Language selection

Government of Canada / Gouvernement du Canada

Search


Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information: Report

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information


Report

Date of Publishing:

Executive Summary

Subsequent to the collection of foreign signals intelligence by the Communications Security Establishment (CSE), any incidentally collected Canadian identifying information (CII) is suppressed in CSE’s intelligence reporting to protect the privacy of Canadians and persons in Canada. However, the Government of Canada (GC) and foreign clients of such reports can request the details of this information if they have lawful authority and operational justification.

The National Security and Intelligence Review Agency (NSIRA) conducted a review of CSE’s disclosures of CII to GC clients. In reviewing disclosures containing 2,351 Canadian identifiers over a five year period, NSIRA found that 28% of requests from all clients were not sufficiently justified to warrant the release of CII. . Nevertheless, during the period under review, CSE approved 99% of these requests for CII from its domestic clients. Given this and other findings related to CSE’s internal practices, NSIRA found that CSE’s implementation of its CII disclosure regime may not be in compliance with the Privacy Act.

Moreover, NSIRA found that CSE has released CII to GC clients from its technical and operational assistance to the Canadian Security Intelligence Service (CSIS) in relation to section 16 of the CSIS Act, in a manner that was likely not communicated to the Federal Court by CSIS.

This report is a summary of the more detailed, classified report provided to the Minister of National Defence on November 25, 2020.

Introduction

The Communications Security Establishment (CSE) may incidentally acquire information about Canadians or persons in Canada in its collection of foreign signals intelligence (SIGINT). Canadian identifying information (CII) refers to any information that can identify an individual, ranging from names to email addresses and IP addresses. CII is suppressed in intelligence reports to protect the privacy of Canadians and persons in Canada. Government of Canada (GC) and foreign clients may subsequently request the details of this information if they have lawful authority and operational justification to collect it. This information sharing regime has been in place since the 2001 enactment of CSE’s powers under the National Defence Act, and has been previously reviewed by the Office of the CSE Commissioner (OCSEC)

Following a review of CSE’s disclosures of CII, the National Security and Intelligence Review Agency (NSIRA) concluded that CSE’s implementation of its disclosure regime may not be in compliance with the Privacy Act. Therefore, pursuant to subsection 35(1) of the NSIRA Act, NSIRA submitted a compliance report to the Minister of National Defence on November 25, 2020.

CSE’s disclosure regime, in place for nearly two decades, is one of the most important national security information sharing structures in the federal government, surpassing the volume of disclosures processed through the information sharing mechanism under the Security of Canada Information Disclosure Act (SCIDA). Unlike CSE’s disclosure regime, information sharing processes under SCIDA have recently undergone comprehensive scrutiny and debate both in Parliament and by the public as part of the deliberation of Bill C-59.

CSE’s work results in special responsibilities to protect the privacy of Canadians. In this context, NSIRA assessed CSE’s operational structures, policies, and processes to determine the rigour of the CII disclosure regime. NSIRA found serious problems with several aspects of the governance and implementation of CSE’s CII disclosure regime. NSIRA also found that CSE discloses information collected pursuant to the authority of Federal Court issued warrants as part of its assistance to the Canadian Security Intelligence Service (CSIS). NSIRA believes that although the Federal Court is aware of CSIS’ disclosure of CII, the Court may not have been fully informed about the parallel disclosure process taking place at CSE. In January 2021, CSIS provided the Federal Court with a copy of NSIRA’s full, classified review, excluding information protected by solicitor-client privilege.

Methodology

As part of its review, NSIRA examined a selected sample of CII disclosures and their associated intelligence reports – initially from July 1, 2018 to July 31, 2019, though the review period was later expanded to cover July 1, 2015 to July 31, 2019 for certain types of disclosures. Over that period, CSE received requests for 3,708 Canadian identifiers. NSIRA received information about the outcome of all of these requests. Additionally, NSIRA was able to closely review requests pertaining to 2,351 identifiers.

In all, NSIRA examined electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime. CSE also responded to NSIRA’s questions throughout the review.

While this began as a review of solely CSE, it became evident that NSIRA also needed to engage with CSE’s Government of Canada clients of CII. In the spirit of its legislation, NSIRA “followed the thread” by engaging with a range of federal departments, from recurring clients of CII, such as CSIS and the Royal Canadian Mounted Police (RCMP), to less frequent clients, such as Innovation Science and Economic Development Canada (ISED). Through this engagement, NSIRA was able to understand the lifecycle of CII disclosures, from their origin within intelligence reporting to their eventual use by Government of Canada clients.

NSIRA also assessed CSE’s disclosures of CII arising from its assistance to CSIS in relation to section 16 of the CSIS Act. When CSE assists CSIS in that context, it is bound by the applicable Federal Court warrants’ conditions. While CSIS’ disclosures were not the subject of this review, they helped contextualize the adherence of CSE’s section 16 CII disclosures with the conditions and principles on which the Court issued the relevant warrants.

NSIRA also reviewed CSIS affidavits to the Federal Court in relation to Canadian information acquired through section 16 warrants, which served as the basis for a recent decision issued on this program by the Court (reported as 2020 FC 697). Given this window into the parallel practices and policy requirements of CSIS, NSIRA had the opportunity to contextualize CSE’s disclosures of CII arising from section 16 collection in a way that was unprecedented for an external review body.

Based on the records provided by CSE, CSIS, and other federal government entities, NSIRA made several findings and recommendations to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

For CSE to disclose Canadians’ personal information without their consent, both CSE and the CII recipient must comply with relevant legislation, which, for the period under review, consisted of the Privacy Act and the National Defence Act:

In assessing CSE’s disclosures, NSIRA applied a two-pronged test in line with the Privacy Act requirements: the institution holding the personal information must have a disclosure authority to disclose it to another institution, and the recipient institution must have a collection authority. These thresholds derive from existing Privacy Act jurisprudence. In other words:

  • CSE’s CII clients are required to meet the section 4 collection requirement of the Privacy Act by establishing a direct and immediate relationship (with no intermediary) between the information to be collected through a CII request and their operating programs or activities.
  • On CSE’s side, its disclosures of CII had to comply with section 8 of the Privacy Act, and the National Defence Act, which was the governing statute for CSE during the review period.
  • Because the disclosure authority within the National Defence Act required CSE to protect the privacy of Canadians, NSIRA assessed whether CSE evaluated each disclosure request rigorously on its own merits, including the operational justification provided by clients, to determine whether the requests were reasonable and whether the disclosure was appropriate under the Privacy Act regime.

CSE’s internal practices

NSIRA assessed CSE’s privacy protection measures for compliance with its legal responsibilities and Ministerial Direction. NSIRA assessed whether CSE’s CII disclosures are subject to a thorough, well-documented evaluation and approval process that demonstrates each disclosure’s compliance with legal and operational requirements. Specifically, NSIRA assessed whether CSE’s clients demonstrated their legal authority to collect CII, and did so in compliance with section 4 of the Privacy Act by showing a direct and immediate relationship between their mandated activities and the requested CII.

During the period under review, CSE received requests for 3,708 identifiers from 15 domestic departments, releasing 3,671 – which represents a release rate of 99%. This release rate was also reflected in the eventual sample of disclosures selected for detailed review by NSIRA. NSIRA expected to find disclosure requests of a consistently high quality commensurate with their near-absolute approval by CSE. Nevertheless, the findings below represent several areas in which NSIRA observed shortcomings.

Employee training and documentation requirements

CSE employees generally decide whether to release CII. NSIRA did not find evidence of written guidance or training to guide employees’ assessment of the substance of disclosure requests; instead, the training materials and procedures that employees receive primarily focus on the logistical processes to release CII.

In their assessment of CII requests, CSE personnel can take a range of actions, including conducting further research into a requesting department and its mandate or communicating with the requester to obtain clarity. NSIRA found that these actions are generally not documented for requests from domestic clients, and the approved disclosures only contain the requested CII without the reasons for approving the request. NSIRA was unable to confirm that CSE personnel were taking steps to communicate with a requestor to clarify incomplete or unclear disclosure requests.

While this is not a requirement in CSE’s policies for domestic requests, NSIRA observed detailed rationales provided by personnel responsible for approving and denying CII requests originating from foreign clients for CII. NSIRA believes CSE should require employees to document their assessment of requests from domestic clients, including the rationale for their approval.

In sum, NSIRA found that CSE’s employees do not receive sufficient written training and guidance on assessing the substance of disclosure requests and are not required to document mandatory actions and assessments they make when releasing CII. NSIRA recommended that CSE require, through procedures and policy, that employees document their decision-making and rationales and train them to assess the substance of disclosure requests in light of applicable legal obligations.

Management oversight

Certain types of disclosures are elevated for review and approval at a higher level within the organization. This is another process that lacked the appropriate documentation. Based on data compiled by NSIRA, all requests for CII reviewed at this level were approved, with no documentation of the rationale behind the decision to approve the remainder.

An internal monthly compliance check is conducted to confirm that releases of CII follow sufficient justification, that only the requested CII is released, and to determine whether any procedural errors have occurred. The compliance checks reviewed by NSIRA did not contain any analysis of the disclosure requests. While CSE explained that employees are informally coached if disclosures do not meet requirements, this is not documented within the compliance checks, which provide only statistical summaries of CII disclosures.

NSIRA found that personnel responsible for approving certain CII disclosures and conducting periodic compliance checks did not document their decision-making and assessment of requests. NSIRA recommended that similar to employees at the working level, CSE management must document their decision-making and rationales.

CSE’s assessment of CII disclosure requests

CSE’s CII disclosure request form requires that the requestor state an applicable legal authority for collecting the information. NSIRA observed requests where this information was not provided. In this context, NSIRA expected that CSE would follow up with requestors or assure itself through its own assessment that the requestor had the appropriate legal authority for collecting CII. NSIRA found no evidence that this process was taking place.

NSIRA used its ability to follow the thread of a disclosure and engaged some of CSE clients for CII regarding their legal authority to collect Canadians’ personal information. Where these departments had not indicated a legal authority to receive CII, NSIRA inquired directly with them about their legal authorities, receiving detailed legal assessments prepared in response to NSIRA’s questions. NSIRA found no documented evidence that CSE had similarly assured itself of the clients’ legal authorities at the time of disclosure.

As the custodian of incidentally collected CII, CSE has the responsibility to assure itself and document that both a collection and disclosure authority exist before sharing it with third party clients.

Next to a legal authority, the second key component of a disclosure request is the recipient’s operational justification for collecting the CII. A demonstrable operational nexus is required to justify a requester’s collection of CII in line with the Privacy Act regime.

NSIRA found that CSIS, the RCMP, and the Canada Border Services Agency (CBSA) generally demonstrated a clear link between the intelligence reporting and associated CII to their mandated activities, with some exceptions. This was a result of the strong operational justifications provided proactively by these clients, and does not reflect a more rigorous process on CSE’s end. Disclosures to these departments comprised approximately half of NSIRA’s sample.

CSE has accepted operational justifications provided by these and other clients that NSIRA found to be inadequate. In these cases, the clients’ justifications pertained to CII that was not demonstrably related to their mandate or operations.

From the sample of all disclosures reviewed by NSIRA, we found 69% to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied. Nevertheless, within this sample, CSE had approved these disclosure requests at a 99% rate.

CSE also released additional personal information to clients beyond that which was requested and explained this to be a standard practice. For example, NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity. NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested.

In sum, NSIRA found that CSE has not sufficiently assessed the legal authorities invoked by its clients and recommended that CSE and these clients obtain legal advice from the Department of Justice to determine the extent of their legal authority to collect CII. NSIRA further found that CSE’s implementation of its CII disclosure regime may not have been in compliance with the Privacy Act framework and recommended that CSE cease disclosing CII to clients other than CSIS, RCMP, and CBSA until it addresses the findings and recommendations contained in NSIRA’s review.

CSE’s governance of the disclosure regime

Many of the systemic issues presented in NSIRA’s review arise from CSE’s CII disclosure regime governance. CSE develops its internal policies, procedures, and legal assessments to which its disclosure clients are generally not privy. CSE’s existing arrangements with its clients govern operational issues such as security standards, information handling and system access. However, at an institutional level, NSIRA has not found a consistent understanding among CSE’s CII disclosure clients of the legal requirements underlying this practice.

A more transparent governance structure would allow all parties to understand and formally acknowledge at an institutional level the legal and operational requirements behind disclosing and collecting CII. It is not sufficient for CSE to manage the regime with its clients not privy to the policies, procedures, and legal requirements that underlie it.

NSIRA found that CSE’s governance of the CII disclosure regime does not foster an environment where its clients can take equal responsibility for CII disclosures. NSIRA recommended that CSE work with the Department of Justice and the Treasury Board of Canada Secretariat to establish Information Sharing Agreements with its regular domestic clients.

CSE’s disclosure of CII collected through its assistance to CSIS

Throughout the review, NSIRA encountered reporting and associated disclosures that pertained to activities of foreign persons within Canada. As CSE is prohibited from directing its activities at such persons, NSIRA submitted a series of questions and received briefings on the subject. NSIRA learned that CSE discloses CII collected as part of its assistance to CSIS in relation to section 16 of the CSIS Act.

Under section 16 of the CSIS Act, CSIS may assist the Minister of Foreign Affairs or the Minister of National Defence by collecting foreign intelligence within Canada in relation to Canada’s defence or international affairs. In turn, CSIS can apply to the Federal Court for a warrant, under section 21 of the CSIS Act, to obtain judicial authorization for intrusive collection powers in support of the section 16 investigation. Subsequently, CSIS may request CSE assistance if it does not have the tools or capacity to carry out this collection. CSE’s assistance takes the form of developing tools and techniques, intercepting target communications, decryption, report writing, and translation.

In its assistance to CSIS, CSE must respect the legal authorities and limitations imposed on CSIS by law and Federal Court warrants. In its documented requests for CSE assistance, CSIS does not explicitly request that CSE disclose the CII collected under warrant. Such disclosures are also absent from internal CSE plans that set out CSE’s support parameters. At the same time, both agencies insist that CSE can disclose such CII using its regular disclosure policies and procedures.

The practice of handling CII incidentally collected pursuant to section 16-related warrants has been the subject of ongoing treatment by the Federal Court. CSIS has described its own practices to the Court, including detailed summaries of how section 16 information is collected, its processing for intelligence reporting, and the rigorous disclosure regime associated with this reporting. CSIS also noted, in less detail and with omissions, some aspects of CSE’s parallel disclosure of CII collected through its assistance to CSIS under these warrants.

Overall, the stringent practices described by CSIS to the Court do not present a complete picture. For instance, CSIS’s limited distribution of section 16 intelligence reports and associated CII is not mirrored in CSE’s wider release of this information. Additionally, the senior approval levels that CSIS has in place for disclosing information about Canadian officials are also not reflected in CSE’s practices. In fact, CSE does not have a policy on how to treat Canadian officials’ information through its assistance mandate, and generally releases it at the working level. Further, CSE personnel are not generally aware that the information they are releasing originates from section 16 collection, and its associated Federal Court warrants and conditions. Moreover, CSIS has communicated to the Court that its own disclosure practice includes an assessment of a disclosure request by the operational branch responsible for the warrant, while CSE discloses such CII independent of CSIS operational branches.

In recent testimony before Parliament, CSE was asked how it operationalizes its assistance mandate. In its response, CSE stated that information collected under assistance is segregated, returned to CSIS, and belongs to CSIS, emphasizing that CSE effectively acts as an agent of CSIS in supporting section 16 activities. NSIRA is of the view that this is not a complete representation of the lifecycle of information collected by CSE in its assistance. By approving CSE’s section 16 intelligence reports, CSIS effectively releases ownership of this information to CSE, which was not conveyed to the Federal Court by CSIS in its affidavits detailing the reporting and use of section 16 information.

CSE’s treatment and dissemination of this information differs from the stringent standards communicated to the Court by CSIS, particularly when it pertains to Canadian public officials and other sensitive groups. NSIRA believes that fully describing the CII disclosure process during warrant applications is necessary to support the process of imposing any terms and conditions advisable in the public interest, as contemplated by paragraph 21(4)(f) of the CSIS Act.

Given the findings of the review, NSIRA recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII incidentally collected under the authority of federal court warrants related to section 16 investigations.

Conclusion

NSIRA’s findings and observations over the course of this review indicate that CSE’s implementation of its disclosure regime may not be in compliance with its obligations under the Privacy Act. Throughout this review, CSE has defended practices that NSIRA believes do not reflect a commitment to rigorous implementation of the Privacy Act. Finally, CSE has released CII as part of its assistance to CSIS in a manner that contradicts the procedures communicated to the Federal Court.

Accordingly, NSIRA made a number of recommendations as outlined above, to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information: CSE Responses

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information


CSE Responses

CSE Management Response to NSIRA Review of 2018-2019 Disclosures of Canadian Identifying Information

NSIRA delivered its classified review to the Minister of National Defence in November 2020.

Throughout NSIRA’s review of CSE’s disclosure process, CSE responded to NSIRA requests in a timely manner and offered to provide additional context and briefings to NSIRA regarding CSE processes.

Importance of independent external review

CSE values independent, external review of our activities, and we remain committed to a positive and ongoing dialogue with NSIRA and other review and oversight bodies.

This oversight frameworks allows us to deliver our important mission of foreign intelligence, cyber security and foreign cyber operations in a way that demonstrates accountability, and that builds trust and confidence with Canadians.

CSE operates within a culture of compliance, grounded in our understanding of and commitment to our legal and policy regime, and evidenced by our record of self-reporting and addressing incidents and errors that may occur.

We appreciate NSIRA and their continued work to provide Canadians with greater insight and understanding of the important work that CSE does on a regular basis to keep Canadians safe.

We accept the recommendations aimed at improving our processes, yet are concerned that the overall conclusions do not fully appreciate CSE’s commitment to, and work on protection of privacy.

Canadian Identifying Information and CSE’s Commitment to Privacy

CSE is Canada’s national lead for foreign signals intelligence and cyber operations, and the national technical authority for cybersecurity. We provide critical foreign intelligence and cyber defence services for the Government of Canada (GC). Protecting Canadian information and the privacy of Canadians is an essential part of our mission.

CSE does not direct its foreign signals intelligence activities at Canadians or anyone in Canada. The CSE Act, however, recognizes that incidental collection of Canadian communications or Canadian information may occur even when targeting only foreign entities outside Canada. CSE takes very seriously our responsibility to protect Canadian privacy interests that may occur as a result of this incidental collection.

In the event that Canadian information is incidentally acquired in foreign signals intelligence collection, CSE may include obfuscated references to Canadian individuals or organizations in intelligence reporting if those references are essential to understand the foreign intelligence.

The obfuscation of this Canadian Identifying Information (CII) in reporting represents one of many layered privacy measures that are applied at different points in CSE’s end-to-end intelligence process. These include, among others, legal and policy training and on-site support for intelligence analysts, mandatory annual privacy tests for all operational employees, data tagging and auto-deletion, strict retention limits, specific handling guidelines, escalating approvals for reporting that includes CII, compliance spot checks, and separate vetting processes for disclosing obfuscated information and taking action on intelligence reporting.

Pursuant to the Privacy Act, government clients who receive CSE foreign intelligence reports may ask for obfuscated CII to be “disclosed” to them if that information relates directly to their department’s operating program or activities. Any disclosed CII is provided solely to inform their understanding of the foreign intelligence presented in the report. Government officials may not take action, share or otherwise use the CII disclosed to them under the disclosure process.

CSE continually refines its CII disclosure process. For example, to help support audit and review, CSE implemented a requirement for government clients to provide an operational justification to support their CII disclosure requests. It is important to note, however, that this is a matter of internal policy and that the Privacy Act does not require the documentation of legal authorities before information can be collected and disclosed.

Review Recommendations

CSE is committed to continuous improvement. We know that the recommendations from independent external review play an important role in that improvement. CSE has 25 years of experience working with the Office of the CSE Commissioner and now NSIRA to help improve our processes. We thank these review bodies for their work to help build trust and confidence with Canadians.

CSE continuously refines our privacy-protection measures, including those associated with the disclosure process. Improvements made over the past decade have been informed by the recommendations made by the CSE Commissioner as part of his annual reviews of CSE’s CII disclosures. Prior to NSIRA taking over review duties, CSE had accepted and implemented 95% of the recommendations made by the CSE Commissioner. Those not adopted were duplicative or overtaken by events such as new legislation. In his final 2018-2019 review, the Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction.

In this NSIRA review, as with previous CSE Commissioner reviews, we appreciate and have accepted the recommendations aimed at improving our internal policies and practices.

Given the overlap in this review period between the two bodies, certain NSIRA recommendations duplicate some presented in the CSE Commissioner’s reviews. As a result, we are pleased to note that many have already been implemented at this time; other NSIRA recommendations are in the process of being implemented.

Review Findings

Throughout this CII disclosure review, CSE provided extensive feedback and context to NSIRA, and sought clarification regarding the assessment criteria used to determine adequacy or inadequacy of specific records, the vast majority of which were deemed adequate by NSIRA. Without explaining the methodology used to support the findings, we are concerned that broad generalizations based on specific aspects of certain records within a single privacy measure may leave the reader with an incorrect impression about CSE’s overall commitment to privacy protections for Canadians.

CSE’s case-by-case process for disclosing CII to authorized GC recipients is part of robust and comprehensive internal measures that protect Canadians’ privacy. We balance the sharing of our intelligence with the privacy and safety of Canadians at all times. CSE disclosure analysts receive training and follow internal policies, guidelines and standard operating procedures to guide decision making.

While committed to implementing the recommended process improvements contained in the report, CSE remains concerned by NSIRA’s overall conclusions and characterization of the disclosure process and its role in the broader privacy framework, which we have expressed to NSIRA.

Referral to Attorney General of Canada

The Minister of National Defence submitted NSIRA’s classified report to the Attorney General of Canada in January 2021, supported by a comprehensive analysis of each record identified by NSIRA in its review.

The analysis supports the view that our activities, including applying protections for the privacy of Canadians, were conducted within a robust system of accountability, including compliance with the Privacy Act.

Additional Information

Top Secret-cleared and special intelligence-indoctrinated GC clients received thousands of foreign intelligence reports via CSE’s mandate under the CSE Act. These reports corresponded to Cabinet-approved intelligence priorities and were delivered to government clients who had both the authority to receive them and the ‘need to know’ their contents.

These reports reflect a wide range of intelligence requirements, from support to Canadian military operations, espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others. While only a very small percentage of these reports contain obfuscated CII, the underlying Canadian information is often essential for GC officials to understand the context of the threat and its Canadian nexus.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information: Backgrounder

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information


Backgrounder

Backgrounder

On November 25, 2020, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of National Defence and the Minister of Public Safety with a classified compliance report on its review of CSE’s disclosures of Canadian identifying information (CII). In this review, NSIRA found that the CII disclosure regime lacked rigour and that its implementation may not have been in compliance with the Privacy Act. Additionally, NSIRA found that the Federal Court may not have been adequately informed about key elements of CSE’s disclosures of CII collected on the authority of warrants issued in relation to section 16 of the Canadian Security Intelligence Service (CSIS) Act. Given the findings of the review, NSIRA has published its unclassified summary of the compliance report.

In carrying out its foreign intelligence mandate, CSE may incidentally acquire information about Canadians or person(s) in Canada. CII is information that could be used to identify an individual, and is normally suppressed from reporting unless Government of Canada or foreign clients request these details and are able to demonstrate that they have operational justification and legal authority to receive it.

After a thorough review of CSE’s disclosures of CII, which also involved direct engagement with other Government of Canada departments that request CII, NSIRA made 6 findings and 11 recommendations. This unclassified summary provides an overview of the CII disclosure regime, and NSIRA’s observations related to the policies, procedures, training, and the legal authorities governing it.

Publishing this summary aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work. Looking forward, NSIRA will conduct future reviews of the CII disclosure regime to ensure that its recommendations are implemented in a way that will improve the CII disclosure program and that this program is compliant with the applicable legal framework.

As per section 8(1)(a) of the NSIRA Act, independent review of CSE’s activities is a statutory requirement for NSIRA. As such, NSIRA will continue to review CSE activities and report on compliance issues if they arise.

To learn more about NSIRA’ mandate, click here.

Share this page
Date Modified:

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019: Report

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019


Report

Date of Publishing:

Executive Summary

The Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, September 4, 2019, to the end of the previous calendar year, December 31, 2019. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Act.

While this was the inaugural annual review under the NSIRA Act, it builds upon previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on information sharing with Foreign Entities is an example. The results from this previous review were sent to applicable departments in July 2020. NSIRA is building upon this previous review and strongly supports the findings and recommendations within it. As of the date of this report, departmental responses have not been received regarding the recommendations provided in NSIRA’s July 2020 Ministerial Direction review.

(U) It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period.

To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Act and the directions. The responses and associated information captured departmental activities related to the Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. NSIRA believes that having a robust framework is an essential part of an effective implementation of the directions departments have received.

Beyond the specific requirements of implementation, the information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken since the review period to build and formalize their frameworks. This information and knowledge will help set up the foundation for future reviews and assist efforts on creating consistent implementation across departments. While many of the issues discussed in this report go beyond the specific requirements of the directions, their consideration is critical to the overall improvement of the implementation process and how departments ultimately support the Act. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions and look closely at specific cases and departmental legal opinions to guide review findings.

While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments are employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach. And while departments will always require unique aspects in their sharing frameworks to address the unique characteristics of their mandates and activities, to improve the implementation process, a goal all involved likely have, the identification and sharing of best practices is critical.

For example, determining the best means for having a unified approach when engaging with foreign entities of concern or ensuring that an information sharing activity is consistently evaluated for risk by all departments. The recommendations provided on these issues in this review capture what NSIRA believes to be important concerns and considerations for supporting and improving departmental implementation.

Additionally, as the directives received under the Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the community to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, but also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Act across the community.

Authorities

This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity Act.

Introduction

Focus of the Act

In the same spirit as the Ministerial Direction (MD) that preceded it, the Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department and a foreign entity. The Act also aims to limit the use of information received from a foreign entity that may have been obtained through the mistreatment of an individual. While the previous MD guided the activities of a selection of Canada’s security and intelligence departments, the Act broadened this scope to capture all departments whose interactions with foreign entities included information exchanges where such a concern may apply.

The focus of the Act is to ensure departments take the necessary steps during their information sharing activities to avoid contributing in any way to the mistreatment of an individual. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. There is an expectation that each department will satisfy these requirements by leveraging departmentally established mechanisms and procedures, or frameworks that will allow each department to confidently demonstrate how it has responded to its responsibilities under the Act.

During the first year that the Act was in force, written directions using nearly identical language were sent to the Deputy Heads of 12 departments. In regard to disclosure, the directions read as follows:
“If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

With respect to requesting information, the directions state:
“If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

Lastly, as it relates to the use of information, the directions indicate:
“The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department

  • (a) in any way that creates a substantial risk of further mistreatment;
  • (b) as evidence in any judicial, administrative or other proceeding; or
    (c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.”

At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. This determination is done on a case-by-case basis. Each department is responsible for making these determinations as it applies to its activities. Following the outcome of a department’s determination of these important questions, cases may be approved, denied, or elevated to the Deputy Head for consideration. For the latter cases, this then results in additional reporting requirements for the Deputy Head. Throughout this process, there is also a requirement to ensure the accuracy, reliability, and limitations of use of all information being handled.

Review Objectives

After the Avoiding Complicity Act came into force in July 2019, the Governor in Council’s written directions were sent to each applicable department in September 2019. The period for this year’s review is September 4, 2019 to December 31, 2019. The short timeframe (approximately 4 months) associated with this year’s review means that departments are being assessed, in large part, on what they would already have had in place to address risks of mistreatment associated with information sharing, or what they were able to implement in a four-month window. NSIRA is cognizant that for the departments that were not previously subject to the 2017 MD on Avoiding Complicity in Mistreatment by Foreign Entities, the timeframe to implement the written directions was somewhat limited, as it would have been challenging to create and operationalize new procedures such that they would be reflected in the department’s activities during the period being reviewed.

While it was essential to ensure that both NSIRA and the departments being reviewed met their obligations, these challenges were kept in mind when evaluating the objectives for this first review. Given these considerations, the objectives of this year’s review were to determine whether:

  • departments had fully implemented the directions received under the Act in conformity with the obligations set out therein;
  • departments had established and operationalized frameworks that sufficiently enabled them to meet the obligations set out in the Act and directions; and,
  • there was consistency in implementation across applicable departments.

Methodology and assessment focus

To capture a complete view of the departmental implementation of the Act, NSIRA constructed a series of questions related directly to every department’s obligations under the Act and the directions. The responses and associated information captured what specific activities took place during the review period and what departmental frameworks were leveraged to adequately support these activities.

The information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken to build and formalize their frameworks to meet their obligations under the Act and directions. The information provided and the knowledge gained will help set up the foundation for future reviews and help create consistent implementation across departments.

The method used to gather information during a global pandemic was designed for this first and unique review period. We believe it allowed departments to quickly and efficiently indicate both whether the directions had been implemented, and what frameworks, processes, and policies had been leveraged or put in place.

Responses to many of the RFI questions were simply yes/no answers. Often, answers were dependent on what information handling activities took place with foreign entities by the department during the review period. As such, a number of questions could be returned with ‘not applicable’, and this was an acceptable response. Many of the questions were related to specific and easily defined requirements under the Act and its associated directions, e.g. ‘was a report submitted to the Minister?’ or ‘Did the Deputy Minister inform the applicable bodies of all their decision made under the act?’.

Other questions were designed to capture the details of the underlying processes that supported a department’s implementation, i.e. a department may indicate that they ensured no substantial risk of mistreatment was present in any of their information sharing activities, but how did they support this claim? Likewise, for an assertion that a possible substantial risk of mistreatment had been mitigated, what was in place that allowed a department to make this assertion? Therefore, this series of questions required sufficiently detailed responses to fully capture what a department had in place that allowed it to confidently state that it has met its implementation obligations under the Act and the issued directions.

Finally, a portion of the questions was intended to capture the level of uniformity in implementation across departments. This includes such things as country/entity assessments, triage practices, and record keeping. Much of this information will also help with recommendations going forward. This multi-faceted approach resulted in three main areas being evaluated to assess implementation for this review period and help set the groundwork for future reviews.

  • Departments have clear and comprehensive frameworks, policies, and guidelines such that they can demonstrate how they have fully implemented the directions under the Act.
  • All reporting requirements associated with both the Act and its applicable directions have been met.
  • Differences or gaps associate with areas such as country/entities assessments, record keeping, case triage, etc., such that consistent implementation across departments would be challenging.

Summary of the results table

The table in Annex A captures a summary of both the departmental responses to the implementation questions and NSIRA’s assessment regarding these responses. The assessment was based on the associated details provided by departments in the context of the specific information requested. As explained above, many of the responses were returned as not applicable (n/a). Since many implementation requirements are connected to specific activities, the absence of such activities would mean that the requirement does not come into play. The best example of this for the current review is the absence of any Deputy Minister level determinations. All 12 departments indicated that they did not have any cases referred to the Deputy Minister level for determination. All additional reporting requirements associated with this level of decision were not applicable and thus considered satisfied.

If a specific requirement was not met, it was flagged. The relatively few instances of this were connected with departments not meeting certain reporting obligations under the Act. In all cases, the department involved pre-identified these missing requirements and indicated that efforts were underway to address them.

The concerns and findings captured in the table (and others) are discussed subsequently. A concern was flagged in two situations: where there was an uncertainty associated with a department’s ability to support their implementation requirements; and cross-cutting issues related to general aspects of all of the frameworks described, both of which led to the findings and recommendations proposed.

Findings and Recommendations

Realities of Implementation for 2019

A challenge for departments for this first review was associated with one of the assessment items listed above, i.e. whether they had established frameworks to demonstrate how they supported the implementation of the directions they received.

With the Avoiding Complicity Act coming into force in July 2019, it was not feasible that departments would create and stand-up new frameworks for information exchanges in time for the period being reviewed. Although the Act did specify several Deputy Heads that were to receive directions, it only included those who received the previous 2017 MD. The remaining new departments received their directions in September 2019. Regardless of this two-month difference, each department would have been required to rely on, to some extent, existing procedures when handling information sharing with foreign entities during the review period.

This put the departments that had previously formalized policies and processes at an advantage when implementing the directions. For those departments who were not subject to the previous 2017 MD on information sharing, NSIRA considered how they leveraged and adjusted what was already in place to respond to their new responsibilities under the Act. What we then expected to see, for all departments, was what subsequent steps were taken during the review period and afterwards, to either adjust or create frameworks to better meet implementation requirements going forward. NSIRA noted that in response to questions on frameworks for handling information and mitigating risk, several of the departments new to the considerations of the Act provided extensive detail on their efforts and progress on building out their frameworks to support the directives. References to having these frameworks formalized over the subsequent year were also encouraging.

Finding no. 1: NSIRA found that several departments, new to the considerations of the Act, described considerable progress being made during the review period and afterwards to build out formalized frameworks to support implementation.

Importance of establishing operational framework

As discussed, having fully established operational frameworks in place for this review period may not have been feasible for the departments that did not previously have processes to support their activities. This, however, did not exempt a department from the requirements of implementation. Each department was still expected to leverage what it currently had in place to properly address the concerns associated with the Avoiding Complicity Act. Furthermore, there was a logical follow-on expectation that departments would take subsequent steps to build out formal frameworks to address any perceived gaps to support the implementation of the Act going forward if necessary.

After reviewing the responses received, NSIRA is concerned that departments with minimal information sharing activities taking place during their operations have yet to address the necessity of having a robust framework in place, regardless of how often that framework is leveraged. For example, although PS and TC may primarily act as facilitators or coordinators for information exchanges on specific programs, they are still interacting with foreign entities, and therefore are required to fully assess their interactions with a foreign entity in this regard.

If a department without a formal framework assesses that it has few or no cases associated with the Act, then it may believe it is adequately positioned to address any sharing concerns should they arise. This, however, is not the case. Even single instances of information exchange in which the concerns of the Act may apply require a framework to support it properly. In many cases, it will be the framework itself that properly identifies whether a sharing activity raises concerns under the Act. If there is no formal process in place, then this identification becomes problematic. Simply saying that there are no cases or activities associated with the Act is not sufficient. That determination can only be made after a sharing activity is scrutinized through the lens of a robust framework. Going forward, all departments who receive directions should demonstrate a formal framework that ensures all information sharing activities are adequately evaluated against the considerations of the Act.

Finding no. 2: NSIRA found that departments conducting minimal information exchanges with foreign entities have not yet fully addressed the importance of having an official information sharing framework in place.

Recommendation no. 1: NSIRA recommends that all departments in receipt of directions under the Act have an official framework that ensures they can fully support their implementation of the directions.

Community coordination and best practices

While departmental coordination and the sharing of best practices are not a requirement of the Avoiding Complicity Act or the directions, NSIRA considered such an approach’s value. What became clear during this first review was that every department employs a very different framework to guide their information sharing activities with foreign entities. This is to be expected to some extent, given the different mandates, sharing requirements, and areas of focus associated with each department. However, these differences are also a reflection of the independent, internal development that has taken place for the different frameworks being used. While the departments receiving directions under the Act do interact on this subject to some extent, to date, based on the responses provided, it appears that the majority of the work done by the departments to build supporting frameworks to address their responsibilities associated with the Act have been done so independently. There was little to no overlap with how departments described the various aspects of their frameworks, even amongst the departments subject to the earlier MD on this issue.

There would be value in departments collectively identifying the key aspects common or required in all information exchanges with foreign entities and then working together to craft best practices, irrespective of what a department currently has in place. This process should draw on all available resources to make this determination. Each department can then turn to their existing frameworks to consider where and how they can be adjusted to match this community-agreed upon ideal. This is not to say that aspects of what a department already has in place in their framework will not ultimately be seen as the best practice. Several departments do have robust sharing frameworks in place, and these will contribute significantly to this exercise. However, arriving at this determination independently will provide an additional level of confidence.

Department-specific challenges, of course, cannot be ignored. In fact, they will weigh in strongly on such a conversation. Departments share information under their mandates for various reasons, and this will mean that coordination on certain aspects of a sharing framework may not be possible. However, this needs to be evaluated. It is important that what already exists, or what is hard change, does not unduly influence what may be best. This approach will create uniformity (where possible) across the community and provide a starting point for ‘must haves’ for each department to evaluate their existing processes against.

The Public Safety Information Sharing Coordination Group (ISCG) was established to support departments on information sharing. As such, it is in an ideal position to help mitigate issues arising from the lack of coordination. Leading such efforts would build on the work already being done by this group. During recent discussions with NSIRA, the ISCG indicated that the tracking of lessons learned and the sharing of best practices was not yet routine. Going forward, there would be value in a more coordinated effort when departments are updating/changing their framework. Ensuring that this coordination takes place will require support and leadership by senior-level officials. This will help in sharing best practices once identified, and establish more consistent approaches across departments.

Finding no. 3: NSIRA found that the differences and variability in departmental frameworks demonstrate a previous lack of coordination across the community and a need to identify best practices.

Recommendation no. 2: NSIRA recommends that departments coordinate to identify best practices for all essential components of information sharing frameworks and that the ISCG is leveraged to ensure these practices are shared where possible across the community to support the implementation of the Act.

Framework application inconsistency

A series of questions in this review was related to aspects of consistency in how departments apply their frameworks. From this series, a comparison was made on how many times an information sharing/use event triggered an evaluation of any kind against the considerations of the Avoiding Complicity Act, versus how many of these triaged cases were elevated or referred up for decision. The results helped gauge two important aspects of a framework: One, the threshold requirements, i.e. how often a sharing activity triggers an evaluation of any kind; and two, the decision making power given to the operators who are initially handling these activities.

The feedback and the responses received demonstrate potential inconsistencies in both aspects across departments. For example, several departments indicated zero cases as being triaged/evaluated under the concerns of the Act during the review period, yet also specified that they are involved in regular information sharing or, specified that no information received from foreign entities was derived from mistreatment. These responses appear to be inconsistent as it would be problematic to participate in information sharing or to make such mistreatment determinations without the activity being evaluated on some level.

Other departments indicated a larger number of cases as initial triaged/evaluated, but also indicated that none of them were elevated in their decision making process for higher-level decisions. This would seem to suggest that all determinations were being made at the operational level. Such a result puts significant weight on the operator and the initial assessment tools they are leveraging if they are making all determinations independently. This reinforces the importance of a robust framework to help make these determinations, as previously indicated in Finding no. 2. As a result of these differences, potential challenges arise on accurately assessing the volume of cases being handled by departments, the tracking of those cases deemed to present a substantial risk, those which can be mitigated for, and those where the risk was not found to be substantial or even present.

These responses may result from how each department defines a ‘case’ or how it records a case, or they may be a result of differences in how a department’s decision-making process is leveraged. NSIRA’s concern is that these differences may indicate an inconsistency in application thresholds at different departments. As such, the following results were viewed as a potential issue based on the responses received:

  • if a department was involved in any kind for information exchange with a foreign entity during the review period, but did not indicate that any cases were formally triaged/evaluated; or
  • if there was a significant number of cases triaged, but none were elevated to a higher level for determination.

Such results do not necessarily indicate a problem as aspects of a framework may be able to account for this, however, looking further into how and why the department’s framework produced these outcomes is important. Future reviews will be able to do this. Consistent initial steps for information sharing activities, including triage/evaluation thresholds and documentation, are critical to the effective application of a framework, and ultimately to identifying best practices.

Finding no. 4: NSIRA found that there are inconsistencies in the application of existing sharing frameworks between departments, specifically concerning information evaluation thresholds, and decisions being elevated for senior level determinations,

Recommendation no. 3: NSIRA recommends that departments establish consistent thresholds for triggers in their information sharing frameworks, including initial evaluations against the concerns of the Act, when a case is to be elevated in the decision process, and how this is documented.

Country and entity assessments

A key recommendation of NSIRA’s previous review on information sharing related to the country/entity assessments being used by departments to inform their decision making process when sharing or using information with a foreign entity. While the use of country/entity assessments is not a required aspect of implementing the directions under the Act, NSIRA continues to support this tool as an important aspect of any sharing framework. In its previous review, NSIRA determined that having a firm grasp on the human rights situation, as well as any other pertinent information associated with a country/entity, was essential to making an informed decision on whether there should be concerns, caveats, or limitations when handling information with that country/entity. Moreover, having such information captured to ensure all departments consistently approach these countries/entities is critical. At the time of the previous review, the following recommendation was made:

  • a unified set of assessments of the human rights situations in foreign countries including as standardized ‘risk of mistreatment’ classification level for each country; and
  • to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

It is important to note that there has been no formal response from departments on this previous recommendation as of the date of this report. Furthermore, during this report, two departments continue to raise concerns with NSIRA’s stance on this issue during the consultation process. While NSIRA continues to support this recommendation, as explained below, further discussions with departments on how to approach this matter may be warranted, specifically on the distinction between how this recommendation may apply to a foreign country/entity vs a specific foreign partner a department may be dealing with.

Based on the responses provided on this topic for the current review period, there is still inconsistency in this area. While almost all departments indicated that country/entity assessments were a standard part of their framework, the responses also indicate differences in which country assessments are used, how they are leveraged, and who is responsible for updating them. For example, several departments rely on their own in-house created assessments, while others leverage the assessments created by Global Affairs Canada and others. While departments who indicated that they are leveraging country/entity assessment tools in their process also indicated that these assessments captured human rights concerns, this has yet to be independently evaluated. NSIRA is concerned that these differences could result in different approaches/stances being taken by departments when dealing with the same foreign entity. While the country/entity assessments tools themselves are not necessarily in question, the fact that every department is not leveraging or does not have access to all useful or applicable information is.

NSIRA remains of the view that having a consistent stance on all countries and entities when implementing the requirements of the Act is important. Issues such as mistreatment and human rights should not be decided at a departmental level, but on a whole-of-government level. While mindful of classification levels, ensuring all departments have access to the same relevant information associated with a foreign country/entity is critical to making an informed decision. Due to the nature of their work, departments may be privy to unique information on a country/entity, some or all of which can be shared. This would lead to fully informed assessments that allow for a consistent approach when dealing with any country/entity. In addition to improving duplication of effort in this area by departments, NSIRA continues to see standardized country and entity assessments, which can be accessed and contributed to by all departments, as key to moving toward a more consistent and effective implementation of the Act across the community

Finding no. 5: NSIRA found a lack of unification and standardization in the country and entity assessments being leveraged by departments, resulting in inconsistencies in approach/stance by the community when interacting with Foreign Entities of concern related to the Act.

Recommendation no. 4: NSIRA recommends that departments identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach by departments when interacting with Foreign Entities of concern under the Act.

Conclusion

While aspects of implementation can be easily quantified and evaluated e.g. reporting requirements to a Minister, others, which support implementation are more difficult to measure, e.g.:

  • What does a sufficiently robust framework for assessing and mitigating risk when sharing with a foreign entity look like?
  • Does this depend on the specific requirements and activities of the department; or,
  • Are there steps that should always be involved when vetting a foreign entity under the considerations of the Act?

Measuring and weighing the answers to such questions is challenging. They are more nuanced, and can’t be as easily quantified. Regardless, they must be considered and addressed. Drawing on the considerations and concerns identified in this review will help departments to ask the questions that will improve their underlying frameworks with the following goals in mind:

  • To identify the essential/key elements that need to be a part of any framework for it to address the concerns associated with the Avoiding Complicity Act sufficiently; and,
  • To have all identified best practices implemented as consistently as possible across departments.

Future reviews will push towards these goals by seeking answers to those questions above. By looking more closely at specific case studies, departmental legal opinions, items of inconsistency, and the departmental frameworks that are already demonstrating best practices that should be shared. Ultimately the results of such efforts will contribute to improving the implementation of the Act across the community.

Share this page
Date Modified:

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019: Backgrounder

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019


Backgrounder

Backgrounder

In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The framework aimed to establish a coherent and consistent approach across government when sharing and receiving information with Foreign Entities. Following this, Ministerial Direction was issued to applicable departments in 2011 on Information Sharing with Foreign Entities, and then again in 2017 on Avoiding Complicity in Mistreatment by Foreign Entities.

On July 13, 2019, the Avoiding Complicity Act came into force. This Act codifies and enshrines Canada’s commitments in respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment.

On September 4, 2019, pursuant to section 3 of the Act, the Governor in Council (GiC) issued written directions to the Deputy Heads of the following 12 departments and agencies: Canada Border Services Agency (CBSA), Canada Revenue Agency (CRA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment (CSE), Department of Fisheries and Oceans Canada (DFO), Department of National Defence and Canadian Armed Forces (DND/CAF), Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Global Affairs Canada (GAC), Immigration, Refugees, and Citizenship Canada (IRCC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP) and Transport Canada (TC).

The GiC issued directions focused on three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.

Pursuant to section 7 of the Act, every Deputy Head having received direction must, before March 1 of each year, submit to the appropriate Minister a report regarding the implementation of those directions during the previous calendar year. Following this, every Deputy Head must, as soon as feasible after submitting the report, make a version of it available to the public.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Self-Identified Privacy Incidents and Procedural Errors: Report

Review of the Communications Security Establishment’s Self-Identified Privacy Incidents and Procedural Errors


Report

Table of Contents

Date of Publishing:

HTML Version Coming Soon

Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!

Share this page
Date Modified:

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2019: Report

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2019


Report

Date of Publishing:

Abstract

Parliament enacted the Security of Canada Information Disclosure Act (SCIDA) in 2019 to improve the sharing of intelligence and national security information. SCIDA provisions aim to enhance accountability by clarifying roles and responsibilities in the disclosure process and amending the specific authority under which federal institutions may disclose this information. The National Security and Intelligence Review Agency (NSIRA) is responsible for reviewing and reporting annually on these disclosures. SCIDA has been used 114 times to disclose information during the reporting period of June 21 to December 31, 2019. The initial impression is that departments and agencies are making good progress to institutionalize this new legislative authority. The Royal Canadian Mounted Police and the Canadian Security Intelligence Service were the main recipients of SCIDA disclosures; Immigration, Refugees and Citizenship Canada and Global Affairs Canada were the main disclosers of information. The content of these disclosures varied, but generally involved personal information: names, age, physical characteristics, location and residential information. Departments and agencies varied significantly in how they applied certain SCIDA requirements. For example, the level of detail varied in statements disclosing institutions made to recipients concerning the accuracy, reliability and origin of information. In determining whether to disclose information, departments and agencies were also inconsistent in how they applied the contribution test, that is, determining whether disclosure would contribute to the exercise of the recipient’s jurisdiction, or the carrying out of its responsibilities in respect of activities that undermine the security of Canada. In addition, NSIRA identified some requests for information that were broad in nature, raising a risk that extraneous personal information could have been inadvertently shared. Finally, NSIRA observed two instances of departments or agencies destroying or returning information that either exceeded initial requests or was not necessary for the institution to exercise its jurisdiction. NSIRA also observed that the disclosures contained caveats.

Executive Summary

The Security of Canada Information Disclosure Act (SCIDA) promotes the disclosure of certain information between institutions of the Government of Canada in order to protect Canada against activities that undermine the nation’s security. SCIDA is an updated statute intended to improve the sharing of intelligence and national security information, as well as to enhance accountability by clarifying roles and responsibilities in the disclosure process and amending the specific authority under which federal institutions may disclose this information.

Our agency, the National Security and Intelligence Review Agency (NSIRA), is required under its governing legislation to submit an annual report to the Minister of Public Safety and Emergency Preparedness on disclosures made under SCIDA. We have prepared this report to fulfil that obligation. This report is also intended to provide an overview of SCIDA and the obligations that it has created for federal departments and agencies.

Because SCIDA came into force only in June 2019, this report is based on a period of just six months; going forward, the reporting period will be a full calendar year. In addition, given the unprecedented nature of the COVID-19 pandemic, and its impact on our work, we could not complete our review of the disclosures made under SCIDA in 2019 in time for this publication. We are continuing our analysis of the disclosures, however, and intend to publish our findings in next year’s report.

In the last six months of 2019, departments and agencies made 114 disclosures under SCIDA. Immigration, Refugees and Citizenship Canada made almost half of these disclosures, primarily to the Canadian Security Intelligence Service and the Royal Canadian Mounted Police. The content of these disclosures varied, but was generally concerned with personal information: names, age, physical characteristics, location and residential information.

Public Safety Canada has primary responsibility for coordinating the implementation of SCIDA. While we will return to this theme next year, our initial impression is that good progress is being made to institutionalize this new legislative authority.

Finally, we are also pleased to report that we have laid a foundation for working collaboratively with the Office of the Privacy Commissioner of Canada (OPC) on next year’s annual review of SCIDA. The National Security and Intelligence Review Agency Act specifically allows for us to coordinate with the OPC; this will enable us to undertake a more comprehensive analysis of disclosures of information under SCIDA. Our goal is to produce a joint NSIRA-OPC report on SCIDA disclosures in 2021.

Sharing information in a timely and effective manner is critical to assessing and mitigating threats, which can be complex and global in scope, and often evolve rapidly. Generally, departments and agencies share information with one another under the authority of, and consistent with, legal frameworks specific to their mandates. Disclosures must also be compliant with the Privacy Act. That legislation sets out that, except in specific limited circumstances, personal information under the control of a government institution shall not be disclosed without the consent of the individual. One exception is that information maybe shared without consent when the purpose for disclosure is consistent with the original purpose for which the information was obtained or compiled. This exception, under section 8 of the Privacy Act, is known as “consistent use.”

Problems with respect to information sharing date back to at least the 1980s.They were apparent in the work of Justice Major’s Commission of Inquiry into the Investigation of the Bombing of Air India Flight 182, which addressed information sharing in relation to the bombing. The 2010 inquiry concluded that the failure of domestic agencies to share information effectively contributed to the downing of the Air India flight, and that information sharing lacked coordination, was unstructured and was inconsistent.

In 2010, the government released its “Action Plan – The Government of Canada Response to the Commission of Inquiry into the Investigation of the Bombing of Air India Flight 182.” This action plan led to the Security of Canada Information Sharing Act (SCISA), which came into force in 2015. SCISA’s goal was to facilitate information sharing for national security purposes. In 2019, the legislation was amended and renamed the Security of Canada Information Disclosure Act (SCIDA) in response to concerns expressed by various stakeholders and the general public.

SCIDA provides an independent authority for federal government institutions to disclose information to protect against activities that undermine the security of Canada. It is meant to improve the effectiveness and accountability of national security and intelligence information sharing by clarifying roles and responsibilities in the disclosure process, and by amending the specific legislative authority under which federal institutions are able to disclose this information.

Information sharing that takes place under SCIDA remains a small fraction of the information that is shared for national security purposes. Most information sharing continues to take place under the authority of the specific legal frameworks of the relevant departments, and under the authority of the Privacy Act, particularly its consistent use provision.

This Report

The National Security and Intelligence Review Agency (NSIRA) is required under its governing legislation to submit to the Minister of Public Safety and Emergency Preparedness a yearly report on disclosures made under SCIDA. This report fulfils NSIRA’s statutory obligation and is an essential component of the accountability measures in SCIDA. This report and NSIRA’s annual public report are important vehicles through which NSIRA hopes to contribute to transparency with respect to the national security and intelligence activities of federal departments and agencies.

Given the unprecedented circumstances created by the COVID-19 pandemic and how it has affected NSIRA’s work, the agency regrets that it was unable to complete in time for publication its assessment of the extent to which the 2019 SCIDA disclosures were legally compliant, as well as the extent to which these disclosures were reasonable and necessary. NSIRA is continuing to analyze these disclosures, however, and intends to publish its findings in next year’s SCIDA report. Instead, this year’s SCIDA report will provide parliamentarians and Canadians with information about SCIDA and how it fits alongside other legal mechanisms for the sharing of information, as well as provide baseline information on the disclosures for this reporting period. It also sets out NSIRA’s expectations and intentions for the future, and explains why information sharing is a critical issue for NSIRA.

In this regard, NSIRA is pleased to report that it has taken important steps to lay the foundation for working jointly with the Office of the Privacy Commissioner of Canada (OPC) on next year’s annual review of SCIDA. Coordinating with the OPC, pursuant to both the National Security and Intelligence Review Agency Act and the Privacy Act, will allow for a more comprehensive report in respect of disclosures of information under SCIDA. In addition to avoiding duplication, working collaboratively will ensure that NSIRA’s expertise in national security is complemented by the OPC’s privacy expertise, whose mandate is to oversee compliance with the Privacy Act. The goal is to produce a joint NSIRA-OPC report on SCIDA disclosures in 2021.

Initial Concerns with SCIDA’s Predecessor, the Security of Canada Information Sharing Act (SCISA)

As noted, SCIDA was shaped by the government’s consultations on national security matters in 2016, as well as by Parliament’s scrutiny of the bill. These efforts highlighted concerns among stakeholders and the general public that the legislation would permit too much sharing of personal information, and without appropriate mechanisms for accountability. Many commentators urged the government to enhance the legal threshold for disclosing information; they argued that the term “relevance” was too low. Several stakeholders also urged that the receipt of information be governed by a standard of necessity and proportionality and that a precise definition of “threats to the security of Canada,” one modelled on the Canadian Security Intelligence Service Act (CSIS Act), be incorporated into the bill.

In 2017, the review body for CSIS at the time, the Security Intelligence Review Committee (SIRC), published a review of SCISA to examine how it affected information sharing between CSIS and its domestic partners. That same year, the OPC published a report on SCISA intended to determine, among other things, whether departments and agencies had engaged in appropriate risk management activities to identify and minimize the privacy impacts of sharing. Both SIRC and the OPC noted general deficiencies in tracking and record keeping; they expressed concerns about SCISA’s lack of clear requirements in that regard, which were thought to be key to maintaining strict controls over information sharing.

In response to these concerns, the preamble in the proposed Act was amended to include a statement that disclosure of information must respect the Privacy Act and other privacy legislation, as well as the Canadian Charter of Rights and Freedoms (the Charter). Other legislative amendments to SCISA included a change to the previous threshold of relevance, and a new requirement that both the disclosing agency and the receiving agency perform assessments throughout the disclosure process. In addition, the legislation now contains retention, reporting and record-keeping requirements. NSIRA’s analysis of the 2019 disclosures — still under way — focuses on these concerns in assessing whether the disclosures met all statutory obligations.

The SCIDA preamble now declares that one of the Act’s objectives is to create an explicit authority to facilitate the effective and responsible disclosure of information to protect the security of Canada. SCIDA also stipulates that it cannot authorize a disclosure prohibited under another federal statute. It further stipulates that SCIDA does not constitute a lawful authority for a department or agency to collect information.

Under SCIDA, a disclosing department or agency must verify that the recipient is one of the 17 departments and agencies listed in schedule 3 authorized to receive disclosures. It must also be satisfied that the disclosure will “contribute to the exercise of the recipient’s jurisdiction, or the carrying out of its responsibilities in respect of activities that undermine the security of Canada” (paragraph 5(1)(a)). Importantly, information relating to lawful advocacy, protest, dissent and artistic expression cannot be disclosed unless conducted in conjunction with an activity that undermines the security of Canada. The disclosure must not “affect any person’s privacy interest more than is reasonably necessary in the circumstances” (paragraph 5(1)(b)). Additionally, the disclosing department or agency “must provide information regarding its accuracy and the reliability of the manner in which it was obtained” (subsection 5(2)).

At the same time, the receiving department or agency is subject to specific requirements under the Act. In particular, it must assess the “personal information” received in order to ensure that all information that is not necessary for the department or agency to exercise its jurisdiction, or to carry out its responsibilities in respect of activities that undermine the security of Canada, is promptly destroyed or returned. An exception to this requirement is if retention is otherwise required by law. For example, the requirement to destroy or return personal information does not apply to certain law enforcement bodies, including the RCMP, if they are subject to criminal law disclosure obligations. Additionally, pursuant to subsection 5.1(3), the requirement to return or destroy personal information obtained pursuant to SCIDA does not apply to CSIS in respect of any information that relates to the performance of its duties and functions under section 12 of the CSIS Act to collect information and intelligence on threats to the security of Canada.

SCIDA Information Sharing Scheme

BEFORE DISCLOSURE DISCLOSURE TEST OTHER REQUIREMENTS

GC institution requests information from another GC institution. The recipient institution must be listed in schedule 3 of the Act.

GC institution, on its own initiative, decides to disclose to a GC institution listed in schedule 3 of the Act.

The information that the GC institution is expected to share is in respect of activities that undermine the security of Canada as defined in s.2 of the Act.

The disclosing institution must be satisfied that:

a) the disclosure will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority; and

b) the disclosure will not affect any person’s privacy interest more than it is reasonably necessary in the circumstances.

(paragraphs 5(1)(a) and 5(1)(b)).

Copy to NSIRA
In relation to the record-keeping requirement, a copy of every record of disclosure shared or received must be provided every year to NSIRA. (subsec. 9(3))

Destroy or return
The receiver must, as soon as feasible after receiving disclosure, destroy or return any personal information that is not necessary for the institution to exercise its jurisdiction, or to carry out its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada. (subsec. 5.1 (1))

Accuracy and reliability
GC institution that discloses information under subsection (1) must, at the time of the disclosure, also provide information regarding its accuracy and the reliability of the manner in which it was obtained. (subsec. 5(2))

Recordkeeping
GC institution must, as soon as feasible after receiving it under section 5, destroy or return any personal information, as defined in section 3 of the Privacy Act, that is not necessary for the institution to exercise its jurisdiction, or to carry out its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada (subsec. 5.1(1)) unless otherwise required by law. (subsec. 5.1(2))

CSIS – Exception
Recordkeeping requirement does not apply to CSIS in respect of any information that relates to the performance of its duties and functions under s. 12 of the CSIS Act. (subsec. 5.1(3))

SCIDA in Context

Currently, the information sharing that takes place under SCIDA represents a small fraction of the information that is shared for national security purposes among federal government departments and agencies. All sharing of personal information by the federal government must be done in conformity with the Charter. Of note, section 8 of the Charter protects against “unreasonable search or seizure” and applies wherever a person might have a reasonable expectation of privacy. An authority to share information does not guarantee that the sharing meets the standards derived from section 8 of the Charter, and this issue must be assessed on a case-by-case basis. The Privacy Act governs all handling of personal information by federal government departments and agencies. SCIDA, however, is specific, and relates to the disclosure of national security information. Both Acts work hand-in-glove.

Additionally, there are specific statutes under which information sharing may occur. For example, subsection 19(2) of the CSIS Act authorizes the disclosure of information obtained by CSIS, and sections 43, 44 and 46 of the Communications Security Establishment Act (CSE Act) authorize the disclosure of information obtained by the Communications Security Establishment (CSE), with both pieces of legislation specifying that the information had to be obtained in the performance of each agency’s own duties in certain circumstances. Other examples of specific statutes permitting such information sharing include the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Immigration and Refugee Protection Act (IRPA), the Customs Act, and the Secure Air Travel Act. In addition to these statutory authorities, section 8 of SCIDA provides that information can also be shared under the Crown prerogative or common law authorities. Much information sharing in the national security context, however, is done pursuant to the various exemptions of the Privacy Act. The RCMP, for example, may rely on the Privacy Act to disclose personal information in various contexts, including programs that coordinate the sharing of personal information, such as the Criminal Intelligence Service and the Canadian Police Information Centre, which are administered pursuant to the RCMP’s law enforcement mandate.

Disclosures to NSIRA

Proper record keeping is a key aspect of accountability, as a failure to document and track disclosures and receipts of information undermines the review function, whether external or internal.

Under subsection 9(1) of SCIDA, records must be kept by departments and agencies that disclose and receive such information. The records must include, among other baseline information, the information that disclosing departments and agencies relied on to satisfy themselves that they had the authority to disclose the information. Recipient departments and agencies must indicate whether the information has been destroyed or returned. Under subsection 9(3) of SCIDA, a copy of those records must be provided to NSIRA within 30 days after the end of each calendar year.

Statutory Requirement to Report Disclosures to NSIRA

NSIRA received records from all agencies that disclosed or received information on a timely basis. However, some discrepancies were detected such that the number of disclosures of information reported did not, in a minority of cases, match the reported receipts of information. NSIRA asked for, and was provided, explanations for these discrepancies and is satisfied that the root causes can be attributed to the newness of the regime and that there was no attempt to obscure the fact of information having been disclosed or received. NSIRA is aware of the community’s ongoing efforts to address this, led by Public Safety Canada. NSIRA expects that, next year, there will be fewer or no discrepancies in the numbers reported. NSIRA also requested and received access to the disclosures themselves, from all departments and agencies that either disclosed or received information. The necessity to provide complete copies of all disclosures and receipts, in addition to a “record” of each disclosure as set out in SCIDA, is required to allow NSIRA to fully assess whether the departments and agencies met their statutory obligations.

Frequency of Disclosures

During the last six months of 2019, departments and agencies reported havingused SCIDA 114 times to disclose information. In comparison, during the firstsix months after its predecessor SCISA was enacted in 2015, departmentsand agencies reported using that legislation to disclose information 58 times.

2019 SCIDA Disclosures

A total of 114 disclosures were sent and received by Government of Canada departments in 2019. The below table identifies by whom and to whom disclosures were sent and received, and the volume of 2019 disclosures under the SCIDA.

Disclosing Institution Number of Disclosures Receiving Institution
Canada Border Services Agency 2 Royal Canadian Mounted Police
Canada Border Services Agency 1 Canadian Security Intelligence Service
Global Affairs Canada 23 Canadian Security Intelligence Service
Global Affairs Canada 3 Immigration, Refugees and Citizenship Canada
Global Affairs Canada 1 Public Safety Canada
Global Affairs Canada 15 Royal Canadian Mounted Police
Immigration, Refugees and Citizenship Canada 17 Canadian Security Intelligence Service
Immigration, Refugees and Citizenship Canada 5 Communications Security Establishment
Immigration, Refugees and Citizenship Canada 1 Department of National Defence and Canadian Armed Forces
Immigration, Refugees and Citizenship Canada 36 Royal Canadian Mounted Police
Royal Canadian Mounted Police 4 Canada Revenue Agency
Royal Canadian Mounted Police 1 Financial Transactions and Reports Analysis Centre of Canada
Royal Canadian Mounted Police 1 Immigration, Refugees and Citizenship Canada
Royal Canadian Mounted Police 3 Global Affairs Canada
Transport Canada 1 Royal Canadian Mounted Police

Not surprisingly, the main recipients of SCIDA disclosures were the RCMP and CSIS, both of which have the authority under their respective mandates to collect and retain information in the conduct of investigations in the national security context. SCIDA, by contrast, does not constitute an authority to collect information.

Information disclosed under SCIDA may be disclosed either proactively or in response to a specific request. In many cases, the RCMP and CSIS requested of their government partners to obtain information of relevance to their active investigations. Information was then disclosed responsively under the authority of SCIDA.

Immigration, Refugees and Citizenship Canada (IRCC) was responsible for approximately half of the disclosures made under SCIDA in 2019. This, too, is not surprising, considering IRCC’s mandate to collect personal information about Canadians, permanent residents and foreign nationals under the IRPA, the Citizenship Act and the Canadian Passport Order. In general, records gathered during the course of applications for immigration to Canada were often the subject of disclosure. IRCC also supplied information about the status of individuals in Canada. In NSIRA’s view, a great deal of the information disclosed by IRCC would be considered “personal information” as defined in the Privacy Act and incorporated in the SCIDA.

Global Affairs Canada (GAC) was responsible for slightly over a third of all disclosures. The information was obtained in the course of providing consular assistance to Canadians, or through engagement with host-country authorities in regards to consular cases. In a majority of cases, GAC proactively disclosed the information at issue.

The content of disclosures varied, but was generally concerned with personal information: names, age, physical characteristics, location and residential information. As noted, some of the disclosures merely involved advising whether an individual had status in Canada. Other disclosures included familial and relationship information. A few disclosures contained personal information on individuals connected to an investigation.

Anonymized Scenario Examples of SCIDA Disclosures

RCMP request for disclosure from IRCC: The RCMP initiated a criminal investigation of an individual who applied for citizenship with personal finances potentially linked to terrorist investments. The RCMP requested descriptors, biographical information, employment history and other known selectors from IRCC that would assist in this investigation.

RCMP request for disclosure from IRCC: The RCMP initiated a criminal investigation of individuals believed to be facilitators of a terrorism organization. The RCMP sought identification information (e.g., full names, citizenship, marital status, photographs) for these individuals, in addition to contact and locational data, as well as marital status and known family members to assist in this investigation.

CSE request for disclosure from IRCC: CSE’s request for disclosure sought to confirm whether a given individual held Canadian citizenship or other status in Canada. This information assists CSE as it is prohibited from targeting Canadians. IRCC disclosed the information as requested, with caveats to protect the individual’s privacy rights when communicating back to third parties.

RCMP disclosure to the Canada Revenue Agency (CRA): The RCMP discloses information related to registered charities and individuals linked to them, in certain cases. This includes confirming whether organizations or individuals are or have been the subject of an investigation. The CRA is responsible for protecting the integrity of Canada’s registration system for charities. This information supports them in their efforts to detect and address risk as it relates to terrorist abuse of Canada’s charitable sector.

A very small number of disclosures targeted more than a single individual. These appeared to represent an efficiency because the grounds for requesting or disclosing were the same. Nevertheless, NSIRA will be attentive to these types of disclosures in future reviews, given the potential risks associated with disclosures of this nature.

Other Observations

The disclosures contained caveats related to the use and disclosure of information; NSIRA observed no refusals of caveats by requesters. The degree to which disclosures included statements concerning the accuracy, reliability and origin of information, however, varied. Simply put, the level of detail varied from disclosure to disclosure. Given the O’Connor Commission’s finding that inaccurate information related to Maher Arar was shared with foreign partners, this is an important observation. Next year’s review will look for a consistently high standard across departments and agencies in this regard.

In addition, there were instances in which, based on the broad nature of the request, NSIRA assessed that extraneous personal information could have been inadvertently shared. Responsible use of SCIDA depends on departments and agencies demonstrating caution and attention to detail throughout the process to ensure that the disclosure will not affect anyone’s privacy interest more than is reasonably necessary in the circumstances. This becomes a challenge when requests are not precise, or are expansive in scope. In this context, it is worth noting that NSIRA observed two instances of departments or agencies destroying or returning information that either exceeded initial requests or was not necessary for the institution to exercise its jurisdiction. NSIRA will pay particular attention to this issue in future reviews.

Finally, SCIDA specifies that a disclosing department or agency must be satisfied that the disclosure will “contribute to the exercise of the recipient’s jurisdiction, or the carrying out of its responsibilities, in respect of activities that undermine the security of Canada.” This is known as the “contribution test.”

NSIRA noted some variation in the application of this test from disclosure to disclosure. Some departments and agencies applied it to each disclosure on a case-by-case basis. Others applied blanket or generic statements for several different requests. It is the responsibility of the disclosing department or agency to satisfy itself, among other things, that the information disclosed will contribute to the mandate of the recipient institution. Requests for information should provide a rationale that is sufficiently detailed and nuanced so that the disclosing department or agency would be able to be satisfied that the information would contribute to the mandate of the recipient department or agency. This will be an area that NSIRA will closely scrutinize in the future.

Systems and Training

Public Safety Canada has assumed a lead role in promoting interagency cooperation with respect to SCIDA. The department established the Strategic Coordination Centre on Information Sharing. This centre is dedicated to providing support to federal departments and agencies in operationalizing SCIDA, advancing governmental knowledge related to information sharing, and better educating the public on issues of national security information sharing. The department also formed a working group comprising SCIDA’s schedule 3 departments and agencies.

In late 2019, Public Safety Canada produced a 92-page explanatory guide, “A Step-by-Step Guide to Responsible Information Sharing.” This guide provides contextual information to promote better understanding of the purpose of SCIDA. It provides supporting material to assist with practical implementation of the Act in an effort to achieve consistency across departments and agencies in the disclosure process and in record keeping. For example, the guide outlines the required actions to be taken to disclose and receive information under SCIDA, and includes checklists and record-keeping and disclosure templates. It also clearly describes the mandates of all 17 departments and agencies listed in SCIDA as an aid to disclosing departments and agencies, since they must understand these mandates before disclosing information. Overall, the guide demonstrates a serious effort to educate the government on SCIDA and to encourage its use. Departments and agencies using SCIDA are encouraged by NSIRA to make its use of the materials, including the templates, developed by Public Safety Canada.

Since July 2019, Public Safety Canada has also held SCIDA training and information sessions. Between July 2019 and February 2020, 14 sessions attracted some 245 participants. These sessions traced the history of SCIDA, provided guidance as to its use, and engaged participants with case scenarios. Participant feedback indicates these sessions were well-received. Due to the COVID-19 pandemic, training is now being held virtually.

All departments and agencies listed in SCIDA as potential recipients received the guidance materials from Public Safety Canada and all departments and agencies that actively disclosed material participated in the training. Training materials were also distributed to the members of the working group. These efforts promote consistency across government departments and agencies, which supports NSIRA’s review responsibilities. Training for other departments and agencies that are more likely to receive information under SCIDA was scheduled for spring 2020, but was postponed because of the pandemic.

Public Safety Canada also encourages departments and agencies to develop their own internal guidance materials to communicate SCIDA requirements in the context of their specific information holdings, and with regard to their specific responsibilities for handling that information. Some departments and agencies have already developed internal guidance materials to further support the use of SCIDA as an authority to disclose information and to complement the materials provided by Public Safety Canada. For example, IRCC has developed guidance material to support the responsible implementation of SCIDA, as has CSE. In future reviews, NSIRA will examine how departments and agencies have supported and educated staff internally.

Conclusion: The Way Forward

Next year, NSIRA’s review will respond to the two key concerns expressed during the public debate about this legislation, namely, that it would permit the disclosure of too much personal information, and that the information would be shared without appropriate mechanisms for accountability. Specifically, the report will feature a detailed examination of SCIDA disclosures to verify that the requirements and limitations of the Act are being respected when information is disclosed. As noted, this review will be coordinated with the OPC and will include, pursuant to the OPC’s mandate, a review of government departments and agencies’ compliance with the Privacy Act with respect to disclosures made under SCIDA.

In formulating an assessment, NSIRA will expect departments and agencies to have complied with the thresholds and requirements identified in SCIDA and the Privacy Act, as well as other applicable laws related to both disclosures and receipt of information. This will include an assessment of whether, for example:

  • the disclosures contributed to the exercise of the recipient department or agency’s jurisdiction, or the discharge of its responsibilities;
  • the disclosure affects any person’s privacy interest more than was reasonably necessary in the circumstances;
  • any personal information that was not necessary for the department or agency to exercise its jurisdiction, or to carry out its responsibilities, was returned or destroyed; and
  • statements on the accuracy and reliability of the information were provided.

NSIRA will be attentive to the limitation on disclosing information related to lawful advocacy, protest, dissent and artistic expression.

NSIRA will also expect the departments and agencies to continue to respect the record-keeping and reporting requirements of SCIDA; to have taken reasonable steps to put in place required policies, training or guidance, and procedures to ensure compliance with SCIDA; and, finally, that established policies and procedures have been followed in all cases. NSIRA’s analysis will be informed and guided by the initial observations made in relation to the 2019 SCIDA disclosures, as described above.

Share this page
Date Modified: