name] branch is not commensurate with its functions and importance. This governance anomaly most likely contributes to administrative hurdles and resource challenges faced by the AU.

Finding no. 19: NSIRA finds that without a functional AU able to produce timely and accurate warrant applications, CSIS puts at risk access to warrants and the information collected under them.

In view of these findings, NSIRA recommends that:

Recommendation no. 11: CSIS recognize the importance of the Affiant Unit by assigning affiants and analysts an employment classification congruent with their responsibilities.

Recommendation no. 12: CSIS create an Affiant Branch reporting directly to the CSIS Director.

Recommendation no. 13: CSIS urgently resource the Affiant Unit to meet its responsibilities and ensure its sustainability. In deciding the size of the AU, CSIS should assess how many warrants an affiant team might reasonably complete every year.

Recommendation no. 14: CSIS, in consultation with Justice, develop a comprehensive training course for all affiants and analysts, codifying best practices and methods for members of the AU.

Warrants counsel at NSLAG have several key roles in the warrant application process, and are intimately implicated in ensuring adherence to the duty of candour. Fostering a strong, collaborative, and productive relationship with CSIS is key. Morale among NSLAG warrants counsel may have suffered in light of the recent Federal Court decision that prompted this review. With recent staffing increases, it appears that NSLAG currently has the requisite complement to manage the number of annual warrant applications expected from CSIS, but recruitment challenges remain an ongoing issue. NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the lack of availability of warrants counsel.

Recommendation no. 15: NSIRA recommends that NSLAG be staffed by a complement of counsel and support personnel sufficient to ensure that CSIS operations are not impeded by resource limitations at NSLAG.

The warrant application process is meant to be strengthened through a review of the near-final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the National Security Group (NSG) of the Department of Justice. The role was originally envisioned as performing a rigorous challenge of the warrant application. However, the primary role of the IC appears to be more clerical than substantive, designed to cite check rather than assertively perform a “devil’s advocate” function.

NSIRA believes that the presence of a rigorous challenge function performed by a knowledgeable, adequately-supported lawyer distant from the warrant application is valuable and necessary. However, NSIRA proposes that the current IC model be abandoned in favour of a challenge function performed at Public Safety Canada, whose precise role is that of oversight of the CSIS warrant application process.

Working with the Public Safety unit charged with warrant review, an experienced and specialized warrant counsel could perform a genuine challenge role to the warrant, analogous to the role a defence lawyer would play were warrants subject to an adversarial process. NSIRA believes that a testing review of this sort will help forestall duty of candour shortcomings stemming from a failure to disclose fully information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Finding no. 20: NSIRA finds that the “Independent Counsel” (IC) role as performed by NSG counsel falls short of creating a rigorous challenge function.

In view of this finding, NSIRA recommends that:

Recommendation no. 16: the function of the Independent Counsel as performed by NSG counsel at the Department of Justice be eliminated, in favour of a new challenge function, analogous to the role a defence lawyer would play were warrants subject to an adversarial process, situated at Public Safety and supported by the Public Safety vetting team, and performed by a knowledgeable lawyer from the Public Prosecution Service of Canada, the private sector, or elsewhere, who is independent from Justice management and not otherwise involved in CSIS warrant applications.

Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the warrant. However, the CSIS regional warrants coordinators have not received sufficient training to enable the contents of warrants to be translated into advice on proper execution.

Finding no. 21: NSIRA finds that the CSIS regional warrants coordinators have not received sufficient training enabling them to translate the contents of the warrants into advice on proper warrant execution.

In view of this finding, NSIRA recommends that:

 Recommendation no. 17: CSIS regional warrants coordinator positions receive adequate training, and that CSIS professionalize the position and enable warrant coordinators to more effectively translate the content of warrants into advice on warrant execution.

Investment in People

Concern about inadequate training at CSIS was a recurring theme in this review. This concern was noted in internal CSIS documents. CSIS acknowledges that it is currently not a learning organization and does not have a learning culture. There are too few training opportunities required to sustain a modern professional intelligence service operating in a complex environment.

Finding no. 22: NSIRA finds that CSIS lacks long-term training programs for Intelligence Officers.

Finding no. 23: NSIRA finds that CSIS has failed to provide systematic training programs for “non-Intelligence Officers”.

Finding no. 24: NSIRA finds that the CSIS’s Learning and Development Branch has not been sufficiently resourced to develop and administer comprehensive training programs, especially in specialized areas not covered by the training offered for Intelligence Officers early in their career.

In view of these findings, NSIRA recommends that:

Recommendation no. 18: CSIS adequately resource and regularly deliver evergreen scenario-based training programs for all CSIS employees, including;

  • annual, comprehensive, warrant training for all operational employees;
  • specialized onboarding training for all employees not part of the Intelligence Officer program; and
  • continued long-term training for all specialized personnel.

Conclusions

This report concludes with observations on cross-cutting cultural and governance challenges that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and, performing the mission.

Low morale at CSIS was a common theme throughout this review. The systemic problems in the warrant application process are likely one cause of this problem: morale is affected when a warrant acquisition system repeatedly prevents CSIS officers from performing their mandated duties, and is the source of regular reputational crises stemming from failures to meet the duty of candour.

Meanwhile, a failure to correct problems with the warrant process impairs CSIS and Justice’s abilities to fulfill their mandates. Justice must go from being perceived as a roadblock, to a frank and forthright advisor fully attuned to operational objectives.

Within CSIS, the warrant application process was sometimes likened to winning a lottery – not because the Federal Court declines to issue warrants, but because of the resources required to prepare and complete the application. The current, laborious warrant application process is preventing some collection activities from moving forward.

In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated cultural and governance patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process.

Cherry-picked or paper-based reforms that mask without addressing the overarching systemic, cultural, and governance challenges will suffer the fate of prior reforms: the problems will continue.

Finding no. 25: NSIRA finds that CSIS and Justice are at risk of not being able to fulfill their respective mandates. No one reform is likely to succeed unless each is pursued as part of a coherent package. No package will succeed unless backed by prioritization at senior levels, and the stable provision of resources, including people with the means and institutional knowledge to see reforms through, and no reform initiative will succeed unless accompanied by clear performance indicators, measured and analyzed regularly to track progress.

In view of NSIRA’s findings above, and of prior unsuccessful reforms, NSIRA recommends that:

Recommendation no. 19: The recommendations within this review be treated as a coherent package and that progress and outcomes in implementing these recommendations be tracked, allowing management, the Ministers of Public Safety and of Justice, and NSIRA, to assess the efficacy of reforms and course-correct if necessary.

NSIRA intends to launch a follow-up review within two years that will measure progress at CSIS, Justice and Public Safety in resolving the systemic problem with the warrants process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court.

In recognition of the fact that this report was initiated following a recommendation of the Federal Court, NSIRA in turn recommends that:                                                             

(U) Recommendation no. 20: The full classified version of this report be shared with the designated judges of the Federal Court.

2. Authorities

(U) This review was conducted under the authority of paragraphs 8(1)(a), (b) and (c) of the NSIRA Act.

3. Introduction

(U) This review deals with how the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and obtains and executes warrants it needs to collect intelligence. In their current forms, these processes suffer from severe flaws due to systemic, governance and cultural issues. In this review, NSIRA found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to easily meet their legal obligations – towards the Federal Court in particular. NSIRA also found a failure to professionalize fully and sustainably the warrant process as a specialized trade that requires training, experience, and investment.

(U) This is not the first report on issues related to the warrant process. Since CSIS’s creation in the 1980s, there have been several independent and internal reviews of various aspects of this topic, which are described in Annex A. Many of the findings made in this review echo those made in earlier assessments. In response to these reviews, CSIS has planned many reforms, initiated some, but persisted with only a subset. Though CSIS (and Justice) have made improvements, difficulties are still obvious. The failure to effect sustainable solutions following the multiplicity of reviews and duty of candour breaches is indicative of organizational struggles with deep rooted cultural issues that risk the execution of their With each incomplete reform, CSIS faces change fatigue that makes future course corrections more difficult. Yet the stakes are considerable.

(U) This report demonstrates the need to transform the relationship between CSIS and its legal counsel. It also points to the urgency of CSIS succeeding in fully professionalizing the warrant process, a prospect that appears to be in jeopardy. When implemented, the changes that are recommended will help to reestablish the Federal Court’s trust in the warrant process. At the same time, legal support is not – and should not – be limited to the warrant process. As such, the review could not be restricted to the warrant process. It recommends reforms in the manner in which Justice gives legal advice to CSIS.

(U) The Federal Court’s “judicial control” in overseeing the issuance of warrants is a key accountability safeguard in a country governed by the rule of law and attentive to rights and liberties. The warrants the Court issues, meanwhile, are the lifeblood of CSIS’s functions as an intelligence agency – especially in an era where face to face interaction increasingly tends to be replaced by electronic communication.

(U) NSIRA heard repeated concerns from interviewees that the systemic problems rooted in governance and cultural issues risk creating an intelligence service incapable of meeting its intelligence mandate. These problems could also afflict other CSIS mandates potentially subject to judicial control, such as certain threat reduction measures. Urgently addressing challenges is therefore in the public interest. This review aims to recognize and encourage recent progress, while in some areas recommending new, essential reforms.

(U) This report first sets out the background to this review; the methodology NSIRA adopted for it; and the institutional and legal environment in which CSIS and Justice operate. The report then describes issues arising from Justice’s provision of legal advice to CSIS and the manner in which CSIS and Justice construct a warrant application, ultimately presented to the Federal Court, and if granted, executed by CSIS. It also examines the question of training and skills- development, a recurring issue in this review. In each area, this report notes shortcomings, while recommending reforms. The report ends with an examination of cross-cutting cultural and governance issues that are reflected in the warrant process, and which make change difficult.

(U) As the recommendations address the systemic, governance and cultural issues that are interrelated, a selective approach to their implementation will likely lead to the same outcome previous reviews have: repetition of the same problems, change fatigue and morale issues. The time has come for CSIS and Justice to face the harsh reality of potential failure to fulfill their mandates if they do not succeed with concrete governance, cultural and process change.

A. Review Background

(U) This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.” As a matter of law, before issuing such a warrant, the judge must believe on reasonable grounds that statutory pre-requisites are met and that the court should allow the invasive CSIS, assisted by Department of Justice lawyers, must fully apprise the judge of all information material to this decision. Thus, the state must disclose to the judge, not just information supporting its application, but also information that weakens its case. The duty reflects the fact that a warrant proceeding is by necessity conducted in the absence of the proposed subject of the warrant, known as the “target”, and closed to the public so the target is not alerted to the state’s activities. The “duty of candour” in such proceedings aims to compensate for the absence of a party opposed to the state, by obliging the state to be especially frank and forthcoming about the merits of its application.

(U) At issue in 2020 FC 616 was whether CSIS should have told the Court about issues regarding the legality of CSIS human source activities that yielded information used in support of warrant applications. Some of these human source activities may have constituted terrorism offences in Canadian This was not the first instance of duty of candour problems – indeed, such problems have been a recurring feature of CSIS’s warrant practice. Because CSIS has repeatedly struggled with the duty of candour in its warrant applications, the Federal Court in 2020 FC 616 recommended an external review of both Justice and CSIS.

(U) In response, on June 23, 2020, the Minister of Justice and the Minister of Public Safety and Emergency Preparedness jointly referred the matter to NSIRA under paragraph 8(1)(c) of the NSIRA Act. NSIRA also chose to exercise its own independent jurisdiction under paragraph 8(1)(a)(b) to initiate this review.

(U) While the Federal Court of Appeal subsequently allowed the government’s appeal of the decision in 2020 FC 616, its holdings did not disturb – and indeed, reaffirmed — the lower court’s core preoccupation with the duty of candour.

B. Methodology

(U) NSIRA conducted this review during a pandemic that frequently impaired access to its facilities housing classified This reality presented challenges and inevitable delays for both NSIRA and the reviewed departments.

(U) NSIRA made this a “Member-led review”. Specifically, one or both of the two assigned NSIRA members (Marie Deschamps and Craig Forcese) managed the review process, reviewed the documents, participated in most of the CSIS and Justice briefings (and reviewed the transcripts of others), conducted most of the confidential interviews, and led the writing of this report. A specialized team at NSIRA participated in every aspect of the work.

(U) NSIRA drafted broad Terms of Reference to govern this review, with a heavy focus on the CSIS warrant application process and the manner by which Justice conveys legal advice to CSIS. As the review evolved, it became clear that the problems with the CSIS warrant process are more properly a symptom of broader systemic, governance and cultural issues at both CSIS and Justice, including Justice’s specialized legal services unit supporting CSIS, the National Security Litigation and Advisory Group (NSLAG). NSIRA therefore examined not only the operational provision of legal advice and the warrant process, but also information management, the use of technology, and related training programs. While the Terms of Reference indicate that the review covers the period of January 1, 2015 to September 30, 2020, NSIRA took into consideration information outside this period in order to fully understand the issues at play.

(U) This report does not revisit the specific circumstances of 2020 FC 616, nor does it conduct a forensic accounting of the events leading to it. From time to time, the report makes observations related to that case in order to contextualize findings. However, this review was intentionally forward-looking, reflecting the fact that CSIS and Justice have introduced (or proposed) reforms since the 2020 decision.

U) In conducting this review, NSIRA relied on both its regular process and confidential interviews. Under its regular protocols, it issued a number of requests for information, reviewed the documents provided, and received briefings from CSIS and Justice. In the case of CSIS, NSIRA also used its direct access to CSIS systems to retrieve information independently. Among other things, NSIRA examined the complete record of a recently filed complex warrant application. Most briefings involved CSIS and Justice managers describing their policies, governance structures, and practices. NSIRA heard about a number of initiatives – some that are planned, others underway or partially implemented, and still others abandoned.

(U) To supplement these briefings, NSIRA adopted an innovative approach to this review by also conducting dozens of confidential interviews with former and current management and staff at all levels from CSIS and Justice. These interviews were conducted in the absence of CSIS or Justice supervisors and without their knowledge. NSIRA conducted these interviews under a strict guarantee that it would protect the identities of those who participated. At the outset, the NSIRA Members leading the review met with both the Director of CSIS and the Deputy Minister of Justice. Following the meeting, both officials encouraged members of their management and staff to participate in confidential, in-person interviews with NSIRA. NSIRA thanks both leaders for their explicit support, including through their internal communications with their employees. NSIRA especially thanks all the individual employees who then participated in these confidential interviews and trusted NSIRA’s promise of anonymity.

(U) In some instances, NSIRA selected individuals to ensure it had full coverage of the warrant process and invited them to participate in a confidential Other interviewees contacted NSIRA and offered to participate. Some interviewees occupied operational positions at CSIS, while others worked on legal and policy matters. Some interviewees had daily exposure to the warrant process, while others had had more episodic exposure to the process. Since NSIRA conducted these interviews with the understanding it would protect the identities of interviewees, NSIRA has drafted this report carefully to honour this undertaking and has not identified interviewees by name or by position revealing their identity.

(U) The individuals who participated in confidential interviews with NSIRA were frank, professional, insightful about their experiences, and open. Interviewees did not come to voice personal grievances, nor were they inclined to defend past practices as ideal. Rather, the interviewees displayed a genuine commitment to their organizations’ mandates and a sincere desire to see positive, lasting change. Where they expressed dissatisfaction, it stemmed from earnestly (and often deeply held) concerns that their organization was falling short of meeting its mandate, and that the warrant process reflected certain organizational shortcomings. These interviews were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal They also raised issues and perspectives that would otherwise have been unavailable to NSIRA.

(U) NSIRA also consulted external experts on national security, organizational development, and human resources. These conversations contributed to NSIRA’s understanding of the systemic, governance, and cultural issues that often develop in organizations. NSIRA conducted a small number of discussions with foreign counterparts who have dealt with similar issues in the past. In addition, NSIRA consulted with experts who had been, in the past, involved in reviewing similar issues relating to NSIRA is grateful to these experts for their generosity in contributing to this review. All of NSIRA’s discussions with stakeholders external to the Canadian government took place at the unclassified level.

(U) Finally, as part of its standard protocol, NSIRA presented the draft report to both CSIS and Justice for factual accuracy verification. This part of the process provides reviewees with the opportunity to signal factual omissions or errors, if any. At the end of the factual accuracy verification period, the members met with the Deputy Minister of Public Safety and again with the Director of CSIS and the Deputy Minister of Justice. NSIRA thanks them for their time and

When examining the insights of its interviewees and throughout the finalization of this report, NSIRA was alive to the particular challenge of disaggregating legacy issues from contemporary concerns. During briefings and in comments received on the draft report, the departments noted projects, initiatives and reforms either being planned, scheduled for execution, or underway. NSIRA acknowledges the initiatives upon which it was briefed. However, this report focused on ascertaining the existing challenges with the provision of legal advice and the warrants process. NSIRA did not discount existing issues and challenges simply on account of promised (but not yet fully achieved) administrative reforms. NSIRA is confident that the issues described in this report persist as of the second half of 2021. As described at the end of this report, NSIRA intends to undertake a further review in two years’ time to assess progress in implementing the report’s recommendations. At that time, NSIRA will have an opportunity to assess whether any reform initiatives have been successful.

(U) Confidence Caveat: Some of the documents provided by the reviewed institutions have not been independently verified by NSIRA. However, to a large extent, NSIRA was able to verify much of the information relied upon in this review through NSIRA’s own confidential interviews. In addition to this direct access to staff, NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and to pursue necessary additional For that reason, NSIRA has a high level of confidence in the information on which it relied to complete this review.

C. Institutional Environment

1. Systemic, Governance and Cultural Issues

(U) In this review, NSIRA makes recommendations on systemic, governance, and cultural issues that contribute to inefficiencies and may threaten the ability of CSIS and Justice to fulfil their mandates.

(U) NSIRA defines “systemic” issues as ones affecting an organization as a whole, in the sense that they are not the consequence of a specific individual or isolated factor. “Governance” refers to the rules, practices and processes by which managers direct and control an organization. Governance addresses three key questions: how are decisions made; who makes the decisions; and who is accountable. Organizational “culture” is the way in which, over time, the members of an organization learn to work in a particular setting by developing a set of shared understandings. These understandings may be based not only on formal policies but also on assumptions and practices that members develop in response to the implicit rules and influences governing their organization.

(U) These three concepts operate together and are interconnected. For example, inadequate governance may be the source of deficiencies in training programs that may prompt increased requests for legal support, which in turn create resource management issues, delays in providing advice, and operational hurdles. These operational challenges may give rise to systemic issues, while imperfect workarounds to these problems may eventually become embedded as cultural practices.

(U) Systemic issues tied to governance and cultural issues may impede CSIS and Justice from fulfilling their mandates, while also meeting their obligation to adhere to the rule of law. In this last respect, Canada is a “rule of law” country. Among other things, the “rule of law” means that the state is subject to, and not above, the law. It only has the powers conferred upon it by law, and any exercise of state power must be traced to a law. Indeed, as discussed next, both CSIS and Justice operate in a highly legalized environment.

(U) The next section will briefly describe the basic legislative and operational framework of both CSIS and Justice.

a) CSIS

(U) The CSIS Act is the statute of Parliament that created CSIS, and confers upon CSIS certain powers to discharge its mandates. The key mandates implicated in this review are security intelligence (or “section 12 investigations”) and foreign intelligence (or “section 16 investigations”). Both of these types of investigations have their own distinct pre-requisites – not least, the conditions that CSIS must meet before it undertakes an investigation and then applies for a warrant under section 21.

(U) CSIS is one of several security organizations found within the portfolio of the Minister of Public Safety and Emergency Preparedness (Minister of Public Safety). CSIS is accountable to this minister, and this minister is in turn responsible to Parliament for CSIS.

(U) The manner in which CSIS discharges its mandates is governed by the CSIS Act and Ministerial Directions issued by the Minister of Public Safety. For instance, in 2015 and 2019, the Minister issued Ministerial Directions addressing issues of accountability. The 2015 Ministerial Direction (2015 MD) for Operations and Accountability states the fundamental principles that guide all of CSIS’s The 2015 MD is premised on the expectation that “the service will perform its duties and functions with due regard for the rule of law…”

(U) Other laws are pertinent to CSIS. Especially relevant for this review are Part VI of the Criminal Code of Canada, which governs the interception of private communications, and section 8 of the Canadian Charter of Rights and Freedoms, which protects the reasonable expectation of privacy against state searches and seizures. CSIS must acquire judicial warrants from the Federal Court before it embarks on investigative techniques that would otherwise violate these laws.

(U) Under the CSIS Act, CSIS is led by a Director who holds the status of deputy head of the organization. The Director performs the leadership function assisted by a team of executives responsible for specific business lines within CSIS, including the Deputy Director Operations (DDO). The DDO is responsible for CSIS’s operations across all active investigations. The CSIS management structure also includes an Assistant Director Legal (ADL), a position occupied by the NSLAG’ Executive Director (discussed below).

(U) CSIS converts legal requirements into administrative processes through Critically, it has struggled to do so. The CSIS operational policy suite has been incomplete and out-of- date for a number of years, a finding noted repeatedly by both NSIRA’s predecessor, SIRC, and by NSIRA. This issue was again pervasive in the course of this review, making it difficult to precisely describe the formal operational policy environment applicable to the warrant acquisition process throughout the period covered by this review. The consequences of this shortcoming are considerable. Policies are the building blocks of any organization. They guidethe conduct of its members from the bottom up to the senior leadership. Without clear policies, employees are likely to devise their own interpretations of how to act and of the limits of their powers, causing confusion and making legal compliance difficult.

b) Justice and NSLAG

(U) The Department of Justice provides legal services to departments and agencies on a broad range of issues across the federal Its mandate is to support the dual roles of the Minister of Justice and the Attorney General of Canada (AG).

(U) The Minister of Justice, as the official legal advisor to Cabinet, is responsible for the general management and direction of the department, and for ensuring that the administration of public affairs is in accordance with the The Minister is responsible for matters related to the federal administration of justice. The Minister exercises political judgment, except when providing legal advice, which must be independent and non-partisan.

(U) The Minister is also ex officio the AG, also referred to as the Chief Law Officer of Canada. The role of the AG is to provide legal advice and legislative services to government departments and agencies, and to conduct litigation on behalf of the government. Importantly, the AG represents the Crown and not individual departments or agencies, and therefore seeks to protect whole-of-government interests. Although departments generally act as the instructing clients, it is the Attorney General’s responsibility to facilitate, with these departments, adherence to the rule of law.

(U) The Deputy Minister (DM) of Justice, who is also the Deputy Attorney General of Canada, manages the work and operations of the department as its most senior public servant. The DM is supported by an Associate Deputy Minister who is entrusted to lead some of Justice’s specialized portfolios. This includes the Public Safety, Defence and Immigration (PSDI) Portfolio which is led by an Assistant Deputy Minister reporting directly to the Associate Deputy Minister.

(U) Justice delivers legal services to federal departments and agencies through a mix of three models, all of which apply to CSIS: (1) specialized centers of expertise, within the department; (2) a network of regional offices located across the country; and (3) dedicated legal service units (LSUs) that are physically located with the departments they advise.

(U) LSU counsel provide day-to-day advice on all issues. LSU counsel may consult or collaborate with counsel from the specialized branches, or at other LSUs as needed. Although co-located with client departments, LSU counsel are Justice employees, and in keeping with the status of the Attorney General, must remain independent from the client.

(U) The National Security Litigation and Advisory Group (NSLAG) is the LSU that supports and advises CSIS. It is located at CSIS headquarters and is part of the PSDI Portfolio. With approximately 50 counsel positions, NSLAG is led by an Executive Director and Senior General Counsel who reports directly to the Assistant DM of PSDI. The two meet every two weeks to discuss NSLAG’s work. The ADM, in turn, must report any matters of concern to the Associate DM.

(U) As mentioned previously, NSLAG’s Executive Director also occupies the position of ADL within the CSIS executive structure, reporting to the Director. Justice described this reporting relationship as functional only. In the ADL role, the head of NSLAG has confidential, bilateral meetings with the CSIS Director, to provide briefings on legal files and discuss issues that arise. This functional reporting relationship to the client co-exists with the formal reporting relationship within While at first glance this functional reporting role might seem to pose a challenge in terms of maintaining full independence from the client, Justice asserts that this structure is not unique to CSIS and does not create concerns regarding client capture.

(U) NSLAG provides both advisory and litigation services to CSIS on its security and intelligence Its advisory work involves matters related to the duties and functions of CSIS, including questions of legal authority, and advice related to the Charter, threat reduction measures, and the application of other legislation to CSIS operations. NSLAG’s litigation work consists mainly of representing CSIS in applications for warrants before the Federal Court and related matters, and representing both CSIS and other government departments and agencies in complaints investigations before NSIRA.

(U) CSIS also receives legal services from the National Security Group (NSG), a specialized legal branch located at Justice’s headquarters. As part of the AG’s National Litigation Sector, NSG leads the litigation of claims related to national security privilege under section 38 of the Canada Evidence Act. Its counsel are security cleared at the Top Secret level. NSG counsel also play a role in the CSIS warrant application process – namely, to conduct an “independent challenge” exercise as part of the internal approval process for warrant NSG’s role as Independent Counsel (IC) in the CSIS warrant application process is discussed in section 4e below.

(U) While the basic legislative and operational framework may seem simple, a closer analysis sheds light on many ongoing issues.

4. Analysis

(U) This review revealed governance and cultural challenges in both CSIS and Justice that contribute to systemic issues in the warrant process, including with respect to the duty of candour. NSIRA’s findings fall within three overarching areas:

  • Justice’s provision of legal advice;
  • CSIS and Justice’s management of the warrant acquisition process; and
  • Investment in people in terms of training.

The report concludes with comments on systemic, governance and cultural issues.

(U) In order to meet its obligations with regard to the rule of law, CSIS must know what the law is. An unwieldy, tardy or indefinite means of ascertaining the lawfulness of activities jeopardizes CSIS’s ability to fulfill its mandate while adhering to the rule of law. This review considered, therefore, the fashion in which Justice (and specifically, NSLAG) provides legal advice to CSIS in performing its mandated activities, and how it has organized itself to do so. NSIRA noted three specific issues: the bureaucratic manner of obtaining advice; its timeliness; and the usefulness of this advice to CSIS in meeting its mandate.

1. Giving Advice to CSIS

(U) CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. To meet these objectives, Justice has adopted “operating principles”, including a centralized “one-voice” model for delivering legal In this model, Justice counsel are described as speaking “with one voice”, reflecting a desire for uniform and consistent legal advice delivered on behalf of the AG. To this end, Justice seeks consistency in the legal advice provided and the legal positions taken across Justice, to ensure a “whole-of-government” approach. Its advice does not simply reflect the opinion of the assigned legal counsel. Rather, the advice provided has “all of Justice behind [it]”.

(U) The one voice approach responds to a prior era in which many federal government departments hired their own lawyers to provide them with legal These lawyers were not part of Justice. When difficult, cross-governmental legal issues arose, counsel representing the various ministries did not always agree, which would then place the AG in a difficult position in Cabinet. A decision was made to bring all such departmental lawyers together in a common legal service operating under the Justice umbrella.

(U) In support of its one voice approach, Justice now employs a number of tools, including:

  • establishing centers of expertise within Justice to provide consistent, “government-wide” advice, primarily to Legal Services Units, in key areas of public law, such as constitutional law, human rights law, and information and privacy law;
  • maintaining a legal knowledge portal called “Justipedia” to serve as a single, national, searchable repository for all legal opinions from Justice’s services;
  • fostering discussion of legal issues at various committees, such as the national and regional litigation committees and other ad hoc committees;
  • convening working groups to determine legal positions;
  • creating practice groups to exchange and share relevant knowledge; and,
  • applying a common legal risk management (LRM) framework when providing advice to client departments and agencies.

(U) While the premise for the one voice approach is sound, this review has noted some disadvantages in the current implementation of the model in the CSIS context. Importantly, because of the bureaucratic process required to complete a legal opinion, obtaining legal advice can be burdensome, inefficient, and a source of undue delay. Hierarchies in both CSIS and Justice have impeded fluid collaboration between Justice counsel and their CSIS client by limiting counsel’s ability to deliver advice rapidly. The pace of legal advice-receiving from Justice is slower than a CSIS intelligence operation, which leads to the advice not being delivered in a timely manner and in CSIS being [discussion of how collection activities are affected]

(U) In addition to the challenges of timeliness associated with bureaucratic hierarchies, there are also communication challenges associated with the different knowledge base involved in legal analysis versus operational expertise. NSIRA noted several critiques. Interviewees urged that Justice counsel would benefit from a greater understanding of CSIS’s operations. It was suggested that new or junior lawyers could participate in key operational training sessions to gain a better understanding of the CSIS Some discussed current initiatives to cultivate greater understanding between Justice and CSIS, voicing skepticism about their success. For instance, Justice was said to pitch its “lunch and learn” sessions with CSIS at the wrong level, and is too esoteric and theoretical when discussing, for example, section 8 of the Charter. Legal training of CSIS employees conducted by inexperienced counsel was also identified as a problem.

(S/C) These complaints are consistent with a 2018 client feedback survey on CSIS legal advisory That survey measured four dimensions of its service in comparison to those of the overall PSDI Portfolio. The survey found the overall quality of legal advisory services fell slightly below the departmental target, landing in the “moderate” category, with similar ratings from CSIS on the overall accessibility and responsiveness, as well as usefulness of its legal services. The survey results demonstrated satisfaction with legal risk management, which met the target standard. On the issue of timeliness, however, Justice scored poorly. Justice concluded that the survey indicated that CSIS users were, by and large, somewhat unsatisfied with the services provided and that there was room for improvement. Some comments from CSIS consistent with those frequently echoed in the interviews conducted by NSIRA included:

  • “I don’t get the impression that DOJ lawyers working within my organization actually comprehend what we do.”
  • “Responses take too long. Has impact on our operational abilities.”[discussion of how collected activities are affected]
  • “Justice staff were adept at pointing out…legal risks associated with initiatives, but were not adept at providing practical advice to mitigate risk (other than recommending cessation of the initiative)”
  • “There seems to be a lack of coordination.”

(U) The following sections describe more detailed and pointed CSIS preoccupations with the manner by which its officials seek advice from Justice and about the nature of the resulting advice.

a) Obtaining Advice

(U) Barriers to accessing legal advice were a common theme of interviews. CSIS must formally frame its questions as clearly as possible, to avoid “half-baked” inquiries. However, rather than a collaborative process between counsel and CSIS, the conventional advice- seeking system is a formalized, bureaucratic process. Formal advice requests generally appear to be funneled from CSIS investigators and related personnel in the regional offices through their hierarchies, sometimes (but not usually) up to headquarters, and then from there to Justice counsel.

(U) This process, and resource constraints at Justice, contribute to considerable delays, [description on timeline]. Apart from prioritized, urgent requests for legal advice, it can take [timeline] to receive legal advice. In situations involving novel or complex issues, advice may take [timeline].

(U) Once prepared, advice then filters back through the same hierarchy, sometimes never reaching the investigators in its full form. Some interviewees reported concerns about “broken telephones” in which advice requests morphed in their travels through the hierarchy without an iterative process between counsel and the investigators seeking the advice, resulting in legal advice of limited relevance.

(U) Since this conventional process implicates both CSIS and Justice, it can be difficult to ascertain how much of this reported delay stems from Justice’s advice-giving mechanics and how much from CSIS’s own internal bureaucracy. Moreover, statements by interviewees estimating delay in receiving advice are hard to corroborate since NSLAG does not track the time it takes to provide its advice. The absence of such data at Justice raises a separate issue of whether it is in a position to measure progress and improvements stemming from any reform initiative.

 (U) Regardless of precise cause, the lack of clear timely advice has reportedly had considerable impact on CSIS operations. With an increase in electronic communication and information, the need for timely, clear advice on investigative methods has become pivotal. The operational impact is notable: interviewees repeatedly described an [discussion of detrimental effects on operations] that may require legal advice. Managers have reportedly sometimes advised staff to seek alternative solutions where a matter may require legal advice [discussion of detrimental effects on operations]

(U) Clearly, the conventional legal advice process does not adequately support CSIS operations, both in terms of timeliness and relevance.

 (U) In addition to timeliness and relevance, NSIRA heard regular and often related concerns about the nature of the legal advice supplied by NSLAG to CSIS. NSIRA interviewees repeatedly described legal opinions pitched at an esoteric and legalistic level, without sufficient attention to the audience that needs to understand and act on them.

 (U) NSLAG has typically presented its advice as a legal risk assessment, in which NSLAG opines on the risk associated with a specific activity, in accordance with the Justice Legal Risk Management (LRM) Framework, described further below. The style of the resulting advice can be compared to a “traffic light” system, where an activity represents a low legal risk to CSIS (green light); a high legal risk (red light); or, more ambiguously, an intermediate legal risk (yellow light). Yellow light-style responses were reportedly the most common and the most frustrating to consumers of the advice, especially when unaccompanied with discussions of how risk could be mitigated.

(U) In this last respect, CSIS interviewees often described NSLAG opinions as not making efforts to propose alternative and legally sustainable means of arriving at the intended objective. That is, NSLAG reportedly does not always understand CSIS’s objectives, and then provide advice designed to guide CSIS on how it might lawfully meet that objective (if possible). Several CSIS interviewees emphasized the potential value of having Justice assist them by providing advice in the form of a “road map” to how an operation might reach its objective lawfully. They stressed, however, that this road map-style form of advice was not a regular part of the NSLAG advice-giving approach or practice culture. That said, NSIRA also heard that there may now be the beginnings of a shift from the conventional advice-giving approach, as discussed below. Because of the importance NSIRA places on it, this report returns repeatedly to the concept of road map-style advice.

(S) NSIRA heard that in instances where CSIS managers received advice indicating a medium level of risk (yellow light), they often [description within CSIS of an unwillingness to accept risk]. In other instances, managers expressed discomfort with assuming the risk and reportedly forwarded the decision up the hierarchy to diffuse responsibility. Operationally, such delays in decision-making often have detrimental effects on investigations.

(U) As a result, some at CSIS perceive Justice as presenting a road-block. This is not because Justice provides principled and clear positions reflecting the primacy of the rule of law over ill-advised operations, but rather as a result of the bureaucracy at Justice, its perceived operational illiteracy, and its unhelpful approach to communicating legal advice.

(U) There is, however, another dimension to these issues. Justice, and NSLAG especially, face challenges in giving advice to CSIS. Justice is not directly analogous to a private sector law It must perform a public law function tied to the roles of the Minister of Justice and the AG. In giving its legal advice, Justice must be especially attentive to the rule of law and the AG’s role in defending it.

(U) When interacting with its clients, Justice acts merely as an advisor and sees it as its client’s responsibility to make the ultimate decision, informed by the advice given. A factor that may explain Justice’s resistance to go beyond pure legal analysis is that Justice is necessarily wary of a reported tendency by CSIS to recast legal questions in an effort to get different answers. CSIS, it was said, sometimes resists the law as it is, hoping that the law will be what it wants it to be.

(U) Additionally, NSIRA heard that CSIS has not always shared all relevant information with Justice, prompting a degree of mistrust. NSIRA heard of instances in which CSIS provided Justice with partial information, but did not convey the full NSLAG has informed CSIS that to provide the most meaningful legal advice and to better support its operations, counsel need to have “all the facts”, and to be engaged “sooner and deeper”. NSLAG conveyed that earlier and ongoing involvement throughout the stages of an investigation or operation, with participation in CSIS meetings and discussions along the way, would enable counsel to gather facts more naturally, and permit a more nuanced understanding. If there is uncertainty as to the client’s true goals and current situation, it is understandable that Justice lawyers are sometimes reluctant to provide a road map.

(U) The provision of advice on highly classified matters also presents logistical challenges. NSLAG lawyers operate in an environment that may impede easy interaction with other components of Justice, including in the specialized practice groups, where top secret security clearance holders are few and information management systems are not approved for classified information storage. Further, Justice is not well structured to address the range of matters arising in national security, and other units may produce advice that is too late, or unhelpful. Specialized units struggle where they are excluded from relevant classified information, and have sometimes been consulted by NSLAG too late in the advice process. The process by which differences of opinion between these specialized groups and NSLAG are reconciled would appear not to be fully formalized. There are some joint committees, and strong disagreement on a high profile matter could be advanced to the deputy minister. It is unclear how much these processes are leveraged to overcome the identified challenges.

(U) Internal silos at NSLAG between the advisory and litigation wings also play a role. These internal silos were reportedly a contributing factor in the confusion and uncertainty surrounding the omission of information in the warrants in 2020 FC 616. Many of the unlawful activities at issue in that case involved sources and operations for which legal advice had been previously discussed within NSLAG in the advisory branch, where relevant opinions on matters such as crown immunity had been produced. However, warrants counsel reportedly were not always aware of this The breakdown of internal silos is thus essential for the avoidance of such sequences of events in the future.

 (U) Moreover, CSIS’s activities are sufficiently unique and unusual to impose a steep learning curve on counsel. This learning curve manifests itself in several ways. First, NSLAG lawyers must become familiar with the unique and classified CSIS operational environment, something that some interviewees on the CSIS side suggested counsel needed to better understand. Second, novel questions may require careful and collective consideration, ensuring that Justice “speaks with one voice” but also slowing the process of delivering advice.

(U) Finally, Justice cannot easily overcome the inherent uncertainty of some legal issues, and Justice lawyers may often be obliged to voice legal doubt; that is, the unhelpful “yellow light” concept. Legal doubt is anathema in a rule of law system – it is difficult to ask an organization to comply with a law when that law is unknown. The law in national security can be especially unsettled. The sometimes imprecise statutory law applicable to CSIS is rarely subject to judicial interpretation, creating considerable uncertainties. Meanwhile, case law on section 8 of the Charter mostly arises in the criminal law context, and Justice counsel are left to extrapolate from these decisions to the related, but still distinct world of CSIS operations. Often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications.

(U) In sum, national security law is a highly specialized and constantly developing area. Nonetheless, CSIS needs efficient advice, a need that goes to the heart of both CSIS and Justice’s mandates.

2.    Reform Initiatives

This section addresses recent reform initiatives in the delivery of legal services at Justice.

a) NSLAG’s Recent Internal Protocols

(U) Justice told NSIRA that it is aware of the need for change in the organizational culture at NSLAG.A new NSLAG Executive Director took office in January 2020 and, since then, has reportedly participated in senior-level discussions with CSIS on cultural change management. NSLAG noted some resistance to change management within its organization, but reported a generally healthy appetite for change, including with an aim of addressing concerns about information silos.

(U) NSLAG has implemented several new internal procedures addressing internal silos by facilitating awareness among litigation counsel on emerging legal issues on the advisory side (and presumably vice versa). NSLAG has developed its own classified version of Justipedia to assist with knowledge management, with the aim of ensuring consistent legal opinions. NSLAG holds weekly practice group meetings in which participants provide “roundtable” updates on their work. If a practice group is unable to sort out a legal issue, the matter may escalate through several levels of management within NSLAG, to the Executive Director. While these reforms may assist in bridging internal silos, they may not be sufficient. NSLAG must develop a process whereby there is a method to communicate with, or brief warrant counsel where advice has been provided for an operation that subsequently becomes prioritized for a warrant.

(U) Justice sometimes issues practice directions to provide guidance to counsel on certain aspects of their practice. In 2019, Justice issued two practice directions related to the duty of candour in warrant applications. The first specified that warrant applications will not rely on information derived from unlawful activity, and where unlawful activity occurs, it must be brought to the Court’s attention. The second provided guidance on information that must be disclosed to the Court, including whether the human source has engaged in illegal activities, as well as issues that inform the credibility and reliability of a source.

(S/C) On September 22, 2020, Justice issued a practice note to NSLAG counsel [Description of contents of note]

(S) Not all interviewees thought these changes would suffice to address NSLAG’s internal silos, and worried that dots would not be connected between legal advisory opinions and operational legal One suggestion was to ensure that relevant advisory opinions are [IM solution suggested]

(U) Moreover, NSLAG’s range of expertise may not suffice to identify every latent legal issue. In addition, those components of Justice with that capacity may not appreciate the nature of CSIS’s mandate and operations. Some interviewees urged NSLAG’s litigation role needs to be supplemented by working more closely with Justice’s general litigation lawyers in their counsel role,80 requiring that information silos be overcome. NSIRA notes Justice recently implemented tools specific to its national security role. These include a number of DM-level committees that address broad policy and operational matters in national security and which involve other LSUs.

(U) NSIRA observes that Justice’s capacity to anticipate new issues depends on an alert client. Interviewees described an effort to be more proactive, and to raise to the CSIS Director legal issues requiring proactive resolution.  At a minimum, it will be important for the Director to work with Justice and Public Safety Canada to anticipate emerging legal issues, and organize effective means of resolving them.

b) Renewed NSLAG and CSIS Relations

(U) NSLAG acknowledged the need “to do a better job ensuring that the client understands the legal landscape”. It recognized client frustration with the law in some circumstances, since court cases may provide direction that is sometimes confusing in real world situations, including with respect to Charter issues and a person’s reasonable expectation of privacy. Although it does conduct some training for CSIS, NSLAG says it could be doing more outreach and engagement. As part of CSIS’s Project  [Name], discussed further below, NSLAG has indicated the need for more outreach training in both directions, including CSIS providing training for NSLAG.

(U) NSLAG also appears to recognize the desire for a different approach to giving advice, including moving toward road map-style legal advice that works collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law. NSIRA heard that NSLAG regards this approach as a best practice and is committed to it, although it was not clear at the time of the review how far Justice had moved toward a generalized, road map-style form of advice-giving.

(U) It was clear, however, that Justice generally does not support a solution of “embedded” legal counsel at CSIS regional offices. Justice interviewees regarded embedding as raising risks of client capture and posing challenges for internal staffing and consistency of advice. Instead, Justice and CSIS have recently launched a pilot project in which specific counsel were designated to support CSIS throughout a specific operational ‘mission’.

 (U) Moreover, NSLAG has piloted an “office hours” practice, relying on headquarters-based counsel serving as liaison counsel for the regions. Those regional liaison counsel who currently provide support make themselves available to the regions to receive informal queries. The office hours initiative was conceived as a means of permitting CSIS personnel to put forth “trial balloons” regarding operational possibilities before possibly formulating a request for formal legal advice, which would then be put through the conventional advice request process.

(U) NSIRA also heard that a revamped approach to the giving of advice would require cultural adjustments at both CSIS and Justice. The Justice practice of vetting advice through a hierarchy may be difficult to reconcile with more timely legal involvement. Novel questions may require careful and collective consideration, ensuring that Justice “speaks with one voice” but they will need to be mindful that delay may jeopardize operation or reach a point of uselessness. As noted, short of converting CSIS officers into legal experts, regular and timely access to legal advice is essential to meeting the standards of the rule of law without stymying operations. NSIRA would also note that even formal legal advice will need be geared to the consumer, and thus should avoid legalistic discussions largely meaningless to non-lawyers.

(U) In moving toward such a system, NSLAG will need to avoid client capture in order to meet the Attorney General’s obligation to honour and advance adherence to the rule of law, while also facilitating CSIS’s operational imperatives. A dominant theme of the interviews was the challenge of reconciling the Attorney General’s obligation to maintain the rule of law with client-centered service delivery models giving clear and consistent legal advice to CSIS in the execution of its lawful mandate. Lawyers do not easily reconcile these objectives, and interviewees were of the view that clearer instruction on the role of the AG and codified standards for giving advice were advisable. Thus, NSIRA heard support for the idea that NSLAG should have advisory service standards. Such standards are especially important if, as NSIRA heard, at the more senior levels in Justice, the border between legal advice and policy advice may begin to blur. Some interviewees indicated that at this level, there can be a strong cultural desire to give the client room to maneuver.

(U) For its part, CSIS will need to become more comfortable working closely with legal advisors, and in disclosing the full range of sensitive details needed for Justice counsel to provide useful advice. Generally, CSIS interviewees seemed to welcome the office hours approach, though some noted its usefulness will be dependent on the personality and experience of the counsel, and in any case, it is not a panacea. This reaction highlighted the reservations of some CSIS officers based on past unsatisfactory interactions involving inexperienced counsel.

c) Additional Steps at NSLAG

(U) Justice faces, therefore, the ongoing challenge of giving fearless, timely, consistent and clear legal advice while at the same time developing client-centered service models, in an area (national security) that is a niche, often highly-specialized concern for the department and fraught with legal uncertainties.

(U) In assessing current initiatives in future reviews, NSIRA will be especially concerned with how Justice embraces a road map-style of advice-giving. Based on the information collected for this review, NSIRA believes that useful advice must be offered during operational planning and execution, a prospect that NSIRA expects the pilot project involving an operational mission will explore. Advice should continue as the operation is evolving in response to unforeseen legal matters requiring immediate guidance. Based on its interviews, NSIRA believes the success of this system will depend on a number of features. First, the optimal delivery of legal services must rely on Justice counsel who are sufficiently experienced and attuned to the unique CSIS operating environment. While not embedded in the regions, it seems these counsel will need to be entrusted with the ability to interact directly with CSIS operational clients at all levels, including during live operations, and give advice on routine matters without delay. These counsel will also need to be familiar with Justice’s position on recurring issues so as not to jeopardize the one voice model. To this end, NSLAG would likely benefit from developing a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.

(U) Not every legal issue will be routine. Yet, counsel participating in operational planning should be well positioned to anticipate and articulate more difficult legal issues, and then be responsible for resolving these legal questions in keeping with Justice’s one voice approach. Counsel involved in operational planning should serve as the entry to Justice for matters requiring additional internal consultation at Justice with either their NSLAG colleagues or those in centres of expertise. A counsel fully apprised of operational realities who is able to “case- manage” the provision of advice in this manner may avoid the problems of “broken telephone” and non-responsive legal advice associated with the conventional advice-giving model.

(U) Legal involvement in CSIS activities, as they are being planned and organized, should also allow Justice to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. Closer legal involvement during the early phases will minimize the need for legal opinions on operations that are late in the development cycle or that are already underway. Put another way, a more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

(U) Critically, meeting these objectives requires CSIS to invite Justice counsel to sit at the table at all stages of the lifecycle of an operation, and for Justice counsel to be fully and frankly briefed on operational objectives, intent, and details.

d) Broader Department of Justice

(U) Justice has embarked on a “transformational change” initiative, in consultation with clients, to improve how it conducts its work and supports its clients. Launched in 2018, the VISION comprises four pillars: meaningful risk assessments; client-centric strategic partnerships; recognizing and building expertise; and, simplifying the funding model. One of the key priorities includes an overhaul of the existing Legal Risk Management Framework, which Justice has recognized for some time does not effectively communicate risk.

(U) Interviewees made clear that Justice’s manner of characterizing legal risk in the Legal Risk Management (LRM) Framework is not understood in the same way by its lawyers and its clients and is not always regarded as useful even by the lawyers applying it. For instance, something that is “high legal risk” is very likely unlawful under the LRM Framework, but this was not always understood by clients. Justice did not provide NSIRA with the full draft revised LRM Framework as modified in the context of VISION, as it is still under development. Justice did however provide and brief NSIRA on some working LRM documents. On the basis of these materials and briefings, NSIRA believes that two [aspects relating to the LRM Framework] need to be addressed.

(U) First, there will be instances in giving advice where Justice should describe activity not as “high risk”, but simply as unlawful. Certain legal questions can be answered unequivocally, even accounting for the cautious nature of lawyerly advice. In a system based on the rule of law, and given the role of the Attorney General, such questions should be answered in as definitive a manner as possible. That there may be some hypothetical possibility that the activity might not be unlawful does not mean that Justice should fall back only on the language of “high risk”, since this phrase may give a client the impression such activities, while “risky”, are still a viable option for risk-embracing officials. Justice should avoid such situations. Where an activity is very likely unlawful, Justice should tell the client exactly that and describe the consequences of proceeding, rather than simply couch its conclusions in a probabilistic formula.

(S/C) Some interviewees underscored this view in discussions with NSIRA. Further, NSIRA notes that Justice has proposed [discussion of Justice initative]

(S/C) [Discussion of operational aspects and purpose of Justice initative]

(U) In contrast [discussion of an NSIRA perceived gap in Justice initative]. In NSIRA’s view, this approach is [Discussion of NSIRA’s recommended approach to address the identified gap]

(U) Second, NSIRA notes that many of the [description of certain aspects of Justice’s tools] NSIRA regards these considerations as inappropriate,

(U) Justice believes that the draft [discussion of aspects of Justice initative]

(U) Still, without careful mitigation, NSIRA believes that there remains a risk [discussion of a concern relating to Justice initative]

(U) In sum, based on the role of the AG in advancing the rule of law, [discussion of a standard to address the identified concern in the Justice initative] In future reviews implicating Justice’s legal advice, NSIRA will be attentive to whether advice meets this standard.

Finding no. 1: NSIRA finds that the legal advice-seeking and giving process, and resource constraints at NSLAG, contribute to considerable delays, [description of timeline]

Finding no. 2: NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.

Finding no. 3: NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.

Finding no. 4: NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to the [discussion of the detrimental effects on and risks to operations] that may require legal advice. In consequence, the manner in which Justice has provided legal advice to CSIS does not always meet the needs of CSIS operations.

Finding 5: NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.

Finding no. 6: NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.

Finding no. 7: NSIRA finds that Justice has committed to improve its advice giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.

Finding no. 8: NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.

In view of these findings, NSIRA recommends that:

(U) Recommendation no. 1: Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road- map” style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:

  • Whether through an expanded office hours or liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
  • NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
  • To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case manage an iterative legal guidance process.

(U) Recommendation no. 2: NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.

(U) Recommendation no. 3: CSIS and Justice include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.

(U) Recommendation no. 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, that CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.

(U) Recommendation no. 5: Justice’s advice giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.

B. Warrant Process

(U) While the preceding section dealt with issues related to the provision of legal advice in the course of all of CSIS operations, the current warrant process is fraught with its own problems, as illustrated by numerous Federal Court decisions.

(U) Warrants are critical to CSIS’s success as an intelligence service. [Discussion of prior internal review]“The information obtained through their execution is the Service’s lifeblood”. At the same time, another, more recent review concluded that for many within CSIS, the warrant process is regarded as a “necessary evil” on account of its onerousness. This section examines the “warrants life cycle”, from prioritization to execution, in order to identify and assess the underlying factors that have made CSIS’s warrant process cumbersome.

(U) Section 21 of the CSIS Act provides the basic rules for warrant applications. If CSIS believes on reasonable grounds that a warrant is required to enable it to investigate a threat to the security of Canada (or collect foreign intelligence for section.16 purposes), it may, with the approval of the Minister, make an application to the Federal Court for a warrant. The affidavit supporting the application must provide the supporting facts demonstrating the reasonable grounds to believe that a warrant is needed to investigate the threat.

(U) In practice, CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. In order to understand fully the warrant process, NSIRA has broken it down into several stages of a larger “warrant lifecycle”, each of which are discussed below.

(U) A number of legal concepts and expectations enter into the warrant process, including, in particular, the “duty of candour” owed to the Court. As noted, warrant proceedings are conducted in the absence of the target and are closed to the public in order to protect the covert nature of a search. To compensate, however, for the one-sided nature of such proceedings, courts (and the law societies that regulate the legal profession) impose elevated obligations of candour on the lawyers and party appearing before the court, also known as a duty of utmost good faith. The evidence presented by the party “must be complete and thorough and no relevant information adverse to the interest of the party must be withheld.” In consequence, the party must “conduct a thorough review of the information in its possession and make representations based on all of the information including that which is unfavourable to their case.”

(U) The concept of “materiality” guides which facts must be disclosed to the court. Thus, in CSIS warrant applications, CSIS “must present all material facts, favourable or otherwise”. “Materiality” simply means a fact relevant to an issue in the case. For CSIS warrants, “information is material if it is relevant to the determination a judge must make in deciding whether or not to issue a warrant, and if so, on what terms.” For instance, a material fact is one that is relevant to “the belief, on reasonable grounds, that a warrant… is required to enable” CSIS to investigate a threat to the security of Canada.

(U) The Federal Court has held, however, that materiality extends beyond facts relevant to the factors expressly listed in section 21 of the CSIS Act. For instance, materiality reaches “information about the broader framework in which applications for the issuance of CSIS Act warrants are brought”. This means the duty of candour includes information that is “material to the judicial exercise of discretion” to issue a warrant. It includes the flagging of “legal issues that could be of concern to the Court”. Legal issues do not, however, exhaust this broader category of materiality, as it also reaches disclosure of CSIS’s precise conduct under a warrant that may influence the Court’s exercise of discretion.

(U) This broader category of “material to the exercise of discretion” relates to the especially important role of the Federal Court as the primary source of independent control over CSIS activities conducted under warrant. Unlike a police warrant, which may be retrospectively scrutinized by a second judge in adversarial proceedings if a police investigation culminates in a prosecution, the Federal Court judge is often the only judge who ever examines a CSIS warrant. The target of the warrant or the broader public will usually never know the CSIS activities conducted under the authority of that warrant. In this context, the Federal Court has signaled a redoubled urgency to meeting a broad duty of candour.

(U) It is clear, however, from our interviews, that the broad conception of materiality has led to doubt and confusion within NSLAG and thus within CSIS. Those interviewees who addressed the issue appeared to agree that Federal Court candour concerns now fit into (at minimum) two categories, which we define as “material to credibility”, and “material to matters of potential concern”. NSIRA defines these categories as follows:

  • Material to Credibility: Facts relevant to an express statutory threshold that the court is asked to assess, most notably the statutory standards judges consider in issuing warrants. This category includes, especially, information that goes to the credibility of the sources whose information supports the warrant application.
  • Material to Matters of Potential Concern: Facts or legal issues concerning those aspects of the CSIS activity that might be unusual (or unanticipated) and that a judge will wish to know in exercising their discretion to issue a warrant and in imposing associated conditions. This category includes, for example, a failure to disclose tradecraft conducted to gather information supporting the warrant that may constitute illegal activity, the failure to disclose conduct under a warrant that might result in information sharing with other agencies, potentially imperiling the target, or circumstances in which the warrant will be implemented and that may not be obvious in the application.

(U) The first category of materiality should be well understood by CSIS and its lawyers. The contours of the second category are not as easily determined and require careful consideration by Justice counsel, assisted by a professional cadre of affiants who reach out to regions to determine how warrants will be executed.

2. Historical Initiatives

(U) As outlined in Annex A, incidents concerning CSIS’s observance of its duty of candour are almost as old as CSIS. Following each failure, CSIS Directors promised reforms. CSIS introduced new policies, but problems recurred. In other words, repeatedly, progress has been made on paper, but without genuinely correcting the underlying problems. CSIS appears to have a long history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. Some interviewees described reforms as typically focused on the minutiae of process rather than on achieving measurable outcomes. CSIS does not track or measure the success of past reforms. In the eyes of some, CSIS reforms often represented “band-aid” solutions rather than attempts to get to the core of issues, and often resulted in the creation of new bureaucracy. In NSIRA’s view, CSIS’s chief challenge is to break this cycle.

Finding no. 9: NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.

3. Description of the Warrant Process

(U) NSIRA notes that even determining how the warrants process works presents Internally, warrant requirements are not adequately codified in applicable policy. CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The gap in policy was evident when examining the warrants policies, which were last updated in 2018 prior to the warrant process undergoing substantial changes, including the implementation of the Affiant Unit (AU) in 2019. Given these issues, a basic question that arises is whether those CSIS officers conducting investigations are sufficiently attuned to when the law requires a warrant.

(U) NSIRA heard that there is a clear threshold for when a warrant process must typically be initiated for well-established collection techniques. However, absent clear policy, there was more legal doubt when at issue was the use of novel technologies with uncertain legal ramifications and requirements.

a) Prioritization of Investigations for Warrants

(U) Once a region or desk has identified the need for a warrant, the first step in the process is the internal prioritization at CSIS of a target case file or investigation for a warrant application. In practice, this prioritization amounts to a system of triage, assigning limited warrant application resources to specific files. However, it was evident to NSIRA that CSIS employees involved in the warrants process had little to no common understanding regarding the process or basis on which a warrant is prioritized. Even senior officials in the CSIS hierarchy regarded the prioritization process as a mystery.

(U) NSIRA heard that headquarters prioritization standards remain a work in progress, and sometimes a struggle among competing interests. The DDO meets weekly with a number of CSIS executives to discuss the investigations requesting a warrant and the possible operational, legal or process developments that could affect priorities for decision-making on warrants prioritization.  While NSIRA was informed that there is a record of decision produced after each prioritization meeting, it remains unclear what criteria are used to prioritize a warrant. Some information suggested prioritization has focused on security-related issues. Others speculated that prioritization also considered the perceived amount of work, availability of lawyers and affiants, and how long it would be until current warrant powers expired and needed renewal. Frequent shifts in this process of prioritization have reportedly produced situations where a warrant process starts and stops several times, wasting precious time and adding to operational uncertainty.

(U) Given the complexity and lack of clarity of the prioritization process, it has been very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions. NSIRA heard about activities that [discussion of detrimental effects on operations] over unresolved questions of law that could have been addressed by the Court. There appeared to be agreement among our interviewees that more matters should be taken to court – and whenever in doubt, seek a warrant.

(U) Given the current situation, however, NSIRA’s impression is that for CSIS to take a legal issue to Court likely requires the combination of a high priority investigation and the existence of just the right real-world scenario to illustrate the legal issue. Of course, any attempt to resolve legal uncertainty runs the risk of obtaining a legal ruling that constrains rather than empowers investigations. NSIRA heard from some interviewees that there may be a reluctance to take issues to court as there is always a risk of obtaining the “wrong answer”.

Finding no. 10: NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.

Finding no. 11: NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.

Recommendation no. 6: NSIRA recommends that CSIS adopt, and share internally, clear criteria for the warrant prioritization process.

b) The Complexity of the Warrant Acquisition Process

(S/C) Once CSIS decides to prioritize a warrant application for an investigation/case, CSIS begins the warrant acquisition process. This process has always been lengthy and bureaucratic. In 1992, the Honourable George Addy reviewed the CSIS warrant process and reported [number] steps spanning a total of [number] and involving from [number] people. Approximately [number] people knew the identity of the target before the warrant was issued, seemingly undercutting the “need to know” principle. George Addy commented adversely on the length of the warrant process. He wrote: “[w]hatever procedures might finally be decided upon, it is of paramount importance that, from the moment the decision to initiate the process is taken, the time required to obtain a warrant should never exceed [timeline], as an absolute maximum.”

(S/C) Yet, [discussion of prior internal review]

(S) At present, according to the documents provided to NSIRA, the process involves [Number] administrative steps in a security intelligence warrant request, [Number] which are internal to CSIS and Justice prior to the application’s filing at the Federal Court. For a foreign intelligence warrant, there [Number] steps. The timetable for the renewal of a security intelligence warrant anticipates a process of [Number] working days, or [timeline] (Annex B). The process involves  committees or units within CSIS (and possibly more if the warrant implicates more than one region), NSLAG, and Public Safety Canada. At least [Number] CSIS managers are named in the process, as are [Number] Justice employees and the Minister and Deputy Minister of Public Safety.

(U) NSIRA was unable to find any one person who could describe precisely the rationale of each of these [multiple] of steps in the overarching scheme; even those close to the process were not always sure what role each approval step played. Few of the steps are mandated by law, but rather they appear to have accrued over time despite repeated efforts at streamlining. Some steps appear to reflect older reform efforts triggered by concerns over compliance, not least with the duty of candour. And yet, as noted at the outset of this review, the candour issues at CSIS persist.

(U) In sum, the warrant process appears to be caught in a vicious cycle whereby duty of candour failures (or the fear of prospective failures) cause CSIS to add more bureaucratic fixes, which complicate an already lengthy and inefficient process without actually resolving the underlying issues that led to the duty of candour failures in the first place. Indeed, as discussed below, the complexity of the warrant process appears itself to contribute to CSIS’s candour issues. CSIS and Justice must break this cycle. A description of how best to do this will first require further discussion of the warrant process itself.

c) The Key Steps in the Process

(U) CSIS maintains five categories of warrant applications, the most common of which are new warrants, replacement of existing warrants159, and supplemental warrants. Each category has its initiating procedures.160 In all applications, the relevant desk at headquarters and the implicated CSIS operational region conducting the investigation prepare a [content of document]. Together, the [number] documents detail the threat, the targets, and set out the investigative powers CSIS proposes to use. Once approved, CSIS sends the [document] to NSLAG for a “threshold” determination; i.e., an assessment of whether there are reasonable grounds to believe that a warrant is required to investigate the threat. If NSLAG concludes that the proposed targets meet the threshold, then development of the rest of the warrant application begins. The key contributors to this process are the Affiant Unit, NSLAG and the Warrant Administration Unit.

(U) The Affiant Unit (with the advice and legal support of NSLAG) is responsible for preparing the affidavit used in support of the warrant application. The affidavit is the affiant’s sworn written testimony and includes a range of information required pursuant to section 21 of the CSIS Act. The affidavit is often laid out as follows.

  • Part 1 – Introduction: this section outlines the affiant’s work experience and introduces the sources of information and the exhibits used in the application.
  • Part 2 – The threat: this section provides information regarding the broader threat and how it relates to CSIS’s investigation and the specific list of target(s).
  • Part 3 – The subjects of the investigation: this section includes a thorough explanation of the threat posed by each target, based on information from human sources and other operational reporting.
  • Part 4 – Powers sought: this section describes the non-warranted (that is pre- or without the need for a warrant) investigative techniques used in the investigation thus far, as well as the powers requested in the application.
  • Part 5 – Other matters: this section includes the duration for which the warrant is sought as well as the required consultation with the Deputy Minister and Minister as per subsections 7(2) and 21(1) of the CSIS Act.

(S) The affidavit will also include a number of exhibits, the most important of which are the human source précis and the foreign agency précis. The human source précis is a summary of information from CSIS’s files that allows the court to assess the reliability and credibility of the human source without revealing the source’s identity. It comprises information pertaining to the source’s relationship with CSIS, [description of information] and motivation. The précis will also include a corroboration table used to support the source information contained in the affidavit. Where the application relies on information supplied by a foreign agency, the foreign agency précis includes background information regarding the mandate of that agency, the agency’s history with CSIS, and whether the information relied upon in the application may have been obtained as a result of mistreatment.

(U) Once approved and reviewed in keeping with several additional steps, including the Independent Counsel vetting discussed below, the application goes before the Warrant Review Committee (WRC) for approval. The committee comprises senior members of CSIS and the department of Public Safety Canada as well as observers from other government agencies such as CSE and the RCMP. At the WRC, the affiant provides a brief overview of the investigation, the application is discussed, and a decision is made regarding whether to proceed with the application, and if so, what changes are required. The application is then submitted to Public Safety Canada, where it is reviewed and passed to the Minister accompanied by a summary and advice as to whether the Minister should approve the application. Once approved, Justice files the warrant application package in court on behalf of CSIS.

4. Observations on the Warrant Process

a) A Lengthy, Bureaucratic Process

(U) The complexity of the CSIS warrant acquisition process is quite unlike the manner in which the police obtain their search warrants. The length of the process itself can pose operational risks, [it may affect the warrant].

(U) There are reasons why CSIS warrants are more administratively burdensome. Unlike police investigations, CSIS investigations rarely produce evidence culminating in criminal proceedings in court. They thus lack the prospect of retrospective challenge by a party with a vested interest in testing the propriety of the warrant. The safeguards in the CSIS warrant context are therefore prospective, and properly include a careful bureaucratic vetting, as well as executive control exercised by the Minister of Public Safety and judicial control by the Federal Certain steps, such as the Warrant Review Committee, discussed further below, are therefore desirable. However, beyond a certain point, more steps does not correlate with better quality. Indeed, NSIRA observed that many of the steps in the warrant process amount to a series of minor tweaks and clerical changes of limited importance to an application that often becomes an exercise in ‘drafting by committee’. What the proliferation of steps has done, however, is to create a process widely regarded as slow and unwieldy, with no clear lines of accountability.

(U) For many of our interviewees, the process had the following features:

  • Lack of clear accountability due to the proliferation of approvals: Some interviewees described the multiplicity of approvals as a symptom of a broader CSIS culture in which responsibility is diffused, ensuring that the locus of responsibility is never clear. Put more strongly, some interviewees saw the proliferation of approvals as reflective of a risk-averse culture in which officials employ a ‘safety in numbers’ approach to decisions and sign-offs. In this model, no individual is personally accountable; rather, accountability is diffused throughout the institution. Senior management disputed this characterization noting their support for the concept of shared accountability through approvals. Even so, there did not appear to be disagreement that accountability could be better defined.
  • Privileging sign-offs over substance: The long list of approvals over the course of the warrant process consume time; each level of approval means a pause in the work, meaning that the time available to do the substantive work of preparing the warrant application is often squeezed. Since it is not always clear what function each step performs, it is difficult to disaggregate substantive steps from various forms of managerial review, approval and vetting. However, by NSIRA’s estimate, only [timeline] associated with a warrant (renewal) application involve core substantive work. Many interviewees across varying levels favoured prioritizing time spent on preparation over that spent on managerial approvals. Although recent attempts to streamline the process have resulted in several steps being conducted concurrently, there is little indication that the time saved was reallocated to the preparation of the most complex portions of the application, such as the human source précis.
  • A process of black boxes: The warrant process involves a large number of people. Officials implicated at each stage often seemed unfamiliar with decisions made at other stages or the rationales for these decisions. Put another way, each official understood their piece of the puzzle, but had little sense of how the various pieces fit together. There appeared to be few (if any) regular feedback loops, in which explanations for decisions made at one level filtered back to other levels. This tendency to keep information ‘siloed’ meant that many employees felt that their knowledge of the warrant process was not as good as it should have been and wanted greater visibility on the process as a whole.
  • Lack of regional involvement: The ‘silo’ or ‘black box’ approach is most galling to the regional investigators. Even though the warrant requests originate from the regions and are made to support regional investigations, operational officials in the regions often have a very limited role in the warrant process. Some requests move forward and others do not, but it is not clear why. When warrants come up for renewal, NSIRA was told that headquarters has not typically sought input from the regions on new collection techniques, and that regions have struggled to obtain modifications in subsequent iterations of warrants to ensure that the warrant reflects operational needs. Interviewees regularly advanced the argument for feedback to and closer engagement with the regions (including on technical matters) throughout the warrant application. The region is best placed to flag issues of concern with the investigation and the sources involved, issues that could be important to the Court. To this end, NSIRA notes that the affidavit and source précis should be regularly shared with the source handler in the region. Likewise, the region should be consulted throughout the warrant application process, and should be represented at the Warrant Review Committee.
  • Excessive warrant scope and scale: One matter of concern was the sheer length of some of the affidavits CSIS has put forward in support of warrant applications. This was most pronounced in [type] warrants where requests are made in support of multiple investigations under one application. A related issue is CSIS’s tendency to include requests for a wide range of investigative techniques, regardless of whether there was an actual plan to employ them. This appears to be done on the theory that it was prudent to seek all possible powers rather than risk needing to return to court later on – particularly given the amount of time that such a process would involve. An alternative approach is more targeted and streamlined warrant applications, done in greater number and on a predictable annual schedule. This reform was repeatedly favoured in our interviews. Of course, this approach will only succeed if a higher number of warrant applications does not produce more warrant applications of the same length and complexity of the [type] warrants. If the administrative burden of approvals associated with the present system is applied to more warrants, it seems unlikely the system will work. That is, this reform may only succeed by relaxing what was described to us as a “one size fits all” approach to warrant applications, with length and complexity unconnected to the scale or degree of intrusiveness of the techniques at issue.

(U) NSIRA is therefore of the view that there are significant changes that CSIS could make that would materially improve the quality of warrant applications. NSIRA does not think that the bureaucratization of the CSIS warrant process as described above has improved matters; on the contrary, the lack of clear accountability, lack of internal communication, and excessive complexity have all contributed to the problems facing the process. NSIRA agrees fully with the view that time should be reallocated to those stages that make for a better warrant, including regular engagement with the regions.

(U) The warrant process should not be mired in steps that amount to the shuffling of paper between desks. These should either be eliminated, or conducted concurrently with more substantively meaningful steps, avoiding the reality or perception of pro forma involvement by officials who lack a clear and manifest need for involvement in the warrants process. Put another way, where there are steps that do not make a significant contribution to a more accurate application, CSIS should eliminate them.

Finding no.12: NSIRA finds that the actors involved in the warrant process do not have a common understanding of the rationale for each of the [multiple] steps in the overarching warrant application scheme and are not always sure what role each approval step plays.

Finding no. 13: NSIRA finds that the proliferation of process in seeking warrants has created a system of diluted accountability widely regarded as slow and unwieldy, with delays caused by multiple levels of approval.

Finding 14: NSIRA finds there is no regular feedback process in which explanations for warrant-related decisions made at one level filter back to other levels. The absence of feedback is especially acute for the regional investigators.

Finding 15: NSIRA finds that often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications. In consequence, an unwieldy warrant process makes resolution of legal doubt more difficult.

In view of these findings, with respect to the warrant process, NSIRA recommends that:

Recommendation no. 7: CSIS establish a new warrant process eliminating steps that do not make a significant contribution to a more accurate application. The process should assign clear lines of responsibility for the production of accurate applications. The reformed system should ensure that delays associated with managerial approvals are minimized, and that time is reallocated to those steps contributing to the preparation of the accurate applications.

Recommendation no. 8: CSIS integrate the regional stakeholders (including the implicated investigators) at every key milestone of the warrants process.

Recommendation no. 9: CSIS adopt policies and procedures governing the reformed warrant process that clearly outlines the roles and responsibilities of each participant and the objective of each step in the warrant process and that these policies be kept current as the process evolves.

b) Incomplete Knowledge Management in the Regions

(U) When discussing the warrant process, NSIRA often asked who should be responsible for the accuracy and completeness of the warrant application. There are two clear points of responsibility. First, staff in the regional offices conducting investigations are responsible for feeding complete, correct and appropriately contextualized information into the warrant production process. Second, the individual most responsible for the final product is the affiant, whose sworn affidavit supports the warrant application and supplies the factual basis permitting the Court to conclude that the legal requirements for the issuance of a warrant have been met. After all, if there is to be a duty of candour failure, it will be because of an inadequate affidavit. Meeting these obligations is, however, unnecessarily difficult for both the regions and the affiant, for the reasons below.

(U) CSIS warrant applications often depend on information collected from confidential human sources. As discussed above, the reliability of this information – and the credibility of the source – constitute key material facts in warrant applications. A failure to apprise the court of information relating to credibility is a clear violation of the duty of candour.

(U) As noted, source information appears in the warrant application through the source précis and affidavit. The source précis and affidavit, in turn, stem from information that was originally collected by the regions, which handle human sources. In practice, therefore, the affidavit is no better than the quality of the information provided by the regions. If that information is incomplete, none of the [multiple] steps in the CSIS warrant acquisition process can compensate. Notably, omissions regarding human sources have occurred repeatedly in the past. This report calls this the “recurring omissions” problem.

i. Misunderstanding Concepts

(U) NSIRA detected several factors that heighten the risk that regions will omit information material to the warrant application. Indeed, some duty of candour breaches seem to be explained by these factors.

(U) NSIRA was told that police learn how to piece together a narrative that “shows their work”, and police informant handlers also are generally familiar with credibility and candour issues. CSIS is not culturally attuned to this same standard, despite the importance of the legal expectations it must meet. Indeed, CSIS officers, when writing intelligence reports, are trained to dissociate the substance of the intelligence from its provenance, in order to allow the resulting reporting to be disseminated to clients in government without permitting readers to infer the identity of sources.

(U) Indeed, there seems to be a disconnect between CSIS’s traditional understanding of reliability for intelligence purposes, and the broader concept of credibility for legal purposes. Intelligence reliability is based on the source’s track record as corroborated by other sources of information. Credibility, however, may depend on more information about the sources themselves, including their personal conduct and disposition. CSIS source handlers may, however, be inclined culturally to invest [ description of relationship between source handler and source ].  Moreover, NSIRA heard repeatedly that CSIS officers involved in the early stages of warrant preparation do not clearly understand the legal expectations associated with the duty of candour.

(U) For these reasons, it has sometimes not occurred to these officers that conduct exhibited by the source –   [example of source conduct]  – may constitute material information important to a court in assessing the credibility of that source. CSIS may have long ago noted these issues, but nonetheless concluded that the source’s reporting was generally accurate. Thereafter, officers may not realize that it is vital to put all such context before the Court. Officers may also misunderstand the implications of source shortcomings for the Court, fearing that their sources’ information will be discounted because of personal shortcomings. In fact, the Court has understood that a source’s moral shortcomings alone do not mean that the source cannot be believed; judges do not assume that sources in national security investigations will always be upstanding citizens, any more than they do in police organized crime investigations. This was recently reiterated by the Court, noting that “the fact that human sources live what some would consider unsavoury lives is something to be expected when assessing human source information provided in the context of a CSIS Act warrant application”.

(S) Under the current CSIS procedure on Human Source [name of procedure] every CSIS human source is assigned a a brief and standardized description of [Discussion of human source issues, including reliability and credibility]

(U) The role of a judge in issuing a warrant is different. The judge must independently conclude that the information before them is reliable. In conducting this independent assessment, the judge must have all of the information they need to be satisfied that the source of the information is reliable and credible, even if CSIS believes that the information is accurate. The Federal Court recently noted that:
“Judges of this Court expect a Human Source Précis to bring to their attention all information known to the Service that might be relevant to the Court’s assessment of the credibility or reliability of a human source. The Service must provide the Federal Court with a relevant and full picture concerning the credibility and reliability of a human source. This Human Source Précis must be relevant, full and complete if the Service is to comply with the duty of candour. The Service employee must not pull punches, conceal information, or convey half-truths, nor may he or she bring false or misleading information to the Court.”

(U) To this end, CSIS’s own assessment of a source’s reliability may be relevant but it is not for the Court to take it on faith. The best analogy presented to NSIRA was this: the affidavit must “show CSIS’s work” just as a math student shows the full calculation in computing an answer through long division. That is, the affidavit must contain the full range of considerations relevant to a source’s credibility, and then explain why CSIS considers the source’s information reliable. The judge can then make their own assessment, and not simply depend on CSIS’s pre-existing conclusion. Asserting that conclusion without “showing the work” and articulating the range of considerations tied to credibility amounts to a failure to be candid, particularly when CSIS has concluded that a source is reliable despite certain factors that, on their own, could give rise to doubts about the source’s credibility. NSIRA believes this analogy to be a helpful one so long as “showing CSIS’s work” includes the full range of information material to the issuance of the warrant, a point to which we return below.

(U) In summary, to avoid “recurring omissions” before the Court, CSIS must internalize a clearer understanding of the Court’s This is particularly crucial amongst those involved in the preparation of warrants, including source handlers compiling the initial information.

ii. Information Management Struggles

(S) Even if CSIS officers were fully conscious of the scope of the concept of candour to the Court, the way in which CSIS manages its information would likely still give rise to recurring omissions. In its interviews, NSIRA heard that CSIS’s management of information related to human sources creates problems. [Discussion of IM issues]

(S) Information is often situated in the (changing and variable) institutional memory of source handlers. [Discussion of IM issues] Any institutional knowledge not archived properly is lost, as Intelligence Officers (IOs) are rotated regularly under CSIS’s human resources model.

(S) Since source-related information [discussion of IM issues] the review process can be laborious. When connected to the first factor noted above – a limited understanding by CSIS officers of legal materiality – mistakes are inevitable. Moreover, as operational reports written by handlers are sent through a hierarchal chain of approval, there is no method of tracking any changes made by supervisors to the handler’s report, making it difficult to identify the origin of a problem should it arise.

iii. Fixing the Recurring Omissions Problem

(U) CSIS and NSLAG are alive to these problems. They have conducted more training on the need for adequate documentation in order to fulfill the duty of candour obligations to the Court. Justice counsel have more access now than in the past to source materials. Indeed, in the short term, in some cases, they have responded to the recurring omissions problem by involving warrant counsel directly in the review of source files. Counsel auditing of source files is, however, resource intensive and arguably displaces a responsibility for source information preparation that properly lies with CSIS itself. It is the affiant, working with the regions, who should guarantee and be answerable for the accuracy of the source information, not counsel.

(S) More generally, CSIS should ensure that source handlers are assiduous in documenting information going to credibility, no matter how seemingly unimportant. The lack of adequate documentation was a key finding in the Rosenberg report, an independent review commissioned following a breach of the duty of candour to the court. In response to it, CSIS set up Project [Name]. Its main objective was to encourage better documentation of the full picture of intelligence and operational activity with the goal of improving operational effectiveness. One identified quick win now associated with [Name] was the regional roll out of [discussion of an information gathering tool] NSIRA was advised that this approach is being prioritized for sources whose information supports active warrants.

(S) NSIRA heard, however, that completing [information gathering tool] is a considerable task, requiring a comprehensive and thorough review [requirements of the information gathering tool]. Furthermore, NSIRA heard there is a certain level of frustration by source handlers at the implementation of this stand-alone requirement rather than building on preexisting [category of] documents, [examples of preexisting documents]

(S) Indeed, CSIS acknowledges that it designed [information gathering tool] to be a temporary tool to address and mitigate the larger recurring omissions problem. One of the long-term goals of Project [Name] is to develop a system [objectives of the system] It is unclear if this system will be stand-alone, integrated into preexisting systems, or developed as part of a planned [Name] , designed to consolidate all the administrative processes and workflows required to manage a case and document its progression. The [Name] is due to be partially implemented [timeline] while the proposed [Name] human source information system appeared to be aspirational and only at the early stages of identifying a possible solution. This is unfortunate, as the [info.tool] represents a “band-aid” solution to issues that, in the long run, would be better addressed by deeper improvements to the management of human source information.

(S) Even setting aside longer-term considerations, a [info. gathering tool] process is not a panacea. For one thing, the [info. gathering tool] is only as good as the person completing it. Until recently, there was no formal [info. tool] training for source handlers. More than a year after it was implemented, CSIS’s Learning and Development Branch was unaware of the [info gathering] tool. Furthermore, it should be possible to audit the responses provided in the [info. gathering tool] In the past, prior to the creation of the Affiant Unit (AU), the facting was formally reviewed by the [name of branch and positions conducting review]. Only [postion] had access to the full range of human source information, however, as verification was considered a “side of desk” task. Now, the AU has access to the human source files and NSIRA was told it reviews the original documents referenced in the [info. gathering tool] as well as running queries through human source and operational databases and consulting with the source handler. To do this properly, however, the AU itself will need to be resourced and encouraged to audit the information prepared by the regions. This report discusses the question of the AU’s sustainability below.

(U) Finally, several of the interviewees noted that the reformed process is revealing a number of “legacy problems” with CSIS human sources; that is to say, additional duty of candour issues are coming to light as a result of CSIS’s more stringent review of human source files when preparing for warrants. This is indeed a regrettable consequence of CSIS’s former lax practices. For the next few years, therefore, the Federal Court can expect to receive further duty of candour submissions. For its part, NSIRA will need to distinguish between those duty of candour issues rooted in past practices and those that have emerged despite the recent changes.

Finding no. 16: NSIRA finds that CSIS has struggled to ensure that all information material to the credibility of sources is properly contained in warrant applications. This “recurring omissions” problem stems from a misunderstanding of the Federal Court’s role in assessing the credibility of sources and from the presence of multiple, siloed information management systems. CSIS has undertaken reforms, but work remains to implement long-term sustainable solutions.

Recommendation no. 10: To address the seeming inevitability of “recurring omissions”, NSIRA recommends that CSIS prioritize the development of [ an improved ] system for human source information management. CSIS should also continue initiatives meant to ensure that source handlers are assiduous in documenting and then reporting in source précis information going to credibility. Even with these reforms, the Affiant Unit should adopt procedures for verifying the information prepared by the regions.

c) The Affiant Unit

(U) As noted above, the individual most responsible for the final product is the affiant, whose sworn affidavit supports the warrant application and supplies the factual basis for concluding the legal requirements for the issuance of a warrant have been met. Yet while NSIRA’s interlocutors agreed that affiants are ultimately responsible for the affidavit, NSIRA notes that they have not been given a status and authority commensurate with this obligation.

i. The Traditional Approach

(U) Pre-2019, CSIS recruited affiants in security intelligence investigations on an ad hoc basis in support of a particular warrant application. There was no such thing as a professional affiant. The result was considerable unevenness in the caliber and skill-set of affiants. The employees assigned as affiants were, NSIRA was told, sometimes not the best possible candidate, but rather a person with down-time, surplus to immediate operational needs, and not necessarily experienced in the affidavit process. The seeming casualness of affiant selection surprised NSIRA; the affiant is effectively CSIS’s spokesperson to the Federal Court, which alone can authorize invasive investigative techniques. Ensuring a roster of excellent affiants should have been regarded as “mission critical” to CSIS.

ii. The Current Approach

(U) In 2017, in response to the Segal report recommendations (see Annex A), the Affidavit Working Group (AWG) at CSIS recommended the creation of an Affiant Unit of “experienced Intelligence Officers who would be dedicated full-time to the role of representing the Service in court”. The objective of this new unit was the creation of an actual centre of affiant expertiseThe AWG recommended that affiants be employed at Level 10 (typically a senior manager) in the CSIS employment hierarchy “indicating the seniority and importance vested in the role”, with ongoing training and professional development being key components to the unit’s success. The AWG also proposed a process and structure for the development of the unit.

.(U) CSIS ultimately created the Affiant Unit (AU) in 2019, after an order from the Director and during the Federal Court 2020 FC 616 matter.230 NSIRA was repeatedly told that the resources allocated to the unit were based on estimates by the project management team in 2019. The CSIS “End of Project Summary – Establishment of the Affiant Unit” identified the need for an AU structure that included [number] “ Affiants” in order to accommodate past averages of [number] section 12 warrant applications annually. For reasons that are not clear, the final approved structure cut the number of affiants in half, to [number]  The final structure therefore comprised [description of internal structure]. The mandate of the AU was later expanded to include warrant applications for section 16 investigations by adding [number] although this affiant is managed out of the [Name] Unit and the Affiant Unit. This report discuss the implications of how the AU has been staffed below.

iii. The Advantages of an Affiant Unit

(U) Professionalizing affiant work involves trade-offs. For instance, dedicated affiants are better placed to develop and implement consistent processes and standards regarding warrant preparation, but will often have less mastery of the operational details than an affiant chosen from an operational desk, thereby obliging the affiant to spend considerable time familiarizing themselves with the details of each application. Still, our interviewees were consistently of the view that despite the trade-offs, the dedicated affiants and the AU itself represented a significant improvement over the prior ad hoc approach, and noted that the new dedicated affiants have been well received by the Court. Indeed, NSIRA is of the view that a well-staffed AU should constitute a body of expertise on warrant preparation within Robust vetting by the AU could also replace many of the seemingly pro forma steps in the current warrant process that contribute little of substance.

(U) Justice counsel reported having effective working relationships with the affiants, whom they considered to be knowledgeable and professional. For reasons discussed below, however, some counsel were concerned that the affiants were at risk of burn out, and raised concerns regarding the sustainability of the AU.

(U) With regard to the regions, we heard that some affiants, on their own initiative, regularly communicate with regional partners, potentially creating links that could forestall future duty of candour problems. Indeed, NSIRA heard that investigators and their managers welcomed the AU as the path to obtaining warrants. NSIRA was told that AU/regions communication should be a standard practice given the current communication silos existing between headquarters and the regional units responsible for executing warrants. NSIRA agrees that affiants should consistently consult with the regions to understand how the proposed warrants will be executed and to understand generally what is working and what is not. NSIRA notes that experienced affiants could serve as critical sources of institutional knowledge while field officers in the region cycle in and out. Moreover, this interaction between affiant and regions should help counsel anticipate any possible candour matters that could arise were the Court not apprised of potentially controversial means of executing warrant powers.

iv. Challenges to Affiant Unit Sustainability

(U) As explored above, CSIS’s establishment of the AU is a critical development. It is thus all the more concerning that the AU’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. Indeed, there may now be less support to affiants operating from the AU than existed under the prior regime of ad hoc affiants supported by other units in CSIS.

(S) The AU faces several overlapping challenges. Over the course of NSIRA’s review, AU staffing was in considerable flux, with personnel cycling through affiant, analyst and management posts. Indeed, by summer 2021, the key role of analysts – usually charged with compiling material from the region and the initial drafting of the affidavit and human source précis – was filled by  [number]  temporary analyst. Of the [number] new affiants hired by the AU during our review, [number] had left by the end of it. Meanwhile, the remaining affiants were cycling through a vacancy as [position] (of the AU). In the result, it would appear there were only [number] people able to act as affiants for and [type of warrant] summer 2021.

(U) NSIRA heard that joining the AU is an unattractive career choice, because CSIS’s human resources policies do not support the stated objective of professionalizing the warrant process. Affiants, much like many at CSIS who are not Intelligence Officers, do not gain the operational experience that is traditionally tied to status and advancement.

(U) At the time of writing, the AU was relying on “surge capacity” by drafting analysts available temporarily from other units of  NSIRA heard that these temporary analysts lack warrant experience. They thus need to be trained by the affiants, only to depart and be replaced. This has added to the burden on affiants, some of whom now complete the drafting process once led by analysts. This also contributes to the workload of NSLAG counsel, who must help fix draft products.

(U) Moreover, the benefits of the AU are currently in jeopardy because of governance and training deficiencies. The AU did not inherit an existing infrastructure or suite of policies and professional standards. The affiants at the time of our review were experienced CSIS officers who often had some prior affiant experience. Those affiants who have been in the AU for a length of time have deepened their expertise through learning on the job. However, none of the affiants or supporting analysts received formal training on their roles. CSIS has not yet put in place a training system to ensure continuity of a standard base of knowledge and skills in the AU. Even if it did, the AU is already under-resourced, fueling turnover, and NSIRA doubts whether the AU has the time and capacity to step back from the day-to-day work in order to build expertise and human capital. For instance, weekly meetings with NSLAG counsel have often been impossible due to time constraints, making it harder for the AU to stay apprised of legal issues.

(S) It is clear that the AU cannot continue to operate in its present manner, and that the risk of burnout for the remaining staff is real. As this review progressed, NSIRA became increasingly concerned that the AU [is in a state of crisis] . The apparent neglect of the AU’s human resources needs is alarming: the AU is not only a key element of CSIS’s response to its recurring candour problems, but it is also operationally vital. Without a functional AU able to produce accurate and compelling warrant applications in a timely manner, [discussion of how CSIS collection activities are affected]

v. Improving and rebuilding

(U) It is clear that the AU needs to be stabilized and expanded by an immediate infusion of new personnel. NSIRA asked how an expanded AU could function, and in response received remarkably consistent responses:

  • “Affiant Teams”: NSIRA heard that each affiant should be supported by [discussion of number of analysts, administrative assistants and paralegals required] –
    forming an expert team. Teams should specialize in counterintelligence or counterterrorism, and should be managed so not everyone leaves as the same time. Likewise, files should be managed so that inexperienced affiants and affiant teams are not paired with inexperienced lawyers.
  • Workload expectations: NSIRA heard that a professional affiant should be able to manage [numbers] affidavits annually, although others emphasized that [numbers] was
    feasible. The lower estimate is closer to CSIS’s own calculation that “given that each application takes approximately [timeline] one affiant could process [number] applications per year.” At this rate, the present roster [number] should be able to generate [number] warrant applications annually. This assumes that affiants are adequately supported, however, which was not the case as of summer 2021. [number] warrants annually would seem inadequate given CSIS’s investigative needs. CSIS will not be able to acquire more warrants without either sacrificing the quality of its applications – and risking new candour problems – or expanding the AU. Moreover, as discussed below, [number] warrants is fewer than the number of warrants that NSLAG is now equipped to support.

(U) Building bigger, skilled and stable affiant teams will require new people willing to join the AU and stay for a reasonable length of time. NSIRA believes achieving this objective requires two sets of reforms: first, changes to career development within the AU; and second, greater institutional commitment.

(U) Without human resources reform and firm prioritization of the AU, NSIRA doubts CSIS will be able to recruit and retain a talented cadre prepared to specialize as affiants and analysts. The ideal affiant, NSIRA was told, was a great analyst and writer, with advanced research skills and robust institutional knowledge about how CSIS operates and how, especially, source information is retained. They must, in addition, be comfortable in court and have an understanding of applicable law. Some affiants have handled sources, while others have not. Source handling experience was not regarded as essential by at least some interviewees, but it was felt that the affiant needed people skills and an ability to manage the affidavit process and relationships with the regions. A successful affiant should have gravitas and an ability to persuade other partners in the warrant process. Moreover, once these people are recruited, like any expert, affiants and analysts need to acquire institutional knowledge – and the AU will need to resist the level of turnover we were told is endemic in CSIS.

(U) NSIRA heard that retaining talent will require attention to several problems. Unlike with at least some police forces, CSIS assigns little prestige to this career path. Indeed, CSIS human resource policies risk orphaning affiants in career limbo, with no natural career progression and advancement path given that time in the Affiant Unit is not time spent gaining front-line operational experience. Specifically, affiants are classified as a “level 9” in the CSIS human resources hierarchy, but only temporarily (if not already level 9). If advanced from level 8 to be an affiant, they return to level 8 if they leave – or must compete for a permanent level 9 elsewhere in CSIS. Despite the considerable pressures on affiants to manage a complicated warrant process and represent CSIS credibly before the Federal Court, affiant work is reportedly not countenanced as meeting prerequisites for promotion into management. Being an affiant is, in other words, not a clear career progression so much as a career diversion.

(U) CSIS has also struggled to resource permanent analysts for the AU. Analysts, much like other non-intelligence officer (non-IO) employees at CSIS, are left with so few career progression options that they often feel like second-class citizens within the the organization.  In order to attract talented analysts, there must be incentives allowing for progression within the non-IO stream, including the AU.

(S) As this discussion underscores, the AU needs more resources, especially in the form of analysts and affiants. However, the AU is left to compete for resources as just another unit under the broad umbrella of the [Name] Branch [Name]. NSIRA heard that the AU’s functions in preparing legally robust warrant applications are not a natural subset of [Name and function of Branch] and that the AU is not well situated in the present structure. This governance anomaly may explain a number of administrative hurdles and human resource and sustainability issues. A new governance structure, with reporting mechanisms consistent with the importance of the function needs to be instituted.

(U) A new Affiant Branch needs to be created and situated in CSIS’s organizational hierarchy reporting directly to the CSIS Director. This would be consistent with the Director’s direct accountability as provided by CSIS Act and signal the AU’s importance to CSIS’s ongoing success and presumably ease the risk of neglect. This change would coincide with the elimination of the often-unnecessary hierarchy of approvals that exist as a result of the AU’s current status as part of [Name] branch. This change may also respond to another observation: that priorities not directly visible to the Director sometimes stall lower in the CSIS hierarchy, and that reform also stalls among managers who do not have a clear incentive to change.

(U) In sum, NSIRA believes that CSIS’s success in overcoming its long-standing difficulties with the warrant process will depend on a robust Affiant Unit. In our future reviews of the warrant process, NSIRA will be attentive to CSIS’s progress in sustaining a robust AU.

Finding no. 17: NSIRA finds that the Affiant Unit (AU) constitutes a vital and laudable reform within CSIS. However, the AU is currently at risk of collapse. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. The benefits of the AU are currently in jeopardy because of governance, human resource, and training deficiencies.

Finding no. 18: NSIRA finds that the Affiant Unit’s placement in the [Name] branch is not commensurate with its functions and importance. This governance anomaly most likely contributes to administrative hurdles and resource challenges faced by the AU.

Finding no. 19: NSIRA finds that without a functional AU able to produce timely and accurate warrant applications, CSIS puts at risk access to warrants and the information collected under them.

In view of the above findings with respect to the AU, NSIRA recommends that:

Recommendation no. 11: CSIS recognize the importance of the Affiant Unit by assigning affiants and analysts an employment classification congruent with their responsibilities.

Recommendation no. 12: CSIS create an Affiant Branch reporting directly to the CSIS Director.

Recommendation no. 13: CSIS urgently resource the Affiant Unit to meet its responsibilities and ensure its sustainability. In deciding the size of the AU, CSIS should assess how many warrants an affiant team might reasonably complete every year.

Recommendation no. 14: CSIS, in consultation with Justice, develop a comprehensive training course for all affiants and analysts, codifying best practices and methods for members of the AU.

d) NSLAG Warrants Counsel

(U) Warrant counsel have several key roles anticipated in the CSIS warrant application process, and are intimately implicated in securing adherence to the duty of candour in warrant applications. As noted, the duty of utmost candour in warrant proceedings is a professional obligation that rules of professional conduct impose on lawyers. Crown counsel in police warrant cases have a redoubled incentive to test warrant applications – no Crown wishes to be the lawyer on a warrant that subsequently fails on ex post facto challenge in a criminal proceeding, jeopardizing a prosecution. While NSLAG counsel face different pressures, duty of candour failures still risk professional reputations, especially given the vigorous displeasure expressed by Federal Court judges in their judgments.

(U) It seems clear that, as a result of 2020 FC 616, NSLAG has weathered a difficult period. Counsel reasonably see themselves as both personally in the cross-hairs of the court’s discontent and dependent on CSIS managing its responsibilities in the warrant process in a way attentive to its legal obligations. From the counsel’s perspective, the process feels like a high risk enterprise, over which hangs a “sword of Damocles”. For its part, as noted, CSIS operational employees may regard Justice as inaccessible and unhelpful. Lawyers vary in their style and manner of operating, with no consistency.

(U) Some lawyers have responded to duty of candour failures by becoming more meticulously involved, in a way described by some CSIS observers as intrusive, micro-managing matters that CSIS feels it should handle. It is apparent that tensions have increased in the last several years between Justice and CSIS, shaped by these perceptions each has of the other. This tension was especially acute, NSIRA was told, at the more senior levels, with some noting that little had improved by the time of our interviews. NSIRA also heard about the need to correct this situation by building mutual trust. This section focuses on the structural sources of those tensions and the prospects of restoring confidence.

(S) First, CSIS interviewees urged that CSIS needed access to more lawyers, sometimes seeing lawyers as the bottleneck in the warrants process. Other interviewees contested this view. These different views may reflect change over time. It is clear that during a recent period, NSLAG had too few available warrant counsel. That situation appears now to be evolving, as new lawyers are recruited by NSLAG. NSIRA agrees, however, with the principle that NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the non- availability of warrants counsel.

(U) At present, a General Counsel is the strategic lead for warrants and Federal Court matters. In addition, the Senior Counsel warrant coordinator oversees the warrant applications led by NSLAG warrant counsel. The senior counsel warrant coordinator would ideally not manage their own files, and instead would maintain comprehensive visibility on the warrant practice, while assisting and mentoring new warrant counsel. These positions must also bridge the warrant and advisory side of NSLAG, ensuring that emerging legal issues are shared.

(U) The number of actual warrant counsel will affect how many warrants CSIS might seek at the Federal Court. NSIRA asked for views on a metric for determining the ideal number of counsel. Whereas an experienced warrant counsel might once have transacted [number] warrants annually, the scope and scale of applications is now such that the maximum number is [range]. Given this number, and with a roster of  [number] experienced warrant counsel (and several more junior) available by the second half of 2021, the maximum number of warrants NSLAG might support annually may be in the 30-60 range. Notably, this number is several multiples above the number of affidavits the AU is presently equipped to manage, assuming the calculations provided above. These calculations seem to affirm the views that resourcing issues at the AU now constitute the critical bottleneck, whatever may have been the case in the past.

(U) NSIRA also heard views about the importance of mentoring of new warrant counsel by experienced warrant counsel, and how NSLAG must make this a priority. This includes the need for junior lawyers to be trained on matters pertaining to CSIS tradecraft and technology.

(U) NSLAG recruitment also emerged as an issue in NSIRA’s discussions. NSLAG is regarded by other components of Justice as too close to its client and concerned with maintaining an ongoing relationship with the client, a characterization regarded as unfair by the interviewees who addressed it. Morale in NSLAG was badly affected by the 2020 FC 616 saga. NSLAG’s practice area is also, from the perspective of many lawyers, obscure and narrow, and not necessarily perceived as part of a Justice lawyer’s ideal career path. Employment at NSLAG requires enhanced security clearance, including a polygraph. The clearance process may be lengthy, and prospective employees may lose interest in the interim. These factors together contribute to NSLAG recruitment challenges.

(U) NSIRA notes that the range of professional backgrounds among counsel seems to be increasing, and more NSLAG warrant counsel have prior experience with NSIRA was told NSLAG has been encouraged to hone its public law expertise, as well as recruit lawyers with criminal law experience. NSIRA welcomes these developments and will consider NSLAG’s evolution in future reviews.

Recommendation no. 15: NSIRA recommends that NSLAG be staffed by a complement of counsel and support personnel sufficient to ensure that CSIS operations are not impeded by resource limitations at NSLAG.

e) Revamping the Independent Challenge Function

(U) The warrant application process is buttressed by a review of the near-final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the National Security Group (NSG) of the Department of Justice. “Independent” in this context means, therefore, at arm’s length from CSIS and NSLAG and otherwise not implicated in the warrant process.

 i. The Imperfect Independent Counsel Model

(U) The IC position was created in 1988 following the 1987 “Atwal” matter in which extensive errors were made in a CSIS warrant application (Annex A). In its 1986-1987 Annual Report, SIRC noted that the Solicitor General in consultation with CSIS should consider whether there ought to be a devil’s advocate position at some stage of the warrant process to argue the case against the warrant. The position of the devil’s advocate was described as an official appointed to ensure that all aspects of a matter are fully considered.  The following year, the “devil’s advocate” position had been established, yet, SIRC noted that, “at present the devil’s advocate does no more than ensure that the information CSIS intends to cite in a warrant application is accurate. We had in mind, rather, someone who would challenge the need for a warrant at all – someone to make the case that the proposed target (who does not of course even know a warrant is being sought) might make.

(U) Ultimately, very little has NSIRA was informed that the primary goal of the IC is to “ensure that, as much as possible, factual mistakes don’t make their way into the material that is submitted to the Court”. Scrutiny of the warrant is done through reviewing documents to ensure that factual assertions in the affidavit are accurately sourced.

(U) The IC is charged with playing a fact-checking function, described as largely a form of checking the characterization of facts in the affidavit and source précis against the source material. NSIRA was informed that NSLAG and CSIS were once more resistant to questioning by the IC. This situation has reportedly improved in the last several years, with counsel and CSIS described as now accepting of this querying.  In reality, however, changes proposed by the IC are usually very minor. Every once in a while, IC reported finding contradictions in the source material relevant to credibility issues, or treatment in the affidavit that were not justified.

(U) There will always remain inherent limits to the role of an IC coming at the end of the process. It cannot protect against all duty of candour shortcomings. Additionally, NSIRA noted a number of factors that have contributed to the inability of the IC to perform a robust challenge function:

  • Lack of policy and training: short of a two-page document outlining the description of the IC function, there are currently no up to date internal policies, guidelines, or criteria governing the expectation or mandate associated with the IC role – much depends on the individual expertise of, and investment of effort by, the IC. NSIRA was informed that typically new IC shadow senior IC counsel on their applications before being given their own. There is no official training program; counsel are given a binder of historical documents outlining the genesis of the IC role and where necessary may be given additional training on how the warrants process works. Mentoring may therefore be inconsistent due to the absence of a standardized training program and clear descriptions of the required functions of the IC.
  • Lack of knowledge: at NSG, counsel conduct their IC role as a supplement to their main legal work, involving among other things Canada Evidence Act s. 38 proceedings. By one estimate, IC work constitutes less than 5% of what NSG counsel do, and the NSG does not otherwise have any involvement in warrant-related activities. The IC have little visibility on developments in the Federal Court, including on the specific CSIS warrants they have challenged. There is no formal debrief mechanism, no proactive sharing of classified reasons, and NSG counsel neither convene their own best practices/issue sharing sessions nor participate in NSLAG’s sessions discussing emerging issues relevant to warrant practice. Some IC noted that this lack of exposure to warrant-related activities results in a lack of knowledge needed to perform a more probing review or address broader issues beyond fact checking. These knowledge constraints mean that it is extremely unlikely that the IC will be able to ask probing questions of the sort necessary to unearth the duty of candour issues stemming from possible issues on how a warrant might be executed – the second class of candour issues noted above. Meanwhile, counsel who may have this relevant experience, joining NSG from NSLAG, are required to wait a year before undertaking any IC functions. This means that often by the time they inherit a warrant file they are likely no longer current on recent CSIS practices.
  • Lack of access and time: the IC does not currently have timely access to the breadth of underlying information that would be required to play an authentic challenge role meaningfully. The IC does not receive important components of the warrant application in advance, including the source précis, and is often provided with very short deadlines for reviewing documents. While ICs have recently obtained some on-premise (CSIS) access to these other materials, this sort of advance review is uncommon. The IC is not encouraged or provided with sufficient time to fully test the theory of the case presented in an application as a form of “red team” exercise. Nor can they be expected to counter the recurring omissions issue, discussed above. It is unlikely, therefore, that the IC is fully effective in addressing candour issues resulting from failure to disclose information material to credibility.

(U) The result has been an IC role that is often regarded as more clerical than substantive, designed to cite check rather than assertively peer review. Indeed, the majority of interviewees involved in the warrants process regarded the IC as unhelpful as a form of quality control. Recent changes in the CSIS warrant process indicate that the IC “challenge” is to be completed one day prior to the WRC and once the affidavit has already been circulated to WRC participants. This change is further reflective of the general view that the IC serves only to fact check or that nothing substantial will arise from the challenge that necessitates changes prior to the WRC. Some interviewees doubted that the IC’s role was necessary – a good, well-supported affiant should suffice to guarantee the facing. NSIRA has commented above on how professionalized affiants are able to contribute to quality control.

(U) Still, NSIRA believes that the presence of an independent challenge in the system is necessary. NSIRA fears, however, that the current IC is largely a pro forma feature of the CSIS warrant process, giving the impression of a robust check and balance without accomplishing this objective. NSIRA remains unpersuaded that a robust devil’s advocate is best situated at Justice, drawing on lawyers from NSG. As noted above, while some individuals have a background involving warrants of various sorts, NSG lawyers are not, in their role, experts in warrants or necessarily knowledgeable about CSIS. Nor does NSG have any formal role in the warrant approval process. NSG would appear simply to be a convenient place to situate the IC, among lawyers who are security-cleared for very different functions. Put another way, a robust devil’s advocate function has yet to be created, and there is no reason to prefer it be situated in another branch of Justice. As discussed next, NSIRA would propose the creation of this function in the third agency of government whose precise role is oversight of the CSIS warrant process: Public Safety.

ii. Reconceiving Public Safety’s Oversight Role

(U) Public Safety Canada is the vessel through which the Minister exercises their oversight role, one intended by Parliament to be robust. The Minister’s role in the warrants regime is enshrined in legislation. Section 21 of the CSIS Act mandates that an application for a warrant may only be filed “having obtained the Minister’s approval”. The Minister’s role on section 12 warrants therefore requires that the Minister is aware of the full implications of the application, including determining if the intrusive methods to be used are justified by the gravity of the threat to the security of Canada.

(U) Yet, Public Safety has not had full visibility on the various aspects of the warrants application. There has traditionally been an information asymmetry favouring CSIS with whom the information resides. This challenge was further exacerbated by capacity issues at Public Safety, including limited ability to access information and knowledge necessary to assess risk for the Minister. The 2019 Ministerial Direction for Accountability (2019 MD) and the Framework for Cooperation between Public Safety and CSIS, sought to decrease the information asymmetry problems and increase ministerial oversight of CSIS. Pursuant to section 8 (i) of the Framework, CSIS must update Public Safety on reviews conducted by NSIRA. NSIRA interprets this obligation to mean an ongoing commitment by CSIS to provide periodic updates on the progress of reforms to the warrant process including the implementation of the recommendations in this review which will inevitably affect warrant applications.

(S) Functionally, Public Safety officials review all warrant applications with the support of legal counsel assigned to the Once the warrant application is received by Public Safety, officials will typically review the warrant for: clarity and logic; legal issues; candour issues; policy considerations; and additional considerations such as issues related to the impact on Canadians. The Public Safety delegate will attend the WRC. Following the WRC, and once the warrant has been reviewed, Public Safety officials draft a briefing note summarizing the nature of the threat posed by the target of the warrant, along with a recommendation memorandum for the Minister’s consideration. If approved, Public Safety sends the application back to CSIS to be filed in Court.

(U) Some Public Safety practices are of relatively recent vintage, prompted to some large degree by 2020 FC NSIRA cautions, however, that Public Safety is not well positioned to perform a thorough challenge of the warrant application. First, asymmetrical access to information means that Public Safety does not review the ingredients comprising the warrant application, including the source file materials or even the source précis. It would not be realistic, in our view, to expect Public Safety to audit the full information trail leading to the warrant application – it will never be able to cure a “recurring omissions” problem. Again, NSIRA believes skilled affiants in the AU validating information received from the regions and performing peer reviews of each other’s work product constitute the best means of verifying inclusion of the correct information.

(S) On the other hand, Public Safety should be positioned to solve systemic and governance issues giving rise to the second category of duty of candour issues noted in this review – those stemming from issues underlying the warrant and material to a judge’s exercise of discretion. As noted by Justice Brown in reference to the failure of CSIS to flag high-risk human source operations, which were subsequently the subject of a warrant application before the Court: “the responsibility for fully informed decision-making lies on every person participating in the decision”. Situated at some distance from CSIS and warrant counsel, an adequately staffed and expert Public Safety vetting team should contemplate the blind spots from which those closer to the process may suffer. Indeed, NSIRA learned that Public Safety, even as presently constituted, at times raises such issues. In this manner, Public Safety is in a much better position to anticipate lurking candour issues than is a lawyer at NSG, tasked with conducting an IC as a secondary function of their For this reason, NSIRA favours a new reform that would bolster Public Safety’s vetting process, and would replace the NSG IC, all in service to the Minister’s legislated oversight role.

(U) To this end, NSIRA favours a devil’s advocate model that helps meet the Minister’s own obligation to oversee the warrant process. That is, NSIRA recommends the creation of a role meeting the original vision proposed by SIRC in the report noted above: “someone who would challenge the need for a warrant at all – someone to make the case that the proposed target (who does not of course even know a warrant is being sought) might make”. The counsel should be as assiduous as a defence lawyer would be, defending a client in a fully adversarial process. They should know, and know how, to ask questions about the information supporting the warrant, its planned execution, and any relevant surrounding context that might escape the attention of a lawyer less familiar with warrants or CSIS procedures and functions, or might be lost to tunnel vision among those closer to the In this manner, NSIRA suggests that this person, working with Public Safety’s warrant vetting team, should be well-situated to anticipate the second category of candour issues discussed in the report.

.(U) Right now, Public Safety is supported by its own Justice departmental service unit. NSIRA suggests that unit should be supplemented by a seconded counsel with practical warrant experience employed at the Public Prosecution Service of Canada, the private sector or elsewhere, independent from Justice management, and not otherwise involved in CSIS warrant applications. This counsel would be deployed for the specific purpose of supporting a Public Safety warrant vetting team in its challenge function. This challenge and review of the warrant conducted by the seconded counsel must be documented in a manner that is visible to the Minister when considering whether to approve the proposed warrant application. NSIRA cautions that the purpose is not to increase the number of steps or the length of time the application takes. Rather, abolishing the current IC model entirely in favour of a true devil’s advocate conducted as part of ministerial oversight would thin the process in addition to reinforcing it with a built-in, thorough challenge function.

Finding no. 20: NSIRA finds that the “independent counsel” (IC) role falls short of creating a thorough challenge function.

Recommendation no. 16: NSIRA recommends that the function of the Independent Counsel as performed by NSG counsel at the Department of Justice be eliminated, in favour of a new challenge function, analogous to the role a defence lawyer would play were warrants subject to an adversarial process, situated at Public Safety and supported by the Public Safety vetting team, and performed by a knowledgeable lawyer from the Public Prosecution Service of Canada, the private sector, or elsewhere, who is independent from Justice management and not otherwise involved in CSIS warrant applications.

f) Submission to the Federal Court

(U) The final stage in the warrant process is the proceeding before the Federal Court. No warrant exists until authorized by the Federal However, trust between the Federal Court, NSLAG and CSIS has clearly been strained by the long history of duty of candour failures.

(U) The Court is perceived by interviewees as more assertive now than in the past. Some interviewees described doubts about the degree of control exercised by the Court, sometimes seeing it as more akin to a review function and less like the classic judicial control exercised by a court in issuing (or not) warrants. Others rejected any notion that Justice questioned the legitimacy of the Court’s approach. Still, the institutions implicated in the warrant process seem to have entered a cycle in which duty of candour failures have contributed to a climate of mistrust involving closer scrutiny and more searching judicial control, which inevitably heightens anxiety at the CSIS level about operational implications and reputational risk. It has also been the source of some uneasiness at Justice.

(U) Of particular note, interviewees told NSIRA that anticipating in advance the full range of considerations relevant to a judge in exercising their discretion is not easy, especially since judges reportedly focus on different concerns depending on the case before them. This creates a residual category of information that may have to be provided with the application. CSIS and Justice reportedly now err on the side of being over inclusive.

(U) Because of all of these factors, the warrant application process currently operates like a ratchet, as ever more detail is layered into the affidavit and supporting documents in an effort to anticipate and avoid a new duty of candour failure. There is some “cut and paste” possible for recurring issues, but this material must be tailored to each warrant, and then re-vetted through the bureaucratic warrant approval process. The resulting warrant applications become more lengthy, complex, and time-consuming to prepare.

(U) Breaking this cycle, however, requires restored credibility through change at CSIS and Justice, not resistance. NSIRA believes that doing so requires an embrace of the recommendations made in this review. It also notes other ways in which CSIS and Justice could show a commitment to candour, possibly alleviating the workload involved in warrant applications. NSIRA noted one approach suggested by our interviewees: warrant applications would describe information that is excluded (because it is believed not to be material) in sufficient detail that a judge might ask for its disclosure should they wish. Justice could also seek direction from the Court in the form of a practice direction or annotated standard warrant templates, or the bench and bar system recommended by the Segal report.

g) Doubts Arising on Warrant Execution

(S) Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the After the warrant’s issuance, CSIS and Justice conduct a debrief with the affiant, lawyer, the relevant headquarters desk and the responsible officials at the regions. This process includes a “reading of the warrant”, designed as NSIRA understands it, to help inform execution. NSIRA was told that this debrief is sometimes regarded as vague and unhelpful, and that those charged with overseeing warrant execution had no resources to translate “warrant language” into techniques and powers they could use.

(S) The warrant coordinators in the regions lack formal training, and learn their task on the job – existing training is too broad and abstract, unconnected to the practical scenarios arising in the execution of warrants343. In consequence, expectations accrue as myths rather than clearly understood legal standards. NSIRA was told there were perceived disparities between what seemed to be on the face of the warrant and what lawyers described as the judge’s intent. This sort of ambiguity reportedly gives rise to “invisible rules”. The regions are extremely uncomfortable with implied permissions, preferring tangible authorizations in warrants. [discussion of the detrimental effects on and risks to operations]

(U) Finding no. 21: NSIRA finds that the CSIS regional warrants coordinators have not received sufficient training enabling them to translate the contents of the warrants into advice on proper warrant execution.

Recommendation no. 17: NSIRA recommends that CSIS regional warrants coordinator positions receive adequate training, and that CSIS professionalize the position and enable warrant coordinators to more effectively translate the content of warrants into advice on warrant execution.

C. Investment in People: Training

(S) As the discussion in this report demonstrates, training and institutional knowledge are recurring themes in this Most interviewees noted that they had not received specialized training prior to assuming their specific role in the warrant process, instead learning through word of mouth from others doing the same function. Some interviewees clearly felt unprepared for their role, and regretted the absence of systematic training. Several others tied the lack of training and the paucity of modernized processes and policies to compliance failures. CSIS is to a certain extent alive to the shortcomings in its training programs and has itself noted that:
“CSIS is currently not a learning organization and does not have a learning culture. There are insufficient training opportunities to build and sustain a modern professional intelligence service that operates in a continuously evolving and complex environment, it is evident that the exponential needs across operational and corporate requirements has not kept pace with the current L&D staffing and funding allocation”.

(U) The inadequacies of training featured in a recent internal review of the warrant process. NSIRA embraces its recommendations on the need for reform in this area. NSIRA emphasizes especially, however, the need for education through scenario-based learning, and not simply training through the passive consumption of learning materials.

(S) CSIS’s Learning and Development (L&D) branch has considerably revamped both the intensive program taken when employees join CSIS as Intelligence Officers (IOs), and the intensive course IOs take after several years at headquarters, before deployment to the regions. For instance, the IO Entry Training (IOET) which is largely content and theory heavy, is being overhauled to include scenario-based learning. L&D has embraced learner-centered approaches, with high instructor to trainee ratios. In its most recent iteration, the [training program name] now trains IOs in scenarios relevant to the duty of candour, including [training program content] capturing details related to legal credibility and conditioning passing grades on responsiveness to these matters.

(U) Trainers – IOs themselves participate in train-the-trainers programs. These trainers may themselves cycle to operational roles, where they are well-positioned to transmit expertise and mentor others. Meanwhile, NSLAG will work with CSIS’s policy centres and provide feedback on learning modules raising legal issues. The [Name] will raise issues that may involve legal dilemmas. However, [Name] training does not address legal issues per se – rather the purpose is to train IOs in recognizing legal doubt, necessitating consultation with NSLAG. IOs are not trained, in other words, on answers to legal questions, so much as trained to recognize the existence of legal issues. Precise legal answers, it is feared, change with time, and a decision has been made to train a reflex to seek legal answers from NSLAG. NSIRA notes, however, that the IOET and the [Name]  come relatively early in an IO’s career and that CSIS has no ongoing, formal professional development requirements. NSIRA further notes that warrants- related training including duty of candour is of sufficient importance to necessitate annual mandatory warrant training for all operational personnel. This would allow operational personnel to remain apprised of changes in the warrants process as well as changes in the operational environment including technological advancements which may influence their assessment of when a warrant is required.

(S) Aside from IO training early in an IO’s career, specialized training in CSIS’s various specialized trades is uneven. Most of the interviewees indicated they had received no formal training beyond that at the beginning of their careers, with a few exceptions (such as [Branch Name]). Where there is in-house training, NSIRA’s view is that it is often relatively informal and lacks some of the experiential features that the modern has developed. L&D is not responsible for training in specialized sub-trades or units of CSIS, although they may be consulted on design such that unit wish to establish a training system. This creates a gap in training for individuals who are not within the IO career stream.

(S) Following 2020 FC 616, CSIS implemented organization-wide mandatory training for all operational employees on the duty of candour. The thirty-minute training was contained in an online module that employees complete.  The module contains 22 slides discussing the duty of candour, including prior breaches and the role of every individual in ensuring that duty of candour is met. The module contains only two theory-based questions, no scenario-based training and may be completed in half the time by employees. This type of training reflects concerns voiced during the review that CSIS cannot build a compliance culture by PowerPoint training, and complaints that training included too much pro forma box checking.

(U) In sum, the training culture at CSIS has been largely a “once and done” approach to formal skills acquisition. Moreover, NSIRA was led to believe that prior generations of the entry level and pre-regional deployment training courses were less robust than the present generation, and depended on more passive forms of education (such as PowerPoints). Bringing modernized training to more advanced IOs and standardized training of any sort to non-IOs appears to remain a challenge. L&D is not adequately resourced at present to expand a formal CSIS training footprint, despite considerable demand for specialized training. Noteworthy, L&D has recently received CSIS management approval for their business plain to establish three regional training hubs to incorporate modern training at the regional level and enhance the skill set of IOs whose training may predate the existing training curriculum.

(U) While both IOs and non-IOs noted the lack of training as a major issue, it was more pronounced with non-IOs. NSIRA heard from non-IOs including managers, analysts and technical experts that they did not receive the benefit of any form of formal training upon joining the organization. Many had to ask for specific mentorship, while others have found that they are regarded as the most senior subject matter experts, leaving them with no mentorship options.

(U) NSIRA observes that a commitment to training is only as real as the importance and resources devoted to Accordingly, training will succeed only to the extent that employee time is freed up to allow the acquisition of new skills and knowledge. In this respect, some interviewees expressed doubt that units already confronting personnel shortages will succeed in building human capital.

Finding 22: NSIRA finds that CSIS lacks long-term training programs for Intelligence Officers.

Finding 23: NSIRA finds that CSIS has failed to provide systematic training programs for “non-Intelligence Officers”.

Finding 24: NSIRA finds that the CSIS’s Learning and Development Branch has not been sufficiently resourced to develop and administer comprehensive training programs, especially in specialized areas not covered by the training offered for Intelligence Officers early in their career.

In view of these findings, NSIRA recommends that:

Recommendation no. 18: CSIS adequately resource and regularly deliver evergreen scenario-based training programs for all CSIS employees, including;                                                     

  • annual, comprehensive, warrant training for all operational employees;
  • specialized onboarding training for all employees not part of the Intelligence Officer program; and
  • continued long-term training for all specialized

5. Consequences Of Systemic Problems

(U) This report ends with an examination of, and associated observations on, cross-cutting governance and cultural issues that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and, performing the mission.

a) Morale and Cultural Resistance to Change

(U) NSIRA heard and read much about very low morale at CSIS — a central concern not only to individuals whom NSIRA interviewed but also in employees’ resignation and retirement exit. There are likely many reasons for this morale problem. The systemic and governance interviews issues in the warrant process are part of them. Morale is injured by a warrant acquisition system that seems to impede performance of the mandate while at the same time being the source of regular reputational crises stemming from duty of candour failures.

(U) At the same time, employees see themselves as participating in a rigorous process. Indeed, so rigorous is this process that employees are frustrated that too few warrants are being sought. They feel caught in a no-win environment compounded by the bureaucratic burden associated with having a warrant application reach the Court.

(U) NSIRA notes that those disillusioned by seemingly unending compliance issues reportedly fall into three categories, reflecting sometimes quite different perspectives: those viewing compliance measures as an inconvenience; those who do not understand the purpose of compliance measures; and, those who viewed them as a manifestation of diffused or insufficient governance responsibility.

(U) First, some interviewees stated that, while duty of candour failures at the Federal Court have resulted in further disclosure obligations and demanded additional undertakings, these failures are perceived as a risk to be managed rather than a problem to be solved. For this group, the implication is that the rule of law is not a grounding consideration. Indeed, some interviewees did doubt the existence of a compliance culture, or that compliance with duty of candour standards was embraced seriously as part of confidential source management.

(U) Others had very different views, and regarded compliance failures as tied to the lack of training and the paucity of modernized processes and policies. CSIS has historically under- resourced policy, compliance and training. Even where policies are changed, NSIRA was told that simply announcing new protocols cannot effect change – and indeed, they may go unread. Some interviewees reported, for example, that Project [Name] communications are ignored. CSIS is developing policy centres, but employees may have a foggy understanding of the role of these units, and may not be sufficiently attuned to issues to know when to seek expert input.

(U) With regards to the third category, NSIRA heard concerns about flawed governance in warrant and compliance matters. Some interviewees expressed concern about governance vacuums. In the eyes of some, managers have done too little to redress employee uncertainty about rules, and indeed even managers at the executive level reportedly sometimes lack understanding of applicable rules. NSIRA heard concerns that employees are reportedly not rewarded for compliance initiatives, and indeed some personnel implicated in poor compliance conduct have been promoted. CSIS was described by some as possessing a culture in which bad news does not travel upwards, and one in which managers resist lessons-learned analysis and reporting, and prefer positive spins on errors.

(U) For other interviewees, CSIS allegedly has a zero-fail approach to some compliance issues, producing a brittle, risk averse working For instance, within CSIS there is reportedly no attitude that in litigation, one wins some and loses some. A troubled warrant application is widely regarded as disastrous, and career impairing. Indeed, interviewees described an internal fear of making mistakes, and a punitive, “call out” culture when mistakes are made. The aim is “not to fail” in order to be promoted, leading to a cautious culture in which some people prefer not to act or ask questions. This culture likely undergirds the multiplicity of warrant steps, and the diffusion of responsibility. It may also be a partial explanation for why some legal doubts are not brought before the court for resolution through the warrant process.

(U) In crafting its recommendations, NSIRA aligned the core warrant responsibilities to the legislative accountability framework while ensuring that those controlling the process can set a careful watch over one of the drivers of morale within their organization.

b) Performing the mission

(U) In this report, NSIRA has identified several governance and cultural The lack of alignment in the way Justice provides legal services with the needs of CSIS, the delay inherent to the quest for legal advice, and the disconnect between the content of legal advice and the operational imperatives of CSIS may not completely explain the current climate. However, this situation can only have compounded other possible causes, if any, beyond the parameters of this review. The problems have resulted in a culture of distrust towards Justice counsel and a systemic reaction whereby CSIS sometimes avoids seeking legal advice.

(U) While NSIRA does not question the need for Justice to speak with “one voice”, the governance structure put in place to safeguard consistency cannot override another fundamental goal, which is to allow its client to comply with and to respect the rule of law.

(U) To become “client-centric” as promised in Justice’s VISION Project, Justice must go from being perceived as a roadblock, to a frank and forthright advisor fully attuned to operational objectives. To achieve that goal, several interconnected recommendations of this report need to be implemented. They reach into Justice’s governance and culture. On the governance aspect, they relate to training, to prompt and clear advice-giving, and to early and extended availability of counsel. On the culture aspect, they relate to the culture of support that goes beyond the mere provision of legal opinions constituting traffic signals – they call for counsel working as advisors opining in an iterative manner on how an intelligence operation might proceed in a manner that respects the rule of law. Providing road map-style advice does not mean Justice abandons its fearless defence of the rule of law, or its independence. It does mean that it situates this advice in a manner that best serves the shared goal of operations compliant with the rule of Changing the culture of distrust and avoidance can take time, but early, continued and consistent engagement in operations should contribute to rebuilding the relationship.

(U) The current governance of advice-giving is unnecessarily detrimental to If the course is not corrected, both organizations put at risk the fulfillment of their mandates.

(U) For CSIS, the risks to its fulfillment of its mandate arise on multiple fronts. NSIRA endorsed above the view that warrants are the “lifeblood” of CSIS. CSIS members may, however, vary in the degree to which they appreciate the significance of warrants. Many interviewees adhered to what may be called a national security culture, in which success is about leveraging CSIS’s mandate to contribute to Canada’s national security. The objective is to provide useable, lawfully-collected information of value to the government of Canada. In this view, the entire CSIS apparatus needs to understand the objectives behind the collecting of information, and see itself as engaged in a collective enterprise, rather than discrete, atomized endeavours. Disillusionment, NSIRA concluded, often reflected recognition of how warrants (and law) are increasingly important in intelligence operations, but at the same time hard to obtain. With the increasing dominance of electronic communications, what was once standard pre- or non-warranted tradecraft is now increasingly crossing the line into activities requiring warrants. Warrants, in other words, reach far into CSIS’s traditional tradecraft.

(U) It was, however, the considered opinion of a number of our interviewees that too many CSIS investigations are now stranded by the warrant process. That process was sometimes compared to winning a lottery, not because of lack of success at the Federal Court but because of the resource intensity of getting the application to the Court.

(S) NSIRA was also advised of investigators [discussion of how collection activities are affected] doing their best to advance investigations [discussion of effects on collection activity]. Leaving to individual interpretation which  [collection activity] may be used could result in boundaries being pushed, compounding grey zone legal issues and reputational risk if these practices then culminate in review or court proceedings. Further, while warranted collection might clarify whether CSIS’s reasonable belief that the individual is engaged in threat activities is well-founded, other techniques may leave the target in limbo. [discussion of how collection activities are affected]. At the same time, it risks focusing the state’s attention on people for greater periods of time because [discussion of how collection activities are affected]

(U) There was widespread support for the view that the warrant process should not be the bottleneck on warranted activities – that any bottlenecks should be driven by operational imperatives. NSIRA was told the metric of success for a reformed warrant process amounts to: more warrants, more closely tailored to the threat, with shorter and more detailed threat assessments that simultaneously meet the court’s expectations.

(U) As the calculations in the preceding sections show, the question of how many warrants CSIS should transact annually was not easily The near-consensus was, more than the number that have been sought in the recent past. The expectation is that operational imperatives in an era of complex threats and burgeoning electronic communication will require more warranted activities. The number of novel issues can only increase, compounding the need for legal advice, which highlights the need for cooperation with Justice.

(U) Given the challenges identified in this report, NSIRA could detect no clear path to achieving such an objective under the status quo. In these circumstances, the warrant process risks remaining the worst of all worlds: a system that makes it too hard for CSIS to perform the mandate given to it, while at the same time doing too little to safeguard against legal error.

(U) This report has identified many governance issues at both Justice and CSIS. The deficiencies in information management; the lack of training; the multiple steps in the warrant process; the absence of an efficient challenge function; the lack of understanding of the decision-making process; and the absence of clear accountability lines all go to the heart of the very questions that characterize the notion of governance: How are decisions made? Who makes them? Who is accountable for them?

(U) Reforms should allow for clear answers to these questions. Among other things, NSIRA has recommended that the CSIS Director assume more immediate responsibility for the Affiant Unit and that the Minister and Public Safety host a more immediate role in challenging warrants. These structural reforms, however, will only produce positive changes if accompanied by the implementation of the other recommendations, especially those sustaining the Affiant Unit.

(U) In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated governance and cultural patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process. NSIRA agrees with the 2020 Rosenberg Independent Review that “a precondition to successfully implement the recommendations is to address the cultural issues around warrants”.

(U) The challenges communicated by many interviewees will not disappear unless widespread governance reforms facilitate an improved warrant process. Cherry-picked changes or paper reforms that mask governance and cultural issues, without addressing them, will suffer the ignominious fate of prior rounds of changes: they will not fix systemic issues. This will require a major effort. In this review, NSIRA has proposed a series of reforms. No single recommendation made here will alone resolve the source of systemic issues in the warrant process. CSIS and Justice shall need to pursue recommendations as a package.

(U) Finding no. 25: NSIRA finds that CSIS and Justice are at risk of not being able to fulfill their respective mandates. No one reform is likely to succeed unless each is pursued as part of a coherent package. No package will succeed unless backed by prioritization at senior levels, and the stable provision of resources, including people with the means and institutional knowledge to see reforms through. And no reform initiative will succeed unless accompanied by clear performance indicators, measured and analyzed regularly to track progress.

In view of NSIRA’s findings above, and of prior unsuccessful reforms, NSIRA recommends that:

(U) Recommendation no. 19: The recommendations within this review be treated as a coherent package and that progress and outcomes in implementing these recommendations be tracked, allowing management, the Ministers of Public Safety and of Justice, and NSIRA, to assess the efficacy of reforms and course correct if necessary.

(U) NSIRA intends to launch a follow-up review, within two years, which will measure progress at CSIS, Justice and Public Safety in resolving the systemic issues with the warrants process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court.

In recognition of the fact that this report followed a recommendation of the Federal Court, NSIRA in turn recommends that:

(U) Recommendation no. 20: The full, classified version of this report be shared with the designated judges of the Federal Court.

Share this page
Date Modified:

Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities

Review Backgrounder

In 2019-2020, NSIRA conducted its first interdepartmental review on the implementation of the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities (2017 MD). The review set out to build NSIRA’s knowledge of the information sharing process adopted by the six departments that received the 2017 MD.

NSIRA conducted a case study for each department that had operationalized the 2017 MD. NSIRA noted significant differences in the six departments’ implementation and operationalization of information sharing processes. NSIRA found that CSE, CSIS and the RCMP had implemented the 2017 MD; DND/CAF was implementing the final elements of the 2017 MD; GAC had not yet fully implemented the 2017 MD; and, the CBSA had not yet operationalized the 2017 MD.

NSIRA examined and found differences in how high-risk decision-making is removed from operational personnel who may have a vested interest in the sharing. CSE and the RCMP had the most independent processes; GAC removed high-risk decision-making from front line personnel, while CSIS and DND/CAF decision makers had a direct operational interest in sharing information. NSIRA recommended that Departments ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.

NSIRA also found a lack of standardization in information sharing risk assessments for both foreign countries and foreign entities. This issue has been noted in other NSIRA information sharing reviews.

In 2019, parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act, which in conjunction with the subsequent issued Orders in Council (OIC’s) codified many of the provisions of the 2017 MD and left the essential prohibitions and limits unchanged. Noteworthy, the six departments examined in this review are also the same departments for which there is an obligation to issue OICs pursuant to the Act. This review set out the foundation that has assisted and facilitated NSIRA’s subsequent mandated information sharing reviews.

Publishing this review aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work.

Date of Publishing:

1. Executive Summary

In 2011 and again in 2017, ministers issued direction (hereafter Ministerial Direction or MD) to a number of departments setting out how to manage the risks of mistreatment posed by the sharing of information with foreign entities. Most recently, Parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA). In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.

This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a foundation that will expedite and facilitate NSIRA’s future information sharing reviews.

The review focused on the six departments that had received the 2017 MD: the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CSBA), Global Affairs Canada (GAC), and the Department of National Defence and the Canadian Armed Forces (DND/CAF).

Observations and Recommendations

Degrees of implementation vary across departments

NSIRA noted significant differences between the six departments with regard to the level of implementation of information sharing processes. In summary:

  • CSE, CSIS and the RCMP have implemented the 2017 MD.
  • DND/CAF is in the process of implementing final elements of the 2017 MD.
  • GAC has not yet fully implemented the 2017 MD.
  • In practice, CBSA has not yet operationalized the 2017 MD.

The concept of “substantial risk” of mistreatment is not defined

Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a “substantial risk” of mistreatment. Neither the ACMFEA nor its direction include a definition of substantial risk, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in future.

Recommendation: The definition of “substantial risk” should be codified in law or public direction.

Departments vary with respect to the independence of their decision-making

  • CSE and the RCMP have the most independent processes.
  • The information sharing processes implemented by GAC to date remove high- risk decision-making from “front line” personnel.
  • At CSIS and DND/CAF, decision-makers typically have a direct operational interest in the sharing of information.
  • CBSA has not yet operationalized its information sharing processes.

Recommendation: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.

Lack of standardized information sharing risk assessments

Under the 2017 MD, GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. It may also yield inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing.

Recommendation: Departments should develop: (a) a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and (b) to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

Benefits of internal information sharing process reviews

Finally, NSIRA noted that periodic internal reviews of information sharing policies and processes supported their successful functioning in the long term.

Recommendation: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.

2. Authorities

This review was conducted under the authority of the National Security and Intelligence Review Agency Act (NSIRA Act), specifically paragraphs 8(1)(a) and 8(1)(b) as well as sections 9 and 11.

3. Introduction

Many departments and agencies in the Government of Canada routinely share information with foreign entities. Given that information sharing with entities in certain countries can result in a risk of mistreatment for individuals, it is incumbent upon the Government of Canada to evaluate and mitigate the risks that such sharing creates. This is particularly the case for information sharing related to national security and intelligence, where the information often relates to alleged participation in terrorism or other criminal activity.

Canada has made a number of binding commitments under the International Covenant on Civil and Political Rights (ICCPR), the Convention Against Torture and Other Cruel, Inhumane, or Degrading treatment or Punishment (CAT), and other international agreements. The prohibitions on mistreatment – including complicity in mistreatment – set out in these agreements are also considered to be customary international law. Some of Canada’s obligations have been incorporated into domestic law under section 269.1 of the Criminal Code.

In 2011 and again in 2017, ministers issued direction to a number of departments setting out how to manage the risks in information sharing with foreign entities. Most recently, Parliament passed Bill C-59, which included the ACMFEA. In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.

Subsection 8(2.2) of the NSIRA Act requires NSIRA to review annually every department’s implementation of the directions of the GiC issued under the ACMFEA. In 2020, the NSIRA will undertake its first such review. The purpose of the present review, however, was to build NSIRA’s knowledge and understanding of departments’ implementation of the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a valuable foundation that will expedite and facilitate NSIRA’s future information sharing reviews.

The review focused on the six departments that received the 2017 MD: CSIS, CSE, the RCMP, CBSA, GAC, and DND/CAF. NSIRA examined departments’ policies and processes as well as documents related to foreign arrangements. Where possible, NSIRA examined a single case study for each department in order to illustrate how information sharing works in practice. Given the high-level approach taken in this review, NSIRA opted to make a series of broad observations about the strengths and weaknesses of departments’ framework for information sharing with foreign entities, in the place of formal findings. Where NSIRA made recommendations, they were interdepartmental in scope.

This review focused on departmental policies and procedures for the disclosure and requesting of information involving a risk of mistreatment. It did not examine the use of information that may have been derived from mistreatment; NSIRA may review this topic in future.

4. Background

In 2011, the Government of Canada approved a general framework for “Addressing Risks of Mistreatment in Sharing Information with Foreign Entities”. The framework was the first multi-departmental set of instructions issued regarding information sharing and mistreatment. Its main aim was to establish a coherent and consistent approach across government when sharing information with foreign entities.

Later in 2011, a number of departments whose mandate related to national security and/or intelligence received Ministerial Direction on Information Sharing with Foreign Entities (the 2011 MD). Specifically, the 2011 MD was issued to CSIS, CSE, CBSA, and the RCMP. The 2011 MD, which was eventually released under the Access to Information Act, was subject to extensive criticism from non-governmental organizations, civil liberties groups, and others including the Canadian Bar Association. The main critique was that the 2011 MD did not clearly prohibit the disclosure or requesting of information entailing a “substantial risk” of mistreatment, but rather permitted departments to weigh the value of the information against the risk of mistreatment.

In 2017, the 2011 MD was replaced by a new Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities (the 2017 MD). The 2017 MD was received by CSIS, CSE, CBSA, and the RCMP – the departments that had received the 2011 MD – as well as by DND/CAF and GAC. The 2017 MD included numerous changes, but the most significant were clear prohibitions on the disclosure and requesting of information that would result in a substantial risk of mistreatment, as well as new limits on the use of information likely derived from mistreatment by a foreign entity. In addition, the new MD required departments to maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities.

The 2017 MD further directed departments to cooperate in making assessments regarding foreign countries and entities. In response, Public Safety Canada (PS) established the Information Sharing Coordination Group (ISCG) comprised of PS and the six departments that had received the 2017 MD. The objective was to encourage interdepartmental discussions in support of a coordinated approach to the implementation of the MD.

On July 13, 2019, the ACMFEA came into force. The ACMFEA requires the GiC to issue direction to the six departments that had received the 2017 MD, and gives the GiC discretion to issue direction to other departments as well. On September 4, 2019, the GiC issued direction under the ACMFEA to twelve departments. In addition to the six mandatory departments, direction was issued to PS; the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC); Transport Canada; Immigration, Refugees and Citizenship Canada (IRCC); the Canada Revenue Agency (CRA); and Fisheries and Oceans Canada (DFO). These six new departments have now also joined the PS-led ISCG.

In practice, the information sharing regime set out by the ACMFEA and the subsequent GiC direction closely resembles the 2017 MD. The fundamental limits on Canadian departments’ scope to share information remain unchanged. Notably, however, the new regime omits certain aspects of the 2017 MD. The ACMFEA and its associated direction lack the 2017 MD’s requirement that departments maintain policies and procedures for assessing the risks associated with foreign information sharing arrangements, in collaboration with other departments. More importantly, the new system omits a definition of the threshold of “substantial risk”. The ramifications of this are discussed below.

5. Observations and Recommendations

Reporting

One of the new obligations placed on departments in the 2017 MD was a requirement that they provide an annual report to their minister that included:

All of the departments that were issued the 2017 MD fulfilled their obligation to report to their respective ministers by producing a report in late 2018 or early 2019 discussing the first year of activity under the MD. At the time of writing, however, not all of the departments have issued a public report. As this was a foundational review, NSIRA did not critically evaluate the reports.

Department Report to Minister Public report Cases approved Cases denied
CBSA Provided Published 0 0
CSIS12 Provided Published 1 1
RCMP13 Provided Published 25 4
CSE14 Provided Published 1 0
DND/CAF Provided Not Published 0 0
GAC Provided Not Published 0 0

Implementation of the 2017 Ministerial Direction

When the 2017 MD was issued, departments that had already built information sharing policies and procedures under the 2011 MD found themselves at a significant advantage. CSIS, CSE, and the RCMP in particular were able to quickly adapt their existing systems to the 2017 MD. Accordingly, for departments that had not received the 2011 MD – or had not implemented it – the arrival of the 2017 MD proved more challenging.

CSE: NSIRA observes that CSE has fully implemented all of the elements of the 2017 MD. The MD’s requirements have been integrated directly into CSE’s operational policies and processes. A detailed overview of CSE’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex D.

RCMP: In response to the 2017 MD, the RCMP overhauled their information sharing framework and stood up a new Law Enforcement Assessment Group (LEAG) that, amongst other things, assesses country human rights records and maintains a system for streaming information sharing requests according to risk. The RCMP is currently working to integrate these processes into their comprehensive operational manual. A detailed overview of the RCMP’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex E.

CSIS: Following the issuance of the 2017 MD, CSIS quickly updated their policies and procedures. In 2018, CSIS also created a new system to implement the MD’s requirement to restrict information sharing with foreign entities that engage in mistreatment, with three levels of restriction depending on the seriousness of the problem. CSIS has informed NSIRA that it is overhauling its current policies and procedures. A detailed overview of CSIS’s current information sharing framework and the results of the case study examined by NSIRA can be found at Annex F.

DND/CAF: Although DND/CAF did not receive the 2011 MD, DND/CAF has had internal directives in place governing information sharing with foreign entities since 2010. The DND/CAF policy and process suite for information sharing was updated following the issuance of the 2017 MD to bring it into compliance with the new requirements. While DND/CAF vets partner forces, it does not yet have a fully developed system for assessing and managing the risks of sharing information with foreign entities. DND/CAF is, however, currently developing more extensive country risk profiles and a standardized assessment process that will be used to assess the risks of information sharing prior to establishing information sharing arrangements. A detailed overview of DND/CAF’s information sharing framework can be found at Annex G.

GAC: Following receipt of the 2017 MD, GAC established a new Ministerial Direction Compliance Committee (MDCC) in December 2018. The MDCC’s objective is to review requests for information sharing that may engage the MD. This is the extent of GAC’s policies and processes pursuant to the MD, however. GAC lacks any policies or procedures setting out how employees are to assess instances of possible information sharing to ensure that all appropriate cases reach the MDCC. It is insufficient to merely inform employees that they are responsible for assessing a complex legal threshold – the concept of a “substantial risk” of mistreatment at the core of the 2011 and 2017 MD as well as the ACMFEA – without guidance as to how they should proceed. As such, NSIRA observes that GAC has not yet fully implemented the 2017 MD.

GAC (cont.): Of note, GAC produces human rights reports on countries that are widely used within government to assist in assessing the risks of sharing with foreign entities. Following the 2017 MD, GAC added a subsection specific to mistreatment to these reports. A detailed overview of GAC’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex H.

CBSA: In October 2018, CBSA issued a revised high-level policy document in response to the 2017 MD. The document did not include concrete processes for identifying and handling instances of information sharing involving a risk of mistreatment, however. CBSA employees thus lack effective guidance with which to discharge their responsibilities under the MD. CBSA also has no process for assessing the risks associated with specific foreign countries and entities, as required by the MD. CBSA has since drafted processes and additional policies, but they have not yet been finalized or invoked. Given these significant gaps, NSIRA observes that CBSA has not yet operationalized the 2017 MD. CBSA has informed NSIRA, however, that it intends to introduce significant improvements over the coming year. A detailed overview of CBSA’s information sharing framework can be found at Annex I.

Additional observations are included in the department-specific annexes referenced above. It should also be noted that NSIRA examined departmental policies and processes at a high level, and as such future reviews may make additional findings and recommendations regarding policies and processes. Moreover, a number of departments are in the process of revamping their information sharing practices, including in particular CSIS and DND/CAF.

In its survey of departments, NSIRA noted varying levels of rigour and consistency with regard to record keeping. Accurate and detailed records of deliberations and reasoning in support of decision-making related to information sharing with foreign entities are necessary to support accountability, particularly in light of the Supreme Court’s recent decision in Vavilov. NSIRA may return to this subject in future years.

In June 2019, the RCMP conducted an internal review of the framework and policies in place for its information sharing policies and procedures. The review identified certain shortcomings with regard to policies, processes, training, and resourcing. Based on the draft provided, NSIRA observes that the review was candid and thorough. The review is currently being used to guide improvements. Periodic internal reviews – such as the one conducted by the RCMP – should be considered a best practice.

Recommendation no. 1: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.

Independent Decision-Making

The concept of risk mitigation is key to the information sharing frameworks of departments. When information sharing would result in a substantial risk that an individual would be mistreated, the information can only be shared if the department takes measures to mitigate the risk of mistreatment such that the residual risk is no longer substantial. Much therefore depends on who, within departments, is authorized to make decisions regarding whether:

  • an instance of proposed information sharing would result in a substantial risk of mistreatment; and
  • the proposed mitigation measures are sufficient.

In looking at the various decision-making processes adopted by departments, NSIRA noted varying levels of independence from operational personnel. Of particular interest were processes where the individual making decisions has a direct operational interest in the sharing of the information, creating the potential for conflict between operational imperatives and departmental obligations to respect the MD.

At CSE, the complete Mistreatment Risk Assessment process is conducted by non-operational units. The centralization of information sharing decision-making in a single branch minimizes direct operational pressure while facilitating informed and objective decisions.

The RCMP process uses other mechanisms to ensure independent decision- making. Individual investigators, when they wish to share information, must consult a list of countries and types of information sharing that the RCMP has pre-determined as representing sufficient risk of mistreatment. If the proposed sharing matches the list, then the case is automatically referred to the Foreign Information Risk Advisory Committee (FIRAC). FIRAC comprises a range of senior officials from RCMP headquarters who are a step removed from the operational front-line. The RCMP’s system of referral to FIRAC based on clear criteria removes discretion from officers with a vested interest in the sharing of the information. These officers may not have a full understanding of the geopolitical context of the proposed information sharing and thus are not best-placed to assess whether a substantial risk of mistreatment would result.

GAC requests that Directors General and Heads of Mission refer all cases where proposed information sharing “presents the potential for substantial risk of mistreatment” to the MDCC. The decision as to whether the substantial risk can be mitigated is made centrally by the MDCC, which comprises senior officials from across the department as well as a legal representative. As noted above, however, GAC currently does not provide officials with guidance on how to determine whether the threshold for referral to the MDCC has been met.

Compared to CSE, GAC, and the RCMP, decision-making at CSIS and DND/CAF is much closer to operations. CSIS provides high-level guidance to desks on how to identify information sharing that may result in a substantial risk of mistreatment, but leaves final decision-making regarding whether the situation does in fact create a substantial risk, and whether the risk can be mitigated, to the Deputy Director General or the Director General of each branch. Only if CSIS has heavily restricted information sharing with the foreign entity in question – or else the branch is unsure whether the substantial risk can be mitigated – then the branch must refer the case to the Information Sharing Evaluation Committee (ISEC) for determination. As a result, most of CSIS’s information sharing decisions – even those involving a substantial risk of mistreatment – are made by officials with a direct operational stake in the outcome of the proposed information sharing.

Within DND/CAF, decisions regarding the sharing of information rest with officers within the military chain of command. NSIRA was informed that while routine information sharing is approved by designated lower-level officers in theatre, cases involving unusual circumstances, or where there is uncertainty as to whether a substantial risk of mistreatment exists or can be mitigated, are elevated to senior levels. Once passed up the chain of command, senior officers receive advice from a range of officials at headquarters.

CBSA, at the present time, does not have processes to assess substantial risk or to make decisions regarding whether such risks can be mitigated. In practice, therefore, the onus currently rests on CBSA officers, acting without guidance, to identify cases that invoke the 2017 MD and to manage the associated risks. CBSA has drafted a procedure for cases where there is uncertainty as to whether a substantial risk of mistreatment can be mitigated, but it has not yet been implemented.

Recommendation no. 2: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.

Country Assessments

As noted above, a significant addition to the 2017 MD was the requirement that departments maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities. Notably, the MD required departments to assess the human rights records of foreign countries generally and not just of specific foreign entities (i.e., police or intelligence services) within those countries. While the MD did not prohibit information sharing with foreign entities in countries with troubling human rights records, it implied that Canada’s relationships with such foreign entities could not be considered in isolation from the broader human rights environment in which these entities functioned.

In several instances, NSIRA noticed departments citing an absence of direct Government of Canada intelligence of mistreatment by a specific foreign entity in support of a proposed sharing of information, or else in support of a less restrictive information sharing policy towards the entity in question – despite ample reporting of systemic human rights abuses in the public domain. NSIRA observes that a lack of internal Government of Canada reporting of mistreatment by a specific foreign entity is not evidence that the entity does not engage in mistreatment. Departments must consider the full range of sources in assessing risk, including open sources such as the media and non-governmental organizations.

GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. and It may also yield significant inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing. With the issuance of direction under the ACMFEA to twelve departments, this issue will likely grow. See Annex F for additional discussion of this point.

The ISCG seeks to guide departments in developing their human rights assessment processes by providing a forum to discuss best practices. PS informed NSIRA that the ISCG had not discussed plans to standardize these assessments.

Recommendation no. 3: Departments should develop:

  • a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and
  • to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

The recommendation above does not preclude department-specific approaches to mitigating the risks of mistreatment. For instance, a department may be able to draw upon aspects of its relationship with a foreign entity to reduce the risk of mistreatment not available to other departments. These differences should not affect the initial determination of the underlying risk of mistreatment posed by information sharing with a foreign entity, however.

In India v. Badesha (2017), the Supreme Court of Canada recently provided guidance on contextual factors to be considered when assessing the reliability of assurances sought from foreign entities regarding mistreatment. Though not exhaustive, the decision provides departments with some guidance regarding the adequacy of assurances received.

Duty of Care

In reviewing GAC, NSIRA noted a tension between adherence to the 2017 MD and GAC’s duty of care with regard to the safety and security of mission staff abroad. Indeed, both cases of information sharing referred to the MDCC in 2019 involved threats to mission In one of the cases, information was shared with a foreign entity before the MDCC had had the chance to assess the risk of mistreatment. In this instance, the GAC official cited the need to protect the safety of mission staff (see Annex H).

NSIRA acknowledges the importance of mission security and the seriousness of the conundrums that can arise when the needs of mission security and GAC’s obligations with respect to information sharing collide. Yet the charged atmosphere of a mission under threat may not be the best venue for quick decision-making involving risks of mistreatment.

Substantial Risk

Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a substantial risk of mistreatment. Neither the ACMFEA nor its direction include a definition of “substantial risk”, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in the future.

In consultation with other departments, PS is developing a policy document that includes the same definition of substantial risk that was found in the 2011 and 2017 MD. The document also contains guidance on other requirements contained in the 2017 MD but that were omitted from the ACMFEA and its direction. When asked by NSIRA, the six departments that had been subject to the 2017 MD all stated that they intended to continue abiding by the established definition of substantial risk. This is reassuring, and should limit the potential for inconsistency between departments. Nonetheless, such a crucial definition should not be left up to individual departments to determine.

Recommendation no. 4: The definition of “substantial risk” should be codified in law or public direction.

The definition of substantial risk in the 2017 MD requires that mistreatment be “foreseeable”. As described in Annex G, DND/CAF’s assessment of foreseeability encompasses a number of factors, but a key component is that the risk of mistreatment be a “causal consequence” of DND/CAF information sharing. NSIRA observes that DND/CAF’s interpretation of foreseeability runs the risk of narrowing the definition of substantial risk and therefore the application of the 2017 MD. Given the importance of a clear and consistent understanding of “substantial risk” across departments, in future years NSIRA may review the application of the “substantial risk” threshold by DND/CAF – and other departments – to information sharing with foreign entities.

A substantial risk of mistreatment is defined as existing in cases where mistreatment is more likely than not. The definition includes a qualifier, however, that the threshold may be met at lower level of probability “where the risk is of severe harm”. This reflects a larger point that the assessment of substantial risk is not intended to be a narrowly mechanistic process of balancing probabilities. The 2017 MD notes that the Government of Canada “has no interest in actions associated with the use of torture or other cruel, inhumane or degrading treatment or punishment. Knowingly associating the Government of Canada with any of these actions would damage the credibility and effectiveness of any department or agency associated with them”. When interpreting the threshold of substantial risk, departments should always bear in mind the larger purpose of Canada’s framework for sharing information with foreign entities.

In order to give life to this framework, it is incumbent on departments, first, to ensure that their employees are trained to the point where they fully understand their legal obligations, and second, to establish clear and well-developed processes that foster and facilitate compliance in the broadest sense.

6. Conclusion

This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. NSIRA noted significant differences between the six departments reviewed with respect to the level of implementation of information sharing processes. Processes also varied widely in terms of the level of independence of decision-making.

Although departmental information sharing frameworks will continue to evolve over time, this review will provide a baseline of comparison for future developments under the ACMFEA. The review also served to identify areas of potential concern that NSIRA may revisit in future years.

Share this page
Date Modified:

National Security and Intelligence Review Agency Annual Report 2020

Backgrounder

NSIRA’s 2020 Annual Report focuses on review and investigation work carried out during our first full year of operation. In 2020, NSIRA completed reviews covering the national security and intelligence activities of departments and agencies across Canada’s federal government.

This report highlights key findings and recommendations, as well as our efforts to standardize and modernize our review processes. The report also discusses our new approach to information verification in reviews (our “trust but verify” approach) as well as NSIRA’s review plan for the coming years. Review highlights include:

  • CSIS threat reduction measures (TRM) and intelligence-sharing activities;
  • CSE activities, notably the disclosure of Canadian identifying information (CII) to Government of Canada departments, ministerial authorizations (MAs) and ministerial orders (MOs) under the CSE Act, and CSE’s signals intelligence (SIGINT) data retention policies and procedures;
  • DND/CAF counter-intelligence gathering activities;
  • A review of a GAC program; and,
  • Two cross-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and disclosures of information under the Security of Canada Information Disclosure Act.

NSIRA’s mandate includes the investigation of complaints related to national security made by members of the public. In 2020, we completed one investigation and modernized our complaints investigation model to ensure efficiency and transparency. Two priorities guided the modernization of the process, namely, access to justice for self-represented complainants and the creation of streamlined and less formal procedural steps. This was achieved through the creation of new Rules of Procedure as well as the implementation of our new declassified, de-personalized policy on final investigations reports.

NSIRA’s 2020 Annual Report also discusses our organization’s underlining goals and values, and highlights how the organization grew in size and capacity throughout the 2020, as it continued efforts to enhance its technical and subject matter expertise.

Date of Publishing:

Dear Prime Minister,

On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our second annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2020, as well as our findings and recommendations.

In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with the deputy heads concerned in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitorclient privilege, the professional secrecy of advocates and notaries or to litigation privilege.

Yours sincerely,

The Honourable Marie Deschamps, C.C.

Chair // National Security and Intelligence Review Agency

Message from the members

The National Security and Intelligence Review Agency (NSIRA) began operating in 2019 as a new independent accountability mechanism in Canada. Our broad review and investigations mandate covers the national security and intelligence activities of departments and agencies across the federal government. In our first annual report, released in 2020, we discussed our initial activities from our inception in July 2019 to December 2019.

We are pleased to now present our second annual report, covering our activities in our first full year of operation. In 2020, we completed numerous reviews and investigations, engaged with stakeholders in the national security and intelligence community, including our international counterparts, launched an ambitious review plan for the coming years, initiated a comprehensive reform of our complaints investigation process, developed a uniform approach to information verification in reviews (our “trust but verify” approach), began standardizing our review processes, and made strides in formalizing efforts to coordinate and collaborate with various partner organizations. NSIRA’s Secretariat also continued to grow steadily in size, expertise, and administrative, technical, and substantive capacity. We achieved all of this within the considerable constraints presented by the COVID-19 pandemic.

We are committed to transparency and public engagement, striving to keep Canadians informed about national security and intelligence activities, and ensure our plans reflect the priorities of all Canadians. Our annual report is one way among many of achieving this. We also aim to achieve this through regularly engaging with stakeholders, members of diverse communities, and parallel review bodies internationally, including those that comprise the Five Eyes Intelligence Oversight and Review Council (FIORC). We are likewise committed, and have began to, releasing public versions of our reports as they are completed (our “write for release” initiative), and to provide timely updates via our website and social media platforms.

After the release of our inaugural annual report, we sought and received feedback from academic and community stakeholders. As a result of these consultations, we have reorganized how we present some of the material in our 2020 annual report. In particular, we have grouped our review summaries, including any findings and recommendations, according to the institutions to which they pertain. We also discuss the outcomes and themes of interagency reviews. As well, this report sets out a framework for more robust statistical reporting on certain aspects of the activities of the Canadian Security Intelligence Service and the Communications Security Establishment activities, to enable year-to-year comparisons.

The pandemic delayed our plans and progress on reviews, investigations, and corporate initiatives in 2020, as was the case for many industries and sectors around the world. As of writing, our staff has begun to have more regular access to our offices and to the classified material critical to our work. More frequent and sustained access will help us conduct our work in a more timely and efficient manner. We look forward to carrying out an ambitious agenda in the year ahead.

We wish to extend our sincere thanks to our NSIRA staff for their dedication and diligence over the past challenging year, and for their continued efforts to build a strong organization.

Marie Deschamps
Craig Forcese
Ian Holloway
Faisal Mirza
Marie-Lucie Morin

Executive Summary

The National Security and Intelligence Review Agency (NSIRA) marked its first full year in operation in 2020. With the agency’s broad jurisdiction under the National Security and Intelligence Review Agency Act (NSIRA Act), it reviewed and investigated national security and intelligence matters relating to not only the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also several federal departments and agencies, including:

  • the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
  • Global Affairs Canada (GAC);
  • the Royal Canadian Mounted Police (RCMP);
  • Immigration, Refugees and Citizenship Canada (IRCC);
  • the Canada Border Services Agency (CBSA);
  • Transport Canada;
  • the Public Health Agency of Canada; and,
  • all departments and agencies engaging in national security and intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.

The agency also focused on standardizing and modernizing the processes that govern the two main functions under NSIRA’s mandate—reviews and investigations—to ensure that our processes are robust, clear, and transparent.

The year 2020 also saw the organization grow in size and capacity, as it continues efforts to enhance its technical and subject-matter expertise.

Review highlights

Canadian Security Intelligence Service

Over the course of 2020, NSIRA completed two reviews that strengthened its knowledge of important areas of CSIS activity:

  • The review of CSIS’s threat reduction measures (TRM) found that CSIS met its obligations under ministerial direction. However, in a limited number of cases, CSIS’s TRMs were not “reasonable and proportional.”
  • The review of CSIS and RCMP intelligence-sharing through the lens of an ongoing investigation shed light on an important unresolved issue in Canada’s national security framework: the limitations on the use of CSIS intelligence to support RCMP criminal investigations, also known as the “intelligence-to-evidence” dilemma.

Communications Security Establishment

NSIRA completed three reviews of CSE activities in 2020, including of:

  • CSE’s disclosure of Canadian identifying information (CII) to Government of Canada (GC) departments, which found that 28% of requests for disclosure were insufficiently justified to warrant the release of CII;
  • ministerial authorizations (MAs) and ministerial orders (MOs) under the CSE Act, which allow CSE to engage in activities that would otherwise be unlawful, to support its mandate; and
  • CSE’s signals intelligence (SIGINT) data retention policies and procedures, to better understand the SIGINT lifecycle management process and compliance with legal data retention limits and related government and internal policies.

Department of National Defence and the Canadian Armed Forces

In 2020, NSIRA completed a review of DND/CAF, which examined how the Canadian Forces National Counter-Intelligence Unit (CFNCIU) conducted its counter-intelligence gathering activities—focusing particularly on how the unit’s activities corresponded with legal and governance frameworks.

Global Affairs Canada

In 2020, NSIRA completed its first dedicated review of Global Affairs Canada (GAC) focusing on one of its programs.

Other departmental reviews

NSIRA also began reviews regarding a specialized RCMP intelligence unit, to better understand the national security role and responsibilities of Immigration, Refugees and Citizenship Canada, and a review of air passenger targeting at the Canada Border Services Agency.

Cross departmental reviews

NSIRA conducted two mandated cross-departmental reviews in 2020:

  • a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
  • a review of disclosures of information under the Security of Canada Information Disclosure Act (SCIDA); and

NSIRA also began another cross-departmental review in 2020:

  • a review to map the collection and use of biometrics across the federal government in security and intelligence activities.

Investigation highlights:

In 2020, NSIRA reformed and modernized its complaints process to promote efficiency and transparency. Two priorities guided this process of modernization, namely, promoting access to justice for self-represented complainants, and putting in place more streamlined and less formal procedural steps.

As part of this reform process, NSIRA created new Rules of Procedures, completing an extensive consultation exercise with stakeholders in the public and private sectors to ensure the most effective and considered final product. The new rules have come into force on July 19, 2021.

NSIRA also developed a new policy statement in 2020 that commits to publishing redacted and de-personalized investigation reports to promote and enhance transparency in its investigations.

Introduction

1.1 Who we are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament. Prior to NSIRA’s creation, several gaps existed in Canada’s national security accountability framework. Notably, NSIRA’s predecessor review bodies did not have the ability to collaborate or share their classified information, but were each limited to conducting reviews for a specified department or agency.

By contrast, NSIRA has the authority to review all Government of Canada national security and intelligence activities in an integrated manner. As noted in the 2019 annual report, with NSIRA’s expanded role, Canada now has one of the world’s most extensive systems for independent review of national security in the world.

1.2 Mandate

NSIRA has a dual mandate to conduct reviews and investigations on Canada’s national security and intelligence activities. Annex B contains a financial and administrative overview of NSIRA.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).2 This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency, the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada, and the Department of Justice. Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA. Annex C describes NSIRA’s review framework.

NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Reviews of CSIS and CSE will always remain a core part of NSIRA’s efforts, since the entire focus of these organizations is to address national security and intelligence matters. Unlike its predecessor review bodies, however, NSIRA has an all- encompassing review mandate. NSIRA will also continue to prioritize and examine how other departments engaging in national security and intelligence activities meet their obligations. NSIRA’s reviews help keep Parliament and Canadians informed about the lawfulness and reasonableness of Canada’s national security and intelligence activities.

Investigations

In addition to its review mandate, NSIRA is responsible for investigating national security- or intelligence-related complaints. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:

  • the activities of CSIS or CSE;
  • decisions to deny or revoke certain federal government security clearances; and,
  • ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.

This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism)3 and the Canadian Human Rights Commission.

1.3 Annual Reports to Parliament

Each calendar year, NSIRA has a statutory obligation to submit to the Prime Minister a report on its activities in the preceding year, along with its findings and recommendations.

2019 Annual Report

NSIRA’s first annual report (2019 Annual Report) covered the six-month period from July 2019 when NSIRA was established, through to the end of 2019. In that report, the agency discussed the reviews and investigations that it had either completed or launched in 2019, with the accompanying findings and recommendations. It also published the results of reviews that had not yet been made public by its predecessor organizations, the Security Intelligence Review Committee (SIRC) and the Office of the Communications Security Establishment Commissioner (OCSEC).

The 2019 Annual Report also presented NSIRA’s review findings through a novel framework called the “information continuum.” Given the agency’s comprehensive, overarching review mandate, this framework offers a lens for understanding key national security- and intelligence-related themes, trends and challenges that are common to departments and agencies across the federal government. This lens allows for discussing shared concerns in Canada’s overall security and intelligence architecture, and informs future review priorities and the recommendations for addressing them. The information continuum is discussed further in section 2.1 below.

2020 Annual Report

In response to feedback received from stakeholders, NSIRA’s second annual report groups the review summaries according to government department, including for CSIS and CSE. Nevertheless, NSIRA continues to be committed to presenting broader themes and observations on national security and intelligence accountability across Canada.

In the 2020 Annual Report, NSIRA therefore presents:

  • its “trust but verify” approach, developed to ensure it has timely access to all relevant information when conducting department and agency reviews;
  • an update on the agency’s plans to continue presenting review analyses through the information continuum lens;
  • summaries of NSIRA’s completed and ongoing reviews of CSIS, CSE, and other government departments and agencies in 2020, with background in the next section and summarized in Annex D, as well as detailed findings and recommendations listed in Annex E;7
  • data on CSE and its compliance-related activities, to promote greater transparency in these matters;
  • NSIRA’s plans for upcoming department and agency reviews, including to inform the three-year mandated parliamentary review of the National Security Act, 2017, that is expected to begin in 2022;
  • summaries of complaints investigations completed and ongoing in 2020;
  • an outline of the agency’s new, modernized complaints process, the result of an extensive reform initiative; and,
  • statistics on NSIRA’s complaints investigations in 2020 in Annex F.

1.4 Values and goals

NSIRA is committed to:

  • being open and transparent, to keep Canadians informed about the lawfulness and reasonableness of our country’s national security and intelligence activities;
  • anticipating the various risks that are part of each of the reviewed entities’
  • mandate;
  • being, as well as being seen to be, objective and independent;
  • maintaining methodological excellence, to ensure the rigour and quality of NSIRA’s approach;
  • engaging regularly with partners, stakeholders, and community members; and,
  • fostering forward- and innovative-thinking, to keep abreast and, ideally, stay ahead of new technology and an ever-changing national security environment.

As part of a commitment to methodological excellence, NSIRA developed its “trust but verify” approach (highlighted below) to provide an important measure of confidence in the completeness of information received from departments and agencies.

In 2020 the NSIRA Secretariat also began work to develop a Code of Conduct for all employees, which was finalized in June 2021. The Code sets out the organizational values that guide the workforce’s activities and functions and the expected standards that must be observed during and after a person’s employment with the NSIRA Secretariat.8

Additional details on NSIRA’s values and goals related to transparency, anticipation of risk, objectivity and independence, methodological excellence, stakeholder and community engagement, and forward- and innovative-thinking can be found in Annex G.

1.5 Trust but verify

The NSIRA Act grants the agency extensive access rights to information: with the exception of Cabinet confidences, NSIRA is entitled to have access in a timely manner to any information in the possession or under the control of any department. In conducting reviews and investigations, it requires timely access to a wide range of information, people, and assets. This, in turn, requires regular support from expert liaison units that can provide documentation, arrange briefings, answer questions, and generally guide and implement NSIRA’s access requirements. NSIRA’s ability to fulfil its mandate can be challenged when it faces delays in receiving information.

As a review agency, NSIRA must be able to assure Parliament — and through it, Canadians — that it has a high level of confidence in the completeness of the information received from departments and agencies, and hence, in the robustness of its findings. The ‘’trust but verify” approach is a critical tool for reaching this objective.

NSIRA recognizes, on the one hand, that the principle of trust requires each party to understand and appreciate the mandate, and feel confident in the integrity, of the other. Of course, in a review relationship there will necessarily be healthy tensions stemming from differences in perspective.

On the other hand, verification is a fundamental prerequisite of any credible review. NSIRA must be able to independently test the completeness of the information it receives.

Moving forward, NSIRA will implement a “tailored access” process for conducting verification. Tailored access involves identifying its information access needs in response to the specific review or investigation and collaborating with departments and agencies in determining the various types of access that will constitute the best manner in which to obtain that information. The tailored access process may include targeted access of computer networks and information, proxy access, dedicated office space, and access to training materials.

  • Targeted access constitutes direct access to a department’s or agency’s computer networks and/or sensitive information. Targeted access is the gold standard for ensuring a robust verification of information received as part of the trust but verify approach.
  • Proxy access involves a departmental or agency intermediary who accesses
  • information repositories in the presence of NSIRA staff, and who can review relevant information as it appears on the system.
  • Allocated office space at departments or agencies, either temporary or permanent, enables more expedient and secure exchanges of information.
  • Access to training requires access to departmental or agency training modules relating to relevant corporate policies and other matters, to allow NSIRA to build specific knowledge.

The tailored access processes can place logistical and resource strains on departments and agencies having to implement them, and may require a shift in culture. Overall, however, tailored access provides mutual benefits. Tailored access processes can increase transparency and accountability on all sides, allow information to be accessed in a more secure and timely manner, foster positive professional interactions, improve overall expertise, and strengthen evidence-based findings and recommendations. Moreover, NSIRA believes that tailored access will, over time, result in a reduced workload for liaison staff at departments and agencies under review.

The trust but verify approach is not new. Both NSIRA and its predecessor, SIRC, have already had long-standing tailored access arrangements with CSIS that include targeted (direct) access to CSIS’s computer networks and sensitive information.

The trust but verify principle is a key aspect of maintaining the integrity and credibility of NSIRA’s reviews. In keeping with the commitment to transparency and methodological rigour, its reviews will contain a “confidence statement” to report NSIRA’s confidence level in the completeness of the information on which the findings rely, given agency’s ability to verify. The confidence statement is an important tool for apprising ministers, Parliament, and members of the public on the extent to which NSIRA has been able to access all relevant information.

Review

2.1 The information continuum

As previously mentioned, NSIRA’s review mandate extends throughout the federal government. NSIRA’s broader jurisdiction allows it not only to examine the national security and intelligence activities of a specific organization, but also to identify common themes that emerge across government.

In the 2019 Annual Report, NSIRA introduced a framework to assist in discussing and analyzing such trends. The “information continuum” identifies four main stages in the lifecycle of national security and intelligence information where problems can arise, including in information collection, safeguarding, sharing, and use in real-world actions.

In an environment that is constantly changing, including the rapid development of new technologies, each stage presents potential challenges for departments and agencies engaging in national security and intelligence activities. Despite the challenges, all national security and intelligence activities must comply with the law and applicable ministerial directions, and meet the tests of reasonableness and necessity.

The 2019 Annual Report also identified a number of future priorities that would benefit from analysis through the lens of the information continuum. To achieve these goals, NSIRA promised to invest in building in-house technological expertise, collaborate with allied accountability bodies through the Five Eyes Intelligence Oversight and Review Council, and seek to stay current with new and emerging technologies such as artificial intelligence, machine learning, quantum computing, and “big data.”

NSIRA also pledged to continue to work with the Office of the Privacy Commissioner (OPC) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) on matters of joint concern to ensure the broadest range of perspectives are addressed.

NSIRA continues to examine national security and intelligence activities through the lens of the information continuum, and plans on presenting work on its website using the continuum approach to help situate horizontal themes for national security review. For 2020, however, this report builds on some feedback NSIRA received on last year’s annual report and uses a more institutional approach as a narrative device.10

2.2 Reality of review during a pandemic

As noted in the 2019 Annual Report, NSIRA staff continued to work remotely in 2020, which meant limited office access and, therefore, minimal access to the classified physical and electronic documents that must be protected in a secure environment, and that are critical to NSIRA’s work. Just as all organizations have had to adapt to the realities of the pandemic, so has NSIRA. It revised its review plans, and implemented strict rotating schedules to enable limited office access for classified work to safely continue to fulfill its statutory obligations and uphold its commitments to Canadians.

2.3 Parliamentary review of the National Security Act, 2017

The omnibus National Security Act, 2017, which established NSIRA and made major changes to Canada’s national security framework, contains provisions mandating a review by Parliament during NSIRA’s fourth year of operation, which will be in 2022.

This comprehensive review will require Parliament to assess the effects of the National Security Act, 2017, on the operations of the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP) and the Communications Security Establishment (CSE) that relate to national security, information sharing, and the interaction of those organizations with NSIRA, the Office of the Intelligence Commissioner and NSICOP.11

NSIRA has structured and sequenced its review plan in order to inform Parliament’s examination of new powers granted to security agencies through the National Security Act, 2017. Reviews of these new powers will take place over the course of 2021 and into early 2022, to determine whether they were exercised in compliance with the law and ministerial direction, and whether they were reasonable and necessary.

2.4 CSIS reviews

Overview

Under the NSIRA Act, NSIRA has a mandate to review any CSIS activity. The Act requires NSIRA to submit an annual report to the Minister of Public Safety and Emergency Preparedness on CSIS activities each year, including information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.12

In 2020, NSIRA completed two CSIS reviews, summarized below. NSIRA also began two more reviews: a review of CSIS’s technology programs and intelligence collection techniques, and a review of the duty of candour owed by both CSIS and the Department of Justice in warrant proceedings before the Federal Court. Other NSIRA ongoing reviews, including multiple agency reviews, have a CSIS component.

Threat reduction measures

Under the Anti-terrorism Act, 2015, CSIS was granted the authority to undertake threat reduction measures (TRMs). NSIRA is required to review, annually, at least one aspect of CSIS’s performance in using its threat reduction powers.13

This was NSIRA’s first review of CSIS’s threat reduction mandate. It included a detailed compliance review of a sample of TRMs from 2019. The review also included a high- level analysis of CSIS’s use of TRMs over the past five years to identify trends and to inform NSIRA’s choice of future review topics.

The sample reviewed by NSIRA consisted of TRMs that were employed to disrupt threats to Canadian democratic institutions in relation to the 2019 federal election. NSIRA assessed the measures against legislative and policy requirements, as well as ministerial direction.

For all the measures reviewed, NSIRA found that CSIS met its obligations under ministerial direction, namely that CSIS consulted with its government partners and completed an assessment of the operational, political, foreign relations and legal risks of each TRM.

For most of the measures taken by CSIS, NSIRA noted that the measures satisfied the requirements of the Canadian Security Intelligence Service Act (CSIS Act). NSIRA also noted, however, that in a limited number of cases, CSIS selected individuals for inclusion in the TRM without a rational link between the selection of the individual and the threat. As a result, these measures were not “reasonable and proportional” as required under the CSIS Act.14

For one type of TRM reviewed by NSIRA, CSIS deemed that a warrant was not required. NSIRA identified concerns about factors which would require CSIS to consider fully the implications of the Canadian Charter of Rights and Freedoms for its measures, and could require CSIS to obtain warrants before taking certain measures.

Finally, NSIRA noted some inconsistencies in the type of information provided to CSIS decision-makers in its internal requests for approval. NSIRA also found gaps and inconsistencies in CSIS’s documentation, which had the effect of hindering NSIRA’s compliance review. As a result, NSIRA recommended that formalized and documented processes be developed for the management of all TRM-related information. In addition, NSIRA recommended that all pertinent facts relating to the TRM be formally provided to the National Security Litigation and Advisory Group (NSLAG), which is part of the Department of Justice, to ensure that the NSLAG has the information necessary to provide considered legal advice.

The legal issues and questions raised in this review, as well as the analysis of trends across the last five years, point the way to further reviews by NSIRA. In particular, NSIRA was struck by the potential for a class of TRMs to affect rights and freedoms protected under the Charter. In future, NSIRA will pay particular attention to this class of TRMs and the associated legal risks. NSIRA also notes that CSIS has yet to undertake a TRM under the authority of a court warrant. If and when CSIS obtains a TRM warrant, NSIRA will prioritize it for review.

Response to NSIRA’s recommendations

NSIRA’s recommendations, CSIS’ management responses, and other details about this review, are found in Annex E of this report.

CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation

CSIS and the RCMP must work together and share intelligence to effectively counter national security threats.15 NSIRA examined the state of the relationship between CSIS and the RCMP through the lens of an ongoing investigation in a specific region of Canada. NSIRA undertook an in-depth study of both agencies’ operations, with particular attention to how the two agencies collaborated on this investigation in recent years, both in this region and at headquarters. Although the findings of this review are specific to the given investigation, NSIRA has no reason to believe that the investigation in question is atypical, and thus this review provides insight into the more general state of the two agencies’ relationship.

With respect to CSIS’s investigation specifically, NSIRA found that CSIS was reliant on a narrow set of information and was thus vulnerable; NSIRA observed how external factors arose that sharply limited CSIS’s ability to collect intelligence on the threat in question, resulting in collection gaps.

NSIRA found that in the specific region in question, CSIS and the RCMP had developed a strong relationship that has fostered effective tactical de-confliction of operational activities. Nonetheless, technological constraints made CSIS-RCMP de-confliction in the region excessively burdensome and time-consuming.

The RCMP’s use of CSIS information in support of criminal prosecutions has long been limited by perceived risks of involving CSIS or CSIS information in a prosecution. As an element of this, NSIRA observed a general reluctance on the parts of both CSIS and the RCMP to connect CSIS information to an RCMP investigation. In the case of the regional investigation in question, CSIS intelligence had not been shared or used in a way that significantly advanced the RCMP’s investigations.

On the whole, NSIRA found that CSIS and the RCMP had made little progress in addressing the threat under investigation. Moreover, CSIS and the RCMP did not have a complementary strategy to address the threat.

NSIRA has the legal authority to assess CSIS-RCMP activities from the perspective of both parties, and is not limited to the standpoint of CSIS, as was the case for the Security Intelligence Review Committee (SIRC). This regional review exposed an important, yet unresolved, issue in Canada’s national security framework: the limitations on the use of CSIS intelligence to support RCMP criminal investigations, often termed the “intelligence-to-evidence” dilemma. Given the centrality of the CSIS- RCMP relationship to Canada’s national security architecture, NSIRA will return to this topic in future years.

Response to NSIRA’s recommendations

NSIRA’s recommendations, CSIS’ management responses, and other details about this review, are found in Annex E of this report.

Statistics and data

To achieve greater public accountability, NSIRA is requesting that CSIS publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.

The number of section 21 warrant applications (a) approved, and (b) denied; each further broken down as either new or replacement/supplemental.

  • Number of section 21 warrant applications approved: 15
  • New: 2
  • Replacement: 8
  • Supplemental: 5
  • Number of section 21 warrant applications denied: 0

The number of section 21.1 warrant applications (a) approved, and (b) denied; each further broken down as either new or replacement/supplemental.

  • There were no warrant applications under section 21.1.

The number of CSIS targets

  • 360 targets

The number of publicly available datasets (a) evaluated, and (b) retained.

  • Six section 11 PADs were evaluated and retained.

*Note that one had been collected in late 2019 but was evaluated in 2020.

The number of Canadian datasets (a) evaluated, and (b) retained after authorization by the Court, and the number of such requests denied.

  • There were zero Canadian datasets evaluated, subject to a request, or retained in calendar year 2020.

The number of foreign datasets (a) evaluated, and (b) retained after approval by the Minister and Intelligence Commissioner, and the number of such requests denied (by either the Minister or Intelligence Commissioner).

  • There were zero foreign datasets evaluated in calendar year 2020. (All pending submissions were evaluated in 2019.)
  • There was one foreign dataset retained after authorization by the Minister (Director as designate, November 18, 2020) and approval by the Intelligence Commissioner (December, 16, 2020) in calendar year 2020. (It was evaluated in 2019.)
  • There were no requests for foreign datasets denied by the Minister or Intelligence Commissioner in calendar year 2020.

The number of TRMs (a) approved, and (b) executed.

  • Approved: 11
  • Executed: 8

The number of Justification Framework (a) approvals, and (b) invocations.

  • Emergency designations made under section 20.1(8): 0
  • Authorizations given under section 20.1(12): 147
  • Written reports submitted under section 20.1(23): 123 (this includes 39 commissions by employees and 84 directions)

The number of internal CSIS compliance incidents.

In 2020, External Review and Compliance processed 50 compliance incidents. Of these, 29 were considered to be administrative, 14 related to warrant terms and conditions, and 7 related to internal policies, procedures or directives.

General compliance challenges: Outdated operational policies

As legal and operational environments have evolved over the years, the suite of internal policies and procedures governing CSIS operations has drifted out of date. These operational policies and procedures translate the limits imposed by law and ministerial directions into everyday practice for CSIS activities.

NSIRA, and previously SIRC, noted concerns with out-of-date policies and procedures in reports and reviews over the years. CSIS also recognizes these concerns, but has struggled to adequately resource and prioritize the renewal of its operational policy suite. The result is a confusing collection of old and new policies, and ad hoc directives that have not yet been incorporated into policy. Over the past two years, CSIS has reported that more than 150 of its operational policy related documents need to be developed, updated, or significantly revised.

Written policies and procedures that do not reflect current operational realities and legal requirements—or are simply not internally consistent—elevate the risk that CSIS will not comply with the law and ministerial directions. CSIS employees should always have a clear, consistent and up-to-date suite of policies and procedures that makes compliance easy.

NSIRA is aware of CSIS’ ongoing efforts to overhaul and organize its full range of operational policies and procedures. Since the backlog has persisted for years, it remains unclear whether the latest efforts at renewal are sufficiently well-resourced to truly remedy the situation in a timely manner.

Internal compliance and proactive disclosure to NSIRA

In 2020, CSIS proactively disclosed to NSIRA a compliance issue related to certain operational activities. After CSIS employees raised concerns about an operational program, CSIS conducted an internal compliance review. The initial review focused on compliance with CSIS policies and procedures, but as the issue was explored CSIS opted to conduct a legal assessment as well. CSIS has since taken a number of steps to address the shortcomings it identified, including improved operational governance and management accountability. NSIRA received a comprehensive briefing on the matter in early 2021; CSIS is also providing, and has committed to continue to provide, NSIRA with the full range of relevant internal documents. NSIRA is examining this material with interest and will follow up with CSIS as appropriate.

This incident illustrates how departmental compliance mechanisms and NSIRA’s external review mandate can complement each other. NSIRA encourage CSIS to continue to engage the agency when internal compliance issues of note are uncovered.

2021 CSIS review plan

In 2021, NSIRA is commencing or conducting three reviews exclusively focused on CSIS, one review focused on CSIS and the Department of Justice and a number of interagency reviews with a CSIS component. The reviews are summarized below.

In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has initiated or is planning the following CSIS reviews, for completion in 2021:

Survey of new technology programs and intelligence collection techniques

This review, initiated in 2020, involves a broad survey of CSIS’s technology programs and intelligence collection techniques, with a particular focus on those that require authorization by court warrant. The review will help to identify specific technologies or investigative techniques that merit future review due to their novelty, potential intrusiveness, or potential for posing risks to compliance. Once identified, these technologies or techniques will be reviewed over subsequent years to ensure legal compliance.

Review arising from the Federal Court’s judgment in 2020 FC 616

This review arises from the Federal Court’s judgement in 2020 FC 616.16 To fully identify systemic, governance and cultural shortcomings and failures that may have led to the breach noted by the Court, NSIRA has undertaken an extensive program of document review and briefings involving both CSIS and the Department of Justice. NSIRA is also conducting confidential interviews with CSIS and Department of Justice employees, at various levels, to better understand the dynamics shaping decision-making in both departments and the interactions between the departments. In addition, NSIRA has consulted with external experts where possible. This review is distinct from other reviews NSIRA has conducted, as it is led by two NSIRA members: Marie Deschamps and Craig Forcese. The final report is expected to be completed in late 2021 or early 2022.

Beyond 2021, NSIRA intends to explore CSIS reviews of topics including, but not limited to:

  • ministerial direction issued to CSIS;
  • CSIS intelligence collection relating to foreign interference;
  • CSIS datasets; and
  • CSIS’s justification regime for intelligence collection activities.

Access

The range of information that CSIS must proactively inform NSIRA about has expanded under amendments to the CSIS Act. NSIRA must be informed about matters that include CSIS’s use of datasets, threat reduction measures, disclosures of information, and the new justification framework for otherwise unlawful activities. Since these requirements are embedded in the CSIS Act, it is NSIRA’s understanding that Parliament intended that NSIRA keep itself continuously apprised of these activities. To this end, NSIRA will systematically monitor the information received from CSIS for its compliance with the law, and the reasonableness and necessity of those activities.

However, NSIRA considers it vital that CSIS also keep NSIRA informed of those activities beyond those that CSIS is explicitly required to bring to NSIRA’s attention. NSIRA is working with CSIS to establish a process that builds on NSIRA’s existing direct access to CSIS’s main databases. This process will enable NSIRA to obtain additional information that complements the information that CSIS is required to report to NSIRA.

This endeavour will not only strengthen the content of NSIRA’s public annual reporting, but will also better inform the annual classified report on CSIS that NSIRA must provide to the Minister of Public Safety and Emergency Preparedness.

CSIS has been subject to independent review since its creation in 1984. To manage its relationship with external review bodies, CSIS has long maintained a dedicated review secretariat, which is currently housed within its External Review and Compliance branch. CSIS’s review secretariat has enhanced its ability to meet its statutory obligations to provide NSIRA with timely access to the information NSIRA deems relevant. In 2020, NSIRA was generally satisfied with its access to CSIS.

During this reporting period, CSIS personnel have remained supportive and available to the extent possible, and in several instances in 2020, went to exceptional lengths to assist NSIRA is completing reviews whose timelines had themselves been disrupted by COVID-19. Although CSIS and NSIRA may disagree on specific issues — as is to be expected with regard to an external accountability body — NSIRA is of the view that the continued cooperation of CSIS personnel under difficult circumstances reflects an underlying understanding of and respect for the role of independent review at CSIS.

2.5 CSE reviews

Overview

As set out in the NSIRA Act, NSIRA has a mandate to review any CSE activity. Under the NSIRA Act, NSIRA must also submit an annual report to the Minister of National Defence on CSE activities each year, including information related to CSE’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSE’s powers.

In 2020, NSIRA completed three CSE reviews. This annual report also presents results from a 2019 review that NSIRA was unable to share in the 2019 Annual Report. NSIRA also initiated three reviews, as discussed below.

In meetings with representatives from Canadian civil society and academia, some stakeholders expressed an interest in receiving follow-up information pertaining to reviews conducted under the former Office of the CSE Commissioner (OCSEC).20 NSIRA remain committed to redacting, translating, and publishing OCSEC historical reviews as resources permit. However, many of OCSEC’s reviews are no longer relevant in light of the legislative amendments introduced in 2019 by the National Security Act, 2017. Many of OCSEC’s recommendations have also been implemented, since they called for changes to the law that were subsequently captured in the National Security Act, 2017. As well, any ministerial directions and other instruments issued under the previous legal framework for CSE (National Defence Act) are now obsolete, having been reissued under the new authorities.

Disclosure of Canadian identifying information to Canadian partners

On June 18, 2021, NSIRA released a public summary of its review of CSE’s disclosures of Canadian Identifying information (CII).21 When CSE conducts foreign signals intelligence (SIGINT) collection, it suppresses any incidentally collected CII in its intelligence reporting to protect the privacy of Canadians and persons in Canada. 22 Nevertheless, the Government of Canada and foreign recipients of these intelligence reports can request the details of this information—including names, email addresses, and IP addresses—if they have the legal authority and operational justification to receive it.

In 2020, NSIRA reviewed the lawfulness and appropriateness of CSE’s disclosure of CII, focusing on CSE’s disclosure of CII to other Government of Canada departments.

This review examined a sample of CSE’s CII disclosures from July 1, 2015 to July 31, 2019 containing 2,351 Canadian identifiers, including in the context of assisting CSIS’s foreign intelligence collection under section 16 of the CSIS Act.

NSIRA found that although CSE approved 99% of requests for CII disclosure from its domestic partners, 28% of all requests were not sufficiently justified to warrant the release of CII. As a result, NSIRA concluded that CSE’s implementation of the CII disclosure regime lacked rigour, and may not have complied with its responsibilities under the Privacy Act. This report therefore constituted a compliance report pursuant to section 35 of the NSIRA Act, and was presented to the Minister of National Defence on November 25, 2020.

NSIRA also found that CSE’s releases of CII collected under section 16 of the CSIS Act were conducted in a manner that was unlikely to have been communicated to the Federal Court by CSIS. CSIS had provided the Federal Court with testimony about its treatment of information about Canadians collected through section 16 of the CSIS Act. Yet, when NSIRA compared this testimony with how CSE handled information about Canadians collected when assisting CSIS in relation to section 16, NSIRA found notable discrepancies in the standards communicated to the Federal Court. CSIS was not involved in assessing or releasing the disclosures about which NSIRA had concerns; these disclosures were handled solely by CSE.

Response to NSIRA’s recommendations:

As detailed in Annex E of this report, CSE accepted all 11 of NSIRA’s recommendations. CSE initiated a privacy impact assessment of its CII disclosure regime, and has informed NSIRA that it is in the final stages of implementing an updated version of its CII request software, which is intended to ensure that all necessary information related to operational justification, and legal authority is captured prior to a disclosure taking place. CSE has also ceased releasing CII collected under section 16 of the CSIS Act until the Federal Court is fully informed about CSE’s sharing of information derived from collection under section 16 warrants.

Ministerial authorizations and ministerial orders under the CSE Act

After the CSE Act came into force in 2019, CSE received a new set of ministerial authorizations (MAs). These documents, issued by the Minister of National Defence, authorize CSE to engage in activity that risks contravening an “Act of Parliament or interfering with a reasonable expectation of privacy of a Canadian or person in Canada.” For example, such activities might include the incidental interception of private communications during CSE’s foreign SIGINT collection activities.

The CSE Act also created the legislative authority for the Minister to “designate electronic information or information infrastructures or classes of electronic information or information infrastructures as being of importance to the Government of Canada” through a ministerial order (MO). Designating infrastructures as being of importance to the Government of Canada enables CSE to share certain kinds of information, and provide direct assistance.

In 2019, the Minister of National Defence issued seven MAs and three MOs under the CSE Act. NSIRA received comprehensive briefings on the activities authorized by each MA and MO. Based on the records that CSE provided, NSIRA believes that CSE employed considerable rigour in the MA application process. NSIRA found that CSE’s MA application requests contained sufficient information, and provided more information than previous applications under CSE’s pre-CSE Act governing legislation, National Defence Act, thereby allowing for greater transparency of CSE’s activities.

NSIRA found, however, that CSE has not fully assessed the legal implications of certain activities enabled since the CSE Act, which have not yet occurred, but which are permissible under a specific type of MA. NSIRA also found that CSE was unable to provide an assessment of its obligations under international law regarding the conduct of active cyber operations.

CSE’s briefings on these matters have informed NSIRA’s three-year review plan. In particular, this review highlighted the immediate need for NSIRA to focus on CSE’s active cyber operations (ACOs) and defensive cyber operations (DCOs), given that the Intelligence Commissioner does not provide approval for these activities and that CSE has no statutory obligation to notify NSIRA when it undertakes these activities. Active and defensive cyber operations represent a new aspect of CSE’s mandate, and NSIRA will closely examine both the governance policies and procedures for these activities, as well as the operations themselves.

Response to NSIRA’s recommendations

As detailed in Annex E, CSE generally accepted NSIRA’s recommendations in relation to this review. CSE agrees that its operations should be assessed with respect to compliance with international law, but continues to dispute NSIRA’s assertion that it was unable to provide an assessment of its obligations under international law.

Signals Intelligence data retention policies and procedures

Inspired by a similar review by the U.S. Inspector General for the National Security Agency, NSIRA completed a review of CSE’s SIGINT data retention policies and procedures in December 2020. The purpose of the review was to understand the SIGINT data lifecycle management process and learn about compliance with legal data retention limits, and with government and internal policy. Non-compliance with these limits could potentially adversely affect civil liberties and privacy protections. NSIRA completed its review and will use the information learned as a foundation for a future review.

Privacy Incidents File (2019)

On March 4, 2021, NSIRA publicly released its first review of CSE, which was a 2019 review of CSE’s Privacy Incidents File (PIF).29 A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. NSIRA’s 2019 PIF review, including findings and recommendations, was discussed in Annex A of the 2019 Annual Report. NSIRA was unable to publish CSE’s responses to NSIRA’s recommendations in time for that report, and so these responses are now included in Annex E to the present annual report.

Response to NSIRA’s recommendations

CSE accepted all five of NSIRA’s recommendations regarding the 2019 PIF review. CSE is pursuing a standardized mechanism for identifying and reporting on incidents with privacy interests, and is investigating ways to reach more streamlined and uniform reporting between operational compliance teams. CSE committed to standardizing its policy on how to assess whether a privacy incident constitutes a material privacy breach, and re-examining its assessment methods to ensure they are effective and reasonable. In November 2019, CSE also abolished a specific practice that NSIRA had raised concerns about.

Statistics and data

To achieve greater public accountability, NSIRA is requesting that CSE publish more statistics and data about public interest and compliance-related aspects of its activities. This section presents some of this CSE data.

NSIRA intends to provide data on an annual basis to provide benchmarks and enable comparison. It cautions, however, that some CSE data are difficult to interpret without significant analysis and full context, and may not necessarily indicate particular practices or developments.

In 2020, CSE provided foreign intelligence reports to more than 2100 clients in over 25 departments and agencies within the Government of Canada in response to a range of priorities related to international affairs, defence, and security. As examples, CSE believes that its own intelligence reporting helped thwart or respond to foreign cyber threats, supported Canada’s military operations, protected deployed forces, identified hostile state activities, and provided insight into global events and crises to help inform Government of Canada policies and decision making.

In calendar year 2020, CSE received 24 requests for assistance from CSIS, the RCMP, and the Department of National Defence, and actioned 23 of these requests.

Also in 2020, CSE recorded a total of 81 incidents in its PIF, second party privacy incidents file (SPIF), and minor procedural errors file.

In calendar year 2020, CSE was issued six MAs. The table below provides a breakdown of these MAs, as well as of MAs from calendar year 2019, which NSIRA was unable to publish in its 2019 annual report. NSIRA will continue to benchmark and compare these, and other statistics, each year.

* Note that the above tables refer to ministerial authorizations (MAs) that were issued in the given calendar years, and may not necessarily reflect MAs that were in effect. For example, if an MA was issued in late 2019 and remained in effect in parts of 2020, it is counted above solely as a 2019 MA.

In June 2021, in CSE’s 2020-2021 public annual report, CSE confirmed that it has conducted foreign cyber operations.32 CSE informed NSIRA that it is not prepared to release specific information related to foreign cyber operations, as it would constitute special operational information that, if disclosed, could be injurious to Canada’s international relations, national defence or national security.

Internal compliance programs

In addition to NSIRA’s independent expert review, CSE’s functions are also subject to its own internal compliance programs. For this annual report, NSIRA asked CSE to provide information on some of its internal compliance programs. CSE’s Internal Program for Operation Compliance is responsible for activities of the Canadian Centre for Cyber Security (Cyber Centre), while compliance of SIGINT activities is overseen by the SIGINT Compliance section.

Unlike some of its international counterparts, NSIRA does not currently assess the effectiveness of department and agency internal compliance programs. However, NSIRA recognizes that assessing such programs would be an important component of its review mandate, and it intends to build capacity in this area. In the interim, there is nevertheless value in publishing the information available on internal compliance, to provide a greater understanding of CSE’s policies in this regard. The information provided in this section should not be considered an independent assessment or evaluation.

Internal program for operation compliance

The Internal Program for Operation Compliance (IPOC) is responsible for providing mission management support and operationalizing the Cyber Centre’s Internal Compliance Program, which encompasses three fundamental accountability pillars:

  • Enabling Compliance (education, prevention, and collaboration);
  • Compliance Verification and Assurance (monitoring, review, and audit); and
  • Compliance Incident Management (analysis, mitigation, and reporting).

According to CSE, the Cyber Centre’s ability to demonstrate compliance with legal, ministerial, and policy obligations while conducting cybersecurity activities is “a key component of its ‘licence to operate’.” CSE considers these accountability and transparency values to be at the core of Cyber Centre operations; they are seen as constituting the foundation for maintaining Canadians’ trust and confidence in the Cyber Centre’s activities.

CSE also stated that, in addition to conducting annual compliance monitoring of cybersecurity and information assurance activities, IPOC works with Cyber Centre operational areas to promote “compliance by design,” whereby control mechanisms and privacy protection measures are intended to be proactively built into systems, tools, and operational business processes.

SIGINT compliance

Ensuring compliance of activities is, according to CSE, “of utmost importance to SIGINT, as it is critical to CSE’s continued lawfulness.” The SIGINT Compliance section works with employees to clarify their roles in compliance, for example through employee engagement, incident handling, annual compliance accreditation training, and compliance advice on new and established SIGINT initiatives. The section works to build and maintain a compliance review framework based on the CSE Act and other appropriate legislation, as well as CSE’s internal policy instruments.

According to CSE, this compliance review framework dictates internal compliance reviews that the group must complete annually over a three-year cycle. Moreover, the SIGINT Compliance group is meant to review SIGINT activities across the entire lifecycle of intelligence production, from data acquisition to processing, analysis and end-product dissemination. When necessary, these reviews contain required actions that employees in certain activity areas must complete to maintain or improve compliance. These required actions must be tracked and updated regularly by both the compliance group, as well as senior management.

NSIRA understands that transparency related to compliance is not achieved overnight, and that CSE’s transparency efforts are, as CSE told NSIRA, “still a work in progress.” NSIRA can assist CSE in such efforts, for example by providing information to the Canadian public about CSE’s lawfulness, compliance, and its functions more broadly.

Internal compliance errors reported to NSIRA

CSE states that it promotes a culture of compliance and encourages the self-reporting of potential compliance incidents. In 2019-20, CSE had concerns that it may have received information outside of a valid MA period, in relation to cybersecurity activities on a certain type of infrastructure.

CSE ultimately notified the infrastructure owner, purged the inadvertently received information from its systems in accordance with standard privacy safeguards, and launched a review of the incident for the purpose of identifying and implementing additional privacy protection measures. CSE also proactively engaged the Minister of National Defence and NSIRA for transparency and accountability purposes.

NSIRA appreciates that CSE brought this incident to its attention. NSIRA did not consider the incident to be of major concern, but view CSE’s proactive and voluntary notification of the incident as a key success in the NSIRA-CSE relationship. NSIRA feels that CSE’s response to this incident bodes well for effective and honest communication and collaboration moving forward.

2021 CSE review plan

In general, NSIRA prioritizes its reviews of CSE based on legislative requirements, as well as risk. In the case of risk, NSIRA seeks to identify those activities that may potentially pose higher risks of legal non-compliance, often because these activities are new and untested, or operate under the updated authorities of the CSE Act. NSIRA also engages with various stakeholders, both internal and external to the Government of Canada, to consider CSE-related concerns that should be reviewed.

Over the coming years, NSIRA will focus on newer aspects of CSE’s mandate, as well as on CSE’s use of certain emerging technologies, including artificial intelligence. In particular, NSIRA has heard various concerns from Canadian stakeholders about CSE’s novel foreign cyber operations mandate. NSIRA is closely examining CSE’s foreign cyber operations, including in two ongoing reviews, and NSIRA will continue to review these kinds of operations in future. NSIRA will also continue to review discrete CSE activities in cybersecurity and SIGINT based on their associated risks.

In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act (SCIDA) and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has initiated or is planning the following CSE reviews, for completion in 2021:

Review of information use and sharing between aspects of CSE’s mandates

This review examines how CSE ensures compliance with its lawful authorities and restrictions when exchanging information between aspects of its mandates. An exchange of information between aspects occurs, for example, if CSE collects information under the foreign intelligence aspect and then shares this information with those operating under the cybersecurity aspect. The review examines how CSE uses such cross-aspect information, in order to ensure compliance with the CSE Act. This review was initiated in January 2020, but has been delayed.

Review of CSE’s active cyber operations and defensive cyber operations, Part 1: Governance

This review examines CSE’s new active cyber operation / defensive cyber operation powers under the CSE Act to ensure legal compliance. It looks at the policy and legal framework for conducting these activities for the 2019-20 MAs. This review was initiated in August 2020, but has been delayed.

Review of an activity conducted under CSE’s foreign intelligence Ministerial Authorizations

This review studies an activity conducted under CSE’s Foreign Intelligence Ministerial Authorizations to examine CSE’s policies and procedures. This activity has not been subject to any external or internal assessment, audit, or compliance review, and as such presents an opportunity for NSIRA to conduct the first-ever review of this CSE activity. CSE provided a preliminary briefing to NSIRA on this topic in early 2021, but this review has been delayed.

Departmental study under section 31 of the NSIRA Act

Under section 31 of the NSIRA Act, NSIRA can direct CSE to conduct a study of its activities that relate to national security and intelligence, to ensure that these activities are carried out in compliance with the law and any applicable ministerial directions, and that they are reasonable and necessary. On completion of the study, CSE must provide a copy of the report to the Minister of National Defence and to NSIRA. Following NSIRA’s review of CSE’s CII disclosures, NSIRA concluded that CSE’s implementation of its disclosure regime under the National Defence Act may not have complied with requirements under the Privacy Act. Given the change in CSE’s governing legislation in 2019, NSIRA has directed CSE to review its disclosures to Government of Canada partners as well as foreign partners to ensure that these disclosures comply with section 43 of the CSE Act.

Beyond 2021, NSIRA intends to explore CSE reviews of topics including, but not limited to:

  • Active Cyber Operations and Defensive Cyber Operations, Part 2: Operations;
  • Safeguarding of sensitive information, including use of the polygraph;
  • Assistance to CSIS;
  • A specific cybersecurity activity as outlined within an MA;
  • The Vulnerabilities Equities Management Framework (VEMF);
  • The use of emerging technologies, including Artificial Intelligence;
  • A foreign SIGINT collection program conducted under an MA; and
  • SIGINT retention practices.

NSIRA’s mandate allows it to conduct inter-departmental reviews (also known as ‘follow-the-thread’ reviews), and it intends to do so for several ongoing and planned CSE reviews. In engaging with a range of federal departments and agencies, NSIRA’s CII review was its first follow-the-thread review.

Access

In 2020, NSIRA’s CSE Review Team established office space in CSE’s headquarters. This office space, which began partial operations in 2020, includes nine workstations and provides NSIRA with greater access to its CSE counterparts. Access to NSIRA’s CSE office is restricted, and appropriate safeguards are in place to ensure NSIRA’s independence.

A significant challenge to NSIRA’s CSE review is the lack of comprehensive and independently verifiable access to CSE’s information repository.37 As one component of addressing challenges, NSIRA is exploring options to have CSE proactively disclose specific categories of information on a regular basis, which would be used to both ensure compliance of activities and inform the conclusions NSIRA provides in the annual classified report to the Minister.

As another component of addressing access challenges, NSIRA is also exploring some options with CSE to implement the “tailored access” approach described under section 1.5 of this Report. Implementing tailored access will result in trust being maintained between the two organizations, while ensuring that NSIRA has the ability to independently verify the information received in the context of its review. It should also be noted that the speed at which NSIRA receives information before the verifications stage remains important, as any delays in receiving information has the potential to impede NSIRA’s ability to fulfill its mandate.

To encourage greater accountability in the year ahead, NSIRA intends to establish more formal guidelines for the provision of information by departments and agencies, including targets for the timeliness of responses to requests for information, and a framework for reporting publicly on the above.

Conclusion

As a new organization, NSIRA continued to staff its CSE Review Team in 2020,39 in addition to improving its overall understanding of CSE’s remit. NSIRA acknowledges the need to continue consolidating its familiarity and expertise with CSE and various aspects related to CSE’s functions. Similarly, CSE—which built a close relationship with OCSEC over some 23 years of review — is in the process of building its own familiarity with NSIRA and its mandate. NSIRA also acknowledges that reviews of CSE’s functions can be particularly sensitive, for example, because of the high volume of highly classified special information content.

NSIRA thanks CSE for timely assistance in providing publicly-releasable information for this annual report, much of which has not previously been made public. NSIRA feels that this reflects steps by CSE toward increased transparency to Canadians. Further, NSIRA is grateful for regular support from CSE’s Information Technology services in helping with secure communications.

2.6 Other government departments

Overview

One key reason for creating NSIRA was to ensure scrutiny of Canadian national security and intelligence departments and agencies that did not already have dedicated review bodies. To this end, the NSIRA Act provides the legal foundation to “review any activity carried out by a department that relates to national security or intelligence.”40 As would be expected, selecting which departments and agencies outside of CSIS and CSE that require examination is complex and must be continuously updated in tandem with the ever-changing national security landscape.

In addition to selecting specific departments for review, NSIRA is developing an integrated review framework that addresses broad-based national security and intelligence issues both horizontally and vertically across departments and agencies. This is in addition to the yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, which when considered cumulatively, provide the opportunity to cover the entire community.

As previously mentioned in section 1 of this report, NSIRA is working with departments and agencies across government to design a process where the information provided for a review is corroborated and verified for completeness. NSIRA calls this the trust but verify principle: NSIRA trusts departments to provide access to information, people and assets in a timely manner, while having mechanisms in place to allow the agency to independently verify the completeness of the access.

It is also important to note that NSIRA works closely with the NSICOP and the OPC to share review plans and de-conflict when reviews touch on similar subjects.

Beyond CSIS and CSE, NSIRA initiated reviews with the following departments and agencies in 2020:

  • Department of National Defence / Canadian Armed Forces (DND/CAF);
  • Global Affairs Canada;
  • the RCMP;
  • Immigration, Refugee and Citizenship Canada;
  • the Canada Border Services Agency;
  • Transport Canada; and
  • the Public Health Agency of Canada.
  • the following sections outline reviews completed or initiated in 2020, by department/agency, as well as some planned future reviews.

As well, through the yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has engaged with all departments and agencies that make up the Canadian national security and intelligence community.

The following sections outline reviews completed or initiated in 2020, by department or agency, as well as some planned future reviews.

Department of National Defence and the Canadian Armed Forces

The Canadian Forces National Counter-Intelligence Unit

The Canadian Forces National Counter-Intelligence Unit (CFNCIU) falls under the Canadian Forces Intelligence Group within Canadian Forces Intelligence Command and is organized along Regional Detachments. CFNCIU’s activities involve investigating and reporting counter-intelligence threats that pose a security risk to DND/CAF, supporting CAF operations to enhance force posture and operational security, coordinating exchanges of threat information with security partners, and providing early warning. CFNCIU’s primary responsibility is the collection of security intelligence for integration into national or local threat assessments.

The investigative framework for CFNCIU is unique insofar as it covers a broad range of security intelligence concerns similar to those of CSIS, yet is limited in investigative scope to DND/CAF information, people and assets (i.e. nexus to DND/CAF). Unlike CSIS, CFNCIU does not collect expansively on threats given the need for a nexus; and unlike a Departmental Security Officer, CFNCIU does not conduct investigations on issues regarding policy compliance, or security issues involving inappropriate behavior by employees that do not point to an obvious threat. Furthermore, CFNCIU does not have responsibility for security screening or criminal investigations. The investigative scope of CFNCIU is therefore best understood as occupying a very narrow space above those related to discipline and security screening, yet falling below criminal thresholds.

This review examined CFNCIU’s domestic efforts at investigating counter-intelligence threats posed to DND/CAF, the rationale used by CFNCIU for justifying investigations, and the associated investigative activities that follow. In this context, the review specifically sought to provide an initial understanding of the DND/CAF governance framework, as well as how CFNCIU views threats, collects intelligence, engages in cooperation and applies analysis. Particular attention was paid to CFNCIU’s legal foundations, processes and procedures, and how they contribute to safeguarding against insider-threat scenarios. NSIRA also reviewed how intelligence derived from investigations was conveyed to DND/CAF decision-makers. The full review is currently being redacted and should be released on NSIRA’s website soon.

NSIRA found that CFNCIU and other DND/CAF security components have been organized into narrowly focused vertical silos that do not work in an integrated manner. While CFNCIU adhered to internal policies used to initiate investigations, it did not have a formalized process to help guide investigation prioritization based on relevant criteria. It was also evident that CFNCIU required clarity on its legal authorities, to ensure the proper sharing of information in support of administrative and criminal processes.

NSIRA further identified the need for DND/CAF to empower CFNCIU to make full use of its investigative capabilities to reduce investigative durations, an issue that NSIRA found runs contrary to the sound safeguarding practices of DND/CAF information, people, and assets.

Moreover, NSIRA’s review found that CFNCIU did not adequately consider the cumulative effect of its counter-intelligence activities in relation to an investigation subject’s privacy, raising questions about the adequacy of CFNCIU’s efforts to ensure procedural fairness and prompting NSIRA to recommend that CFNCIU seek advice from the OPC. NSIRA also observed that CFNCIU’s information sharing regime was not compliant with Government of Canada policies for safeguarding information, people, and assets.

The presence of white supremacy within the Canadian military has been well documented. White supremacist groups actively seek individuals with prior military training and experience, or conversely, encourage individuals to enlist in order to gain access to specialized training, tactics and equipment. Although NSIRA acknowledges that the responsibility for addressing this threat cannot fall uniquely on the shoulders of CFNCIU, the review’s multiple findings lead to concern that CFNCIU may not be fully utilized to proactively identify white supremacists across DND/CAF. After examination of case studies and interviews with CFNCIU investigators, the review found that white supremacy poses an active counter-intelligence threat to DND/CAF, and that the CFNCIU’s mandate to proactively identify this threat is limited.

Finally, following some concerns identified in the later stages of this review, NSIRA will carry out a case study of CFNCIU computer searches and interview processes in 2021 to assess whether these activities were Charter-compliant.

DND/CAF response to NSIRA’s recommendations

DND/CAF agreed with NSIRA’s recommendations, and stated that they welcome the review report. DND/CAF agreed that action will be taken at the appropriate levels in conjunction with required expertise and offices, noting that work in this regard has commenced, and that some of NSIRA’s recommendations are already being addressed. For example, DND/CAF are working to complete a Privacy Impact Assessment of Defence Intelligence activities, and will engage the OPC for further input once this assessment is completed.

Reviews in progress

NSIRA launched a review of the Defence Intelligence Enterprise to map intelligence collection, and obtain information on the governance frameworks, authorities and structures of defence intelligence with a view towards assisting future review planning. This information was further supplemented by a corollary review of Intelligence Oversight, Review and Compliance within DND/CAF’s defence intelligence system. Although there are no findings or recommendations stemming from these inquiries, NSIRA members will receive a briefing note and presentation from NSIRA staff on key observations gained through this process. The expected completion is fall of 2021.

NSIRA has also begun to follow-up on issues identified during last year’s CFNCIU review. NSIRA’s Counter-Intelligence Operational Collection and Privacy Review will further examine CFNCIU’s practices concerning subject interview and database access to information management/information technology systems; this latter assessment will require access by NSIRA staff to DND/CAF computer networks to validate how these systems are used when conducting counter-intelligence inquiries.

NSIRA has also initiated an examination of DND/CAF’s human intelligence (HUMINT) capabilities, primarily through review of the governance of this specialized collection activity. The review will cover the evolution of HUMINT within DND/CAF, including consideration of recent internal initiatives aimed at improving governance and guidance for HUMINT. In the fall of 2021 NSIRA staff will travel to DND/CAF’s HUMINT training centre, and will conduct wide-ranging interviews of HUMINT senior leadership, trainers, and practitioners. The review will lay the foundation for a full operational review of HUMINT sources in various theatres of operation.

As a result of recent disclosures from DND/CAF through the Scoping Review of the Defence Intelligence Enterprise, NSIRA will also examine DND/CAF’s Open Source Intelligence and Medical Intelligence collection activities beginning at the end of 2021. This review will assess the governance and compliance of these activities.

COVID-19 has affected timelines and scheduling significantly, resulting in delays of up to six months. While COVID presented challenges affecting timelines and impacting review work, both DND/CAF and the National Security and Intelligence Review and Oversight Coordination Secretariat were attentive to NSIRA requests, providing access to information, people and assets when required.

Global Affairs Canada

NSIRA completed its first dedicated review of a Global Affairs Canada program. The review period was January 1, 2017 to December 31, 2019, although information from outside this period was used to conduct a full assessment of specific aspects of this program. Challenges related to COVID-19 resulted in methodological adjustments such as the use of secure video-teleconferencing in place of in-person interviews for some of the employees.

While clients of the program find it both unique and valuable to the Government of Canada, the review identified several areas of improvement. NSIRA made a number of recommendations aimed at improving this program. Global Affairs Canada has agreed to “positively address all of the recommendations” and has committed to responding to NSIRA in the near future. Due to the highly sensitive nature of this review, NSIRA will not be publishing anything further at this time.

Royal Canadian Mounted Police

In 2021, NSIRA will finish a review of a specialized RCMP intelligence unit, and it will launch a review of the RCMP’s National Security Program’s human source activities. Going forward, NSIRA plans to increase the number of reviews involving the RCMP. For example, the agency will review how the RCMP and CSIS have responded to the threat posed by ideologically motivated violent extremism.

Immigration, Refugees and Citizenship Canada

NSIRA is currently conducting a scoping review of Immigration, Refugees and Citizenship Canada in order to delineate its national security role and responsibilities. While the department has no intelligence collection programs, Immigration, Refugees and Citizenship Canada has an intricate mandate with shared legal authorities and operational responsibilities for ensuring the integrity of the immigration system and mitigating threats to national security from abroad.

Canada Border Services Agency

NSIRA has initiated its plan to conduct in-depth reviews of the most sensitive security and intelligence activities of the Canada Border Services Agency (CBSA), as identified by NSICOP: scenario-based targeting, surveillance, confidential human sources, lookouts and joint force operations. A review of air passenger targeting is currently underway, focusing on how the CBSA uses predictive analyses, including what is termed “scenario-based targeting,” to identify inbound air travellers for further scrutiny in relation to national security threats. Reviews of the CBSA’s use of confidential human sources and surveillance activities are slated for completion in 2022.

Cross departmental reviews

Avoiding complicity in mistreatment by Foreign Entities Act

On September 4, 2019, the Governor in Council issued written directions to the Deputy Heads of 12 departments and agencies under the new Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act). The Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Avoiding Complicity Act and the directions lay out a series of requirements that need to be met or implemented by departments when handling information. Under subsection 8(2.2) of the NSIRA Act, NSIRA is required to annually review implementation of all directions sent to departments and agencies.

While this was the inaugural annual review under the NSIRA Act, it builds on previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on Information Sharing with Foreign Entities is an example. NSIRA is building on this previous review and strongly supports that review’s findings and recommendations. It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period. The full 2019 review of the Avoiding Complicity Act has been redacted and released on its website.

To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Avoiding Complicity Act and the directions. The responses and associated information captured departmental activities related to the Avoiding Complicity Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions, and look closely at specific cases and departmental legal opinions to guide review findings.

While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments were employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Avoiding Complicity Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach.

Additionally, as the directives received under the Avoiding Complicity Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the departments and agencies to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, and also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Avoiding Complicity Act across the community.

Disclosure of information under the Security of Canada Information Disclosure Act

Enacted in 2019, the purpose of the Security of Canada Information Disclosure Act (SCIDA) is to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada. NSIRA has a statutory requirement to conduct an annual review of disclosures made under the SCIDA.

In 2020, NSIRA completed the 2019 Annual Report on the Disclosure of Information under the Security of Canada Information Disclosure Act. The report covers the period from when SCIDA came into force on June 21, 2019 to December 31 of that year. During the reporting period, federal institutions made 114 disclosures of information under SCIDA. The report notes that institutions made good progress in institutionalizing this new legislation. The report provides historical and contextual information on SCIDA and how it fits alongside other legal mechanisms for the sharing of information. The report also includes anonymized scenario examples of SCIDA disclosures, and criteria for future assessment. NSIRA intends to work closely with the OPC for future iterations of this report. Outcomes of NSIRA’s subsequent review of disclosures under SCIDA will be discussed in the 2020 report on the disclosure of information under this SCIDA.

Biometrics

NSIRA has advanced its commitment made last year to map the collection and use of biometrics across the government in relation to its security and intelligence activities. A horizontal review of biometrics in the border continuum is currently underway, focusing on activities conducted by the CBSA, Immigration, Refugees and Citizenship Canada and Transport Canada. The activities under review include the issuance and verification of travel documents — with an emphasis on air travel — and the screening of foreign nationals seeking admission to Canada. A subsequent review will examine the use of biometrics in security intelligence and national security related policing activities.

Conclusion

Given the ongoing pandemic and lessons emerging from current reviews, in some instances NSIRA have modified the plan put forward in NSIRA’s 2019 Annual Report. Its work on economic security, for example, benefited from a scoping exercise involving several departments to help it better understand the authorities in this area, and to help it determine whether to pursue further work on this issue. Similarly, following a scoping exercise, a decision on whether to review public health intelligence awaited considerations of the conclusions of an independent report commissioned by the Minister of Health in this area that has now been released.

Over the next year, NSIRA will continue to engage with departments and agencies through focused reviews. Some of these will be organized around broad horizontal themes that may include multiple departments, requiring a coordinated approach. NSIRA is committed to working collaboratively with departments, particularly on the establishment of an access regime that supports independent verification and accountability.

Complaints investigations

3.1 2020 challenges

The pandemic has had an adverse impact on the timely conduct of NSIRA’s investigations. As of March 2020, inevitable delays resulted from the provincial stay- at-home orders and public health guidelines that were issued. Just as NSIRA was affected by limited access to classified documents as a result, so too were the for federal government parties to investigations that are obliged to provide information to NSIRA. Consequently, in several ongoing matters, NSIRA granted adjournments and extensions of deadlines for procedural steps, including the filing of submissions and evidentiary material. While this was regrettable, NSIRA adapted to the challenging circumstances of the pandemic as best as possible and advanced investigative procedures in an innovative manner whenever possible, such as conducting some proceedings in writing and holding case management conferences and meetings virtually.

Despite the procedural setbacks in 2020, NSIRA was able to complete one complaint investigation and issue a final report. NSIRA also issued formal decisions to close three other files. In addition, it succeeded in completing a complex process reform initiative that will see the modernization and streamlining of the investigative process.

3.2 Complaints investigation process: Reform and next steps

While the pandemic affected complaints investigations, NSIRA made considerable progress on reforming the processes governing such investigations. In the course of the year, NSIRA undertook a process reform initiative to modernize the complaints investigation model to meet its goal of ensuring efficiency and transparency. Two priorities guided the modernization of the process, namely, access to justice for self-represented complainants and the creation of streamlined and less formal procedural steps.

NSIRA created new Rules of Procedures to reflect this new model and completed an extensive consultation exercise with stakeholders in the public and private sectors to achieve the most effective and considered final product. These new Rules of Procedure have been in effect since July 2021.

NSIRA also implemented a new policy statement that provides a commitment to the public to increase transparency in its investigations by publishing redacted and de- personalized complaints investigation reports.

In the year ahead, NSIRA will update its website to include improved procedural guidance to inform members of the public on how to make complaints and navigate the investigative process. Part of the update to NSIRA’s website will involve implementing a secure portal for the online filing of complaints and for protected communications to assist in effectively managing NSIRA’s complaints case load.

In the future, NSIRA also plans on conducting a trend analysis for complaints, which will involve a broad initiative to appropriately collect race-based and other demographic information. The objectives of this initiative are to improve access to justice by improving awareness and understanding of the investigation process. The overall aim is to document the different groups among civilian complainants and identify the frequency of complaints that include allegations of racial or other forms of bias, and to determine whether there are disparities; whether there are differences with respect to the types of complaints made against national security and intelligence organizations based on different groups; whether complaints investigation outcomes vary by group; and whether civilian satisfaction with NSIRA’s investigation process varies by group.

NSIRA’s investigation case load: The year ahead

On concluding efforts to case manage NSIRA’s ongoing investigations in the context of the challenges presented by the pandemic in 2020, NSIRA will look ahead to the coming year with a reformed investigation process that will assist in implementing modern and fair procedures to advance these cases, complemented by an improved website that will promote access and transparency in the investigations process.

NSIRA will also see a substantial increase in its caseload in 2021 as a result of close to 60 new investigations added to its existing inventory. These complaints were referred to NSIRA in April 2021 by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act. This high-volume caseload will significantly challenge NSIRA’s case management. NSIRA will be implementing procedural efficiencies as much as possible while meeting procedural fairness requirements.

3.3 2020 complaints

Summary of final report

Allegations against CSIS’s role in cancellation/denial of site access clearance

Background

The Complainant filed a complaint against CSIS requesting an investigation of CSIS’s role or involvement in the cancellation and/or denial of site access screening requests for employment with a private company at a government building.

Allegation

The Complainant alleged CSIS improperly used information collected and made an improper inference of a security threat which led to the denial of a site access clearance.

Investigation

NSIRA considered the evidence given by summoned witnesses, the documentation submitted by the parties as well as other relevant material made available during the course of the investigation of the complaint, including classified documents disclosed to NSIRA by CSIS. NSIRA also heard evidence provided by the Complainant.

Sections 13 and 15 of the CSIS Act give CSIS the authority to provide security assessments to departments of the Government of Canada and to conduct investigations as required. CSIS receives applications from government departments for persons seeking a security clearance or site access clearance and their role is defined in section 2 of the CSIS Act. CSIS presented evidence on the steps that are followed in CSIS’s process, the Treasury Board Secretariat’s Standard on Security Screening, and the fact that the client department decides whether to grant a clearance. As such, CSIS only provides background information and an assessment from a national security perspective so that government departments have the information it needs to make an informed decision.

NSIRA also heard evidence from CSIS with respect to some information shared with the client department that requested the site access clearance and how it pertained to both reliability and loyalty. CSIS acknowledged that some information shared with the client department took place in an informal setting and that it should not have occurred in such way. It was noted that after open source information was shared, the client department cancelled its request and CSIS closed its file.

The Complainant expressed a belief that CSIS was responsible for denying his application for a site access clearance.

NSIRA acknowledged the Complainant’s perception that CSIS denied his request for a site access clearance, but the evidence demonstrated that CSIS did not make the decision. The decision was made by the government department and CSIS had no further involvement in the matter.

Findings

NSIRA found that:

  • CSIS did not improperly use the open source information that was shared;
  • CSIS acknowledges that the sharing of information would not have been approved by management; and
  • CSIS did not deny the Complainant’s request for a site access clearance, but rather it was the government department that made the decision to cancel the request.

Conclusion

NSIRA determined that the complaint is unsupported.

Summaries of complaints deemed abandoned

Allegations against CSIS for sharing information with foreign authorities and impact on border crossing

The Complainant filed a complaint against CSIS about the sharing of information with foreign authorities that led to having difficulty with border crossings. NSIRA commenced its investigation and had an informal case management conference with the parties for the purposes of resolving the complaint. As a result of this resolution meeting, the Complainant undertook to take steps to resolve any ongoing issues. NSIRA attempted to communicate with the Complainant on several occasions to determine whether the ongoing issues were resolved. NSIRA determined that reasonable attempts had been made to communicate with the Complainant and issued reasons deeming the complaint abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.

Allegations against CSIS’s role in delaying security assessment regarding a permanent residency application

The Complainant filed a complaint against CSIS alleging that it caused a significant delay in submitting the security assessment for a permanent residency application. During the investigation, NSIRA attempted to communicate with the Complainant on several occasions regarding the possibility of engaging in informal resolution discussions with CSIS. NSIRA determined that reasonable attempts had been made to communicate with the Complainant and issued reasons deeming that the complaint had been abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.

Allegations against the RCMP for improper conduct during arrest

This complaint was referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP, pursuant to subsection 45.53(4.1) of the RCMP Act. The complaint alleged that members of the Royal Canadian Mounted Police (RCMP) failed to inform the Complainant of the Complainant’s rights and obligations during an interaction that occurred the day before an arrest for a terrorism hoax and public mischief, use of excessive force and other allegations. During the course of launching its investigation, NSIRA attempted to establish contact with the Complainant on several occasions. NSIRA found that reasonable attempts had been made to communicate with the Complainant and had exhausted all options. Accordingly, NSIRA issued reasons deeming the complaint had been abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.

Conclusion

In 2020, NSIRA’s teams worked under exigent conditions and yet were able to outperform. NSIRA is grateful to them for having conducted the reviews in an efficient manner. As mentioned in this annual report, NSIRA have ambitious plans for ongoing and future work, all while continuing to grow its own capacity and to strengthen its relationships with the departments and agencies under its review. In 2020, NSIRA’s staff complement grew from 30 to 58 individuals, its CSE Review Team began operations in offices on site at CSE, and NSIRA neared completion of a new facility for staff, all while carefully and responsibly adapting to the challenges of the pandemic.

In the spirit of coordinating and complementing other review and oversight entities, NSIRA continued to strengthen its relationships with various counterparts, including the Five Eyes Intelligence Oversight and Review Council, the National Security and Intelligence Committee of Parliamentarians, and the Office of the Privacy Commissioner of Canada. NSIRA also remains dedicated to robust and mutually- beneficial engagement with non-governmental stakeholders. NSIRA hopes both to raise awareness of its mandate amongst various communities — including students — as well as to receive input to help us further its work and refine its agenda. NSIRA strongly encourages feedback and input and hopes you found this report useful and helpful. No matter your background, please reach out to us and share your thoughts about this report, as well as NSIRA’s review and complaints work.

NSIRA is very grateful for the perseverance, diligence, and passion of its staff for continuing to produce meaningful work and achieve important results despite the challenges of the pandemic in 2020. As NSIRA grows as an organization, including in staff numbers, it looks forward to continuing to promote accountability in the Canadian security and intelligence community.

Share this page
Date Modified:

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019

Completed Reviews

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019


Backgrounder

In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The framework aimed to establish a coherent and consistent approach across government when sharing and receiving information with Foreign Entities. Following this, Ministerial Direction was issued to applicable departments in 2011 on Information Sharing with Foreign Entities, and then again in 2017 on Avoiding Complicity in Mistreatment by Foreign Entities.

On July 13, 2019, the Avoiding Complicity Act came into force. This Act codifies and enshrines Canada’s commitments in respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment.

On September 4, 2019, pursuant to section 3 of the Act, the Governor in Council (GiC) issued written directions to the Deputy Heads of the following 12 departments and agencies: Canada Border Services Agency (CBSA), Canada Revenue Agency (CRA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment (CSE), Department of Fisheries and Oceans Canada (DFO), Department of National Defence and Canadian Armed Forces (DND/CAF), Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Global Affairs Canada (GAC), Immigration, Refugees, and Citizenship Canada (IRCC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP) and Transport Canada (TC).

The GiC issued directions focused on three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.

Pursuant to section 7 of the Act, every Deputy Head having received direction must, before March 1 of each year, submit to the appropriate Minister a report regarding the implementation of those directions during the previous calendar year. Following this, every Deputy Head must, as soon as feasible after submitting the report, make a version of it available to the public.

Date of Publishing:

Executive Summary

The Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, September 4, 2019, to the end of the previous calendar year, December 31, 2019. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Act.

While this was the inaugural annual review under the NSIRA Act, it builds upon previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on information sharing with Foreign Entities is an example. The results from this previous review were sent to applicable departments in July 2020. NSIRA is building upon this previous review and strongly supports the findings and recommendations within it. As of the date of this report, departmental responses have not been received regarding the recommendations provided in NSIRA’s July 2020 Ministerial Direction review.

(U) It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period.

To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Act and the directions. The responses and associated information captured departmental activities related to the Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. NSIRA believes that having a robust framework is an essential part of an effective implementation of the directions departments have received.

Beyond the specific requirements of implementation, the information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken since the review period to build and formalize their frameworks. This information and knowledge will help set up the foundation for future reviews and assist efforts on creating consistent implementation across departments. While many of the issues discussed in this report go beyond the specific requirements of the directions, their consideration is critical to the overall improvement of the implementation process and how departments ultimately support the Act. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions and look closely at specific cases and departmental legal opinions to guide review findings.

While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments are employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach. And while departments will always require unique aspects in their sharing frameworks to address the unique characteristics of their mandates and activities, to improve the implementation process, a goal all involved likely have, the identification and sharing of best practices is critical.

For example, determining the best means for having a unified approach when engaging with foreign entities of concern or ensuring that an information sharing activity is consistently evaluated for risk by all departments. The recommendations provided on these issues in this review capture what NSIRA believes to be important concerns and considerations for supporting and improving departmental implementation.

Additionally, as the directives received under the Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the community to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, but also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Act across the community.

Authorities

This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity Act.

Introduction

Focus of the Act

In the same spirit as the Ministerial Direction (MD) that preceded it, the Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department and a foreign entity. The Act also aims to limit the use of information received from a foreign entity that may have been obtained through the mistreatment of an individual. While the previous MD guided the activities of a selection of Canada’s security and intelligence departments, the Act broadened this scope to capture all departments whose interactions with foreign entities included information exchanges where such a concern may apply.

The focus of the Act is to ensure departments take the necessary steps during their information sharing activities to avoid contributing in any way to the mistreatment of an individual. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. There is an expectation that each department will satisfy these requirements by leveraging departmentally established mechanisms and procedures, or frameworks that will allow each department to confidently demonstrate how it has responded to its responsibilities under the Act.

During the first year that the Act was in force, written directions using nearly identical language were sent to the Deputy Heads of 12 departments. In regard to disclosure, the directions read as follows:
“If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

With respect to requesting information, the directions state:
“If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

Lastly, as it relates to the use of information, the directions indicate:
“The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department

  • (a) in any way that creates a substantial risk of further mistreatment;
  • (b) as evidence in any judicial, administrative or other proceeding; or
    (c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.”

At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. This determination is done on a case-by-case basis. Each department is responsible for making these determinations as it applies to its activities. Following the outcome of a department’s determination of these important questions, cases may be approved, denied, or elevated to the Deputy Head for consideration. For the latter cases, this then results in additional reporting requirements for the Deputy Head. Throughout this process, there is also a requirement to ensure the accuracy, reliability, and limitations of use of all information being handled.

Review Objectives

After the Avoiding Complicity Act came into force in July 2019, the Governor in Council’s written directions were sent to each applicable department in September 2019. The period for this year’s review is September 4, 2019 to December 31, 2019. The short timeframe (approximately 4 months) associated with this year’s review means that departments are being assessed, in large part, on what they would already have had in place to address risks of mistreatment associated with information sharing, or what they were able to implement in a four-month window. NSIRA is cognizant that for the departments that were not previously subject to the 2017 MD on Avoiding Complicity in Mistreatment by Foreign Entities, the timeframe to implement the written directions was somewhat limited, as it would have been challenging to create and operationalize new procedures such that they would be reflected in the department’s activities during the period being reviewed.

While it was essential to ensure that both NSIRA and the departments being reviewed met their obligations, these challenges were kept in mind when evaluating the objectives for this first review. Given these considerations, the objectives of this year’s review were to determine whether:

  • departments had fully implemented the directions received under the Act in conformity with the obligations set out therein;
  • departments had established and operationalized frameworks that sufficiently enabled them to meet the obligations set out in the Act and directions; and,
  • there was consistency in implementation across applicable departments.

Methodology and assessment focus

To capture a complete view of the departmental implementation of the Act, NSIRA constructed a series of questions related directly to every department’s obligations under the Act and the directions. The responses and associated information captured what specific activities took place during the review period and what departmental frameworks were leveraged to adequately support these activities.

The information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken to build and formalize their frameworks to meet their obligations under the Act and directions. The information provided and the knowledge gained will help set up the foundation for future reviews and help create consistent implementation across departments.

The method used to gather information during a global pandemic was designed for this first and unique review period. We believe it allowed departments to quickly and efficiently indicate both whether the directions had been implemented, and what frameworks, processes, and policies had been leveraged or put in place.

Responses to many of the RFI questions were simply yes/no answers. Often, answers were dependent on what information handling activities took place with foreign entities by the department during the review period. As such, a number of questions could be returned with ‘not applicable’, and this was an acceptable response. Many of the questions were related to specific and easily defined requirements under the Act and its associated directions, e.g. ‘was a report submitted to the Minister?’ or ‘Did the Deputy Minister inform the applicable bodies of all their decision made under the act?’.

Other questions were designed to capture the details of the underlying processes that supported a department’s implementation, i.e. a department may indicate that they ensured no substantial risk of mistreatment was present in any of their information sharing activities, but how did they support this claim? Likewise, for an assertion that a possible substantial risk of mistreatment had been mitigated, what was in place that allowed a department to make this assertion? Therefore, this series of questions required sufficiently detailed responses to fully capture what a department had in place that allowed it to confidently state that it has met its implementation obligations under the Act and the issued directions.

Finally, a portion of the questions was intended to capture the level of uniformity in implementation across departments. This includes such things as country/entity assessments, triage practices, and record keeping. Much of this information will also help with recommendations going forward. This multi-faceted approach resulted in three main areas being evaluated to assess implementation for this review period and help set the groundwork for future reviews.

  • Departments have clear and comprehensive frameworks, policies, and guidelines such that they can demonstrate how they have fully implemented the directions under the Act.
  • All reporting requirements associated with both the Act and its applicable directions have been met.
  • Differences or gaps associate with areas such as country/entities assessments, record keeping, case triage, etc., such that consistent implementation across departments would be challenging.

Summary of the results table

The table in Annex A captures a summary of both the departmental responses to the implementation questions and NSIRA’s assessment regarding these responses. The assessment was based on the associated details provided by departments in the context of the specific information requested. As explained above, many of the responses were returned as not applicable (n/a). Since many implementation requirements are connected to specific activities, the absence of such activities would mean that the requirement does not come into play. The best example of this for the current review is the absence of any Deputy Minister level determinations. All 12 departments indicated that they did not have any cases referred to the Deputy Minister level for determination. All additional reporting requirements associated with this level of decision were not applicable and thus considered satisfied.

If a specific requirement was not met, it was flagged. The relatively few instances of this were connected with departments not meeting certain reporting obligations under the Act. In all cases, the department involved pre-identified these missing requirements and indicated that efforts were underway to address them.

The concerns and findings captured in the table (and others) are discussed subsequently. A concern was flagged in two situations: where there was an uncertainty associated with a department’s ability to support their implementation requirements; and cross-cutting issues related to general aspects of all of the frameworks described, both of which led to the findings and recommendations proposed.

Findings and Recommendations

Realities of Implementation for 2019

A challenge for departments for this first review was associated with one of the assessment items listed above, i.e. whether they had established frameworks to demonstrate how they supported the implementation of the directions they received.

With the Avoiding Complicity Act coming into force in July 2019, it was not feasible that departments would create and stand-up new frameworks for information exchanges in time for the period being reviewed. Although the Act did specify several Deputy Heads that were to receive directions, it only included those who received the previous 2017 MD. The remaining new departments received their directions in September 2019. Regardless of this two-month difference, each department would have been required to rely on, to some extent, existing procedures when handling information sharing with foreign entities during the review period.

This put the departments that had previously formalized policies and processes at an advantage when implementing the directions. For those departments who were not subject to the previous 2017 MD on information sharing, NSIRA considered how they leveraged and adjusted what was already in place to respond to their new responsibilities under the Act. What we then expected to see, for all departments, was what subsequent steps were taken during the review period and afterwards, to either adjust or create frameworks to better meet implementation requirements going forward. NSIRA noted that in response to questions on frameworks for handling information and mitigating risk, several of the departments new to the considerations of the Act provided extensive detail on their efforts and progress on building out their frameworks to support the directives. References to having these frameworks formalized over the subsequent year were also encouraging.

Finding no. 1: NSIRA found that several departments, new to the considerations of the Act, described considerable progress being made during the review period and afterwards to build out formalized frameworks to support implementation.

Importance of establishing operational framework

As discussed, having fully established operational frameworks in place for this review period may not have been feasible for the departments that did not previously have processes to support their activities. This, however, did not exempt a department from the requirements of implementation. Each department was still expected to leverage what it currently had in place to properly address the concerns associated with the Avoiding Complicity Act. Furthermore, there was a logical follow-on expectation that departments would take subsequent steps to build out formal frameworks to address any perceived gaps to support the implementation of the Act going forward if necessary.

After reviewing the responses received, NSIRA is concerned that departments with minimal information sharing activities taking place during their operations have yet to address the necessity of having a robust framework in place, regardless of how often that framework is leveraged. For example, although PS and TC may primarily act as facilitators or coordinators for information exchanges on specific programs, they are still interacting with foreign entities, and therefore are required to fully assess their interactions with a foreign entity in this regard.

If a department without a formal framework assesses that it has few or no cases associated with the Act, then it may believe it is adequately positioned to address any sharing concerns should they arise. This, however, is not the case. Even single instances of information exchange in which the concerns of the Act may apply require a framework to support it properly. In many cases, it will be the framework itself that properly identifies whether a sharing activity raises concerns under the Act. If there is no formal process in place, then this identification becomes problematic. Simply saying that there are no cases or activities associated with the Act is not sufficient. That determination can only be made after a sharing activity is scrutinized through the lens of a robust framework. Going forward, all departments who receive directions should demonstrate a formal framework that ensures all information sharing activities are adequately evaluated against the considerations of the Act.

Finding no. 2: NSIRA found that departments conducting minimal information exchanges with foreign entities have not yet fully addressed the importance of having an official information sharing framework in place.

Recommendation no. 1: NSIRA recommends that all departments in receipt of directions under the Act have an official framework that ensures they can fully support their implementation of the directions.

Community coordination and best practices

While departmental coordination and the sharing of best practices are not a requirement of the Avoiding Complicity Act or the directions, NSIRA considered such an approach’s value. What became clear during this first review was that every department employs a very different framework to guide their information sharing activities with foreign entities. This is to be expected to some extent, given the different mandates, sharing requirements, and areas of focus associated with each department. However, these differences are also a reflection of the independent, internal development that has taken place for the different frameworks being used. While the departments receiving directions under the Act do interact on this subject to some extent, to date, based on the responses provided, it appears that the majority of the work done by the departments to build supporting frameworks to address their responsibilities associated with the Act have been done so independently. There was little to no overlap with how departments described the various aspects of their frameworks, even amongst the departments subject to the earlier MD on this issue.

There would be value in departments collectively identifying the key aspects common or required in all information exchanges with foreign entities and then working together to craft best practices, irrespective of what a department currently has in place. This process should draw on all available resources to make this determination. Each department can then turn to their existing frameworks to consider where and how they can be adjusted to match this community-agreed upon ideal. This is not to say that aspects of what a department already has in place in their framework will not ultimately be seen as the best practice. Several departments do have robust sharing frameworks in place, and these will contribute significantly to this exercise. However, arriving at this determination independently will provide an additional level of confidence.

Department-specific challenges, of course, cannot be ignored. In fact, they will weigh in strongly on such a conversation. Departments share information under their mandates for various reasons, and this will mean that coordination on certain aspects of a sharing framework may not be possible. However, this needs to be evaluated. It is important that what already exists, or what is hard change, does not unduly influence what may be best. This approach will create uniformity (where possible) across the community and provide a starting point for ‘must haves’ for each department to evaluate their existing processes against.

The Public Safety Information Sharing Coordination Group (ISCG) was established to support departments on information sharing. As such, it is in an ideal position to help mitigate issues arising from the lack of coordination. Leading such efforts would build on the work already being done by this group. During recent discussions with NSIRA, the ISCG indicated that the tracking of lessons learned and the sharing of best practices was not yet routine. Going forward, there would be value in a more coordinated effort when departments are updating/changing their framework. Ensuring that this coordination takes place will require support and leadership by senior-level officials. This will help in sharing best practices once identified, and establish more consistent approaches across departments.

Finding no. 3: NSIRA found that the differences and variability in departmental frameworks demonstrate a previous lack of coordination across the community and a need to identify best practices.

Recommendation no. 2: NSIRA recommends that departments coordinate to identify best practices for all essential components of information sharing frameworks and that the ISCG is leveraged to ensure these practices are shared where possible across the community to support the implementation of the Act.

Framework application inconsistency

A series of questions in this review was related to aspects of consistency in how departments apply their frameworks. From this series, a comparison was made on how many times an information sharing/use event triggered an evaluation of any kind against the considerations of the Avoiding Complicity Act, versus how many of these triaged cases were elevated or referred up for decision. The results helped gauge two important aspects of a framework: One, the threshold requirements, i.e. how often a sharing activity triggers an evaluation of any kind; and two, the decision making power given to the operators who are initially handling these activities.

The feedback and the responses received demonstrate potential inconsistencies in both aspects across departments. For example, several departments indicated zero cases as being triaged/evaluated under the concerns of the Act during the review period, yet also specified that they are involved in regular information sharing or, specified that no information received from foreign entities was derived from mistreatment. These responses appear to be inconsistent as it would be problematic to participate in information sharing or to make such mistreatment determinations without the activity being evaluated on some level.

Other departments indicated a larger number of cases as initial triaged/evaluated, but also indicated that none of them were elevated in their decision making process for higher-level decisions. This would seem to suggest that all determinations were being made at the operational level. Such a result puts significant weight on the operator and the initial assessment tools they are leveraging if they are making all determinations independently. This reinforces the importance of a robust framework to help make these determinations, as previously indicated in Finding no. 2. As a result of these differences, potential challenges arise on accurately assessing the volume of cases being handled by departments, the tracking of those cases deemed to present a substantial risk, those which can be mitigated for, and those where the risk was not found to be substantial or even present.

These responses may result from how each department defines a ‘case’ or how it records a case, or they may be a result of differences in how a department’s decision-making process is leveraged. NSIRA’s concern is that these differences may indicate an inconsistency in application thresholds at different departments. As such, the following results were viewed as a potential issue based on the responses received:

  • if a department was involved in any kind for information exchange with a foreign entity during the review period, but did not indicate that any cases were formally triaged/evaluated; or
  • if there was a significant number of cases triaged, but none were elevated to a higher level for determination.

Such results do not necessarily indicate a problem as aspects of a framework may be able to account for this, however, looking further into how and why the department’s framework produced these outcomes is important. Future reviews will be able to do this. Consistent initial steps for information sharing activities, including triage/evaluation thresholds and documentation, are critical to the effective application of a framework, and ultimately to identifying best practices.

Finding no. 4: NSIRA found that there are inconsistencies in the application of existing sharing frameworks between departments, specifically concerning information evaluation thresholds, and decisions being elevated for senior level determinations,

Recommendation no. 3: NSIRA recommends that departments establish consistent thresholds for triggers in their information sharing frameworks, including initial evaluations against the concerns of the Act, when a case is to be elevated in the decision process, and how this is documented.

Country and entity assessments

A key recommendation of NSIRA’s previous review on information sharing related to the country/entity assessments being used by departments to inform their decision making process when sharing or using information with a foreign entity. While the use of country/entity assessments is not a required aspect of implementing the directions under the Act, NSIRA continues to support this tool as an important aspect of any sharing framework. In its previous review, NSIRA determined that having a firm grasp on the human rights situation, as well as any other pertinent information associated with a country/entity, was essential to making an informed decision on whether there should be concerns, caveats, or limitations when handling information with that country/entity. Moreover, having such information captured to ensure all departments consistently approach these countries/entities is critical. At the time of the previous review, the following recommendation was made:

  • a unified set of assessments of the human rights situations in foreign countries including as standardized ‘risk of mistreatment’ classification level for each country; and
  • to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

It is important to note that there has been no formal response from departments on this previous recommendation as of the date of this report. Furthermore, during this report, two departments continue to raise concerns with NSIRA’s stance on this issue during the consultation process. While NSIRA continues to support this recommendation, as explained below, further discussions with departments on how to approach this matter may be warranted, specifically on the distinction between how this recommendation may apply to a foreign country/entity vs a specific foreign partner a department may be dealing with.

Based on the responses provided on this topic for the current review period, there is still inconsistency in this area. While almost all departments indicated that country/entity assessments were a standard part of their framework, the responses also indicate differences in which country assessments are used, how they are leveraged, and who is responsible for updating them. For example, several departments rely on their own in-house created assessments, while others leverage the assessments created by Global Affairs Canada and others. While departments who indicated that they are leveraging country/entity assessment tools in their process also indicated that these assessments captured human rights concerns, this has yet to be independently evaluated. NSIRA is concerned that these differences could result in different approaches/stances being taken by departments when dealing with the same foreign entity. While the country/entity assessments tools themselves are not necessarily in question, the fact that every department is not leveraging or does not have access to all useful or applicable information is.

NSIRA remains of the view that having a consistent stance on all countries and entities when implementing the requirements of the Act is important. Issues such as mistreatment and human rights should not be decided at a departmental level, but on a whole-of-government level. While mindful of classification levels, ensuring all departments have access to the same relevant information associated with a foreign country/entity is critical to making an informed decision. Due to the nature of their work, departments may be privy to unique information on a country/entity, some or all of which can be shared. This would lead to fully informed assessments that allow for a consistent approach when dealing with any country/entity. In addition to improving duplication of effort in this area by departments, NSIRA continues to see standardized country and entity assessments, which can be accessed and contributed to by all departments, as key to moving toward a more consistent and effective implementation of the Act across the community

Finding no. 5: NSIRA found a lack of unification and standardization in the country and entity assessments being leveraged by departments, resulting in inconsistencies in approach/stance by the community when interacting with Foreign Entities of concern related to the Act.

Recommendation no. 4: NSIRA recommends that departments identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach by departments when interacting with Foreign Entities of concern under the Act.

Conclusion

While aspects of implementation can be easily quantified and evaluated e.g. reporting requirements to a Minister, others, which support implementation are more difficult to measure, e.g.:

  • What does a sufficiently robust framework for assessing and mitigating risk when sharing with a foreign entity look like?
  • Does this depend on the specific requirements and activities of the department; or,
  • Are there steps that should always be involved when vetting a foreign entity under the considerations of the Act?

Measuring and weighing the answers to such questions is challenging. They are more nuanced, and can’t be as easily quantified. Regardless, they must be considered and addressed. Drawing on the considerations and concerns identified in this review will help departments to ask the questions that will improve their underlying frameworks with the following goals in mind:

  • To identify the essential/key elements that need to be a part of any framework for it to address the concerns associated with the Avoiding Complicity Act sufficiently; and,
  • To have all identified best practices implemented as consistently as possible across departments.

Future reviews will push towards these goals by seeking answers to those questions above. By looking more closely at specific case studies, departmental legal opinions, items of inconsistency, and the departmental frameworks that are already demonstrating best practices that should be shared. Ultimately the results of such efforts will contribute to improving the implementation of the Act across the community.

Share this page
Date Modified:

Departmental Plan: 2021-2022

Meta data information

Cat. Number: PS106-6E-PDF
ISSN: 2563-0334

© Her Majesty the Queen in Right of Canada, 2020

Date of Publishing:

From the Executive Director

I am very pleased to present the 2021–22 Departmental Plan for the National Security and Intelligence Review Agency (NSIRA). The year ahead will build on a very successful 2020–21, in which we achieved several key milestones for our new agency, despite the challenges imposed on us and the organizations we review as a result of the COVID-19 pandemic.

In 2021–22, we will be continuing to implement NSIRA’s three-year review plan, which emphasizes reviews of increasing scale and complexity as we become familiar with the operations of departments and agencies that have only recently become subject to review.

In the year ahead, we will also roll out a new process for taking in and investigating complaints from members of the public. Multiple key stakeholders will help to shape this new process, which aims to provide greater accessibility and greater timeliness to our complaints investigation function.

Significant efforts to scale up our operations will continue in 2021–22, including expanding to a second site, recruiting staff across all business lines, and continuing our support to staff working from home. In all aspects, we will continue to prioritize our staff’s health and safety as we build on our successes and pursue ambitious organizational goals. We will also continue to emphasize diversity and inclusion in the workplace, including developing an employment equity strategy.

More details on this and other initiatives are found in this report. I hope that it helps inform Canadians of NSIRA’s priorities for the year ahead.

John Davies
Executive Director

Plans at a glance

Over the coming year, NSIRA will continue its ambitious review agenda, based on the three-year review plan established in 2020–21. This will include mandatory reviews related to the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Security of Canada Information Disclosure Act and Governor in Council directions under the Avoiding Complicity in Mistreatment by Foreign Entities Act. NSIRA will also continue to expand the agency’s knowledge of departments and agencies not previously subject to expert review, including through the conduct of interagency reviews and by “following the thread” of activities from one agency to another. Of note, in 2021–22, NSIRA will continue its comprehensive review, announced in July 2020, to fully identify the systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in illegal activity and a related breach of candour to the Federal Court.

In 2021–22, NSIRA will also focus on implementing a new model for investigating complaints. This work will be rooted in the development of new rules of procedure, which will be implemented after consultation with key stakeholders in the year ahead. The goals of this process are to enhance access to justice for complainants and to ensure that NSIRA investigates complaints in a timely manner.

An important responsibility over the coming year will be further adapting operations to the conditions imposed by the COVID-19 pandemic, with a priority on maintaining a safe and healthy work environment. NSIRA will also emphasize employment equity, diversity and inclusion as a major corporate theme over the year ahead, including training staff on key concepts.

For more information on NSIRA’s plans, priorities and planned results, see the “Core responsibilities: planned results and resources, and key risks” section of this report.

Core responsibilities: planned results and resources, and key risks

This section contains detailed information on the department’s planned results and resources for each of its core responsibilities. It also contains information on key risks related to achieving those results.

National Security and Intelligence Reviews and Complaints Investigations

Description

NSIRA reviews Government of Canada national security and intelligence activities to assess whether they are lawful, reasonable and necessary. It investigates complaints from members of the public regarding activities of CSIS, CSE or the national security activities of the Royal Canadian Mounted Police (RCMP), as well as certain other national security–related complaints. This independent scrutiny contributes to the strengthening of the framework of accountability for national security and intelligence activities undertaken by Government of Canada institutions and supports public confidence in this regard.

Planning highlights

In support of this outcome, in 2021–22, NSIRA will implement an ambitious review agenda. It will continue to review the activities of CSIS and CSE to provide responsible ministers and the Canadian public with an informed assessment of these activities, including their lawfulness, reasonableness and necessity. NSIRA will also build on the knowledge it has acquired of departments and agencies, such as the RCMP, the Canada Border Services Agency, Immigration, Refugees and Citizenship Canada, and the Department of National Defence and Canadian Armed Forces. Using that knowledge, NSIRA will ensure these organizations’ national security or intelligence activities are independently verified and assessed. NSIRA is committed to transcending the silos that have characterized national security review until now, and will “follow the thread” of an activity between agencies to ensure its assessments reflect the complex and interwoven approach Canada takes to national security.

In 2021–22, NSIRA will complete its review of the systemic, governance and cultural factors that led to CSIS engaging in illegal activity and breaching its duty of candour to the Federal Court. This review is being conducted jointly by two NSIRA members, the Honourable Marie Deschamps, a former justice of the Supreme Court of Canada, and Craig Forcese, a professor in the Faculty of Law at the University of Ottawa. This matter was referred to NSIRA by the Minister of Public Safety and Emergency Preparedness and the Minister of Justice. NSIRA is confident its findings and recommendations will play a constructive role in ensuring that future national security activities reflect Canadians’ expectations of these fundamental institutions.

NSIRA is committed to ensuring its review agenda remains responsive and topical. In 2021–22, NSIRA will continue to engage with community stakeholders to understand their concerns surrounding national security and intelligence activities. NSIRA will ensure that matters of equity and non-discrimination are reflected in its review agenda. NSIRA’s work must also be accessible to the public and civil society. In 2021–22, NSIRA will increase its activities on Twitter and ensure that the agency’s processes, methodologies and findings are readily available on its website. NSIRA will proactively publish unclassified versions of its reports throughout the year. The annual report will continue to summarize NSIRA’s review findings and recommendations in context, situating these elements within a broader discussion of the key trends and challenges NSIRA has observed over the year.

In 2021–22, NSIRA will continue to draw on the close relationships it has established with the National Security and Intelligence Committee of Parliamentarians and the Office of the Privacy Commissioner. The agency will coordinate its activities to ensure review is efficient and comprehensive, and avoids unnecessary duplication of effort. NSIRA is also developing close ties to its international equivalents. It will host a conference in 2021–22 that will bring together review agency representatives from Canada, the United States, Australia, New Zealand and the United Kingdom to discuss artificial intelligence and other topics of common interest. NSIRA will also deploy multidisciplinary review teams in 2021–22, leveraging the integrated expertise of researchers, lawyers and technical experts right from the start. This will ensure NSIRA reviews reflect a sound understanding of many complex issues, and that the agency is equipped to provide clear, precise analysis of the impacts of new technology in an ever-changing national security environment.

In 2021–22, NSIRA will also strengthen institutions’ accountability and enhance public confidence by ensuring consistency, quality and timeliness in investigating national security–related complaints. The independent investigation of complaints plays a critical role in maintaining public confidence in Canada’s national security institutions. In 2021–22, NSIRA will continue to offer an informal resolution process to complement the investigative process to respond to complaints. NSIRA also developed new rules of procedure to ensure timeliness in the investigation of complaints. The ambition is to ensure access to justice. New service standards to be set in January 2021 will enable baseline measurements to be established in 2021–22.

Gender-based analysis plus

In 2021–22, NSIRA will undertake several initiatives related to employment equity, diversity and inclusion. Incorporating baseline data derived from employee self-identification, NSIRA will develop an employment equity strategy to increase representation and to ensure it reflects the diversity of the Canadian public, which it serves.

Training and learning events for staff on issues related to systemic discrimination will continue over the coming year. These activities will ensure a common understanding of key concepts and build a corporate culture that promotes the values of diversity and inclusion in the workplace.

Work will continue in 2021–22 to incorporate analysis of bias and discrimination into reviews and complaints investigations. NSIRA will also work with centres of excellence within the Government of Canada to enhance its understanding of how gender-based analysis plus concepts can be more formally integrated into its work.

Finally, NSIRA will build on outreach and engagement conducted over the past year to expand its range of stakeholder partnerships and learn more about concerns related to the differential impacts of national security and intelligence activities.

Key risks

NSIRA’s ability to access the information it needs to do its work and speak to the relevant stakeholders to understand policies, operations and ongoing issues is closely tied to the capacity of the organizations being reviewed to respond to NSIRA’s demands. The resource constraints of those organizations might continue to be compounded next year by disruptions stemming from the COVID-19 pandemic. This presents a risk of hindering NSIRA’s ability to deliver on its mandate in a timely way. NSIRA is mitigating this risk by ensuring clear communication about information requests and by setting review priorities.

The physical distancing precautions required by the COVID-19 pandemic might continue to be needed in 2021–22. This would limit employees’ access to NSIRA offices and to classified physical and electronic documents. Such restrictions could slow NSIRA’s ability to deliver on its mandate in a timely way and limit the frequency and type of outreach NSIRA can do in person. The pandemic also complicates the recruitment, on-boarding and training of new review staff. NSIRA is mitigating these risks by adapting its office space and investing in communications technology. It will continue to innovate to enable its operations and engage virtually with stakeholders, departments and agencies.

Departmental results Departmental result indicator Target Date to achieve target 2017-18 actual results* 2018-19 actual results* 2019-20 actual results*
*Because NSIRA was created on July 12, 2019, there is no comparative information to provide for 2017–18 and 2018–19. Actual results for 2019–20 are not available as the new Departmental Results Framework in the changeover from the Security Intelligence Review Committee (SIRC) to NSIRA was being developed. This new framework is for measuring and reporting on results achieved starting in 2021–22.
Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable and necessary All mandatory reviews are completed on an annual basis 100% completion of mandatory reviews 2021-22 Not applicable (N/A) N/A N/A
Reviews of national security or intelligence activities of at least five departments or agencies are conducted each year At least one national security or intelligence activity is reviewed in at least five departments or agencies annually 2021-22 N/A N/A N/A
All Member-approved high priority national security or intelligence activities are reviewed over a three- year period 100% completion over three years; at least 33% completed each year 2021-22 N/A N/A N/A
National security-related complaints are independently investigated in a timely manner Percentage of investigations completed within NSIRA service standards 90% 2021-22 N/A N/A N/A

Financial, human resources and performance information for NSIRA’s program inventory is available in the GC InfoBase.

Planned budgetary financial resources for assisting the National Security and Intelligence Review Agency

2021–22 budgetary spending (as indicated in Main Estimates) 2021–22 planned spending 2022–23 planned spending 2023–24 planned spending
12,047,835 12,047,835 10,740,923 10,744,262

Financial, human resources and performance information for NSIRA’s program inventory is available in the GC InfoBase.

Planned human resources for assisting the National Security and Intelligence Review Agency

2021–22 planned full-time equivalents 2022–23 planned full-time equivalents 2023–24 planned full-time equivalents
69.0 69.0 69.0

It is expected that NSIRA will be at full capacity by the close of 2021–22 to fulfil its new mandate.

Financial, human resources and performance information for NSIRA’s program inventory is available in the GC InfoBase.

Internal Services: planned results

Description

Internal Services are those groups of related activities and resources that the federal government considers to be services in support of Programs and/or required to meet corporate obligations of an organization. Internal Services refers to the activities and resources of the 10 distinct services that support Program delivery in the organization, regardless of the Internal Services delivery model in a department. These services are:

  • Management and Oversight Services
  • Communications Services
  • Legal Services
  • Human Resources Management Services
  • Financial Management Services
  • Information Management Services
  • Information Technology Services
  • Real Property Management Services
  • Materiel Management Services
  • Acquisition Management Services

Planning highlights

A key priority in the coming year will be Internal Services support and leadership with respect to the development and implementation of effective employment equity, diversity and inclusion strategies.

NSIRA will also continue to leverage technologies and proven information management practices to increase the effectiveness of operations as the agency continues to operate under COVID-19 pandemic conditions.

The ability of NSIRA to continue its rapid increase in personnel will be contingent on effective Internal Services functions. As a result, over the coming year, NSIRA will continue to invest in and strengthen its frameworks for human resources management, information technology and security, and continue to implement its accommodation strategy.

Planned budgetary financial resources for Internal Services

2021–22 budgetary spending (as indicated in Main Estimates) 2021–22 planned spending 2022–23 planned spending 2023–24 planned spending
18,147,084 18,147,084 15,386,717 7,691,725

Planned human resources for Internal Services

2021–22 planned full-time equivalents 2022–23 planned full-time equivalents 2023–24 planned full-time equivalents
31.0 31.0 31.0

Financial, human resources and performance information for NSIRA’s program inventory is available in the GC InfoBase.

Spending and human resources

This section provides an overview of the department’s planned spending and human resources for the next three consecutive fiscal years, and compares planned spending for the upcoming year with the current year’s spending.

Planned spending

Departmental spending 2018–19 to 2023–24

The following graph presents planned (voted and statutory) spending over time.

Departmental spending trend graph
2018-19 2019-20 2020-21 2021-22 2022-23 2023-24
Statutory 0 371,057 1,056,362 1,704,632 1,704,632 1,704,632
Voted 0 5,254,250 16,662,479 28,490,287 24,423,008 16,731,355
Total 0 5,625,250 17,718,841 30,194,919 26,127,640 18,435,987

Because NSIRA was created in July 2019, the actual expenditures of fiscal year 2019–20 do not reflect a full fiscal year of spending. The increase from 2019–20 to 2020–21 is also explained by growth in personnel and the initiation of accommodation, infrastructure and systems investments that were delayed from the previous fiscal year.

Fiscal years 2021–22 to 2023–24 present planned spending based on approved authorities. The fluctuation in planned spending between fiscal year 2020–21 to 2023–24 is mainly explained by funds earmarked for the completion of accommodation, infrastructure and systems projects.

When compared with the Departmental Plan from the previous year, the change in planned spending for 2021–22 and 2022–23 is largely resulting from a reprofile of funding from 2019–20 to 2021–22 and 2022–23 to align funding with the delayed projects noted.

Planned spending for 2023–24 shows the ongoing financial authorities after completion of the office expansion project.

Budgetary planning summary for core responsibilities and Internal Services (dollars)

The following table shows actual, forecast and planned spending for NSIRA’s core responsibility and for Internal Services for the years relevant to the current planning year.

Core responsibilities and Internal Services 2017–18 expenditures 2018–19 expenditures 2019–20 forecast spending 2020–21 budgetary spending (as indicated in Main Estimates) 2020–21 planned spending 2021–22 planned spending 2022–23 planned spending
* Because NSIRA was created on July 12, 2019, there is no comparative information to provide for prior years. Numbers for 2019–20 are for the reporting period of July 12, 2019 – March 31, 2020.
National Security and Intelligence Reviews and Complaints Investigations N/A 3,009,066 6,716,166 12,047,835 12,047,835 10,740,923 10,744,262
Subtotal N/A 3,009,066 6,716,166 12,047,835 12,047,835 10,740,923 10,744,262
Internal Services N/A 2,616,241 11,002,675 18,147,084 18,147,084 15,386,717 7,691,725
Total N/A 5,625,307 17,718,841 30,194,919 30,194,919 26,127,640 18,435,987

Planned human resources

The following table shows actual, forecast and planned full-time equivalents (FTEs) for the core responsibility in NSIRA’s departmental results framework and for Internal Services for the years relevant to the current planning year.

Human resources planning summary for core responsibilities and Internal Services

Core responsibilities and Internal Services 2018-19 Actual full-time equivalents 2019-20 Actual full-time equivalents 2020-21 Forecast full-time equivalents 2021-22 Planned full-time equivalents 2022-23 Planned full-time equivalents 2023-24 Planned full-time equivalents
* Because NSIRA was created on July 12, 2019, there is no comparative information to provide for prior years. Numbers for 2019–20 are for the reporting period of July 12, 2019 – March 31, 2020.
Assist the National Security and Intelligence Review Agency N/A 17.5 44.1 69.0 69.0 69.0
Subtotal N/A 17.5 44.1 69.0 69.0 69.0
Internal Services N/A 11.2 23.6 31.0 31.0 31.0
Total N/A 28.7 67.7 100.0 100.0 100.0

Over the course of 2019–20, funding for an additional 26 FTEs was received to account for NSIRA’s expanded mandate. It is expected that NSIRA will be at full capacity by the close of 2021–22 to fulfil its new mandate.

Estimates by vote

Information on NSIRA’s organizational appropriations is available in the 2021–22 Main Estimates.

Condensed future-oriented statement of operations

The future-oriented condensed statement of operations provides an overview of NSIRA’s operations for 2020–21 to 2021–22.

The amounts for forecast and planned results in this statement of operations were prepared on an accrual basis. The amounts for forecast and planned spending presented in other sections of the Departmental Plan were prepared on an expenditure basis. Amounts may therefore differ.

A more detailed future-oriented statement of operations and associated notes, including a reconciliation of the net cost of operations to the requested authorities, are available on NSIRA’s website.

Future-oriented Condensed statement of operations for the year ending March 31, 2022 (dollars)

Financial information 2020-21 Forecast results 2021-22 Planned results Difference (2021-22 planned results minus 2020-21 Forecast results)
Total expenses 17,695,822 28,235,300 10,539,478
Total revenues
Net cost of operations before government funding and transfers 17,695,822 28,235,300 10,539,478

The difference between the 2021–22 planned results and 2020–21 forecast results is mostly explained by $8.5M of planned accommodation, infrastructure and systems project costs. It is also explained by the increase in personnel to reach NSIRA’s full capacity of 100 FTE’s by the close of 2021–22.

Corporate Information

Organizational profile

Appropriate minister: The Right Honourable Justin Trudeau, Prime Minister of Canada
Institutional head: John Davies, Executive Director
Ministerial portfolio: Privy Council Office
Enabling instrument: National Security and Intelligence Review Agency Act
Year of incorporation / commencement: 2019

Raison d’être, mandate and role: who we are and what we do

“Raison d’être, mandate and role: who we are and what we do” is available on NSIRA‘s website.

Operating context

Information on the operating context is available on NSIRA’s website.

Reporting framework

NSIRA’s Departmental Results Framework, with accompanying results and indicators, is under development. Additional information on key performance measures will be included in the 2021- 22 Departmental Plan.

Core Responsibility: National Security and Intelligence Reviews and Complaints Investigations
Departmental Results Framework Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable and necessary Indicator: All mandatory reviews are completed on an annual basis Internal Services
Indicator: Reviews of national security or intelligence activities of at least five departments or agencies are conducted each year
Indicator: All Member-approved high priority national security or intelligence activities are reviewed over a three-year period
National security-related complaints are independently investigated in a timely manner Indicator: Percentage of investigations completed within NSIRA service standards
Program Inventory Program: National security and intelligence activity reviews and complaints investigations

The changeover of the Security Intelligence Review Committee (SIRC) to NSIRA required significant changes to the Departmental Results Framework, expected results and indicators. With NSIRA’s broader mandate, these changes now provide a framework for measuring and reporting on results achieved starting in 2021–22 and beyond.

Changes to the approved reporting framework since 2020-21

Structure 2020-21 2021-22 Change Reason for change
Total expenses Investigations of Canadian Security Intelligence Service’s (CSIS’s) operational activities National Security and Intelligence Reviews and Complaints Investigations New Core responsibility New Departmental Results Framework
Programs Review of CSIS’s operations National security and intelligence activity reviews and complaints investigations New Program New Departmental Results Framework
Investigation of complaints against CSIS

Supporting information on the program inventory

Supporting information on planned expenditures, human resources, and results related to NSIRA’s program inventory is available in the GC InfoBase.

Supplementary information tables

The following supplementary information tables are available on NSIRA‘s website.

  • Departmental Sustainable Development Strategy
  • Gender-based analysis plus

Federal tax expenditures

NSIRA’s Departmental Plan does not include information on tax expenditures that relate to its planned results for 2021–22.

Tax expenditures are the responsibility of the Minister of Finance, and the Department of Finance Canada publishes cost estimates and projections for government-wide tax expenditures each year in the Report on Federal Tax Expenditures.[xi] This report provides detailed information on tax expenditures, including objectives, historical background and references to related federal spending programs, as well as evaluations, research papers and gender-based analysis. The tax measures presented in this report are solely the responsibility of the Minister of Finance.

Organizational contact information

National Security and Intelligence Review Agency
P.O. Box 2430, Station “D” Ottawa, Ontario
K1P 5W5

Telephone: The phone number is temporarily disabled
Fax: 613-907-4445
Email: info@nsira-ossnr.gc.ca
Website: www.nsira-ossnr.gc.ca

Appendix: definitions

appropriation (crédit)

Any authority of Parliament to pay money out of the Consolidated Revenue Fund.

budgetary expenditures (dépenses budgétaires)

Operating and capital expenditures; transfer payments to other levels of government, organizations or individuals; and payments to Crown corporations.

core responsibility (responsabilité essentielle)

An enduring function or role performed by a department. The intentions of the department with respect to a core responsibility are reflected in one or more related departmental results that the department seeks to contribute to or influence.

Departmental Plan (plan ministériel)

A report on the plans and expected performance of an appropriated department over a 3‑year period. Departmental Plans are usually tabled in Parliament each spring.

departmental priority (priorité)

A plan or project that a department has chosen to focus and report on during the planning period. Priorities represent the things that are most important or what must be done first to support the achievement of the desired departmental results.

departmental result (résultat ministériel)

A consequence or outcome that a department seeks to achieve. A departmental result is often outside departments’ immediate control, but it should be influenced by program-level outcomes.

departmental result indicator (indicateur de résultat ministériel)

A quantitative measure of progress on a departmental result.

departmental results framework (cadre ministériel des résultats)

A framework that connects the department’s core responsibilities to its departmental results and departmental result indicators.

Departmental Results Report (rapport sur les résultats ministériels)

A report on a department’s actual accomplishments against the plans, priorities and expected results set out in the corresponding Departmental Plan.

experimentation (expérimentation)

The conducting of activities that seek to first explore, then test and compare the effects and impacts of policies and interventions in order to inform evidence-based decision-making, and improve outcomes for Canadians, by learning what works, for whom and in what circumstances. Experimentation is related to, but distinct from innovation (the trying of new things), because it involves a rigorous comparison of results. For example, using a new website to communicate with Canadians can be an innovation; systematically testing the new website against existing outreach tools or an old website to see which one leads to more engagement, is experimentation.

full‑time equivalent (équivalent temps plein)

A measure of the extent to which an employee represents a full person‑year charge against a departmental budget. For a particular position, the full‑time equivalent figure is the ratio of number of hours the person actually works divided by the standard number of hours set out in the person’s collective agreement.

gender-based analysis plus (GBA Plus) (analyse comparative entre les sexes plus [ACS Plus])

An analytical process used to assess how diverse groups of women, men and gender-diverse people experience policies, programs and services based on multiple factors including race ethnicity, religion, age, and mental or physical disability.

government-wide priorities (priorités pangouvernementales)

For the purpose of the 2020–21 Departmental Results Report, those high-level themes outlining the government’s agenda in the 2019 Speech from the Throne, namely: Fighting climate change; Strengthening the Middle Class; Walking the road of reconciliation; Keeping Canadians safe and healthy; and Positioning Canada for success in an uncertain world.

horizontal initiative (initiative horizontale)

An initiative where two or more federal organizations are given funding to pursue a shared outcome, often linked to a government priority.

non‑budgetary expenditures (dépenses non budgétaires)

Net outlays and receipts related to loans, investments and advances, which change the composition of the financial assets of the Government of Canada.

performance (rendement)

What an organization did with its resources to achieve its results, how well those results compare to what the organization intended to achieve, and how well lessons learned have been identified.

performance indicator (indicateur de rendement)

A qualitative or quantitative means of measuring an output or outcome, with the intention of gauging the performance of an organization, program, policy or initiative respecting expected results.

performance reporting (production de rapports sur le rendement)

The process of communicating evidence‑based performance information. Performance reporting supports decision making, accountability and transparency.

plan (plan)

The articulation of strategic choices, which provides information on how an organization intends to achieve its priorities and associated results. Generally, a plan will explain the logic behind the strategies chosen and tend to focus on actions that lead to the expected result.

planned spending (dépenses prévues)

For Departmental Plans and Departmental Results Reports, planned spending refers to those amounts presented in Main Estimates.

A department is expected to be aware of the authorities that it has sought and received. The determination of planned spending is a departmental responsibility, and departments must be able to defend the expenditure and accrual numbers presented in their Departmental Plans and Departmental Results Reports.

program (programme)

Individual or groups of services, activities or combinations thereof that are managed together within the department and focus on a specific set of outputs, outcomes or service levels.

program inventory (répertoire des programmes)

Identifies all the department’s programs and describes how resources are organized to contribute to the department’s core responsibilities and results.

result (résultat)

A consequence attributed, in part, to an organization, policy, program or initiative. Results are not within the control of a single organization, policy, program or initiative; instead they are within the area of the organization’s influence.

statutory expenditures (dépenses législatives)

Expenditures that Parliament has approved through legislation other than appropriation acts. The legislation sets out the purpose of the expenditures and the terms and conditions under which they may be made.

target (cible)

A measurable performance or success level that an organization, program or initiative plans to achieve within a specified time period. Targets can be either quantitative or qualitative.

voted expenditures (dépenses votées)

Expenditures that Parliament approves annually through an appropriation act. The vote wording becomes the governing conditions under which these expenditures may be made.

Share this page
Date Modified:

National Security and Intelligence Review Agency Annual Report 2019

Backgrounder

The report focuses on NSIRA’s initial review work from July 2019 through December 2019, and also includes discussion of previously unreleased reviews by predecessor organizations, namely the Security Intelligence Review Committee (SIRC) and the Office of the Communications Security Establishment Commissioner (OCSEC). We discuss Canada’s complex, interwoven approach to national security through the cross-cutting themes of intelligence collection, safeguarding, information sharing, and intelligence informed actions.  Highlights include:

  • Legal issues regarding new technologies;
  • Ongoing concerns related to the duty of candour owed by CSIS to the Federal Court;
  • Issues concerning CSIS’s use of the polygraph;
  • CSE privacy protection practices; and,
  • Inconsistent approaches to how Canada avoids mistreatment when sharing information abroad.

NSIRA’s mandate also brings together the investigation of complaints related to national security made by members of the public. The report describes issues related to complaints from 2019, emphasizing our commitment to modernizing the complaints investigation process to ensure greater timeliness and accessibility. We also raise concerns concerning gaps in the current legal framework for “whistleblowing as it relates to the national security community.”

Our annual report discusses our organization’s underlining values, particularly our desire to be more accessible in our work, reach a broader audience, and have our review priorities and complaints process informed by engaging communities who feel they are affected by national security and intelligence activities.

 “We hope that our annual report will both inform Canadians as to how their national security agencies protect us and give them confidence that strong accountability and transparency mechanisms are in place and working as intended. We look forward to engaging Canadians on the report’s findings.”

–The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. (NSIRA Interim Chair)—

Date of Publishing:

Dear Prime Minister,

On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our first annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2019, as well as our findings and recommendations. Pursuant to transitional provisions 12(1) and 12(2) of the National Security Act, 2017, this report also includes information that our predecessor organizations, the Security Intelligence Review Committee and the Office of the Communications Security Establishment Commissioner, had not yet reported on publicly.

In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with the deputy heads concerned in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitor-client privilege or the professional secrecy of advocates and notaries or to litigation privilege.

Yours sincerely,

The Honourable Dr. Ian Holloway, P.C., C.D., Q.C.
Acting Chair
National Security and Intelligence Review Agency

Committee message

We are proud to present the first annual report of the National Security and Intelligence Review Agency (NSIRA) for work undertaken in 2019. Our enabling legislation requires us to present a report to Parliament each year with respect to our activities during the previous calendar year, including any reviews not yet made public by our predecessor organizations, the Security Intelligence Review Committee, and the Office of the Communications Security Establishment Commissioner. In doing so, our report discusses our activities within a framework that addresses the complex, multi-agency and interwoven approach to national security that exists in Canada.

We are primarily a retrospective body, meaning we generally look at activities that have already taken place and make conclusions regarding their compliance with the law and ministerial direction. We also examine the reasonableness and necessity of a department’s exercise of its powers. We are very conscious of the need for timely access to our findings by parliamentarians and all Canadians. NSIRA is committed to releasing redacted reviews as soon as possible after they are provided to the appropriate minister(s). We hope that our annual report will be a mechanism to reflect on broader trends and themes that cut across the full range of our work. We feel strongly that this approach is embedded in our mandate, and is supported by the government’s own push for greater transparency in national security.

Openness also means deepening the dialogue with Canadians on national security. We have broadened our exposure to a diverse set of viewpoints to ensure our review plan reflects the concerns and priorities of all Canadians. This is particularly important in the context of anti-racism movements that are taking place around the world. We hope that engagement with diverse communities will help our organization learn about how we can best contribute to the fight against racism and discrimination in the national security and intelligence field. Engagement with Canadian experts, with cultural communities and with civil society has already begun as we build our social media presence and our capacity to organize videoconferences and in-person meetings. We have met several stakeholders in Ottawa, Victoria, Toronto and Calgary — and more activities are planned in the year ahead. Internationally, we work with and share our experiences with parallel review bodies as a member of the Five Eyes Intelligence Oversight and Review Council, which is made up of our partners in Australia, New Zealand, the United Kingdom and the United States.

We are mindful of the need to avoid overlap with other review bodies and to make the best use of resources within the national security community that are in place to facilitate our work. We know that for many departments and agencies, external review is a new endeavour that will take time to adjust to. We are very pleased with the level of cooperation and support we are seeing. We have developed and shared our three-year review plan, which we hope will clarify our work priorities and give the organizations that we will be reviewing time to adjust and prepare. Our legislation is unequivocal as to our access to information: we are entitled to timely access to anything that is in the possession or under the control of a department in relation to our reviews (except only Cabinet confidences). The integrity of our work demands this access. Our public reports will accordingly record any shortcomings in this regard. To avoid duplication and to enhance the quality of Canada’s system of national security accountability, we are committed to cooperating with other oversight and review bodies, including the Intelligence Commissioner’s Office, the National Security and Intelligence Committee of Parliamentarians, the Office of the Privacy Commissioner of Canada (OPC), the Civilian Review and Complaints Commission for the RCMP and the Office of the Auditor General of Canada.

NSIRA also brings together under one roof the investigation of complaints related to national security that are made by members of the public. We have a mandate to investigate complaints into the activities of the Canadian Security Intelligence Service, the Communications Security Establishment and national security-related activities of the Royal Canadian Mounted Police. Additionally, we can investigate complaints arising from an individual whose security clearance is denied or revoked, as well as referrals from the Canadian Human Rights Commission and certain matters under the Citizenship Act. We are confident that this consolidation of complaints investigations will help to ensure that Canadians’ national security-related grievances can be addressed with the greatest degree of consistency, quality and timeliness possible. A particular task we are undertaking over the next year is to improve the efficiency of the complaints process.

We would be remiss if we did not address the unique and challenging environment facing us all at this moment. The COVID-19 pandemic has had far-reaching consequences the world over that we are perhaps only beginning to understand. Throughout much of 2020, NSIRA staff have been working from home, with minimal access to the office and, therefore, minimal access to classified physical and electronic documents that must be kept within a secure space. We are very proud of the extraordinary work of our staff, who have kept momentum alive during this difficult period, and who continue to put measures in place to enhance our organizational adaptability. We also expect that organizations that are subject to our review and complaints investigations will continue to allocate personnel to these vital functions, and continue to prioritize national security accountability as they too adjust to an ever-changing situation.

At this time, we would like to express our gratitude to three NSIRA members whose terms concluded this year: the Honourable Pierre Blais, the Honourable L. Yves Fortier, and Murray Rankin, NSIRA’s first Chair. Their collegiality and leadership during a time of transition were greatly appreciated, and their contributions to national security accountability in Canada continue to be deeply felt.

We are honoured to have been chosen to be the first members of NSIRA. We are committed to providing meaningful findings and recommendations on the extent to which Canada’s national security community is complying with the law and on the necessity and reasonableness of its actions. We look forward to the challenge facing us in this increasingly complex environment.

The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. (Acting Chair)
The Honourable Marie Deschamps, C.C.
Professor Craig Forcese
The Honourable Marie-Lucie Morin, P.C., C.M.
The Honourable Pierre Blais, P.C. (Member until May 2020)
The Honourable L. Yves Fortier, P.C., C.C., O.Q., Q.C. (Member until October 2020)
Murray Rankin, Q.C. (Member and Chair until September 2020)

Executive summary

  • Information pertaining to the transition from the Security Intelligence Review Committee (SIRC) to the National Security and Intelligence Review Agency (NSIRA), corporate milestones, organizational values and objectives, and other relevant elements, are briefly described in the introduction, and are supplemented with more detailed material in various annexes as well as on NSIRA’s website.
  • Review findings and themes discussed in this report reflect NSIRA’s work over the first several months of our mandate, beginning in July 2019. They also build on work done by SIRC and the Office of the Communications Security Establishment Commissioner (OCSEC), including reviews that these organizations had not yet released prior to the establishment of NSIRA. Summaries of these reviews are found in Annexes A and B. We discuss findings and themes in this report according to the “information continuum”: collection, safeguarding, sharing and action.
  • A key challenge for departments and agencies in Canada is to ensure that their use of new technology conforms to privacy laws and respects Canadians’ rights under the Canadian Charter of Rights and Freedoms (the Charter). NSIRA is aware of instances where an agency used technology in ways that exceeded legal authorities. Notably, one of NSIRA’s first reviews concerned the Canadian Security Intelligence Service’s (CSIS) use of publicly available geolocation data. NSIRA concluded that CSIS’s use of this data without a warrant risked breaching section 8 of the Charter, which protects against unreasonable search and seizure. NSIRA submitted a report under section 35 of the NSIRA Act, to the Minister of Public Safety and Emergency Preparedness regarding the possible unlawful activity.
  • The report provides an overview of some longstanding issues with regard to the failure of CSIS to meet its duty of candour to the Federal Court, most recently in relation to its human source activities. Specifically, CSIS did not inform the Court that CSIS’s warrant applications were based on intelligence that had likely been collected by illegal means. The Court also observed failings with regard to the Department of Justice’s role in the situation. In response, the Government referred the matter to NSIRA for review under paragraph 8(1)(c) of the NSIRA Act. Over the next year, NSIRA will dedicate significant resources to a review stemming from this Federal Court decision.
  • NSIRA has prioritized safeguarding (i.e., how the government protects people, information and assets) as a review theme we will examine on a yearly basis. In our first year, NSIRA completed one safeguarding review of CSIS, and commenced another within the Department of National Defence (DND). Of note, our observations with regard to the polygraph (i.e., “lie detector test”) during the security clearance process, highlight a number of shortcomings, including:
    • CSIS was unable to justify the capacity of examiners — who are not medical practitioners — to ask medical-related questions of the examinees.
    • There were unequal outcomes or consequences for polygraph exams conducted on external applicants to CSIS vs. current employees.
  • This finding raises broader issues. Although the Treasury Board Secretariat (TBS) Standard on Security Screening, created in 2014, cites the use of the polygraph as an appropriate tool for assessing candidates seeking an Enhanced Top Secret clearance, TBS was unable to provide any policy rationale for the use of this tool. NSIRA brought a number of shortcomings to the attention of TBS. The standard is currently under internal review at TBS, and we are awaiting the results.
  • NSIRA made several findings and corresponding recommendations for the Communications Security Establishment (CSE) to improve its documentation, mitigation and privacy protection practices in relation to its Privacy Incidents File.
  • In 2019, NSIRA launched our first interagency review, an assessment of the implementation of the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities by: the Canada Border Services Agency, CSE, CSIS, DND, Global Affairs Canada, and the Royal Canadian Mounted Police. NSIRA found significant variation among the six departments and agencies in terms of their success in implementing the 2017 ministerial direction. While some departments or agencies, such as CSIS and CSE, had fairly advanced procedures for implementing the ministerial direction, the review highlighted some shortcomings. Some departments and agencies face challenges in operationalizing this direction. Some also face challenges in establishing decision-making mechanisms that are independent from the operational front line in cases where there is a risk of mistreatment. One of the key issues that NSIRA’s review identified was the inconsistent application of the “substantial risk of mistreatment” threshold across departments – under the 2017 directions and their successors, sharing is prohibited where there is a “substantial risk of mistreatment of an individual by a foreign entity”. How departments and agencies assess this standard will be a future area of inquiry.
  • In 2020–21, NSIRA is modernizing the process for addressing complaints. Our goal will not change: to provide a just and efficient investigation and resolution of complaints. Two priorities will guide the modernization: access to justice for self-represented complainants, and the need for a broader spectrum of tools to streamline the resolution of complaints.
  • In previous correspondence to the Attorney General, NSIRA identified legislative gaps related to whistleblower protections in Canada’s national security community and the corresponding negative implications resulting from these gaps. In the interim, NSIRA will be implementing internal procedures to address concerns brought forward by members of the security and intelligence community.
  • In 2019, NSIRA launched a series of public engagements to increase awareness of our new organization, expand our network, and deepen our understanding of Canadians’ concerns relating to national security and intelligence activities. Over the coming year NSIRA intends to continue our outreach and engagement program, with a focus on four key areas: expanding our network to help us address issues related to new and emerging technologies (including artificial intelligence); broadening our dialogue with stakeholders to inform NSIRA’s future review priorities; building new relationships with community groups, in an effort to demystify the complaints investigation process; and scaling up recruitment efforts to ensure NSIRA continues to build an elite workforce with a diverse set of skills and backgrounds.
  • To enhance transparency, NSIRA also intends to proactively redact and release future NSIRA reports as they are approved throughout the year, rather than waiting for the release of our annual report to disclose our findings and recommendations. The organization is working with departments and agencies to ensure that this new approach is as timely and efficient as possible, and both protects vital national security and intelligence information, and provides the public with as much insight as possible into the results of NSIRA’s reviews.

Introduction

01. The National Security and Intelligence Review Agency (NSIRA) began operations July 12, 2019, as part of the transformation of Canada’s national security accountability framework. As a result, this inaugural annual report covers only a six-month period, from July to the end of the 2019 calendar year. During that time and continuing into 2020, NSIRA did a great deal of work to ensure the successful transition from the Security Intelligence Review Committee (SIRC), to a larger organization with a much broader mandate.

02. Because the NSIRA website provides detailed information relating to NSIRA’s mandate, the types of reviews undertaken, the process and lifecycle of a review, and the complaints investigation process, this report does not discuss these topics.

03. Instead, it focuses on NSIRA’s initial work on reviews, our complaints investigations, and our public engagement and transparency efforts. The emphasis on analysis of recent findings and trends in review draws on previously unreleased SIRC and Office of the Communications Security Establishment Commissioner reviews going back to 2018 and 2019, respectively, as well as NSIRA reviews completed in the first several months of operation. Summaries of these individual reports are available in Annexes A and B.

04. Part 1 outlines our organizational values and NSIRA’s approach to building a new institution.

05. Part 2 provides detailed analysis of themes that cut across many of these reviews, drawing linkages and establishing a platform for future work.

06. Part 3 deals with our complaints investigations and briefly discusses themes from 2019 and priorities for the year ahead, with an emphasis on modernizing the complaints investigation process to ensure greater timeliness and accessibility. Summaries and statistics relating to complaints investigations are available in Annexes C and D.

07. Part 4 outlines NSIRA’s efforts and our vision in addressing engagement and transparency, which are key priorities for the organization.

08. Key accomplishments and ongoing priorities with respect to NSIRA’s corporate services, including measures taken to adapt to an expanded mandate, are detailed in Annex E. 

09. This is NSIRA’s first annual report, and we have structured it in a way that aims to be useful and engaging for the reader, while it serves its intended function, namely, to make an important contribution to Canadians’ dialogue on national security and intelligence issues. We are interested in feedback on how to make it as helpful and accessible as possible in achieving this aim.

Part 1: Institution building

10. The creation of NSIRA, following the proclamation of the National Security Act, 2017, represented a considerable step forward in the development of national security and intelligence accountability in Canada. Over the past two decades, national security and intelligence operations have become increasingly interconnected within the Government of Canada. This resulted in a number of departments and agencies that had not traditionally been part of the security and intelligence community now playing key roles in this area. However, review bodies’ powers did not evolve with the changing national security and intelligence landscape, and their ability to review agencies and make contributions remained compartmentalized.

11. NSIRA’s creation remedies these long-standing gaps in Canada’s national security architecture and significantly strengthens the framework for national security accountability. NSIRA has taken over the mandates of our predecessors to review the operations of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), respectively, but we also have an additional and novel mandate to review any activity in the federal government that relates to national security or intelligence. Alongside this expanded mandate, NSIRA has unfettered access to classified information in the possession or under the control of any department or agency (except Cabinet confidences). This allows NSIRA to break down the previously compartmentalized approach to review and accountability, and replace it with horizontal, in-depth interagency review. As such, Canada now has one of the world’s most extensive systems for independent review of national security in the world.

12. Since July 2019, the NSIRA Secretariat has focused on ensuring a successful and effective transition to a much larger organization with a much broader mandate. This included emphasis on the following: securing new accommodations; effective staffing and knowledge development; establishing strong working relationships with departments and agencies, as well as other Canadian review bodies; and delivering on our mandatory reporting requirements. NSIRA absorbed a staff complement from the Security Intelligence Review Committee (SIRC), who had expertise in review and complaints investigation related to CSIS. Sustained effort to recruit staff and build knowledge of the broader security and intelligence community will continue in the year ahead.

Review

13. In the early months of our mandate, NSIRA developed a three-year review plan. This plan will help develop a systematic approach to deciding what to review and how to set priorities. Besides helping to guide resource allocation and staffing decisions in the medium term, the review plan provides clarity to the departments and agencies we review and prevents overlap with other review bodies.

14. Part of the challenge inherent in NSIRA’s mandate is thinking differently about how to organize and undertake reviews. The interagency mandate allows for reviews to be planned and undertaken in a horizontal manner, involving several departments and agencies from the start. Similarly, NSIRA is also working in a horizontal manner internally, to incorporate legal and technical experts into reviews more systematically, so that considerations in these areas are built into reviews from the start.

15. Within this plan, in-depth review of CSIS and CSE remain organizational priorities. NSIRA is also developing foundational knowledge of national security and intelligence activities conducted in federal government institutions that have not traditionally been subject to review. Through a series of increasingly complex and in-depth reviews conducted over the upcoming years, NSIRA will seek to provide a holistic and detailed picture of activities, programs or key themes in the national security and intelligence community.

16. When conducting reviews, whether simple scoping exercises or more complex projects, NSIRA considers a number of elements to develop conclusions, findings and recommendations. These include the lawfulness, compliance with directives and policies, reasonableness, necessity, and proportionality of security and intelligence activities. These considerations help NSIRA ensure that Canadians are confident that national security and intelligence activities undertaken by the Government of Canada are thoroughly reviewed and assessed.

Complaints investigations

17. In addition to NSIRA’s review mandate, the organization has the responsibility to investigate national security-related complaints. This includes hearing complaints from the public regarding actions taken by CSIS and CSE, national security-related complaints regarding the Royal Canadian Mounted Police (RCMP), and complaints related to the revocation or denial of security clearances.

18. NSIRA acknowledges that the complaints investigation framework inherited from SIRC has been far too slow and too complex. An analysis of the number of complaints filed annually and the number outside NSIRA’s jurisdiction to investigate also reveals a clear knowledge gap with respect to NSIRA’s role in this regard. For these reasons, NSIRA has begun to reform the complaints process, including increasing access, timeliness and accountability.

NSIRA’s values

19. NSIRA inherited a number of values, practices and expertise from the review agencies that came before. Nonetheless, NSIRA is dedicated to undertaking our work in a new way — one that emphasizes outreach, engagement and transparency. As such, NSIRA has begun a comprehensive program of engagement with civil society, community groups, academics and others, based on a number of objectives including but not limited to:

  • informing NSIRA’s review plan;
  • raising awareness of and demystifying the complaints investigation process;
  • leveraging and creating communities of interest on key issues (for instance, on artificial intelligence); and
  • recruiting talented Canadians.

20. The new organization wants to break with previous practices that resulted in findings and recommendations being publicly reported only once per year. To increase transparency, NSIRA is committed to the release of unclassified versions of reviews as they become available after redaction and translation. By making our reviews available to the public, NSIRA hopes to increase transparency and accountability, and to open the door to extensive discussions and debate in the public sphere. Consequently, a priority is to draft reports that avoid classified information because the intent is to release them; this “write to release” approach will facilitate the redaction process, where necessary, and ensure more timely and effective release of information.

21. NSIRA is committed to:

  • openness and transparency, in an effort to better connect with Canadians;
  • methodological excellence to ensure the quality of our work; and
  • forward thinking and innovation, including how we consider the impacts of new technology and an ever-changing national security environment.

22. To achieve our numerous and complex objectives, NSIRA relies on a skilled and experienced workforce. As the organization grows, NSIRA will continue to recruit talented candidates that reflect Canada’s diverse and inclusive nature.

23. NSIRA understands the importance of organizational health and wellness as fundamental to success. The organization wishes to be an employer of choice that promotes and provides a healthy work environment. Although the COVID-19 pandemic has raised unprecedented challenges, NSIRA remains focused on further adapting to the sweeping changes brought by the pandemic. Ensuring the physical and mental health and wellness of our staff remains a cornerstone of the organization’s strategy as we develop creative ways to maintain effectiveness and efficiency while working in a distributed manner.

24. In addition to maintaining a broad expertise within the organization, NSIRA has been focusing on building a strong network of partnerships to help define our research priorities and deliver on our mandate. NSIRA has been working with other organizations within the Canadian review and accountability system, such as the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the Office of the Privacy Commissioner of Canada (OPC), on issues of common interest to maximize both the effectiveness and efficiency of national security review agencies, while limiting duplication of efforts.

25. NSIRA made a great deal of progress in all aspects of our mandate throughout the first few months of operation in 2019. Many ambitious projects are under way for the year ahead, in order to progress on building an institution that is fit to play a broad and constructive role in Canada’s system for national security accountability.

Part 2: Review

Section I — The information continuum

This part outlines NSIRA’s framework for discussing findings and trends in review, and provides detailed analysis according to the four categories within this framework. This part does not go into detail about review methodology and prioritization. In short, as we expand our knowledge base of national security and intelligence activities across the Government of Canada, NSIRA aims to undertake increasingly complex reviews over the next three years.

27. Members of NSIRA are planning to proactively redact and publicly release full reviews, along with unclassified executive summaries, as they are approved and translated, rather than having to wait for the annual report to showcase the organization’s review work. This new practice opens up opportunities for the annual report to discuss and dissect lessons learned throughout the year in new and interesting ways. Rather than discussing the findings and recommendations of each review individually (or vertically), as had been done in the Security Intelligence Review Committee (SIRC) and Office of the Communications Security Establishment Commissioner (OCSEC) annual reports, NSIRA will focus on the entire body of work horizontally, and ask what broad lessons, trends or themes emerge. NSIRA believes that this will allow for a more comprehensive analysis of findings and will help to develop more holistic and interconnected review planning.

28. The following discussion is organized according to what NSIRA calls the “information continuum.” This continuum is meant to reflect the lifecycle of information, from how it is collected and safeguarded, to how it is shared and, ultimately, how it is used to inform real-world actions undertaken for national security or intelligence purposes.

29. NSIRA acknowledges that the information continuum differs from the national security and intelligence information cycle. The continuum is not a unidirectional process, and all concepts mentioned in it are intertwined. However, we hope that presenting our findings within this framework will facilitate a reader’s understanding of key themes and priorities within the national security and intelligence environment. Future annual reports might adopt a different structure depending on the recommendations NSIRA receives and the information we wish to communicate.

Section II — Collection

30. Collection is the first step in the information continuum described in this report. It refers to all forms of information gathering by the Government of Canada’s departments and agencies that relates to national security or intelligence. It covers information that is gathered directly by these federal institutions, in Canada and abroad, as well as information received from other federal entities and other orders of government, such as information from provincial or municipal law enforcement. The receipt of information from foreign entities is also a form of collection, but given the special human rights considerations governing such activity, this report discusses this topic in the section on information sharing.

31. Departments and agencies collect information using a range of techniques. Some recruit human sources to collect information on the agency’s behalf. Others intercept telecommunications through a variety of technical means, such as wiretaps. Telecommunications, in this context, refers to both the gathering of communications content (e.g., intercepting a voice conversation or email) and metadata (e.g., telecommunications subscriber information or information related to Internet connections). Importantly, collection here refers to information that is gathered by Government of Canada institutions both covertly and overtly, and includes publicly available information. The distinction between what is publicly available and what is not has been controversial, and it is a subject that NSIRA will review in the future. Often, the information collected relates only to one person or a handful of people; in other instances, departments and agencies collect data in bulk.

32. Obviously, the collection of certain information by departments and agencies can intrude into the private affairs of Canadians. Indeed, of the many types of national security and intelligence activities that NSIRA is mandated to review, collection is the area with the most potential to impinge on the privacy rights of Canadians. Nonetheless, Canadians expect their private lives, communications and online activities to remain free from state surveillance unless the intrusion complies with the law (including, where required, pre-authorization by an independent judicial officer), and that the collection is reasonable, and goes no further than necessary to achieve a legitimate goal, such as the investigation of a criminal offence or the investigation of a threat to the security of Canada. For these reasons, scrutinizing the government’s collection of information will be a permanent area of focus for NSIRA.

Legal frameworks

33. The legal frameworks governing information collection by government departments and agencies are complex, and vary from department to department, and agency to agency. There are a few overarching principles, however. In simple terms, all departments and agencies are subject to the Canadian Charter of Rights and Freedoms (the Charter) and must ensure that their collection of information is “reasonable” under section 8 of the Charter, which protects against “unreasonable search and seizure” of their persons, property and information. This means that where state action intrudes on a person’s reasonable expectation of privacy, the search must generally be pre-authorized by an independent judicial officer — typically a judge issuing a warrant. In limited circumstances, however, warrantless collection of information in which a person has a reasonable expectation of privacy is permissible, so long as it is authorized by a law that is considered reasonable in striking an appropriate balance between privacy and the state interest being pursued, and the search is conducted reasonably.

34. In Canada, the police and other peace officers seek a number of different authorizations permitting intrusive searches and seizures that implicate a person’s reasonable expectation of privacy. These “lawful access” authorizations include search warrants, production orders to obtain documents or records, and warrants authorizing the interception of private communications. The Canadian Security Intelligence Service (CSIS) can seek warrants from the Federal Court authorizing the interception of any communication or the obtaining of any information, record, document or thing. The procedures followed for obtaining these authorizations vary depending on the statute governing the agency seeking it, and also depend on the search’s intrusiveness. The Communications Security Establishment (CSE), for its part, collects information outside of Canada in accordance with its various mandates related to foreign intelligence and cybersecurity. Where those collection activities might otherwise contravene an act of Parliament or interfere with the reasonable expectation of privacy of a Canadian or any person in Canada, CSE must obtain ministerial authorizations from the Minister of National Defence. Before they come into effect, CSE’s ministerial authorizations under its foreign intelligence mandate and its cybersecurity and information assurance mandate must be approved by the Intelligence Commissioner, who is a retired judge.

35. Regardless of the sensitivity of the information being collected, a department or agency must have a legal authority to collect it. Departments and agencies receive such legal authority from their enabling statutes (for example, the CSIS Act for CSIS; the CSE Act for CSE), as well as from common law powers, especially for the RCMP.

36. These statutes also set important limits, often by spelling out what information departments are permitted to collect, when and to what extent. For instance, CSE is prohibited from directing its collection against Canadians or persons in Canada. But it is not always possible to know in advance which information involves Canadians and which does not. As a result, CSE may sometimes collect information relating to Canadians and persons in Canada incidentally — that is, without deliberately seeking it. CSE must handle this information in accordance with the CSE Act and the ministerial authorizations that it has received from the Minister of National Defence.

Ministerial direction and policy

37. The collection of information by the Government of Canada is guided not only by the law, but also by a range of ministerial directions and internal policies. Ministerial direction represents the formal guidance issued by a minister to a department or agency. Though not a statutory instrument, a ministerial direction has a more robust legal status than mere departmental internal policy, and often serves to set out a minister’s expectations regarding how a department should function, and how it should interpret its legal powers. These directions are used, for example, to implement the Government of Canada’s Intelligence Priorities, which are periodically approved by Cabinet. The Intelligence Priorities set out those areas that the Government of Canada has identified as requiring the greatest need for information. Ministers then direct departments to allocate collection resources accordingly, although they must always remain within the scope of their legal collection mandates. When NSIRA reviews a collection activity related to national security or intelligence, we review not just compliance with the law, but also compliance with ministerial direction and internal policy.

Collection challenges

Technology and privacy

38. Criminals and those who pose a threat to national security are constantly adopting the latest technologies to shield their activities from scrutiny. This places pressure on investigative agencies, in Canada and abroad, to maintain their capacity to collect usable information. As a result, Canada’s national security and intelligence agencies must employ new technologies quickly to circumvent or get ahead of the capabilities of their subjects of investigation.

39. Unfortunately, many new technologies can be used in ways that erode privacy. The rise of the Internet and mobile communications means that individuals now generate far more information and metadata about themselves than in the past. At the same time, intelligence collectors are facing a progressive loss of direct access to private communications stemming from the increasing ubiquity of strong encryption. In part for these reasons, there has been heightened interest worldwide in the bulk collection of information and metadata in recent decades. This raw material is then sifted and analyzed to glean insights and patterns. For example, use of smartphones leaves digital traces that, particularly when assembled or later identified, can reveal contacts, patterns of movement and other intimate details. A key difference between bulk collection and more traditional techniques, such as wiretaps, is that the vast majority of the information collected relates to ordinary citizens who are not subjects of investigation. The risks that such techniques pose for personal privacy are clear.

40. A major challenge for departments and agencies in Canada is to ensure that their use of new technology conforms to privacy laws and respects Charter rights. Generally, this requires departments and agencies to engage the federal Department of Justice to obtain advice on the legal parameters that govern the use of the technology, and then to put in place a strong policy framework and obtain the necessary authorizations before beginning to use a new technology. Often this is exactly what happens. But NSIRA is also aware of instances where technology was used in ways that exceeded legal authorities. These are described below. Some of these examples are drawn from NSIRA’s reviews to date, while others are drawn from SIRC’s history of reviewing CSIS.

41. On a few occasions in recent years, CSIS used new collection techniques without first fully understanding and addressing their legal and policy implications. In these cases, legal and policy work lagged behind the operational imperative to maintain and improve collection capabilities. This risked — and at times compromised — the lawfulness of the collection activity and the privacy of Canadians. The first example is from an NSIRA review:

a) Geolocation: One of NSIRA’s first reviews concerned CSIS’s use of publicly available geolocation data. This review raised pressing questions regarding the use of data that is publicly available, but that nevertheless engages a person’s reasonable expectation of privacy. NSIRA concluded that CSIS’s use of this data without a warrant risked breaching section 8 of the Charter, which protects against unreasonable search and seizure. NSIRA’s review examined the decision-making process that led CSIS to use this data without a warrant, and found that CSIS lacked the policies or procedures to ensure that before the data was used CSIS sought legal advice to avoid unlawful use of the data. On March 16, 2020, we submitted a report under section 35 of the NSIRA Act to the Minister of Public Safety and Emergency Preparedness describing the possible unlawful activity. Under section 35, NSIRA must refer to the relevant minister any national security or intelligence activity that might not be in compliance with the law. The minister is then required to forward the report to the Attorney General.

42. Other examples can be drawn from the period before NSIRA was created, which were reported by the former review bodies, SIRC and OCSEC:

a) CSIS metadata: A 2014 SIRC review assessed whether CSIS’s collection, use and retention of metadata collected under the authority of a Federal Court warrant was carried out lawfully and appropriately. At the time, CSIS warrants required any communications or metadata collected incidentally (i.e., not related to the subjects of the warrant) to be destroyed, unless certain conditions were met, including if there were reasonable grounds to believe that the information “may assist” in the investigation of a threat to the security of Canada. CSIS concluded that the words “may assist” established a low threshold, and accordingly retained and used the metadata, despite the data having been collected incidentally. SIRC was given no indication that CSIS had informed the Federal Court of the nature and scope of its activities. SIRC therefore recommended that CSIS make the Court aware of the extent of its retention and use of metadata collected under warrant. Alerted by SIRC’s recommendation, the Federal Court concluded in October 2016 that CSIS could not retain the information unless it was related to a threat to the security of Canada, because CSIS’s collection mandate in section 12 of the CSIS Act includes the qualifier that CSIS can collect information or intelligence only “to the extent that it is strictly necessary.” The Court found that CSIS’s authority to retain information was informed by this limit. Therefore, it held that CSIS had exceeded its lawful authority in retaining much of the metadata collected under warrant. The Court also found that CSIS had failed in its duty of candour to the Court. As discussed below, the question of retention of electronic “datasets” is a matter now more fully regulated by the CSIS Act, following amendments made by the National Security Act, 2017.

b) CSE metadata: Technological advances have created vast amounts of information in the digital realm. Agencies often turn to automation to apply privacy protection measures to large amounts of information efficiently. In 2013, CSE notified its previous review body, OCSEC, that metadata containing Canadian identity information had not been properly minimized by software. This software failure resulted in Canada’s Five Eyes allies receiving data that Canadian laws prohibit CSE from sharing. CSE suspended sharing certain types of metadata while it developed a solution to rectify this problem. Although this was the only instance in which CSE was found by OCSEC not to have complied with the law, related issues arose periodically, including the incomplete reporting on private communications. OCSEC found this to be the result of human and system error. Many of the observations raised historically by OCSEC centred on the interaction of human and technical elements involved in collection and subsequent reporting activities.

c) Datasets: In 2016, SIRC reviewed CSIS’s use of datasets. These datasets were not collected under the authority of a warrant. The review examined whether the collection of such datasets met the statutory test for collection by CSIS under section 12 of the CSIS Act, which is that information can be collected only to the extent “strictly necessary.” Most of the datasets were not directly related to national security threats. SIRC found that there was no comprehensive governance framework guiding the collection, retention and use of bulk datasets. There was also no requirement to assess the datasets to ensure that they met the requirement of being “strictly necessary” to advise the government on suspected threats. These events pushed CSIS to reconsider the legal underpinnings of its collection of datasets. Amendments to the CSIS Act included in the National Security Act, 2017, have since provided CSIS with an explicit authority to collect, retain and use datasets containing personal information that is not directly and immediately related to a threat to the security of Canada. As noted in the final SIRC certificate, pending the coming into force of the National Security Act, 2017, CSIS continued its dataset program despite the legal risks that had been identified.

43. These examples illustrate how the adoption of new collection technologies also poses a challenge for review bodies, who must equip themselves with the technical expertise needed to ensure that the implications of the technologies being deployed are fully understood. This is particularly important given that the use of many new technologies is a closely guarded secret and thus shielded from public scrutiny. As such, it is largely up to review and oversight bodies to scrutinize the use of these technologies. NSIRA’s plans to address this issue are set out in the section on “Future priorities.”

Candour

44. CSIS has struggled to overcome an institutional culture of secrecy that has contributed to failures to fully disclose certain activities and information to the Federal Court, to the Minister of Public Safety and Emergency Preparedness, and to review bodies. A lack of candour can be particularly problematic where it intersects with the use of new technology. The difference between collection that is lawful or unlawful often hinges on very specific details regarding the information that the technology will enable CSIS to collect. A key consideration is whether that information will reveal intimate details of the lifestyle and personal choices of an individual. The breadth of the information collected and other details of its use can also affect a technology’s level of intrusiveness. It is thus vital that oversight and review bodies are made fully aware of departmental activities in order to fulfil their mandates. The broader the scrutiny of a new technology’s use, the more that its implications will be thoroughly considered.

45. Three times in recent years, the Federal Court has found that CSIS failed in its duty of candour toward the Court during warrant applications. In two of the three instances, CSIS omitted certain information regarding the use of technology to collect information. The omissions compromised the Court’s ability to properly exercise its judicial control function. Indeed, it is worth noting that the Court is not required to approve CSIS warrants, even if CSIS meets the basic statutory requirements. The Court must also be satisfied that the warrant powers are reasonable in light of all the circumstances, and must therefore be given all the information it needs to make this key assessment. The Court is also permitted to place any conditions on CSIS warrants that it considers to be in the public interest, and must therefore be able to appreciate the privacy implications of new technologies.

46. The Minister of Public Safety and Emergency Preparedness also plays an important role overseeing the activities of CSIS because of his or her statutory responsibilities related to the CSIS warrant process. Before CSIS can submit a warrant application to the Federal Court, the application must first be approved by the Minister. The Minister — and the officials in Public Safety Canada who advise the Minister — must therefore be provided with all relevant information. It is notable that the Minister has felt it necessary to issue ever-more precise and detailed direction to CSIS specifying that the organization must keep the Minister informed of its activities. The most recent example, the 2019 Ministerial Direction for Accountability, specified that CSIS must inform the Minister of activities “where a novel authority, technique, or technology, is used. This includes novel uses of existing authorities, techniques, or technologies.”

Human source activities

47. Most recently, CSIS failed to meet its duty of candour to the Court in relation to its human source activities. CSIS sometimes pays human sources to collect intelligence. Often, the access these sources have to valuable information is directly related to their personal involvement in terrorism or other threat activities. In paying these individuals for their information, CSIS runs the risk of violating the laws that prohibit paying any money or providing any other resources that support terrorism or other criminal activity. For years, CSIS relied on the doctrine of Crown immunity to provide a legal justification for its actions and to remain within the ambit of the rule of law. The law in Canada has evolved in recent decades, however, making the use of Crown immunity increasingly tenuous as a justification.

48. In 2015 and 2016, SIRC raised a number of questions regarding the legality of CSIS’s human source activities. Notably, SIRC recommended that CSIS obtain legal clarification regarding the continued viability of its reliance on Crown immunity. In response, CSIS obtained legal advice in early 2017 that concluded that Crown immunity could no longer be used to justify activities that would ordinarily be unlawful. This set off a chain of events inside government that culminated in the creation of a new statutory regime allowing CSIS to take actions that would otherwise be unlawful in the course of its human source operations. This new regime was introduced as part of Bill C-59, the National Security Act, 2017, which came into force in mid-2019. While Bill C-59 was before Parliament, however, CSIS decided to continue several human source operations, given their intelligence value, despite the fact that they seemed to violate the law. CSIS only decided to halt these activities in January 2019.

49. In March 2019, SIRC completed its certification of the 2017–18 annual report submitted by the Director of CSIS to the Minister of Public Safety and Emergency Preparedness. Prior to the National Security Act, 2017, SIRC was required to certify the lawfulness of the activities described in each of CSIS’s reports to the Minister. The 2017–18 report discussed CSIS’s continued reliance on Crown immunity in the context of its human source activities. SIRC reviewed the situation and concluded that CSIS had in fact been advised that Crown immunity could no longer be used as a legal defence. As a result, in its certificate, SIRC found that CSIS had knowingly broken the law. SIRC also made clear that although CSIS’s operations could have been important from the standpoint of national security, this in no way excused it from adhering to the rule of law. 

50. Starting in early 2018, the Federal Court began to question the legal basis of CSIS’s human source activities independently of SIRC. These questions led to a series of proceedings that culminated, as mentioned, in the Court finding CSIS to have breached its duty of candour to the Court. Specifically, CSIS did not inform the Court that CSIS’s warrant applications were based on intelligence likely collected by illegal means. The Court also observed certain failings with regard to the Department of Justice’s role in the situation. The Court recommended that there be a broader, independent review of the systemic, governance and cultural shortcomings and failures at CSIS and the Department of Justice that resulted in CSIS engaging in illegal activity and in the related breach of its duty of candour to the Court.

51. In response to the identified shortcomings, the government referred the matter to NSIRA for review under paragraph 8(1)(c) of the NSIRA Act. This review, conducted both at the request of the Minister and also under NSIRA’s autonomous review authority in section 8 of the Act, is now under way. Two members of NSIRA, the Honourable Marie Deschamps, C.C., a former Justice of the Supreme Court of Canada, and Professor Craig Forcese of the Faculty of Law at the University of Ottawa, are jointly leading the review.

52. These events are troubling. CSIS not only broke the law, but CSIS and its legal counsel also failed to disclose important matters to the Federal Court, which they were required to do. CSIS also failed to provide key legal opinions to SIRC, or else provided them many years too late, even though SIRC had a legal right to this information.

Future priorities

53. NSIRA’s review mandate has three principal parts: the review of CSIS, the review of CSE, and the review of the national security or intelligence activities of all other federal entities. The review of CSIS and CSE will always remain central to NSIRA’s mission, but over the coming years, NSIRA will systematically map and review other departments’ collection activities. In so doing, NSIRA will scrutinize collection activities to ensure that they are lawful, reasonable and necessary. In other words, NSIRA will not only consider whether a department can collect information, but also whether it reasonably should do so in light of the department’s mandate and the implications for privacy.

54. In our reviews, NSIRA will emphasize scrutiny of a department’s or agency’s use of technology, and particularly new or emerging technologies that pose the greatest risks. NSIRA’s reviews will make recommendations with an eye to improving departmental processes to manage the legal and privacy risks associated with the use of technology. When relevant, NSIRA will examine departmental candour with ministers and oversight bodies, consistent with Canada’s broader system of accountability for national security and intelligence.

55. To achieve these goals, NSIRA will invest in building in-house technological expertise, through a combination of hiring technological experts, training and reaching out to the broader technological community. NSIRA will also collaborate with allied accountability bodies through a forum known as the Five Eyes Intelligence Oversight and Review Council (FIORC). NSIRA will seek to stay current with regard to new and emerging technologies, including artificial intelligence, machine learning and quantum computing, and related concerns such as “big data.” Our goal is to be able to review departmental use of these technologies and their effects in a timely and effective manner.

56. NSIRA has also worked — and will continue to work — with the Office of the Privacy Commissioner of Canada (OPC) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) on matters of joint concern to ensure that the broadest range of perspectives are brought to bear.

CSIS

57. Over the next year, much of NSIRA’s review scrutiny of CSIS will be dedicated to the review stemming from the Federal Court decision discussed above.

58. In addition, NSIRA will systematically map CSIS’s use of technology and its warrant powers. NSIRA will then undertake reviews of the technologies and powers that are deemed to pose the greatest risks. In this way, NSIRA will gain knowledge of CSIS’s most intrusive activities over time. NSIRA will also increase scrutiny of the warrant process in order to monitor CSIS’s candour to the Federal Court.

59. In addition, the National Security Act, 2017, gave CSIS a suite of new powers. NSIRA will review CSIS’s use of these powers in the coming years so as to help inform Parliament’s statutory review of the National Security Act, 2017, which will begin in 2022 or 2023. In particular, NSIRA will review CSIS’s use of datasets, including those that are publicly available, as well as the new justification regime for CSIS activities, that are undertaken in support of collection, which would otherwise be unlawful. NSIRA is also required each year to review at least one aspect of CSIS’s activities under its threat reduction mandate. This mandate authorizes CSIS to go beyond the collection of information in order to take active measures to “reduce” threats to the security of Canada. Over the coming years, NSIRA will take stock of CSIS’s use of these powers since they were acquired in 2015.

CSE

60. CSE uses a range of collection powers and technologies in its everyday operations. Over time, NSIRA intends to comprehensively review the full suite of collection techniques in place at CSE. NSIRA will start by focusing on certain collection techniques that are authorized under a ministerial authorization and comparing them to techniques that are authorized through other channels. As well, NSIRA will examine how CSE addresses incidentally intercepted information, especially the information of Canadians or persons in Canada, and how it decides whether to retain the information.

61. The rapid technological evolution in areas such as quantum computing, 5G and artificial intelligence will affect the work of CSE, perhaps more than any other federal entity. These technologies could also result in the collection of new information or the development of new collection techniques. Using our growing technical expertise in these areas, NSIRA will conduct both general and targeted reviews of the use of these technologies.

62. CSE has also received new powers in the National Security Act, 2017, including the ability to carry out defensive and offensive cyber operations. CSE cannot use these powers to collect information, separately from authorizations issued under its foreign intelligence or cybersecurity mandates. As CSE begins to conduct these operations, NSIRA will review them to ensure they are not being used for — or do not result in — the collection of information.

Other government departments

63. For entities other than CSIS and CSE, NSIRA’s initial reviews will build foundational knowledge of departments with significant collection programs. Of note, NSICOP has already reviewed the security and intelligence activities of the Canada Border Services Agency (CBSA) and of the Department of National Defence (DND) and Canadian Armed Forces (CAF). These reviews identified certain areas of risk, including the use of what is termed “scenario-based targeting,” which is used to screen travellers entering the country, as well as the CBSA’s use of covert surveillance in Canada. NSIRA will build on NSICOP’s work with in-depth reviews of the collection activities of these departments and agencies.

64. NSIRA also intends to map collection through the rest of the federal national security and intelligence apparatus. In particular, NSIRA will explore the collection programs of the RCMP by looking in detail at the RCMP’s national security criminal investigation program, and by examining how the RCMP collects intelligence in support of those investigations. Throughout, NSIRA will be mindful of public concerns with respect to law enforcement, and pay due attention to the RCMP’s activities in sensitive sectors and to any appearance of bias.

65. Within the next three years, NSIRA will examine the collection activities of Global Affairs Canada (GAC). NSIRA will also map the collection and use of biometrics across the government in relation to its security and intelligence activities. This review will examine the collection and use of biometrics by Immigration, Refugees and Citizenship Canada, the CBSA and Transport Canada in relation to their national security responsibilities and canvass the use of biometrics by CSIS and the RCMP in security intelligence and national security-related police investigations.

66. Among the novel and complex areas of collection that NSIRA will also review is the collection of financial intelligence. Financial intelligence is a core component of national security collection, especially in relation to terrorism. It is also central to large law enforcement intelligence operations, especially those that involve money laundering and terrorist financing. Canada’s financial intelligence centre of expertise and responsibility is the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). NSIRA will review FINTRAC’s activities and examine FINTRAC’s relationship with domestic partners.

67. Over the course of the next year, NSIRA will also conduct targeted reviews of DND/CAF. NSIRA has already begun to review the Canadian Forces National Counter-Intelligence Unit to determine how this unit conducts its counter-intelligence gathering activities and, in particular, how the unit’s activities correspond to legal and governance frameworks by focusing on cases of right-wing extremism. NSIRA will also review the Defence Intelligence Enterprise, to gain a general overview and to learn how it is positioned within DND/CAF governance frameworks and authorities. In light of recent media coverage, this review will focus on medical and open-source intelligence.

Medical intelligence and public health intelligence

68. Given the current COVID-19 pandemic, NSIRA will explore how the Government of Canada collects intelligence on medical issues or in relation to the health of Canadians. This is known as medical intelligence, or public health intelligence. At present, NSIRA does not have a firm understanding of what the government considers to be medical intelligence or the extent to which medical intelligence is used. To rectify this gap, NSIRA will review the Public Health Agency of Canada, as well as DND/CAF, whose American counterpart operates the National Center for Medical Intelligence. In Canada, medical issues are usually not part of the public discourse as to what should or should not constitute the government’s intelligence priorities. Medical intelligence will be a completely new area for NSIRA, and it is hoped that it will provoke a useful conversation in light of current events.

Section III — Safeguarding

69. Safeguarding refers to the protection of people, information and other government assets within the national security and intelligence portfolio. Information collected, analyzed and used within this community is often sensitive, either due to the sources and methods from which it is derived, or because of attendant legal protections.

70. There are real consequences when safeguarding measures fail. Should hostile actors like terrorists or foreign governments gain access to information on human sources, for example, this could put lives at risk. Likewise, if hostile actors learn details on electronic methods of collection, this could lead them to apply countermeasures, which could limit Canadian knowledge on key security and intelligence priorities. There is also reputational risk to the Canadian security and intelligence community if allies perceive that the sensitive information they share with Canada, in trust, is not being adequately protected. It is therefore incumbent on the government to ensure that such information is secured from exploitation, compromise or other unauthorized disclosure.

71. Several security breaches in recent years illustrate that the Canadian national security system has not been immune from the risks associated with “insider threats.” The first contemporary public reminder of this risk was the successful prosecution of Jeffrey Delisle. He was a Canadian Navy Sub-Lieutenant who, in 2007, began releasing classified information to the Russian government. On November 30, 2013, Qing Quentin Huang was arrested and charged with attempting to communicate safeguarded information to the Chinese embassy in Ottawa. Mr. Huang had been employed in a sector providing specialized services to the government. Last year, police laid charges against Cameron Ortis, a civilian executive within the RCMP, who was charged with leaking classified information to foreign entities. Both the Huang and Ortis cases remain before the courts.

Safeguarding policy and legal thresholds

72. Safeguarding is neither a legal term of art nor a precisely defined policy term. It encompasses several distinct elements clustered together due to their impact on the protection of people, information and assets. For this reason, the rules for safeguarding begin with the two main policy instruments that govern the management of security within the Government of Canada: the Policy on Government Security and the Directive on Security Management. These policy instruments outline the various requirements for organizations and employees to contribute to security in the workplace.

73. The Treasury Board Secretariat (TBS) is the lead government agency responsible for setting the minimum standards, or safeguards, used to support these policy instruments, covering:

  • information and identity assurance;
  • individual security screening;
  • physical security;
  • information technology security;
  • emergency and business continuity management; and
  • government contracting.

74. Department- and agency-specific policies and procedures across the security and intelligence community — derived from the TBS standards — also set out additional security requirements. As important as it is to define what safeguarding is, it is equally important to understand what it is not. In this context, safeguarding does not refer to measures directed at persons who do not have access to sensitive government information or assets.

75. Employees in the security and intelligence community are also subject to liability for any violation of the provisions of the Security of Information Act (SOIA), which sets out various offences related to the handling of classified material. For instance, the SOIA defines “special operational information” as information that the Government of Canada is taking measures to safeguard.

76. One of the important objectives of the SOIA is to prohibit the unlawful disclosure of sensitive information. However, a mechanism allows for situations where an individual believes that the disclosure of such information is in the public interest — that is, whistleblowing — for example, in preventing public servants from committing a crime in the course of their duties. Whistleblowing protections guard against violations of public trust that erode the confidence of the public in the government’s practices. Whistleblowing protections give an individual a potential legitimate defence against prosecution under some offences in the SOIA.

77. Because the stakes can be high for disclosing safeguarded information, the SOIA outlines a series of preconditions that would enable an accused person to avoid criminal liability for such disclosures. If they are met, the Court will perform a balancing exercise to determine whether the disclosure was in the public interest. These preconditions include weighing factors like the extent or risk of harm created by the disclosure and the seriousness of the alleged offence. However, where the accused is alleging an offence has been committed (and except where disclosure of information is necessary to avoid grievous bodily harm or death), the judge may find the public interest favoured disclosure only where the accused first reported the wrongdoing. NSIRA is the final step in this reporting chain.

Safeguarding themes

78. The concept of safeguarding has an impact on NSIRA’s work in three crucial ways. First, as discussed above NSIRA has procedures for receiving reporting of wrongdoing by whistleblowers. Second, NSIRA must ensure that our members, employees and systems safeguard sensitive information, assets and people from compromise. Third, in both our review and complaint investigation activities, NSIRA plays a crucial role in assessing if the governance systems used to deter, detect and mitigate such risks are compliant, reasonable and necessary.

79. NSIRA has prioritized safeguarding as a review theme to be examined yearly. In selecting this as a review priority, we will help determine the extent to which the security and intelligence community is appropriately safeguarding its employees, information and assets, and will report on whether such practices are lawful, reasonable and necessary to reduce the identified risks. To this end, in our first year NSIRA completed one safeguarding review relating to CSIS, and started another within DND. The latter review was ongoing at the time of writing. When these two reviews are considered holistically along with available open-source information, broader observations can be made about safeguarding.

80. A key observation is the importance of maintaining security vigilance. Currently, the security system engages in high-intensity scrutiny at predetermined intervals — e.g., initial screening on hiring, five-year updates to security clearances, yearly employee security awareness week — and then periods between these intervals where security is less prominent. Moreover, if other priorities take precedence, the time between intervals could increase. In the case of Mr. Delisle, for instance, his Top Secret security clearance had lapsed and was not properly updated prior to his arrival at the government facility where he committed his crimes. Had proper clearance renewal standards been followed, his loyalty to Canada would have been assessed and other vulnerabilities scrutinized.

81. Another important observation is the essential role of clear, concise and updated policies in setting standards across the government. As already mentioned, TBS establishes the minimum security standards for government departments and agencies to follow. Gaps in these standards could create a domino effect, with each department and agency creating their own policies and procedures. Such gaps could lead not only to an absence of standardization across government, but also, in certain cases, to the unreasonable and unnecessary application of security practices.

The polygraph

82. A final observation relates to the government’s use of the polygraph for screening security and intelligence employees. Commonly referred to as a lie detector test, the polygraph is a technology that measures and records several physiological indicators such as blood pressure, pulse, respiration and skin conductivity while a person responds to a number of questions. “Deceptive” answers produce physiological responses that can, so it is alleged, be differentiated from those associated with “non-deceptive” answers.

83. The TBS Standard on Security Screening, created in 2014, cites the use of the polygraph as an appropriate tool, among others, for assessing candidates seeking an Enhanced Top Secret (ETS) clearance. CSIS, in conducting security assessments for its staff, uses the results of the polygraph as a determinative element when granting ETS clearances, rather than an instructive element, to be considered as part of a series of relevant factors. If an outside candidate, employee or individual contracting with the Government of Canada is denied a security clearance that is necessary to obtain or keep federal employment or a contract, the individual can make a complaint to NSIRA pursuant to section 18 of the NSIRA Act. If NSIRA’s jurisdiction is established, the complaint would be investigated by an NSIRA member. This could include, for example, a complaint where a CSIS employee was terminated solely because of the revocation of a security clearance, and the Deputy Head of CSIS could have based the decision to revoke the clearance on the results of a polygraph test. Given the highly invasive and controversial nature of this technology, NSIRA decided to examine the use of the polygraph within our latest safeguarding review of CSIS. We sought to determine the justifications for its use, and the extent to which such determinations are reasonable and necessary.

84. Several key observations were derived from this analysis. First, this tool can have profound negative impacts on an employee’s mental health if not used appropriately. Second, CSIS was unable justify the merits of examiners — who are not medical practitioners — to ask medical-related questions of the people they examine. Third, the outcomes or consequences for polygraph exams conducted on external applicants compared with CSIS employees differed. [ Text removed – As of November 20, 2020, NSIRA and CSIS could not agree on how all of the facts of this review should be presented in an unclassified, public document]. Essentially, a successful polygraph is a determinative factor for external applicants in obtaining an ETS clearance through CSIS. Fourth, CSIS requires policy clarity for cases where employees fail the polygraph examination. Finally, CSIS did not conduct a privacy impact assessment (PIA) for the use of the polygraph, despite a PIA being required by government policy when a department or agency is dealing with “personal information.”

85. These issues raised in the CSIS context are related to a much broader consideration: namely, the extent to which the government’s overarching policy document, the Standard on Security Screening, provides adequate guidance for departments and agencies when they implement this safeguarding measure. For example, this standard requires the use of the polygraph for all ETS clearances, but it is silent on any guidance on the implementation of this requirement, including the conditions for the reasonable use of the polygraph. Rather, such key considerations are left to the discretion of specific departments and agencies.

86. The OPC has also raised concerns with TBS as to how the polygraph examination is used as an enhanced screening requirement under the 2014 Standard on Security Screening. In July 2017 correspondence, for example, the OPC noted particular concerns surrounding its effectiveness, sensitivity and privacy implications, and the potential adverse consequences associated with polygraph examinations.

87. These contemporary observations are not new. In seven consecutive annual reports, ranging from 1985–86 to 1991–92, SIRC requested that CSIS stop using the polygraph. One of the key concerns raised by successive committees were SIRC’s “grave doubts” about the use of the technology, pointing to the fact that test results could be wrong 10% of the time or more. As well, Canadian courts have refused to admit the results of a polygraph as evidence in criminal trials. The Supreme Court of Canada has found that they are unreliable and risky, and would not assist the Court in determining a person’s guilt or innocence.

88. After consideration of the foregoing, on December 12, 2019, NSIRA sent a letter to TBS seeking access to the legal advice prepared for Treasury Board on how the polygraph complies with Canadian legal requirements, as well as a summary of the evidentiary basis used to establish the requirement for using the polygraph, and any assessments of how the use of the polygraph achieves its intended goal. The TBS response failed to answer NSIRA’s questions. However, the letter did acknowledge that the next round of security policy modifications was under way.

89. When SIRC recommended in 1985 that CSIS should cease using the polygraph, it was meant to allow the government time to reach definitive conclusions about whether this technique should be employed by Canadian agencies and, if so, under what circumstances and under what rules. SIRC requested what sound government policy instruments should always require: namely, that there are consistent approaches across government; that risks are managed; and that policies exhibit public service values such as probity, prudence, equity and transparency. NSIRA has not been provided with evidence that suggests that the use of the polygraph meets all of these policy requirements. To this end, future reviews will examine the polygraph’s use outside of CSIS, and based on the information assessed, NSIRA will make a definitive determination about the legality and utility of this instrument.

Future review priorities

90. NSIRA will conduct several reviews of safeguarding practices in the coming years, in an effort to ensure that we are covering as broad a spectrum as possible of security and intelligence community actors. These safeguarding reviews will allow NSIRA to remain involved in relevant key priorities of the field, such as legality, privacy, science-based tools and international best practices.

91. As an independent agency charged with assessing propriety and legality at the core of our mandate, we make our own assessment of the lawfulness of the actions of the security and intelligence community. This forms the basis for NSIRA findings, recommendations and reporting. To this end, NSIRA intends to maintain a strong focus on assessing the process for the input of expert legal advice. Within the context of specific reviews, NSIRA will review the Department of Justice’s role in providing legal analysis to security and intelligence stakeholders.

92. Considering the primacy of privacy in much of the information collected and used by the government in this field, another priority is the need to evaluate the government’s respect for privacy rights, regardless of the policy merits of the safeguarding measure. One of NSIRA’s fellow accountability organizations, the OPC, plays a key role in helping ensure government compliance with Canadian privacy legislation. NSIRA will continue to work collaboratively with the OPC on future safeguarding reviews.

93. In keeping with NSIRA’s mandate to assess the reasonableness and necessity of a department’s exercise of its powers, NSIRA intends to go beyond assessing whether safeguarding measures are legally sound and privacy compliant. NSIRA’s mandate includes reviewing for necessity and reasonableness. For any government to continue to build an adaptive security system, scientific evidence and data-driven analysis must inform which safeguarding tools and processes are necessary. Currently, NSIRA is concerned that there is an absence of transparent and defensible science underpinning policy decisions for selecting security measures. Therefore, our future reviews will include the examination of scientific justifications for specific safeguarding measures.

94. Finally, NSIRA will assess the potential for the government to further advance collaborative practices through additional outreach with foreign partners in allied countries. Although it is known that exchanges of this nature are routine within certain sectors of the security and intelligence community, another feature of these exchanges that should be examined is the extent to which these outreach and coordination efforts relate to safeguarding measures and the extent to which they help revitalize the government’s security posture. NSIRA’s reviews will also provide insight into this component of international best practices.

95. Five safeguarding reviews are planned over the coming years to ensure coverage of as broad a spectrum as possible of security and intelligence community actors. The first will address an aspect of security screening within GAC. The second safeguarding review will relate to CSE’s use of the polygraph for employee security screening; this will be in addition to the yearly reviews of CSE that routinely cover various cybersecurity initiatives used to protect government systems from exploitation. The third review will consider the use of biometrics across the Canadian government. The final two reviews will examine aspects of the RCMP (i.e., the division devoted to Operations Research within this police force, while the other will evaluate the security/safeguarding implications of the Ortis case, using the RCMP’s own internal reviews as a starting point for our analysis).

96. This series of reviews relating to safeguarding will help to provide Parliament and all Canadians with facts about the adequacy of security practices within the security and intelligence community, and ideally, help improve such safeguarding measures. Most importantly, NSIRA exists to ensure that whatever government security standards are ultimately created, they are tested through expert scrutiny and their application is reported on to encourage sustained public debate.

Section IV— Sharing

97. Departments and agencies complement the information they collect on their own with robust information sharing both domestically and internationally. Counter-terrorism, in particular, requires an integrated response, one that involves multiple departments and agencies, in Canada and internationally. Indeed, this is one of the lessons that has been learned post-9/11, but it comes with its own risks and a concomitant need for caution.

98. Information sharing in the security and intelligence community, however, is a broader issue than sharing information to prevent acts of terrorism. Departments share not only to prevent acts of terrorism, but also to counter espionage, foreign interference and the proliferation of restricted technologies. They also share information to advance Canada’s foreign policy and defence priorities. Moreover, they share information broadly — within the security and intelligence community; outside that community with other federal, provincial, municipal and private sector organizations; and with foreign partners.

99. Equally noteworthy is the impact of technology on information sharing. Departments are able not only to collect vast amounts of information, but also to share that information more quickly and easily than ever before. And the burgeoning field of data analytics encourages the sharing of information that can then be analyzed.

100. Against this backdrop, information sharing raises issues of privacy and potential mistreatment abroad, as well as the need to protect sensitive sources and methods when information is shared. These are important issues for Canadians and for policy-makers, and so they will be for NSIRA as well in our review work.

Legal framework for sharing

101. A complex legal framework governs departments’ information sharing. The Privacy Act is an overarching piece of legislation; it is not limited to issues pertaining to the sharing of personal information for national security purposes. The Act sets out specific rules regarding when and why federal government agencies are permitted to share personal information. More recently, Parliament also enacted the Security of Canada Information Disclosure Act (SCIDA), discussed below.

102. In addition, agencies such as CSE, CSIS and the RCMP are subject to specific provisions in their governing statutes for sharing information. Departments can also share information for specific purposes under specific legislation. For example, under the Customs Act, CBSA officials can share customs information where that information is reasonably regarded by the official to be information relating to the national security or defence of Canada. Likewise, in certain circumstances, FINTRAC and law enforcement bodies receive and disclose financial information pursuant to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

103. Departments’ information sharing can also be shaped by international agreements and resolutions, as well as guidance from their respective ministers.

Information-sharing challenges

104. On the basis of three commissions of inquiry in the past 15 years — as well as numerous reviews by NSIRA’s predecessors OCSEC and SIRC — we can safely say that the key challenges of sharing information for national security purposes domestically and internationally are well documented.

105. Justice Major’s Commission of Inquiry into the bombing of Air India Flight 182 addressed several questions, including whether there was effective cooperation and sharing of information between CSIS and the RCMP. Ultimately, the inquiry concluded that the failure of domestic agencies to share information effectively contributed in a material way to the tragic downing of the Air India flight.

106. Since then, CSIS and the RCMP have taken steps to strengthen their information sharing and cooperation. The objective of a CSIS national security investigation is to provide security intelligence to the government; the RCMP collects evidence to be used in a judicial process. While collecting for these different purposes, the two agencies have a shared interest in protecting their respective sources and investigative techniques.

107. In national security investigations, intelligence agencies — most notably CSIS — can be reluctant to share information with the police. Police themselves might want to maintain a distance from intelligence information because it could eventually be subject to disclosure; disclosure disputes can delay or disrupt criminal prosecutions. From a public safety perspective, the limited sharing between intelligence and police agencies could be harmful. This was Justice Major’s central conclusion. It can complicate coordination and impede or delay the range of public safety actions available to the government. This is known as the “intelligence to evidence” dilemma.

108. To address this issue, CSIS and the RCMP have developed a One Vision framework. The framework seeks to enhance cooperation and streamline information sharing.

109. The intelligence to evidence issue was a key part of the country-wide national security consultations that the government undertook in 2016. Ultimately, the government did not bring forward any legislative amendments to specifically address this issue. During our first year, however, NSIRA heard from an external expert that CSIS and the RCMP continue to wrestle with this challenge. The two organizations are undertaking a thorough review to find ways they can remove unnecessary impediments to information sharing and facilitate successful enforcement. Given the importance of the CSIS-RCMP relationship, NSIRA has launched an in-depth case study, to be completed later in 2020, that examines this relationship.

Clear authority for sharing

110. Historically, departments wanting to share national security information regarding threats to Canadian citizens and interests have been concerned about the lack of an independent authority to do so. The Privacy Act’s “consistent use” provision can be used in the national security context where there is a reasonable and direct connection to the original purpose for which the information was obtained. However, this legislation is not specific to the national security context. Overall, it was believed that the complexity of the legal landscape was impeding the sharing of information with national security and intelligence agencies.

111. In response, the government passed the Security of Canada Information Sharing Act (SCISA) in 2015. It created a single legislative authority for federal government institutions to disclose information on an activity that “undermines the security of Canada.” The intent in doing so was to improve the effectiveness and timeliness of sharing threat-related information, including by departments and agencies that are outside the core security and intelligence community. In separate reviews of disclosures under SCISA, however, both SIRC and the OPC were critical of departments’ internal controls and record keeping.

112. The legislation was amended and renamed SCIDA as part of the National Security Act, 2017. Further, NSIRA now has a statutory requirement, pursuant to subsection 39(1) of the NSIRA Act, to conduct a review of disclosures made under SCIDA. To ensure robust review of these disclosures, and in keeping with the statutory authority to coordinate to avoid unnecessary duplication of work, NSIRA and the OPC have agreed to work together on these review efforts.

113. NSIRA is also looking beyond SCIDA to other aspects of the challenge of having clear authority to share information for national security purposes. In our first year, NSIRA has elected to conduct three reviews that feature CSE’s incidental collection and use of Canadian identity information, including disclosure of such information to departments. When sharing intelligence reports with other departments and agencies, CSE typically suppresses Canadian identity information, which is collected incidentally in the course of its foreign intelligence activities and its cybersecurity and information assurance activities. However, departments and agencies that can demonstrate they have the legal authority and operational justification to receive the Canadian identity information can submit to CSE a request for disclosure of the information. NSIRA expects to complete a review later in 2020 that focuses on the lawfulness and appropriateness of Canadian identity information disclosures, and a review that focuses on CSE’s ministerial authorizations and ministerial orders.

Review of CSE’s Privacy Incidents File

114. One review featuring Canadian identity information was NSIRA’s first completed review relating to CSE. The review examines CSE’s Privacy Incidents File, which records privacy incidents discovered by CSE. A privacy incident occurs when the privacy of a Canadian, or a person in Canada, is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. The review of the Privacy Incidents File was an annual review conducted by OCSEC, CSE’s former independent review body. For this review, based on an examination of a selected sample of incidents reported in the Privacy Incidents File for the period of July 1, 2018, to July 31, 2019, NSIRA commended CSE’s timely response to reporting and mitigating privacy incidents. However, NSIRA made five additional findings and corresponding recommendations for CSE to improve its documentation, mitigation and privacy protection practices.

Sharing with international partners and the risk of mistreatment

115. Justice O’Connor’s inquiry into the actions of Canadian officials in relation to Maher Arar examined the circumstances under which a Canadian citizen, Maher Arar, was rendered to Syria and tortured. A key outcome of the inquiry was its conclusion that sharing inaccurate or non-caveated information with foreign partners can result in the mistreatment and torture of individuals, as it did with Mr. Arar.

116. The government responded by issuing a series of ministerial directions on information sharing with foreign partners, culminating in the Avoiding Complicity in Mistreatment by Foreign Entities Act (Complicity Avoidance Act), which came into force in 2019 and required written direction be issued by the Governor in Council (GIC) to the deputy head of multiple departments and agencies. The GIC directions have codified the expectations of departments and agencies. In particular, there is now a clear prohibition for any sharing of information that would result in a substantial risk of mistreatment of an individual. Additionally, they limit the use of any information that was likely obtained through the mistreatment of an individual.

117. Throughout its history, SIRC paid careful attention to CSIS’s information-sharing practices with foreign partners. It also specifically addressed the operationalization of the relevant ministerial direction. Its attention to these issues continued through 2018–19, through two separate reviews of CSIS foreign stations. The first of these reviews focused on the need for CSIS to institute and follow a rigorous decision-making process with respect to sharing information with foreign partners, supported by foreign arrangements anchored in thorough assessments of the human rights records of Canada’s foreign partners.

118. The second foreign station review also examined CSIS’s relationships with foreign partners within the geographic region encompassed by the station. In this case, all of the foreign partners are deemed high risk from a human rights perspective and, thus, restrictions have been placed on all foreign arrangements in the station’s area of responsibility.

119. One of NSIRA’s first reviews examined changes to CSIS’s procedures and policies on information sharing by means of a detailed examination of three cases, identified as high risk, that had been reviewed by CSIS’s Information Sharing Evaluation Committee. The review yielded two recommendations meant to ensure that decisions are made at a level commensurate with the assessment of risk, and that legal opinions are sought, as appropriate, to ensure compliance with the law and ministerial directions when sharing information with a foreign entity.

120. As part of our governing statute, NSIRA is now required to review departments’ implementation of GIC directions on information sharing with foreign partners under the Complicity Avoidance Act. To date, the GIC has issued these directions to 12 departments, including several that have never before received formal direction specific to information sharing with foreign partners.

121. To prepare for this new responsibility, NSIRA launched our first interagency review, an assessment of how six departments and agencies— the CBSA, CSE, CSIS, DND, GAC and the RCMP — were implementing the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities, which was the basis of the direction under the Complicity Avoidance Act. The purpose of the review was also to provide a future roadmap for departments that, pursuant to the Complicity Avoidance Act, received this direction for the first time in 2019.

122. NSIRA found significant variation among the six departments and agencies in terms of their success in implementing the 2017 ministerial direction. Some, like CSE, have developed and rolled out comprehensive policy suites to guide their information sharing with foreign partners. Some departments face challenges in operationalizing this direction. Some also face challenges in establishing decision-making mechanisms that are independent from the operational front line in cases where there is a risk of mistreatment. One of the key issues that NSIRA’s review identified was the inconsistent application of the “substantial risk” threshold across departments and agencies. This will be an area of inquiry in the future.

Future priorities

123. NSIRA has a specific statutory requirement to review the implementation of GIC direction under the Complicity Avoidance Act, and to review disclosures under SCIDA. These reviews are annual requirements, reflecting the potential risks to Canadians when departments and agencies share under these respective statutory mandates. NSIRA will be attentive to those risks, including the potential risks to privacy posed by information sharing. At the same time, however, NSIRA intends to map and review the full range of information sharing in which departments engage — under different statutes and legal sources, as well as internationally and with one another, provincial and territorial agencies, and the private sector.

124. Over our first three years, NSIRA will begin to explore information sharing across the security and intelligence community. We will focus on key partnerships, and how departments and agencies collaborate in keeping Canadians safe and achieving Canada’s foreign policy and defence objectives. The scope of information sharing is broad, and NSIRA hopes to build our understanding of this issue over time.

125. NSIRA has begun a building block review of CSIS-RCMP collaboration and information sharing in relation to a particular investigation. One of the objectives of this review is to document the challenges that the two agencies face in relation to the intelligence to evidence dilemma.

126. NSIRA will examine other key partnerships within the security and intelligence community, including information sharing between CSIS and CBSA to prevent people or goods posing a threat to national security from crossing the border. We will also examine how CSE and CSIS collaborate to collect foreign intelligence that is useful for Canadian policy-makers.

127. NSIRA will also look at horizontal arrangements, and information sharing across different levels of government. For example, we will assess institutionalized measures to promote sharing and cooperation, such as in relation to Integrated National Security Enforcement Team investigations. These teams are led by the RCMP and include representatives from other federal agencies, as well as representatives from municipal police services and provincial police in the case of Ontario and Quebec. NSIRA will also look at information sharing outside of the counter-terrorism context, including how departments and agencies protect Canada’s economic security, beginning with actions under the Investment Canada Act and extending to include the full spectrum of tools at the government’s disposal.

128. NSIRA will examine information sharing with private sector organizations, such as information that the Canadian Centre for Cyber Security collects from organizations to prevent or mitigate cyber attacks by hostile state actors, or that chartered banks report to FINTRAC for investigating suspicious financial transactions.

129. Finally, NSIRA recognizes that in examining information sharing with foreign partners, we can see and understand only Canadian actions. NSIRA therefore participates in international fora such as FIORC, which brings together review bodies from Canada, Australia, New Zealand, the United Kingdom and the United States to stay up to date with (unclassified) trends internationally and to share best practices. Given the close relationship that exists among the Five Eyes intelligence agencies, information sharing has been a topic of discussion at FIORC. These discussions are one way for NSIRA to address the potential gap in accountability that exists with respect to international cooperation.

130. In sum, cooperation and information sharing among members of Canada’s security and intelligence community have always been essential features of Canada’s national security efforts. In practice, this means that there will be very little of NSIRA’s review work that will not include attention to information sharing in some form or another. NSIRA will be attentive to the risks of sharing, as well as the need for effective and timely sharing.

Section V— Action

131. “Actions” refer to any activities undertaken by a federal government department or agency to influence an outcome relating to national security or intelligence. Actions can also come as a result of intelligence collection and/or intelligence sharing. Intelligence is one aspect of the information and analysis that shape how actions are construed and implemented. The action itself, and the influence of intelligence, can be visible (overt) or invisible (covert) to Canadians. A visible action would eventually be known to the recipient, while the occurrence of an invisible action might never be known.

132. The former review bodies, SIRC and OCSEC, could conduct only agency-specific reviews of the key “collectors”: CSIS and CSE. Their reviews of national security activities tended to focus on collection, safeguarding and information sharing. This briefly changed when Parliament enacted the Anti-terrorism Act, 2015, and SIRC began to undertake reviews of CSIS’s new mandate to reduce threats to the security of Canada. SIRC provided the only after-the-fact review of these extraordinary new powers. However, SIRC’s reviews remained confined to CSIS’s actions — a narrow subset of the broad array of national security-related actions taken every day across Canada’s security and intelligence community.

133. NSIRA’s mandate goes beyond intelligence and its collectors, extending to any national security-related activity of any department or agency. Our statutory authorities equip us with the power to review the full range of “action” activities. Such activities have rarely been subject to any form of independent review, and NSIRA is able to ensure that they now are.

134. The National Security Act, 2017, established clear mandates for the main intelligence collectors subject to review, CSIS and CSE, to act in certain circumstances against perceived national security threats. For CSIS, this new legislation updated its threat reduction mandate. For CSE, the Act established active cyber operations (ACO) and defensive cyber operations (DCO) as aspects of its mandate. These new authorities merely supplement the many existing authorities that enable over a dozen other federal security and intelligence departments and agencies to take actions relating to national security, making the “action” cluster of activities vast. For instance, actions within the security and intelligence community include the interception of people and goods at the border by the CBSA and criminal arrest (including, potentially, preventive detention) by the RCMP.

135. The range of actions within NSIRA’s mandate to review “any activity carried out by a department that relates to national security or intelligence” is broad, and includes such actions as denying a person entry into Canada, revoking a Canadian’s passport, placing a person on the Secure Air Travel Act list (Canada’s “No Fly List”), disrupting a person’s affairs through a threat reduction measure, detaining an alleged terrorist or carrying out military actions in an armed conflict. Sometimes, a high-level strategic decision can also be an action activity, such as a policy choice on a national priority like securing the Arctic.

136. NSIRA’s reviews in this area overlap with other priority subject areas. We can review national security action activities that stem from intelligence collection, national security actions unrelated to intelligence collection, and national security actions that lead to intelligence collection. As an example of this last category, a CAF tactical raid during an overseas mission could yield new sources of intelligence that might then seed an NSIRA review in that area.

137. Due to the largely secretive nature of national security and intelligence actions, the effects and impacts are often unseen by the larger public. NSIRA is acutely conscious of concerns expressed during our outreach to civil society with how actions of the security and intelligence agencies might affect the lives of Canadians. This amplifies earlier concerns, primarily centred on privacy issues stemming from information collection and sharing. As a result, one of our key tenets is, to the extent possible, to bring transparency and accountability to our reviews of the actions of the security and intelligence community.

Past review observations

138. As mentioned, before the National Security Act, 2017, reviews did not typically extend to the realm of action activities. For this reason, NSIRA has only a modest archive of domestic review materials from which to extrapolate themes in action reviews. NSIRA’s current focus is to build on foundational reviews to derive key themes. This report discusses NSIRA’s approach to future review in the next section. Nevertheless, some themes have emerged from past reviews of CSIS’s threat reduction measures (TRMs) — which were the only action activities reviewed in the past.

139. From the introduction of its TRM mandate in 2015 to August 2020, CSIS has not sought a warrant from the Federal Court for TRM activities. When introduced, TRM powers raised legal questions and potential issues related to the Charter. The National Security Act, 2017, addressed many of these ambiguities, and enacted new provisions that strengthened Charter protections. NSIRA will closely monitor CSIS’s use of TRMs and review its assessments of when warrants are required for TRMs. NSIRA will also be attentive to how CSIS executes any TRM conducted under the authority of a warrant — and pay close attention to the extent of CSIS’s compliance with all court directions and conditions.

CSE

140. Other themes arising in our review of action activities stem from the widespread commentary within civil society relating to CSE’s new powers to conduct ACOs and DCOs. Prior to the National Security Act, 2017, CSE’s mandates limited the organization (primarily) to observation and collection. Now, under its ACO/DCO mandates, CSE can direct actions through the global information infrastructure at the activities of foreign individuals or foreign entities outside Canada. CSE can conduct ACO activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities or activities of entities as they relate to international affairs, defence or security. CSE can conduct DCO activities on or through the global information infrastructure to help protect the electronic information and information infrastructures of federal institutions or those designated as being important to the Government of Canada. These powers have equivalents among those available to Five Eyes partners. They also empower CSE to play a significant, but unprecedented, role in national security action activities.

141. Civil liberties groups have identified ACO/DCO activities as a principal concern with the National Security Act, 2017, and point specifically to the absence of independent oversight (that is, pre-authorization) of these activities. Under the current statutory regime, in order for CSE to lawfully conduct ACO/DCO, the Minister of National Defence must authorize all such activities. This authorization requires the Minister to conclude that there are reasonable grounds to believe that the activity is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities. Additionally, the Minister of Foreign Affairs must approve ACO activities and must be consulted on DCO activities.

142. Ministerial authorizations for ACO/DCO activities do not require the approval of the Intelligence Commissioner, which is not the case for foreign intelligence and cybersecurity activities. There is, therefore, no scrutiny by an arm’s-length, independent body of ACO/DCO authorizations prior to their approval. This is why NSIRA considers our reviews of ACO/DCO actions to be particularly important. Unlike in the case of CSIS TRMs, CSE has no statutory obligation to notify NSIRA when it undertakes ACO/DCO activities. NSIRA intends, however, to focus proactively on these activities.

143. Although legislation limits powers such as TRMs and ACO/DCO, these activities occur in secret. This is in contrast with other types of national security actions, such as arrests made by police, which are overt and can be challenged in open court. NSIRA considers the opacity of certain types of actions to warrant future reviews. The more secret the national security action, the more essential it is for NSIRA to conduct rigorous review.

Law enforcement

144. Prior to the enactment of the National Security Act, 2017, the RCMP’s national security-related activities were reviewed by the Civilian Review and Complaints Commission for the RCMP. Those national security-related actions are now reviewed by NSIRA. The enactment of new offences — especially terrorism offences — and a focus on terrorism have drawn police into a greater national security role. Police investigate crime, and have a role in preventing its occurrence. In doing so, police might investigate, among other things, terrorism offences, while at the same time being involved in community-based programs directed at countering radicalization to violence. They can also engage in crime prevention or risk mitigation actions that do not lead to full prosecutions. The traditional tool for holding police accountable is the criminal justice system. For example, police conduct will be scrutinized during a criminal trial. However, accountability mechanisms are less robust where police pursue national security threat disruption strategies that are not challenged in the courts. Therefore, we believe that NSIRA’s review functions will become particularly important in these circumstances.

145. The CBSA’s scrutiny of people and goods crossing the border can be triggered by intelligence shared from domestic and foreign partners or derived from its own collection and assessment efforts. CBSA actions include searches at the border and the seizure or interdiction of goods, currency and people. These searches and the CBSA’s determination that a non-Canadian might be inadmissible can have implications for people’s liberty, privacy, freedom of movement and commercial interests. NSIRA’s task is to review the CBSA’s national security and intelligence activities in an effort, among other things, to ensure that it fully complies with its legal requirements. This is especially true as, at present, no independent body currently can hear public complaints against the CBSA.

Future priorities

146. In our reviews of action activities, NSIRA makes findings and recommendations on an organization’s compliance with the law and any applicable ministerial direction and the reasonableness and necessity of its exercise of its powers. NSIRA is in a unique position to assess the Government of Canada’s visible or invisible actions and to provide assurance to Canadians that their national security and intelligence agencies are accountable in order to protect Canada’s national security interests and defend the rights and freedoms of Canadians and people residing in Canada.

147. NSIRA’s strategic plan focuses on reviewing three types of action activities: operational actions, law enforcement actions and administrative actions, defined below. In each of the following categories, NSIRA has identified certain action activities of interest that we will scrutinize in future reviews. The items listed are not necessarily part of NSIRA’s review plan but serve to highlight the breadth of situations that fall within reviews of the “action” activities undertaken by the security and intelligence community.

  • Operational: covert action activities in direct support of a national security objective. Operational actions of interest to NSIRA include: CSE’s use of ACO/DCO, to be reviewed annually; CSIS TRMs, to be reviewed annually; and CAF’s operations in theatre and on the battlefield.
  • Law enforcement: covert or overt action activities to enforce laws, investigate crimes and make arrests. Law enforcement action activities on which NSIRA might concentrate, while being sensitive to the administration of justice and the concept of police independence in investigative decisions, include the CBSA’s targeting that leads to the identification and/or interception of high-risk people, goods and conveyances that pose a threat to the security of Canadians, and RCMP investigations that could lead to detention, arrest or prosecution.
  • Administrative: visible action activities taken in the act or process of administering a statutory power entrusted by Parliament to the federal government. Administrative action activities on which NSIRA might focus include: GAC’s implementation of foreign policy and trade sanctions; the Investment Canada Act reviews of investments that could be injurious to national security; the decision to add a person to the Secure Air Travel Act list under the Passenger Protect Program; and national security-related admissibility issues.

148. As NSIRA’s capacity to conduct reviews expands, we will compile a complete picture of the actions that national security and intelligence agencies take in exercising their mandates, and assess these actions for legal compliance, reasonableness and necessity.

Part 3: Complaints

Section I— NSIRA’s complaints investigation mandate

Under the NSIRA Act, one of NSIRA’s core functions is to investigate complaints in the following instances:

  • complaints with respect to an activity carried out by the Canadian Security Intelligence Service (CSIS) or the Communications Security Establishment (CSE);
  • complaints referred by the Civilian Review and Complaints Commission for the RCMP (CRCC) with respect to an activity by the Royal Canadian Mounted Police (RCMP) that is closely related to national security; and
  • complaints regarding the denial or revocation of security clearances to federal government employees and contractors.

150. Through the National Security Act, 2017, NSIRA inherited the complaints functions of the Security Intelligence Review Committee (SIRC) and the Office of the CSE Commissioner, which investigated complaints related to CSIS and CSE, respectively. In addition, NSIRA absorbed responsibility for investigating national security-related complaints against the RCMP. NSIRA also inherited SIRC’s complaints investigation infrastructure, but it was evident early in our mandate that the SIRC model needed to be enhanced to provide more timely and efficient investigations. NSIRA has therefore begun to rework the Rules of Procedure and enhance the overall process. NSIRA has also worked collaboratively with the RCMP and the CRCC to effectively manage national security-related complaints against the RCMP.

Section II— Synopsis of trends and key themes

151. NSIRA has experienced an increase in the volume of complaints we receive, specifically complaints against CSIS, as well as complaints relating to security clearances. In comparison to the complaints statistics in the SIRC annual report for 2017–18 and statistics for 2018–19, NSIRA has seen an increase of 40% for newly opened complaint files. In particular, complaints against CSIS have doubled and security clearance complaints have increased by 30%. NSIRA did not investigate most of the recent complaints against CSIS because we concluded that they were not in NSIRA’s jurisdiction — they did not concern an activity carried out by CSIS, or NSIRA was satisfied that the complaints were trivial, frivolous or made in bad faith.

152. The majority of the complaints received relating to the alleged denial or revocation of a security clearance did not fall within NSIRA’s mandate. Rather, it turned out they were related to a complainant’s reliability status or enhanced reliability status. NSIRA may only investigate complaints relating to security clearances, not reliability status matters. Complaints relating to reliability status generally must be challenged on judicial review in the Federal Court. As a result, NSIRA investigated very few security clearance complaints. A lesson drawn from the past year is that departments and agencies should ensure that they provide clear and accurate information regarding an individual’s rights of review and redress, and correctly identify both the nature of the security status at issue and the body to whom the person may complain as a result of being denied that status. By the same token, NSIRA is taking steps to increase the public’s awareness of our mandate, while also ensuring that complainants are informed of their redress mechanisms early on so that their rights to seek a remedy are preserved.

153. With respect to security clearance complaints investigated both by NSIRA and SIRC, some of the key issues revolved around out-of-country background checks and cases in which there was insufficient information to grant an individual a security clearance. One of the lessons derived from these types of complaints is that departments must ensure that individuals receive a written notice informing them of the reasons for the decision, if that is possible in the circumstances (i.e., such disclosure is not prohibited under federal legislation). Going forward, NSIRA will continue to encourage the parties to make efforts to informally resolve complaints at the earliest opportunity.

Section III— Whistleblower protection

154. The Public Servants Disclosure Protection Act (PSDPA) is whistleblowing legislation that offers federal public sector employees an external mechanism to report ethical breaches and to complain about reprisals that they believe they have suffered. The PSDPA, however, specifically excludes members of CSIS, CSE and the Canadian Armed Forces (CAF), as well as all people who wish to make a disclosure pertaining to special operational information. CSIS, CSE and the CAF have implemented internal mechanisms for disclosure of wrongdoing, pursuant to their requirements under the PSDPA. However, the current structure offers no external reporting mechanisms for disclosures that pertain to special operational information and/or for employees from CSIS, CSE or the CAF.

155. As discussed above, a “public interest defence” is available, in certain circumstances, to Canadian whistleblowers who are permanently bound to secrecy and who have been charged with certain offences under the Security of Information Act (SOIA). This defence is available only if the accused has followed the steps outlined in the SOIA before making the disclosure to the public. The SOIA identifies NSIRA as a forum in which, under certain conditions, this kind of disclosure of wrongdoing can be made. However, the SOIA does not describe how this process is meant to function procedurally nor does it articulate the role, if any, that NSIRA should play in accepting disclosures of wrongdoing from CSIS, CSE or CAF employees.

156. In previous correspondence to the Attorney General, NSIRA identified these legislative gaps and the negative implications for national security that can occur when democratic countries have deficient protocols for whistleblowing within their national security and intelligence communities. In the interim, NSIRA will be implementing internal procedures to address concerns brought forward by members of the security and intelligence community. If the concern brought to NSIRA is not within the scope of the public interest defence under section 15 of the SOIA, NSIRA can examine the matter if it relates to NSIRA’s review mandate, pursuant to subsection 8(1) of the NSIRA Act.

157. Canada’s threat environment and national security landscape require effective and robust protections for Canada’s national secrets and for the public servants who keep these secrets. Potential legislative amendments to enhance current whistleblowing protections for members of the security and intelligence community could include amendments to the SOIA, to the PSDPA or to the NSIRA Act. A key component of any legislative amendment would be external accountability and protections akin to those of the Office of the Integrity Commissioner under the PSDPA.

Section IV— Priorities for the year ahead

158. In 2020, NSIRA is modernizing the complaints process. NSIRA’s goal remains the just, efficient investigation and resolution of complaints. Modernization is needed to adapt to the changing complaints landscape. Two priorities will guide the modernization: access to justice for self-represented complainants and a broader spectrum of tools to streamline the resolution of complaints.

159. To this end, NSIRA is updating our website and revising our forms to provide clearer directions for potential complainants. We intend to place greater emphasis on explaining NSIRA’s jurisdiction, and how to file complaints, which should assist in a complaint starting in a timely fashion and in the correct forum. Further, the website will contain a guide for self-represented complainants, so they can better navigate each step of the process and have their complaint resolved in an appropriate way.

160. One size never fits all. Each complaint that NSIRA receives calls for a unique approach. As noted, we are currently updating our Rules of Procedure. The new rules will allow for greater flexibility, efficiency and transparency. Some of the changes under consideration are the following: a discussion of expectations with a complainant at the outset; a new process for quickly deciding jurisdiction; an interview with the complainant; more options for informal resolution; quick and standardized disclosure of information between the parties; and, a requirement for declassified file summaries and chronologies. NSIRA believes these changes will allow complaints investigations to proceed more quickly and in a more efficient manner.

Part 4: Engagement and transparency

As expressed in the National Security Act, 2017 preamble, “enhanced accountability and transparency are vital to ensuring public trust and confidence in Government of Canada institutions that carry out national security or intelligence activities.” Along with public engagement, these are core values for NSIRA and we consider each to be vital to ensuring that we fulfil our mandate. The benefits of public engagement have been underscored in recent years, including through the national security consultations undertaken by the government in 2016. Engagement with stakeholders during our first year of operation helped establish connections and relationships that we will build on in the years ahead. As outlined in this section, NSIRA has taken strong steps in our first year of operation to promote increased transparency of national security and intelligence activities. In addition to our own initiatives, NSIRA will continue to encourage departments and agencies to promote transparency of their activities, including in fulfilment of the National Security Transparency Commitment.

Section I— Engagement

162. In 2019, NSIRA launched a series of public engagements to increase awareness about the organization, to expand our network, and to deepen our understanding of Canadians’ concerns with respect to national security and intelligence activities. In 2019 and into 2020, we undertook engagement sessions throughout the country with various stakeholders, including academics, civil society, law enforcement and government organizations.

163. These sessions provided a valuable opportunity for NSIRA to hear from stakeholders about programs and issues that they recommended for NSIRA review, as well as the privacy and civil liberties risks they felt these programs presented. The uniformly positive feedback that NSIRA received from stakeholders demonstrated the value of these engagements.

164. Internationally, NSIRA continues to be actively involved with the Five Eyes Intelligence Oversight and Review Council, which allows NSIRA to: advance our knowledge of cross-cutting international themes in the area of national security and intelligence accountability; share priorities and compare best practices; collaborate on key issues of mutual interest; and promote coordinated review of issues of international importance.

165. Over the coming year NSIRA intends to continue our program of outreach and engagement. We will take advantage of opportunities to connect with stakeholders nationally and internationally via videoconference and, where possible, in person. In the year ahead, engagement will focus on four key areas:

  • expanding our network with respect to issues related to new and emerging technologies (including artificial intelligence), to better understand their use as well as the risks and opportunities they present from a national security accountability perspective;
  • broadening our dialogue with stakeholders to inform future review priorities;
  • building new relationships with community groups to demystify the complaints investigation process; and
  • scaling up recruitment efforts to ensure we continue to build an elite workforce with a diverse set of skills and backgrounds.

Section II— Transparency

166. NSIRA has taken a number of steps to increase openness and transparency related to our work and the work of the national security and intelligence community. We established a Twitter account early in our mandate, which we are using to share content, provide updates on our work and provide a platform for dialogue on security-related issues.

Redaction and writing for release

167. Over recent months, NSIRA has begun publishing reports from our predecessor organization, the Security Intelligence Review Committee (SIRC), that had been redacted for release to individuals who had applied to see the reports through the Access to Information Act. Under the Access to Information Act, the reports only had to be made available to the applicant. To support transparency, NSIRA plans to gradually publish online redacted versions of all SIRC reviews, from 1985 to 2019, which involves more than 270 reports.

168. To complement this initiative, NSIRA also wishes to proactively redact and release future NSIRA reports as they are approved and translated throughout the year, rather than waiting for the release of our annual report to publicize our findings and recommendations. This aims to enhance the timeliness and relevance of NSIRA’s work to public discourse on national security and intelligence issues. It also means that we can devote more time and space in future annual reports to discussing and analyzing horizontal or thematic trends, rather than individual (or vertical) reviews or issues.

169. NSIRA is working with departments and agencies to ensure that this new approach takes place in such a way that vital national security and intelligence information is protected, while at the same time providing the public with as much insight as possible into the results of our reviews. On a case-by-case basis, relevant ministers will be offered an opportunity to raise concerns with respect to the release of specific reports.

170. To facilitate redaction efforts and release reports in an efficient and timely manner, NSIRA has committed to making efforts to “write for release.” This method includes writing as much as possible at an unclassified level, including unclassified executive summaries; clearly identifying within a report what portions contain classified information; and leaving classified information out of the body of the report where possible and, instead, including it in footnotes or annexes.

Conclusion

171. We are very proud of NSIRA’s achievements during our first five months of operation. We have an ambitious agenda for the year ahead, despite the constraints imposed by the pandemic. We have set in motion a review plan that covers multiple issues over the coming year and will involve numerous departments and agencies. We are in the midst of significantly overhauling our complaints investigation process, with the aim of making it more accessible for all. We will also expand our corporate infrastructure to facilitate our growth over the years ahead, including through the acquisition of additional office space and the hiring of talented new staff.

172. We look forward to deepening our relations with other review and oversight bodies in Canada and internationally, as well as with diverse stakeholder groups to ensure that our work is as effective and as meaningful as possible. On that note, we hope that this report is useful. We encourage all readers to tell us their thoughts on the format, the content, and any aspects that we can improve in the next iteration.

173. We are very grateful to our staff for continuing to achieve strong results despite the challenges that the ongoing pandemic has presented. We look forward to tackling the many challenges and opportunities that await us in the year ahead.

Share this page
Date Modified: