Ottawa, Ontario, November 6, 2024 – The National Security and Intelligence Review Agency’s (NSIRA) fifth annual report has been tabled in Parliament.
This report provides an overview and discussion of NSIRA’s review and investigation work throughout 2023, including its findings and recommendations. It highlights the significant outcomes achieved through strengthened partnerships and an unwavering commitment to all Canadians to provide accountability and transparency regarding the Government of Canada’s national security and intelligence activities.
The annual report also reflects on a major milestone: NSIRA’s five-year anniversary. The agency has matured since its inception in 2019, keeping pace with emerging threats, technological advancements, and evolving security and intelligence activities. In stride, NSIRA has built an enhanced capacity to address complex issues and conduct thorough and effective reviews and investigations with a team of dedicated professionals with diverse expertise.
In 2023, in addition to its mandatory reviews, NSIRA continued executing discretionary reviews that were deemed relevant and appropriate. Of the ongoing reviews in 2023, NSIRA has since completed 12. In particular, NSIRA’s review on the Dissemination of Intelligence on People’s Republic of China Political Foreign Interference, 2018–2023 was a significant achievement. NSIRA evaluated the flow of intelligence within government from the collectors to consumers, including senior public servants and elected officials. This involved scrutinizing internal processes regarding how collected information was shared and escalated to relevant decision-makers. NSIRA determined it was in the public interest to report on this matter and produced its first special report under section 40 of the NSIRA Act, which was tabled in both houses of Parliament in May 2024.
Review highlights in the report include the following:
A review of the Communications Security Establishment’s (CSE) use of the polygraph for security screening, which examined the way CSE operated its polygraph program and the role of the Treasury Board of Canada Secretariat (TBS) in establishing the Standard on Security Screening that governs the use of the polygraph for security screening by the Government of Canada;
A review of the Canadian Security Intelligence Service’s (CSIS) current application of its dataset regime, which enables CSIS to collect and retain datasets containing personal information that are not directly and immediately related to threats but likely to assist in national security investigations;
A review of operational collaboration between CSE and CSIS, NSIRA’s first review to examine the effectiveness of the collaboration by assessing their respective mandates and associated prohibitions;
Two mandated multi-departmental reviews: a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and a review of disclosures of information under the Security of Canada Information Disclosure Act; and
Three reviews concerning human source programs: the RCMP’s Human Source Program, CBSA’s Confidential Human Source Program, and the Department of National Defence/Canadian Armed Forces’ Human Source Handling Program.
NSIRA also closed 12 investigations in 2023. Last year, the agency saw an increase in complaints against CSIS under section 16 of the NSIRA Act, alleging process delays in immigration or citizenship security screening.
This annual report demonstrates the value of expanded partnerships and how the organization leveraged its network of international oversight partners in 2023, including lessons learned and shared. NSIRA’s integration into the global community of national security and intelligence oversight has advanced the agency’s development and enhanced its capacity to carry out its mandate.
Over the past five years, NSIRA has sought to demystify the often-opaque domain of national security and intelligence agencies and empower Canadians to participate in informed discussions about their security and rights. Recently, the agency codified its approach by formalizing its vision, mission, and values statements.
Looking ahead, NSIRA is committed to continuing its vital work reporting on whether national security or intelligence activities are respectful of the rights and freedoms of all Canadians and enhancing public awareness and understanding of the critical issues at stake in national security and intelligence.
This report presents findings and recommendations made in NSIRA’s annual review of disclosures of information under the Security of Canada Information Disclosure Act (SCIDA). It was tabled in Parliament by the Minister of Public Safety, as required under subsection 39(2) of the NSIRA Act, on November 1st, 2023.
The SCIDA provides an explicit, stand-alone authority to disclose information between Government of Canada institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.
This report provides an overview of the SCIDA’s use in 2022. In doing so, it:
documents the volume and nature of information disclosures made under the SCIDA;
assesses compliance with the SCIDA; and
highlights patterns in the SCIDA’s use across Government of Canada institutions and over time.
The report contains six recommendations designed to increase standardization across the Government of Canada in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.
Department of National Defence/Canadian Armed Forces
FINTRAC
Financial Transactions and Reports Analysis Centre of Canada
GAC
Global Affairs Canada
GC
Government of Canada
IRCC
Immigration, Refugees and Citizenship Canada
NSIRA
National Security and Intelligence Review Agency
PHAC
Public Health Agency of Canada
PS
Public Safety Canada
RCMP
Royal Canadian Mounted Police
SCIDA
Security of Canada Information Disclosure Act
TC
Transport Canada
Glossary of Terms
Contribution test
The first part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)).
Proportionality test
The second part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).
Executive summary
This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it documents the volume and nature of information disclosures made under the SCIDA; assesses compliance with the SCIDA; and highlights patterns in the SCIDA’s use across Government of Canada (GC) institutions and over time.
In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions. The National Security and Intelligence Review Agency (NSIRA) found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of these disclosures. Instances of non-compliance related to subsection 9(3), regarding the timeliness of records copied to NSIRA; subsection 5.1(1), regarding the timeliness of destruction or return of personal information; and subsection 5(2), regarding the provision of a statement on accuracy and reliability. The observed non-compliance did not point to any systemic failures in GC institutions’ implementation of the SCIDA.
NSIRA also made findings in relation to practices that, although compliant with the SCIDA, left room for improvement. These findings related to:
the use of information sharing arrangements;
the format of records prepared by institutions and copied to NSIRA, including the characteristics of effective records;
the nature of information provided under paragraph 9(1)(e) and relied upon in the conduct of assessments under subsection 5(1);
the provision of statements regarding accuracy and reliability prepared under subsection 5(2); and
the timeliness of administrative processes supporting information disclosure.
NSIRA made six recommendations designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.
Overall, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. These improvements include corrective actions taken by reviewees in response to NSIRA’s requests for information in support of this review.
1. Introduction
Authority
This review was conducted pursuant to paragraph 8(1)(b) and subsection 39(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).
Scope of the Review
This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it:
Documents the volume and nature of information disclosures made under the SCIDA;
Assesses Government of Canada (GC) institutions’ compliance with the SCIDA’s requirements for record keeping;
Assesses GC institutions’ compliance with the SCIDA’s requirements for disclosure, including the destruction or return of personal information, as appropriate; and
Highlights patterns in the SCIDA’s use across GC institutions and over time.
The review’s scope was defined by records provided to NSIRA under the SCIDA, subsection 9(3) (see Annex A for a copy of institutions’ section 9 obligations under the Act). As such, the review’s assessment of compliance was limited to the seven GC institutions identified within these records as either disclosers or recipients (Canada Border Services Agency [CBSA], Communications Security Establishment [CSE], Canadian Security Intelligence Service [CSIS], Department of National Defence/Canadian Armed Forces [DND/CAF], Global Affairs Canada [GAC], Immigration, Refugees and Citizenship Canada [IRCC], and the Royal Canadian Mounted Police [RCMP]); and to instances of information disclosure where the SCIDA was identified by these institutions as an authority for disclosure. The review also included Public Safety Canada (PS) in its capacity as manager of the Strategic Coordination Centre on Information Sharing, which provides SCIDA-related policy guidance and training across the GC.
The review satisfies the NSIRA Act’s section 39 requirement for NSIRA to report to the Minister of Public Safety on disclosures made under the SCIDA during the previous calendar year.
Methodology
The review’s primary source of information was records provided to NSIRA by disclosing and recipient institutions under the SCIDA, subsection 9(3). NSIRA also identified a targeted sample of disclosures for which it requested and assessed all associated documents provided by both the disclosing and recipient institution. This information was supplemented by a document review of institutions’ SCIDA policies and procedures, and related explanations.
NSIRA assessed administrative compliance with the SCIDA’s record-keeping obligations in relation to all disclosures identified in the records provided to NSIRA under subsection 9(3) (N=173). Where these records were incomplete, NSIRA provided an opportunity for institutions to supply the missing records. NSIRA accounted for such late submissions in its assessment of compliance with subsections 9(1) and 9(2).
NSIRA assessed substantive compliance with the SCIDA’s disclosure requirements in relation to the sample of disclosures (n=19). The sample was designed to reflect a non-representative cross-section of the SCIDA’s use, with particular attention to areas at higher risk of non-compliance. Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to defined parameters (see Annex B, Sample of Disclosures).
Review Statements
NSIRA found that, overall, its expectations for responsiveness by CSE, CSIS, DND/CAF, GAC, IRCC, PS, and RCMP during this review were met. Its expectations for responsiveness by CBSA were partially met, as CBSA required repeated follow-up to provide the requested information.
NSIRA was able to verify information for this review in a manner that met NSIRA’s expectations.
2. Backgrounder
The SCIDA provides an explicit, stand-alone authority to disclose information between GC institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.
Section 9 of the SCIDA prescribes record-keeping obligations for all institutions who (1) disclose or (2) receive information under the Act. Each paragraph under subsections 9(1) and 9(2) identifies particular elements that must be set out in the records prepared and kept by each institution (see Annex A). Subsection 9(3) requires that these records be provided to NSIRA within 30 days after the end of each calendar year.
Subsection 5(1) of the SCIDA authorizes GC institutions to disclose information – subject to any prohibitions or restrictions in other legislation or regulations – to designated recipient institutions, if the disclosing institution is satisfied that (a) the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (the “contribution test”); and (b) the information will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (the “proportionality test”).
Subsection 5(2) requires institutions that disclose information under subsection (1) to, at the time of the disclosure, also provide information regarding its accuracy and the reliability of the manner in which it was obtained.
When a GC institution receives information under the Act, subsection 5.1(1) requires that the institution destroy or return any unnecessary personal information as soon as feasible after receiving it.
The Act’s guiding principles underscore the importance of effectiveness and responsibility across disclosure activities. Of note, subsection 4(c) sets out that information sharing arrangements are appropriate in particular circumstances.
3. Findings, Analysis, and recommendations
Volume and Nature of Disclosures
In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions (see Table 1). 79% (n=136) of these disclosures were requested by the recipient institution. The other 21% of disclosures (n=37) were sent proactively by the disclosing institution.
Table 1: Number of SCIDA disclosures made in 2022, by disclosing and recipient institution [all disclosures (proactive disclosures)]
Designated Recipient Institutions
Disclosing Institution
CBSA
CFIA
CNSC
CRA
CSE
CSIS
DND/CAF
Finance
FINTRAC
GAC
Health
IRCC
PHAC
PSC
RCMP
TC
TOTAL (proactive)
CBSA
–
–
–
–
–
–
–
–
–
–
–
–
–
–
4
(3)
–
4
(3)
GAC
–
–
–
–
–
39
(18)
2
(2)
–
–
–
–
–
–
–
12
(12)
–
53
(32)
IRCC
–
–
–
–
59
(0)
56
(2)
–
–
–
–
–
–
–
–
–
–
115
(2)
RCMP
–
–
–
–
–
–
–
–
–
–
–
1
(0)
–
–
–
–
1
(0)
TOTAL (proactive)
–
–
–
–
59
(0)
95
(20)
2
(2)
–
–
–
–
1
(0)
–
–
16
(15)
–
173
(37)
The total number of disclosures made under the SCIDA since its implementation reflects a slight downward trend, with a generally constant proportion of requested versus proactive disclosures for the years in which this data was collected (see Figure 1).
Figure 1: Number of SCIDA disclosures over time
In 2022, these disclosures were made and received by institutions that had each disclosed or received information, as the case may be, in at least two prior review years (see Annex C, Overview of SCIDA Disclosures in Prior Years).
Finding 1:NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.
CSE, CSIS, GAC, and IRCC were the most frequent users of the SCIDA in 2022. The number of disclosures between these institutions was comparable to those observed by NSIRA in prior years (see Annex C), indicating the occurrence of regular exchange over time.
NSIRA also observed regular patterns in the purpose and nature of the information exchanged between these institutions in 2022, as described in Table 2. These information exchanges were not governed by up-to-date information sharing arrangements.
Table 2: Nature of disclosures between the SCIDA’s most frequent users
GAC-to-CSIS (N=39)
IRCC-to-CSIS (N=56)
IRCC-to-CSE (N=59)
GAC information holdings relevant to threats to the security of Canada
Often (85%) made in direct response, or as a follow-up, to CSIS requests
IRCC information holdings relevant to threats to the security of Canada
Almost always (96%) made in response to CSIS requests
IRCC confirmation of Canadian status of named individuals of interest, required to ensure lawfulness of CSE operational activities
All (100%) made in response to CSE requests
NSIRA has previously recommended that information sharing arrangements be updated (for GAC and CSIS) or created (for IRCC and CSE) to govern certain information exchanges made under the SCIDA.
Recommendation 1: NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.
Record Keeping
Copy to NSIRA: Subsection 9(3)
Finding 2: NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.
Requests for information from NSIRA during the course of this review prompted the late production of additional records relating to paragraphs under subsections 9(1) or 9(2) from each of CBSA, DND/CAF, and IRCC (see Table 3).
Table 3: Number [and associated subsection 9(1) or 9(2) paragraph] of late records leading to non-compliance with subsection 9(3), by cause
Administrative Error
Delayed Preparation of Records
CBSA
2 [paragraph 9(1)(e)]
–
DND/CAF
–
2 [paragraphs 9(2)(e-g)]
IRCC
6 [paragraph 9(1)(e)]
1 [paragraphs 9(2)(e-g)]
CBSA and IRCC were non-compliant with subsection 9(3) due to administrative error; the records they eventually supplied had existed at the time of the reporting deadline, but were not copied to NSIRA as required.
NSIRA expected that all records would be prepared within 30 days after the end of the calendar year, in order to meet the subsection 9(3) requirement to provide a copy of those records to NSIRA within that timeframe.
DND/CAF and IRCC were non-compliant with subsection 9(3) on account of delayed preparation of records; they did not prepare the records referred to in Table 3 within 30 days after the end of the calendar year, and therefore did not provide a copy of them to NSIRA within the legislated timeframe.
NSIRA underscores the importance of administrative precision and timeliness in preparing records and copying them to NSIRA.
Format of Records
Finding 3: NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:
a row for each disclosure made or received;
columns explicitly tied to each individual paragraph under section 9; and
additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.
The SCIDA does not specify a format for records prepared under section 9. Accordingly, in 2022, GC institutions fulfilled their record-keeping obligations in different ways.
Most institutions provided NSIRA with an overview of each disclosure made or received. These overviews were submitted to NSIRA as spreadsheets that generally captured the information required in records under subsections 9(1) and 9(2).
Most institutions also provided NSIRA with a copy of the disclosure itself and a selection of related documents. These documents often included email consultations with legal services, disclosure request letters, and other correspondence between disclosing and recipient institutions. The scope of requests for information in the course of the review was minimized in cases where institutions provided such documents.
DND/CAF and IRCC (for its one disclosure receipt) were the only institutions that originally provided NSIRA with a copy of the raw disclosure, including transmittal details, in the absence of a record overview or other related documents.
NSIRA observed that DND/CAF and IRCC’s choice in records format for these disclosures contributed to their non-compliance with subsection 9(3), described in Table 3. The information elicited under paragraphs 9(2)(e-g) cannot by definition be found within a copy of the disclosure itself, as it relates to action taken by recipient institutions following the disclosure’s receipt. A copy of the disclosure on its own is therefore insufficient to comply with all requirements under subsection 9(2).
Both DND/CAF and IRCC were infrequent recipients of disclosures under the SCIDA in 2022, accounting for only two and one disclosures, respectively. Each of the more frequent recipients of information (CSE, CSIS, and RCMP) included express columns in their record overview spreadsheets to capture whether and, if applicable, when personal information was destroyed or returned, per the requirements of paragraphs 9(2)(e-g).
NSIRA also observed that CBSA and IRCC’s choice in records format contributed to their non-compliance with subsection 9(3) due to administrative error. These institutions did not account for the full scope of information required under paragraph 9(1)(e) in their record overview spreadsheets.
The information relied upon to satisfy the disclosing institution that a disclosure is authorized under the Act is not required to be conveyed within the disclosure itself. Completing an appropriately-specified record overview spreadsheet is therefore an effective way to ensure that the corresponding information is documented and conveyed to NSIRA ahead of the legislated deadline.
The RCMP’s record overview spreadsheet was particularly effective in demonstrating compliance with the Act. The spreadsheet included columns that were explicitly tied to individual paragraphs under section 9, with additional fields limited to RCMP administrative information such as file and database reference numbers.
Spreadsheets designed in this way enable institutions’ efficient self-assessment against the requirements of the Act. They also facilitate the task of review by clearly matching the information provided with its corresponding requirement under the SCIDA, and by organizing disclosures and receipts of information in a manner that supports cross-verification.
Recommendation 2: NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
Preparing and Keeping Records: Subsections 9(1) and 9(2)
Finding 4: NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.
Finding 5: NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.
Although NSIRA expected an express statement describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA, in this review, NSIRA considered any records that demonstrated the corresponding assessment had been conducted.
IRCC n’a pas fait de déclaration expresse précisant que les communications demandées par le SCRS, qui représentent 57 % (n=54) de l’ensemble de ses communications, lui semblaient satisfaisantes du point de vue du critère de proportionnalité. En revanche, IRCC a fourni des copies des lettres de demande et de l’information communiquée en guise de réponse, ce qui confirme que la communication était manifestement conforme aux besoins précis de la demande (et donc témoigne d’une évaluation de la proportionnalité).
L’ASFC n’a pas fourni de déclaration expresse concernant sa satisfaction au regard du critère de proportionnalité pour 75 % (n=3) de ses communications. Elle a plutôt démontré qu’elle tenait compte du principe de proportionnalité en fournissant divers documents justificatifs, y compris de la correspondance interne.
La feuille de calcul utilisée par AMC pour donner une vue d’ensemble de ses documents a été particulièrement efficace pour répondre aux exigences de l’alinéa 9(1)e). L’analyse détaillée qu’elle a consignée en ce qui concerne les critères de contribution et de proportionnalité lui a permis de remplir ses obligations en matière de conservation des dossiers et de démontrer qu’elle respectait en substance le paragraphe 5(1).
Recommendation 3: NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
Disclosure of Information
Contribution and Proportionality Tests: Paragraphs 5(1)(a) and 5(1)(b)
Finding 6: NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.
Finding 7: NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.
The threshold for compliance with subsection 5(1) is that the disclosing institution has satisfied itself of the contribution and proportionality tests, and that it has done so prior to having made the disclosure.
In relation to the two disclosures that it made proactively to DND/CAF, GAC provided a rationale for the information’s contribution to DND/CAF’s mandate in respect of national security. Upon receipt of the information, however, DND/CAF did not agree with GAC’s assessment and therefore assessed that the SCIDA was not an appropriate disclosure mechanism in the circumstances.
Informal communication between the two institutions may have allowed DND/CAF and GAC to resolve this issue prior to the disclosure. When such communications occur, it is important that they be limited to the information necessary to confirm that the information contributes to the recipient’s mandate in respect of activities that undermine the security of Canada.
Recommendation 4: NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).
Statement Regarding Accuracy and Reliability: Subsection 5(2)
Finding 8: NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.
Finding 9: NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.
Providing the statement on accuracy and reliability in a cover letter for the disclosure satisfies the Act’s requirement to provide the statement at the time of disclosure. However, separating the statement from the information disclosed increases the risk that the information may be subsequently used without awareness of relevant qualifiers. The location of the statement on accuracy and reliability – and not just its contemporaneous provision to the recipient – is therefore relevant to its value added.
Recommendation 5: NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
Requirement to Destroy or Return Personal Information: Subsection 5.1(1)
Finding 10: NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”
DND/CAF determined, upon receipt of the two disclosures it received from GAC, that the personal information contained within the disclosures should not be retained. The information, however, was not destroyed until April 2023 – 12 days following a request for information from NSIRA to provide a copy of records that set out whether and when the information had been destroyed or returned. The date of destruction was 299 and 336 days following DND/CAF’s receipt of each disclosure.
Taking into consideration the elapsed time between receipt of the information and its destruction, as well as DND/CAF’s timely conclusion that the information should not be retained, DND/CAF’s ultimate destruction of the information was non-compliant with the requirement to destroy the information “as soon as feasible after receiving it.” Its delay in this respect was also inconsistent with the responsible use and management of the information.
DND/CAF was the only institution to identify any disclosures as containing information that was destroyed or returned under subsection 5.1(1) in 2022. NSIRA did not identify any other disclosures within the sample for which personal information disclosed should have been destroyed or returned.
Purpose and Principles: Effective and responsible disclosure of information
Finding 11: NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.
These 34 disclosures include 29 for which there was a delay between the dates provided by disclosing and recipient institutions in their section 9 records, as well as an additional five for which CSIS reported both the date of administrative receipt within the institution and the subsequent date of receipt by the person designated by the head to receive it (i.e., the relevant operational unit).
NSIRA attributes most of these delays to expected dynamics in classified information sharing: the individual authorizing the disclosure is not always the same individual who administratively sends it to the recipient, and the person who administratively receives the disclosure is not always the same person who is designated by the head to receive it.
In the majority of cases, the observed delays were shorter than one week. In nine cases, however, the delay ranged from 30 to 233 days.
Such delays mean that information is not processed and actioned within the recipient institution until long after it was sent – or intended to be sent – by the individual authorizing the disclosure. While these delays do not amount to non-compliance with the SCIDA, they are inconsistent with the Act’s purpose and guiding principles.
Recommendation 6: NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.
4. Conclusion
The SCIDA’s requirements for disclosure and record keeping apply to both disclosing and recipient institutions in all cases where the SCIDA is invoked as a mechanism for disclosure. This review assessed GC institutions’ compliance with requirements for record keeping in respect of all 173 disclosures that were made and received in 2022. It assessed their compliance with requirements for disclosure in relation to a targeted sample of 19 disclosures.
NSIRA found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of disclosures. GC institutions’ non-compliance with subsection 9(3) was driven by irregularities in the reporting of 11 disclosures. Observed non-compliance with substantive requirements under subsection 5(2) related to three disclosures; and non-compliance with subsection 5.1(1) related to two disclosures. These instances of non-compliance do not point to any systemic failures in GC institutions’ implementation of the SCIDA.
Within this context, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. Of note, NSIRA’s requests for information in support of this review prompted corrective action by CBSA, DND/CAF, and IRCC that would have otherwise amounted to non-compliance with requirements under section 9.
NSIRA also observed several practices that, although compliant with the SCIDA, leave room for improvement. NSIRA’s recommendations in this review are designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.
Annex A. Record Keeping Obligations for Disclosing and Recipient Institutions
Obligation – disclosing institution
Obligation — recipient institution
9 (1) Every Government of Canada institution that discloses information under this Act must prepare and keep records that set out
(2) Every Government of Canada institution that receives information under this Act must prepare and keep records that set out
(a) a description of the information;
(a) a description of the information;
(b) the name of the individual who authorized its disclosure;
(b) the name of the institution that disclosed it;
(c) the name of the recipient Government of Canada institution;
(c) the name or position of the head of the recipient institution — or of the person designated by the head — who received the information;
(d) the date on which it was disclosed;
(d) the date on which it was received by the recipient institution;
(e) a description of the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under this Act; and
(e) whether the information has been destroyed or returned under subsection 5.1(1);
(f) if the information has been destroyed under subsection 5.1(1), the date on which it was destroyed;
(g) if the information was returned under subsection 5.1(1) to the institution that disclosed it, the date on which it was returned; and
(f) any other information specified by the regulations.
(h) any other information specified by the regulations.
Copy to National Security and Intelligence Review Agency
Within 30 days after the end of each calendar year, every Government of Canada institution that disclosed information under section 5 during the year and every Government of Canada institution that received such information must provide the National Security and Intelligence Review Agency with a copy of every record it prepared under subsection (1) or (2), as the case may be, with respect to the information.
Annex B. Sample of Disclosures
Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to the following parameters:
At least two disclosures per discloser-recipient pair, if available;
At least one proactive disclosure per discloser, if available;
At least one requested disclosure per recipient, if available;
All disclosures identified by recipient institutions as including personal information that was destroyed or returned under the SCIDA, subsection 5.1(1);
All disclosures for which there is a high-level discrepancy in the discloser and recipient records (i.e., a record of receipt, but no record of disclosure; a substantive misalignment in the description of the information; greater than seven days’ discrepancy in the date sent and received; date of receipt earlier than the date of sending);
All disclosures made by an institution that is not listed in Schedule 3 of the SCIDA; and
All disclosures received by institutions added to Schedule 3 in the preceding year.
Annex C. Overview of SCIDA Disclosures in Prior Years
Drawing on information published in previous NSIRA reports, Table 5 summarizes the number and distribution of disclosures made under the SCIDA in prior years.
Table 5: Number of SCIDA disclosures, by disclosing and recipient institution, 2019-2021
Designated Recipient Institutions
Disclosing Institution
CBSA
CFIA
CNSC
CRA
CSE
CSIS
DND/CAF
Finance
FINTRAC
GAC
Health
IRCC
PHAC
PSC
RCMP
TC
TOTAL (proactive)
2021
DND/CAF
–
–
–
–
–
2
–
–
–
–
–
–
–
–
–
–
2
GAC
–
–
–
–
–
41
–
–
–
–
–
1
–
–
2
–
44
IRCC
–
–
–
–
68
79
–
–
–
2
–
–
–
–
–
–
149
TOTAL
–
–
–
–
68
122
–
–
–
2
–
1
–
–
2
–
195
2020
CBSA
–
–
–
–
–
1
–
–
–
–
–
–
–
–
3
–
4
GAC
–
–
–
–
1
25
–
–
–
–
–
1
–
–
13
–
40
IRCC
–
–
–
–
60
61
–
–
–
–
–
–
–
–
37
1
159
RCMP
–
–
–
–
–
–
1
–
–
3
–
5
–
–
–
–
9
TC
–
–
–
–
–
–
–
–
–
–
–
–
–
–
2
–
2
Other
–
–
–
–
–
1
–
–
–
–
–
–
–
–
–
–
1
TOTAL
–
–
–
–
61
88
1
–
–
3
–
6
–
–
55
1
215
2019
CBSA
–
–
–
–
–
1
–
–
–
–
–
–
–
–
2
–
3
GAC
–
–
–
–
–
23
–
–
–
–
–
3
–
1
15
–
42
IRCC
–
–
–
–
5
17
1
–
–
–
–
–
–
–
36
–
59
RCMP
–
–
–
4
–
–
–
–
1
3
–
1
–
–
–
–
9
TC
–
–
–
–
–
–
–
–
–
–
–
–
–
–
1
–
1
TOTAL
–
–
–
4
5
41
1
–
1
3
–
4
–
1
54
–
114
Annex D. Findings and Recommendations
Findings
NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.
NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.
NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:
a row for each disclosure made or received;
columns explicitly tied to each individual paragraph under section 9; and
additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.
NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.
NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.
NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.
NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.
NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.
NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.
NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”
NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.
Recommendations
NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.
NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).
NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.
Ottawa, Ontario, October 30, 2023 – The National Security and Intelligence Review Agency’s (NSIRA) fourth annual report was tabled in Parliament on October 30, 2023.
This report provides an overview and discussion of NSIRA’s activities throughout 2022, including our findings and recommendations. Our growth and evolution as an agency, including our continued efforts to refine our approaches and processes, both in our reviews and investigations, allowed us to take on new and challenging work. The report also assesses our review work to date, highlighting important themes and trends that have emerged.
Our report summarizes review and investigations work during the 2022 period and highlights our continued effort to enhance transparency by evaluating important aspects of our engagement with reviewed departments and agencies. Review highlights in the report include the following:
The annual review of the Canadian Security Intelligence Service’s (CSIS) threat reduction measures (TRMs), and the annual review of CSIS’s activities to inform our report to the Minister of Public Safety;
Reviews of the Communications Security Establishment’s (CSE) active and defensive cyber operations, a foreign intelligence collection program, as well as the annual review of CSE activities to inform our report to the Minister of National Defence;
A review submitted to the Minister of National Defence under s. 35 of the NSIRA Act on particular human source handling activities undertaken by the Canadian Armed Forces that may not have been in compliance with the law;
A review of the Canada Border Services Agency’s Air Passenger Targeting program; and
Our mandated multi-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and sharing of information within the federal government under the Security of Canada Information Disclosure Act.
During 2022, NSIRA continued modernizing its complaints investigations process, which helped us improve the consistency and efficiency of our work. While the pandemic continued to impact the investigative landscape, processes introduced will reduce delays moving forward. In addition to its other investigations work, NSIRA completed its investigation in relation to a group of 58 complaints referred by the Canadian Human Rights Commission.
This annual report also highlights how the organization pursued greater engagement with partners, seeking and sharing best practices with like-minded review and oversight bodies. In addition, it discusses our organization’s corporate initiatives, including efforts to increase our capacity across our business lines, including technology and information management.
NSIRA’s Members continue to be proud of the work of NSIRA’s Secretariat and the dedication and professionalism of its staff.
On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our third annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2021, as well as our findings and recommendations.
In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with relevant deputy heads, in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitor-client privilege, the professional secrecy of advocates and notaries, or to litigation privilege.
Yours sincerely,
The Honourable Marie Deschamps, C.C.
Chair // National Security and Intelligence Review Agency
Message from the members
As we reflect on this past year’s work, the National Security and Intelligence Review Agency (NSIRA) is proud of what it has accomplished. We pushed past the challenges of the pandemic and pursued our mission with renewed energy and innovation, understanding that we can adapt and even thrive in this new environment. In 2022, our agency focused on building out and refining its processes as we empowered our review and complaints professionals in their work. These efforts enhanced our ability to meet the challenges of our review and investigations mandates, and thereby improve the transparency and accountability of the national security and intelligence activities across the federal government.
In addition to completing a wide array of reviews and investigations, we have stepped back to reflect on our work and activities over the first few years of our mandate. Despite being a relatively new agency, we are now in the position to make broader observations on the themes and trends in our work, and on the community we review. Indeed, as our experience grows, our approaches in our reviews and investigations mature and evolve. We meet our goals of increased efficiency and expertise through a commitment to address the challenges we face, and by seeking out best practices through expanded partnerships with like-minded domestic and international institutions.
During NSIRA’s brief history, ministers of the Crown have referred certain matters to us for review, as provided for in the National Security and Intelligence Review Agency Act. At the time of writing, we are in the process of such a referral. As this important review progresses, we will ensure that our commitment to independent and professional review is reflected in all our activities.
This report continues themes from previous annual reports by presenting an overview of our work, a discussion on our engagement with reviewees, and an account of the initiatives we undertook to ensure that our products are complete, thorough and professional. It is our belief that as we grow, we bring confidence to the Canadian public with each review and investigation we conduct.
We would like to thank our previous members, Ian Holloway and Faisal Mirza, for their commitment and contribution to advancing the important work of NSIRA during their tenure, and we wish them well in their future endeavours. Finally, we thank the staff of NSIRA’s Secretariat for their professionalism and dedication to fulfilling the agency’s mandate, and we have no doubt that the year ahead will bring further success for NSIRA
Marie Deschamps Craig Forcese Ian Holloway Faisal Mirza Marie-Lucie Morin
Executive Summary
In 2022, the National Security and Intelligence Review Agency (NSIRA) continued to execute its review and investigations mandates with the goal of improving national security and intelligence accountability and transparency in Canada. This related not only to the activities of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also to other federal departments and agencies engaged in such activities, including:
the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
the Canada Border Services Agency (CBSA); and
all departments and agencies engaging in national security or intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.
NSIRA has reflected on its work to date and found that a horizontal view of all its findings and recommendations over the past three years reveals the emergence of three major themes: governance; propriety; and information management and sharing. NSIRA observes that there is an interconnected and overlapping aspect to these issues, and as a result believes that improvements to governance could result in broader improvements across all themes.
Reviews
Canadian Security Intelligence Service
The following are highlights of the reviews completed in 2022 along with key outcomes. The number of reviews defined as completed does not include any ongoing reviews, or reviews completed in previous years but that went through or are in the process of going through consultations for their release to the public. Annex C lists all the findings and recommendations associated with reviews completed in 2022, along with the corresponding responses from reviewees, if provided.
In addition to the reviews discussed below, NSIRA determined that a number of ongoing reviews would be closed or terminated. These decisions, based on a variety of considerations, allow NSIRA to redirect its efforts and resources towards other important issues.
Canadian Security Intelligence Service
In 2022, NSIRA completed the following reviews on CSIS activities:
the third annual review of CSIS’s threat reduction measures, which provided an overview of all such measures conducted in 2021, and also focused on a subset of these measures to consider the implementation of each measure, how what happened aligned with what was originally proposed, and, relatedly, the role of legal risk; and
an annual review of CSIS’s activities, which informed, in part, NSIRA’s 2022 annual report to the Minister of Public Safety.
Communications Security Establishment
In 2022, NSIRA completed two dedicated reviews of CSE, and commenced an annual review of CSE activities:
a review of CSE’s active and defensive cyber operations (ACO/DCO), which is a continuation of NSIRA’s 2021 review of the governance of ACO/DCO by CSE and Global Affairs Canada;
a review of a sensitive CSE foreign intelligence collection program, which assistedNSIRA in better informing the Minister of National Defence about CSE’s activities; and
an annual review of CSE activities similar to that for CSIS, begun for the first time in 2022 and that informed, in part, NSIRA’s 2022 annual report to the Minister of National Defence.
Department of National Defence and the Canadian Armed Forces
In the course of a review of the Department of National Defence and Canadian Armed Forces (DND/CAF) human source handling activities, NSIRA issued to the Minister of National Defence a report on December 9, 2022, under section 35 of the National Security and Intelligence Review Agency Act in relation to a specific operation. Section 35 requires that NSIRA submit to the appropriate Minister a report with respect to any activity that is related to national security or intelligence that, in NSIRA’s opinion, may not be in compliance with the law. NSIRA will complete the broader review of DND/CAF’s human source handling activities in 2023.
Canada Border Services Agency
NSIRA completed its first in-depth review of national security or intelligence activities of the Canada Border Services Agency (CBSA) in 2022: a review of air passenger targeting. This review examined the CBSA’s pre-arrival risk assessment of passengers based on data collected by commercial air carriers. It evaluated whether the CBSA’s activities complied with legislative requirements and Canada’s non-discrimination obligations.
Multi-departmental reviews
NSIRA conducted two mandated multi-departmental reviews in 2022:
a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
a review of disclosures of information under the Security of Canada Information Disclosure Act.
Review work not resulting in a final report
During the past year NSIRA determined that certain ongoing review work would be closed or not result in a final report to a Minister. These decisions allow NSIRA to remain nimble and to pivot its work plan. Multiple considerations can lead to the decision to close a review, and doing so allows NSIRA to redirect efforts and resources.
Technology in review
In 2022, NSIRA expanded its Technology Directorate to keep pace with the national security and intelligence community’s evolving use of digital technologies. The team comprises technical experts and review professionals, who are supported by academic researchers. This expanded team launched NSIRA’s first technology-led review, focusing on the lifecycle of warranted CSIS information. In addition to directly supporting NSIRA’s reviews, the Technology Directorate also began hosting learning sessions and discussion forums designed to enhance NSIRA employees’ knowledge of broader technical issues.
Engagement with reviewees
NSIRA continues to address and improve on aspects of its interaction with reviewees during the review process. It saw both improvements and ongoing challenges, and seeks to provide full and transparent assessments in this regard. Updated criteria will be used to evaluate engagement. These criteria are critical for supporting NSIRA’s efforts during a review. This approach builds on the agency’s previous confidence statements and provides a more consistent and complete assessment on engagement.
NSIRA continues to optimize its methods for accessing, receiving and tracking the information required to complete reviews. This involves ongoing discussions and support from reviewees. Limitations and challenges to this process are addressed directly and are communicated publicly where possible.
Complaints investigations
As NSIRA marked its third year of existence in 2022 it continued maturing and modernizing the processes for fulfilling its investigations mandate. The jurisdiction assessment phase was standardized, incorporating a verification protocol for the three agencies for which NSIRA has complaints jurisdiction. To speed up the investigative process, investigative interviews are being used more often, taking over from the formal hearings NSIRA previously relied on.
The pandemic continued to impact the investigative landscape in the first half of 2022. COVID protocols conflicted with security protocols for investigations, which require in-person meetings. Processes introduced in 2022 are expected to reduce delays in the conduct of investigations on a forward basis.
The number of investigation activities last year remained high and included the completion of a referral of a group of 58 complaints by the Canadian Human Rights Commission.
Data management and service standards initiatives that were launched are expected to enhance complaint file management in the coming year.
Partnerships
During the past year, NSIRA expanded its engagement with valuable partners, both domestically and internationally, and has already reaped the benefits through the exchange of best practices. As a relatively new agency, NSIRA sees such relationships as a priority for its institutional development. NSIRA had the privilege of visiting many international partners as an active participant in the Five Eyes Intelligence Oversight and Review Council, and also engaged other European partners through various forums that bring together like-minded oversight, review and data protection agencies from all over the world.
Introduction
1.1 Who we are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament. Canadian review bodies before NSIRA did not have the ability to collaborate or share their classified information but were each limited to conducting reviews on a specified department or agency. By contrast, NSIRA has the authority to conduct an integrated review of Government of Canada national security and intelligence activities, and Canada now has one of the world’s most extensive systems for independent review of national security.
1.2 Mandate
NSIRA has a dual mandate to conduct reviews on and carry out investigations of complaints related to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the activities of any other federal department or agency that are related to national security or intelligence. Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA.
Investigations
In addition to its review mandate, NSIRA is responsible for investigating complaints related to national security or intelligence. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:
the activities of CSIS or CSE;
decisions to deny or revoke certain federal government security clearances; and
ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.
This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism) and the Canadian Human Rights Commission.
Observations and themes
NSIRA has a horizontal, in-depth view of the Canadian national security landscape that allows for an assessment of Canada’s complex, interwoven approach to national security. NSIRA annual reports discuss its activities within that framework. This annual report provides an opportunity to reflect on NSIRA’s body of work horizontally, and consider what broad trends or themes emerge.
NSIRA findings and recommendations touch on many aspects of government activities and operations. Grouping all findings and recommendations according to topics that fall under three broad themes helps simplify a horizontal assessment of trends to date. This categorization and the terminology used may evolve over time.
The themes that emerge are governance; propriety; and information management and sharing. These themes appear year after year in NSIRA annual reports. The following topics are included in these themes:
Theme
Topics
Governance
Policies, procedures, framework and other authorities
Internal oversight
Risk management, assessment and practices
Decision-making and accountability, including ministerial accountability and direction
Training, tools and staffing resources
Propriety
Reasonableness, necessity, efficacy and proportionality
Legal thresholds and advice, compliance and privacy interests
Information management and sharing
Collection, documentation, tracking, implementing, reporting, monitoring and safeguarding
Information sharing and disclosure
Keeping and providing accurate and up-to-date information, timeliness
These themes can be found in every NSIRA annual report, and this year’s is no exception. In this year’s annual report, the following examples illustrate the three themes:
Governance:
the review of disclosures under the Security of Canada Information Disclosure Act for 2021 identified that employees did not receive adequate guidance to fulfill their obligations, and recommended improvements to training;
the review of a CSE foreign intelligence activity identified several instances where the program’s activities were not adequately captured within CSE’s applications for certain ministerial authorizations, resulting in recommendations that CSE more effectively inform the Minister of National Defence about aspects of its bilateral relationships with certain partners, the extent of its participation in certain types of activities, and the testing and evaluation of products.
Propriety:
in a report issued to the Minister of National Defence under s.35 of the NSIRA Act, NSIRA explained that, in its opinion, certain activities undertaken by the Canadian Armed Forces may not have been in compliance with the law;
the review of the threat reduction measures of the Canadian Security Intelligence Service found that this agency did not meet its internal policy requirements regarding the timelines to submit threat reduction measure implementation reports.
Information management and sharing:
the Canada Border Services Agency air passenger targeting review noted that this agency does not document its triaging practices that use passenger data in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.
A high-level overview of the past three annual reports shows the number of NSIRA findings and recommendations each year, broken down by theme. Over the three years, governance related findings and recommendations constituted 43% of the overall total. The comparable figures for propriety and information management (IM) and sharing categories were 26% and 31% respectively. The breakdown by year is captured in the following table:
Figure 1: Trends in findings and recommendations
Text version of Figure 1
Trends in findings and recommendations
2020 annual report
2021 annual report
2022 annual report
Governance
45%
41%
44%
Propriety
26%
27%
24%
Information Management and Sharing
29%
32%
32%
The interconnected nature of the problems identified in NSIRA reviews, along with the balance of themes illustrated in the graphic above, reveals a narrative. Indeed, issues rarely stand-alone – governance and IM and sharing issues may, for example, culminate in propriety challenges. The number of findings and recommendations over three years that touch on governance, propriety and IM and sharing matters suggest that these are issues deserving close attention. Employees are expected to succeed in meeting intelligence and national security service missions while adhering to policy and legal requirements. Here, improvements to staff training and development are likely to have the most significant impacts.
Review
Details provided on individual reviews are a high-level summary of their content and outcomes. Full versions of each review are available once they have been redacted for public release.
3.1 Canadian Security Intelligence Service reviews
Overview
NSIRA has a mandate to review any Canadian Security Intelligence Service (CSIS) activity. The NSIRA Act requires NSIRA to submit an annual report on CSIS activities each year to the Minister of Public Safety and Emergency Preparedness (with these responsibilities now divided into two portfolios, NSIRA currently submits these reports to the Minister of Public Safety). These classified reports include information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.
In 2022, NSIRA completed one dedicated review of CSIS, and its annual review of CSIS activities, both summarized below. Furthermore, CSIS is implicated in other NSIRA multi- departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, the results of which are described in Multi-departmental reviews.
Threat reduction measures review
This is NSIRA’s third annual review of CSIS threat reduction measures (TRMs), which are measures to reduce threats to the security of Canada, within or outside Canada. Section 12.1 of the Canadian Security Intelligence Service Act (CSIS Act) authorizes CSIS to take these measures.
NSIRA found that CSIS’s activities under its TRM mandate in 2021 were broadly consistent with these activities in preceding years. NSIRA observed that 2018 was an inflection point for CSIS’s use of the TRM mandate. In that year, CSIS proposed nearly as many TRMs as were proposed in total in the preceding three years — the first three of the mandate. In the following year, however, the number dropped slightly, before a more significant reduction in 2020. The number of proposed TRMs in 2021 went up slightly compared with the previous year, as did both approvals and implementations.
NSIRA selected three TRMs implemented in 2021 for a more intensive review, assessing the measures for compliance with applicable law, ministerial direction and policy. At the same time, NSIRA considered the implementation of each measure, including the alignment between what was proposed and what occurred, and the role of legal risk assessments for guiding CSIS activity, as well as the documentation of outcomes.
For all the measures reviewed, NSIRA found that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act. In addition to general legal compliance, NSIRA found that CSIS sufficiently established a “rational link” between the proposed measure and the identified threat.
In one case, NSIRA found that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
The TRM in question involved certain sensitive factors. NSIRA believes that the presence of these factors ought to have factored into the overall risk assessment of the measure. CSIS argued that risks associated with these factors relate primarily to reputational risk to CSIS, which it assessed in this case. Certain risks related to the sensitive factors, however, are not, and in this instance were not, captured by CSIS’s reputational risk assessment.
Similarly, the legal risk assessment for this TRM did not comply with ministerial direction. NSIRA recommended that legal risk assessments be conducted for TRMs involving these sensitive factors, and further, that CSIS consider and evaluate whether the current process for legal risk assessments complies with applicable ministerial direction.
A comparative analysis of the two legal risk assessments provided for the other TRMs under review underscored the practical utility of clear and specific legal direction for CSIS personnel. Clear direction allows investigators to be aware of, and understand, the legal parameters within which CSIS personnel can operate; it also permits reporting after an action is completed to document how implementation stayed within those legal parameters.
With respect to documenting outcomes, NSIRA further noted issues with how quickly CSIS produces certain reports after a TRM is implemented. Although NSIRA recognizes that overly burdensome documentation requirements can unduly inhibit CSIS activities, NSIRA nonetheless believes that the recommendations provided are prudent and reasonable. Relevant information, available in a timely manner, benefits CSIS operations.
Annual review of Canadian Security Intelligence Service activities
In 2022, NSIRA completed its annual review of CSIS activities, which aims to identify compliance-related challenges, general trends and emerging issues using CSIS documents in 12 categories (legislatively required and supplementary) from January 1, 2022, to December 31, 2022. Besides contributing to NSIRA’s Annual Report to the Minister of Public Safety on CSIS activities, the review may identify areas that merit new NSIRA reviews and may produce a briefing or report with its own observations, findings and recommendations. NSIRA provided its report on CSIS activities in 2021 to the Minister of Public Safety on October 12, 2022, and the Chair subsequently met with the Minister to discuss its contents as well as ongoing issues and challenges related to NSIRA review of CSIS.
Statistics and data
To achieve greater public accountability, NSIRA has requested that CSIS publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.
Warrant applications
Section 21 of the CSIS Act authorizes CSIS to make an application to a judge for a warrant if it believes, on reasonable grounds, that more intrusive powers are required to investigate a particular threat to the security of Canada. Warrants may be used by CSIS, for example, to intercept communications, enter a location, or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.
Table 1: Section 21 warrant applications made by the Canadian Security Intelligence Service, 2018 to 2022
2018
2019
2020
2021
2022
Total section 21 applications
24
24
15
31
28
Total approved warrants
24
23
15
31
28
New warrants
10
9
2
13
6
Replacements
11
12
8
14
14
Supplemental
3
2
5
4
8
Total denied warrants
0
1
0
0
0
Threat reduction measures
CSIS is authorized to seek a judicial warrant for a TRM if it believes that certain intrusive measures, outlined in section 21 (1.1) of the CSIS Act, are required to reduce the threat. The CSIS Act is clear that when a proposed TRM would limit a right or freedom protected by the Canadian Charter of Rights and Freedoms or would otherwise be contrary to Canadian law, a judicial warrant authorizing the measure is required. To date, CSIS has sought no judicial authorizations to undertake warranted TRMs. TRMs approved in one year may be executed in future years. Operational reasons may also prevent an approved TRM from being executed.
Table 2: Total number of approved and executed threat reduction measures, 2015 to 2022
2015
2016
2017
2018
2019
2020
2021
2022
Approved threat reduction measures
10
8
15
23
24
11
23
16
Executed
10
8
13
17
19
8
17
12
Warranted threat reduction measures
0
0
0
0
0
0
0
0
Canadian Security Intelligence Service targets
CSIS is mandated to investigate threats to the security of Canada, including espionage, foreign influenced activities, political, religious or ideologically motivated violence, and subversion.6 Section 12 of the CSIS Act sets out criteria permitting CSIS to investigate an individual, group or entity for matters related to these threats. Subjects of a CSIS investigation, whether they be individuals or groups, are called “targets.”
Table 3: Number of Canadian Security Intelligence Service targets, 2018 to 2022
2018
2019
2020
2021
2022
Number of targets
430
467
360
352
340
Datasets
Data analytics is a key investigative tool for CSIS, providing it with the capacity to make connections and identify trends that are not possible through traditional methods of investigation. The National Security Act, 2017, which came into force in 2019, gave CSIS new powers, including a legal framework for it to collect, retain and use datasets. The framework authorizes CSIS to collect datasets (divided into Canadian, foreign and publicly available datasets) that have the ability to assist CSIS in the performance of its duties and functions. It also establishes safeguards for the protection of Canadian rights and freedoms, including privacy rights. These protections include enhanced requirements for ministerial accountability. Depending on the type of dataset, CSIS must meet different requirements before it is able to use a dataset.
The CSIS Act also requires that NSIRA be kept apprised of certain dataset-related activities. Reports prepared following the handling of datasets are to be provided to NSIRA, under certain conditions and within reasonable timeframes. While CSIS is not required to advise NSIRA of judicial authorizations or ministerial approvals for the collection of Canadian and foreign datasets, CSIS has been proactively keeping NSIRA apprised of these activities.
Table 4: Evaluation and retention of publicly available, Canadian and foreign datasets by the Canadian Security Intelligence Service, 2019 to 2022
2019
2020
2021
2022
Publicly available datasets
Evaluated
9
6
4
4
Retained
9
6
2
4
Canadian datasets
Evaluated
0
0
2
0
Retained (approved by Federal Court)
0
0
0
2
Denied by Federal Court
0
0
0
0
Foreign datasets
Evaluated
10
0
0
1
Retained (approved by the Minister and Intelligence Commissioner
0
1
1
1
Denied by the Minister
0
0
0
0
Denied by the Intelligence Commissioner
0
0
0
0
Justification Framework
The National Security Act, 2017, also created a legal justification framework for CSIS’s intelligence collection operations. The framework establishes a limited justification for CSIS employees, and persons acting at their direction, to carry out activities that would otherwise constitute offences under Canadian law. CSIS’s Justification Framework is modelled on those already in place for Canadian law enforcement. The Justification Framework provides needed clarity to CSIS, and to Canadians, as to what CSIS may lawfully do in the course of its activities. It recognizes that it is in the public interest to ensure that CSIS employees can effectively carry out its intelligence collection duties and functions, including by engaging in otherwise unlawful acts or omissions, in the public interest and in accordance with the rule of law. The types of otherwise unlawful acts and omissions that are authorized by the Justification Framework are determined by the Minister and approved by the Intelligence Commissioner. There remain limitations to what activities can be undertaken, and nothing in the Justification Framework permits the commission of an act or omission that would infringe a right or freedom guaranteed by the Charter.
According to section 20.1 (2) of the CSIS Act, employees must be designated by the Minister of Public Safety and Emergency Preparedness to be covered under the Justification Framework while committing or directing an otherwise unlawful act or omission. Designated employees are CSIS employees who require the justification framework as part of their duties and functions. Designated employees are justified in committing an act or omission themselves (commissions by employees) and they may direct another person to commit an act or omission (directions to commit) as a part of their duties and functions.
Table 5: Authorizations, commissions and directions under the Justification Framework, 2019 to 2022
2019
2020
2021
2022
Authorizations
83
147
178
172
Commissions by employees
17
39
51
61
Directions to commit
32
84
116
131
Emergency designations
0
0
0
0
Compliance
CSIS’s internal operational compliance program unit leads and manages overall compliance within CSIS. The objective of this unit is to promote a culture of compliance within CSIS by leading an approach for reporting and assessing potential non-compliance incidents to provide timely advice and guidance related to internal policies and procedures for employees. This program is the centre for processing all instances of potential non-compliance related to operational activities.
NSIRA notes that CSIS reports Charter violations as operational non-compliance. NSIRA will continue to monitor closely instances of non-compliance that relate to Canadian law and the Charter, and work with CSIS to improve transparency around these activities.
Table 6: Total number of non-compliance incidents processed by CSIS, 2019 to 2022
2019
2020
2021
2022
Processed compliance incidents
53
99
85
59
Administrative
53
64
42
Operational
40
19
21
17
Canadian law
–
–
1
2
Charter
–
–
6
5
Warrant conditions
–
–
6
3
CSIS governance
–
–
8
15
3.2 Communications Security Establishment reviews
Overview
NSIRA has the mandate to review any activity conducted by the Communications Security Establishment (CSE). NSIRA must also submit an annual report to the Minister of National Defence on CSE activities, including information related to CSE’s compliance with the law and applicable ministerial directions, and NSIRA’s assessment of the reasonableness and necessity of the exercise of CSE’s powers.
In 2022, NSIRA completed two dedicated reviews of CSE and commenced an annual review of CSE activities, all summarized below. Furthermore, CSE is implicated in other NSIRA multi- departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, the results of which are described in Multi-departmental reviews.
Review of the Communications Security Establishment’s active and defensive cyber operations
The Communications Security Establishment Act (CSE Act) grants CSE the authority to conduct active cyber operations and defensive cyber operations (ACOs and DCOs). CSE ACOs and DCOs have become a tool of Government of Canada foreign and security policy. In 2021, NSIRA reviewed CSE’s governance of and the general planning and approval process for ACO and DCO activities. The governance review made several observations about the governance of ACOs and DCOs by CSE — and to a lesser extent, by Global Affairs Canada (GAC). Some of these observations identified gaps that resulted in recommendations. Building on the governance review, the report focused on CSE’s ACOs and DCOs themselves:
the operations;
the implementation of CSE’s governance; and
the legal framework in the context of specific ACOs and DCOs.
NSIRA incorporated GAC, CSIS, the Royal Canadian Mounted Police (RCMP) and DND/CAF into this review, given these organizations’ varying degrees of coordination or involvement in these CSE activities. NSIRA also inspected some technical elements of a case study ACO to verify aspects of the operation independently, as well as to deepen NSIRA’s understanding of how an ACO works. While NSIRA reviewed all ACOs and DCOs planned or conducted by CSE until mid-2021, this review focused on a sample of such ACOs or DCOs, each presenting unique characteristics.
Overall, NSIRA found that ACOs and DCOs that CSE planned or conducted during the period of review were lawful and noted improvements in GAC’s assessments for foreign policy risk and international law. NSIRA further observed that CSE developed and improved its processes for the planning and conduct of ACOs and DCOs in a way that reflected some of NSIRA’s observations from the governance review.
NSIRA also made findings pertaining to how CSE could improve aspects of ACO and DCO planning, as well as communication to the Minister of National Defence and coordination with other Government of Canada entities. More specifically, NSIRA identified areas of potential risk:
GAC’s capability to independently assess potential risks resulting from CSE ACOs and DCOs;
the accuracy of information provided, and issues related to delegation, within some of the applications for authorizations for ACOs and DCOs;
the degree to which CSE engaged with CSIS and the RCMP on ACOs and DCOs, and CSE explanations of how it determined whether the objective of an ACO or DCO could not reasonably be achieved by other means;
the extent to which CSE described the intelligence collection that may occur alongside or as a result of ACOs or DCOs in applications for ACO and DCO authorizations and in operational documentation; and
overlap between activities conducted under the ACO and DCO aspects of CSE’s mandate as well as under all four aspects of CSE’s mandate.
It should be noted that NSIRA faced significant challenges in accessing CSE information on this review. These access challenges had a negative impact on the review. As a result, NSIRA could not be confident in the completeness of information provided by CSE.
Review of a foreign intelligence activity
In 2022, NSIRA completed a review of a sensitive CSE foreign intelligence collection program. As part of this review, NSIRA made several findings and observations regarding the activities carried out as part of this program. Notably, NSIRA identified several instances where the program’s activities were not adequately captured within CSE’s applications for certain ministerial authorizations. As such, NSIRA recommended that CSE more effectively inform the Minister of National Defence about aspects of its bilateral relationships with certain partners, the extent of its participation in certain types of activities, and the testing and evaluation of products.
NSIRA also found several areas where the program lacked adequate governance structures, resulting in improper application of key policy and procedural requirements related to information sharing, confirmation of foreignness, and CSE’s mistreatment risk assessment process. NSIRA made recommendations to strengthen these processes, to establish governance structures specific to the program, and to improve other governance structures with broader applicability throughout CSE.
Annual review of Communications Security Establishment activities
In 2022, NSIRA launched the annual review of CSE activities, which aimed to identify compliance-related challenges, general trends and emerging issues using CSE documents in 11 categories (legislatively required and supplementary) from January 1, 2022, to December 31, 2022. Besides contributing to NSIRA’s Annual Report to the Minister of National Defence on CSE activities, the review may identify areas that merit new NSIRA reviews and may produce a briefing or report with its own observations, findings and recommendations. It is based largely on the structure of the annual review of CSIS activities but has been adapted to CSE. NSIRA’s Chair met with the Minister of National Defence on December 15, 2022 to discuss ongoing issues and challenges related to NSIRA reviews of CSE activities.
Statistics and data
To achieve greater accountability and transparency, NSIRA has requested statistics and data from CSE about public interest and compliance-related aspects of its activities. NSIRA is of the opinion these statistics will provide the public with important information related to the scope and breadth of CSE operations, as well as display the evolution of activities from year to year.
Ministerial authorizations and ministerial orders
Ministerial authorizations are issued to CSE by the Minister of National Defence. Those authorizations support specific foreign intelligence or cybersecurity activities or defensive or active cyber operations conducted by CSE pursuant to those aspects of the CSE mandate. Authorizations are issued when these activities could otherwise contravene an Act of Parliament or interfere with a reasonable expectation of privacy of a Canadian or a person in Canada.
Table 7: Ministerial authorizations issued, 2019 to 2022
Type of ministerial authorization
Enabling section of the CSE Act
Issued in 2019
Issued in 2020
Issued in 2021
Issued in 2022
Foreign intelligence
26(1)
3
3
3
3
Cybersecurity — federal and non-federal
27(1) and 27(2)
2
1
2
3
Defensive cyber operations
29(1)
1
1
1
1
Active cyber operations
30(1)
1
1
2
3
Note: This table lists ministerial authorizations that were issued in a given calendar year and may not necessarily reflect ministerial authorizations that were in effect at a given time. For example, if a ministerial authorization was issued in late 2021 and remained in effect in parts of 2022, it is counted solely as a 2021 ministerial authorization.
Ministerial orders are issued by the Minister for the purpose of (1) designating any electronic information, any information infrastructures or any class of electronic information or information infrastructures as electronic information or information infrastructures of importance to the Government of Canada (section 21(1) of the CSE Act); or (2) designating recipients of information related to Canadians or persons in Canada, that is, Canadian- identifying information (sections 45 and 44(1) of the CSE Act).
Table 8: Ministerial orders in effect as of 2022
Name of ministerial order
Enabling section of the CSE Act
Designating electronic information and information infrastructures of importance to the Government of Canada
21(1)
Designating recipients of information relating to a Canadian or person in Canada acquired, used or analyzed under the cybersecurity and information assurance aspects of the CSE mandate
45 and 44(1)
Designating recipients of Canadian identifying information used, analyzed or retained under a foreign intelligence authorization pursuant to section 45 of the CSE Act
45 and 43
Designating electronic information and infrastructures of Ukraine as Systems of Importance
21(1)
Designating electronic information and infrastructures of Latvia as Systems of Importance
21(1)
Note: Ministerial orders remain in effect until rescinded by the Minister.
Foreign intelligence reporting
Under section 16 of the CSE Act, CSE is mandated to acquire information from or through the global information infrastructure. The CSE Act defines the global information infrastructure as including electromagnetic emissions, any equipment producing such emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, that equipment, those systems or those networks. CSE uses, analyzes and disseminates the information for providing foreign intelligence in accordance with the Government of Canada’s intelligence priorities.
Table 9: Number of foreign intelligence reports issued, 2019 to 2022
CSE foreign intelligence reporting
2019
2020
2021
2022
Number of reports released
N/A
N/A
3,050
3,185
Number of departments/agencies
N/A
>25
28
26
Number of specific clients within departments/agencies
N/A
>2,100
1,627
1,761
Note: NSIRA did not ask CSE for statistics related to foreign intelligence reporting for its 2019 public annual report. In 2020, statistics were requested, but were provided in general terms due to the classification of the data at the time, and CSE indicated that release of further detail, would be injurious to national security.
Information relating to a Canadian or a person in Canada
Information relating to a Canadian or a person in Canada (IRTC) is the information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting foreign intelligence or cybersecurity activities under the authority of a ministerial authorization. Incidental collection refers to information acquired that CSE was not deliberately seeking, and where the activity that enabled the acquisition of this information was not directed at a Canadian or a person in Canada. According to CSE policy, IRTC is defined as any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.
CSE was asked to release statistics or data about the regularity with which IRTC or “Canadian- collected information” is included in CSE’s end-product reporting. CSE responded that “this information remains at a classified level. We have determined that the release of thisinformation would be injurious to Canada’s international relations, national defence and security. Furthermore, the sharing of this information would provide an additional level of detail on the success of Canadian collection programs, our level of reliance on information from Five- Eye partners to produce intelligence, as well as a level of detail on Five-Eye use and reporting from Canadian collection that has not been previously made public.”
Canadian identifying information
CSE is prohibited from directing its activities at Canadians or persons in Canada. However, CSE’s collection methodologies sometimes result in incidentally acquiring such information. When such incidentally collected information is used in CSE’s foreign intelligence reporting, any part potentially identifying a Canadian or a person in Canada is suppressed to protect the privacy of the individual(s) in question. CSE may release unsuppressed Canadian-identifying information (CII) to designated recipients when the recipients have the legal authority and operational justification to receive it and when it is essential to international affairs, defence or security (including cyber security).
Table 10: Number of requests for disclosure of CII, 2021 and 2022
Type of request
2021
2022
Government of Canada requests
741
657
Five Eyes requests
90
62
Non-Five Eyes requests
0
0
Total
831
719
In 2022, of the 719 requests received, CSE reported having denied 65 requests. By the end of the year, 51 were still being processed.
CSE was asked to release the number of instances where CII is suppressed in CSE foreign intelligence or cyber security reporting. It indicated that “[d]isclosure of the number of instances where [CII] is suppressed in CSE intelligence reporting would be injurious to CSE’scapabilities. Such a disclosure would reveal information about CSE’s capabilities including theirlimitations. Thus, this information could be used by hostile security threats to counter CSE’s capabilities impeding CSE’s ability to protect Canada and its citizens.”
Privacy incidents and procedural errors
A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. CSE tracks such incidents via its Privacy Incidents File and, for privacy incidents that are attributable to a second-party partner or a domestic partner, its Second-party Privacy Incidents File.
Table 11: Number of privacy incidents recorded by CSE, 2021 and 2022
Type of incident
2021
2022
Privacy incidents
96
114
Second-party privacy incidents
33
23
Cyber security and information assurance
Under section 17 of the CSE Act, CSE is mandated to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions, as well as those of non-federal entities that are designated by the Minister as being of importance to the Government of Canada.
The Canadian Centre for Cyber Security (Cyber Centre) is Canada’s unified authority on cybersecurity. The Cyber Centre, which is a part of CSE, provides expert guidance, services and education, while working in collaboration with stakeholders in the private and public sectors. The Cyber Centre handles incidents in government and designated institutions that include:
reconnaissance activity by sophisticated threat actors;
phishing incidents, that is, email containing malware;
unauthorized access to corporate information technology (IT) environments;
imminent ransomware attacks; and
zero-day exploits, which involves exploration of critical vulnerabilities in unpatched software.
Table 12: Number of cyber incident cases opened by CSE, 2022
Type of incident
2022
Federal institutions
1,070
Critical infrastructure
1,575
Total
2,645
Defensive and active cyber operations
Under section 18 of the CSE Act, CSE is mandated to conduct DCOs to help protect electronic information and information infrastructures of federal institutions, as well as those of non- federal entities that are designated by the Minister as being of importance to the Government of Canada from hostile cyber attacks.
Under section 19 of the CSE Act, CSE is mandated to conduct ACOs against foreign individuals, states, organizations or terrorist groups as they relate to international affairs, defence or security.
CSE was asked to release the number of DCOs and ACOs approved, and the number carried out, during 2022. CSE responded that it is “not in a position to provide this information for publication by NSIRA, as doing so would be injurious to Canada’s international relations,national defence, and national security.”
Technical and operational assistance
As part of the assistance aspect of CSE’s mandate, CSE receives requests for assistance from Canadian law enforcement and security agencies, as well as from the Department of National Defence and the Canadian Forces (DND/CAF).
Table 13: Number of requests for assistance received and actioned by CSE, 2020 to 2022
2020
2021
2022
Approved
23
32
59
Not approved
1
3
Not applicable
Cancelled
Not available
Not available
1
Denied
Not available
Not available
2
Total received
24
35
62
3.3 Other departments
Overview
In addition to the CSIS and CSE reviews above, NSIRA completed the following reviews of departments and agencies in 2022:
A review of the Department of National Defence and the Canadian Armed Forces;
A review of the Canada Border Services Agency; and
NSIRA’s annual reviews of both the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, both of which involve a broader set of departments and agencies that make up the Canadian national security and intelligence community.
Department of National Defence and the Canadian Armed Forces
Report issued pursuant to section 35 of the NSIRA Act
In the course of a review of the Department of National Defence and the Canadian Armed Forces (DND/CAF) human source handling activities, which was still ongoing at the time of writing, NSIRA issued on December 9, 2022, a report under section 35 of the NSIRA Act to the Minister of National Defence. According to section 35, NSIRA must submit to the appropriate minister a report with respect to any activity that is related to national security or intelligence that, in NSIRA’s opinion, may not be in compliance with the law. The Minister of National Defence submitted a copy of this report to the Attorney General of Canada and included her comments indicating that her interpretation of the facts and law differs from NSIRA’s. NSIRA stands by its position and is of the view that the Minister’s position is based on a narrow interpretation of the facts and the law. NSIRA will complete the larger review of DND/CAF’s human source handling activities in 2023. While the section 35 report does not include recommendations, the broader review will examine accountability and oversight of the program, its risk framework, and DND/CAF’s discharge of its duty of care with respect to human sources. The review also assesses the lawfulness of the program and its related activities, as well as the sufficiency of its legal and policy foundations. In doing so, the report may include recommendations addressing the observations made in the section 35 report.
Canada Border Services Agency
Air passenger targeting review
The Canada Border Services Agency (CBSA) air passenger targeting program uses pre-arrival risk assessments to identify inbound air travellers at higher risk of being inadmissible to Canada or whose entry, or that of their goods, may otherwise contravene the CBSA’s program legislation.
The first step in these multi-stage assessments is to triage travellers based on the characteristics and travel patterns conveyed to the CBSA by commercial air carriers in AdvancePassenger Information and Passenger Name Record data. This triage may be manual (flight list targeting) or automated (scenario-based targeting). In both methods, the CBSA relies on information and intelligence from a variety of sources to determine which data elements to treat as indicators of risk in relation to particular enforcement issues, including those related to national security. Use of these indicators may lead the CBSA to differentiate among travellers in subsequent stages of targeting or at the border, with impacts on passengers’ time, privacy and equal treatment.
The review of air passenger targeting was NSIRA’s first in-depth assessment of the CBSA’s compliance with relevant law. It focused, first, on whether the CBSA complies with restrictions on the use of passenger data established by the Customs Act and the Protection of Passenger Information Regulations. Next, the review examined whether the CBSA’s use of these types of passenger data was discriminatory under the Canadian Human Rights Act and the Canadian Charter of Rights and Freedoms.
NSIRA found that the CBSA’s use of both types of passenger data in scenario-based targeting was for a purpose authorized by the Customs Act. For flight list targeting, however, the CBSA does not document the reasons underpinning its triage decisions. NSIRA was therefore unable to verify compliance of flight list targeting with the purpose limitations set out in the Customs Act. As well, the documentation did not allow NSIRA to verify that the CBSA’s use of Passenger Name Record data in either triage method complied with the Protection of Passenger Information Regulations, which require that access to retained data be for a purpose related to the identification of persons who have or may have committed a terrorism offence or serious transnational crime.
NSIRA also found that the CBSA did not consistently demonstrate an adequate justification for its selection of particular indicators as signals of increased risk. When adequate justification is not present, differentiating among passengers on the basis of prohibited grounds of discrimination (such as age, national or ethnic origin, or sex) creates a risk of discrimination.
NSIRA recommended that the CBSA document its triage practices in a manner that demonstrates compliance with the Customs Act and, where applicable, the Protection of Passenger Information Regulations. It recommended that the CBSA ensure, in an ongoing manner, that its selection of risk indicators be adequately justified based on well-documented information or intelligence. NSIRA further recommended that the CBSA develop more robust and regular oversight of air passenger targeting, including updates to policies, procedures, training and other guidance. NSIRA also recommended that the CBSA begin collecting the data necessary to identify, analyze and mitigate discrimination-related risks stemming from air passenger targeting.
3.4 Multi-departmental reviews
Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021
The review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act (SCIDA) in 2021 describes the results of a review of the 2021 disclosures made by federal institutions under this legislation. In 2022, NSIRA focused the review on Global Affairs Canada (GAC)’s proactive disclosures.
The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold that must be met before an institution can make a disclosure:
that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)); and
that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).
The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
NSIRA identified concerns that demonstrate the need for GAC to improve its training. NSIRA found that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security–related information. For some disclosures, GAC did not meet the two-part threshold requirements of the SCIDA before disclosing the information, which was not compliant with the SCIDA. Two disclosures did not contain accuracy and reliability statements, as required under the SCIDA. With respect to record keeping, NSIRA recommended that departments document, at the same time as they are deciding to disclose information under the SCIDA, the information they are relying on to satisfy themselves that the disclosure is authorized under the Act (paragraph 9(1)(e)).
Review of departmental implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2021
This review focused on departmental implementation of directions received through orders in council issued under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA). This was NSIRA’s third annual statutorily mandated review of the implementation of all directions issued under the ACA. It assessed departments’ implementation of the directives received under the ACA and their operationalization of frameworks to address ACA requirements. As such, this review constitutes the first in-depth examination of the ACA within individual departments.
This year’s review covered the 2021 calendar year and was split into three sections. Section one addressed the statutory obligations of all departments. Sections two and three were an in- depth analysis of how the Royal Canadian Mounted Police (RCMP) and Global Affairs Canada (GAC) have implemented the directions under the ACA. NSIRA used case studies, where possible, to examine these departments’ implementation of their ACA framework.
This was the third consecutive year where no cases were referred to the deputy head level in any department. This is a requirement of the orders in council when officials are unable to determine if the substantial risk can be mitigated. Future reviews will be attuned to the issue of case escalation and departmental processes for decision-making.
In the 2019 NSIRA Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities14, NSIRA recommended that “the definition of substantial risk should be codified in law or public direction.” NSIRA noted that some departments have accounted for this gap by relying on the definition of substantial risk in the 2017 ministerial directions. In light of the pending statutorily mandated review of the National Security Act, 2017 and the importance of the concept of substantial risk to the ACA regime, NSIRA reiterated its 2019 recommendation that the definition of substantial risk be codified in law.
In the review of departmental implementation of ACA in 2020, NSIRA identified the Canada Border Services Agency (CBSA) and Public Safety Canada as not yet having finalized their ACA policies. While the CBSA and Public Safety Canada continue to make advancements, these departments have not fully implemented an ACA framework and supporting policies and procedures.
The RCMP has a robust framework in place for the triage and processing of cases pertaining to the ACA. The in-depth analysis portion of this review found that the RCMP does not have a centralized system of documenting assurances and does not regularly monitor and update the assessment of the reliability of assurances. The RCMP has also not developed mechanisms to update country and entity profiles in a timely manner, and the information collected throughthe liaison officer during an operation is not centrally documented such that it can inform future assessments.
In the analysis of one of the RCMP’s Foreign Information Risk Advisory Committee case files, NSIRA found that the RCMP’s Assistant Commissioner’s rationale for rejecting the risk advisory committee’s advice did not adequately address concerns consistent with the provisions of the orders in council. In particular, NSIRA found that the Assistant Commissioner erroneously considered the importance of the potential future strategic relationship with a foreign entity in the assessment of potential risk of mistreatment of the individual.
NSIRA found that GAC is now strongly dependent on operational staff and heads of mission for decision-making and accountability under the ACA. This is a marked change from the findings of the 2019 review that found decision-making was done by the Ministerial Direction Compliance Committee at Headquarters.
GAC has also not conducted an internal mapping exercise to determine which business lines are most likely to be implicated by the ACA. Considering the low number of cases this year and the size of GAC, and that ACA training is not mandatory for staff, NSIRA has concerns that not all areas involved in information sharing within Global Affairs Canada are being properly informed of their ACA obligations.
NSIRA also notes that GAC has no formalized tracking or documentation mechanism for the follow-up of caveats and assurances. This is problematic as mission staff are rotational and may therefore have no knowledge of previous caveats and assurances related to prior information sharing instances.
3.5 Closed review work
This past year NSIRA determined that certain ongoing review work would be closed or not result in a final report to a Minister. These decisions allow NSIRA to remain nimble and to pivot its work plan. Considerations such as shifting priorities, resourcing demands, ongoing work taking place within the reviewed department, and deconfliction with partner review agencies can all be factors that lead to a decision to close a review. Such decisions allow NSIRA to redirect its efforts and resources towards other important issues, and thereby maximize the value of its work.
For example, a review of the Royal Canadian Mounted Police’s (RCMP) Operations Research Branch was closed. A contributing factor in this decision was that the RCMP branch in question ceased to operate. Another example is the decision to cease an ongoing review of how the RCMP handles encryption in the interception of private communications in national security criminal investigations. This review was cancelled to support deconfliction efforts with the National Security and Intelligence Committee of Parliamentarians (NSICOP), who were conducting a similar review. Finally, a review of the Financial Transactions and Reports Analysis Centre’s (FINTRAC) terrorist financing and information sharing regime, which was in its early stages, was cancelled at the same time that NSIRA decided to initiate a review of the Canada Revenue Agency’s (CRA) Review and Analysis Division, which delivers the CRA’s anti- terrorism mandate.
3.6 Technology in review
Integration of technology in review
Digital technologies continue to play a crucial role in the operational activities of Canada’s national security and intelligence community as agencies increasingly use new technologies to meet their mandates, propose new avenues for activities, and monitor new threats.
It remains essential for an accountability body like NSIRA to keep pace with the use of digital technologies in Canada’s national security and intelligence community. By staying apprised of rapidly changing technology ecosystems, NSIRA can ensure that the organizations it reviews are pursuing their mandates lawfully, reasonably and appropriately.
NSIRA’s Technology Directorate is a team of engineers, computer scientists, technologists andtechnology review professionals. The mandate of NSIRA’s Technology Directorate is to:
lead the review of Information Technology (IT) systems and capabilities;
assess a reviewed entity’s IT compliance with applicable laws, ministerial direction andpolicy;
conduct independent technical investigations;
recommend IT system and data safeguards to minimize the risk of legal non-compliance;
produce reports explaining and interpreting technical subjects;
lead the integration of technology themes into yearly NSIRA review plans;
leverage external expertise in the understanding and assessment of IT risks; and
support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP when technical expertise is required to assess the evidence.
In 2022, the Technology Directorate grew from one full-time employee to three and welcomed a cooperative education student and two external researchers. With its increased capacity, the Technology Directorate expanded its analysis of technologies in many NSIRA reviews, started formalizing its research methodology, and began hosting micro-learning sessions and discussion forums focused on relevant technical issues, including dark patterns, open-source intelligence and encryption.
The Technology Directorate also began establishing an academic research network with the goal of supporting NSIRA reviews. To date, contributors to the research network have produced valuable internal memos, reports, and discussion forums, which have enhanced NSIRA’s knowledge of a broad set of technical issues.
During the last year, the Technology Directorate also launched NSIRA’s first technology-led review, which focuses on the lifecycle of CSIS information collected by technical capabilities under a Federal Court warrant. This review presents an opportunity for NSIRA to draw on technical standards and review processes used by its Five Eyes peers and the international review and oversight community. NSIRA has been using this review to develop a risk assessment model and technical inspection plan, expanding NSIRA’s broader review toolkit.
Future of technology in review
During the next year, NSIRA will continue to hire more full-time employees in the Technology Directorate, support cooperative education and use external researchers to add capacity. Doing so will augment NSIRA’s ability to keep pace with the rapidly changing and expanding use of digital technologies in Canada’s national security and intelligence ecosystem.
Building on the successes of its budding academic research network, the Technology Directorate intends to prioritize unclassified research on a number of topics, including open- source intelligence, advertising technologies and metadata (content versus non-content data).
NSIRA’s Technology Directorate will also support NSIRA’s complaint investigations team to understand where and when technology factors into their processes and pursuits.
3.7 Engagement with reviewees
Improvements and ongoing challenges
As discussed in previous annual reports, as a new review body, NSIRA experienced initial challenges in its interactions with departments and agencies being reviewed. These challenges are continually being addressed and NSIRA’s relationship with reviewees has matured. While work on this front is not done, reviewees have demonstrated improvements in cooperation and support to the independent review process. The following discussion captures general commentary on the overall engagement with reviewees that were the focus of the past year’s reviews. These overviews cover 2022 and up to the date of writing of this report. Related review-specific commentary or issues, where available, are discussed within each review’s overview above.
Canadian Security Intelligence Service
After temporary restrictions and adjustments related to COVID-19 were lifted, NSIRA returned to its pre-pandemic level of occupancy within CSIS headquarters for CSIS-related reviews. This includes dedicated workspace and building passes for NSIRA employees reviewing CSIS activities. NSIRA employees have direct access to CSIS databases, and CSIS provides any training necessary, when requested, to navigate and access those systems. Generally, CSIS responds to NSIRA requests for information in a reasonably timely manner. Delays and challenges occur on occasion, but communication between NSIRA and CSIS is constructive in resolving issues.
Communications Security Establishment
NSIRA continued to use the space it procured within CSE’s headquarters in the Edward Drake Building to conduct review-related business. There was little improvement in 2022 to NSIRA’s access requirements at CSE. However, as of 2023, NSIRA is piloting limited direct access to CSE’s primary corporate document repository, GCDOCS. Issues remain and NSIRA is not in a position to assess the pilot project’s utility. In some instances, CSE has improved its responsiveness to NSIRA information requests in terms of timeliness, although some challenges remain with the quality of responses. NSIRA continues to work diligently with CSE to address these concerns.
Department of National Defence
Discussions continue with respect to developing dedicated office space and access to networks. While there has been little advancement on longer-term solutions, DND/CAF has worked with NSIRA to provide access to relevant documents, including sensitive files. DND/CAF has provided good access to facilities and people. Generally, responses to requests for information have been timely; however, a lack of proactiveness in DND/CAF disclosures has required NSIRA to send additional requests to ensure completeness and accuracy of information. Overall, the communication between NSIRA and DND/CAF has been constructive.
Royal Canadian Mounted Police
The past year was marked by inconsistencies in the RCMP’s responsiveness to NSIRA’s requests for information. The RCMP has taken steps to add to its capacity to respond to NSIRA, and this has yielded positive results. NSIRA does not have direct access to information systems but has been granted access to the files relevant to the matters under review. NSIRA has, on multiple occasions, had to send additional requests to ensure the completeness of files provided. In most cases, materials are reviewed on site in the dedicated NSIRA office space that has been provided within RCMP Headquarters. Despite challenges earlier in the year, NSIRA generally had access to people, including RCMP regular members who are experts in the areas under review. Overall, the engagement between NSIRA and the RCMP has seen improvements.
Global Affairs Canada
GAC has been responsive to NSIRA’s requests, made effort to clarify requests, and facilitated all meetings requested. During the review of departmental implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2021, GAC provided NSIRA with documents requested within a reasonable time frame. NSIRA did not have direct access to GAC systems, however this did not have an impact on NSIRA’s ability to verify information or access sensitive files as GAC was able to transfer all materials requested either by email or through their secure portal.
Canada Border Services Agency
The CBSA has provided NSIRA with adequate access to information and people. Some challenges in terms of timeliness were resolved promptly after NSIRA sent notice of a pending advisory letter. These challenges appear to be related to the CBSA’s lengthy approval process for the release of documents to NSIRA. NSIRA does not have direct access to CBSA systems, but this has not impeded NSIRA’s access to sensitive files. Overall, the CBSA has been responsive to NSIRA requests, ensuring that CBSA employees are available to answer NSIRA’s questions.
Refining NSIRA’s confidence statements
Assessing responsiveness and verification
NSIRA continues to place importance on assessing the overall quality and efficiency of its interactions with reviewees. Previously, NSIRA captured this assessment in a “confidence statement,” which provided important additional context to the review, apprising readers of the extent to which NSIRA was able to verify necessary or relevant information, and therefore whether its confidence in the information was impacted. These statements were also informed by aspects such as access to information systems and delays in receiving requested information.
NSIRA has further refined and standardized its approach for evaluating the key aspects of its interactions with reviewees and going forward will evaluate the following criteria during each review:
timeliness of responses to requests for information;
quality of responses to requests for information;
access to systems;
access to people;
access to facilities;
professionalism; and
proactiveness.
Follow-up on timeliness and advisory letters
NSIRA’s 2021 public annual report committed to addressing the ongoing struggle for timely responses from reviewees for requested information. During the past year, all delays have been captured by a request for information tracking system. The results inform one of the criteria discussed above. Additionally, NSIRA continues to leverage its three-staged approach to address continued delays by sending advisory letters to senior officials and ultimately respective Ministers should delays persist. This advisory tool was used at five occasions in 2022, three of which were sent to CSE, and two to the RCMP.
Advisory letters sent to a reviewee during a review may be appended to the final report for both the appropriate minister’s and the public’s awareness of such delays. Combined with the updated assessment criteria discussed above, NSIRA works to provide transparency and awareness of both the challenges and successes on interactions with those reviewed.
Complaints investigations
4.1 Overview
In the three years since its establishment, NSIRA has focused on reforming the investigative process for complaints and developing procedures and practices to ensure the conduct of investigations is fair, timely and transparent. NSIRA previously reported on the creation of its Rules of Procedure, on its policy to commit to the publishing of redacted investigation reports, and on the implementation of the use of video technology. In the past year, NSIRA streamlined its jurisdictional assessment phase and its investigative process through the increased use of investigative interviews as the principal means of fact finding. These developments enabled NSIRA to deal with a significant volume of complaints over this reporting period.
After receiving a complaint, NSIRA must evaluate whether it is within NSIRA’s jurisdiction to investigate based on conditions stated in the National Security and Intelligence Review Agency Act (NSIRA Act). For complaints against the Canadian Security Intelligence Service (CSIS) or the Communications Security Establishment (CSE), NSIRA must be satisfied that the complaint against the respondent organization refers to an activity carried out by the organization and that the complaint is not trivial, frivolous or vexatious. For complaints referred from the Civilian Review and Complaints Commission (CRCC) of the Royal Canadian Mounted Police (RCMP), NSIRA must receive and investigate a complaint referred to it under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act if satisfied that the complaint is not trivial, frivolous or vexatious or made in bad faith. For security clearance denials, with impacts upon individuals as set out in the NSIRA Act, NSIRA must receive and investigate the complaint.
NSIRA has developed a robust process to review and independently verify respondent organization information, mindful of the interests of the complainant and the security imperatives of the organization.
In the past, the Security Intelligence Review Committee routinely dealt with complaints related to CSIS by recourse to formal hearings. While NSIRA retains this statutory power, it has sought to make increasing use of interviews to ascertain the evidence required to fully investigate and consider complaints. Considering the security constraints that limit the disclosure of information to complainants during formal hearings, investigative interviews permit NSIRA access to information in a timely manner and are expected to decrease the length of time toresolve complaints. This will be important as NSIRA deals with an increased complaint case load owing to its mandate (which includes complaints related to CSIS, CSE, RCMP and security clearances), as well as delays resulting from COVID-19 impacts over the last three years.
4.2 Ongoing initiatives
NSIRA has committed to establishing service standards for the investigation of complaints, with the goal of completing 90% of investigations within NSIRA service standards by March 2024. During 2022, NSIRA began developing these service standards, which also aim to encourage prompt and efficient administrative decision-making. The service standards will set internal time limits for certain investigative steps for each type of complaint, under normal circumstances. The service standards will specify the circumstances under which those time limits do not apply. The development of the service standards includes tracking and data collection on whether NSIRA is meeting its own service standards in the investigation of complaints. NSIRA will finalize and publish its service standards in 2023 and is committed to reporting on whether they were met.
For the year ahead, NSIRA will continue to improve its website to promote accessibility to the investigation of complaints. More specifically, NSIRA will develop an online password-protected portal through which complainants will be able to submit complaints and receive updates on the status of their file.
NSIRA began the last phase of the study on race-based data and the collection of demographic information jointly commissioned with the CRCC. The study is assessing the viability of the collection of identity-based and demographic data as part of the CRCC’s ongoing anti-racism initiatives. Improved, more precise and more consistent tracking, collection and measurement of data is necessary to support anti-racism efforts in government. In completing the study, the CRCC and NSIRA will be informed on:
meaningful and purposeful data collection;
challenges with the collection of data;
perspective on how the data collected can be applied to address any potential systemic barriers in NSIRA’s investigations process and its anti-racism initiatives; and
public sentiment of the retention of identity-based data.
Observations on areas for legal reform
NSIRA notes that some reforms to its legislation would make it easier to fulfill its investigations mandate. Among these would include an allowance for NSIRA members to have jurisdiction to complete any complaint investigation files they have begun, even if their appointment term expires. Broadened rights of access to individuals and premises of reviewed organizations would enhance verification activities.
4.3 Investigation report summaries
Allegations against CSIS’s role in delaying security assessments regarding permanent resident and temporary resident visa applications (07-403-30)
Background
The complainants filed a complaint against CSIS alleging that it caused delays in their permanent resident and temporary resident visa applications.
Investigations
During NSIRA’s investigation, CSIS provided its advice in relation to the complainants’ permanent resident applications. In light of this information, NSIRA requested confirmation from the complainants regarding whether they still wished to proceed with their complaint. The complainants clarified that they wanted to either receive monetary compensation or an explanation for the delay that occurred in relation to their file.
Conclusion
NSIRA informed the complainants that it does not have the authority to make remedial orders such as requiring CSIS to make monetary compensation to a complainant. However, NSIRA inquired whether CSIS was interested in participating in an informal resolution process to resolve some of or all the issues in the complaint. In the context of NSIRA’s informal resolution process, information was provided to the complainants regarding CSIS’s involvement in their permanent resident and temporary resident visa applications. NSIRA attempted to communicate with the complainants on several occasions to determine whether they had any questions that would assist in clarifying the circumstances of their complaint.
NSIRA determined that reasonable attempts had been made to communicate with the complainants and issued reasons deeming the complaint abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.
Allegations against CSIS, Immigration, Refugees and Citizenship Canada, the Canada Border Services Agency, and Public Safety Canada in relation to their role in processing immigration applications (07-405-1 et al.)
Background
Under subsection 45(2) of the Canadian Human Rights Act, the Canadian Human Rights Commission (CHRC) referred 58 individual and group complaints to NSIRA. This matter constituted the first time NSIRA had received a section 45 referral from the CHRC.
The complainants, Iranian nationals, alleged that the Government of Canada discriminated against them on the basis of national or ethnic origin or race due to the delays in the processing of their temporary or permanent residency visa, or Canadian citizenship.
Under section 46 of the Canadian Human Rights Act, NSIRA is obliged to conduct an investigation and return a report to the CHRC. It further provides that on NSIRA’s report, the CHRC may dismiss the complaint or proceed to deal with the complaint.
NSIRA’s role in section 45 referrals is confined to scrutinizing the components of a matter that are based on considerations relating to the security of Canada and report findings of its investigation into classified information to the CHRC in an unclassified manner. NSIRA does not possess the authority to exercise the CHRC’s statutory discretion to refer the matter to the Canadian Human Rights Tribunal.
Investigation
During its investigation, NSIRA considered the evidence given by witnesses and submissions of their counsel during an investigative interview, and the documentation and submissions submitted by the government parties, including classified documents disclosed to NSIRA by CSIS, Immigration, Refugees and Citizenship Canada (IRCC), the Canada Border Services Agency (CBSA) and Public Safety Canada.
Importantly, NSIRA heard evidence from the government parties in relation to a particular mandatory indicator developed by the CBSA and used by IRCC officers in deciding referrals for security screening of Iranian immigration applications. Prior to reforms made by August 2018, one indicator was based entirely on Iranian nationality, coupled only with the age and sex of the applicant. Where an applicant met the criteria, IRCC officers would automatically refer the file to the CBSA and CSIS for security screening. The evidence showed that the government abandoned mandatory indicators in 2018 because of efficacy concerns and because it contributed to delays.
NSIRA further noted that IRCC did not keep a record of the particular indicator on which the referral was based. This hindered NSIRA’s ability to investigate the other indicators that may have affected the processing of a complainant’s immigration application. That being said, NSIRA acknowledged that an indicator tracking code system was being piloted at the time of the investigative interview. This technical solution would allow for the tracking of the IRCC officers’ decisions to refer immigration applications for security screening through a coding system identifying the reason for the referral.
Conclusion
NSIRA found that:
the mandatory age and sex indicator used by IRCC in processing immigration applications until May 2018 relied exclusively on nationality, age and sex, which are listed as prohibited grounds of discrimination in section 5 of the Canadian Human Rights Act;
the mandatory age and sex indicator produced a disadvantage (including in terms of delays) to those Iranians who were subjected to security screening and to those whose own files were linked to these applicants;
at the material times at issue in this matter, the application of that mandatory indicator was not justifiable on national security grounds; and
the security screening process applicable to citizenship applications in this matter did not produce a disadvantage based on grounds enumerated in the Canadian Human Rights Act, as citizenship applications received by IRCC are sent to CSIS for security screening, regardless of the applicant’s country of birth.
NSIRA submitted its report to the CHRC so that it can assess whether there is a reasonable basis in the evidence for a referral to the Canadian Human Rights Tribunal or whether to dismiss the complaints.
Investigation of a complaint regarding the revocation of a security clearance by the Chief of the Defence Staff (1170-17-7)
Background
The complainant was a regular force soldier who held a Top-Secret security clearance. The results of the complainant’s polygraph examination, although not exclusively relied on, were the primary influence in the security assessments of the complainant prepared by CSIS and the DND Departmental Security Officer. As a result of those assessments, the Chief of the Defence Staff (CDS) revoked the complainant’s security clearance. The complainant filed a complaint with NSIRA against the CDS over the revocation of the security clearance.
Investigation
During the Investigation, NSIRA heard from government witnesses from DND and CSIS about the polygraph examination, the investigation into the complainant, and the process leading to the revocation of the complainant’s security clearance. In addition to the oral evidence, the government parties filed documents and made submissions. NSIRA also considered the oral evidence and written submissions provided by the complainant.
NSIRA reviewed all of the evidence it received to determine whether there were reasonable grounds for the CDS to revoke the complainant’s security clearance and to ensure the accuracy of the information the CDS used to reach the decision to revoke.
NSIRA found several deficiencies in the way the complainant’s polygraph was handled, reported and disseminated. In addition, NSIRA found that exculpatory facts were not contextualized nor placed before the CDS prior to the decision to revoke.
Conclusion
NSIRA found that the information the CDS relied on to make the decision to revoke was not accurate. As a result, the decision to revoke the clearance was not reasonable.
NSIRA recommended that CSIS apologize to the complainant for the manner in which the polygraph was handled, reported and disseminated and that the CDS revisit the decision to revoke the complainant’s security clearance.
Review of the Royal Canadian Mounted Police’s report regarding a public complaint (07-407-3)
Background
The complainant filed a complaint with the CRCC related to the conduct of members of the RCMP. The complainant alleged that the RCMP carried out an unjustified and arbitrary arrest of their minor son, conducted a zealous and abusive search of the family home, and publicized the arrest.
In addition, the complainant alleged that the RCMP disclosed information to U.S. authorities, stated that the complainant’s son’s arrest form would be forgotten and destroyed, and violated the son’s safety and that of his family, their constitutional rights and their whistleblower rights.
The RCMP concluded, in a report sent to the complainant pursuant to section 45.64 of the Royal Canadian Mounted Police Act (RCMP Act), that the members had acted appropriately and consequently did not support any of the complainant’s allegations.
The complainant referred their complaint to the CRCC for review as they were not satisfied with the RCMP’s findings. The CRCC referred the complaint to NSIRA pursuant to subsection 45.53(4.1) of the RCMP Act.
Investigation
NSIRA determined that it had jurisdiction to review the request for review of the RCMP’s report under section 19 of the NSIRA Act.
NSIRA’s investigation included a review of:
the complaint;
the complainant’s request for review filed with the CRCC;
the RCMP investigation file related to the complaint, including documents provided by the complainant during the investigation; and
the RCMP’s operational file related to the complaint, including numerous audio and video recordings, as well as relevant policies and legislation.
Conclusion
NSIRA found that the RCMP’s conclusions in its report were reasonable.
Notwithstanding the foregoing, NSIRA pointed out to the RCMP the importance of the decision- maker and signatory of an RCMP report having no prior involvement with the file that is the subject of the complaint, in addition to the importance of complete and contemporaneous notetaking.
4.4 Statistics on complaints investigations
Investigation activity continued at significant levels in 2022 (see Annex D). One noteworthy difference in activity from 2021 to 2022 was the significant decline in the number of active investigations: from 81 in 2021 to 19 in this reporting period. This decrease is largely attributed to a referral of close to 60 related files from the CHRC, which were dealt with during this reporting period.
Under section 16 of the NSIRA Act, any person may make a complaint to NSIRA with respect to any activity carried out by CSIS; section 17 covers complaints related to CSE activities. However, for NSIRA to be able to accept a complaint, the complainant to CSIS must first send a letter of complaint to the Director of CSIS; for CSE complaints, a letter must first be sent to the CSE Chief. NSIRA will investigate the complaint if the complainant has not received a response within a period of time that NSIRA considers reasonable or if the complainant is dissatisfied with the response given. In that regard, NSIRA observed that in 2022, 53% of complainants did not receive a letter from CSIS in response to their letter of complaint to the Director of CSIS.
There is a need to increase awareness and understanding on the part of members of the public and complainants on NSIRA’s investigative mandate and process. For example, NSIRA members do not have the ability to make remedial orders, such as compensation, or to order a government department to pay damages to complainants. NSIRA continues to make improvements to its public website to raise this awareness and better inform the public and complainants on the investigations mandate and investigative procedures it follows.
Expanding NSIRA partnerships
NSIRA believes that establishing a community of practice in the business of independent review and oversight is essential and is actively contributing to this effort. During the past year, it resumed and expanded its engagement with valuable partners, both domestically and internationally, and has already reaped the benefits of these efforts.
International partnerships
NSIRA has identified international relationships with counterparts as a priority for its institutional development. During the past year, NSIRA benefited from excellent free-flowing and extensive interactions with its closest international partners. A better understanding of the parameters of the review and oversight activities of NSIRA’s international counterparts, and sharing best practices, are vital to the agency’s growth.
Five Eyes Intelligence Oversight and Review Council
Since its inception, NSIRA has been an active participant in the Five Eyes Intelligence Oversight and Review Council. The council comprises agencies with an oversight and review mandate concerning the national security activities in their respective countries (Canada, Australia, New Zealand, the United Kingdom and the United States). NSIRA participates alongside the Office of the Intelligence Commissioner as Canada’s delegation to the council. The group meets annually, and NSIRA participated in the Five Eyes Intelligence Oversight and Review Council conference in Washington D.C. in 2022. NSIRA has the distinct pleasure of hosting council partners in Ottawa in fall 2023.
NSIRA also frequently engages bilaterally with council partners at the working level. These exchanges allow NSIRA to better understand critical issues impacting its work, compare challenges and best practices in review and oversight methodology, and discuss views on subjects of mutual interest and concern. For instance, learning about council partners’ information access rights, and the legal framework enabling such access, has helped to contextualize some of NSIRA’s own access challenges.
NSIRA met with one of its council partners, the Investigatory Powers Commissioner’s Office in London, U.K. The Commissioner’s office has a broad mandate of activities that includes, among others, approving warrants authorized by the Secretary of State and the independent oversight of the use of the powers by the U.K.’s security and intelligence community. The multi-day meetings provided an opportunity to better understand each other’s respective organizations, exchange ideas and share best practices. NSIRA met with a number of departments with whom the Commissioner’s office engages and shadowed a day-long inspection carried out by the Commissioner’s office. Of particular interest was the Commissioner’s office’s approach for following up on the implementation of recommendations it provides and its insights on the production of annual reports. Support for this important partnership continues, and NSIRA has further engaged with Commissioner’s office staff to cement this strong relationship.
NSIRA was also able to complete working-level visits to the office of Australia’s Inspector- General of Intelligence and Security and to offices of some members of the U.S. inspector general community in Washington.
Additional European engagement
NSIRA also participated in the International Intelligence Oversight Forum, which brings together oversight, review and data protection agencies from all over the world. The event was productive and NSIRA had the additional benefit of constructive bilateral exchanges with participating institutions.
As part of its efforts to build strong relationships with continental European counterparts in like- minded jurisdictions with strong accountability mechanisms, NSIRA visited the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services, the Danish Intelligence Oversight Board, the Netherlands’ Review Committee on the Intelligence and Security Services, and the Swiss Independent Oversight Authority for Intelligence Activities.
Each of these highly productive visits allowed NSIRA to learn from these partners and make its work more visible within this review community.
Stronger domestic coordination
NSIRA continued to invest in strengthening relationships with key domestic partners — the National Security and Intelligence Committee of Parliamentarians (NSICOP), the Civilian Review and Complaints Commission for the RCMP and the Office of the Intelligence Commissioner, as well as the various agents of Parliament who play a key role in government accountability.
NSIRA and NSICOP have complementary roles in enhancing accountability for federal national security and intelligence activities and are required by law to cooperate in the fulfillment of their respective mandates. Regular cooperation meetings are held at various levels and the two agencies continue to refine ways to cooperate and coordinate. NSIRA and NSICOP have supported each other’s work by communicating regularly on review plans to avoid duplication and to make adjustments where required. These coordination efforts contributed to NSIRA’s decision to cease work on an RCMP encryption review. NSIRA has also provided, after ministerial consultation, many of its final reports to NSICOP. For its part, NSICOP has provided NSIRA with its classified reports and background briefings. These exchanges have allowed both organizations to refine their review topics and methodologies. NSICOP’s and NSIRA’s legal teams have also engaged productively, with a view to working through common access challenges, among other things. These frequent and in-depth exchanges serve as an important foundation for a cohesive and robust national security and intelligence review apparatus, and NSIRA and NSICOP enjoy a level of cooperation that is among the strongest of their international counterparts.
As discussed under Ongoing initiatives, NSIRA and the Civilian Review and Complaints Commission for the RCMP have jointly commissioned a study on race-based data and the collection of demographic information. This study will inform each organization’s approach to developing and implementing an identity-based data strategy in the context of its complaints investigations. The study is currently in its last phase and is expected to be completed in fiscal year 2023–2024.
In 2022, the NSIRA Secretariat joined a network of legal professionals from across the various agents of Parliament. As a separate agency and separate employer mandated with supporting independent oversight, NSIRA’s Secretariat benefits from collaborating with this community of practice through discussions on legal issues of common interest, professional development and knowledge transfer initiatives.
Emerging cooperation in technology
Building partnerships allows NSIRA’s growing Technology Directorate to gather diverse perspectives, collaborate on common goals, refine methodologies, and build on established best practices. In 2022, the team focused on building relationships with peers who share mandates on technical topics, such as privacy-enhancing technologies, automated decision- making and service design. Within Canada, this included collaboration with the Office of the Privacy Commissioner’s Technology Analysis Directorate, the artificial intelligence team at the Treasury Board Secretariat’s Office of the Chief Information Officer, and the Canadian Digital Service.
International and academic collaborations offered access to rich technical knowledge and expertise of other review and oversight bodies. Knowledge management, talent retention and evolving technical capabilities became the focal point of regular engagement with teams at the Investigatory Powers Commissioner’s Office, Australia’s Inspector-General of Intelligence and Security, and the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services. Finally, 2022 gave rise to NSIRA’s external research program aimed at informing and supporting reviews already in progress with relevant and timely technical expertise. Building on the past year’s efforts, the Technology Directorate intends to continue developing domestic and international partnerships, including expanding its network with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches.
Conclusions
As NSIRA fulfills its role within Canada’s security and intelligence landscape, it is continually motivated by the vital importance of its mandate. This is expressed through each review and complaint investigation completed. In executing its mission in 2022, NSIRA continued to build best practices across the agency. This ongoing growth and evolution position it well to take on new challenges.
As the agency’s experience grows so too does its knowledge, and it is confident in its ability to be a leading voice in the review and investigations discourse. Partnerships and engagement with reviewees are maturing, and NSIRA is already reaping the benefits of significant effort on both fronts. Applying lessons learned from these partnerships allows NSIRA to iterate and improve its processes and approaches. While there is there is still much work ahead, the results are encouraging.
As NSIRA’s members consider the agency’s accomplishments this past year, they are proud of the diligence and enthusiasm that Secretariat staff have demonstrated. NSIRA has risen to the challenge of changing circumstances and growth and have done so with an outstanding professionalism. The agency looks forward to the year ahead as it carries on with its important work.
Annexes
Annex A: Abbreviations
Abbreviation
Full Name
ACA
Avoiding Complicity in Mistreatment by Foreign Entities Act
ACO
active cyber operations
CAF
Canadian Armed Forces
CBSA
Canada Border Services Agency
Cyber Centre
Canadian Centre for Cyber Security
CDS
Chief of the Defence Staff
CHRC
Canadian Human Rights Commission
CII
Canadian-identifying information
CRA
Canada Revenue Agency
CRCC
Civilian Review and Complaints Commission for the RCMP
CSE
Communications Security Establishment
CSIS
Canadian Security Intelligence Service
DCO
defensive cyber operations
DLS
Directorate of Legal Services
DND
Department of National Defence
DOJ
Department of Justice
FINTRAC
Financial Transactions and Reports Analysis Centre
FIRAC
Foreign Information Risk Advisory Committee
GAC
Global Affairs Canada
IRCC
Immigration, Refugees and Citizenship Canada
IRTC
Information relating to a Canadian or a person in Canada
IT
Information technology
JPAF
Joint Planning and Authorities Framework
MA
Ministerial Authorization
NSICOP
National Security and Intelligence Committee of Parliamentarians
NSIRA
National Security and Intelligence Review Agency
NSLAG
National Security Litigation and Advisory Group (Justice)
PS
Public Safety Canada
RCMP
Royal Canadian Mounted Police
SCIDA
Security of Canada Information Disclosure Act
SIGINT
Signals intelligence
TRM
Threat reduction measure
Annex B: Financial overview, staffing, achievements and priorities
Financial overview
The NSIRA Secretariat is organized according to two main business lines: Mandate Management and Internal Services. The table below presents a comparison of spending between 2021 and 2022 for each of these two business lines.
(In dollars)
Expenditures (2022)
Expenditures (2021)
Mandate Management
7,679,950
7,523,552
Internal Services
11,033,465
8,926,178
Total
18,713,415
16,449,730
In the 2022 calendar year, the Secretariat spent $18.7 million, a $2.3 million (14%) increase from the $16.4 million spent in 2021. This spending increase is mainly attributed to the ramping up of a large infrastructure project and an increased use of external services for corporate activities.
Staffing
As of June 30, 2023, NSIRA Secretariat staff complement stood at 76. In an attempt to address hiring and retention challenges, the Secretariat implemented several initiatives including the introduction of an internal development program for its mandate management sector employees. The Program aims at promoting existing employees once they acquire the level of knowledge and competencies required to be promoted. The program is individualized, informed by regular review of progress in the achievement of core knowledge and competencies expectations. The Secretariat has also launched a program to hire recent Ph D. graduates in fields of expertise that are of interests to NSIRA’s mandate.
The Secretariat also continues to use modern and flexible staffing strategies, procedures and practices. It has adapted its operations and activities to allow, to the extent possible, a flexible hybrid work model.
Clearer articulation of its core competency profiles, operational methodologies and practices also enabled a more effective integration and onboarding of employees into the organization.
Having hired a dedicated employee responsible for the implementation of an employee wellness agenda combined with an active Mental Health and Wellness Committee, several initiatives have been delivered in an aim to foster workplace well-being and increased interactions between employees.
Progress on foundational initiatives
Accessibility, employment equity, diversity, and inclusion
Informed by its three-year action plan and its commitments to the Clerk of the Privy Council, the Secretariat’s internal committee responsible for accessibility, employment equity, diversity and inclusion invited guests and led discussions aimed at increasing awareness, celebrating the Secretariat’s diverse workforce, and identifying barriers and solutions with respect to these themes.
NSIRA also took concrete steps as part of its mandated activities to include, among other things, a Gender-based Analysis Plus lens into the design and implementation of its policies and programs. As a result, NSIRA’s renewed forward-looking review plan is informed by considerations related to anti-racism, equity and inclusion. These considerations apply to the process of selecting reviews to undertake, as well as to the analysis that takes place within individual reviews. NSIRA reviews routinely consider the potential for national security or intelligence activities to result in disparate outcomes for various communities and will continue to do so in the year ahead.
In 2022, NSIRA also continued to work with another review body to develop strategies for the collection, analysis and use of identity-based data. The goal of the exercise is to rely on public consultations to determine how the public perceives the collection, analysis and use of identity- based data in relation to mandate.
Finally, the Secretariat also developed and posted its inaugural accessibility plan on NSIRA’s external website. The plan outlines the steps that will be taken over the next three years to increase physical and information accessibility, both for employees within the organization as well as for Canadians more generally.
Facilities projects, technology and security
The Secretariat is in the process of retrofitting additional workspace to enable it to accommodate all its employees within the confines of one building. The construction phase is expected to be completed late in 2023. Over the course of 2022, the Secretariat worked closely with lead security agencies to ensure the fit-up meets best practices and established standards.
Transparency and privacy
The Secretariat continues to promote transparency by dedicating resources to redact, declassify and release previous reports from the Security Intelligence Review Committee, in addition to proactively releasing NSIRA’s reviews. In 2022, a major upgrade to NSIRA’s external website was initiated with the goal of increasing access to information including access to redacted review reports and recommendations. It is expected that the website will be released in 2023.
From a privacy perspective, the NSIRA Secretariat continued to make progress further to the privacy impact assessment exercise conducted in fiscal year 2021-2022 in relation to review activities and internal services. It also initiated a privacy impact assessment for the investigations function. This work is expected to be completed in fiscal year 2023-2024.
Considering the importance of privacy as part of its activities, NSIRA took concrete steps to implement best practices to protect the privacy of individuals as part of complaints investigations and as part of the conduct of reviews.
Annex C: Review findings and recommendations
This annex lists the full findings and recommendations for the National Security and Intelligence Review Agency (NSIRA) reviews completed in 2022, as well as reviewees’ management responses to NSIRA’s recommendations, to the fullest extent possible at the time of publication. NSIRA will update such information from all reviews when they are published on its website.
Canadian Security Intelligence Service review
Threat Reduction Measures Annual Review
NSIRA’s findings
NSIRA finds that the Canadian Security Intelligence Service’s (CSIS’s) use of its TRM mandate in 2021 was broadly consistent with its use in preceding years.
For all the cases reviewed, NSIRA finds that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act.
For all the cases reviewed, NSIRA finds that CSIS sufficiently established a “rational link”between the proposed measure and the identified threat.
For Case 1 and Case 2, NSIRA finds that CSIS met its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
For Case 3, NSIRA finds that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
With respect to legal risk assessments, NSIRA finds that greater specificity regarding legal risks, and direction as to how said risks could be mitigated and/or avoided, resulted in more detailed outcome reporting vis-à-vis legal compliance.
For Case 2 and Case 3, NSIRA finds that CSIS did not meet its obligations with respect to one requirement of its Conduct of Operations, Section 12.1 Threat Reduction Measures, Version 4. CSIS did not meet its internal policy requirements regarding the timelines to submit TRM implementation reports.
For Case 3, NSIRA finds that the Intended Outcome Report was not completed in a timely manner.
NSIRA finds that current policy for the completion of Strategic Impact Reports may inhibit the timely production of important information.
NSIRA’s recommendations
Recommendation
Recommendation 1: NSIRA recommends that formal legal risk assessments be conducted for TRMs involving [*sensitive factors*].
Recommendation 2: NSIRA recommends that CSIS consider and evaluate whether legal risk assessments under TRM Modernization comply with applicable ministerial direction.
Recommendation 3: NSIRA recommends that CSIS work with the Department of Justice to ensure that legal risk assessments include clear and specific direction regarding possible legal risks and how they can be avoided/mitigated during implementation of the TRM.
Recommendation 4: NSIRA recommends that Implementation Reports specify how the legal risks identified in the legal risk assessment were avoided/mitigated during implementation of the TRM.
Recommendation 5: NSIRA recommends that CSIS specify in its Conduct of Operations, Section 12.1 Threat Reduction Measures when the Intended Outcome Report is required, as it does for the Strategic Impact Report.
Recommendation 6: NSIRA recommends that CSIS integrate in policy a requirement that the Strategic Impact Report be completed at the expiry of the TRM authority.
Communications Security Establishment reviews
Review of the Communications Security Establishment’s Governance of Active and Defensive Cyber Operations — Part 2
NSIRA’s recommendations
NSIRA finds that the Global Affairs Canada Foreign Policy Risk Assessment process, as well as the related international legal assessment, improved since the Governance Review, for Communications Security Establishment (CSE) active cyber operations (ACOs) and defensive cyber operations (DCOs).
NSIRA finds that Global Affairs Canada does not have capability to independently assess potential risks resulting from the techniques used in CSE ACOs and DCOs.
NSIRA finds that CSE and the Department of Justice demonstrated a thorough understanding of section 32 of the CSE Act. However, CSE does not appropriately consult with the Department of Justice at the [*specific step*]15 stage to ensure that the assessment of legal compliance remains valid.
NSIRA finds that CSE’s applications for authorizations issued under subsections 29(1) and 30(1) of the CSE Act for [*description*] activities did not include all the available information relevant to a meaningful assessment of the requirements in subsections 34(1) and (4) of the CSE Act.
NSIRA finds that there is potential for overlap between CSE and CSIS activities in the context of capabilities used by CSE to conduct its ACOs and DCOs. However, CSE did not consistentlyconsult with CSIS about CSE’s cyber operations.
NSIRA finds that despite close collaboration with Global Affairs Canada, and the Department of National Defence and Canadian Armed Forces on ACOs and DCOs, CSE did not demonstrate consistent engagement with CSIS or the Royal Canadian Mounted Police (RCMP) to determine whether the objective of an ACO or DCO could not reasonably be achieved by other means.
NSIRA finds that the Chief’s applications for active and defensive cyber operations activities for the period of review did not accurately describe the relationship between a cyber operation, and intelligence collection.
NSIRA finds that, in its [*a specific document*], CSE did not always provide clarity pertaining to foreign intelligence missions.
NSIRA finds that CSE’s ACOs and DCOs that were planned or conducted prior to July 30, 2021,including the case studies analyzed in this report, were lawful.
NSIRA finds that there is significant overlap between activities conducted under the ACO and DCO aspects of CSE’s mandate, as well as between all four aspects of CSE’s mandate.
NSIRA’s recommendations, and CSE response
Recommendation
CSE and GAC Response (June 21st , 2023)
Recommendation 1: NSIRA recommends that Global Affairs Canada develop or otherwise leverage capability to enable it to independently assess potential risks resulting from the techniques used in CSE ACOs and DCOs.
Disagree. CSE and GAC disagree with this recommendation.
In accordance with the CSE-GAC Governance Framework, GAC assesses CSE cyber operations for foreign policy risks and compliance with international law. CSE’s internal risk assessment process assesses the cyber operation for technical risks based on the techniques used.
Just as CSE relies upon GAC to provide expertise in foreign policy and international law, GAC relies upon CSE to provide expertise on technologies and techniques at the forefront of development.
Accurate assessment of all risks from a cyber operation relies on the continuation of open and honest dialogue and trust between GAC and CSE. As such, CSE will continue to share information with GAC on techniques, whenever their use may have an impact on GAC’s foreign policy risk assessment.
Recommendation 2: NSIRA recommends that the Department Justice be fully consulted at all stages of an ACO or DCO, particularly prior to operational execution.
Agree in principle. CSE agrees with this recommendation in principle.
CSE believes that the advice and guidance provided by the Department of Justice (DOJ) representatives embedded in CSE's Directorate of Legal Services (DLS) is integral to CSE's success. CSE consults with DLS at all relevant stages of a cyber operation. As a matter of practice, CSE consults DLS throughout the Joint Planning and Authorities Framework (JPAF) process and at a key stage, and more consultation is conducted when an activity is new or novel.
Internal tools developed by DLS are used to ensure that activities do not contravene the prohibitions set out in the CSE Act and assist analysts in identifying when a higher risk necessitates further legal review. Additionally, CSE's internal operational policy team is consulted on all key stages.
Recommendation 3: NSIRA recommends that CSE abandon the practice of generic ACO and DCO applications to the Minister of National Defence, and instead submit individual applications.
Disagree. CSE and GAC disagree with this recommendation.
When submitting an application for these particular ACO and DCO Ministerial Authorizations (MAs), CSE and GAC always ensure that the Minister of National Defence and the Minister of foreign Affairs are provided with a sufficient amount of information to make an informed decision as to whether CSE’s proposed activities are reasonable and proportionate against a specific set of objectives. To that end, these particular ACO and DCO MAs are structured around key objectives in countering a number of well-defined threats globally. In that sense, they are not “generic”, but their scope is broad enough to give CSE the flexibility to act against a wide range of targets, when the identity of threat actor or the location and context is unknown at the time of application.
For any operations assessed as falling under the authority of these MAs, the current governance framework allows for appropriate risk management of operations. CSE provides GAC with detailed mission plans for each operation, which allows for a proper assessment of foreign policy risks associated with CSE’s cyber operations.
Following Recommendation no. 1 from the Governance review (FCO 1), CSE and GAC increased the amount of information included in the 2021 application for this MA. The level of detail was improved further in the 2022 application. Moreover, CSE and GAC work collaboratively on any new MAs to both ensure that relevant foreign policy objectives are reflected and that authorized operations are sufficiently scoped. Whenever an activity does not fit within the category covered by these MAs, CSE will submit a new application specific to that circumstance.
Recommendation 4: NSIRA recommends that CSE always engage with CSIS, the RCMP, and any other federal departments or agencies as to whether those departments are in a position to reasonably achieve the objective of a cyber operation.
Agree. CSE agrees with this recommendation.
CSE values the importance of consulting with all relevant Government of Canada stakeholders. During the planning of operations, CSE has and will continue to strengthen its collaborative relationships with its partners, including engaging with CSIS, RCMP, and other relevant federal departments or agencies whose mandates may intersect with a planned ACO or DCO.
Recommendation 5: NSIRA recommends that the Chief’s applications for active and defensive cyber operations inform the Minister of National Defence that acquisition of information under a valid foreign intelligence, cybersecurity, or emergency authorization, [*description*].
Agree. CSE and GAC agree with this recommendation.
This recommendation has already been addressed in the applications for the 2022-23 ACO and DCO Ministerial Authorizations.
Recommendation 6: NSIRA recommends that documentation prepared as part of the CSE’s cyber operations framework provide clear links to all known applicable foreign intelligence (or cybersecurity) missions.
Agree. CSE agrees with this recommendation.
Since the period under review, and partially stemming from NSIRA recommendations issued in the Governance review (FCO 1), CSE has implemented this change into its cyber operations framework. Under the current framework, the documentation now includes links to s.16 or s.17 operations that are directly relevant to a s.18 or s.19 cyber operation.
Recommendation 7: NSIRA recommends that CSE continue to refine, and to define, the distinctions between activities conducted under different aspects of its mandate, particularly between ACO and DCO activities, but also with regard to foreign intelligence and cybersecurity activities.
Agree in principle. CSE agrees with this recommendation in principle.
CSE agrees with the principle of understanding the nuances of its mandate. The CSE Act (ss.15-20) expressly distinguishes between the five aspects of the mandate. Operations are planned with an understanding of the scope and boundaries of the authorizing aspect of the mandate. CSE works closely with the Directorate of Legal Services (DLS) and its Operational Policy team to ensure that operations are planned and conducted under the appropriate authorities.
In the body of its report, NSIRA acknowledges both the clarity of the Act and of CSE’s ability to explain why an operation should be authorized under a particular aspect of the mandate. CSE’s policies and procedures governing the planning and conduct of operations rely on the distinction between aspects of the mandate. CSE’s Mission Policy Suite addresses each aspect of the mandate and provides a distinction between ACOs and DCOs. The cyber operations framework provides for planning documentation that sets out why the objectives and nature of the planned operation align with the authorities of an ACO versus a DCO, notwithstanding the techniques being applied. Finally, CSE is in the process of launching updated legal and policy training to its operational staff.
Foreign intelligence review
NSIRA’s findings
NSIRA finds that CSE has not updated the Minister of National Defence since [*year*] on its relationship with a foreign partner.
NSIRA finds that in the context of a joint operation, CSE’s analytic exchanges with a partner did not comply with all of CSE’s internal policy requirements relating to such exchanges with its partners.
NSIRA finds that CSE’s applications to the Minister of National Defence for Foreign Intelligence Authorizations did not describe the full extent of CSE’s involvement in [*specific activity*].
NSIRA finds that CSE did not appropriately apply its Mistreatment Risk Assessment process to information shared with a foreign partner. CSE conducted a mistreatment risk assessment only after having already shared substantial information with the partner.
NSIRA finds that CSE did not appropriately justify its mistreatment risk for targets of an operation.
[*Finding not releasable in public report*]
NSIRA finds that CSE does not have a mechanism to obtain timely and concrete verification ofa person’s Canadian status in order to verify that it is not directing its activities at Canadians.
NSIRA finds that CSE has not developed policies and procedures to govern its participation in [*specific activity*].
NSIRA finds that CSE’s contributions to operations with its partners are not governed by any written arrangements with operational activities.
NSIRA finds that CSE’s contributions to operations led by a partner have not been accompanied with the operational planning and risk assessment as described by CSE to the Minister of National Defence.
NSIRA finds that CSE does not obtain operational plans or risk assessments developed by its partners leading the operations, nor contributes to the development of these plans or their associated parameters.
NSIRA finds that CSE’s application for the Authorization did not inform the Minister of National Defence that it intends to conduct testing and evaluation activities under the authority of the Authorization.
NSIRA’s recommendations, and CSE response
Recommendation
CSE and GAC Response (March 14th , 2023)
Recommendation 1: CSE should update the Minister of National Defence on of its relationship with a foreign partner.
Agree. CSE agrees with this recommendation.
CSE concurs and regularly updates the minister on topics of importance, including the status of relationships with international partners.
CSE plans to continue providing comprehensive updates to the Minister on its international engagements and relationships with foreign partners, including the named foreign partner.
Recommendation 2: CSE should comply with the Releasable SIGINT Products requirements pursuant to the Foreign Intelligence Mission Policy Suite when conducting analytic exchanges with its partners in the performance of all operational activities.
Agree. CSE agrees with this recommendation.
CSE recognizes that despite having robust policies, practices, and procedures, improvements can still be made in outreach and training to mission staff. CSE is working on a comprehensive revision of its operational legal and policy training, and will consider this recommendation when developing its compliance plans for 2023–2024.
Recommendation 3: CSE should describe to the Minister of National Defence the full extent of its participation in any activities when applying for Foreign Intelligence Authorizations.
Agree. CSE agrees with this recommendation.
CSE will include relevant details to clarify [specific activities] in its next Ministerial Authorization application at a level of detail consistent with Ministerial Authorization applications.
Recommendation 4: CSE must perform a Mistreatment Risk Assessment prior to sharing information with [*country*] in accordance with parameters established with the Minister of National Defence, Minister of Foreign Affairs, and the Privy Council Office in the development of CSE’s working arrangement with this partner.
Agree in principle. CSE agrees with this recommendation in principle.
CSE is of the view that its policy instruments are already clear and that there are already established best practices when sharing information with foreign entities about identifiable individuals. CSE continually seeks to improve both the implementation of internal policies, and the training and internal outreach programs for its analysts.
Additionally, it is important to note that there exists a strong mitigating factor in the overarching agreements with [*country*] which contain explicit language regarding how SIGINT may be used, and with explicit prohibitions for purposes that could result in mistreatment.
Recommendation 5: When performing a Mistreatment Risk Assessment, CSE should specify why and how its risk rating applies to each individual implicated in the sharing of information with a foreign partner.
Agree in principle. CSE agrees with this recommendation in principle.
Since 2011, CSE has continually refined its mistreatment risk assessment process and documentation. In certain cases where an initial assessment has determined that all of the conditions of information sharing will be identical across a category of individuals in an activity, CSE has determined that a group mistreatment risk assessment appropriately documents the risk profiles for all individuals associated with that activity. In the event that the information sharing conditions change, or specific characteristics related to an individual associated with the activity may change the risk, a separate assessment is conducted.
CSE has continued to improve our documentation to ensure that it better reflects the analysis behind the risk assessment and why a rationale would apply to a group of individuals under a single activity. As CSE’s operational activities continue to evolve, the mistreatment risk assessment process grows to reflect the requirements of those activities.
Recommendation 6: CSE should ensure that a foreignness assessment is completed prior to commencing collection and reporting on individuals. CSE should also develop policy requirements for the documentation, tracking, and management review of foreignness assessments.
Agree in principle. CSE agrees with this recommendation in principle.
As part of the SIGINT process, and relying on a combination of policy, administrative, and technological means, CSE already documents a targeting justification demonstrating reasonable grounds to believe that a target is a foreign entity outside Canada. This auditable justification crystallizes the current state of knowledge about the foreignness of a target, at the time of targeting.
In addition, as analysts perform their duties and build knowledge about a target, a foreignness assessment persists throughout SIGINT analysis in a process that is guided by the Mission Policy Suite. Each new fragment of information acquired about a target increases the body of knowledge evaluated by an analyst, including more information about a target’s foreignness that may not have been available at the time of targeting.
If at any point the analyst no longer has reasonable grounds to believe that the target is a foreign entity outside Canada, the analyst must de-target the associated selectors and register a privacy incident with CSE’s Program for Operational Compliance team, who will guide internal processes through any additional required remedial steps, such as purging any collected information. In addition, a citizenship check can also be requested from Immigration, Refugees, and Citizenship Canada (IRCC) if sufficient information is available.
Recommendation 7: CSE should develop a mechanism with Immigration, Refugees and Citizenship Canada, or other federal institutions as appropriate, to facilitate timely and concrete confirmation of the Canadian status of individuals implicated in CSE’s operational activities.
Agree. CSE agrees with this recommendation.
This recommendation was previously put forward in the SCIDA 2020 final report. CSE continues to pursue discussions with IRCC for an information sharing agreement. CSE is reengaging at both working and executive levels to facilitate progress.
It should be recognized that in order to produce more accurate results, a citizenship check needs to include specific information regarding an individual target, which is not always available to CSE. In the absence of that information, a citizenship check is not guaranteed to produce conclusive results, and cannot be considered as a concrete confirmation of citizenship status. In addition, it is CSE’s understanding that IRCC databases may not capture Canadians born with Canadian citizenship. The citizenship check process and associated timelines are fully within the jurisdiction of IRCC.
Recommendation 8: CSE should develop policies and procedures to govern its participation in [*specific activities*] within the program.
Agree. CSE agrees with this recommendation.
CSE remains committed to building robust policy frameworks to govern its activities and ensure that its work continues at the highest level of integrity.
While at the time of review, policies and procedures specific to the program were still in development, CSE’s existing policies and procedures include principles that govern all foreign intelligence activities conducted under CSE authorities, including [*program*].
Recommendation 9: CSE should develop written arrangements with its partners implicated in activities, to set the parameters for collaborating on these activities.
Disagree. CSE disagrees with this recommendation.
CSE has enjoyed a uniquely strong relationship with partners for [*amount of time*]. By leveraging shared capabilities, Canada benefits greatly, magnifying its ability to provide quality information exponentially. The cooperation with our partners means that we [*description*], with procedures in place to manage our interactions. CSE’s operations with partners are based on bilateral information sharing and technical cooperation arrangements.
Recommendation 10: When collaborating on an operation with a partner, CSE should prepare an operational plan and conduct a risk assessment associated with the activity with a view to ensuring an operation’s alignment with CSE’s priorities and risk tolerance levels. CSE should also ensure that parameters and any caveats for the partner’s [*specific activity*] be outlined and acknowledged.
Agree. CSE agrees with this recommendation.
CSE policy outlines that, when conducting SIGINT operations, including joint operations with a partner, the activity be approved via an operational plan and risk assessment in order to exercise an aspect of the CSE mandate.
Collaboration that involves [*specific activity*] without participating in the resulting operation does not require operational plans or risk assessments to be created at CSE, but rather at the partner agency conducting the operation and adopting the risk. CSE will, however, ensure that the partner agency is aware of and acknowledges any caveats or parameters.
Recommendation 11: When applying for a Ministerial Authorization, CSE should disclose to the Minister any related testing or evaluation activities that it intends to undertake pursuant to paragraph 23(1)(c) of the CSE Act.
Disagree. CSE disagrees with this recommendation.
The purpose of a ministerial authorization is to seek authorities for activities that would contravene an Act of Parliament or involve the acquisition of information that interferes with the reasonable expectation of privacy (REP) of a Canadian or any person in Canada. Testing activities, as per s.23(1)(c) of the CSE Act, are not carried out under the authorities of a ministerial authorization if they do not risk contravening an Act of Parliament or do not involve the acquisition of information that interferes with the REP of a Canadian or any person in Canada. In such cases, it is not required to request authorities to conduct testing activities from the Minister through a ministerial authorization. However, at the Chief’s discretion, CSE will inform the Minister of non- ministerial authorization activities through other means.
Paragraph 23(1)(c) provides an exception to CSE’s prohibition on directing its activities at a Canadian or any person in Canada when conducting testing or evaluating products, software and systems. This means that CSE may conduct these activities which will not be considered directed at a Canadian or any person in Canada.
Any foreign intelligence activities, including testing activities, that contravene an Act of Parliament or involve the acquisition of information that interferes with the REP of a Canadian or any person in Canada can only be conducted under the authorities of a ministerial authorization. In such cases, the activities must be conducted under the authorities of an existing ministerial authorization or will require that the Minister issue a new ministerial authorization, and the Minister would be fully informed of the activities being considered before being in a position to approve them.
Department of National Defence and the Canadian Armed Forces Review
Report issued pursuant to section 35 of the NSIRA Act
NSIRA’s finding
The report contained a finding that, in NSIRA’s opinion, certain activities undertaken by the Canadian Armed Forces may not have been in compliance with the law.
Department of National Defence and the Canadian Armed Forces (DND/CAF’s) response
DND/CAF recognize the importance of independent, external reviews of the Government of Canada’s national security and intelligence activities. We fully support NSIRA’s review mandate and take all of its reports seriously.
Upon receipt of NSIRA’s section 35 compliance report, DND/CAF conducted a comprehensive analysis and do not agree with NSIRA’s opinion. Our analysis supports that the reviewed activities were conducted in accordance with the law within a robust system of oversight and accountability. Furthermore, an earlier independent external review was consistent with our analysis and supported a number of recommendations that were implemented to strengthen the governance framework. The Minister is following the steps in order to meet all the requirements outlined in section 35 of the Act.
Canada Border Services Agency review
Air Passenger Targeting Review
NSIRA’s findings
The use of Advance Passenger Information and Passenger Name Record data by the Canada Border Services Agency (CBSA) in scenario-based targeting complied with section 107(3) of the Customs Act.
The CBSA does not document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.
The CBSA has not consistently demonstrated that an adequate justification exists for its Air Passenger Targeting triaging practices. This weakness in the link between the indicators used to triage passengers and the potential threats or contraventions they seek to identify creates a risk that Air Passenger Targeting triaging practices may be discriminatory.
The CBSA’s policies, procedures, and training are insufficiently detailed to adequately equip CBSA staff to identify potential discrimination-related risks and to take appropriate action to mitigate these risks in the exercise of their duties.
The CBSA’s oversight structures and practices are not rigorous enough to identify and mitigate potential discrimination-related risks, as appropriate. This is compounded by a lack of collection and assessment of relevant data.
NSIRA’s recommendations, and the CBSA’s responses
Recommendation
Response (July 2022)
Recommendation 1: NSIRA recommends that the CBSA document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.
Agree. The CBSA will complete a review of its air passenger targeting triaging practices to ensure practices are in place which will enable effective verification of compliance with statutory and regulatory restrictions.
Recommendation 2: NSIRA recommends that the CBSA ensure, in an ongoing manner, that its triaging practices are based on information and/or intelligence that justifies the use of each indicator. This justification should be well-documented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations.
Agree. While we are satisfied that justification for triaging and targeting practices exist, the CBSA acknowledges that better documentation practices could be implemented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non- discrimination obligations.
The CBSA’s Scenario Based Targeting Governance Framework will be updated to include information and/or intelligence that justifies the use of each indicator.
Annual reviews of scenarios will continue to be conducted and documented to confirm that each active scenario is supported by recent and reliable intelligence.
Recommendation 3: NSIRA recommends that the CBSA ensure that any Air Passenger Targeting- related distinctions on protected grounds that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights under the Charter.
Agree. The CBSA will review its air passenger targeting practices to ensure that distinctions based on protected grounds are reasonable and can be demonstrably justified in the border administration and enforcement context.
Recommendation 4: NSIRA recommends that the CBSA develop more robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. This should include updates to the CBSA’s policies, procedures, training, and other guidance, as appropriate.
Agree. The CBSA acknowledges that policies, procedures, training, and other guidance, as appropriate can be improved to ensure robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory.
The CBSA will complete a review of its policies, procedures, guidelines and training to ensure practices are not discriminatory.
Recommendation 5: NSIRA recommends that the CBSA start gathering and assessing the necessary data to identify, analyze, and mitigate discrimination-related risks. This includes disaggregated demographic data, data on the effects of Air Passenger Targeting on secondary examinations that may be apparent from related human rights complaints, and data on a baseline comparator group.
Agree. To that end, the CBSA is taking deliberate steps to develop its capacity to capture and analyze reliable and accurate data in non-intrusive ways. The Agency is working on developing standard and consistent positions and frameworks on the collection, use, management and governance of disaggregated data, developing metrics and indicators to measure the impact of decisions and policies on different groups; using data to build more inclusive and representative policies and strategies, and; identifying possible discrimination and bias.
Multi-departmental reviews
Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2021
NSIRA’s findings
NSIRA finds that, in 12 out of 13 disclosures, Global Affairs Canada demonstrated that it satisfied itself as to the contribution of the information to the recipient institution’s responsibilities in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA.
NSIRA finds that, without first conducting the analysis under paragraph 5(1)(a) of the SCIDA, departments risk disclosing information that does not pertain to the national security mandate of the recipient institution or to activities that undermine the security of Canada.
NSIRA finds that, in 1 of 13 disclosures, Global Affairs Canada consulted on more information than necessary to obtain confirmation from CSIS that the disclosure contributed to its mandate and was linked to activities that undermine the security of Canada.
NSIRA finds that, in 10 out of 13 disclosures, Global Affairs Canada demonstrated that it satisfied itself that the disclosure will not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA.
NSIRA finds that 2 of 13 disclosures did not contain the accuracy and reliability statements as required by subsection 5(2) of the SCIDA.
NSIRA finds that Global Affairs Canada training on the SCIDA lacks sufficient illustrative examples required to provide employees with adequate guidance to fulfill their obligations under the SCIDA.
NSIRA’s recommendations, and government response
Recommendation
Response (February 14th, 2023)
Recommendation 1: NSIRA recommends that consultations be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to its mandate and is linked to activities that undermine the security of Canada.
Agree. Public Safety’s Step-by-Step SCIDA Guide 2022 (“SCIDA Guide 2022”) was updated and distributed to federal institutions in October 2022. Many of the updates to the SCIDA Guide 2022, that were based on practitioner feedback, directly address this recommendation. The updated SCIDA Guide 2022 specifies that preliminary consultations prior to a disclosure should only include general information to ensure that SCIDA thresholds are met before the disclosing institution proceeds with the disclosure. In addition, SCIDA training material was updated in September 2022 with a renewed emphasis on the need for disclosing institutions to strictly limit the information communicated with recipient institutions during preliminary consultations.
Multiple SCIDA trainings have been delivered to federal institutions using the new material. Public Safety will continue to work with federal institutions to provide them with access to training, guidance and other useful resources on the use of the SCIDA. Given the focus of this review, Public Safety will work closely with Global Affairs Canada to address this recommendation.
Recommendation 2: NSIRA recommends that in order to provide the most valuable and meaningful context for the recipient institution, accuracy and reliability statements should be clear and specific to the circumstances of the disclosure.
Agree. Statements regarding the accuracy of the information and the reliability of the manner in which it was obtained are an essential part of the disclosure process. To ensure greater compliance with this requirement, the SCIDA Guide 2022 and its related templates, as well as the updated SCIDA training material, emphasize the importance of providing statements on the accuracy of the information and reliability of the manner in which it was obtained that are clear and specific to the circumstances of the disclosure.
Public Safety will continue to provide SCIDA training and guidance to federal institutions to highlight the requirement for statements of accuracy and reliability that are clear, complete, accurate and do not include formulaic language in support of disclosures under the SCIDA.
Recommendation 3: NSIRA recommends that all disclosing departments contemporaneously prepare descriptions of the information that was relied on to satisfy themselves that disclosures were authorized under the SCIDA.
Agree. Record keeping is an essential component of the SCIDA, and records of disclosures must include an appropriately robust description of the information relied upon to satisfy the disclosing institution that the disclosure meets the thresholds of the SCIDA. The SCIDA Guide 2022 includes templates that support federal institutions with their record-keeping requirements. This includes sections where disclosing institutions must prepare and maintain records that set out a description of the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA. While paragraph 9(1)(e) of the SCIDA does not explicitly require departments to contemporaneously prepare descriptions of the information related to SCIDA disclosures, Public Safety takes note of NSIRA’s recommendation to do so in a timely manner.
Public Safety will continue to provide SCIDA training and guidance to federal institutions to highlight their recordkeeping obligations to ensure that all disclosures are authorized under the SCIDA and assist them in understanding their authorities for requesting and disclosing information under the Act.
Recommendation 4: NSIRA recommends that additional illustrative examples and scenarios be included in the SCIDA training, including for disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements.
Agree. SCIDA training material was updated in September 2022 with multiple illustrative examples and case studies that provide further details on how to apply the disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements. SCIDA training sessions have been delivered to federal institutions using the new material. Given the focus of this review, Public Safety will work closely with Global Affairs Canada to address this recommendation.
Review of departmental implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2021
NSIRA’s findings
NSIRA finds that the Canada Border Services Agency and Public Safety Canada still have not fully implemented an ACA framework and supporting policies and procedures are still under development.
NSIRA finds that from January 1, 2021, to December 31, 2021, no cases under the ACA were escalated to deputy heads in any department.
NSIRA finds that the RCMP has a robust framework in place for the triage of cases pertaining to the ACA.
NSIRA finds that the RCMP’s Foreign Information Risk Advisory Committee (FIRAC) risk assessments include objectives external to the requirements of the Orders in Council, such as the risk of not exchanging information.
NSIRA finds that the RCMP use of a two-part risk assessment, that of the country profile and that of the individual to determine if there is a substantial risk, including the particular circumstances of the individual in question within the risk assessment is a best practice.
NSIRA finds that the RCMP does not have a centralized system of documenting assurances and does not regularly monitor and update the assessment of the reliability of assurances.
NSIRA finds that the RCMP does not regularly update or have a schedule to update its Country and Entity Assessments. In many cases these assessments are more than four years old and are heavily dependent on an aggregation of open-source reporting.
NSIRA finds that information collected through the Liaison Officer in the course of an operation is not centrally documented such that it can inform future assessments.
NSIRA finds that FIRAC members concluded that the information sharing would result in a substantial risk of mistreatment that could not be mitigated. The Assistant Commissioner determined that it may be mitigated. This amounts to a disagreement between officials or a situation where “officials are unable to determine whether the risk can be mitigated”.
NSIRA finds that the Assistant Commissioner’s rationale for rejecting FIRAC’s advice did not adequately address concerns consistent with the provisions of the Orders in Council. In particular, NSIRA finds that the Assistant Commissioner erroneously considered the importance of the potential future strategic relationship with a foreign entity in the assessment of potential risk of mistreatment of the individual.
NSIRA finds that Global Affairs Canada is now strongly dependent on operational staff and Heads of Mission for decision-making and accountability under the ACA.
NSIRA finds that Global Affairs Canada has not demonstrated that all of its business lines are integrated into its framework under the ACA.
NSIRA finds that Global Affairs Canada has not made ACA training mandatory for all staff across relevant business lines. This could result in staff being involved in information exchanges without the proper training and knowledge of the implications of the ACA.
NSIRA finds that Global Affairs Canada has not regularly updated its Human Rights Reports. While many were updated during the 2021 review year, more than half have not been updated since 2019. This is particularly problematic when departments and agencies rely on these reports as a key source in assessing risk related to the ACA.
NSIRA finds that Global Affairs Canada does not have a standardized centralized approach for the tracking and documentation of assurances.
NSIRA’s recommendations
Recommendation
Recommendation 1: NSIRA recommends that the RCMP establish a centralized system to track caveats and assurances provided by foreign entities and where possible to monitor and document whether said caveats and assurances were respected.
Recommendation 2: NSIRA recommends that in cases where the RCMP Assistant Commissioner disagrees with FIRAC’s recommendation not to share the information, the case be automatically referred to the Commissioner.
Recommendation 3: NSIRA recommends that the assessment of substantial risk be limited to the provisions of the Orders in Council – namely the substantial risk of mistreatment and whether the risk may be mitigated – and external objectives such as fostering strategic relationships should not factor into this decision-making.
Recommendation 4: NSIRA recommends that FIRAC recommendations are referred to an Assistant Commissioner who is not responsible for the branch from which the case originates.
Recommendation 5: NSIRA recommends that GAC ensure that accountability for compliance with the ACA clearly rests with the Avoiding Mistreatment Compliance Committee.
Recommendation 6: NSIRA recommends that GAC conduct a formal internal mapping exercise of other possibly implicated business lines to ensure it is meeting its obligations set out in the ACA.
Recommendation 7: NSIRA recommends that GAC make ACA training mandatory for all rotational staff.
Recommendation 8: NSIRA recommends that GAC ensure countries’ Human Rights Reports are updated more regularly to ensure evolving human rights related issues are captured.
Recommendation 9: NSIRA recommends that GAC establish a centralized system to track caveats and assurances provided by foreign entities and document any instances of non-compliance for use in future risk assessments.
Review arising from the Federal Court’s decision in 2020 FC 616, rebuilding trust: reforming the CSIS warrant and Department of Justice legal advisory processes
This review was approved in 2022. Under section 38 (1) of the NSIRA Act, NSIRA is therefore obliged to report on its findings and recommendations as part of its annual report for the calendar year 2022. A summary of this review is available in NSIRA’s Annual Report 2021.
NSIRA’s findings
NSIRA finds that the legal advice-seeking and giving process, and resource constraints at the Department of Justice’s National Security Litigation and Advisory Group (NSLAG) contribute to considerable delays, [*description of timeline*].
NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.
NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and further that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.
NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to [*discussion of the detrimental effects on and risks to operations*] that may require legal advice. In consequence, the manner in which NSLAG has provided legal advice to CSIS has often not met the needs of CSIS operations.
NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.
NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.
NSIRA finds that Justice has committed to improve its advice-giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.
NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.
NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.
NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.
NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.
NSIRA finds that the actors involved in the warrant process do not have a common understanding of the rationale for each of the [*multiple*] of steps in the overarching warrant application scheme and are not always sure what role each approval step plays.
NSIRA finds that the proliferation of process in seeking warrants has created a system of diluted accountability widely regarded as slow and unwieldy, with delays caused by multiple levels of approval.
NSIRA finds there is no regular feedback process in which explanations for warrant-related decisions made at one level filter back to other levels. The absence of feedback is especially acute for the regional investigators.
NSIRA finds that often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications. In consequence, an unwieldy warrant process makes resolution of legal doubt more difficult.
NSIRA finds that CSIS has struggled to ensure that all information material to the credibility of sources is properly contained in warrant applications. This “recurring omissions” problem stems from a misunderstanding of the Federal Court’s role in assessing the credibility of sources and from the presence of multiple, siloed information management systems. CSIS has undertaken reforms, but work remains to implement long-term sustainable solutions.
NSIRA finds that the Affiant Unit constitutes a vital and laudable reform within CSIS. However, the Affiant Unit is currently at risk of collapse. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. The benefits of the Affiant Unit are currently in jeopardy because of governance, human resource, and training deficiencies.
NSIRA finds that the Affiant Unit’s placement in the [*Name*] branch is not commensurate with its functions and importance. This governance anomaly most likely contributes to administrative hurdles and resource challenges faced by the Affiant Unit.
NSIRA finds that without a functional Affiant Unit able to produce timely and accurate warrant applications, CSIS puts at risk access to warrants and the information collected under them.
NSIRA finds that the “independent counsel” role falls short of creating a thorough challenge function.
NSIRA finds that the CSIS regional warrants coordinators have not received sufficient training enabling them to translate the contents of the warrants into advice on proper warrant execution.
NSIRA finds that CSIS lacks long-term training programs for Intelligence Officers.
NSIRA finds that CSIS has failed to provide systematic training programs for “non-Intelligence Officers.”
NSIRA finds that the CSIS’s Learning and Development Branch has not been sufficiently resourced to develop and administer comprehensive training programs, especially in specialized areas not covered by the training offered for Intelligence Officers early in their career.
NSIRA finds that CSIS and Justice are at risk of not being able to fulfill their respective mandates. No one reform is likely to succeed unless each is pursued as part of a coherent package. No package will succeed unless backed by prioritization at senior levels, and the stable provision of resources, including people with the means and institutional knowledge to see reforms through. And no reform initiative will succeed unless accompanied by clear performance indicators, measured and analyzed regularly to track progress.
NSIRA’s recommendations and departmental responses
Recommendation
Departmental response (March 29, 2022)
Recommendation 1: NSIRA recommends that Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road map”-style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:
Whether through an expanded “office hours” and liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case-manage an iterative legal guidance process.
Agree. Prior to NSIRA issuing its report, Justice Canada has been working on a number of measures concerning policies and practices in the provision of legal services to CSIS. These measures include activities related to the duty of candour and the warrant acquisition process, best practices in the delivery of legal services, advising CSIS on legal risks associated with its operations, the sharing of information in the national security context, and tracking and responding to key performance indicators related to the delivery of legal services.
Justice is committed to improving the manner of providing legal services and ensuring practical and timely legal services. The measures undertaken to date and further measures underway support a coordinated approach for legal services, striking the right balance of resources across corporate and operational priorities. This includes providing legal advice in a more accessible, iterative manner, and supporting Counsel through interactive training to better understand and support their work in a proactive manner.
Justice and CSIS working together in an integrated fashion ensures that counsel are involved throughout an operation’s life-cycle, including the early stages. Early integration into operational planning supports the provision of timely and relevant legal advice as operations progress.
Justice has already modified its liaison counsel model. Liaison counsel are experienced counsel designated to support CSIS officers across regional offices and particular operations.
Enhancements to the role have resulted in liaison counsel providing timely and focused advice, supporting operational imperatives, and identifying trends and issues of concern to develop guidance documents and other practical tools.
Justice is developing a suite of practical tools and legal service delivery mechanisms to support CSIS. These include:
a user-friendly blog that describes relevant legal issues and concepts in plain-language and with a practical application to CSIS’s work;
a field guide for the practical application of legal concerns to CSIS’s operations that can be used by officers in the field and in real time;
interpretation and guidance documents; and,
knowledge management tools ensuring counsel can access legal precedents and interpretations.
Recommendation 2: NSIRA recommends that NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.
Agree. Justice has developed business metrics to measure service delivery performance. Justice will continue to work with CSIS to invest in resources to conduct detailed business analytics to enhance the provision of legal services and make improvements to the existing system. Client feedback surveys are undertaken regularly.
Recommendation 3: NSIRA recommends that CSIS and Justice should include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.
Agree. Justice has worked with CSIS to develop and deliver interactive scenario-based training and is committed to continuing that involvement.
Recommendation 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, NSIRA recommends that CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.
Agree. As set out above, Justice is working with CSIS to be involved sooner and more continuously across the lifecycle of operations to provide timely, focused and iterative legal services.
Recommendation 5: NSIRA recommends that Justice’s advice-giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.
Agree. Justice is currently undertaking a review of its legal risk framework in order to improve both how legal risk is assessed, and also how risks are communicated to clients.
Recommendation 6: NSIRA recommends that CSIS adopt, and share internally, clear criteria for the warrant prioritization process.
Agree. CSIS will further refine the warrant prioritization process and work to set clear criteria.
Recommendation 7: NSIRA recommends that CSIS establish a new warrant process eliminating steps that do not make a significant contribution to a more accurate application. The process should assign clear lines of responsibility for the production of accurate applications. The reformed system should ensure that delays associated with managerial approvals are minimized, and that time is reallocated to those steps contributing to the preparation of the accurate applications.
Agree. Work on implementation is underway. CSIS and Justice are committed to streamlining warrant applications, templates, and requests as part of broader modernisation objectives.
Recommendation 8: NSIRA recommends that CSIS integrate the regional stakeholders (including the implicated investigators) at every key milestone of the warrants process.
Agree. CSIS has already undertaken related improvements to address this recommendation, including through the updated Affiant Unit business approach to warrant acquisition, which now includes regional stakeholders.
Recommendation 9: NSIRA recommends that CSIS adopt policies and procedures governing the reformed warrant process that clearly outlines the roles and responsibilities of each participant and the objective of each step in the warrant process and that these policies be kept current as the process evolves.
Agree. The revised CSIS Justice Joint Policy on Duty of Candour and the associated guidance document outline the role of all CSIS employees (not just the affiants) in ensuring that disclosure obligations to the Court are met. In addition, CSIS has developed a s.21 warrant policy and the drafting of the related procedure is underway. In 2020 and 2021, CSIS provided Duty of Candour training to all operational employees through a special project.
Recommendation 10: To address the seeming inevitability of “recurring omissions”, NSIRA recommends that CSIS prioritize the development of [*an improved*] system for human source information management. CSIS should also continue initiatives meant to ensure that source handlers are assiduous in documenting and then reporting in source precis information going to credibility. Even with these reforms, the Affiant Unit should adopt procedures for verifying the information prepared by the regions.
Agree. The recommendation endorses a CSIS initiative already underway. An Action Plan approved by the Executive in January 2021 identified the requirement, and CSIS stakeholders are advancing this initiative. CSIS developed a comprehensive requirements package, and identified a potential technical solution. The complexity of the technical development process means this will be a long process.
Recommendation 11: NSIRA recommends that CSIS recognize the importance of the Affiant Unit by assigning affiants and analysts an employment classification congruent with their responsibilities.
Agree. CSIS has addressed this recommendation by classifying affiants at one level above the Intelligence Officer working level to recognize the complexity of their work and to attract/retain candidates. A competitive competition process is underway to staff the affiant positions and is anticipated to be completed by the end of March 2022.
Recommendation 12: NSIRA recommends that CSIS should create an Affiant Branch reporting directly to the CSIS Director.
Disagree. The Service notes the concerns raised by the committee in its report regarding the Affiant’s Unit current placement in the organization’s hierarchy. This said, throughout the course of this review, CSIS has invested heavily in the Affiant Unit and its employees and has made significant changes to the warrant process and its governance. The Service is confident that these changes will be sufficient to address the concerns that resulted in this finding and recommendation, particularly as it relates to observations related to administrative and human resource challenges. In addition, the current placement of the Affiant Unit with other units with corresponding responsibilities for warrant acquisition best facilitates the provision of ongoing guidance and advice throughout the warrant lifecycle to ensure compliance and duty of candour obligations are met. Given its importance, CSIS commits to ongoing monitoring and evaluation of the Affiant Unit to ensure the concerns highlighted in the report do not re-occur.
Recommendation 13: NSIRA recommends that CSIS urgently resource the Affiant Unit to meet its responsibilities and ensure its sustainability. In deciding the size of the Affiant Unit, CSIS should assess how many warrants an affiant team might reasonably complete every year.
Agree. In line with the recommendation, CSIS already increased the resourcing of the Affiant Unit and approved changes to the organizational chart in March 2021. As noted above, a staffing action is currently underway that aims to create a pool of qualified candidates which can be leveraged to help increase the Affiant Unit’s capacity.
Recommendation 14: NSIRA recommends that CSIS, in consultation with Justice, develop a comprehensive training course for all affiants and analysts, codifying best practices and methods for members of the Affiant Unit.
Agree. CSIS intends to provide fulsome training to the affiant unit, as recommended. In late 2021, initial consultations were held to identify appropriate training. Unfortunately, the pandemic has disrupted training efforts.
Justice is supporting CSIS in the development and delivery of all comprehensive and practical training for all those working on warrant applications. Cross-reference recommendations 3 and 18.
Recommendation 15: NSIRA recommends that NSLAG be staffed by a complement of counsel and support personnel sufficient to ensure that CSIS operations are not impeded by resource limitations at NSLAG.
Agree. Justice and CSIS will continue to work together on resources and staffing issues.
Recommendation 16: NSIRA recommends that the function of the Independent Counsel as performed by National Security Group counsel at the Department of Justice should be eliminated, in favour of a new challenge function, analogous to the role a defence lawyer would play were warrants subject to an adversarial process, situated at Public Safety and supported by the Public Safety vetting team, and performed by a knowledgeable lawyer from the Public Prosecution Service of Canada, the private sector, or elsewhere, who is independent from Justice management and not otherwise involved in CSIS warrant applications.
Agree. Public Safety will develop an enhanced vetting function, housed in Public Safety Canada, that reflects the principles and objectives set out by NSIRA. Public Safety Canada will develop the enhanced vetting function as part of the CSIS warrant acquisition process such that it provides a meaningful challenge function without adding undue complexity or delay. While this work is underway, Public Safety Canada will take steps to strengthen warrant vetting on an interim basis.
Recommendation 17: NSIRA recommends that CSIS regional warrants coordinator positions receive adequate training, and that CSIS professionalize the position and enable warrant coordinators to more effectively translate the content of warrants into advice on warrant execution.
Agree. CSIS acknowledges the importance of training and of centers of expertise. CSIS is determining training requirements.
Recommendation 18: NSIRA recommends that CSIS adequately resource and regularly deliver evergreen scenario-based training programs for all CSIS employees, including;
annual, comprehensive, warrant training for all operational employees;
specialized onboarding training for all employees not part of the Intelligence Officer program; and
continued long-term training for all specialized personnel.
Agree. CSIS is committed to improving the training offered to all of its employees, as recommended. Scenario-based training, which helps employees understand the application of policies and procedures, is now an integral part of operational training, which includes the development of an annual operational workshop. A recently approved business case will significantly increase staffing in Learning & Development to further enable training of CSIS employees. This business case includes the creation of a new position responsible for developing an enhanced onboarding for all newly hired employees, as well as the creation of new positions to create and deliver additional learning opportunities for all operational employees. Cross- reference recommendations 3 and 14.
Recommendation 19: The recommendations within this review should be treated as a coherent package and that progress and outcomes in implementing these recommendations be tracked, allowing management, the Ministers of Public Safety and of Justice, and NSIRA, to assess the efficacy of reforms and course-correct if necessary.
Agree. PS, CSIS, and Justice are committed to taking a holistic approach to the implementation of the recommendations and will track and course correct as required in this complex operating environment.
Recommendation 20: The full classified version of this report be shared with the designated judges of the Federal Court.
Partially agree. The Attorney General of Canada has shared the full report, redacted for solicitor- client privilege, with the designated judges of the Federal Court of Canada.
Annex D: Statistics on complaints investigations
January 1, 2022, to December 31, 2022
INTAKE INQUIRIES
75
New complaints filed
75
National Security and Intelligence Review Agency Act (NSIRA Act), section 16, Canadian Security and Intelligence Service (CSIS) complaints
Ottawa, Ontario, October 7, 2022 – The third Annual Report of the National Security and Intelligence Review Agency (NSIRA) was tabled in Parliament today, October 7, 2022.
NSIRA’s 2021 Annual Report focuses on our progress and activities in our second full year of operation. During this time, we pursued the reform of our processes and methods for doing review and investigations, both of which helped us improve the consistency and efficiency of our work.
This report highlights key findings and recommendations. The report also presents our intention to use future annual reports to publicly assess and track the implementation of previous recommendations, in accordance with our continued commitment to transparency and public engagement. Review highlights include:
Four reviews of important areas of CSIS activities, notably CSIS threat reduction measures (TRMs) and technical capabilities, as well as the manner in which CSIS seeks and receives legal service from de Department of Justice and prepares and executes the warrants it needs to collect information. An annual compliance review of CSIS’s activities was also completed;
CSE activities, notably CSE’s governance framework that guides the conduct of active and defensive cyber operations, internal information sharing, and CSE disclosures of Canadian-identifying information (CII);
DND/CAF Defense Intelligence Enterprise and a follow-up review of the Canadian Forces National Counter-Intelligence Unit;
Two specifically mandated multi-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and sharing of information within the federal government under the Security of Canada Information Disclosure Act; and,
One multi-departmental review relating to the collection and use of biometrics in the “border continuum”.
In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act. NSIRA also completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.
NSIRA’s 2021 Annual Report also discusses our organization’s underlining goals and values, and highlights how the organization continued to grow in size and capacity throughout the year, and sought to enhance its technical and subject-matter expertise.
On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our third annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2021, as well as our findings and recommendations.
In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with relevant deputy heads, in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, nation al defence or international relations, or is information that is subject to solicitor-client privilege, the professional secrecy of advocates and notaries, or to litigation privilege.
Yours sincerely,
The Honourable Marie Deschamps, C.C.
Chair // National Security and Intelligence Review Agency
Message from the members
The National Security and Intelligence Review Agency (NSIRA) is pursuing its mission of enhancing accountability for national security and intelligence activities in Canada. In 2021, our agency continued to grow in size and improved its ability to fully take advantage of its broad review and investigations mandate covering the national security and intelligence activities of departments and agencies across the federal government.
It is our pleasure to present to you our third annual report in which we discuss our progress and activities in our second full year of operation. Despite the recurrent challenges posed by the COVID-19 pandemic and delays caused by a cyber incident, we completed a wide array of reviews and investigations, and continued improving our processes across the agency. Indeed, we pursued the reform of our processes and methods for doing reviews and investigations, both of which helped us to improve the consistency and efficiency of our work tremendously. These reforms, in conjunction with our growing experience, have allowed us to implement and deliver on our review plan. All of this was made possible by the development of a much stronger corporate policy framework backed by a corporate group that really cares about service delivery and the health of the agency.
In accordance with our continued commitment to transparency and public engagement, this report will present our intention to use future annual reports to publicly assess and track the implementation of previous recommendations. In the same spirit of holding us and the reviewed organizations accountable, we also formalized standards that will allow us to assess the timeliness of responses. It is our hope that these initiatives, in addition to the stringent verification process to assess our confidence in each review that we are currently developing, will inspire confidence and trust in our recommendations and findings.
We would like to thank the staff of NSIRA’s Secretariat for their efforts, patience and resilience throughout this challenging year and we hope you share our enthusiasm for what we can accomplish in the year ahead.
Marie Deschamps Craig Forcese Ian Holloway Faisal Mirza Marie-Lucie Morin
Executive Summary
The National Security and Intelligence Review Agency (NSIRA) marked its second full year in operation in 2021. With the agency’s broad jurisdiction under the National Security and Intelligence Review Agency Act (NSIRA Act), it reviewed and investigated national security and intelligence matters relating to not only the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also several federal departments and agencies, including:
the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
the Royal Canadian Mounted Police (RCMP);
Immigration, Refugees and Citizenship Canada (IRCC);
the Canada Border Services Agency (CBSA);
Transport Canada; and
all departments and agencies engaging in national security and intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.
In 2021, NSIRA continued to grow in capacity and sought to enhance its technical and subject-matter expertise.
Review highlights
Canadian Security Intelligence Service
Over the course of 2021, NSIRA completed four reviews that strengthened its knowledge of important areas of CSIS activity:
a review of the cultural, governance and systemic issues arising in the context of the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information;
a survey of CSIS’s suite of technical capabilities, along with its associated governancestructure, and areas of interest or concern to which NSIRA may return in future reviews;
the second annual review of CSIS’s Threat Reductions Measures (TRMs) that expandson findings from the previous review by examining a larger number of TRMs; and
an annual compliance review of CSIS’s activities.
Communications Security Establishment
In 2021, NSIRA completed two reviews of CSE activities, and directed CSE to conduct one departmental study:
a review of CSE’s governance framework that guides the conduct of active and defensive cyber operations, including whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations;
a review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance aspect of its mandate; and
a departmental study on whether CSE disclosures of Canadian-identifying information were conducted in a manner that complies with the Communications Security Establishment Act, and were essential to international affairs, defence, security or cybersecurity.
Department of National Defence and the Canadian Armed Forces
In 2021, NSIRA completed two reviews of the DND/CAF:
a scoping exercise to gain foundational knowledge of the Defence Intelligence Enterprise, where a significant part of intelligence functions of the DND/CAF are located; and
a follow-up review on the previous year’s examination of the Canadian Forces National Counter-Intelligence Unit, with emphasis on operational collection and privacy practices.
Multi-departmental reviews
NSIRA conducted two specifically mandated multi-departmental reviews in 2021:
a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
a review of information sharing within the federal government under the Security of Canada Information Disclosure Act.
NSIRA also completed a multi-departmental review under its general mandate to review any activity carried out by a department that relates to national security or intelligence:
to map the collection and use of biometrics across several federal government departments and agencies in security and intelligence activities related to international travel and immigration, that is, the “border continuum.”
Complaints investigations
In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act.
Further, the COVID-19 pandemic contributed to delays in NSIRA’s investigations by reducingparties’ responsiveness in providing access to information and evidence.
In 2021, NSIRA completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.
Introduction
1.1 Who we are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities. Prior to NSIRA’s creation, several gaps existed in Canada’s national security accountability framework. Notably, NSIRA’s predecessor review bodies did not have the ability to collaborate or share their classified information but were each limited to conducting reviews for their specified department or agency.
By contrast, NSIRA has the authority to review any Government of Canada national security or intelligence activity in an integrated manner. As noted in the 2019 annual report, with NSIRA’s expanded role, Canada now has one of the most extensive systems for independent review of national security.
1.2 Mandate
NSIRA has a dual mandate to conduct reviews and investigations of Canada’s national security and intelligence activities. Annex B contains a financial and administrative overview of NSIRA.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice.
Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA. Annex C contains summaries of the reviews completed in 2021.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Reviews of CSIS and CSE will always remain a core part of NSIRA’s work since the entire focus of these organizations is to address national security and intelligence matters. Unlike its predecessor review bodies, however, NSIRA has an all-encompassing review mandate. NSIRA will thus continue to prioritize and examine how other departments engaging in national security and intelligence activities meet their obligations. NSIRA reviews help keep Parliament and Canadians informed about the lawfulness and reasonableness of Canada’s national security and intelligence activities.
Investigations
In addition to its review mandate, NSIRA is responsible for investigating national security- or intelligence-related complaints. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:
the activities of CSIS or CSE;
decisions to deny or revoke certain federal government security clearances; and
ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.
This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism) and the Canadian Human Rights Commission.
Reviews
2.1 Canadian Security Intelligence Service reviews
Overview
NSIRA has a mandate to review any Canadian Security Intelligence Service (CSIS) activity. The NSIRA Act requires NSIRA to submit a classified annual report to the Minister of Public Safety and Emergency Preparedness on CSIS activities each year, including information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.
In 2021, NSIRA completed four reviews of CSIS, summarized below. NSIRA also began two more reviews: one of CSIS’s Justification Framework and the other of CSIS’s Dataset Regime. Several other ongoing NSIRA reviews contain a CSIS component.
Review arising from the Federal Court’s decision in 2020 FC 616, Rebuilding Trust: Reforming the CSIS Warrant and Department of Justice Legal Advisory Processes
In a 2020 decision (2020 FC 616), the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.” Based on that recommendation, the Minister of Public Safety and Minister of Justice referred the review to NSIRA pursuant to paragraph 8(1)(c) of the NSIRA Act. Acting on this reference and relying on its own jurisdiction, NSIRA therefore reviewed the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information.
This review found an intelligence service and its counsel who struggle to organize themselves in a manner that enables them to meet their legal obligations, including to the Federal Court. NSIRA also found a failure at CSIS to fully and sustainably professionalize the warrant application process as a specialized trade requiring training, experience and investment. This review also demonstrated the need to transform the relationship between CSIS and its legal counsel.
This review was led by NSIRA members Marie Deschamps and Craig Forcese. One or both members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. This included dozens of confidential interviews with Department of Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings.
In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic and cultural issues that contribute to inefficiencies threatening the ability of CSIS and the Department of Justice to fulfil their mandates.
NSIRA heard repeated concerns from interviewees that these problems put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges urgently is in the public interest. Though CSIS and the Department of Justice have made improvements, difficulties are still evident.
NSIRA grouped its findings and recommendations into three overarching areas:
the Department of Justice’s provision of legal advice;
CSIS’s and the Department of Justice’s management of the warrant acquisition process; and investment in people.
The Department of Justice’s provision of legal advice
CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. The Department of Justice provides CSIS with legal advice on national security matters via the National Security Litigation and Advisory Group (NSLAG). This review highlighted factors that prevent NSLAG from providing CSIS with the legal advice it needs.
The Department of Justice has employed a centralized “one voice” model for delivering its legal services. The one voice model reflects a desire for uniform and consistent legal advice delivered on behalf of the Attorney General of Canada. Although the premise for the one voice approach is sound, NSIRA found that NSLAG struggled to provide timely, responsive and useful legal advice in the CSIS context. The way the Department of Justice provides advice has often not been responsive to CSIS operations. For example, NSLAG presents its advice as a legal risk assessment using the Department of Justice-wide Legal Risk Management grid. This grid uses a colour-coded risk rating that can be compared to a “traffic light” system: a green risk rating represents a low legal risk to CSIS, a red risk rating represents a high legal risk, and, more ambiguously, a yellow risk rating represents an intermediate legal risk. Yellow light responses are reportedly the most common and the most frustrating for CSIS, especially when unaccompanied by discussions on how to mitigate the risk, the inclusion of which NSIRA heard is not currently common practice.
Therefore, some at CSIS perceive the Department of Justice as presenting a roadblock because of its bureaucracy, its perceived operational illiteracy and its unhelpful approach to communicating legal advice.
However, the problems with timely, responsive and useful legal advice do not stem from the Department of Justice alone. NSIRA heard that CSIS has not always shared all relevant information with the Department of Justice, prompting a degree of mistrust. The internal process for requesting legal advice at CSIS also contributes to delays and lack of relevance. The advice that sometimes comes back to operational investigators at CSIS filtered through bureaucratic hierarchies may be of limited relevance.
NSIRA heard that the laborious advice-seeking and -receiving process has sometimes caused [discussion of detrimental effects on and risks to operations].
CSIS and the Department of Justice often operate in a situation of legal doubt because of lack of clarity in the law. Clarifying legal standards often requires judicial case law. However, an unwieldy warrant process, discussed below, makes that prospect more difficult.
The Department of Justice is aware of the need for change. Broad, recent initiatives include the Vision Project, which promises client-centric strategic partnerships. New procedures have been implemented at NSLAG to address internal silos between advisory and litigation counsel, and to improve training, improve access to legal advice and facilitate consistent legal opinions. NSLAG also appears to recognize the desire for a different approach to providing legal advice, including moving toward legal advice that promotes collaborative and iterative engagement with CSIS in order to achieve its operational goals, within the bounds of the law. However, as of fall 2021, it did not appear that CSIS and the Department of Justice had systematically put this model into effect.
To facilitate proper advice-giving, CSIS needs to provide NSLAG with all the facts, and to engage NSLAG early on, at the operational level. Earlier and ongoing involvement throughout the stages of an investigation or operation would enable counsel to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. A more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.
Management of the warrant process
CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. A number of legal concepts and expectations enter into the warrant process, including the “duty of candour” owed to the Court.
The Federal Court duty of candour concerns fit into two categories: disclosure of information material to the credibility of the sources who supply information used in the application; and disclosure of information material to matters of potential concern about the broader context of the warrant and how it will be executed.
Despite past attempts at reforms, the current warrant process adopted by CSIS and supported by the Department of Justice has repeatedly failed to meet these candour obligations. Many reforms appear to have contributed to the bureaucratic complexity of the warrant process, without addressing candour issues.
CSIS has especially struggled to ensure that all information material to the credibility of sources is properly included in warrant applications. NSIRA heard repeatedly that CSIS officers involved in the early stages of preparing warrant applications do not clearly understand the legal expectations surrounding the duty of candour. Deficient information management systems related to human sources at CSIS have also resulted in important omissions, violating duty of candour obligations. These challenges produce what NSIRA calls the “recurring omissions” problem.
In 2019, CSIS sought to professionalize affiant work by creating an Affiant Unit. CSIS’s establishment of the Affiant Unit is a critical development and, properly resourced and staffed, it would be well positioned to respond to long-standing problems with the duty of candour. However, when created, the Affiant Unit was placed [Name of Branch]. [Name] has a broad mandate that does not align with the Affiant Unit’s functions in preparing legally robust warrant applications. This governance anomaly may explain the Affiant Unit’s present administrative and human resource challenges. The Affiant Unit’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as being in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission.
Warrants counsel at NSLAG have several key roles in the warrant application process and are intimately implicated in ensuring adherence to the duty of candour. Fostering a strong, collaborative and productive relationship with CSIS is key. Morale among NSLAG warrants counsel may have suffered in light of the recent Federal Court decision that prompted this review. With recent staffing increases, it appears that NSLAG currently has the requisite complement to manage the number of annual warrant applications expected from CSIS, but recruitment challenges remain an ongoing issue. NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the lack of availability of warrants counsel.
The warrant application process is meant to be strengthened through a review of the near- final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the Department of Justice’s National Security Group. The role was originally envisioned as performing a rigorous challenge of the warrant application. However, the primary role of the IC appears to be more clerical than substantive, designed to cite check rather than assertively perform a devil’s advocate function.
NSIRA believes that the presence of a rigorous challenge function performed by a knowledgeable, adequately supported lawyer distant from the warrant application is valuable and necessary. However, NSIRA proposes that the current IC model be abandoned in favour of a challenge function performed at Public Safety Canada, whose precise role is that of oversight of the CSIS warrant application process.
Working with the Public Safety Canada unit charged with warrant review, an experienced and specialized warrant counsel could perform a genuine challenge role to the warrant, analogous to the role a defence lawyer would play were warrants subject to an adversarial process. NSIRA believes that a testing review of this sort will help forestall duty of candour shortcomings stemming from a failure to disclose fully information material to matters of potential concern about the broader context of the warrant and how it will be executed.
Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the warrant. However, the CSIS regional warrant coordinators have not received sufficient training to enable the contents of warrants to be translated into advice on proper execution.
Investment in people
Concern about inadequate training at CSIS was a recurring theme in this review. This concern was noted in internal CSIS documents. CSIS acknowledges that it is currently not a learning organization and does not have a learning culture. There are too few training opportunities required to sustain a modern professional intelligence service operating in a complex environment.
Conclusions
This report concluded with observations on cross-cutting cultural and governance challenges that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and performing the mission.
Low morale at CSIS was a common theme throughout this review. The systemic problems in the warrant application process are likely one cause of this problem: morale is affected when a warrant acquisition system repeatedly prevents CSIS officers from performing their mandated duties and is the source of regular reputational crises stemming from failures to meet the duty of candour.
Meanwhile, a failure to correct problems with the warrant process impairs CSIS’s and the Department of Justice’s abilities to fulfil their mandates. The Department of Justice must go from being perceived as a roadblock to a frank and forthright advisor fully attuned to operational objectives.
Within CSIS, the warrant application process was sometimes likened to winning a lottery — not because the Federal Court declines to issue warrants, but because of the resources required to prepare and complete the application. The current, laborious warrant application process is preventing some collection activities from moving forward.
In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated cultural and governance patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process.
Cherry-picked or paper-based reforms that mask without addressing the overarching systemic, cultural, and governance challenges will suffer the fate of prior reforms: the problems will continue.
NSIRA intends to launch a follow-up review within two years that will measure progress at CSIS, the Department of Justice and Public Safety Canada in resolving the systemic problem with the warrant process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court. NSIRA’s full redacted report can be read on its website.4
Response to NSIRA’s recommendations
NSIRA’s recommendations, the management response of CSIS, Public Safety Canada and the Department of Justice, and other details about this review are found in Annex D of this report.
Study of CSIS Technical Capabilities
Canada’s national security threat landscape is constantly evolving and changes in technology present CSIS with a variety of new investigative opportunities. Consequently, CSIS must develop and acquire new technical capabilities, as well as adapt (repurpose) existing tools to support its mandated collection activities. This process presents potential compliance risk, as CSIS’s existing governance and legal frameworks may not capture the new deployment or adaptation of these technical capabilities. Furthermore, certain personnel and supporting legal counsel may not fully understand how these tools are used operationally, impacting their ability to advise whether or not CSIS has the legal and policy framework required to support use of the technology. These risks require NSIRA to maintain up-to-date knowledge of CSIS’s technical capabilities and related warrant powers.
NSIRA’s survey of CSIS technical capabilities offers a first step in this endeavour by surveying CSIS’s suite of capabilities, along with its associated governance structure, and identifying areas of interest or concern to which NSIRA may return in future reviews.
Reality of the risks
NSIRA’s review of CSIS’s use of a geolocation tool found that the lack of “developed policies and procedures around the assessment of new and emerging collection technologies” directly contributed to the risk that CSIS had breached section 8 of the Canadian Charter of Rights and Freedoms while testing the tool.
– NSIRA Study 2018-05
The full range of technical capabilities CSIS currently employs in support of its intelligence collection operations was examined. NSIRA reviewed relevant policy and legal frameworks as communicated by CSIS but did not conduct an independent verification or audit of the claims or activities themselves. NSIRA also examined the tripartite information/knowledge sharing and support nexus that exists between CSIS’s operational branches, technological branches and CSIS’s Department of Justice counsel with regard to the deployment of capabilities in support of operations.
In addition to the foundational knowledge NSIRA gained of CSIS’s technical capabilities, NSIRA made several observations identifying areas of interest for possible future reviews. For example, NSIRA noted, and CSIS agreed, that the main policy suite related to the use of technical capabilities is outdated and under revision, though the timeline for completing this task is unclear.
In the interim, the policy suite is buttressed as required by directives from senior leadership and other relevant policies and practices. The lack of up-to-date policies and procedures may result in heightened compliance risks, an issue of interest to future NSIRA reviews.
In addition, CSIS is currently reworking the framework it uses to assess compliance and risk in this area. CSIS indicated that greater efficiencies in addressing stakeholder needs and compliance gaps could be achieved through new initiatives such as the creation of the Operational Technology Review Committee, which was created in May 2021. This committee’s objective is to review all new technologies used to collect intelligence and existing technologies that will be used in a new or different manner. The creation of the Operational Technology Review Committee suggests a positive step toward mitigating the risk of compliance breaches related to the deployment of technologies in support of operations. Most obviously, it presents a forum in which potential risks can be proactively identified and mitigated. The evolving nature of how compliance is monitored in relation to technical capabilities will be of interest to NSIRA moving forward.
Further questions exist regarding how CSIS monitors the operational value of technical capabilities. CSIS needs to strengthen its performance metrics program with regard to its deployment of technologies in support of operations. A performance measurement regime, currently under development, will become an important feature of the governance framework, with attendant compliance implications for possible future NSIRA reviews.
Overall, it will be important for NSIRA to remain up to date with respect to the technical aspects of CSIS intelligence collection operations, particularly given the speed with which technology and associated technical capabilities evolve.
As part of this effort, it may be possible to leverage existing reporting requirements already undertaken by CSIS. For example, Section 3 of the Ministerial Direction to the Canadian Security Intelligence Service: Accountability (September 10, 2019) requires CSIS to inform the Minister of Public Safety of operational activities in which “a novel authority, technique or technology is used.” These notifications could provide NSIRA with ongoing and up-to-date knowledge of CSIS’s capability suite and how/when technologies are deployed operationally. Furthermore, sharing the notifications would bolster CSIS’s efforts toward proactive transparency, which are in line with commitments to provide explanatory briefings to the Federal Court on new technologies used in warranted operations.
NSIRA has recommended that the full, unredacted, version of this technical survey be shared with the designated judges of the Federal Court.
Review of CSIS Threat Reduction Activities: A Focus on Information Disclosure to External Parties
Under the Anti-terrorism Act, 2015, CSIS was granted the authority to undertake threat reduction measures (TRMs). NSIRA is required to review, annually, at least one aspect of CSIS’s performance in the use of its threat reduction powers. NSIRA recognizes that CSIS’s threat reduction powers can be an effective tool to diminish a national security threat; however, these powers also command heightened responsibility, given their nature and ability to profoundly impact, not only the subject of a given TRM, but others potentially captured by its scope.
This year, NSIRA produced its second annual review of CSIS’s TRMs. This review sought to expand on findings from the previous review by examining a larger number of TRMs, wherein CSIS disclosed information to external parties, and in doing so, provided the external party the opportunity to take action, at their discretion and pursuant to their authorities, to reduce identified threats. This review studied the characteristics of these particular TRMs but focused its examination on the extent to which CSIS appropriately identified, documented and considered any plausible adverse impacts that these measures could have on affected individuals.
NSIRA observed that several different kinds of external parties were involved in the TRMs. These external parties had varied levers of control through which they could take action to reduce a threat.
NSIRA found that CSIS’s documentation of the information disclosed to external parties as part of TRMs was inconsistent and, at times, lacked clarity and specificity. NSIRA also found that CSIS did not systematically identify or document the authorities or abilities of external parties to take action, or the plausible adverse impacts of the TRM. NSIRA also found that CSIS did not always document the outcomes of a specific TRM, or the actions taken by external parties to reduce a threat.
Without robust documentation, CSIS is neither capable of assessing the efficacy of its measures nor appreciating the full impact of its actions related to these measures.
NSIRA recommended that when a TRM involves the disclosure of information to external parties, CSIS should clearly identify and document the scope and breadth of information that will be disclosed as part of the proposed measure. NSIRA recommended that CSIS should also fully identify, document and consider the authority and ability of the external party to take specific action to reduce a threat, as well as the plausible adverse impacts of the measure. Beyond recommending that CSIS comply with its record-keeping policies, NSIRA recommended that CSIS amend its TRM policy to include a requirement to systematically document the outcomes of TRMs, including actions taken by external parties. This practice should inform post-action assessments and future decision-making.
In addition, NSIRA found that the current assessment framework employed as part of the TRM approval process is overly narrow and does not sufficiently consider the full impact of CSIS TRMs. NSIRA recommended that CSIS consider plausible adverse impacts resulting not only from CSIS disclosures of information, but also from the actions of external parties as part of TRMs.
The variety of impacts observed in this year’s review, combined with the gaps identified in CSIS’s understanding and assessment of these impacts, highlights the salience of a number of NSIRA’s recommendations made in 2020. NSIRA reiterated its 2020 recommendation that CSIS consider more comprehensively the plausible adverse impacts of these types of measures on the affected individuals, even when they are carried out by the external party and not CSIS. These impacts should be considered not only when assessing the reasonableness and proportionality of a proposed measure, but also when determining whether a warrant is required.
The Canadian Security Intelligence Service Act (CSIS Act) is clear that when a proposed TRM would limit a right or freedom protected in the Canadian Charter of Rights and Freedoms, or would otherwise be contrary to Canadian law, CSIS must seek a judicial warrant. NSIRA fundamentally disagrees with CSIS’s understanding of and approach to the legal analysis of determining whether a warrant is required for proposed TRMs. In 2020, CSIS responded to this recommendation by stating, “the Department of Justice will consider this recommendation and factor it into its work related to TRMs under the CSIS Act.”
Going forward, NSIRA recommended that CSIS seeks a warrant when a proposed TRM could infringe on an individual’s Charter rights, or where it would otherwise be contrary to Canadian law, regardless of whether the activity would be conducted by CSIS directly, or via an external party to whom CSIS discloses information.
NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and pursue necessary additional inquiries. For that reason, NSIRA has a high level of confidence in the information used to complete this review. NSIRA would also like to recognize CSIS’s timeliness in responding to NSIRA’s requests for information throughout the course of this review.
Response to NSIRA’s recommendations
NSIRA’s recommendations, the management response of CSIS and other details about this review are found in Annex D of this report.
NSIRA’s annual review of CSIS activities
In accordance with the CSIS Act, CSIS is required to provide information to NSIRA on specific activities. In response, NSIRA has developed a process to examine this information throughout the year and highlight any significant observations as part of NSIRA’s annual reporting obligations to the Minister of Public Safety. This process aims to keep NSIRA informed of key CSIS activities so that it can identify emerging issues and compliance gaps in a timely manner, and plan reviews and annual reporting obligations. Furthermore, this process facilitates additional scrutiny of these activities, as necessary, to assess for compliance, reasonableness and necessity.
In 2021, NSIRA formalized this process and initiated an annual review pursuant to its review mandate (paragraph 8(1)(a) of the NSIRA Act). To enhance transparency, NSIRA requested additional categories of information from CSIS, including approved warrant applications, compliance reports, internal audits and evaluations, and communications between CSIS and the Federal Court and CSIS and the Minister of Public Safety. These additional categories sought to ensure that NSIRA has the benefit of specific policy and governance information beyond that which CSIS is legislatively required to provide.
NSIRA found that CSIS met its legislated reporting requirements; however, these requirements do not always translate into information that can be used for assessments by NSIRA. Notably, CSIS did not provide information on the additional categories of activities requested by NSIRA. Conversations to address these gaps will continue in 2022.
In 2022, NSIRA will continue its review of CSIS activities with the support of the information from CSIS as required under the CSIS Act and the NSIRA Act.
Statistics
NSIRA requested that CSIS provide for publication statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.
Warrant applications
Section 21 of the CSIS Act authorizes CSIS to make an application to a judge for a warrant if CSIS believes, on reasonable grounds, that more intrusive powers are required to investigate a particular threat to the security of Canada. Warrants may be used by CSIS, for example, to intercept communications, enter a location, and/or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.
NSIRA is aware that difficulties with the warrant acquisition process within CSIS persist. NSIRA’s Review on Rebuilding Trust: Reforming the CSIS Warrant and Justice Legal Advisory Process found that the current warrant process continues to be overly burdensome, despite attempts at reform. The review found a failure at CSIS to professionalize the warrant application process fully and sustainably. The lack of clear accountability and clear communication combined with excessive complexity have contributed to the problems facing this process. The review made a number of findings and recommendations related to systemic problems with CSIS’s warrant process.
Section 21 warrant applications made by CSIS, 2018 to 2021
2018
2019
2020
2021
Approved warrants Total
24
23
15
31
New warrant
10
9
2
13
Replacements
11
12
8
14
Supplemental
3
2
5
4
Denied total
0
1
0
0
Threat reduction measures (TRMs)
Section 12.1 of the CSIS Act authorizes CSIS to take measures to reduce threats to the security of Canada, within or outside Canada. CSIS is authorized to seek a judicial warrant if it believes that certain intrusive measures (outlined in subsection 21 (1.1) of the CSIS Act) are required to reduce the threat. To date, CSIS has sought no judicial authorizations to undertake warranted TRMs.
NSIRA’s first two reviews of CSIS’s use of threat reduction measures found that CSIS did not sufficiently consider the full impact of the measure as part of the approval process for these activities. More specifically, these impacts were not explicitly considered when determining whether a warrant may be required. As already noted, NSIRA expects that when CSIS is proposing a TRM where an individual’s Charter rights would be limited or the TRM would otherwise be contrary to Canadian law, whether CSIS is undertaking the TRM directly or whether it will be executed by an external party, CSIS will seek a warrant to authorize the TRM.
Threat reduction measures approved, executed by CSIS and warranted, 2015 to 2021
2015
2016
2017
2018
2019
2020
2021
Approved TRMs
10
8
15
23
24
11
23
Executed
10
8
13
17
19
8
17
Warranted TRMs
0
0
0
0
0
0
0
CSIS targets
CSIS is mandated to investigate threats to the security of Canada, including espionage; foreign-influenced activities; political, religious or ideologically motivated violence; and subversion. Section 12 of the CSIS Act sets out criteria permitting CSIS to investigate an individual, group or entity for matters related to these threats. Sub jects of a CSIS investigation, whether they be individuals or groups, are called “targets.”
CSIS targets, 2018 to 2021
2018
2019
2020
2021
Number of targets
430
467
360
352
Datasets
Data analytics is a key investigative tool for CSIS, providing it with the capacity to make connections and identify trends that are not possible through traditional methods of investigations. The National Security Act, 2017, which was passed by Parliament in June 2019, gave CSIS a suite of new powers including a legal framework for the collection, retention and use of datasets. The framework authorizes CSIS to collect datasets (sub- divided into Canadian, foreign and publicly available datasets) that have the ability to assist CSIS in the performance of its duties and functions. It also establishes safeguards for the protection of Canadian rights and freedoms, including privacy rights. These protections include enhanced requirements for ministerial accountability. Depending on the type of dataset, CSIS must meet different requirements before it is able to use the dataset.
The CSIS Act also requires CSIS to keep NSIRA apprised of certain dataset-related activities. Reports prepared following the handling of datasets are to be provided to NSIRA, under certain conditions and within reasonable timeframes. While CSIS is not required to advise NSIRA of judicial authorizations or ministerial approvals for the collection of Canadian and foreign datasets, CSIS has been proactively keeping NSIRA apprised of these activities.
While this new framework has provided opportunities to execute CSIS’s mandate to investigate threats, CSIS noted in its 2020 Public Annual Report that the current legislative framework is not without its challenges. NISRA is currently reviewing CSIS’s implementation of its dataset regime. The results of this review will inform Parliament’s review of the National Security Act, 2017.
Datasets evaluated by CSIS, approved or denied by the Federal Court or Intelligence Commissioner, and retained by CSIS, 2019 to 2021
2019
2020
2021
Publicly available datasets
Evaluated
8
11
4
Retained
8
11
215
Canadian datasets
Evaluated
10
0
2
Retained by CSIS
0
0
016
Denied by the Federal Court
0
0
0
Foreign datasets
Evaluated
8
0
0
Retained by CSIS
0
1
117
Denied by Minister
0
0
0
Denied by IntelligenceCommissioner
0
0
0
Justification Framework
The National Security Act, 2017, also created a legal justification framework for CSIS’s intelligence collection operations. The framework establishes a limited justification for CSIS employees, and persons acting at their direction, to carry out activities that would otherwise constitute offences under Canadian law. CSIS’s Justification Framework is modelled on those already in place for Canadian law enforcement. The Justification Framework provides needed clarity to CSIS, and to Canadians, as to what CSIS may lawfully do in the course of its activities. It recognizes that it is in the public interest to ensure that CSIS employees can effectively carry out its intelligence collection duties and functions, including by engaging in otherwise unlawful acts or omissions, in the public interest and in accordance with the rule of law. The types of otherwise unlawful acts and omissions that are authorized by the Justification Framework are determined by the Minister and approved by the Intelligence Commissioner. There remain limitations to what activities can be undertaken, and nothing in the Justification Framework permits the commission of an act or omission that would infringe a right or freedom guaranteed by the Charter.
According to subsection 20.1 (2) of the CSIS Act, employees must be designated by the Minister of Public Safety in order to be covered under the Justification Framework while committing or directing an otherwise unlawful act or omission. Designated employees are CSIS employees who require the Justification Framework as a part of their duties and functions. Designated employees are justified in committing an act or omission themselves (commissions by employees) and they may direct another person to commit an act or omission (directions to commit) as a part of their duties and functions. NSIRA is currently reviewing CSIS’s implementation of the Justification Framework. The results of this review will inform Parliament’s review of the National Security Act, 2017.
Authorizations, commissions and directions under the Justification Framework, 2019 to 2021
2019
2020
2021
Authorizations
83
147
178
Commissions by employees
17
39
51
Directions to commit
32
84
116
Emergency designations
0
0
0
Compliance
CSIS’s internal operational compliance program leads and manages overall compliance within CSIS. The objective of this unit is to promote a “culture of compliance” within CSIS by investing in information technology (IT) to support the process around warrants, designing an approach for reporting and assessing potential non-compliance incidents, embedding experts in operational branches to provide timely advice and guidance, and producing internal policies and procedures for employees. This program is the centre for processing all instances of potential non-compliance related to operational activities.
NSIRA’s knowledge of CSIS operational non-compliance and associated violations of the Charter is limited to what is contained in the CSIS Director’s Annual Report on Operations to the Minister of Public Safety. NSIRA notes with interest that CSIS reports Charter violations as operational non-compliance. NSIRA will continue to monitor closely instances of non- compliance that relate to Canadian law and the Charter, and to work with CSIS to improve transparency around these activities.
Non-compliance incidents processed by CSIS, 2019 to 2021
2019
2020
2021
Processed compliance incidents19
53
99
85
Administrative
53
64
Operational
4020
19
21
Canadian law
1
Canadian Charter of Rights and Freedoms
6
Warrant conditions
6
CSIS governance
8
CSIS review plan
In 2022, NSIRA is commencing or conducting five reviews exclusively focused on CSIS, one review focused on CSIS and CSE operational collaboration (See 2022 CSE review plan, below), one focused on threat management by CSIS and the RCMP of ideologically motivated violent extremism, and a number of interagency reviews that contain a CSIS component.
In addition to NSIRA’s three legally mandated reviews of the Security of Canada Information Disclosure Act, the Avoiding Complicity in Mistreatment by Foreign Entities Act and CSIS’s TRMs, NSIRA has initiated or is planning the following CSIS reviews:
Justification Framework
This review will assess the implementation of CSIS’s new Justification Framework for activities that would otherwise be unlawful, authorized under the National Security Act, 2017.
Datasets
This review will examine the implementation of CSIS’s dataset regime following the coming into force of the National Security Act, 2017.
CSIS Cover Program
This review would be the first review of CSIS Cover Operations. It will survey the full range of CSIS cover activities and concentrate on building foundational knowledge to allow NSIRA to select specific activities for detailed review in future years.
Ideologically Motivated Violent Extremism
This is a joint CSIS-RCMP review of their respective and joint threat management of ideologically motivated violent extremism. The core of the review will be the interplay between CSIS and the RCMP in the context of ideologically motivatedviolent extremism, and an assessment of whether activities complied with the law, applicable ministerial directions, operational policies, and whether activitieswere necessary and reasonable.
Beyond 2022, NSIRA intends to explore reviews of CSIS on topics including, but not limited to:
the lifecycle of warranted information;
CSIS’s section 16 mandate;
“Strictly Necessary” retention policies; and
CSIS’s Internal Compliance Framework.
Access to CSIS information
Throughout 2021, NSIRA faced differing levels of access and responsiveness in relation to CSIS. COVID-19 related restrictions resulted in considerable delays with receiving requested information and briefings and impeded direct access to NSIRA’s dedicated office space within CSIS Headquarters.
In response to NSIRA’s requests for information, CSIS was transparent in its ability to respond and communicate anticipated delays. When access and staffing levels were no longer restricted, CSIS responses to formal and informal requests related to the Study of Technical Capabilities and the TRM review were timely and complete, and briefings were well administered and provided the requested information.
As mentioned above, throughout 2021, NSIRA did not have consistent access to its dedicated office space within CSIS Headquarters, which is used by NSIRA review, legal and investigation staff. As a result, NSIRA’s direct access to CSIS’s information systems was notably limited. NSIRA was provided various temporary accommodations within CSIS headquarters during this time.
CSIS was able to continue to provide NSIRA members access to its regional offices across Canada throughout 2021, however. This access supported NSIRA members not based in the National Capital Region, whose work often requires secure facilities where they can safely and securely access information relevant to reviews and investigations. NSIRA greatly appreciates the willingness and efforts of CSIS and its regional colleagues in this regard.
2.2 Communications Security Establishment reviews
Overview
NSIRA has the mandate to review any activity conducted by CSE. NSIRA must also submit a classified annual report to the Minister of National Defence on CSE activities, including information related to CSE’s compliance with the law and applicable ministerial directions, and NSIRA’s assessment of the reasonableness and necessity of the exercise of CSE’s powers.
In 2021, NSIRA completed two reviews of CSE, and directed CSE to conduct one departmental study, all of which are summarized below. NSIRA also began five new reviews focused on CSE’s activities that are scheduled for completion in 2022 (see 2022 CSE Review Plan, below). Furthermore, CSE is implicated in other NSIRA multi-departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act (SCIDA) and the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA), the results of which are described below (see Multi-departmental Reviews).
Although the pandemic and other priorities precluded NSIRA from advancing its previous commitments to redacting, translating and publishing reviews of the former Office of the CSE Commissioner, NSIRA remains committed to releasing this material, resources permitting.
Review of CSE’s Governance of Active and Defensive Cyber Operations
The Communications Security Establishment Act (CSE Act) provides CSE with the authority to conduct active cyber operations (ACOs) and defensive cyber operations (DCOs). As defined by the CSE Act, an ACO is designed to “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” A DCO helps protect Canadian federal government systems, or systems deemed by the Minister of National Defence to be important to Canada against foreign cyber threats. ACOs and DCOs are authorized by ministerial authorizations and, due to the potential impact on Canadian foreign policy, require the Minister of Foreign Affairs to consent to an ACO ministerial authorization or be consulted on a DCO ministerial authorization.
In this review, NSIRA assessed the governance framework that guides the conduct of ACOs and DCOs, and whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations. NSIRA analyzed policies and procedures, governance and operational documentation, and correspondence within and between CSE and GAC. The review scope included the earliest available materials pertaining to ACOs and DCOs and ended concurrently with the validity period of the first ACO and DCO ministerial authorizations (2019–2020).
NSIRA incorporated GAC into this review, given the role of the Minister of Foreign Affairs in the ACO and DCO governance structure. As a result, NSIRA gained an understanding of the governance and accountability structures in place for these activities by obtaining unique perspectives from the two departments on their respective roles and responsibilities.
The novelty of these powers required CSE to develop new mechanisms and processes while also considering new legal authorities and boundaries. NSIRA found that both CSE and GAC made considerable efforts in building the ACO and DCO governance structure. In this context, NSIRA has found that some aspects of the governance of ACOs and DCOs could be improved by making them more transparent and clearer.
Specifically, NSIRA found that CSE could improve the level of detail provided to all parties involved in the decision-making and governance of ACOs and DCOs, within documents such as the ministerial authorizations authorizing these activities and the operational plans that are in place to govern their execution. Additionally, NSIRA also identified several gaps that CSE and GAC need to address, and recommended improvements relating to:
engaging other departments to ensure an operation’s alignment with broader
Government of Canada priorities;
demarcating an ACO from a pre-emptive DCO;
assessing each operation’s compliance with international law; and
communicating with each other any newly acquired information that is relevant to the risk level of an operation.
The gaps observed by NSIRA, if left unaddressed, could carry risks. For instance, the broad and generalized nature of the classes of activities, techniques and targets comprising ACOs and DCOs could capture unintended higher-risk activities and targets. Additionally, given the difference in the required engagement of GAC in ACOs and DCOs, misclassifying what is truly an ACO as a pre-emptive DCO could result in a heightened risk to Canada’s international relations through the insufficient engagement of GAC.
While this review focused on the governance structures at play in relation to ACOs and DCOs, of even greater importance is how these structures are implemented and followed in practice. NSIRA made several observations about the information contained within the governance documents developed to date and will subsequently assess how they are put into practice as part of NSIRA’s forthcoming review focused on the operations themselves.
Response to NSIRA’s recommendations
NSIRA’s recommendations and other details about this review are found in Annex D of this report.
Review of Information Sharing across Aspects of CSE’s Mandate
This review examined CSE’s legal authority for sharing information obtained in the course of one aspect of its mandate for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance (cybersecurity) aspect of CSE’s mandate.
NSIRA examined whether CSE’s internal sharing of information relating to a Canadian or a person in Canada (IRTC) is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution, and the CSE Act, which applies to CSE’s incidental collection and use of IRTC. NSIRA concluded that from the descriptions of the aspects in sections 16 and 17 of the CSE Act, sometimes information acquired under one aspect can be used for the same, or a consistent purpose, as another. This would satisfy Privacy Act requirements for sharing information internally. However, this principle cannot simply be assumed to apply as the purposes of the aspects differ within the CSE Act. CSE must conduct case-by-case compliance analysis that considers the purpose of the collection and sharing.
NSIRA considers it necessary for the Chief of CSE’s application for a ministerial authorization to fully inform the Minister of National Defence of how IRTC might be used and analyzed by CSE, including the sharing of IRTC to another aspect, and for what purpose. With one exception, the Chief’s applications for the period of review appropriately informed the Minister that retained IRTC might be used to support a different aspect. Moreover, the foreign intelligence applications appropriately informed the Minister how CSE assessed “essentiality” for IRTC collected under the foreign intelligence aspect.
Under CSE policy, an assessment of IRTC’s relevance, essentiality or necessity to each aspect is required for sharing information across the aspects. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA found that CSE’s policy framework with regards to the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with the CSE Act.
Response to NSIRA’s recommendations
NSIRA’s recommendations, CSE’s management response and other details about this review are found in Annex D of this report.
CSE Departmental Study on Disclosures of Canadian Identifying Information
Following a 2020 review of CSE’s disclosures of Canadian identifying information (CII),21 NSIRA concluded that CSE’s implementation of its disclosure regime under the National Defence Act may not have been in compliance with the Privacy Act. On November 25, 2020, following the release of the review, NSIRA submitted a compliance report to the Minister of National Defence. NSIRA was of the opinion that CSE, as the custodian of incidentally collected CII, has the responsibility to assure itself and to document that both a collection and disclosure authority exist before sharing it with third-party recipients. NSIRA then directed CSE to conduct a departmental study of its disclosure of CII from August 1, 2019, to March 1, 2021.
The purpose of the departmental study was to ensure that disclosures of CII conducted by CSE were conducted in a manner that complies with the CSE Act, and that all disclosures of CII were essential to international affairs, defence, security or cybersecurity.
CSE provided the completed departmental study to the Minister of National Defence on October 8, 2021, with a copy to NSIRA, on November 1, 2021. NSIRA is satisfied that CSE provided a complete accounting of its disclosure regime for the requested period of review and provided a report that meets the objectives detailed in NSIRA’s terms of reference. In doing so, CSE defined its process for assessing and disclosing CII requests to Government of Canada and foreign clients under the CSE Act while also providing an update on relevant changes that have been made to its disclosure regime based on NSIRA’s recommendations from the last CII review.
The production of the departmental study also provided an opportunity for CSE to review the CII disclosure regime from CSE’s own perspective. This process provides NSIRA with a clearer understanding of how CSE manages its program and evaluates its relevant legal authorities. In addition to contributing to NSIRA’s current understanding of CSE’s disclosure regime, the study will also assist in identifying avenues of inquiry for the planned follow-up review of CII scheduled for 2023.
Statistics
To achieve greater public accountability, NSIRA recommends that CSE publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSE operations, as well as display the evolution of activities from year to year.
Ministerial authorizations and ministerial orders
Ministerial authorizations are issued by the Minister of National Defence and authorize specific activities conducted by CSE pursuant to one of the aspects of the CSE mandate. The following table lists the ministerial authorizations issued between 2019 and 2021.
CSE ministerial authorizations, 2021
Type of ministerial authorization
Enabling section of the CSE Act
Number issued in 2019
Number issued in 2020
Number issued in 2021
Foreign intelligence
26(1)
3
3
3
Cybersecurity — federal and non- federal
27(1) and27(2)
2
1
2
Defensive cyber operations
29(1)
1
1
1
Active cyber operations
30(1)
1
1
2
Note: This table refers to ministerial authorizations that were issued in the given calendar years and may not necessarily reflect ministerial authorizations that were in effect at a given time. For example, if a ministerial authorization was issued in late 2020 and remained in effect in parts of 2021, it is counted above solely as a 2020 ministerial authorization.
Ministerial orders are issued by the Minister of National Defence and designate people or organizations with whom CSE can work and share information. For instance, a ministerial order designating non-federal information infrastructures as being of importance to the Government of Canada is required for CSE to carry out certain aspects of its cybersecurity and defensive cyber operations mandate. A ministerial order is also required to designate recipients of CII. The following table lists the three ministerial orders in effect in 2021.
CSE ministerial orders, 2021
Nameof ministerial order
In effect in 2021
Enabling section of the CSE Act
Designating electronic information and information infrastructures of importance to the Government of Canada
1
21(1)
Designating recipients of information relating to a Canadian or person in Canada acquired, used or analyzedunder the cybersecurity and information assurance aspects of the CSE mandate
1
44(1) and45
Designating recipients of Canadian identifying information used, analyzed or retained under a foreign intelligence authorization pursuant to section45 of the CSE Act
1
43 and 45
Foreign intelligence reporting
Pursuant to section 16 of the CSE Act, CSE is mandated to acquire information from or through the global information infrastructure, and to use, analyze and disseminate the information for the purpose of providing foreign intelligence in accordance with the Government of Canada’s intelligence priorities.
According to CSE, it released 3,050 foreign intelligence end-product reports to 1,627 clients across 28 departments or agencies of the Government of Canada in 2021.
Information relating to a Canadian or a person in Canada
As discussed in NSIRA’s Review of Information Sharing Across Aspects of CSE’s Mandate, IRTC includes information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting foreign intelligence or cybersecurity activities under the authority of a ministerial authorization. According to CSE policy, IRTC is any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.
CSE was asked to release statistics or data about the regularity with which IRTC or “Canadian-collected information” is included in CSE’s end-product reporting. CSE responded that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”
Canadian identifying information
CSE is prohibited from directing its activities at Canadians or persons in Canada. However, given the nature of the global information infrastructure and CSE’s collection methodologies, such information may be incidentally acquired by CSE. When used in CSE foreign intelligence reporting, incidentally collected information potentially identifying a Canadian or a person in Canada is suppressed in order to protect the privacy of the individual(s) in question. CSE may release unsuppressed CII to designated recipients when the recipients have the legal authority and operational justification to receive it and when it is essential to international affairs, defence or security (including cybersecurity).
The following table shows the number of requests CSE received for disclosure of CII in 2021.
Number of requests for disclosure of Canadian identifying information, 2021.
Type of request
Number
Government of Canada requests
741
Five Eyes27 requests
90
Non-Five Eyes requests
0
Total
831
CSE was also asked to release the number of instances where CII is suppressed in CSE foreign intelligence or cybersecurity reporting. CSE indicated that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”
Privacy incidents and procedural errors
A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. CSE tracks such incidents via its Privacy Incidents File, Second-party Privacy Incidents File and Minor Procedural Errors File.
The following table show the number of privacy incidents and procedural errors CSE tracked in 2021.
CSE privacy incidents and procedural errors, 2021
Type of incident
Number
Privacy incidents
96
Second-party privacy incidents
33
Minor procedural errors
18
Cybersecurity and information assurance
Pursuant to section 17 of the CSE Act, CSE is mandated to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions, as well as non-federal entities which are designated by the Minister as being of importance to the Government of Canada.
CSE was asked to release statistics or data characterizing CSE’s activities related to the cybersecurity and information assurance aspect of its mandate. CSE responded that:
Generally, the Canadian Centre for Cyber Security does not comment on specific cyber security incidents, nor do we confirm businesses or critical infrastructure partners that we work with or provide statistics on the number of reported incidents. Statistics on cyber incidents, including cybercrime, are predicated upon victims coming forward, which is not an accurate reflection of the Canadian environment.
CSE and its Canadian Centre for Cyber Security work every day to defend Government of Canada systems from cyber attacks. On any given day, CSE’s dynamic defence capabilities block up to seven billion reconnaissance scans on these systems.
Defensive and active cyber operations
Pursuant to section 18 of the CSE Act, CSE is mandated to conduct DCOs to help protect electronic information and information infrastructures of federal institutions, as well as non- federal entities that are designated by the Minister of Defence as being of importance to the Government of Canada from hostile cyber attacks.
Pursuant to section 19 of the CSE Act, CSE is mandated to conduct ACOs against foreign individuals, states, organizations or terrorist groups as they relate to international affairs, defence or security.
CSE was asked to release the number of DCOs and ACOs approved during 2021. CSE responded that it is “not in a position to provide this information for publication by NSIRA, as doing so would be injurious to Canada’s international relations, national defence and national security.”
Technical and operational assistance
As part of the assistance aspect of CSE’s mandate, CSE receives Requests for Assistance from Canadian law enforcement and security agencies, as well as from the DND/CAF.
The following table shows the number of requests for assistance CSE received and acted on in 2020 and 2021.
CSE requests for assistance received and acted on, 2020 and 2021
Requests for assistance
2020
2021
Number received
24
35
Number acted on
23
32
2022 CSE review plan
In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, both of which implicate CSE, NSIRA has initiated or is planning the following five reviews of CSE:
Review of CSE’s Internal Security Program (Safeguarding)
This review will examine how CSE safeguards its employees, information and assets. It will explore the ways in which CSE mitigates internal security risks through inquiries and investigations, and in particular, the use of the polygraph as a tool in the security screening process. This review will alsoassess CSE’s compliance with Treasury Board security policies and directives, as well as the adequacy of, adherence to and effectiveness of CSE’s internal processes used to address potential or actual security incidents, violations and breaches of security.
Review of Cybersecurity — Network-Based Solutions
This will be NSIRA’s first review focused on the cybersecurity and information assurance aspect of CSE’s mandate. It will explore the use of a specific tool: Network Based Solutions as outlined within the cybersecurity ministerial authorization.
Review of Active and Defensive Cyber Operations — Part 2 (Operations)
This review is the continuation of NSIRA’s examination of CSE’s active and defensive cyber operations conducted prior to July 30, 2021. The first review focused on the internal policies and procedures governing CSE’s use of active and defensive cyber operations. This review builds on NSIRA’s previous work and will focus on the implementation of these governance structures in actual operations.
Review of a Program under the Foreign Intelligence Mandate
This is a review of a classified program under the foreign intelligence aspect of CSE’s mandate. Thisprogram is authorized by a ministerial authorization, which also sets out its parameters.
Review of CSE-CSIS Operational Collaboration
This review will examine operational collaboration between CSE and CSIS, both under the assistance aspect of CSE’s mandate, but also as it relates to joint operational activities coordinated between them under each agency’s respective mandates.
Beyond 2022, NSIRA intends to review topics including, but not limited to:
a CSE collection program conducted under a ministerial authorization; and
CSE’s Equities Management Framework.
Access to CSE information
In its 2020 Public Annual Report, NSIRA noted that it was seeking to formalize CSE’s provision of specific categories of information on a regular basis, such as ministerial authorizations, orders and directives, which would be used to ensure compliance of activities and to inform the conclusions NSIRA provides in the annual classified report to the Minister of National Defence. NSIRA will commence this review, called the annual compliance review of CSE, in 2022. NSIRA is pleased to report that CSE has already begun the process of providing the requested information.
NSIRA also previously reported that a lack of comprehensive and independently verifiable access to CSE’s information repositories posed a significant challenge to NSIRA’s ability to review CSE’s activities. In 2021, this challenge persisted.
In 2021, NSIRA sought to develop direct access to CSE information repositories, further to NSIRA’s “trust but verify” review model. With the exception of dedicated office space, which NSIRA continues to utilize at CSE’s Headquarters, NSIRA and CSE have been unable to achieve a workable trust-but-verify model for any reviews of CSE to date, despite several proposals for test cases brought forward by NSIRA throughout the year. NSIRA remains committed to developing a greater degree of verifiable access to CSE information so as to ensure the robustness of its findings and recommendations and, in turn, provide greater transparency of CSE activities to Parliament and the Canadian public.
In lieu of direct access to CSE information repositories, NSIRA has to rely on CSE External Review staff to collect relevant information held by CSE on its behalf. CSE External Review organizes briefings by subject matter experts, solicits responses to specific questions, and coordinates searches by CSE staff through information repositories for documents and other materials relevant to reviews. NSIRA recognizes the work of CSE External Review staff and thanks them for their contribution to the work of review.
However, reliance on CSE to locate, collate and curate information for NSIRA is not a proper long-term alternative to direct access. Currently, and on receipt of a request for information, CSE conducts a lengthy process to locate and collect information, followed by an internal review of this information to determine relevance prior to releasing materials to NSIRA. CSE’s predetermination of relevance of information undercuts NSIRA’s authority to decide whether information relates to its reviews and contributes to significant delays in the provision of information to NSIRA. Furthermore, this process creates a burden on CSE staff to coordinate responses to NSIRA’s information requirements. This workload could be substantially reduced by allowing NSIRA to conduct its own searches in CSE’s information repositories. Concurrently, it would serve as an element of verification that could strengthen NSIRA’s confidence in the completeness of information reviewed.
Beyond the issues related to limitations on NSIRA’s ability to trust but verify are ongoing concerns related to CSE’s responsiveness. As mentioned above, significant delays in the provision of information continued to pose a disruptive challenge to all NSIRA reviews of CSE activities in 2021. Although the COVID-19 pandemic interrupted life everywhere, it alone could not account for the extent of delays experienced during 2021. The timely provision of information required for a review not only facilitates the work of NSIRA, but is a legal requirement to which NSIRA expects CSE to adhere.
The sole exception to NSIRA’s right of access to information under the control of CSE is a confidence of the Queen’s Privy Council for Canada, otherwise known as a Cabinet confidence. Information subject to the Privacy Act, or any other act of Parliament, for that matter, as well as highly classified or Exceptionally Controlled Information (ECI) must be made available to NSIRA in a timely manner, when it relates to a review. This was not always the case in 2021.
In light of the ongoing challenges to NSIRA reviews of CSE activities, NSIRA continues to be of the opinion that the only mechanism to ensure a high degree of confidence, reliability and independence in its work is to have direct access to information relevant to its reviews. One important way by which CSE can continue to increase the level of transparency for its activities is to facilitate greater direct access for external review. For NSIRA to be able to conduct its work with a high degree of confidence, it must be able to verify the accuracy and completeness of the information on which it bases its findings and recommendations. NSIRA will continue to work with CSE to identify ways it can begin to implement additional elements of NSIRA’s trust but verify methodology in a more comprehensive and meaningful manner.
2.3 Other government departments
Overview
Beyond CSIS and CSE, NSIRA initiated reviews of the following departments and agencies in 2021:
the Department of National Defence / Canadian Armed Forces (DND/CAF);
the Royal Canadian Mounted Police (RCMP);
Immigration, Refugees and Citizenship Canada (IRCC);
the Canada Border Services Agency (CBSA); and
Transport Canada.
As well, through the annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has engaged with all departments and agencies that make up the Canadian national security and intelligence community.
The following sections outline reviews completed or initiated in 2021, by department or agency, as well as some planned future reviews.
Department of National Defence and the Canadian Armed Forces
Study of the Defence Intelligence Enterprise of the Department of National Defence and the Canadian Armed Forces
The purpose of this study was threefold. The primary objective focused on understanding the concept of the Defence Intelligence Enterprise (DIE), the umbrella under which DND/CAF conducts its intelligence activities. The second objective focused on developing an understanding of the compliance and oversight functions within the DIE, as well as the reporting of instances of non-compliance. Finally, the information gathered through the two primary objectives of this review provided NSIRA with prerequisite knowledge to help design future reviews.
Although comprising only a small percentage of the work of DND/CAF, the intelligence function is growing both in how DND/CAF perceives its importance, as well as in resource allocation. All of DND/CAF’s intelligence activities and structures fall within the DIE and without an understanding of this enterprise, NSIRA’s review plan would lack focus and organization. The DIE represents a large and complex structure with widely varied activities and functions. Successive reviews will build on NSIRA’s knowledge and experience, as well as developing the required expertise to proactively identify areas of future review. In addition, having a more complete understanding of the DIE will help NSIRA better situate DND/CAF in the broader security and intelligence community, so it can identify more opportunities for horizontal review activities.
This study also helped to highlight and identify some of the challenges NSIRA may face in reviewing DND/CAF moving forward. Notably, DND/CAF represents a large and complex structure with widely varied activities and functions. Reporting structures are complex. For example, DND senior management structures report directly to the Deputy Minister, CAF Commands report directly to the Chief of the Defence Staff, and some accountability structures require reporting to both. NSIRA also observed that information collection and storage procedures vary across the organization and that it has over 180 independent electronic repositories. The combination of these elements emphasizes the importance of maintaining strong working relationships with DND/CAF to help navigate access to timely information and assets. NSIRA is working closely with DND/CAF on how to overcome these challenges, including the possibility of providing detailed search strings and follow-up briefings to attest to the reliability, completeness and specificity of the provided documentation.
Review of the Canadian Forces National Counter-Intelligence Unit — Operational Collection and Privacy Practices
This review was a follow up to last year’s review of the Canadian Forces National Counter- Intelligence Unit (CFNCIU). This year’s review focused on how IT searches were used to support counter-intelligence investigations. NSIRA assessed whether IT searches and the collection of information in support of counter-intelligence investigations interfered with individuals’ reasonable expectation of privacy in the circumstances.
Over the course of the review, NSIRA identified three areas of concern tied to the requests for, and conduct of, counter-intelligence internal IT network searches. These are arranged under the following categories: (1) CFNCIU’s search of a subject’s email, internet and removable device activity; (2) the CFNCIU checklist used to identify and restrict search parameters, and how applicable stakeholders define search parameters; and (3) the use acquired information to expand supplementary searches.
NSIRA believes that DND employees and CAF members have a reasonable expectation of privacy when using work computers for personal use. CFNCIU requires the assistance of police or security agencies to obtain search warrants or technical intercept services, under Level II and Level III investigations. NSIRA found that CFNCIU may be inappropriately relying on DND/CAF policies as lawful authority to interfere with a subject’s reasonable expectation of privacy.
NSIRA observed that information obtained by CFNCIU via the checklist has the potential to capture intimate and personal information that touches on a subject’s biographical core. NSIRA found that the checklist risks capturing information that is protected by section 8 of the Charter. NSIRA also found that DND/CAF is applying a definition of metadata that captures information that could be subject to a reasonable expectation of privacy.
NSIRA observed that CFNCIU IT inquiries used broad search parameters, which may include information not relevant to the investigation. These parameters were applied as broad approvals with no specific internal controls or oversight at both the operational and working levels. Collection techniques, due in part to the limitations of IT audit tools and broad search parameters, resulted in a wide net being cast. NSIRA found that the investigative IT system practices observed in the context of CFNCIU’s counter-intelligence investigations have insufficient legal oversight to ensure that they are as minimally invasive as possible.
As a result of these findings, NSIRA recommended that DND/CAF suspend investigative IT system practices in the context of CFNCIU counter-intelligence investigations until a reasonable legal authority has been established. Once a reasonable legal authority has been established, DND/CAF should create a new policy framework that is reflective of the noted findings.
Response to NSIRA’s recommendations
NSIRA’s recommendations, DND/CAF’s management response and other details about this review are found in Annex D of this report.
Reviews planned or in progress
NSIRA has several reviews planned for DND/CAF and will conduct further work on two in 2022. The first one in progress is NSIRA’s review of DND/CAF’s human intelligence (HUMINT) program. This review will examine the entirety of the human source handling program used by DND/CAF.
Second, NSIRA is currently examining the domestic open-source collection activities of DND/CAF. More specifically, this review will take a closer look at legal authorities and the policy framework, program support and training, information and technology management systems, collection activities, intelligence production and dissemination, and oversight and accountability mechanisms.
Access to DND/CAF information
DND/CAF is the largest federal government department, both in terms of personnel (127,000 including regular and reserve forces) and number of physical locations occupied (42 in the National Capital Region alone). Given its domestic and international breadth, information collection and storage varies across the organization, with 180+ independent electronic repositories. NSIRA primarily accesses information through DND/CAF’s liaison body, the National Security and Intelligence Review and Oversight Coordination Secretariat (NSIROCS).
To help ensure that NSIRA receives timely and complete access to requested information, DND/CAF has formalized processes for responding to requests for information that includes a Level 1 (assistant deputy minister or equivalent) approval and attestation. Therefore, when NSIROCS receives a request for information, it coordinates with internal stakeholders to provide the requested information and submit it for Level 1 approval, after which the assistant deputy minister (or equivalent) provides a managerial attestation verifying the completeness and accuracy of the information provided.
NSIRA has also established direct access to specific DND/CAF IT systems for an ongoing review, and is working on a “proxy access” model for future reviews. Ultimately, the nature and scope of the review will dictate the access and verification model to be applied. NSIRA remains committed to working with NSIROCS to ensure that access and verification processes meet review requirements.
Royal Canadian Mounted Police
Reviews in progress or planned
NSIRA is currently working on three reviews focused exclusively on the RCMP. One of these reviews assesses the RCMP’s use of human sources in national security criminal investigations. Another review examines how the RCMP bypasses encryption when it intercepts private communications in national security criminal investigations. Lastly, NSIRA’S review of the Operational Research Unit of the RCMP will be examining the unit’s access to and use of security intelligence. The RCMP is also implicated in one multi- departmental review that is discussed below.
Access to RCMP information
NSIRA began reviewing the RCMP in 2020 and does not yet have direct access to the RCMP’s IT systems. The decentralized nature of the RCMP’s information holdings, COVID-19- related restrictions, and limitations resulting from other emergencies have resulted in delays in the RCMP providing NSIRA with requested information. NSIRA is committed to working with the RCMP’s National Security External Reviews and Compliance (NSERC) team to establish approaches for the timely provision of information.
In lieu of direct access to RCMP IT systems, NSIRA currently relies on the RCMP’s NSERC team to collect relevant information. NSIRA thanks the NSERC team for its contribution to the work of review but looks forward to working toward direct access to RCMP IT systems or alternate independent verification processes that provides NSIRA with independent confidence in the reliability and completeness of the information it has access to.
Canada Border Services Agency
In 2021, NSIRA completed its review of the Government of Canada’s use of biometrics in the border continuum that, while also examining IRCC and Transport Canada, had a strong CBSA component. The summary of this review can be found in the multi-departmental review section below.
NSIRA also made considerable progress on two CBSA -focused reviews. The first review is of air passenger targeting and examines the CBSA’s use of predictive analysis to identify inbound air travellers for further scrutiny in relation to national security threats. The second review assesses the CBSA’s use of confidential human sources, building on prior work in this area by National Security and Intelligence Committee of Parliamentarians.
Financial Transactions and Reports Analysis Centre of Canada
NSIRA is currently working on its first review of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). NSIRA will examine FINTRAC’s existing regime for sharing information with its domestic and international partners by looking at queries and disclosures to foreign financial intelligence units.
2.4 Multi-departmental reviews
Study of the Government of Canada’s Use of Biometrics in the Border Continuum
Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this review, NSIRA examined activities conducted by the CBSA, IRCC and Transport Canada. The review also extended to the RCMP, which plays a supporting role in one of the major IRCC-led programs using biometrics.
Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country — and consequently determining whether they have a right to enter, or what risks they might pose — serves a national security function. In this way, the use of biometrics requires an assessment of the balance between security and privacy.
The immediate objective of this review was to map the nature and scope of biometric activities occurring in this space. This included examining the collection, retention, use and disclosure of biometric information, as well as the legal authorities under which these activities occur. This review also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics.
This review identified a set of observations linked to nine overarching themes:
Biometrics and national security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
The steady-state activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
Expanding use of biometrics over time. The use of biometrics in the border continuum has significantly expanded over the last three decades and is likely to continue expanding in the future. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
Pilot projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented without sufficient legal analysis or policy development. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
Evolving legal and societal norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable — but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
The dual use of biometrics. NSIRA observed several instances of possible dual use of biometric information in the activities examined in this report. Even where new uses of biometrics offer demonstrable benefits, new uses must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against dual use in the context of biometric activities.
Technical systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of the systems is complex, though not necessarily problematic.
Visibility into algorithms. Departments and agencies have limited ability to see how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
Preventing bias and discrimination. IRCC and the CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.
Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.
Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2020
In November 2021, NSIRA and the Office of the Privacy Commissioner of Canada (OPC) completed a joint review of the 215 disclosures made under the Security of Canada Information Disclosure Act (SCIDA) in 2020 — NSIRA’s first joint review with another review body.
SCIDA encourages and facilitates the sharing, or disclosure, of information within the federal government to protect against activities that undermine or threaten national security, subject to certain conditions. SCIDA permits disclosures of information where the disclosing federal institution satisfies itself that the information will contribute to the exercise of the recipient federal institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than is reasonably necessary. This is called the disclosure test.
The review found that 212 of the 215 disclosures (approximately 99%) appeared to meet both parts of the disclosure test. In the remaining three disclosures, the information appeared speculative, with no clear connection to activities that undermine the security of Canada. All three of the disclosures of concern were proactive disclosures by the RCMP. Of particular interest was the RCMP’s disclosure of the identities and biometric information about approximately 2,900 individuals to the CAF. NSI RA and the OPC recommended that the RCMP update its policies and practices to support compliance with the disclosure test, that the institution that received the disclosure of concern from the RCMP delete or return the information unless they can demonstrate a valid reason not to,and that any institution disclosing personal information about a large number of individuals (bulk disclosure) exercise heightened due diligence.
The records reviewed also highlighted one case of a verbal disclosure made to CSIS months prior to a formal SCIDA disclosure and without an apparent source of legal authority. NSIRA and the OPC recommended that institutions with national security expertise ensure that when they request personal information for national security purposes from other federal institutions, they make it clear that their request, in and of itself, does not constitute or confer authority on the other institution to disclose personal information.
Based on CSE’s and IRCC’s information-sharing patterns under SCIDA, NSIRA and the OPC recommended that these two institutions enter into an information-sharing arrangement, and that GAC and CSIS update their information-sharing arrangement to incorporate SCIDA’s guiding principles.
Finally, the review examined the federal government’s SCIDA policies. The review found that Public Safety Canada developed a SCIDA guide for federal institutions, led an interdepartmental working group, and provided training that included all 17 of the federal institutions listed in SCIDA. The review also found that 16 of the 17 federal institutions listed in SCIDA — the exception being the Canadian Food Inspection Agency — have policies to support compliance with SCIDA. NSIRA and the OPC recommended that the Canadian Food Inspection Agency develop a similar framework to implement a SCIDA policy.
Response to NSIRA’s recommendations
NSIRA’s recommendations, the management response of reviewees and other details about this review are found in Annex D of this report.
Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020
The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA) and directions issued according to the ACA seek to prevent the mistreatment of any individual as a result of information exchanged between a department of the Government of Canada and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the ACA and the directions lay out a series of requirements that need to be met or implemented when handling information.
This review covered the implementation of the directions sent to 12 departments and agencies from January 1, 2020, to the end of the calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the ACA.
This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the COVID-19 pandemic impacted their information-sharing activities, such as the number of cases requiring further review as per the ACA. As such, NSIRA found that from January 1, 2020, to December 31, 2020, no cases under the ACA were issued to deputy heads in any department.
While NSIRA was pleased with the considerable efforts made by many departments new to the ACA in building their frameworks, the CBSA and Public Safety Canada had not finalized their policy frameworks in support of the directions received under the ACA within the review period.
Mitigation measures used by departments were also reviewed this time, since they are an integral part in the information-sharing process for departments.
NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and directions, irrespective of whether a department reported any cases to its deputy head. Finally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.
Reviews planned or in progress
In the future, NSIRA intends to continue to take advantage of its mandate to “review any activity carried out by a department that relates to national security or intelligence” by pursuing more multi-departmental reviews and avoiding examinations in siloes. In addition to the mandated annual SCIDA and ACA reviews, NSIRA plans to work on two more reviews involving multiple departments. The first one is a review of how CSIS and the RCMP manage threats posed by ideologically motivated violent extremism. The second review will study the relationship between CSE and CSIS on operational activities.
2.5 Technology in review
Integration of technology in review
Traditionally associated with the systems and software responsible for the administrative support of an organization, IT plays an increasingly large role in the operational activities of Canada’s national security and intelligence community. By taking advantage of rapid advances in cutting-edge technologies, Canada’s security and intelligence community is operationalizing advancements in technology to a degree greater than ever before. Modern national security and intelligence agencies must not only use new technologies to enhance their respective mandates, but they also do so to keep abreast of new opportunities, as well as new threats.
These advancements happen quickly, are complex and are often unique to each institution. Furthermore, emerging technologies, while ostensibly developed for one purpose, often have unforeseen implications on civil liberties and privacy, especially when used in an intelligence or security capacity. It is essential for an accountability body like NSIRA to keep pace with the use of developing technologies in Canada’s national security and intelligence community to ensure that the organizations it is responsible to review are discharging their mandates lawfully, reasonably and appropriately.
The vision for NSIRA’s Technology Directorate is to enhance the review landscape to incorporate an appropriate focus on the use and implementation of technology by security and intelligence agencies in Canada. By extending its reach into the practical applications of technology, and by entrusting this new focus to an in-house team of engineers, computer scientists and experienced review professionals, NSIRA will be well placed to ensure that the departments and agencies are held accountable for the decisions they make in leveraging the various aspects of emerging technology.
The development of this capacity at NSIRA will also provide a unique opportunity to build a review model that will put us on equal footing within the Five Eyes and the international review community. Without dedicated in-house technology expertise, NSIRA’s work will not stay current with contemporary national security legal and compliance risks or issues.
To that effect, NSIRA’s Technology Directorate will:
lead the review of IT systems and cutting-edge technical advancements;
conduct independent technical investigations;
support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP requiring technological expertise to assess the evidence;
produce reports explaining and interpreting sophisticated technical subjects;
assess the risk of a reviewed entity’s IT compliance with applicable laws and policy;
recommend IT system and data safeguards to minimize the risk of legal non- compliance;
lead the integration of technology themes into yearly NSIRA review plans; and leverage external expertise in the understanding and assessment of IT risks.
Future of technology in review
In 2022, NSIRA will continue to increase the number of employees working in the Technology Directorate as it takes an increasingly active and significant role. It will also lead the first technology-focused reviews of the lifecycle of CSIS information collected by technical capabilities pursuant to a Federal Court warrant. NSIRA is also scheduled to review CSE’s SIGINT retention practices in 2023.
In terms of important considerations for ongoing reviews, NSIRA Technology Directorate has identified the following three technology-related topics as priorities for consideration:
dual-use technologies;
data warehousing, bulk data and data analytics; and
automated decision-making.
As Canada’s security and intelligence community continues to grow its technical collection and analytic capacity, NSIRA must develop its own expertise in technical review in tandem. Over the next year, NSIRA intends to establish domestic and international partnerships and develop working relationships with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches. NSIRA’s Technology Directorate will also support the NSIRA complaint investigations team to understand where and when technology advancements could be applied to NSIRA investigations.
2.6 Review policies and processes
Method for assessing timeliness
Guidelines for assessing timeliness in reviews
To ensure greater accountability and predictability, NSIRA will be using the following guidelines to assess the timeliness of reviewee responses to requests for information (RFIs) during the review process, and will comment both privately and publicly on the outcomes. Notably, NSIRA’s annual report will track timeliness each year. These guidelines provide clear, standardized expectations on this important aspect of the review process.
Standard request for information (RFI) timelines
Much of the information requested by NSIRA falls into two categories: “off-the-shelf,” readily available material, and material requiring additional work to compile. Off-the-shelf material may include items such as policy documents, ministerial directives, operational policies, legal opinions and standard operating procedures. Information that requires additional work to compile may include things such as material that requires data manipulation or explanations and material in certain specialized databases and emails. RFIs will clearly state which type of material they pertain to, and standard timelines of 15 or 30 days, respectively, will be provided for responses.
Non-standard RFI timelines
NSIRA may deem it necessary to provide longer response times for information requests, for example, when the review covers new subject matter, the request is expected to return a large amount of information or documentation, or the reviewee has other ongoing reviews or other operational considerations. Non-standard timelines are at NSIRA’s discretion and will be applied based on the judgment of the review team.
NSIRA recognizes that extraordinary factors and extenuating circumstances may affect responses to requests for information and documentation. To accommodate this, reviewees may present, with significant justification, an alternative RFI timeline to the one originally provided. This should be done on receipt and review of the request, if possible. The decision to grant an extension is made by the NSIRA review team, and other arrangements, such as providing the requested information in tranches, can be considered. Regardless, RFI’s will always have an associated response timeline attached to them. This timeline will determine whether subsequent remedial steps are required.
Remedial steps
NSIRA will implement a three-stage approach to engage reviewees when no response is received to an RFI within the associated timeline. When a deadline is missed with no satisfactory response, NSIRA will escalate its concerns progressively by sending a series of letters to the assistant deputy minister, deputy minister and, finally, the responsible minister.
The letters will be attached as an annex to the related review and will inform an overall assessment of timeliness of the reviewee in NSIRA’s public annual report. The above guidelines will also be reviewed annually and may be updated based on the outcome of their ongoing implementation to ensure they meet their objectives.
Implementation of recommendations
The key outcomes of the work flowing from NSIRA’s review mandate are typically captured and distilled in the recommendations NSIRA provides based on its findings. In most NSIRA reviews completed since its inception, NSIRA has issued recommendations to the departments and agencies under review. In turn, reviewees have provided responses to these recommendations, which may include a plan for implementation. With a little over two years since recommendations for the first NSIRA reviews were issued, NSIRA believes enough time has elapsed to begin seeing the results of the implementation of these recommendations reflected in reviewees’ activities and policies. Therefore, NSIRA will begin considering the most appropriate means to track and evaluate the implementation of the recommendations issued in past reviews.
NSIRA will discuss with agencies and departments that were reviewed how to evaluate the implementation of past recommendations. For example, if issues and challenges remain unaddressed, NSIRA may initiate follow-up reviews. NSIRA’s public annual report may also raise issues in the implementation of recommendations as needed.
Verification
As noted above, verification is a fundamental component of credible and professional independent review. NSIRA must be able to test the completeness or accuracy of information it may receive as a matter of course during every review. This component is key to NSIRA’s ability to assure its stakeholders that it has confidence in the information it receives during a review, and thereby in the findings and conclusions of the review.
During a review, NSIRA is entitled to receive all information it deems relevant, except for Cabinet confidences. This feature of the NSIRA Act is critical for the success of NSIRA’s mandate. For NSIRA to assure Parliament and Canadians that it has a high level of confidence in the information it receives, departments and agencies under review are expected to support processes that satisfy NSIRA’s requirement to independently verify the completeness and accuracy of information provided by the department or agency. For example:
provide NSIRA, in support of each review, an index of documents provided, and an indication as to whether any information has been altered or removed and why; and
include a record of how searches of information are conducted, including which search terms were used, and which databases were queried.
Reviewees should always expect an element of verification as a regular part of each review. In keeping with its commitment to transparency and methodological rigour, NSIRA reviews now contain a “confidence statement.” This statement reflects NSIRA’s ability to verify information during a review. The confidence statement also provides important additional context to the review, apprising readers of the extent to which NSIRA has been able to verify necessary or relevant information during the review, and whether its confidence was impacted as a result of this exercise.
Complaints investigations
3.1 Overview
In the course of the year, NSIRA continued to adapt in conducting its complaints investigations by using innovative approaches. This included the use of videoconference technology for its hearings and investigative interviews, as well as finding procedural efficiencies such as proceeding with some investigations in writing. In part due to challenges inherent to the COVID-19 pandemic, NSIRA experienced delays in its investigations stemming from reduced responsiveness in accessing information and evidence. Annex E contains statistics for NSIRA’s complaints investigations in 2021.
Advancing the investigations and obtaining evidence presented issues for both NSIRA and the federal government parties to investigations that were obligated to provide information to NSIRA. In several ongoing matters, NSIRA granted adjournments and extensions of deadlines for procedural steps, including the filing of submissions and evidentiary material. In addition to pandemic-related delays, NSIRA notes that federal government parties to investigations cited other reasons for their requests for extensions of deadlines to file material, such as issues related to availability of witnesses and shortage of resources. Furthermore, NSIRA had to ask for additional information in response to incomplete initial disclosures in more than one investigation, which also created delays.
As to NSIRA’s investigation caseload in 2021, NSIRA dealt with a continued substantial increase in its inventory of cases. This increase resulted from 58 complaints referred in April 2021 to NSIRA for investigation by the Canadian Human Rights Commission, pursuant to subsection 45(2) of the Canadian Human Rights Act. This high-volume caseload has impacted NSIRA’s overall management of its cases.
NSIRA has also been focusing on strengthening its program delivery by working on strategies for the collection, analysis and use of race-based and demographic data in the context of the complaints investigation process. Working closely with its partner, the Civilian Review and Complaints Commission for the RCMP, NSIRA has been developing strategies of common interest in improving procedures to take into account considerations of diversity and inclusion. The specific objective is to improve access to justice by improving awareness and understanding of the investigation process. The intent is also to document the different racial groups among civilian complainants and determine:
whether there are significant racial disparities;
whether there are racial differences with respect to the types of complaints made against national security organization members based on different groups;
the frequency of complaints that include allegations of racial or other forms of bias; and
whether complaint investigation outcomes vary by racial group.
Looking to the year ahead, NSIRA will analyze procedural data with respect to the timelines of its investigations in order to inform the establishment of new service standards, continuing its efforts to ensure efficiency and transparency in the process. NSIRA is mindful that service standards are based on time commitments in normal circumstances. As the public health situation with respect to the COVID-19 pandemic continues to improve, NSIRA looks forward to the cooperation of federal government parties in increasing their responsiveness to advance investigations. In light of NSIRA’s objective of developing service standards, it will be adopting a measured approach to requests for adjournments and extensions of deadlines, which will be permitted in exceptional circumstances. Also for the year ahead, NSIRA will continue to improve its website to promote accessibility to and relevance of processes in the investigation of complaints.
3.2 Status of complaints investigation process reform
In 2021, NSIRA completed its investigation process reform initiative after a complex consultation with multiple stakeholders. In July 2021, NSIRA launched its new process that included the implementation of its new rules of procedure, aiming to provide greater accessibility as well as greater efficiency in NSIRA’s investigation mandate. Investigations under this new model show early signs of efficiency in that NSIRA has set timelier dates for the conduct of investigative interviews.
3.3 Investigations
Final report summaries
Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-516)
Background
The Complainant filed a complaint against the Canadian Security Intelligence Service (CSIS) regarding its involvement in different incidents with airport authorities while the Complainant was travelling.
In addition, the Complainant alleged harassment, possible interference with employment opportunities, interference with a passport application, intercepting and reviewing mail, and disrupting personal relationships.
Investigation
During the investigation, the Complainant raised several separate incidents that led to the filing of their complaint. NSIRA reviewed the evidence before it to determine whether CSIS’s actions were reasonable and proportionate in the circumstances; whether CSIS’s actions constituted harassment; and whether it had acted lawfully.
NSIRA considered the evidence given by witnesses, the documentation submitted by the parties, as well as other relevant material made available during the course of the investigation of the complaint. NSIRA also heard evidence provided by the Complainant.
With respect to one specific incident in dealing with airport authorities while travelling, NSIRA heard evidence by witnesses regarding section 8 of the Canadian Charter of Rights and Freedoms (Charter). Section 8 of the Charter provides that everyone has the right to be secure against unreasonable search and seizure.
Conclusion
With respect to all allegations, NSIRA determined that the complaint is unsupported. However, concerning events related to CSIS participating in a Canada Border Services Agency search of the Complainant’s cell phone at an airport on one occasion, NSIRA found that CSIS breached section 8 of the Charter.
NSIRA concluded that CSIS did not take the Complainant’s privacy interests casually and did not deliberately disregard privacy considerations in relation to the search. The breach of section 8 of the Charter was not egregious and constituted an error in judgment.
Reopened Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-471)
Background
NSIRA issued a supplemental final report resulting from a reopened investigation that was concluded by its predecessor, the Security Intelligence Review Committee (SIRC).
The Complainant alleged that CSIS had violated his constitutional rights due to his race and religion as well as his refusal to work as a human source. He further alleged that CSIS agents were harassing him by stopping him in airports and following him. Lastly, the Complainant alleged that CSIS had disclosed false information to a foreign entity, which resulted in him being held for eight hours without food in a foreign country’s airport.
In SIRC’s final report, SIRC concluded that the Complainant’s allegations of discrimination and harassment were unsupported. SIRC also concluded that the actions of CSIS officials had violated section 12 of the CSIS Act, ministerial directions, policies and operational procedures, and that these actions resulted in adverse consequences for the Complainant.
NSIRA’s reopened investigation was strictly limited to two questions of law: (1) whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings; and (2) whether CSIS was required to obtain an individual targeting authority against the Complainant.
Investigation
The investigation of the reopening was deemed to be continued before NSIRA pursuant to subsection 11(1) of the National Security Act. NSIRA considered the documentation submitted by the parties, including classified submissions and documents filed by CSIS. NSIRA also considered the submissions filed by the Complainant as well as any other relevant material made available during the course of the investigation of this reopening.
With respect to whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings, CSIS conceded during the investigation that it requires reasonable grounds to suspect that activities constitute a threat to the security of Canada, as described in section 2 of the CSIS Act, to conduct such initial inquiries of its operational holdings.
On the facts of this case, NSIRA determined that SIRC had correctly found that CSIS did not possess objective facts about activities that met the requisite reasonable grounds to suspect standard.
With regard to whether CSIS was required to obtain an individual targeting authority against the Complainant, NSIRA concluded that SIRC’s findings of fact regarding the extent and manner in which CSIS investigated the Complainant would not be revisited by NSIRA. NSIRA found that SIRC’s conclusion that there is a point in the CSIS investigation where CSIS agents were specifically investigating the activities of the Complainant was unequivocal, and, therefore, it was clear that CSIS should have obtained an individual targeting authority against him, yet failed to do so.
Conclusion
NSIRA determined that SIRC’s report and the findings were affirmed.
Conclusion
In 2021, NSIRA delivered on its mandate by completing reviews on a wide array of federal departments and agencies involved in national security and intelligence activities. Similarly, despite the challenges of the COVID-19 pandemic for complaints investigation proceedings and a large increase in its workload, NSIRA adapted its methods and continued its efforts to improve its program delivery.
NSIRA aims to increase its capacity to review technology and its practical use in national security and intelligence activities. The ongoing growth in NSIRA’s staff complement will also help the organization review a greater variety of national security and intelligence activities and continue to progress in its investigation of a large number of complaints.
NSIRA remains committed to engage with non-government stakeholders. NSIRA took note of feedback on its prior annual report and will continue to aim to improve its usefulness.
Once again, NSIRA members are very grateful for the excellent work of the Secretariat staff and their dedication to the organization’s mission of promoting greater accountability in the Canadian security and intelligence community and improving the confidence of Canadians in their oversight institutions.
This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
1.This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
2.The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
3.NSIRA identified concerns that demonstrate the need for improved training. NSIRA found that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information. Some disclosures were of concern as GAC did not meet the two-part threshold requirements of the SCIDA prior to disclosing the information. Without meeting these requirements, some disclosures of personal information were not compliant with the SCIDA. Two disclosures did not contain accuracy and reliability statements, as required under the SCIDA. With respect to record-keeping, NSIRA recommends that departments contemporaneously document the information relied on to satisfy themselves that disclosures will not affect any person’s privacy interest more than is reasonably necessary in the circumstances.
4.NSIRA is confident that it received all information necessary to conduct the review.
2. Introduction
5.When federal departments fail to share national security information in a timely, coordinated, or responsible manner, serious and tragic consequences can result – as the Arar and Air India Inquiries found. As a mechanism in Canada’s national security accountability framework, NSIRA is mandated to prepare a report respecting disclosures under the Security of Canada Information Disclosure Act (SCIDA) during the previous calendar year. This is the only NSIRA review that must be made public and laid before both the House of Commons and the Senate, reflecting the importance Parliament has placed on independent review and accountability of national security information disclosure.
6.The SCIDA’s designated long title also reflects its stated purpose: An Act to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada.
7.The SCIDA governs how Government of Canada institutions disclose information, including personal information, that is relevant to activities that undermine the security of Canada, to a select group of federal institutions with national security mandates. Disclosures are either made proactively, on the initiative of a Government of Canada institution, or in response to a request by an institution authorized to receive information under the SCIDA.
8.It is important to note that the SCIDA is simply a tool. It is only as useful as its real-time recognition and application. Its success relies on how individuals and institutions interact with and implement its provisions. Those federal government institutions authorized to disclose information under the SCIDA must maintain a certain vigilance for information that may have national security repercussions, including at the most basic operational level. Having recognized information that could involve national security matters, departments must then decide whether they are authorized to disclose that information and to whom, paying close attention to minimizing any impacts on individual privacy rights.
9.Federal departments and agencies with core national security mandates are generally able to rely on their own legal frameworks to share information with other domestic institutions, and do not require the SCIDA to do so. Previous NSIRA reports have found that for many such institutions, disclosures made under the SCIDA comprise only a small portion of their domestic national security information sharing.
10.NSIRA understands the significance of the SCIDA in the overall national security framework, and is concerned with its robust application, in keeping with the provisions of the SCIDA, including its guiding principles, and with respect to the disclosure of personal information. What is more, NSIRA has the ability to review all disclosures across the Government of Canada, and through this broad lens, can identify common themes and trends. This perspective, not available to individual federal departments, enables NSIRA to make findings and recommendations that can strengthen overall information disclosure within the national security framework.
Focus of this Review
11.In determining the focus of this review, NSIRA considered the concerns raised in its review conducted the year prior. In the review of disclosures made under the SCIDA in 2020, which NSIRA undertook jointly with the Office of the Privacy Commissioner (OPC), the review found that the majority of federal department disclosures – approximately 99 per cent – met the threshold requirements that permit information to be disclosed under the SCIDA. In other words, the disclosing institutions sufficiently demonstrated that they had satisfied themselves, prior to providing the disclosures, that the information to be disclosed would contribute to the exercise of the recipient’s jurisdiction or responsibilities respecting activities that undermine the security of Canada, and that it would not affect any person’s privacy interest more than reasonably necessary in the circumstances.
12.The few disclosures that raised concerns, however, were those that had been provided to the recipient institutions on a proactive basis. As such, NSIRA chose to focus on this category for its 2021 review of disclosures under the SCIDA. In 2021, the majority of proactive disclosures came from Global Affairs Canada (GAC). NSIRA therefore chose to focus on GAC’s proactive disclosures in 2021, as a representative sample.
13.In addition to reviewing these disclosures from the perspective of the SCIDA’s prerequisite thresholds, this review also assessed other important requirements under the SCIDA that help to ensure responsible disclosures of national security information. These include the need for disclosures to be accompanied by statements that attest to the accuracy and reliability of the information being disclosed, as well as the obligation on all disclosing institutions to prepare and keep records that set out a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.
14.Although the review sample focused on GAC proactive disclosures, many findings and recommendations are general and illustrative and, in many instances, may be useful to all institutions when disclosing under the SCIDA.
Review Objectives
15.The objectives of this review were to assess proactive disclosures of information under the SCIDA.
16.Specifically, the review assessed whether GAC:
a) Satisfied itself, prior to disclosing any information, that the disclosure would contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA;
b) Satisfied itself, prior to disclosing any information, that the disclosure would not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA;
c) Described, at the time of the disclosure, the accuracy of the information disclosed and the reliability of the manner in which it was obtained, as required under subsection 5(2) of the SCIDA; and
d) Kept records that included a description of the information that was relied on to satisfy itself that the disclosure was authorized under the SCIDA, as required under paragraph 9(1)(e) of the SCIDA.
Methodology
17.NSIRA received 195 disclosures of information from federal departments that reported either disclosing or receiving information under the SCIDA between January 1, 2021 and December 31, 2021. NSIRA conducted a preliminary review of all disclosures received.
18.NSIRA focused this year’s review on GAC proactive disclosures only. GAC identified 16 proactive disclosures out of a total of 44 disclosures under the SCIDA in 2021. However, in reviewing the material provided by GAC, NSIRA noted that three of these files were in fact requests for information from another department, and not disclosures of information under the SCIDA. As such, NSIRA removed these three files from the review sample, and only analyzed the remaining 13 disclosures identified by GAC as proactive disclosures.
19.NSIRA sent five follow up requests for information to GAC regarding its disclosures, and assessed all records provided.
3. Analysis
20. In conducting this review, NSIRA observed positive components of disclosures that it endeavours to highlight in this report. Proactive disclosures are an important feature of the SCIDA regime, and the following findings and recommendations aim to enhance compliance with the SCIDA.
Thresholds for disclosing information to federal institutions under the SCIDA
a) Jurisdiction or responsibilities in respect of activities that undermine the security of Canada
21. Paragraph 5(1)(a) of the SCIDA requires departments to satisfy themselves that disclosures “will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada.”
22. The definition of “activity that undermines the security of Canada” is set out at subsection 2(1) of the SCIDA and includes, for example, espionage and terrorism. Certain activities are excluded from this definition, notably advocacy and protest not carried out in conjunction with an activity that undermines the security of Canada.
23. In conducting this review, NSIRA examined each disclosure in the sample and its corresponding documentation to assess whether GAC had satisfied itself, prior to making the disclosure, that the information to be disclosed would contribute to the recipient department’s jurisdiction in respect of activities that undermine the security of Canada, as defined in the SCIDA.
24. In 12 of the 13 disclosures reviewed, GAC sufficiently demonstrated that it had satisfied itself as to these requirements. Furthermore, in all of these 12 disclosures, GAC documented that it had considered not only whether the recipient had the appropriate jurisdiction, but also how the information would contribute to that jurisdiction in respect of an activity that undermines the security of Canada as defined in the SCIDA. For example, see text box 1. The information in the disclosure file supports the text of this statement.
Text box 1: Example of statement in disclosure demonstrating GAC satisfied itself as to the requirements under 5(1)(a) of the SCIDA
GAC’s disclosure will contribute to the carrying out of CSIS’ responsibilities under section 12 of the CSIS Act, which require CSIS to investigate activities that may on reasonable grounds be suspected of constituting threats to the security of Canada. Section 2.a of the CSIS Act defines threats to the security of Canada as encompassing threats or acts of “espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage.” CSIS collects, analyzes and retains information and intelligence on these threats to the extent that it is strictly necessary to do so, and reports to and advises the Government of Canada. In the circumstances, GAC’s disclosure will contribute to CSIS’ responsibility under section 12 of the CSIS Act to investigate and report on threats to the security of Canada as defined in section 2.a of the CSIS Act. Specifically, the disclosure will contribute to an assessment of a potential espionage threat [against Canadian interests abroad].
25.However, NSIRA observed that in one of those twelve disclosures, GAC consulted on more information than necessary to determine whether the disclosure was authorized under the SCIDA. This disclosure is described below.
Disclosure 1
26.A foreign country provided information about an individual with ties to Canada, to GAC headquarters, and requested that GAC forward the information to appropriate authorities. GAC then met with CSIS and showed them the information in their holdings, in order to clarify whether the information contributed to CSIS’s national security mandate. CSIS reviewed the information and confirmed that the information was of value to their investigation. CSIS did not report any of the information in its holdings.
27.Following that consultation, GAC concluded that a number of the documents did not pertain to an activity that undermines the security of Canada, as they contained “significant amounts of personal information unrelated to [the subject of the investigation] and reflecting acts considered lawful in Canada, such as freedom of speech (with no stated intent to engage in acts of violence) and freedom of peaceful assembly.” As such, GAC subsequently formally disclosed to CSIS only a fraction of the previously consulted documents. With respect to this formal disclosure, GAC demonstrated that it satisfied itself as to the requirements under paragraph 5(1)(a) of the SCIDA.
28. GAC indicated to NSIRA that the Public Safety guide on responsible information-sharing (PS Guide) is its primary policy guidance on the SCIDA. NSIRA notes that the PS Guide encourages government institutions to “communicate with the designated recipient institution prior to disclosure to determine not only whether the information is linked to activities that undermine the security of Canada but also how it contributed to that institution’s national security mandate.” This should not be interpreted as providing authorization to consult on more information than necessary, given the possibility that information outside the scope of a SCIDA disclosure may be included.
29. During its consultation with CSIS, GAC consulted on information that it later assessed as not concerning an activity that undermines the security of Canada as defined in the SCIDA and which was later removed from the formal disclosure under the SCIDA. The consultation involved showing GAC’s full information holdings to CSIS, which was more information than necessary to obtain confirmation from CSIS that the information was of value. Information used in consultations should be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to the carrying-out of its mandate and is linked to activities that undermine the security of Canada.
30. Furthermore, despite twelve out of thirteen disclosures meeting the requirements of paragraph 5(1)(a) of the SCIDA, one disclosure did not. NSIRA addresses this disclosure below.
Disclosure 2
31. An individual overseas, on their own initiative, identified themselves as a member of that country’s government and provided information to an official at a Canadian embassy about an alleged threat. GAC disclosed this information along with personal information, including the individual’s contact information, to the Canadian Security Intelligence Service (CSIS), invoking the SCIDA as an authority to make the disclosure. However, GAC did not consider whether this disclosure met the two threshold requirements under paragraphs 5(1)(a) and 5(1)(b) of the SCIDA, prior to disclosing this information in its entirety. During the course of this review, GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and it was authorized under another authority for disclosing information in such circumstances, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances. Nonetheless this example demonstrates a) that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information, and b) that such confusion, in this case, led to the improper use of the SCIDA to disclose.
Finding no. 1: NSIRA finds that, in twelve out of thirteen disclosures, GAC demonstrated that it satisfied itself as to the contribution of the information to the recipient institution’s responsibilities in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA.
Finding no. 2: NSIRA finds that, without first conducting the analysis under paragraph 5(1)(a) of the SCIDA, departments risk disclosing information that does not pertain to the national security mandate of the recipient institution or to activities that undermine the security of Canada.
Finding no. 3: NSIRA finds that, in one of thirteen disclosures, GAC consulted on more information than necessary to obtain confirmation that the disclosure contributed to CSIS’s mandate and was linked to activities that undermine the security of Canada.
Recommendation no. 1: NSIRA recommends that consultations be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to its mandate and is linked to activities that undermine the security of Canada.
b) Privacy interest not impacted more than reasonably necessary in the circumstances
32. Paragraph 5(1)(b) of the SCIDA requires that disclosing institutions be satisfied that the disclosure will not affect any person’s privacy interests more than reasonably necessary in the circumstances.
33. All thirteen proactive disclosures included personal information as defined in the Privacy Act, that is, identifiable information about an individual, such as name, contact information, background information, or suspicions concerning the individual.
34. The PS Guide provides direction on the type of analysis required prior to disclosing personal information. More specifically, the PS Guide states “whether the information impacting a person’s privacy interest is considered ‘reasonably necessary’ will depend upon the particular circumstances of each case. Relevant considerations may include contextual factors, such as the type and nature of the information in question and the particular purpose for the disclosure.”
35. In response to NSIRA requests for further information, GAC explained how it satisfied itself that these proactive disclosures did not affect any person’s privacy interest more than reasonably necessary in the circumstances.
36. For example, GAC explained that in eight of the thirteen disclosures, GAC determined that some of the information it was considering disclosing was not within the scope of the recipient institution’s mandate. In the same disclosures, GAC also stated that it determined that some of the information in its holdings did not contribute to the institution’s investigation or fall within the recipient institution’s original request for information. For example, in one disclosure, only an individual’s travel status abroad was shared with CSIS as this pertained to the latter’s responsibilities in a national security matter. Other information in GAC’s holdings, such as information concerning other individuals, was determined by GAC not to be relevant, and therefore was not included in the disclosure.
37. Similarly, GAC explained that in two of the thirteen disclosures, GAC determined that some information was necessary to report to the recipient department, and therefore included in the disclosure. More detailed information not linked to activities that undermine the safety of Canada was not disclosed. For example, in one of the two disclosures, only information about suspected espionage activity was disclosed to CSIS, while detailed information about certain personal activities and behaviours was withheld.
38. NSIRA observed that of the 13 disclosures in the sample, three disclosures did not meet the requirements under paragraph 5(1)(b) of the SCIDA.
39. In Disclosure 2, described above, GAC disclosed information that was received from an individual who, on their own initiative, provided information to an official at a Canadian embassy overseas. GAC did not conduct any analysis under the SCIDA including whether the disclosure would affect privacy interests more than reasonably necessary in the circumstances, and proceeded with disclosing the entirety of the information to CSIS. GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and was authorized under another authority for disclosing information, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances.
Disclosures 3 and 4
40. A Canadian embassy abroad received screen shots of a private social media group. The screenshots included information about a political movement in a foreign country. They also contained the contact information of all members of the group. While the group shared posters about the movement and information concerning protests in Canada, there were no threats, whether specific or general, in the material. However, based on some information in the screenshots, as well as the broader context of protests, past events, and open source media, GAC determined that the information contributed to the exercise of the Royal Canadian Mounted Police (RCMP)’s and CSIS’s jurisdiction, or the carrying out of their responsibilities, in respect of activities that undermine the security of Canada.
41. GAC disclosed the entirety of the information to both the RCMP and CSIS. The only information redacted was the name and contact information of the individual who provided the information to GAC.
42. GAC explained to NSIRA that it concluded that paragraph 5(1)(b) of the SCIDA was met because it did not identify a reasonable expectation of privacy in the content of the private social media group. NSIRA observes that GAC did not consider all of the relevant factors that would allow it to satisfy itself that the disclosure would not affect any person’s privacy interest more than is reasonably necessary in the circumstances. As such, the disclosure of information did not meet the second threshold requirement under subsection 5(1) of the SCIDA. Therefore, the disclosure of personal information of the group members did not comply with the requirements of the SCIDA.
Finding no. 4: NSIRA finds that, in ten out of thirteen disclosures, GAC satisfied itself that the disclosure will not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA.
Accuracy and Reliability Statements
43. The Arar Report noted that “sharing unreliable or inaccurate information does not provide a sound foundation for identifying and thwarting real and dangerous threats to national security and can cause irreparable harm to individuals.”
44. A core theme in the SCIDA’s guiding principles is that of effective and responsible disclosure of information. Disclosing institutions are required, under subsection 5(2) of SCIDA, to provide information at the time of disclosure regarding the accuracy of the information disclosed and the reliability of the manner in which it was obtained.
45. Given the valuable context that accuracy and reliability statements provide to disclosures, precise and complete statements tailored to the specific circumstances of the disclosure can help avoid false perceptions, and can help ensure that recipient institutions have a clear understanding as to the accuracy and reliability of the information disclosed.
46. GAC relied on the PS Guide as its primary policy guidance document on the SCIDA. The PS Guide sets out that ensuring that the information disclosed is as accurate, complete, and as upto-date as possible is key to responsible and effective information sharing.
47. GAC informed NSIRA that partner agencies can better verify the accuracy of the information and the reliability of its source than GAC. NSIRA agrees that in some instances, GAC has limited capability for verification. Nonetheless, the SCIDA requires accuracy and reliability statements in every disclosure; accuracy and reliability statements must be clear and contextspecific in order to be meaningful.
48. In an example of a well-developed statement, GAC provided the following: The information disclosed by GAC was obtained through interactions between GAC officials with [known and credible source X and another individual]. GAC is not in a position to assess the accuracy and reliability of the above information provided to GAC officials by [these individuals]. GAC assesses that [source X] is highly credible, and is likely providing reliable information. In this case, the statement made a distinction between the accuracy and reliability of the information disclosed, depending on the source of that information. The disclosure sets out which information was provided by which source.
49. Overall, eleven of the thirteen disclosures contained accuracy and reliability statements. Two disclosures did not include the statement as the SCIDA requires. These omissions were not tied to GAC’s inability to verify the accuracy and reliability of the information.
Finding no. 5: NSIRA finds that two out of thirteen disclosures did not contain accuracy and reliability statements as required by subsection 5(2) of the SCIDA.
Recommendation no. 2: NSIRA recommends that in order to provide the most valuable and meaningful context for the recipient institution, accuracy and reliability statements should be clear and specific to the circumstances of the disclosure.
Record-keeping
50. Paragraph 9(1)(e) of the SCIDA requires that disclosing institutions prepare a description of the information that they relied on to satisfy themselves that the disclosure was authorized under the SCIDA, including that the disclosure did not affect privacy interests more than reasonably necessary, as part of their record-keeping obligations under the SCIDA.
51. It is noted that the PS Guide sets out the steps to making a disclosure, which include creating a record describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA. Furthermore, the PS Guide’s Appendix A: Record-keeping Template for Institutions Disclosing Information under the SCIDA, which is intended to help departments meet record-keeping obligations for disclosing institutions under the SCIDA, contains a field for departments to describe that information. It also restates the requirements under paragraphs 5(1)(a) and (b) of the SCIDA that the disclosing institution be satisfied that the disclosure will contribute to the recipient institution’s national security mandate, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances.
52. The SCIDA 2020 Review observed that GAC’s records describing the information it used to satisfy itself that certain responsive disclosures to CSIS, were robust. The basis for this observation was that GAC’s records contained information provided by CSIS to aid in GAC’s assessment, including details of the potential impact on the subject(s) of the request.
53. During the course of this year’s review, NSIRA requested that GAC provide a description of how it satisfied itself that the disclosure was authorized under both threshold requirements under the SCIDA. NSIRA also requested that GAC provide all supporting documents GAC relied on in its assessment. GAC provided explanations in response to NSIRA’s queries in this regard, referencing supporting documents. Based on a review of the records provided, NSIRA observes that GAC’s practices could be improved by contemporaneously and expressly articulating which information it relied on to satisfy itself that the disclosures would not impact any person’s privacy interest more than reasonably necessary in the circumstances.
Recommendation no. 3: NSIRA recommends that all disclosing departments contemporaneously prepare descriptions of the information that was relied on to satisfy themselves that disclosures were authorized under the SCIDA.
Training on the SCIDA
54. GAC used four distinct PowerPoint documents in 2021 to train employees on the SCIDA.
55. A course entitled Governance, Access, Espionage and Technical Security (GATE) was accessible to all employees going on postings as an introductory course focused on the awareness of information security at GAC. This presentation did not include practical examples or scenarios, but explained that any information sharing under the SCIDA must be done through GAC Headquarters.
56. Furthermore, a presentation provided by the Director General of the Intelligence Bureau to the majority of Heads of Mission going on postings, as an introductory course on intelligence support and security, did not provide illustrative examples or scenarios, but set out that information sharing under the SCIDA must be done through Headquarters.
57. Finally, the Department of Justice legal team provided two presentations: one to Global Security Reporting Program Officers going on postings as an introduction to information sharing policies and practices, including several slides on the SCIDA, and the other to groups of employees at Headquarters as an introduction to information sharing policies and practices. NSIRA noted that each presentation included only one or two examples illustrating the considerations in making a disclosure under the SCIDA.
58. Three of the four presentations also included a range of information about record-keeping requirements. However, the information in the presentations was largely limited to reiterating the requirements under the SCIDA, and no practical examples or scenarios were provided. Similarly, while these presentations reiterated requirements under the SCIDA to include accuracy and reliability statements, no practical examples were provided.
Finding no. 6: NSIRA finds that GAC training on the SCIDA lacks sufficient illustrative examples required to provide employees with adequate guidance to fulfill their obligations under the SCIDA.
Recommendation no. 4: NSIRA recommends that additional illustrative examples and scenarios be included in the SCIDA training, including for disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements.
4. Responsiveness and provision of information
59. All departments met the timelines for the provision of information to NSIRA.
60. Subsections 9(1) and 9(2) of the SCIDA contain record-keeping obligations for disclosing and recipient institutions. Subsection 9(3) of the SCIDA requires all departments to provide every record prepared under those subsections to NSIRA, for the purpose of NSIRA’s annual review of disclosures under SCIDA. Not only is thorough record-keeping a legal requirement for disclosing and recipient institutions, it is not possible for NSIRA to fulfill its mandated annual review without all records from all departments.
61. This review focussed on GAC proactive disclosures. NSIRA conducted a cross-comparison of the number of disclosures reported by GAC and those received by recipient institutions and notes that the numbers align. NSIRA did not independently verify the completeness of the records provided by GAC. Nonetheless, the assessment under the SCIDA requires GAC to demonstrate compliance. Additional requests for information over the course of the review led NSIRA to conclude that it received all information necessary to conduct the review. Finally, GAC had the opportunity to review a preliminary draft of this report and provide additional information. For these reasons, NSIRA is confident that it received all information necessary to conduct the review.
5. Conclusion
62. The SCIDA is a legislative tool meant to encourage and facilitate the responsible and effective disclosure of national security-related information between federal government institutions. Of the thirteen disclosures in the review sample, three did not meet one or both disclosure threshold requirements and two did not contain accuracy and reliability statements. Prior to consulting on potential disclosures, departments should consider what information is necessary to include in the consultation. Departments should also contemporaneously document on what basis they were satisfied that disclosures were authorized under the SCIDA. Furthermore, improvements to ongoing training are recommended, to provide more illustrative examples to guide employees in fulfilling their obligations under the SCIDA. NSIRA looks forward to revisiting the implementation of the SCIDA in future years and expects to find improved compliance, recordkeeping, and delivery of training programs.
NSIRA’s 2020 Annual Report focuses on review and investigation work carried out during our first full year of operation. In 2020, NSIRA completed reviews covering the national security and intelligence activities of departments and agencies across Canada’s federal government.
This report highlights key findings and recommendations, as well as our efforts to standardize and modernize our review processes. The report also discusses our new approach to information verification in reviews (our “trust but verify” approach) as well as NSIRA’s review plan for the coming years. Review highlights include:
CSIS threat reduction measures (TRM) and intelligence-sharing activities;
CSE activities, notably the disclosure of Canadian identifying information (CII) to Government of Canada departments, ministerial authorizations (MAs) and ministerial orders (MOs) under the CSE Act, and CSE’s signals intelligence (SIGINT) data retention policies and procedures;
Two cross-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and disclosures of information under the Security of Canada Information Disclosure Act.
NSIRA’s mandate includes the investigation of complaints related to national security made by members of the public. In 2020, we completed one investigation and modernized our complaints investigation model to ensure efficiency and transparency. Two priorities guided the modernization of the process, namely, access to justice for self-represented complainants and the creation of streamlined and less formal procedural steps. This was achieved through the creation of new Rules of Procedure as well as the implementation of our new declassified, de-personalized policy on final investigations reports.
NSIRA’s 2020 Annual Report also discusses our organization’s underlining goals and values, and highlights how the organization grew in size and capacity throughout the 2020, as it continued efforts to enhance its technical and subject matter expertise.
On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our second annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2020, as well as our findings and recommendations.
In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with the deputy heads concerned in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitorclient privilege, the professional secrecy of advocates and notaries or to litigation privilege.
Yours sincerely,
The Honourable Marie Deschamps, C.C.
Chair // National Security and Intelligence Review Agency
Message from the members
The National Security and Intelligence Review Agency (NSIRA) began operating in 2019 as a new independent accountability mechanism in Canada. Our broad review and investigations mandate covers the national security and intelligence activities of departments and agencies across the federal government. In our first annual report, released in 2020, we discussed our initial activities from our inception in July 2019 to December 2019.
We are pleased to now present our second annual report, covering our activities in our first full year of operation. In 2020, we completed numerous reviews and investigations, engaged with stakeholders in the national security and intelligence community, including our international counterparts, launched an ambitious review plan for the coming years, initiated a comprehensive reform of our complaints investigation process, developed a uniform approach to information verification in reviews (our “trust but verify” approach), began standardizing our review processes, and made strides in formalizing efforts to coordinate and collaborate with various partner organizations. NSIRA’s Secretariat also continued to grow steadily in size, expertise, and administrative, technical, and substantive capacity. We achieved all of this within the considerable constraints presented by the COVID-19 pandemic.
We are committed to transparency and public engagement, striving to keep Canadians informed about national security and intelligence activities, and ensure our plans reflect the priorities of all Canadians. Our annual report is one way among many of achieving this. We also aim to achieve this through regularly engaging with stakeholders, members of diverse communities, and parallel review bodies internationally, including those that comprise the Five Eyes Intelligence Oversight and Review Council (FIORC). We are likewise committed, and have began to, releasing public versions of our reports as they are completed (our “write for release” initiative), and to provide timely updates via our website and social media platforms.
After the release of our inaugural annual report, we sought and received feedback from academic and community stakeholders. As a result of these consultations, we have reorganized how we present some of the material in our 2020 annual report. In particular, we have grouped our review summaries, including any findings and recommendations, according to the institutions to which they pertain. We also discuss the outcomes and themes of interagency reviews. As well, this report sets out a framework for more robust statistical reporting on certain aspects of the activities of the Canadian Security Intelligence Service and the Communications Security Establishment activities, to enable year-to-year comparisons.
The pandemic delayed our plans and progress on reviews, investigations, and corporate initiatives in 2020, as was the case for many industries and sectors around the world. As of writing, our staff has begun to have more regular access to our offices and to the classified material critical to our work. More frequent and sustained access will help us conduct our work in a more timely and efficient manner. We look forward to carrying out an ambitious agenda in the year ahead.
We wish to extend our sincere thanks to our NSIRA staff for their dedication and diligence over the past challenging year, and for their continued efforts to build a strong organization.
Marie Deschamps Craig Forcese Ian Holloway Faisal Mirza Marie-Lucie Morin
Executive Summary
The National Security and Intelligence Review Agency (NSIRA) marked its first full year in operation in 2020. With the agency’s broad jurisdiction under the National Security and Intelligence Review Agency Act (NSIRA Act), it reviewed and investigated national security and intelligence matters relating to not only the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also several federal departments and agencies, including:
the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
Global Affairs Canada (GAC);
the Royal Canadian Mounted Police (RCMP);
Immigration, Refugees and Citizenship Canada (IRCC);
the Canada Border Services Agency (CBSA);
Transport Canada;
the Public Health Agency of Canada; and,
all departments and agencies engaging in national security and intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.
The agency also focused on standardizing and modernizing the processes that govern the two main functions under NSIRA’s mandate—reviews and investigations—to ensure that our processes are robust, clear, and transparent.
The year 2020 also saw the organization grow in size and capacity, as it continues efforts to enhance its technical and subject-matter expertise.
Review highlights
Canadian Security Intelligence Service
Over the course of 2020, NSIRA completed two reviews that strengthened its knowledge of important areas of CSIS activity:
The review of CSIS’s threat reduction measures (TRM) found that CSIS met its obligations under ministerial direction. However, in a limited number of cases, CSIS’s TRMs were not “reasonable and proportional.”
The review of CSIS and RCMP intelligence-sharing through the lens of an ongoing investigation shed light on an important unresolved issue in Canada’s national security framework: the limitations on the use of CSIS intelligence to support RCMP criminal investigations, also known as the “intelligence-to-evidence” dilemma.
Communications Security Establishment
NSIRA completed three reviews of CSE activities in 2020, including of:
CSE’s disclosure of Canadian identifying information (CII) to Government of Canada (GC) departments, which found that 28% of requests for disclosure were insufficiently justified to warrant the release of CII;
ministerial authorizations (MAs) and ministerial orders (MOs) under the CSE Act, which allow CSE to engage in activities that would otherwise be unlawful, to support its mandate; and
CSE’s signals intelligence (SIGINT) data retention policies and procedures, to better understand the SIGINT lifecycle management process and compliance with legal data retention limits and related government and internal policies.
Department of National Defence and the Canadian Armed Forces
In 2020, NSIRA completed a review of DND/CAF, which examined how the Canadian Forces National Counter-Intelligence Unit (CFNCIU) conducted its counter-intelligence gathering activities—focusing particularly on how the unit’s activities corresponded with legal and governance frameworks.
Global Affairs Canada
In 2020, NSIRA completed its first dedicated review of Global Affairs Canada (GAC) focusing on one of its programs.
Other departmental reviews
NSIRA also began reviews regarding a specialized RCMP intelligence unit, to better understand the national security role and responsibilities of Immigration, Refugees and Citizenship Canada, and a review of air passenger targeting at the Canada Border Services Agency.
Cross departmental reviews
NSIRA conducted two mandated cross-departmental reviews in 2020:
a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
a review of disclosures of information under the Security of Canada Information Disclosure Act (SCIDA); and
NSIRA also began another cross-departmental review in 2020:
a review to map the collection and use of biometrics across the federal government in security and intelligence activities.
Investigation highlights:
In 2020, NSIRA reformed and modernized its complaints process to promote efficiency and transparency. Two priorities guided this process of modernization, namely, promoting access to justice for self-represented complainants, and putting in place more streamlined and less formal procedural steps.
As part of this reform process, NSIRA created new Rules of Procedures, completing an extensive consultation exercise with stakeholders in the public and private sectors to ensure the most effective and considered final product. The new rules have come into force on July 19, 2021.
NSIRA also developed a new policy statement in 2020 that commits to publishing redacted and de-personalized investigation reports to promote and enhance transparency in its investigations.
Introduction
1.1 Who we are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament. Prior to NSIRA’s creation, several gaps existed in Canada’s national security accountability framework. Notably, NSIRA’s predecessor review bodies did not have the ability to collaborate or share their classified information, but were each limited to conducting reviews for a specified department or agency.
By contrast, NSIRA has the authority to review all Government of Canada national security and intelligence activities in an integrated manner. As noted in the 2019 annual report, with NSIRA’s expanded role, Canada now has one of the world’s most extensive systems for independent review of national security in the world.
1.2 Mandate
NSIRA has a dual mandate to conduct reviews and investigations on Canada’s national security and intelligence activities. Annex B contains a financial and administrative overview of NSIRA.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).2 This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency, the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada, and the Department of Justice. Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA. Annex C describes NSIRA’s review framework.
NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Reviews of CSIS and CSE will always remain a core part of NSIRA’s efforts, since the entire focus of these organizations is to address national security and intelligence matters. Unlike its predecessor review bodies, however, NSIRA has an all- encompassing review mandate. NSIRA will also continue to prioritize and examine how other departments engaging in national security and intelligence activities meet their obligations. NSIRA’s reviews help keep Parliament and Canadians informed about the lawfulness and reasonableness of Canada’s national security and intelligence activities.
Investigations
In addition to its review mandate, NSIRA is responsible for investigating national security- or intelligence-related complaints. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:
the activities of CSIS or CSE;
decisions to deny or revoke certain federal government security clearances; and,
ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.
This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism)3 and the Canadian Human Rights Commission.
1.3 Annual Reports to Parliament
Each calendar year, NSIRA has a statutory obligation to submit to the Prime Minister a report on its activities in the preceding year, along with its findings and recommendations.
2019 Annual Report
NSIRA’s first annual report (2019 Annual Report) covered the six-month period from July 2019 when NSIRA was established, through to the end of 2019. In that report, the agency discussed the reviews and investigations that it had either completed or launched in 2019, with the accompanying findings and recommendations. It also published the results of reviews that had not yet been made public by its predecessor organizations, the Security Intelligence Review Committee (SIRC) and the Office of the Communications Security Establishment Commissioner (OCSEC).
The 2019 Annual Report also presented NSIRA’s review findings through a novel framework called the “information continuum.” Given the agency’s comprehensive, overarching review mandate, this framework offers a lens for understanding key national security- and intelligence-related themes, trends and challenges that are common to departments and agencies across the federal government. This lens allows for discussing shared concerns in Canada’s overall security and intelligence architecture, and informs future review priorities and the recommendations for addressing them. The information continuum is discussed further in section 2.1 below.
2020 Annual Report
In response to feedback received from stakeholders, NSIRA’s second annual report groups the review summaries according to government department, including for CSIS and CSE. Nevertheless, NSIRA continues to be committed to presenting broader themes and observations on national security and intelligence accountability across Canada.
In the 2020 Annual Report, NSIRA therefore presents:
its “trust but verify” approach, developed to ensure it has timely access to all relevant information when conducting department and agency reviews;
an update on the agency’s plans to continue presenting review analyses through the information continuum lens;
summaries of NSIRA’s completed and ongoing reviews of CSIS, CSE, and other government departments and agencies in 2020, with background in the next section and summarized in Annex D, as well as detailed findings and recommendations listed in Annex E;7
data on CSE and its compliance-related activities, to promote greater transparency in these matters;
NSIRA’s plans for upcoming department and agency reviews, including to inform the three-year mandated parliamentary review of the National Security Act, 2017, that is expected to begin in 2022;
summaries of complaints investigations completed and ongoing in 2020;
an outline of the agency’s new, modernized complaints process, the result of an extensive reform initiative; and,
statistics on NSIRA’s complaints investigations in 2020 in Annex F.
1.4 Values and goals
NSIRA is committed to:
being open and transparent, to keep Canadians informed about the lawfulness and reasonableness of our country’s national security and intelligence activities;
anticipating the various risks that are part of each of the reviewed entities’
mandate;
being, as well as being seen to be, objective and independent;
maintaining methodological excellence, to ensure the rigour and quality of NSIRA’s approach;
engaging regularly with partners, stakeholders, and community members; and,
fostering forward- and innovative-thinking, to keep abreast and, ideally, stay ahead of new technology and an ever-changing national security environment.
As part of a commitment to methodological excellence, NSIRA developed its “trust but verify” approach (highlighted below) to provide an important measure of confidence in the completeness of information received from departments and agencies.
In 2020 the NSIRA Secretariat also began work to develop a Code of Conduct for all employees, which was finalized in June 2021. The Code sets out the organizational values that guide the workforce’s activities and functions and the expected standards that must be observed during and after a person’s employment with the NSIRA Secretariat.8
Additional details on NSIRA’s values and goals related to transparency, anticipation of risk, objectivity and independence, methodological excellence, stakeholder and community engagement, and forward- and innovative-thinking can be found in Annex G.
1.5 Trust but verify
The NSIRA Act grants the agency extensive access rights to information: with the exception of Cabinet confidences, NSIRA is entitled to have access in a timely manner to any information in the possession or under the control of any department. In conducting reviews and investigations, it requires timely access to a wide range of information, people, and assets. This, in turn, requires regular support from expert liaison units that can provide documentation, arrange briefings, answer questions, and generally guide and implement NSIRA’s access requirements. NSIRA’s ability to fulfil its mandate can be challenged when it faces delays in receiving information.
As a review agency, NSIRA must be able to assure Parliament — and through it, Canadians — that it has a high level of confidence in the completeness of the information received from departments and agencies, and hence, in the robustness of its findings. The ‘’trust but verify” approach is a critical tool for reaching this objective.
NSIRA recognizes, on the one hand, that the principle of trust requires each party to understand and appreciate the mandate, and feel confident in the integrity, of the other. Of course, in a review relationship there will necessarily be healthy tensions stemming from differences in perspective.
On the other hand, verification is a fundamental prerequisite of any credible review. NSIRA must be able to independently test the completeness of the information it receives.
Moving forward, NSIRA will implement a “tailored access” process for conducting verification. Tailored access involves identifying its information access needs in response to the specific review or investigation and collaborating with departments and agencies in determining the various types of access that will constitute the best manner in which to obtain that information. The tailored access process may include targeted access of computer networks and information, proxy access, dedicated office space, and access to training materials.
Targeted access constitutes direct access to a department’s or agency’s computer networks and/or sensitive information. Targeted access is the gold standard for ensuring a robust verification of information received as part of the trust but verify approach.
Proxy access involves a departmental or agency intermediary who accesses
information repositories in the presence of NSIRA staff, and who can review relevant information as it appears on the system.
Allocated office space at departments or agencies, either temporary or permanent, enables more expedient and secure exchanges of information.
Access to training requires access to departmental or agency training modules relating to relevant corporate policies and other matters, to allow NSIRA to build specific knowledge.
The tailored access processes can place logistical and resource strains on departments and agencies having to implement them, and may require a shift in culture. Overall, however, tailored access provides mutual benefits. Tailored access processes can increase transparency and accountability on all sides, allow information to be accessed in a more secure and timely manner, foster positive professional interactions, improve overall expertise, and strengthen evidence-based findings and recommendations. Moreover, NSIRA believes that tailored access will, over time, result in a reduced workload for liaison staff at departments and agencies under review.
The trust but verify approach is not new. Both NSIRA and its predecessor, SIRC, have already had long-standing tailored access arrangements with CSIS that include targeted (direct) access to CSIS’s computer networks and sensitive information.
The trust but verify principle is a key aspect of maintaining the integrity and credibility of NSIRA’s reviews. In keeping with the commitment to transparency and methodological rigour, its reviews will contain a “confidence statement” to report NSIRA’s confidence level in the completeness of the information on which the findings rely, given agency’s ability to verify. The confidence statement is an important tool for apprising ministers, Parliament, and members of the public on the extent to which NSIRA has been able to access all relevant information.
Review
2.1 The information continuum
As previously mentioned, NSIRA’s review mandate extends throughout the federal government. NSIRA’s broader jurisdiction allows it not only to examine the national security and intelligence activities of a specific organization, but also to identify common themes that emerge across government.
In the 2019 Annual Report, NSIRA introduced a framework to assist in discussing and analyzing such trends. The “information continuum” identifies four main stages in the lifecycle of national security and intelligence information where problems can arise, including in information collection, safeguarding, sharing, and use in real-world actions.
In an environment that is constantly changing, including the rapid development of new technologies, each stage presents potential challenges for departments and agencies engaging in national security and intelligence activities. Despite the challenges, all national security and intelligence activities must comply with the law and applicable ministerial directions, and meet the tests of reasonableness and necessity.
The 2019 Annual Report also identified a number of future priorities that would benefit from analysis through the lens of the information continuum. To achieve these goals, NSIRA promised to invest in building in-house technological expertise, collaborate with allied accountability bodies through the Five Eyes Intelligence Oversight and Review Council, and seek to stay current with new and emerging technologies such as artificial intelligence, machine learning, quantum computing, and “big data.”
NSIRA also pledged to continue to work with the Office of the Privacy Commissioner (OPC) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) on matters of joint concern to ensure the broadest range of perspectives are addressed.
NSIRA continues to examine national security and intelligence activities through the lens of the information continuum, and plans on presenting work on its website using the continuum approach to help situate horizontal themes for national security review. For 2020, however, this report builds on some feedback NSIRA received on last year’s annual report and uses a more institutional approach as a narrative device.10
2.2 Reality of review during a pandemic
As noted in the 2019 Annual Report, NSIRA staff continued to work remotely in 2020, which meant limited office access and, therefore, minimal access to the classified physical and electronic documents that must be protected in a secure environment, and that are critical to NSIRA’s work. Just as all organizations have had to adapt to the realities of the pandemic, so has NSIRA. It revised its review plans, and implemented strict rotating schedules to enable limited office access for classified work to safely continue to fulfill its statutory obligations and uphold its commitments to Canadians.
2.3 Parliamentary review of the National Security Act, 2017
The omnibus National Security Act, 2017, which established NSIRA and made major changes to Canada’s national security framework, contains provisions mandating a review by Parliament during NSIRA’s fourth year of operation, which will be in 2022.
This comprehensive review will require Parliament to assess the effects of the National Security Act, 2017, on the operations of the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP) and the Communications Security Establishment (CSE) that relate to national security, information sharing, and the interaction of those organizations with NSIRA, the Office of the Intelligence Commissioner and NSICOP.11
NSIRA has structured and sequenced its review plan in order to inform Parliament’s examination of new powers granted to security agencies through the National Security Act, 2017. Reviews of these new powers will take place over the course of 2021 and into early 2022, to determine whether they were exercised in compliance with the law and ministerial direction, and whether they were reasonable and necessary.
2.4 CSIS reviews
Overview
Under the NSIRA Act, NSIRA has a mandate to review any CSIS activity. The Act requires NSIRA to submit an annual report to the Minister of Public Safety and Emergency Preparedness on CSIS activities each year, including information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.12
In 2020, NSIRA completed two CSIS reviews, summarized below. NSIRA also began two more reviews: a review of CSIS’s technology programs and intelligence collection techniques, and a review of the duty of candour owed by both CSIS and the Department of Justice in warrant proceedings before the Federal Court. Other NSIRA ongoing reviews, including multiple agency reviews, have a CSIS component.
Threat reduction measures
Under the Anti-terrorism Act, 2015, CSIS was granted the authority to undertake threat reduction measures (TRMs). NSIRA is required to review, annually, at least one aspect of CSIS’s performance in using its threat reduction powers.13
This was NSIRA’s first review of CSIS’s threat reduction mandate. It included a detailed compliance review of a sample of TRMs from 2019. The review also included a high- level analysis of CSIS’s use of TRMs over the past five years to identify trends and to inform NSIRA’s choice of future review topics.
The sample reviewed by NSIRA consisted of TRMs that were employed to disrupt threats to Canadian democratic institutions in relation to the 2019 federal election. NSIRA assessed the measures against legislative and policy requirements, as well as ministerial direction.
For all the measures reviewed, NSIRA found that CSIS met its obligations under ministerial direction, namely that CSIS consulted with its government partners and completed an assessment of the operational, political, foreign relations and legal risks of each TRM.
For most of the measures taken by CSIS, NSIRA noted that the measures satisfied the requirements of the Canadian Security Intelligence Service Act (CSIS Act). NSIRA also noted, however, that in a limited number of cases, CSIS selected individuals for inclusion in the TRM without a rational link between the selection of the individual and the threat. As a result, these measures were not “reasonable and proportional” as required under the CSIS Act.14
For one type of TRM reviewed by NSIRA, CSIS deemed that a warrant was not required. NSIRA identified concerns about factors which would require CSIS to consider fully the implications of the Canadian Charter of Rights and Freedoms for its measures, and could require CSIS to obtain warrants before taking certain measures.
Finally, NSIRA noted some inconsistencies in the type of information provided to CSIS decision-makers in its internal requests for approval. NSIRA also found gaps and inconsistencies in CSIS’s documentation, which had the effect of hindering NSIRA’s compliance review. As a result, NSIRA recommended that formalized and documented processes be developed for the management of all TRM-related information. In addition, NSIRA recommended that all pertinent facts relating to the TRM be formally provided to the National Security Litigation and Advisory Group (NSLAG), which is part of the Department of Justice, to ensure that the NSLAG has the information necessary to provide considered legal advice.
The legal issues and questions raised in this review, as well as the analysis of trends across the last five years, point the way to further reviews by NSIRA. In particular, NSIRA was struck by the potential for a class of TRMs to affect rights and freedoms protected under the Charter. In future, NSIRA will pay particular attention to this class of TRMs and the associated legal risks. NSIRA also notes that CSIS has yet to undertake a TRM under the authority of a court warrant. If and when CSIS obtains a TRM warrant, NSIRA will prioritize it for review.
Response to NSIRA’s recommendations
NSIRA’s recommendations, CSIS’ management responses, and other details about this review, are found in Annex E of this report.
CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation
CSIS and the RCMP must work together and share intelligence to effectively counter national security threats.15 NSIRA examined the state of the relationship between CSIS and the RCMP through the lens of an ongoing investigation in a specific region of Canada. NSIRA undertook an in-depth study of both agencies’ operations, with particular attention to how the two agencies collaborated on this investigation in recent years, both in this region and at headquarters. Although the findings of this review are specific to the given investigation, NSIRA has no reason to believe that the investigation in question is atypical, and thus this review provides insight into the more general state of the two agencies’ relationship.
With respect to CSIS’s investigation specifically, NSIRA found that CSIS was reliant on a narrow set of information and was thus vulnerable; NSIRA observed how external factors arose that sharply limited CSIS’s ability to collect intelligence on the threat in question, resulting in collection gaps.
NSIRA found that in the specific region in question, CSIS and the RCMP had developed a strong relationship that has fostered effective tactical de-confliction of operational activities. Nonetheless, technological constraints made CSIS-RCMP de-confliction in the region excessively burdensome and time-consuming.
The RCMP’s use of CSIS information in support of criminal prosecutions has long been limited by perceived risks of involving CSIS or CSIS information in a prosecution. As an element of this, NSIRA observed a general reluctance on the parts of both CSIS and the RCMP to connect CSIS information to an RCMP investigation. In the case of the regional investigation in question, CSIS intelligence had not been shared or used in a way that significantly advanced the RCMP’s investigations.
On the whole, NSIRA found that CSIS and the RCMP had made little progress in addressing the threat under investigation. Moreover, CSIS and the RCMP did not have a complementary strategy to address the threat.
NSIRA has the legal authority to assess CSIS-RCMP activities from the perspective of both parties, and is not limited to the standpoint of CSIS, as was the case for the Security Intelligence Review Committee (SIRC). This regional review exposed an important, yet unresolved, issue in Canada’s national security framework: the limitations on the use of CSIS intelligence to support RCMP criminal investigations, often termed the “intelligence-to-evidence” dilemma. Given the centrality of the CSIS- RCMP relationship to Canada’s national security architecture, NSIRA will return to this topic in future years.
Response to NSIRA’s recommendations
NSIRA’s recommendations, CSIS’ management responses, and other details about this review, are found in Annex E of this report.
Statistics and data
To achieve greater public accountability, NSIRA is requesting that CSIS publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.
The number of section 21 warrant applications (a) approved, and (b) denied; each further broken down as either new or replacement/supplemental.
Number of section 21 warrant applications approved: 15
New: 2
Replacement: 8
Supplemental: 5
Number of section 21 warrant applications denied: 0
The number of section 21.1 warrant applications (a) approved, and (b) denied; each further broken down as either new or replacement/supplemental.
There were no warrant applications under section 21.1.
The number of CSIS targets
360 targets
The number of publicly available datasets (a) evaluated, and (b) retained.
Six section 11 PADs were evaluated and retained.
*Note that one had been collected in late 2019 but was evaluated in 2020.
The number of Canadian datasets (a) evaluated, and (b) retained after authorization by the Court, and the number of such requests denied.
There were zero Canadian datasets evaluated, subject to a request, or retained in calendar year 2020.
The number of foreign datasets (a) evaluated, and (b) retained after approval by the Minister and Intelligence Commissioner, and the number of such requests denied (by either the Minister or Intelligence Commissioner).
There were zero foreign datasets evaluated in calendar year 2020. (All pending submissions were evaluated in 2019.)
There was one foreign dataset retained after authorization by the Minister (Director as designate, November 18, 2020) and approval by the Intelligence Commissioner (December, 16, 2020) in calendar year 2020. (It was evaluated in 2019.)
There were no requests for foreign datasets denied by the Minister or Intelligence Commissioner in calendar year 2020.
The number of TRMs (a) approved, and (b) executed.
Approved: 11
Executed: 8
The number of Justification Framework (a) approvals, and (b) invocations.
Emergency designations made under section 20.1(8): 0
Authorizations given under section 20.1(12): 147
Written reports submitted under section 20.1(23): 123 (this includes 39 commissions by employees and 84 directions)
The number of internal CSIS compliance incidents.
In 2020, External Review and Compliance processed 50 compliance incidents. Of these, 29 were considered to be administrative, 14 related to warrant terms and conditions, and 7 related to internal policies, procedures or directives.
General compliance challenges: Outdated operational policies
As legal and operational environments have evolved over the years, the suite of internal policies and procedures governing CSIS operations has drifted out of date. These operational policies and procedures translate the limits imposed by law and ministerial directions into everyday practice for CSIS activities.
NSIRA, and previously SIRC, noted concerns with out-of-date policies and procedures in reports and reviews over the years. CSIS also recognizes these concerns, but has struggled to adequately resource and prioritize the renewal of its operational policy suite. The result is a confusing collection of old and new policies, and ad hoc directives that have not yet been incorporated into policy. Over the past two years, CSIS has reported that more than 150 of its operational policy related documents need to be developed, updated, or significantly revised.
Written policies and procedures that do not reflect current operational realities and legal requirements—or are simply not internally consistent—elevate the risk that CSIS will not comply with the law and ministerial directions. CSIS employees should always have a clear, consistent and up-to-date suite of policies and procedures that makes compliance easy.
NSIRA is aware of CSIS’ ongoing efforts to overhaul and organize its full range of operational policies and procedures. Since the backlog has persisted for years, it remains unclear whether the latest efforts at renewal are sufficiently well-resourced to truly remedy the situation in a timely manner.
Internal compliance and proactive disclosure to NSIRA
In 2020, CSIS proactively disclosed to NSIRA a compliance issue related to certain operational activities. After CSIS employees raised concerns about an operational program, CSIS conducted an internal compliance review. The initial review focused on compliance with CSIS policies and procedures, but as the issue was explored CSIS opted to conduct a legal assessment as well. CSIS has since taken a number of steps to address the shortcomings it identified, including improved operational governance and management accountability. NSIRA received a comprehensive briefing on the matter in early 2021; CSIS is also providing, and has committed to continue to provide, NSIRA with the full range of relevant internal documents. NSIRA is examining this material with interest and will follow up with CSIS as appropriate.
This incident illustrates how departmental compliance mechanisms and NSIRA’s external review mandate can complement each other. NSIRA encourage CSIS to continue to engage the agency when internal compliance issues of note are uncovered.
2021 CSIS review plan
In 2021, NSIRA is commencing or conducting three reviews exclusively focused on CSIS, one review focused on CSIS and the Department of Justice and a number of interagency reviews with a CSIS component. The reviews are summarized below.
In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has initiated or is planning the following CSIS reviews, for completion in 2021:
Survey of new technology programs and intelligence collection techniques
This review, initiated in 2020, involves a broad survey of CSIS’s technology programs and intelligence collection techniques, with a particular focus on those that require authorization by court warrant. The review will help to identify specific technologies or investigative techniques that merit future review due to their novelty, potential intrusiveness, or potential for posing risks to compliance. Once identified, these technologies or techniques will be reviewed over subsequent years to ensure legal compliance.
Review arising from the Federal Court’s judgment in 2020 FC 616
This review arises from the Federal Court’s judgement in 2020 FC 616.16 To fully identify systemic, governance and cultural shortcomings and failures that may have led to the breach noted by the Court, NSIRA has undertaken an extensive program of document review and briefings involving both CSIS and the Department of Justice. NSIRA is also conducting confidential interviews with CSIS and Department of Justice employees, at various levels, to better understand the dynamics shaping decision-making in both departments and the interactions between the departments. In addition, NSIRA has consulted with external experts where possible. This review is distinct from other reviews NSIRA has conducted, as it is led by two NSIRA members: Marie Deschamps and Craig Forcese. The final report is expected to be completed in late 2021 or early 2022.
Beyond 2021, NSIRA intends to explore CSIS reviews of topics including, but not limited to:
ministerial direction issued to CSIS;
CSIS intelligence collection relating to foreign interference;
CSIS datasets; and
CSIS’s justification regime for intelligence collection activities.
Access
The range of information that CSIS must proactively inform NSIRA about has expanded under amendments to the CSIS Act. NSIRA must be informed about matters that include CSIS’s use of datasets, threat reduction measures, disclosures of information, and the new justification framework for otherwise unlawful activities. Since these requirements are embedded in the CSIS Act, it is NSIRA’s understanding that Parliament intended that NSIRA keep itself continuously apprised of these activities. To this end, NSIRA will systematically monitor the information received from CSIS for its compliance with the law, and the reasonableness and necessity of those activities.
However, NSIRA considers it vital that CSIS also keep NSIRA informed of those activities beyond those that CSIS is explicitly required to bring to NSIRA’s attention. NSIRA is working with CSIS to establish a process that builds on NSIRA’s existing direct access to CSIS’s main databases. This process will enable NSIRA to obtain additional information that complements the information that CSIS is required to report to NSIRA.
This endeavour will not only strengthen the content of NSIRA’s public annual reporting, but will also better inform the annual classified report on CSIS that NSIRA must provide to the Minister of Public Safety and Emergency Preparedness.
CSIS has been subject to independent review since its creation in 1984. To manage its relationship with external review bodies, CSIS has long maintained a dedicated review secretariat, which is currently housed within its External Review and Compliance branch. CSIS’s review secretariat has enhanced its ability to meet its statutory obligations to provide NSIRA with timely access to the information NSIRA deems relevant. In 2020, NSIRA was generally satisfied with its access to CSIS.
During this reporting period, CSIS personnel have remained supportive and available to the extent possible, and in several instances in 2020, went to exceptional lengths to assist NSIRA is completing reviews whose timelines had themselves been disrupted by COVID-19. Although CSIS and NSIRA may disagree on specific issues — as is to be expected with regard to an external accountability body — NSIRA is of the view that the continued cooperation of CSIS personnel under difficult circumstances reflects an underlying understanding of and respect for the role of independent review at CSIS.
2.5 CSE reviews
Overview
As set out in the NSIRA Act, NSIRA has a mandate to review any CSE activity. Under the NSIRA Act, NSIRA must also submit an annual report to the Minister of National Defence on CSE activities each year, including information related to CSE’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSE’s powers.
In 2020, NSIRA completed three CSE reviews. This annual report also presents results from a 2019 review that NSIRA was unable to share in the 2019 Annual Report. NSIRA also initiated three reviews, as discussed below.
In meetings with representatives from Canadian civil society and academia, some stakeholders expressed an interest in receiving follow-up information pertaining to reviews conducted under the former Office of the CSE Commissioner (OCSEC).20 NSIRA remain committed to redacting, translating, and publishing OCSEC historical reviews as resources permit. However, many of OCSEC’s reviews are no longer relevant in light of the legislative amendments introduced in 2019 by the National Security Act, 2017. Many of OCSEC’s recommendations have also been implemented, since they called for changes to the law that were subsequently captured in the National Security Act, 2017. As well, any ministerial directions and other instruments issued under the previous legal framework for CSE (National Defence Act) are now obsolete, having been reissued under the new authorities.
Disclosure of Canadian identifying information to Canadian partners
On June 18, 2021, NSIRA released a public summary of its review of CSE’s disclosures of Canadian Identifying information (CII).21 When CSE conducts foreign signals intelligence (SIGINT) collection, it suppresses any incidentally collected CII in its intelligence reporting to protect the privacy of Canadians and persons in Canada. 22 Nevertheless, the Government of Canada and foreign recipients of these intelligence reports can request the details of this information—including names, email addresses, and IP addresses—if they have the legal authority and operational justification to receive it.
In 2020, NSIRA reviewed the lawfulness and appropriateness of CSE’s disclosure of CII, focusing on CSE’s disclosure of CII to other Government of Canada departments.
This review examined a sample of CSE’s CII disclosures from July 1, 2015 to July 31, 2019 containing 2,351 Canadian identifiers, including in the context of assisting CSIS’s foreign intelligence collection under section 16 of the CSIS Act.
NSIRA found that although CSE approved 99% of requests for CII disclosure from its domestic partners, 28% of all requests were not sufficiently justified to warrant the release of CII. As a result, NSIRA concluded that CSE’s implementation of the CII disclosure regime lacked rigour, and may not have complied with its responsibilities under the Privacy Act. This report therefore constituted a compliance report pursuant to section 35 of the NSIRA Act, and was presented to the Minister of National Defence on November 25, 2020.
NSIRA also found that CSE’s releases of CII collected under section 16 of the CSIS Act were conducted in a manner that was unlikely to have been communicated to the Federal Court by CSIS. CSIS had provided the Federal Court with testimony about its treatment of information about Canadians collected through section 16 of the CSIS Act. Yet, when NSIRA compared this testimony with how CSE handled information about Canadians collected when assisting CSIS in relation to section 16, NSIRA found notable discrepancies in the standards communicated to the Federal Court. CSIS was not involved in assessing or releasing the disclosures about which NSIRA had concerns; these disclosures were handled solely by CSE.
Response to NSIRA’s recommendations:
As detailed in Annex E of this report, CSE accepted all 11 of NSIRA’s recommendations. CSE initiated a privacy impact assessment of its CII disclosure regime, and has informed NSIRA that it is in the final stages of implementing an updated version of its CII request software, which is intended to ensure that all necessary information related to operational justification, and legal authority is captured prior to a disclosure taking place. CSE has also ceased releasing CII collected under section 16 of the CSIS Act until the Federal Court is fully informed about CSE’s sharing of information derived from collection under section 16 warrants.
Ministerial authorizations and ministerial orders under the CSE Act
After the CSE Act came into force in 2019, CSE received a new set of ministerial authorizations (MAs). These documents, issued by the Minister of National Defence, authorize CSE to engage in activity that risks contravening an “Act of Parliament or interfering with a reasonable expectation of privacy of a Canadian or person in Canada.” For example, such activities might include the incidental interception of private communications during CSE’s foreign SIGINT collection activities.
The CSE Act also created the legislative authority for the Minister to “designate electronic information or information infrastructures or classes of electronic information or information infrastructures as being of importance to the Government of Canada” through a ministerial order (MO). Designating infrastructures as being of importance to the Government of Canada enables CSE to share certain kinds of information, and provide direct assistance.
In 2019, the Minister of National Defence issued seven MAs and three MOs under the CSE Act. NSIRA received comprehensive briefings on the activities authorized by each MA and MO. Based on the records that CSE provided, NSIRA believes that CSE employed considerable rigour in the MA application process. NSIRA found that CSE’s MA application requests contained sufficient information, and provided more information than previous applications under CSE’s pre-CSE Act governing legislation, National Defence Act, thereby allowing for greater transparency of CSE’s activities.
NSIRA found, however, that CSE has not fully assessed the legal implications of certain activities enabled since the CSE Act, which have not yet occurred, but which are permissible under a specific type of MA. NSIRA also found that CSE was unable to provide an assessment of its obligations under international law regarding the conduct of active cyber operations.
CSE’s briefings on these matters have informed NSIRA’s three-year review plan. In particular, this review highlighted the immediate need for NSIRA to focus on CSE’s active cyber operations (ACOs) and defensive cyber operations (DCOs), given that the Intelligence Commissioner does not provide approval for these activities and that CSE has no statutory obligation to notify NSIRA when it undertakes these activities. Active and defensive cyber operations represent a new aspect of CSE’s mandate, and NSIRA will closely examine both the governance policies and procedures for these activities, as well as the operations themselves.
Response to NSIRA’s recommendations
As detailed in Annex E, CSE generally accepted NSIRA’s recommendations in relation to this review. CSE agrees that its operations should be assessed with respect to compliance with international law, but continues to dispute NSIRA’s assertion that it was unable to provide an assessment of its obligations under international law.
Signals Intelligence data retention policies and procedures
Inspired by a similar review by the U.S. Inspector General for the National Security Agency, NSIRA completed a review of CSE’s SIGINT data retention policies and procedures in December 2020. The purpose of the review was to understand the SIGINT data lifecycle management process and learn about compliance with legal data retention limits, and with government and internal policy. Non-compliance with these limits could potentially adversely affect civil liberties and privacy protections. NSIRA completed its review and will use the information learned as a foundation for a future review.
Privacy Incidents File (2019)
On March 4, 2021, NSIRA publicly released its first review of CSE, which was a 2019 review of CSE’s Privacy Incidents File (PIF).29 A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. NSIRA’s 2019 PIF review, including findings and recommendations, was discussed in Annex A of the 2019 Annual Report. NSIRA was unable to publish CSE’s responses to NSIRA’s recommendations in time for that report, and so these responses are now included in Annex E to the present annual report.
Response to NSIRA’s recommendations
CSE accepted all five of NSIRA’s recommendations regarding the 2019 PIF review. CSE is pursuing a standardized mechanism for identifying and reporting on incidents with privacy interests, and is investigating ways to reach more streamlined and uniform reporting between operational compliance teams. CSE committed to standardizing its policy on how to assess whether a privacy incident constitutes a material privacy breach, and re-examining its assessment methods to ensure they are effective and reasonable. In November 2019, CSE also abolished a specific practice that NSIRA had raised concerns about.
Statistics and data
To achieve greater public accountability, NSIRA is requesting that CSE publish more statistics and data about public interest and compliance-related aspects of its activities. This section presents some of this CSE data.
NSIRA intends to provide data on an annual basis to provide benchmarks and enable comparison. It cautions, however, that some CSE data are difficult to interpret without significant analysis and full context, and may not necessarily indicate particular practices or developments.
In 2020, CSE provided foreign intelligence reports to more than 2100 clients in over 25 departments and agencies within the Government of Canada in response to a range of priorities related to international affairs, defence, and security. As examples, CSE believes that its own intelligence reporting helped thwart or respond to foreign cyber threats, supported Canada’s military operations, protected deployed forces, identified hostile state activities, and provided insight into global events and crises to help inform Government of Canada policies and decision making.
In calendar year 2020, CSE received 24 requests for assistance from CSIS, the RCMP, and the Department of National Defence, and actioned 23 of these requests.
Also in 2020, CSE recorded a total of 81 incidents in its PIF, second party privacy incidents file (SPIF), and minor procedural errors file.
In calendar year 2020, CSE was issued six MAs. The table below provides a breakdown of these MAs, as well as of MAs from calendar year 2019, which NSIRA was unable to publish in its 2019 annual report. NSIRA will continue to benchmark and compare these, and other statistics, each year.
* Note that the above tables refer to ministerial authorizations (MAs) that were issued in the given calendar years, and may not necessarily reflect MAs that were in effect. For example, if an MA was issued in late 2019 and remained in effect in parts of 2020, it is counted above solely as a 2019 MA.
In June 2021, in CSE’s 2020-2021 public annual report, CSE confirmed that it has conducted foreign cyber operations.32 CSE informed NSIRA that it is not prepared to release specific information related to foreign cyber operations, as it would constitute special operational information that, if disclosed, could be injurious to Canada’s international relations, national defence or national security.
Internal compliance programs
In addition to NSIRA’s independent expert review, CSE’s functions are also subject to its own internal compliance programs. For this annual report, NSIRA asked CSE to provide information on some of its internal compliance programs. CSE’s Internal Program for Operation Compliance is responsible for activities of the Canadian Centre for Cyber Security (Cyber Centre), while compliance of SIGINT activities is overseen by the SIGINT Compliance section.
Unlike some of its international counterparts, NSIRA does not currently assess the effectiveness of department and agency internal compliance programs. However, NSIRA recognizes that assessing such programs would be an important component of its review mandate, and it intends to build capacity in this area. In the interim, there is nevertheless value in publishing the information available on internal compliance, to provide a greater understanding of CSE’s policies in this regard. The information provided in this section should not be considered an independent assessment or evaluation.
Internal program for operation compliance
The Internal Program for Operation Compliance (IPOC) is responsible for providing mission management support and operationalizing the Cyber Centre’s Internal Compliance Program, which encompasses three fundamental accountability pillars:
Enabling Compliance (education, prevention, and collaboration);
Compliance Verification and Assurance (monitoring, review, and audit); and
Compliance Incident Management (analysis, mitigation, and reporting).
According to CSE, the Cyber Centre’s ability to demonstrate compliance with legal, ministerial, and policy obligations while conducting cybersecurity activities is “a key component of its ‘licence to operate’.” CSE considers these accountability and transparency values to be at the core of Cyber Centre operations; they are seen as constituting the foundation for maintaining Canadians’ trust and confidence in the Cyber Centre’s activities.
CSE also stated that, in addition to conducting annual compliance monitoring of cybersecurity and information assurance activities, IPOC works with Cyber Centre operational areas to promote “compliance by design,” whereby control mechanisms and privacy protection measures are intended to be proactively built into systems, tools, and operational business processes.
SIGINT compliance
Ensuring compliance of activities is, according to CSE, “of utmost importance to SIGINT, as it is critical to CSE’s continued lawfulness.” The SIGINT Compliance section works with employees to clarify their roles in compliance, for example through employee engagement, incident handling, annual compliance accreditation training, and compliance advice on new and established SIGINT initiatives. The section works to build and maintain a compliance review framework based on the CSE Act and other appropriate legislation, as well as CSE’s internal policy instruments.
According to CSE, this compliance review framework dictates internal compliance reviews that the group must complete annually over a three-year cycle. Moreover, the SIGINT Compliance group is meant to review SIGINT activities across the entire lifecycle of intelligence production, from data acquisition to processing, analysis and end-product dissemination. When necessary, these reviews contain required actions that employees in certain activity areas must complete to maintain or improve compliance. These required actions must be tracked and updated regularly by both the compliance group, as well as senior management.
NSIRA understands that transparency related to compliance is not achieved overnight, and that CSE’s transparency efforts are, as CSE told NSIRA, “still a work in progress.” NSIRA can assist CSE in such efforts, for example by providing information to the Canadian public about CSE’s lawfulness, compliance, and its functions more broadly.
Internal compliance errors reported to NSIRA
CSE states that it promotes a culture of compliance and encourages the self-reporting of potential compliance incidents. In 2019-20, CSE had concerns that it may have received information outside of a valid MA period, in relation to cybersecurity activities on a certain type of infrastructure.
CSE ultimately notified the infrastructure owner, purged the inadvertently received information from its systems in accordance with standard privacy safeguards, and launched a review of the incident for the purpose of identifying and implementing additional privacy protection measures. CSE also proactively engaged the Minister of National Defence and NSIRA for transparency and accountability purposes.
NSIRA appreciates that CSE brought this incident to its attention. NSIRA did not consider the incident to be of major concern, but view CSE’s proactive and voluntary notification of the incident as a key success in the NSIRA-CSE relationship. NSIRA feels that CSE’s response to this incident bodes well for effective and honest communication and collaboration moving forward.
2021 CSE review plan
In general, NSIRA prioritizes its reviews of CSE based on legislative requirements, as well as risk. In the case of risk, NSIRA seeks to identify those activities that may potentially pose higher risks of legal non-compliance, often because these activities are new and untested, or operate under the updated authorities of the CSE Act. NSIRA also engages with various stakeholders, both internal and external to the Government of Canada, to consider CSE-related concerns that should be reviewed.
Over the coming years, NSIRA will focus on newer aspects of CSE’s mandate, as well as on CSE’s use of certain emerging technologies, including artificial intelligence. In particular, NSIRA has heard various concerns from Canadian stakeholders about CSE’s novel foreign cyber operations mandate. NSIRA is closely examining CSE’s foreign cyber operations, including in two ongoing reviews, and NSIRA will continue to review these kinds of operations in future. NSIRA will also continue to review discrete CSE activities in cybersecurity and SIGINT based on their associated risks.
In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act (SCIDA) and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has initiated or is planning the following CSE reviews, for completion in 2021:
Review of information use and sharing between aspects of CSE’s mandates
This review examines how CSE ensures compliance with its lawful authorities and restrictions when exchanging information between aspects of its mandates. An exchange of information between aspects occurs, for example, if CSE collects information under the foreign intelligence aspect and then shares this information with those operating under the cybersecurity aspect. The review examines how CSE uses such cross-aspect information, in order to ensure compliance with the CSE Act. This review was initiated in January 2020, but has been delayed.
Review of CSE’s active cyber operations and defensive cyber operations, Part 1: Governance
This review examines CSE’s new active cyber operation / defensive cyber operation powers under the CSE Act to ensure legal compliance. It looks at the policy and legal framework for conducting these activities for the 2019-20 MAs. This review was initiated in August 2020, but has been delayed.
Review of an activity conducted under CSE’s foreign intelligence Ministerial Authorizations
This review studies an activity conducted under CSE’s Foreign Intelligence Ministerial Authorizations to examine CSE’s policies and procedures. This activity has not been subject to any external or internal assessment, audit, or compliance review, and as such presents an opportunity for NSIRA to conduct the first-ever review of this CSE activity. CSE provided a preliminary briefing to NSIRA on this topic in early 2021, but this review has been delayed.
Departmental study under section 31 of the NSIRA Act
Under section 31 of the NSIRA Act, NSIRA can direct CSE to conduct a study of its activities that relate to national security and intelligence, to ensure that these activities are carried out in compliance with the law and any applicable ministerial directions, and that they are reasonable and necessary. On completion of the study, CSE must provide a copy of the report to the Minister of National Defence and to NSIRA. Following NSIRA’s review of CSE’s CII disclosures, NSIRA concluded that CSE’s implementation of its disclosure regime under the National Defence Act may not have complied with requirements under the Privacy Act. Given the change in CSE’s governing legislation in 2019, NSIRA has directed CSE to review its disclosures to Government of Canada partners as well as foreign partners to ensure that these disclosures comply with section 43 of the CSE Act.
Beyond 2021, NSIRA intends to explore CSE reviews of topics including, but not limited to:
Active Cyber Operations and Defensive Cyber Operations, Part 2: Operations;
Safeguarding of sensitive information, including use of the polygraph;
Assistance to CSIS;
A specific cybersecurity activity as outlined within an MA;
The Vulnerabilities Equities Management Framework (VEMF);
The use of emerging technologies, including Artificial Intelligence;
A foreign SIGINT collection program conducted under an MA; and
SIGINT retention practices.
NSIRA’s mandate allows it to conduct inter-departmental reviews (also known as ‘follow-the-thread’ reviews), and it intends to do so for several ongoing and planned CSE reviews. In engaging with a range of federal departments and agencies, NSIRA’s CII review was its first follow-the-thread review.
Access
In 2020, NSIRA’s CSE Review Team established office space in CSE’s headquarters. This office space, which began partial operations in 2020, includes nine workstations and provides NSIRA with greater access to its CSE counterparts. Access to NSIRA’s CSE office is restricted, and appropriate safeguards are in place to ensure NSIRA’s independence.
A significant challenge to NSIRA’s CSE review is the lack of comprehensive and independently verifiable access to CSE’s information repository.37 As one component of addressing challenges, NSIRA is exploring options to have CSE proactively disclose specific categories of information on a regular basis, which would be used to both ensure compliance of activities and inform the conclusions NSIRA provides in the annual classified report to the Minister.
As another component of addressing access challenges, NSIRA is also exploring some options with CSE to implement the “tailored access” approach described under section 1.5 of this Report. Implementing tailored access will result in trust being maintained between the two organizations, while ensuring that NSIRA has the ability to independently verify the information received in the context of its review. It should also be noted that the speed at which NSIRA receives information before the verifications stage remains important, as any delays in receiving information has the potential to impede NSIRA’s ability to fulfill its mandate.
To encourage greater accountability in the year ahead, NSIRA intends to establish more formal guidelines for the provision of information by departments and agencies, including targets for the timeliness of responses to requests for information, and a framework for reporting publicly on the above.
Conclusion
As a new organization, NSIRA continued to staff its CSE Review Team in 2020,39 in addition to improving its overall understanding of CSE’s remit. NSIRA acknowledges the need to continue consolidating its familiarity and expertise with CSE and various aspects related to CSE’s functions. Similarly, CSE—which built a close relationship with OCSEC over some 23 years of review — is in the process of building its own familiarity with NSIRA and its mandate. NSIRA also acknowledges that reviews of CSE’s functions can be particularly sensitive, for example, because of the high volume of highly classified special information content.
NSIRA thanks CSE for timely assistance in providing publicly-releasable information for this annual report, much of which has not previously been made public. NSIRA feels that this reflects steps by CSE toward increased transparency to Canadians. Further, NSIRA is grateful for regular support from CSE’s Information Technology services in helping with secure communications.
2.6 Other government departments
Overview
One key reason for creating NSIRA was to ensure scrutiny of Canadian national security and intelligence departments and agencies that did not already have dedicated review bodies. To this end, the NSIRA Act provides the legal foundation to “review any activity carried out by a department that relates to national security or intelligence.”40 As would be expected, selecting which departments and agencies outside of CSIS and CSE that require examination is complex and must be continuously updated in tandem with the ever-changing national security landscape.
In addition to selecting specific departments for review, NSIRA is developing an integrated review framework that addresses broad-based national security and intelligence issues both horizontally and vertically across departments and agencies. This is in addition to the yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, which when considered cumulatively, provide the opportunity to cover the entire community.
As previously mentioned in section 1 of this report, NSIRA is working with departments and agencies across government to design a process where the information provided for a review is corroborated and verified for completeness. NSIRA calls this the trust but verify principle: NSIRA trusts departments to provide access to information, people and assets in a timely manner, while having mechanisms in place to allow the agency to independently verify the completeness of the access.
It is also important to note that NSIRA works closely with the NSICOP and the OPC to share review plans and de-conflict when reviews touch on similar subjects.
Beyond CSIS and CSE, NSIRA initiated reviews with the following departments and agencies in 2020:
Department of National Defence / Canadian Armed Forces (DND/CAF);
Global Affairs Canada;
the RCMP;
Immigration, Refugee and Citizenship Canada;
the Canada Border Services Agency;
Transport Canada; and
the Public Health Agency of Canada.
the following sections outline reviews completed or initiated in 2020, by department/agency, as well as some planned future reviews.
As well, through the yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has engaged with all departments and agencies that make up the Canadian national security and intelligence community.
The following sections outline reviews completed or initiated in 2020, by department or agency, as well as some planned future reviews.
Department of National Defence and the Canadian Armed Forces
The Canadian Forces National Counter-Intelligence Unit
The Canadian Forces National Counter-Intelligence Unit (CFNCIU) falls under the Canadian Forces Intelligence Group within Canadian Forces Intelligence Command and is organized along Regional Detachments. CFNCIU’s activities involve investigating and reporting counter-intelligence threats that pose a security risk to DND/CAF, supporting CAF operations to enhance force posture and operational security, coordinating exchanges of threat information with security partners, and providing early warning. CFNCIU’s primary responsibility is the collection of security intelligence for integration into national or local threat assessments.
The investigative framework for CFNCIU is unique insofar as it covers a broad range of security intelligence concerns similar to those of CSIS, yet is limited in investigative scope to DND/CAF information, people and assets (i.e. nexus to DND/CAF). Unlike CSIS, CFNCIU does not collect expansively on threats given the need for a nexus; and unlike a Departmental Security Officer, CFNCIU does not conduct investigations on issues regarding policy compliance, or security issues involving inappropriate behavior by employees that do not point to an obvious threat. Furthermore, CFNCIU does not have responsibility for security screening or criminal investigations. The investigative scope of CFNCIU is therefore best understood as occupying a very narrow space above those related to discipline and security screening, yet falling below criminal thresholds.
This review examined CFNCIU’s domestic efforts at investigating counter-intelligence threats posed to DND/CAF, the rationale used by CFNCIU for justifying investigations, and the associated investigative activities that follow. In this context, the review specifically sought to provide an initial understanding of the DND/CAF governance framework, as well as how CFNCIU views threats, collects intelligence, engages in cooperation and applies analysis. Particular attention was paid to CFNCIU’s legal foundations, processes and procedures, and how they contribute to safeguarding against insider-threat scenarios. NSIRA also reviewed how intelligence derived from investigations was conveyed to DND/CAF decision-makers. The full review is currently being redacted and should be released on NSIRA’s website soon.
NSIRA found that CFNCIU and other DND/CAF security components have been organized into narrowly focused vertical silos that do not work in an integrated manner. While CFNCIU adhered to internal policies used to initiate investigations, it did not have a formalized process to help guide investigation prioritization based on relevant criteria. It was also evident that CFNCIU required clarity on its legal authorities, to ensure the proper sharing of information in support of administrative and criminal processes.
NSIRA further identified the need for DND/CAF to empower CFNCIU to make full use of its investigative capabilities to reduce investigative durations, an issue that NSIRA found runs contrary to the sound safeguarding practices of DND/CAF information, people, and assets.
Moreover, NSIRA’s review found that CFNCIU did not adequately consider the cumulative effect of its counter-intelligence activities in relation to an investigation subject’s privacy, raising questions about the adequacy of CFNCIU’s efforts to ensure procedural fairness and prompting NSIRA to recommend that CFNCIU seek advice from the OPC. NSIRA also observed that CFNCIU’s information sharing regime was not compliant with Government of Canada policies for safeguarding information, people, and assets.
The presence of white supremacy within the Canadian military has been well documented. White supremacist groups actively seek individuals with prior military training and experience, or conversely, encourage individuals to enlist in order to gain access to specialized training, tactics and equipment. Although NSIRA acknowledges that the responsibility for addressing this threat cannot fall uniquely on the shoulders of CFNCIU, the review’s multiple findings lead to concern that CFNCIU may not be fully utilized to proactively identify white supremacists across DND/CAF. After examination of case studies and interviews with CFNCIU investigators, the review found that white supremacy poses an active counter-intelligence threat to DND/CAF, and that the CFNCIU’s mandate to proactively identify this threat is limited.
Finally, following some concerns identified in the later stages of this review, NSIRA will carry out a case study of CFNCIU computer searches and interview processes in 2021 to assess whether these activities were Charter-compliant.
DND/CAF response to NSIRA’s recommendations
DND/CAF agreed with NSIRA’s recommendations, and stated that they welcome the review report. DND/CAF agreed that action will be taken at the appropriate levels in conjunction with required expertise and offices, noting that work in this regard has commenced, and that some of NSIRA’s recommendations are already being addressed. For example, DND/CAF are working to complete a Privacy Impact Assessment of Defence Intelligence activities, and will engage the OPC for further input once this assessment is completed.
Reviews in progress
NSIRA launched a review of the Defence Intelligence Enterprise to map intelligence collection, and obtain information on the governance frameworks, authorities and structures of defence intelligence with a view towards assisting future review planning. This information was further supplemented by a corollary review of Intelligence Oversight, Review and Compliance within DND/CAF’s defence intelligence system. Although there are no findings or recommendations stemming from these inquiries, NSIRA members will receive a briefing note and presentation from NSIRA staff on key observations gained through this process. The expected completion is fall of 2021.
NSIRA has also begun to follow-up on issues identified during last year’s CFNCIU review. NSIRA’s Counter-Intelligence Operational Collection and Privacy Review will further examine CFNCIU’s practices concerning subject interview and database access to information management/information technology systems; this latter assessment will require access by NSIRA staff to DND/CAF computer networks to validate how these systems are used when conducting counter-intelligence inquiries.
NSIRA has also initiated an examination of DND/CAF’s human intelligence (HUMINT) capabilities, primarily through review of the governance of this specialized collection activity. The review will cover the evolution of HUMINT within DND/CAF, including consideration of recent internal initiatives aimed at improving governance and guidance for HUMINT. In the fall of 2021 NSIRA staff will travel to DND/CAF’s HUMINT training centre, and will conduct wide-ranging interviews of HUMINT senior leadership, trainers, and practitioners. The review will lay the foundation for a full operational review of HUMINT sources in various theatres of operation.
As a result of recent disclosures from DND/CAF through the Scoping Review of the Defence Intelligence Enterprise, NSIRA will also examine DND/CAF’s Open Source Intelligence and Medical Intelligence collection activities beginning at the end of 2021. This review will assess the governance and compliance of these activities.
COVID-19 has affected timelines and scheduling significantly, resulting in delays of up to six months. While COVID presented challenges affecting timelines and impacting review work, both DND/CAF and the National Security and Intelligence Review and Oversight Coordination Secretariat were attentive to NSIRA requests, providing access to information, people and assets when required.
Global Affairs Canada
NSIRA completed its first dedicated review of a Global Affairs Canada program. The review period was January 1, 2017 to December 31, 2019, although information from outside this period was used to conduct a full assessment of specific aspects of this program. Challenges related to COVID-19 resulted in methodological adjustments such as the use of secure video-teleconferencing in place of in-person interviews for some of the employees.
While clients of the program find it both unique and valuable to the Government of Canada, the review identified several areas of improvement. NSIRA made a number of recommendations aimed at improving this program. Global Affairs Canada has agreed to “positively address all of the recommendations” and has committed to responding to NSIRA in the near future. Due to the highly sensitive nature of this review, NSIRA will not be publishing anything further at this time.
Royal Canadian Mounted Police
In 2021, NSIRA will finish a review of a specialized RCMP intelligence unit, and it will launch a review of the RCMP’s National Security Program’s human source activities. Going forward, NSIRA plans to increase the number of reviews involving the RCMP. For example, the agency will review how the RCMP and CSIS have responded to the threat posed by ideologically motivated violent extremism.
Immigration, Refugees and Citizenship Canada
NSIRA is currently conducting a scoping review of Immigration, Refugees and Citizenship Canada in order to delineate its national security role and responsibilities. While the department has no intelligence collection programs, Immigration, Refugees and Citizenship Canada has an intricate mandate with shared legal authorities and operational responsibilities for ensuring the integrity of the immigration system and mitigating threats to national security from abroad.
Canada Border Services Agency
NSIRA has initiated its plan to conduct in-depth reviews of the most sensitive security and intelligence activities of the Canada Border Services Agency (CBSA), as identified by NSICOP: scenario-based targeting, surveillance, confidential human sources, lookouts and joint force operations. A review of air passenger targeting is currently underway, focusing on how the CBSA uses predictive analyses, including what is termed “scenario-based targeting,” to identify inbound air travellers for further scrutiny in relation to national security threats. Reviews of the CBSA’s use of confidential human sources and surveillance activities are slated for completion in 2022.
Cross departmental reviews
Avoiding complicity in mistreatment by Foreign Entities Act
On September 4, 2019, the Governor in Council issued written directions to the Deputy Heads of 12 departments and agencies under the new Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act). The Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Avoiding Complicity Act and the directions lay out a series of requirements that need to be met or implemented by departments when handling information. Under subsection 8(2.2) of the NSIRA Act, NSIRA is required to annually review implementation of all directions sent to departments and agencies.
While this was the inaugural annual review under the NSIRA Act, it builds on previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on Information Sharing with Foreign Entities is an example. NSIRA is building on this previous review and strongly supports that review’s findings and recommendations. It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period. The full 2019 review of the Avoiding Complicity Act has been redacted and released on its website.
To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Avoiding Complicity Act and the directions. The responses and associated information captured departmental activities related to the Avoiding Complicity Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions, and look closely at specific cases and departmental legal opinions to guide review findings.
While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments were employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Avoiding Complicity Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach.
Additionally, as the directives received under the Avoiding Complicity Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the departments and agencies to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, and also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Avoiding Complicity Act across the community.
Disclosure of information under the Security of Canada Information Disclosure Act
Enacted in 2019, the purpose of the Security of Canada Information Disclosure Act (SCIDA) is to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada. NSIRA has a statutory requirement to conduct an annual review of disclosures made under the SCIDA.
In 2020, NSIRA completed the 2019 Annual Report on the Disclosure of Information under the Security of Canada Information Disclosure Act. The report covers the period from when SCIDA came into force on June 21, 2019 to December 31 of that year. During the reporting period, federal institutions made 114 disclosures of information under SCIDA. The report notes that institutions made good progress in institutionalizing this new legislation. The report provides historical and contextual information on SCIDA and how it fits alongside other legal mechanisms for the sharing of information. The report also includes anonymized scenario examples of SCIDA disclosures, and criteria for future assessment. NSIRA intends to work closely with the OPC for future iterations of this report. Outcomes of NSIRA’s subsequent review of disclosures under SCIDA will be discussed in the 2020 report on the disclosure of information under this SCIDA.
Biometrics
NSIRA has advanced its commitment made last year to map the collection and use of biometrics across the government in relation to its security and intelligence activities. A horizontal review of biometrics in the border continuum is currently underway, focusing on activities conducted by the CBSA, Immigration, Refugees and Citizenship Canada and Transport Canada. The activities under review include the issuance and verification of travel documents — with an emphasis on air travel — and the screening of foreign nationals seeking admission to Canada. A subsequent review will examine the use of biometrics in security intelligence and national security related policing activities.
Conclusion
Given the ongoing pandemic and lessons emerging from current reviews, in some instances NSIRA have modified the plan put forward in NSIRA’s 2019 Annual Report. Its work on economic security, for example, benefited from a scoping exercise involving several departments to help it better understand the authorities in this area, and to help it determine whether to pursue further work on this issue. Similarly, following a scoping exercise, a decision on whether to review public health intelligence awaited considerations of the conclusions of an independent report commissioned by the Minister of Health in this area that has now been released.
Over the next year, NSIRA will continue to engage with departments and agencies through focused reviews. Some of these will be organized around broad horizontal themes that may include multiple departments, requiring a coordinated approach. NSIRA is committed to working collaboratively with departments, particularly on the establishment of an access regime that supports independent verification and accountability.
Complaints investigations
3.1 2020 challenges
The pandemic has had an adverse impact on the timely conduct of NSIRA’s investigations. As of March 2020, inevitable delays resulted from the provincial stay- at-home orders and public health guidelines that were issued. Just as NSIRA was affected by limited access to classified documents as a result, so too were the for federal government parties to investigations that are obliged to provide information to NSIRA. Consequently, in several ongoing matters, NSIRA granted adjournments and extensions of deadlines for procedural steps, including the filing of submissions and evidentiary material. While this was regrettable, NSIRA adapted to the challenging circumstances of the pandemic as best as possible and advanced investigative procedures in an innovative manner whenever possible, such as conducting some proceedings in writing and holding case management conferences and meetings virtually.
Despite the procedural setbacks in 2020, NSIRA was able to complete one complaint investigation and issue a final report. NSIRA also issued formal decisions to close three other files. In addition, it succeeded in completing a complex process reform initiative that will see the modernization and streamlining of the investigative process.
3.2 Complaints investigation process: Reform and next steps
While the pandemic affected complaints investigations, NSIRA made considerable progress on reforming the processes governing such investigations. In the course of the year, NSIRA undertook a process reform initiative to modernize the complaints investigation model to meet its goal of ensuring efficiency and transparency. Two priorities guided the modernization of the process, namely, access to justice for self-represented complainants and the creation of streamlined and less formal procedural steps.
NSIRA created new Rules of Procedures to reflect this new model and completed an extensive consultation exercise with stakeholders in the public and private sectors to achieve the most effective and considered final product. These new Rules of Procedure have been in effect since July 2021.
NSIRA also implemented a new policy statement that provides a commitment to the public to increase transparency in its investigations by publishing redacted and de- personalized complaints investigation reports.
In the year ahead, NSIRA will update its website to include improved procedural guidance to inform members of the public on how to make complaints and navigate the investigative process. Part of the update to NSIRA’s website will involve implementing a secure portal for the online filing of complaints and for protected communications to assist in effectively managing NSIRA’s complaints case load.
In the future, NSIRA also plans on conducting a trend analysis for complaints, which will involve a broad initiative to appropriately collect race-based and other demographic information. The objectives of this initiative are to improve access to justice by improving awareness and understanding of the investigation process. The overall aim is to document the different groups among civilian complainants and identify the frequency of complaints that include allegations of racial or other forms of bias, and to determine whether there are disparities; whether there are differences with respect to the types of complaints made against national security and intelligence organizations based on different groups; whether complaints investigation outcomes vary by group; and whether civilian satisfaction with NSIRA’s investigation process varies by group.
NSIRA’s investigation case load: The year ahead
On concluding efforts to case manage NSIRA’s ongoing investigations in the context of the challenges presented by the pandemic in 2020, NSIRA will look ahead to the coming year with a reformed investigation process that will assist in implementing modern and fair procedures to advance these cases, complemented by an improved website that will promote access and transparency in the investigations process.
NSIRA will also see a substantial increase in its caseload in 2021 as a result of close to 60 new investigations added to its existing inventory. These complaints were referred to NSIRA in April 2021 by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act. This high-volume caseload will significantly challenge NSIRA’s case management. NSIRA will be implementing procedural efficiencies as much as possible while meeting procedural fairness requirements.
3.3 2020 complaints
Summary of final report
Allegations against CSIS’s role in cancellation/denial of site access clearance
Background
The Complainant filed a complaint against CSIS requesting an investigation of CSIS’s role or involvement in the cancellation and/or denial of site access screening requests for employment with a private company at a government building.
Allegation
The Complainant alleged CSIS improperly used information collected and made an improper inference of a security threat which led to the denial of a site access clearance.
Investigation
NSIRA considered the evidence given by summoned witnesses, the documentation submitted by the parties as well as other relevant material made available during the course of the investigation of the complaint, including classified documents disclosed to NSIRA by CSIS. NSIRA also heard evidence provided by the Complainant.
Sections 13 and 15 of the CSIS Act give CSIS the authority to provide security assessments to departments of the Government of Canada and to conduct investigations as required. CSIS receives applications from government departments for persons seeking a security clearance or site access clearance and their role is defined in section 2 of the CSIS Act. CSIS presented evidence on the steps that are followed in CSIS’s process, the Treasury Board Secretariat’s Standard on Security Screening, and the fact that the client department decides whether to grant a clearance. As such, CSIS only provides background information and an assessment from a national security perspective so that government departments have the information it needs to make an informed decision.
NSIRA also heard evidence from CSIS with respect to some information shared with the client department that requested the site access clearance and how it pertained to both reliability and loyalty. CSIS acknowledged that some information shared with the client department took place in an informal setting and that it should not have occurred in such way. It was noted that after open source information was shared, the client department cancelled its request and CSIS closed its file.
The Complainant expressed a belief that CSIS was responsible for denying his application for a site access clearance.
NSIRA acknowledged the Complainant’s perception that CSIS denied his request for a site access clearance, but the evidence demonstrated that CSIS did not make the decision. The decision was made by the government department and CSIS had no further involvement in the matter.
Findings
NSIRA found that:
CSIS did not improperly use the open source information that was shared;
CSIS acknowledges that the sharing of information would not have been approved by management; and
CSIS did not deny the Complainant’s request for a site access clearance, but rather it was the government department that made the decision to cancel the request.
Conclusion
NSIRA determined that the complaint is unsupported.
Summaries of complaints deemed abandoned
Allegations against CSIS for sharing information with foreign authorities and impact on border crossing
The Complainant filed a complaint against CSIS about the sharing of information with foreign authorities that led to having difficulty with border crossings. NSIRA commenced its investigation and had an informal case management conference with the parties for the purposes of resolving the complaint. As a result of this resolution meeting, the Complainant undertook to take steps to resolve any ongoing issues. NSIRA attempted to communicate with the Complainant on several occasions to determine whether the ongoing issues were resolved. NSIRA determined that reasonable attempts had been made to communicate with the Complainant and issued reasons deeming the complaint abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.
Allegations against CSIS’s role in delaying security assessment regarding a permanent residency application
The Complainant filed a complaint against CSIS alleging that it caused a significant delay in submitting the security assessment for a permanent residency application. During the investigation, NSIRA attempted to communicate with the Complainant on several occasions regarding the possibility of engaging in informal resolution discussions with CSIS. NSIRA determined that reasonable attempts had been made to communicate with the Complainant and issued reasons deeming that the complaint had been abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.
Allegations against the RCMP for improper conduct during arrest
This complaint was referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP, pursuant to subsection 45.53(4.1) of the RCMP Act. The complaint alleged that members of the Royal Canadian Mounted Police (RCMP) failed to inform the Complainant of the Complainant’s rights and obligations during an interaction that occurred the day before an arrest for a terrorism hoax and public mischief, use of excessive force and other allegations. During the course of launching its investigation, NSIRA attempted to establish contact with the Complainant on several occasions. NSIRA found that reasonable attempts had been made to communicate with the Complainant and had exhausted all options. Accordingly, NSIRA issued reasons deeming the complaint had been abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.
Conclusion
In 2020, NSIRA’s teams worked under exigent conditions and yet were able to outperform. NSIRA is grateful to them for having conducted the reviews in an efficient manner. As mentioned in this annual report, NSIRA have ambitious plans for ongoing and future work, all while continuing to grow its own capacity and to strengthen its relationships with the departments and agencies under its review. In 2020, NSIRA’s staff complement grew from 30 to 58 individuals, its CSE Review Team began operations in offices on site at CSE, and NSIRA neared completion of a new facility for staff, all while carefully and responsibly adapting to the challenges of the pandemic.
In the spirit of coordinating and complementing other review and oversight entities, NSIRA continued to strengthen its relationships with various counterparts, including the Five Eyes Intelligence Oversight and Review Council, the National Security and Intelligence Committee of Parliamentarians, and the Office of the Privacy Commissioner of Canada. NSIRA also remains dedicated to robust and mutually- beneficial engagement with non-governmental stakeholders. NSIRA hopes both to raise awareness of its mandate amongst various communities — including students — as well as to receive input to help us further its work and refine its agenda. NSIRA strongly encourages feedback and input and hopes you found this report useful and helpful. No matter your background, please reach out to us and share your thoughts about this report, as well as NSIRA’s review and complaints work.
NSIRA is very grateful for the perseverance, diligence, and passion of its staff for continuing to produce meaningful work and achieve important results despite the challenges of the pandemic in 2020. As NSIRA grows as an organization, including in staff numbers, it looks forward to continuing to promote accountability in the Canadian security and intelligence community.
The report focuses on NSIRA’s initial review work from July 2019 through December 2019, and also includes discussion of previously unreleased reviews by predecessor organizations, namely the Security Intelligence Review Committee (SIRC) and the Office of the Communications Security Establishment Commissioner (OCSEC). We discuss Canada’s complex, interwoven approach to national security through the cross-cutting themes of intelligence collection, safeguarding, information sharing, and intelligence informed actions. Highlights include:
Legal issues regarding new technologies;
Ongoing concerns related to the duty of candour owed by CSIS to the Federal Court;
Issues concerning CSIS’s use of the polygraph;
CSE privacy protection practices; and,
Inconsistent approaches to how Canada avoids mistreatment when sharing information abroad.
NSIRA’s mandate also brings together the investigation of complaints related to national security made by members of the public. The report describes issues related to complaints from 2019, emphasizing our commitment to modernizing the complaints investigation process to ensure greater timeliness and accessibility. We also raise concerns concerning gaps in the current legal framework for “whistleblowing as it relates to the national security community.”
Our annual report discusses our organization’s underlining values, particularly our desire to be more accessible in our work, reach a broader audience, and have our review priorities and complaints process informed by engaging communities who feel they are affected by national security and intelligence activities.
“We hope that our annual report will both inform Canadians as to how their national security agencies protect us and give them confidence that strong accountability and transparency mechanisms are in place and working as intended. We look forward to engaging Canadians on the report’s findings.”
–The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. (NSIRA Interim Chair)—
On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our first annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2019, as well as our findings and recommendations. Pursuant to transitional provisions 12(1) and 12(2) of the National Security Act, 2017, this report also includes information that our predecessor organizations, the Security Intelligence Review Committee and the Office of the Communications Security Establishment Commissioner, had not yet reported on publicly.
In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with the deputy heads concerned in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitor-client privilege or the professional secrecy of advocates and notaries or to litigation privilege.
Yours sincerely,
The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. Acting Chair National Security and Intelligence Review Agency
Committee message
We are proud to present the first annual report of the National Security and Intelligence Review Agency (NSIRA) for work undertaken in 2019. Our enabling legislation requires us to present a report to Parliament each year with respect to our activities during the previous calendar year, including any reviews not yet made public by our predecessor organizations, the Security Intelligence Review Committee, and the Office of the Communications Security Establishment Commissioner. In doing so, our report discusses our activities within a framework that addresses the complex, multi-agency and interwoven approach to national security that exists in Canada.
We are primarily a retrospective body, meaning we generally look at activities that have already taken place and make conclusions regarding their compliance with the law and ministerial direction. We also examine the reasonableness and necessity of a department’s exercise of its powers. We are very conscious of the need for timely access to our findings by parliamentarians and all Canadians. NSIRA is committed to releasing redacted reviews as soon as possible after they are provided to the appropriate minister(s). We hope that our annual report will be a mechanism to reflect on broader trends and themes that cut across the full range of our work. We feel strongly that this approach is embedded in our mandate, and is supported by the government’s own push for greater transparency in national security.
Openness also means deepening the dialogue with Canadians on national security. We have broadened our exposure to a diverse set of viewpoints to ensure our review plan reflects the concerns and priorities of all Canadians. This is particularly important in the context of anti-racism movements that are taking place around the world. We hope that engagement with diverse communities will help our organization learn about how we can best contribute to the fight against racism and discrimination in the national security and intelligence field. Engagement with Canadian experts, with cultural communities and with civil society has already begun as we build our social media presence and our capacity to organize videoconferences and in-person meetings. We have met several stakeholders in Ottawa, Victoria, Toronto and Calgary — and more activities are planned in the year ahead. Internationally, we work with and share our experiences with parallel review bodies as a member of the Five Eyes Intelligence Oversight and Review Council, which is made up of our partners in Australia, New Zealand, the United Kingdom and the United States.
We are mindful of the need to avoid overlap with other review bodies and to make the best use of resources within the national security community that are in place to facilitate our work. We know that for many departments and agencies, external review is a new endeavour that will take time to adjust to. We are very pleased with the level of cooperation and support we are seeing. We have developed and shared our three-year review plan, which we hope will clarify our work priorities and give the organizations that we will be reviewing time to adjust and prepare. Our legislation is unequivocal as to our access to information: we are entitled to timely access to anything that is in the possession or under the control of a department in relation to our reviews (except only Cabinet confidences). The integrity of our work demands this access. Our public reports will accordingly record any shortcomings in this regard. To avoid duplication and to enhance the quality of Canada’s system of national security accountability, we are committed to cooperating with other oversight and review bodies, including the Intelligence Commissioner’s Office, the National Security and Intelligence Committee of Parliamentarians, the Office of the Privacy Commissioner of Canada (OPC), the Civilian Review and Complaints Commission for the RCMP and the Office of the Auditor General of Canada.
NSIRA also brings together under one roof the investigation of complaints related to national security that are made by members of the public. We have a mandate to investigate complaints into the activities of the Canadian Security Intelligence Service, the Communications Security Establishment and national security-related activities of the Royal Canadian Mounted Police. Additionally, we can investigate complaints arising from an individual whose security clearance is denied or revoked, as well as referrals from the Canadian Human Rights Commission and certain matters under the Citizenship Act. We are confident that this consolidation of complaints investigations will help to ensure that Canadians’ national security-related grievances can be addressed with the greatest degree of consistency, quality and timeliness possible. A particular task we are undertaking over the next year is to improve the efficiency of the complaints process.
We would be remiss if we did not address the unique and challenging environment facing us all at this moment. The COVID-19 pandemic has had far-reaching consequences the world over that we are perhaps only beginning to understand. Throughout much of 2020, NSIRA staff have been working from home, with minimal access to the office and, therefore, minimal access to classified physical and electronic documents that must be kept within a secure space. We are very proud of the extraordinary work of our staff, who have kept momentum alive during this difficult period, and who continue to put measures in place to enhance our organizational adaptability. We also expect that organizations that are subject to our review and complaints investigations will continue to allocate personnel to these vital functions, and continue to prioritize national security accountability as they too adjust to an ever-changing situation.
At this time, we would like to express our gratitude to three NSIRA members whose terms concluded this year: the Honourable Pierre Blais, the Honourable L. Yves Fortier, and Murray Rankin, NSIRA’s first Chair. Their collegiality and leadership during a time of transition were greatly appreciated, and their contributions to national security accountability in Canada continue to be deeply felt.
We are honoured to have been chosen to be the first members of NSIRA. We are committed to providing meaningful findings and recommendations on the extent to which Canada’s national security community is complying with the law and on the necessity and reasonableness of its actions. We look forward to the challenge facing us in this increasingly complex environment.
The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. (Acting Chair) The Honourable Marie Deschamps, C.C. Professor Craig Forcese The Honourable Marie-Lucie Morin, P.C., C.M. The Honourable Pierre Blais, P.C. (Member until May 2020) The Honourable L. Yves Fortier, P.C., C.C., O.Q., Q.C. (Member until October 2020) Murray Rankin, Q.C. (Member and Chair until September 2020)
Executive summary
Information pertaining to the transition from the Security Intelligence Review Committee (SIRC) to the National Security and Intelligence Review Agency (NSIRA), corporate milestones, organizational values and objectives, and other relevant elements, are briefly described in the introduction, and are supplemented with more detailed material in various annexes as well as on NSIRA’s website.
Review findings and themes discussed in this report reflect NSIRA’s work over the first several months of our mandate, beginning in July 2019. They also build on work done by SIRC and the Office of the Communications Security Establishment Commissioner (OCSEC), including reviews that these organizations had not yet released prior to the establishment of NSIRA. Summaries of these reviews are found in Annexes A and B. We discuss findings and themes in this report according to the “information continuum”: collection, safeguarding, sharing and action.
A key challenge for departments and agencies in Canada is to ensure that their use of new technology conforms to privacy laws and respects Canadians’ rights under the Canadian Charter of Rights and Freedoms (the Charter). NSIRA is aware of instances where an agency used technology in ways that exceeded legal authorities. Notably, one of NSIRA’s first reviews concerned the Canadian Security Intelligence Service’s (CSIS) use of publicly available geolocation data. NSIRA concluded that CSIS’s use of this data without a warrant risked breaching section 8 of the Charter, which protects against unreasonable search and seizure. NSIRA submitted a report under section 35 of the NSIRA Act, to the Minister of Public Safety and Emergency Preparedness regarding the possible unlawful activity.
The report provides an overview of some longstanding issues with regard to the failure of CSIS to meet its duty of candour to the Federal Court, most recently in relation to its human source activities. Specifically, CSIS did not inform the Court that CSIS’s warrant applications were based on intelligence that had likely been collected by illegal means. The Court also observed failings with regard to the Department of Justice’s role in the situation. In response, the Government referred the matter to NSIRA for review under paragraph 8(1)(c) of the NSIRA Act. Over the next year, NSIRA will dedicate significant resources to a review stemming from this Federal Court decision.
NSIRA has prioritized safeguarding (i.e., how the government protects people, information and assets) as a review theme we will examine on a yearly basis. In our first year, NSIRA completed one safeguarding review of CSIS, and commenced another within the Department of National Defence (DND). Of note, our observations with regard to the polygraph (i.e., “lie detector test”) during the security clearance process, highlight a number of shortcomings, including:
CSIS was unable to justify the capacity of examiners — who are not medical practitioners — to ask medical-related questions of the examinees.
There were unequal outcomes or consequences for polygraph exams conducted on external applicants to CSIS vs. current employees.
This finding raises broader issues. Although the Treasury Board Secretariat (TBS) Standard on Security Screening, created in 2014, cites the use of the polygraph as an appropriate tool for assessing candidates seeking an Enhanced Top Secret clearance, TBS was unable to provide any policy rationale for the use of this tool. NSIRA brought a number of shortcomings to the attention of TBS. The standard is currently under internal review at TBS, and we are awaiting the results.
NSIRA made several findings and corresponding recommendations for the Communications Security Establishment (CSE) to improve its documentation, mitigation and privacy protection practices in relation to its Privacy Incidents File.
In 2019, NSIRA launched our first interagency review, an assessment of the implementation of the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities by: the Canada Border Services Agency, CSE, CSIS, DND, Global Affairs Canada, and the Royal Canadian Mounted Police. NSIRA found significant variation among the six departments and agencies in terms of their success in implementing the 2017 ministerial direction. While some departments or agencies, such as CSIS and CSE, had fairly advanced procedures for implementing the ministerial direction, the review highlighted some shortcomings. Some departments and agencies face challenges in operationalizing this direction. Some also face challenges in establishing decision-making mechanisms that are independent from the operational front line in cases where there is a risk of mistreatment. One of the key issues that NSIRA’s review identified was the inconsistent application of the “substantial risk of mistreatment” threshold across departments – under the 2017 directions and their successors, sharing is prohibited where there is a “substantial risk of mistreatment of an individual by a foreign entity”. How departments and agencies assess this standard will be a future area of inquiry.
In 2020–21, NSIRA is modernizing the process for addressing complaints. Our goal will not change: to provide a just and efficient investigation and resolution of complaints. Two priorities will guide the modernization: access to justice for self-represented complainants, and the need for a broader spectrum of tools to streamline the resolution of complaints.
In previous correspondence to the Attorney General, NSIRA identified legislative gaps related to whistleblower protections in Canada’s national security community and the corresponding negative implications resulting from these gaps. In the interim, NSIRA will be implementing internal procedures to address concerns brought forward by members of the security and intelligence community.
In 2019, NSIRA launched a series of public engagements to increase awareness of our new organization, expand our network, and deepen our understanding of Canadians’ concerns relating to national security and intelligence activities. Over the coming year NSIRA intends to continue our outreach and engagement program, with a focus on four key areas: expanding our network to help us address issues related to new and emerging technologies (including artificial intelligence); broadening our dialogue with stakeholders to inform NSIRA’s future review priorities; building new relationships with community groups, in an effort to demystify the complaints investigation process; and scaling up recruitment efforts to ensure NSIRA continues to build an elite workforce with a diverse set of skills and backgrounds.
To enhance transparency, NSIRA also intends to proactively redact and release future NSIRA reports as they are approved throughout the year, rather than waiting for the release of our annual report to disclose our findings and recommendations. The organization is working with departments and agencies to ensure that this new approach is as timely and efficient as possible, and both protects vital national security and intelligence information, and provides the public with as much insight as possible into the results of NSIRA’s reviews.
Introduction
01. The National Security and Intelligence Review Agency (NSIRA) began operations July 12, 2019, as part of the transformation of Canada’s national security accountability framework. As a result, this inaugural annual report covers only a six-month period, from July to the end of the 2019 calendar year. During that time and continuing into 2020, NSIRA did a great deal of work to ensure the successful transition from the Security Intelligence Review Committee (SIRC), to a larger organization with a much broader mandate.
02. Because the NSIRA website provides detailed information relating to NSIRA’s mandate, the types of reviews undertaken, the process and lifecycle of a review, and the complaints investigation process, this report does not discuss these topics.
03. Instead, it focuses on NSIRA’s initial work on reviews, our complaints investigations, and our public engagement and transparency efforts. The emphasis on analysis of recent findings and trends in review draws on previously unreleased SIRC and Office of the Communications Security Establishment Commissioner reviews going back to 2018 and 2019, respectively, as well as NSIRA reviews completed in the first several months of operation. Summaries of these individual reports are available in Annexes A and B.
04. Part 1 outlines our organizational values and NSIRA’s approach to building a new institution.
05. Part 2 provides detailed analysis of themes that cut across many of these reviews, drawing linkages and establishing a platform for future work.
06. Part 3 deals with our complaints investigations and briefly discusses themes from 2019 and priorities for the year ahead, with an emphasis on modernizing the complaints investigation process to ensure greater timeliness and accessibility. Summaries and statistics relating to complaints investigations are available in Annexes C and D.
07. Part 4 outlines NSIRA’s efforts and our vision in addressing engagement and transparency, which are key priorities for the organization.
08. Key accomplishments and ongoing priorities with respect to NSIRA’s corporate services, including measures taken to adapt to an expanded mandate, are detailed in Annex E.
09. This is NSIRA’s first annual report, and we have structured it in a way that aims to be useful and engaging for the reader, while it serves its intended function, namely, to make an important contribution to Canadians’ dialogue on national security and intelligence issues. We are interested in feedback on how to make it as helpful and accessible as possible in achieving this aim.
Part 1: Institution building
10. The creation of NSIRA, following the proclamation of the National Security Act, 2017, represented a considerable step forward in the development of national security and intelligence accountability in Canada. Over the past two decades, national security and intelligence operations have become increasingly interconnected within the Government of Canada. This resulted in a number of departments and agencies that had not traditionally been part of the security and intelligence community now playing key roles in this area. However, review bodies’ powers did not evolve with the changing national security and intelligence landscape, and their ability to review agencies and make contributions remained compartmentalized.
11. NSIRA’s creation remedies these long-standing gaps in Canada’s national security architecture and significantly strengthens the framework for national security accountability. NSIRA has taken over the mandates of our predecessors to review the operations of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), respectively, but we also have an additional and novel mandate to review any activity in the federal government that relates to national security or intelligence. Alongside this expanded mandate, NSIRA has unfettered access to classified information in the possession or under the control of any department or agency (except Cabinet confidences). This allows NSIRA to break down the previously compartmentalized approach to review and accountability, and replace it with horizontal, in-depth interagency review. As such, Canada now has one of the world’s most extensive systems for independent review of national security in the world.
12. Since July 2019, the NSIRA Secretariat has focused on ensuring a successful and effective transition to a much larger organization with a much broader mandate. This included emphasis on the following: securing new accommodations; effective staffing and knowledge development; establishing strong working relationships with departments and agencies, as well as other Canadian review bodies; and delivering on our mandatory reporting requirements. NSIRA absorbed a staff complement from the Security Intelligence Review Committee (SIRC), who had expertise in review and complaints investigation related to CSIS. Sustained effort to recruit staff and build knowledge of the broader security and intelligence community will continue in the year ahead.
Review
13. In the early months of our mandate, NSIRA developed a three-year review plan. This plan will help develop a systematic approach to deciding what to review and how to set priorities. Besides helping to guide resource allocation and staffing decisions in the medium term, the review plan provides clarity to the departments and agencies we review and prevents overlap with other review bodies.
14. Part of the challenge inherent in NSIRA’s mandate is thinking differently about how to organize and undertake reviews. The interagency mandate allows for reviews to be planned and undertaken in a horizontal manner, involving several departments and agencies from the start. Similarly, NSIRA is also working in a horizontal manner internally, to incorporate legal and technical experts into reviews more systematically, so that considerations in these areas are built into reviews from the start.
15. Within this plan, in-depth review of CSIS and CSE remain organizational priorities. NSIRA is also developing foundational knowledge of national security and intelligence activities conducted in federal government institutions that have not traditionally been subject to review. Through a series of increasingly complex and in-depth reviews conducted over the upcoming years, NSIRA will seek to provide a holistic and detailed picture of activities, programs or key themes in the national security and intelligence community.
16. When conducting reviews, whether simple scoping exercises or more complex projects, NSIRA considers a number of elements to develop conclusions, findings and recommendations. These include the lawfulness, compliance with directives and policies, reasonableness, necessity, and proportionality of security and intelligence activities. These considerations help NSIRA ensure that Canadians are confident that national security and intelligence activities undertaken by the Government of Canada are thoroughly reviewed and assessed.
Complaints investigations
17. In addition to NSIRA’s review mandate, the organization has the responsibility to investigate national security-related complaints. This includes hearing complaints from the public regarding actions taken by CSIS and CSE, national security-related complaints regarding the Royal Canadian Mounted Police (RCMP), and complaints related to the revocation or denial of security clearances.
18. NSIRA acknowledges that the complaints investigation framework inherited from SIRC has been far too slow and too complex. An analysis of the number of complaints filed annually and the number outside NSIRA’s jurisdiction to investigate also reveals a clear knowledge gap with respect to NSIRA’s role in this regard. For these reasons, NSIRA has begun to reform the complaints process, including increasing access, timeliness and accountability.
NSIRA’s values
19. NSIRA inherited a number of values, practices and expertise from the review agencies that came before. Nonetheless, NSIRA is dedicated to undertaking our work in a new way — one that emphasizes outreach, engagement and transparency. As such, NSIRA has begun a comprehensive program of engagement with civil society, community groups, academics and others, based on a number of objectives including but not limited to:
informing NSIRA’s review plan;
raising awareness of and demystifying the complaints investigation process;
leveraging and creating communities of interest on key issues (for instance, on artificial intelligence); and
recruiting talented Canadians.
20. The new organization wants to break with previous practices that resulted in findings and recommendations being publicly reported only once per year. To increase transparency, NSIRA is committed to the release of unclassified versions of reviews as they become available after redaction and translation. By making our reviews available to the public, NSIRA hopes to increase transparency and accountability, and to open the door to extensive discussions and debate in the public sphere. Consequently, a priority is to draft reports that avoid classified information because the intent is to release them; this “write to release” approach will facilitate the redaction process, where necessary, and ensure more timely and effective release of information.
21. NSIRA is committed to:
openness and transparency, in an effort to better connect with Canadians;
methodological excellence to ensure the quality of our work; and
forward thinking and innovation, including how we consider the impacts of new technology and an ever-changing national security environment.
22. To achieve our numerous and complex objectives, NSIRA relies on a skilled and experienced workforce. As the organization grows, NSIRA will continue to recruit talented candidates that reflect Canada’s diverse and inclusive nature.
23. NSIRA understands the importance of organizational health and wellness as fundamental to success. The organization wishes to be an employer of choice that promotes and provides a healthy work environment. Although the COVID-19 pandemic has raised unprecedented challenges, NSIRA remains focused on further adapting to the sweeping changes brought by the pandemic. Ensuring the physical and mental health and wellness of our staff remains a cornerstone of the organization’s strategy as we develop creative ways to maintain effectiveness and efficiency while working in a distributed manner.
24. In addition to maintaining a broad expertise within the organization, NSIRA has been focusing on building a strong network of partnerships to help define our research priorities and deliver on our mandate. NSIRA has been working with other organizations within the Canadian review and accountability system, such as the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the Office of the Privacy Commissioner of Canada (OPC), on issues of common interest to maximize both the effectiveness and efficiency of national security review agencies, while limiting duplication of efforts.
25. NSIRA made a great deal of progress in all aspects of our mandate throughout the first few months of operation in 2019. Many ambitious projects are under way for the year ahead, in order to progress on building an institution that is fit to play a broad and constructive role in Canada’s system for national security accountability.
Part 2: Review
Section I — The information continuum
This part outlines NSIRA’s framework for discussing findings and trends in review, and provides detailed analysis according to the four categories within this framework. This part does not go into detail about review methodology and prioritization. In short, as we expand our knowledge base of national security and intelligence activities across the Government of Canada, NSIRA aims to undertake increasingly complex reviews over the next three years.
27. Members of NSIRA are planning to proactively redact and publicly release full reviews, along with unclassified executive summaries, as they are approved and translated, rather than having to wait for the annual report to showcase the organization’s review work. This new practice opens up opportunities for the annual report to discuss and dissect lessons learned throughout the year in new and interesting ways. Rather than discussing the findings and recommendations of each review individually (or vertically), as had been done in the Security Intelligence Review Committee (SIRC) and Office of the Communications Security Establishment Commissioner (OCSEC) annual reports, NSIRA will focus on the entire body of work horizontally, and ask what broad lessons, trends or themes emerge. NSIRA believes that this will allow for a more comprehensive analysis of findings and will help to develop more holistic and interconnected review planning.
28. The following discussion is organized according to what NSIRA calls the “information continuum.” This continuum is meant to reflect the lifecycle of information, from how it is collected and safeguarded, to how it is shared and, ultimately, how it is used to inform real-world actions undertaken for national security or intelligence purposes.
29. NSIRA acknowledges that the information continuum differs from the national security and intelligence information cycle. The continuum is not a unidirectional process, and all concepts mentioned in it are intertwined. However, we hope that presenting our findings within this framework will facilitate a reader’s understanding of key themes and priorities within the national security and intelligence environment. Future annual reports might adopt a different structure depending on the recommendations NSIRA receives and the information we wish to communicate.
Section II — Collection
30. Collection is the first step in the information continuum described in this report. It refers to all forms of information gathering by the Government of Canada’s departments and agencies that relates to national security or intelligence. It covers information that is gathered directly by these federal institutions, in Canada and abroad, as well as information received from other federal entities and other orders of government, such as information from provincial or municipal law enforcement. The receipt of information from foreign entities is also a form of collection, but given the special human rights considerations governing such activity, this report discusses this topic in the section on information sharing.
31. Departments and agencies collect information using a range of techniques. Some recruit human sources to collect information on the agency’s behalf. Others intercept telecommunications through a variety of technical means, such as wiretaps. Telecommunications, in this context, refers to both the gathering of communications content (e.g., intercepting a voice conversation or email) and metadata (e.g., telecommunications subscriber information or information related to Internet connections). Importantly, collection here refers to information that is gathered by Government of Canada institutions both covertly and overtly, and includes publicly available information. The distinction between what is publicly available and what is not has been controversial, and it is a subject that NSIRA will review in the future. Often, the information collected relates only to one person or a handful of people; in other instances, departments and agencies collect data in bulk.
32. Obviously, the collection of certain information by departments and agencies can intrude into the private affairs of Canadians. Indeed, of the many types of national security and intelligence activities that NSIRA is mandated to review, collection is the area with the most potential to impinge on the privacy rights of Canadians. Nonetheless, Canadians expect their private lives, communications and online activities to remain free from state surveillance unless the intrusion complies with the law (including, where required, pre-authorization by an independent judicial officer), and that the collection is reasonable, and goes no further than necessary to achieve a legitimate goal, such as the investigation of a criminal offence or the investigation of a threat to the security of Canada. For these reasons, scrutinizing the government’s collection of information will be a permanent area of focus for NSIRA.
Legal frameworks
33. The legal frameworks governing information collection by government departments and agencies are complex, and vary from department to department, and agency to agency. There are a few overarching principles, however. In simple terms, all departments and agencies are subject to the Canadian Charter of Rights and Freedoms (the Charter) and must ensure that their collection of information is “reasonable” under section 8 of the Charter, which protects against “unreasonable search and seizure” of their persons, property and information. This means that where state action intrudes on a person’s reasonable expectation of privacy, the search must generally be pre-authorized by an independent judicial officer — typically a judge issuing a warrant. In limited circumstances, however, warrantless collection of information in which a person has a reasonable expectation of privacy is permissible, so long as it is authorized by a law that is considered reasonable in striking an appropriate balance between privacy and the state interest being pursued, and the search is conducted reasonably.
34. In Canada, the police and other peace officers seek a number of different authorizations permitting intrusive searches and seizures that implicate a person’s reasonable expectation of privacy. These “lawful access” authorizations include search warrants, production orders to obtain documents or records, and warrants authorizing the interception of private communications. The Canadian Security Intelligence Service (CSIS) can seek warrants from the Federal Court authorizing the interception of any communication or the obtaining of any information, record, document or thing. The procedures followed for obtaining these authorizations vary depending on the statute governing the agency seeking it, and also depend on the search’s intrusiveness. The Communications Security Establishment (CSE), for its part, collects information outside of Canada in accordance with its various mandates related to foreign intelligence and cybersecurity. Where those collection activities might otherwise contravene an act of Parliament or interfere with the reasonable expectation of privacy of a Canadian or any person in Canada, CSE must obtain ministerial authorizations from the Minister of National Defence. Before they come into effect, CSE’s ministerial authorizations under its foreign intelligence mandate and its cybersecurity and information assurance mandate must be approved by the Intelligence Commissioner, who is a retired judge.
35. Regardless of the sensitivity of the information being collected, a department or agency must have a legal authority to collect it. Departments and agencies receive such legal authority from their enabling statutes (for example, the CSIS Act for CSIS; the CSE Act for CSE), as well as from common law powers, especially for the RCMP.
36. These statutes also set important limits, often by spelling out what information departments are permitted to collect, when and to what extent. For instance, CSE is prohibited from directing its collection against Canadians or persons in Canada. But it is not always possible to know in advance which information involves Canadians and which does not. As a result, CSE may sometimes collect information relating to Canadians and persons in Canada incidentally — that is, without deliberately seeking it. CSE must handle this information in accordance with the CSE Act and the ministerial authorizations that it has received from the Minister of National Defence.
Ministerial direction and policy
37. The collection of information by the Government of Canada is guided not only by the law, but also by a range of ministerial directions and internal policies. Ministerial direction represents the formal guidance issued by a minister to a department or agency. Though not a statutory instrument, a ministerial direction has a more robust legal status than mere departmental internal policy, and often serves to set out a minister’s expectations regarding how a department should function, and how it should interpret its legal powers. These directions are used, for example, to implement the Government of Canada’s Intelligence Priorities, which are periodically approved by Cabinet. The Intelligence Priorities set out those areas that the Government of Canada has identified as requiring the greatest need for information. Ministers then direct departments to allocate collection resources accordingly, although they must always remain within the scope of their legal collection mandates. When NSIRA reviews a collection activity related to national security or intelligence, we review not just compliance with the law, but also compliance with ministerial direction and internal policy.
Collection challenges
Technology and privacy
38. Criminals and those who pose a threat to national security are constantly adopting the latest technologies to shield their activities from scrutiny. This places pressure on investigative agencies, in Canada and abroad, to maintain their capacity to collect usable information. As a result, Canada’s national security and intelligence agencies must employ new technologies quickly to circumvent or get ahead of the capabilities of their subjects of investigation.
39. Unfortunately, many new technologies can be used in ways that erode privacy. The rise of the Internet and mobile communications means that individuals now generate far more information and metadata about themselves than in the past. At the same time, intelligence collectors are facing a progressive loss of direct access to private communications stemming from the increasing ubiquity of strong encryption. In part for these reasons, there has been heightened interest worldwide in the bulk collection of information and metadata in recent decades. This raw material is then sifted and analyzed to glean insights and patterns. For example, use of smartphones leaves digital traces that, particularly when assembled or later identified, can reveal contacts, patterns of movement and other intimate details. A key difference between bulk collection and more traditional techniques, such as wiretaps, is that the vast majority of the information collected relates to ordinary citizens who are not subjects of investigation. The risks that such techniques pose for personal privacy are clear.
40. A major challenge for departments and agencies in Canada is to ensure that their use of new technology conforms to privacy laws and respects Charter rights. Generally, this requires departments and agencies to engage the federal Department of Justice to obtain advice on the legal parameters that govern the use of the technology, and then to put in place a strong policy framework and obtain the necessary authorizations before beginning to use a new technology. Often this is exactly what happens. But NSIRA is also aware of instances where technology was used in ways that exceeded legal authorities. These are described below. Some of these examples are drawn from NSIRA’s reviews to date, while others are drawn from SIRC’s history of reviewing CSIS.
41. On a few occasions in recent years, CSIS used new collection techniques without first fully understanding and addressing their legal and policy implications. In these cases, legal and policy work lagged behind the operational imperative to maintain and improve collection capabilities. This risked — and at times compromised — the lawfulness of the collection activity and the privacy of Canadians. The first example is from an NSIRA review:
a) Geolocation: One of NSIRA’s first reviews concerned CSIS’s use of publicly available geolocation data. This review raised pressing questions regarding the use of data that is publicly available, but that nevertheless engages a person’s reasonable expectation of privacy. NSIRA concluded that CSIS’s use of this data without a warrant risked breaching section 8 of the Charter, which protects against unreasonable search and seizure. NSIRA’s review examined the decision-making process that led CSIS to use this data without a warrant, and found that CSIS lacked the policies or procedures to ensure that before the data was used CSIS sought legal advice to avoid unlawful use of the data. On March 16, 2020, we submitted a report under section 35 of the NSIRA Act to the Minister of Public Safety and Emergency Preparedness describing the possible unlawful activity. Under section 35, NSIRA must refer to the relevant minister any national security or intelligence activity that might not be in compliance with the law. The minister is then required to forward the report to the Attorney General.
42. Other examples can be drawn from the period before NSIRA was created, which were reported by the former review bodies, SIRC and OCSEC:
a) CSIS metadata: A 2014 SIRC review assessed whether CSIS’s collection, use and retention of metadata collected under the authority of a Federal Court warrant was carried out lawfully and appropriately. At the time, CSIS warrants required any communications or metadata collected incidentally (i.e., not related to the subjects of the warrant) to be destroyed, unless certain conditions were met, including if there were reasonable grounds to believe that the information “may assist” in the investigation of a threat to the security of Canada. CSIS concluded that the words “may assist” established a low threshold, and accordingly retained and used the metadata, despite the data having been collected incidentally. SIRC was given no indication that CSIS had informed the Federal Court of the nature and scope of its activities. SIRC therefore recommended that CSIS make the Court aware of the extent of its retention and use of metadata collected under warrant. Alerted by SIRC’s recommendation, the Federal Court concluded in October 2016 that CSIS could not retain the information unless it was related to a threat to the security of Canada, because CSIS’s collection mandate in section 12 of the CSIS Act includes the qualifier that CSIS can collect information or intelligence only “to the extent that it is strictly necessary.” The Court found that CSIS’s authority to retain information was informed by this limit. Therefore, it held that CSIS had exceeded its lawful authority in retaining much of the metadata collected under warrant. The Court also found that CSIS had failed in its duty of candour to the Court. As discussed below, the question of retention of electronic “datasets” is a matter now more fully regulated by the CSIS Act, following amendments made by the National Security Act, 2017.
b) CSE metadata: Technological advances have created vast amounts of information in the digital realm. Agencies often turn to automation to apply privacy protection measures to large amounts of information efficiently. In 2013, CSE notified its previous review body, OCSEC, that metadata containing Canadian identity information had not been properly minimized by software. This software failure resulted in Canada’s Five Eyes allies receiving data that Canadian laws prohibit CSE from sharing. CSE suspended sharing certain types of metadata while it developed a solution to rectify this problem. Although this was the only instance in which CSE was found by OCSEC not to have complied with the law, related issues arose periodically, including the incomplete reporting on private communications. OCSEC found this to be the result of human and system error. Many of the observations raised historically by OCSEC centred on the interaction of human and technical elements involved in collection and subsequent reporting activities.
c) Datasets: In 2016, SIRC reviewed CSIS’s use of datasets. These datasets were not collected under the authority of a warrant. The review examined whether the collection of such datasets met the statutory test for collection by CSIS under section 12 of the CSIS Act, which is that information can be collected only to the extent “strictly necessary.” Most of the datasets were not directly related to national security threats. SIRC found that there was no comprehensive governance framework guiding the collection, retention and use of bulk datasets. There was also no requirement to assess the datasets to ensure that they met the requirement of being “strictly necessary” to advise the government on suspected threats. These events pushed CSIS to reconsider the legal underpinnings of its collection of datasets. Amendments to the CSIS Act included in the National Security Act, 2017, have since provided CSIS with an explicit authority to collect, retain and use datasets containing personal information that is not directly and immediately related to a threat to the security of Canada. As noted in the final SIRC certificate, pending the coming into force of the National Security Act, 2017, CSIS continued its dataset program despite the legal risks that had been identified.
43. These examples illustrate how the adoption of new collection technologies also poses a challenge for review bodies, who must equip themselves with the technical expertise needed to ensure that the implications of the technologies being deployed are fully understood. This is particularly important given that the use of many new technologies is a closely guarded secret and thus shielded from public scrutiny. As such, it is largely up to review and oversight bodies to scrutinize the use of these technologies. NSIRA’s plans to address this issue are set out in the section on “Future priorities.”
Candour
44. CSIS has struggled to overcome an institutional culture of secrecy that has contributed to failures to fully disclose certain activities and information to the Federal Court, to the Minister of Public Safety and Emergency Preparedness, and to review bodies. A lack of candour can be particularly problematic where it intersects with the use of new technology. The difference between collection that is lawful or unlawful often hinges on very specific details regarding the information that the technology will enable CSIS to collect. A key consideration is whether that information will reveal intimate details of the lifestyle and personal choices of an individual. The breadth of the information collected and other details of its use can also affect a technology’s level of intrusiveness. It is thus vital that oversight and review bodies are made fully aware of departmental activities in order to fulfil their mandates. The broader the scrutiny of a new technology’s use, the more that its implications will be thoroughly considered.
45. Three times in recent years, the Federal Court has found that CSIS failed in its duty of candour toward the Court during warrant applications. In two of the three instances, CSIS omitted certain information regarding the use of technology to collect information. The omissions compromised the Court’s ability to properly exercise its judicial control function. Indeed, it is worth noting that the Court is not required to approve CSIS warrants, even if CSIS meets the basic statutory requirements. The Court must also be satisfied that the warrant powers are reasonable in light of all the circumstances, and must therefore be given all the information it needs to make this key assessment. The Court is also permitted to place any conditions on CSIS warrants that it considers to be in the public interest, and must therefore be able to appreciate the privacy implications of new technologies.
46. The Minister of Public Safety and Emergency Preparedness also plays an important role overseeing the activities of CSIS because of his or her statutory responsibilities related to the CSIS warrant process. Before CSIS can submit a warrant application to the Federal Court, the application must first be approved by the Minister. The Minister — and the officials in Public Safety Canada who advise the Minister — must therefore be provided with all relevant information. It is notable that the Minister has felt it necessary to issue ever-more precise and detailed direction to CSIS specifying that the organization must keep the Minister informed of its activities. The most recent example, the 2019 Ministerial Direction for Accountability, specified that CSIS must inform the Minister of activities “where a novel authority, technique, or technology, is used. This includes novel uses of existing authorities, techniques, or technologies.”
Human source activities
47. Most recently, CSIS failed to meet its duty of candour to the Court in relation to its human source activities. CSIS sometimes pays human sources to collect intelligence. Often, the access these sources have to valuable information is directly related to their personal involvement in terrorism or other threat activities. In paying these individuals for their information, CSIS runs the risk of violating the laws that prohibit paying any money or providing any other resources that support terrorism or other criminal activity. For years, CSIS relied on the doctrine of Crown immunity to provide a legal justification for its actions and to remain within the ambit of the rule of law. The law in Canada has evolved in recent decades, however, making the use of Crown immunity increasingly tenuous as a justification.
48. In 2015 and 2016, SIRC raised a number of questions regarding the legality of CSIS’s human source activities. Notably, SIRC recommended that CSIS obtain legal clarification regarding the continued viability of its reliance on Crown immunity. In response, CSIS obtained legal advice in early 2017 that concluded that Crown immunity could no longer be used to justify activities that would ordinarily be unlawful. This set off a chain of events inside government that culminated in the creation of a new statutory regime allowing CSIS to take actions that would otherwise be unlawful in the course of its human source operations. This new regime was introduced as part of Bill C-59, the National Security Act, 2017, which came into force in mid-2019. While Bill C-59 was before Parliament, however, CSIS decided to continue several human source operations, given their intelligence value, despite the fact that they seemed to violate the law. CSIS only decided to halt these activities in January 2019.
49. In March 2019, SIRC completed its certification of the 2017–18 annual report submitted by the Director of CSIS to the Minister of Public Safety and Emergency Preparedness. Prior to the National Security Act, 2017, SIRC was required to certify the lawfulness of the activities described in each of CSIS’s reports to the Minister. The 2017–18 report discussed CSIS’s continued reliance on Crown immunity in the context of its human source activities. SIRC reviewed the situation and concluded that CSIS had in fact been advised that Crown immunity could no longer be used as a legal defence. As a result, in its certificate, SIRC found that CSIS had knowingly broken the law. SIRC also made clear that although CSIS’s operations could have been important from the standpoint of national security, this in no way excused it from adhering to the rule of law.
50. Starting in early 2018, the Federal Court began to question the legal basis of CSIS’s human source activities independently of SIRC. These questions led to a series of proceedings that culminated, as mentioned, in the Court finding CSIS to have breached its duty of candour to the Court. Specifically, CSIS did not inform the Court that CSIS’s warrant applications were based on intelligence likely collected by illegal means. The Court also observed certain failings with regard to the Department of Justice’s role in the situation. The Court recommended that there be a broader, independent review of the systemic, governance and cultural shortcomings and failures at CSIS and the Department of Justice that resulted in CSIS engaging in illegal activity and in the related breach of its duty of candour to the Court.
51. In response to the identified shortcomings, the government referred the matter to NSIRA for review under paragraph 8(1)(c) of the NSIRA Act. This review, conducted both at the request of the Minister and also under NSIRA’s autonomous review authority in section 8 of the Act, is now under way. Two members of NSIRA, the Honourable Marie Deschamps, C.C., a former Justice of the Supreme Court of Canada, and Professor Craig Forcese of the Faculty of Law at the University of Ottawa, are jointly leading the review.
52. These events are troubling. CSIS not only broke the law, but CSIS and its legal counsel also failed to disclose important matters to the Federal Court, which they were required to do. CSIS also failed to provide key legal opinions to SIRC, or else provided them many years too late, even though SIRC had a legal right to this information.
Future priorities
53. NSIRA’s review mandate has three principal parts: the review of CSIS, the review of CSE, and the review of the national security or intelligence activities of all other federal entities. The review of CSIS and CSE will always remain central to NSIRA’s mission, but over the coming years, NSIRA will systematically map and review other departments’ collection activities. In so doing, NSIRA will scrutinize collection activities to ensure that they are lawful, reasonable and necessary. In other words, NSIRA will not only consider whether a department can collect information, but also whether it reasonably should do so in light of the department’s mandate and the implications for privacy.
54. In our reviews, NSIRA will emphasize scrutiny of a department’s or agency’s use of technology, and particularly new or emerging technologies that pose the greatest risks. NSIRA’s reviews will make recommendations with an eye to improving departmental processes to manage the legal and privacy risks associated with the use of technology. When relevant, NSIRA will examine departmental candour with ministers and oversight bodies, consistent with Canada’s broader system of accountability for national security and intelligence.
55. To achieve these goals, NSIRA will invest in building in-house technological expertise, through a combination of hiring technological experts, training and reaching out to the broader technological community. NSIRA will also collaborate with allied accountability bodies through a forum known as the Five Eyes Intelligence Oversight and Review Council (FIORC). NSIRA will seek to stay current with regard to new and emerging technologies, including artificial intelligence, machine learning and quantum computing, and related concerns such as “big data.” Our goal is to be able to review departmental use of these technologies and their effects in a timely and effective manner.
56. NSIRA has also worked — and will continue to work — with the Office of the Privacy Commissioner of Canada (OPC) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) on matters of joint concern to ensure that the broadest range of perspectives are brought to bear.
CSIS
57. Over the next year, much of NSIRA’s review scrutiny of CSIS will be dedicated to the review stemming from the Federal Court decision discussed above.
58. In addition, NSIRA will systematically map CSIS’s use of technology and its warrant powers. NSIRA will then undertake reviews of the technologies and powers that are deemed to pose the greatest risks. In this way, NSIRA will gain knowledge of CSIS’s most intrusive activities over time. NSIRA will also increase scrutiny of the warrant process in order to monitor CSIS’s candour to the Federal Court.
59. In addition, the National Security Act, 2017, gave CSIS a suite of new powers. NSIRA will review CSIS’s use of these powers in the coming years so as to help inform Parliament’s statutory review of the National Security Act, 2017, which will begin in 2022 or 2023. In particular, NSIRA will review CSIS’s use of datasets, including those that are publicly available, as well as the new justification regime for CSIS activities, that are undertaken in support of collection, which would otherwise be unlawful. NSIRA is also required each year to review at least one aspect of CSIS’s activities under its threat reduction mandate. This mandate authorizes CSIS to go beyond the collection of information in order to take active measures to “reduce” threats to the security of Canada. Over the coming years, NSIRA will take stock of CSIS’s use of these powers since they were acquired in 2015.
CSE
60. CSE uses a range of collection powers and technologies in its everyday operations. Over time, NSIRA intends to comprehensively review the full suite of collection techniques in place at CSE. NSIRA will start by focusing on certain collection techniques that are authorized under a ministerial authorization and comparing them to techniques that are authorized through other channels. As well, NSIRA will examine how CSE addresses incidentally intercepted information, especially the information of Canadians or persons in Canada, and how it decides whether to retain the information.
61. The rapid technological evolution in areas such as quantum computing, 5G and artificial intelligence will affect the work of CSE, perhaps more than any other federal entity. These technologies could also result in the collection of new information or the development of new collection techniques. Using our growing technical expertise in these areas, NSIRA will conduct both general and targeted reviews of the use of these technologies.
62. CSE has also received new powers in the National Security Act, 2017, including the ability to carry out defensive and offensive cyber operations. CSE cannot use these powers to collect information, separately from authorizations issued under its foreign intelligence or cybersecurity mandates. As CSE begins to conduct these operations, NSIRA will review them to ensure they are not being used for — or do not result in — the collection of information.
Other government departments
63. For entities other than CSIS and CSE, NSIRA’s initial reviews will build foundational knowledge of departments with significant collection programs. Of note, NSICOP has already reviewed the security and intelligence activities of the Canada Border Services Agency (CBSA) and of the Department of National Defence (DND) and Canadian Armed Forces (CAF). These reviews identified certain areas of risk, including the use of what is termed “scenario-based targeting,” which is used to screen travellers entering the country, as well as the CBSA’s use of covert surveillance in Canada. NSIRA will build on NSICOP’s work with in-depth reviews of the collection activities of these departments and agencies.
64. NSIRA also intends to map collection through the rest of the federal national security and intelligence apparatus. In particular, NSIRA will explore the collection programs of the RCMP by looking in detail at the RCMP’s national security criminal investigation program, and by examining how the RCMP collects intelligence in support of those investigations. Throughout, NSIRA will be mindful of public concerns with respect to law enforcement, and pay due attention to the RCMP’s activities in sensitive sectors and to any appearance of bias.
65. Within the next three years, NSIRA will examine the collection activities of Global Affairs Canada (GAC). NSIRA will also map the collection and use of biometrics across the government in relation to its security and intelligence activities. This review will examine the collection and use of biometrics by Immigration, Refugees and Citizenship Canada, the CBSA and Transport Canada in relation to their national security responsibilities and canvass the use of biometrics by CSIS and the RCMP in security intelligence and national security-related police investigations.
66. Among the novel and complex areas of collection that NSIRA will also review is the collection of financial intelligence. Financial intelligence is a core component of national security collection, especially in relation to terrorism. It is also central to large law enforcement intelligence operations, especially those that involve money laundering and terrorist financing. Canada’s financial intelligence centre of expertise and responsibility is the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). NSIRA will review FINTRAC’s activities and examine FINTRAC’s relationship with domestic partners.
67. Over the course of the next year, NSIRA will also conduct targeted reviews of DND/CAF. NSIRA has already begun to review the Canadian Forces National Counter-Intelligence Unit to determine how this unit conducts its counter-intelligence gathering activities and, in particular, how the unit’s activities correspond to legal and governance frameworks by focusing on cases of right-wing extremism. NSIRA will also review the Defence Intelligence Enterprise, to gain a general overview and to learn how it is positioned within DND/CAF governance frameworks and authorities. In light of recent media coverage, this review will focus on medical and open-source intelligence.
Medical intelligence and public health intelligence
68. Given the current COVID-19 pandemic, NSIRA will explore how the Government of Canada collects intelligence on medical issues or in relation to the health of Canadians. This is known as medical intelligence, or public health intelligence. At present, NSIRA does not have a firm understanding of what the government considers to be medical intelligence or the extent to which medical intelligence is used. To rectify this gap, NSIRA will review the Public Health Agency of Canada, as well as DND/CAF, whose American counterpart operates the National Center for Medical Intelligence. In Canada, medical issues are usually not part of the public discourse as to what should or should not constitute the government’s intelligence priorities. Medical intelligence will be a completely new area for NSIRA, and it is hoped that it will provoke a useful conversation in light of current events.
Section III — Safeguarding
69. Safeguarding refers to the protection of people, information and other government assets within the national security and intelligence portfolio. Information collected, analyzed and used within this community is often sensitive, either due to the sources and methods from which it is derived, or because of attendant legal protections.
70. There are real consequences when safeguarding measures fail. Should hostile actors like terrorists or foreign governments gain access to information on human sources, for example, this could put lives at risk. Likewise, if hostile actors learn details on electronic methods of collection, this could lead them to apply countermeasures, which could limit Canadian knowledge on key security and intelligence priorities. There is also reputational risk to the Canadian security and intelligence community if allies perceive that the sensitive information they share with Canada, in trust, is not being adequately protected. It is therefore incumbent on the government to ensure that such information is secured from exploitation, compromise or other unauthorized disclosure.
71. Several security breaches in recent years illustrate that the Canadian national security system has not been immune from the risks associated with “insider threats.” The first contemporary public reminder of this risk was the successful prosecution of Jeffrey Delisle. He was a Canadian Navy Sub-Lieutenant who, in 2007, began releasing classified information to the Russian government. On November 30, 2013, Qing Quentin Huang was arrested and charged with attempting to communicate safeguarded information to the Chinese embassy in Ottawa. Mr. Huang had been employed in a sector providing specialized services to the government. Last year, police laid charges against Cameron Ortis, a civilian executive within the RCMP, who was charged with leaking classified information to foreign entities. Both the Huang and Ortis cases remain before the courts.
Safeguarding policy and legal thresholds
72. Safeguarding is neither a legal term of art nor a precisely defined policy term. It encompasses several distinct elements clustered together due to their impact on the protection of people, information and assets. For this reason, the rules for safeguarding begin with the two main policy instruments that govern the management of security within the Government of Canada: the Policy on Government Security and the Directive on Security Management. These policy instruments outline the various requirements for organizations and employees to contribute to security in the workplace.
73. The Treasury Board Secretariat (TBS) is the lead government agency responsible for setting the minimum standards, or safeguards, used to support these policy instruments, covering:
information and identity assurance;
individual security screening;
physical security;
information technology security;
emergency and business continuity management; and
government contracting.
74. Department- and agency-specific policies and procedures across the security and intelligence community — derived from the TBS standards — also set out additional security requirements. As important as it is to define what safeguarding is, it is equally important to understand what it is not. In this context, safeguarding does not refer to measures directed at persons who do not have access to sensitive government information or assets.
75. Employees in the security and intelligence community are also subject to liability for any violation of the provisions of the Security of Information Act (SOIA), which sets out various offences related to the handling of classified material. For instance, the SOIA defines “special operational information” as information that the Government of Canada is taking measures to safeguard.
76. One of the important objectives of the SOIA is to prohibit the unlawful disclosure of sensitive information. However, a mechanism allows for situations where an individual believes that the disclosure of such information is in the public interest — that is, whistleblowing — for example, in preventing public servants from committing a crime in the course of their duties. Whistleblowing protections guard against violations of public trust that erode the confidence of the public in the government’s practices. Whistleblowing protections give an individual a potential legitimate defence against prosecution under some offences in the SOIA.
77. Because the stakes can be high for disclosing safeguarded information, the SOIA outlines a series of preconditions that would enable an accused person to avoid criminal liability for such disclosures. If they are met, the Court will perform a balancing exercise to determine whether the disclosure was in the public interest. These preconditions include weighing factors like the extent or risk of harm created by the disclosure and the seriousness of the alleged offence. However, where the accused is alleging an offence has been committed (and except where disclosure of information is necessary to avoid grievous bodily harm or death), the judge may find the public interest favoured disclosure only where the accused first reported the wrongdoing. NSIRA is the final step in this reporting chain.
Safeguarding themes
78. The concept of safeguarding has an impact on NSIRA’s work in three crucial ways. First, as discussed above NSIRA has procedures for receiving reporting of wrongdoing by whistleblowers. Second, NSIRA must ensure that our members, employees and systems safeguard sensitive information, assets and people from compromise. Third, in both our review and complaint investigation activities, NSIRA plays a crucial role in assessing if the governance systems used to deter, detect and mitigate such risks are compliant, reasonable and necessary.
79. NSIRA has prioritized safeguarding as a review theme to be examined yearly. In selecting this as a review priority, we will help determine the extent to which the security and intelligence community is appropriately safeguarding its employees, information and assets, and will report on whether such practices are lawful, reasonable and necessary to reduce the identified risks. To this end, in our first year NSIRA completed one safeguarding review relating to CSIS, and started another within DND. The latter review was ongoing at the time of writing. When these two reviews are considered holistically along with available open-source information, broader observations can be made about safeguarding.
80. A key observation is the importance of maintaining security vigilance. Currently, the security system engages in high-intensity scrutiny at predetermined intervals — e.g., initial screening on hiring, five-year updates to security clearances, yearly employee security awareness week — and then periods between these intervals where security is less prominent. Moreover, if other priorities take precedence, the time between intervals could increase. In the case of Mr. Delisle, for instance, his Top Secret security clearance had lapsed and was not properly updated prior to his arrival at the government facility where he committed his crimes. Had proper clearance renewal standards been followed, his loyalty to Canada would have been assessed and other vulnerabilities scrutinized.
81. Another important observation is the essential role of clear, concise and updated policies in setting standards across the government. As already mentioned, TBS establishes the minimum security standards for government departments and agencies to follow. Gaps in these standards could create a domino effect, with each department and agency creating their own policies and procedures. Such gaps could lead not only to an absence of standardization across government, but also, in certain cases, to the unreasonable and unnecessary application of security practices.
The polygraph
82. A final observation relates to the government’s use of the polygraph for screening security and intelligence employees. Commonly referred to as a lie detector test, the polygraph is a technology that measures and records several physiological indicators such as blood pressure, pulse, respiration and skin conductivity while a person responds to a number of questions. “Deceptive” answers produce physiological responses that can, so it is alleged, be differentiated from those associated with “non-deceptive” answers.
83. The TBS Standard on Security Screening, created in 2014, cites the use of the polygraph as an appropriate tool, among others, for assessing candidates seeking an Enhanced Top Secret (ETS) clearance. CSIS, in conducting security assessments for its staff, uses the results of the polygraph as a determinative element when granting ETS clearances, rather than an instructive element, to be considered as part of a series of relevant factors. If an outside candidate, employee or individual contracting with the Government of Canada is denied a security clearance that is necessary to obtain or keep federal employment or a contract, the individual can make a complaint to NSIRA pursuant to section 18 of the NSIRA Act. If NSIRA’s jurisdiction is established, the complaint would be investigated by an NSIRA member. This could include, for example, a complaint where a CSIS employee was terminated solely because of the revocation of a security clearance, and the Deputy Head of CSIS could have based the decision to revoke the clearance on the results of a polygraph test. Given the highly invasive and controversial nature of this technology, NSIRA decided to examine the use of the polygraph within our latest safeguarding review of CSIS. We sought to determine the justifications for its use, and the extent to which such determinations are reasonable and necessary.
84. Several key observations were derived from this analysis. First, this tool can have profound negative impacts on an employee’s mental health if not used appropriately. Second, CSIS was unable justify the merits of examiners — who are not medical practitioners — to ask medical-related questions of the people they examine. Third, the outcomes or consequences for polygraph exams conducted on external applicants compared with CSIS employees differed. [ Text removed – As of November 20, 2020, NSIRA and CSIS could not agree on how all of the facts of this review should be presented in an unclassified, public document]. Essentially, a successful polygraph is a determinative factor for external applicants in obtaining an ETS clearance through CSIS. Fourth, CSIS requires policy clarity for cases where employees fail the polygraph examination. Finally, CSIS did not conduct a privacy impact assessment (PIA) for the use of the polygraph, despite a PIA being required by government policy when a department or agency is dealing with “personal information.”
85. These issues raised in the CSIS context are related to a much broader consideration: namely, the extent to which the government’s overarching policy document, the Standard on Security Screening, provides adequate guidance for departments and agencies when they implement this safeguarding measure. For example, this standard requires the use of the polygraph for all ETS clearances, but it is silent on any guidance on the implementation of this requirement, including the conditions for the reasonable use of the polygraph. Rather, such key considerations are left to the discretion of specific departments and agencies.
86. The OPC has also raised concerns with TBS as to how the polygraph examination is used as an enhanced screening requirement under the 2014 Standard on Security Screening. In July 2017 correspondence, for example, the OPC noted particular concerns surrounding its effectiveness, sensitivity and privacy implications, and the potential adverse consequences associated with polygraph examinations.
87. These contemporary observations are not new. In seven consecutive annual reports, ranging from 1985–86 to 1991–92, SIRC requested that CSIS stop using the polygraph. One of the key concerns raised by successive committees were SIRC’s “grave doubts” about the use of the technology, pointing to the fact that test results could be wrong 10% of the time or more. As well, Canadian courts have refused to admit the results of a polygraph as evidence in criminal trials. The Supreme Court of Canada has found that they are unreliable and risky, and would not assist the Court in determining a person’s guilt or innocence.
88. After consideration of the foregoing, on December 12, 2019, NSIRA sent a letter to TBS seeking access to the legal advice prepared for Treasury Board on how the polygraph complies with Canadian legal requirements, as well as a summary of the evidentiary basis used to establish the requirement for using the polygraph, and any assessments of how the use of the polygraph achieves its intended goal. The TBS response failed to answer NSIRA’s questions. However, the letter did acknowledge that the next round of security policy modifications was under way.
89. When SIRC recommended in 1985 that CSIS should cease using the polygraph, it was meant to allow the government time to reach definitive conclusions about whether this technique should be employed by Canadian agencies and, if so, under what circumstances and under what rules. SIRC requested what sound government policy instruments should always require: namely, that there are consistent approaches across government; that risks are managed; and that policies exhibit public service values such as probity, prudence, equity and transparency. NSIRA has not been provided with evidence that suggests that the use of the polygraph meets all of these policy requirements. To this end, future reviews will examine the polygraph’s use outside of CSIS, and based on the information assessed, NSIRA will make a definitive determination about the legality and utility of this instrument.
Future review priorities
90. NSIRA will conduct several reviews of safeguarding practices in the coming years, in an effort to ensure that we are covering as broad a spectrum as possible of security and intelligence community actors. These safeguarding reviews will allow NSIRA to remain involved in relevant key priorities of the field, such as legality, privacy, science-based tools and international best practices.
91. As an independent agency charged with assessing propriety and legality at the core of our mandate, we make our own assessment of the lawfulness of the actions of the security and intelligence community. This forms the basis for NSIRA findings, recommendations and reporting. To this end, NSIRA intends to maintain a strong focus on assessing the process for the input of expert legal advice. Within the context of specific reviews, NSIRA will review the Department of Justice’s role in providing legal analysis to security and intelligence stakeholders.
92. Considering the primacy of privacy in much of the information collected and used by the government in this field, another priority is the need to evaluate the government’s respect for privacy rights, regardless of the policy merits of the safeguarding measure. One of NSIRA’s fellow accountability organizations, the OPC, plays a key role in helping ensure government compliance with Canadian privacy legislation. NSIRA will continue to work collaboratively with the OPC on future safeguarding reviews.
93. In keeping with NSIRA’s mandate to assess the reasonableness and necessity of a department’s exercise of its powers, NSIRA intends to go beyond assessing whether safeguarding measures are legally sound and privacy compliant. NSIRA’s mandate includes reviewing for necessity and reasonableness. For any government to continue to build an adaptive security system, scientific evidence and data-driven analysis must inform which safeguarding tools and processes are necessary. Currently, NSIRA is concerned that there is an absence of transparent and defensible science underpinning policy decisions for selecting security measures. Therefore, our future reviews will include the examination of scientific justifications for specific safeguarding measures.
94. Finally, NSIRA will assess the potential for the government to further advance collaborative practices through additional outreach with foreign partners in allied countries. Although it is known that exchanges of this nature are routine within certain sectors of the security and intelligence community, another feature of these exchanges that should be examined is the extent to which these outreach and coordination efforts relate to safeguarding measures and the extent to which they help revitalize the government’s security posture. NSIRA’s reviews will also provide insight into this component of international best practices.
95. Five safeguarding reviews are planned over the coming years to ensure coverage of as broad a spectrum as possible of security and intelligence community actors. The first will address an aspect of security screening within GAC. The second safeguarding review will relate to CSE’s use of the polygraph for employee security screening; this will be in addition to the yearly reviews of CSE that routinely cover various cybersecurity initiatives used to protect government systems from exploitation. The third review will consider the use of biometrics across the Canadian government. The final two reviews will examine aspects of the RCMP (i.e., the division devoted to Operations Research within this police force, while the other will evaluate the security/safeguarding implications of the Ortis case, using the RCMP’s own internal reviews as a starting point for our analysis).
96. This series of reviews relating to safeguarding will help to provide Parliament and all Canadians with facts about the adequacy of security practices within the security and intelligence community, and ideally, help improve such safeguarding measures. Most importantly, NSIRA exists to ensure that whatever government security standards are ultimately created, they are tested through expert scrutiny and their application is reported on to encourage sustained public debate.
Section IV— Sharing
97. Departments and agencies complement the information they collect on their own with robust information sharing both domestically and internationally. Counter-terrorism, in particular, requires an integrated response, one that involves multiple departments and agencies, in Canada and internationally. Indeed, this is one of the lessons that has been learned post-9/11, but it comes with its own risks and a concomitant need for caution.
98. Information sharing in the security and intelligence community, however, is a broader issue than sharing information to prevent acts of terrorism. Departments share not only to prevent acts of terrorism, but also to counter espionage, foreign interference and the proliferation of restricted technologies. They also share information to advance Canada’s foreign policy and defence priorities. Moreover, they share information broadly — within the security and intelligence community; outside that community with other federal, provincial, municipal and private sector organizations; and with foreign partners.
99. Equally noteworthy is the impact of technology on information sharing. Departments are able not only to collect vast amounts of information, but also to share that information more quickly and easily than ever before. And the burgeoning field of data analytics encourages the sharing of information that can then be analyzed.
100. Against this backdrop, information sharing raises issues of privacy and potential mistreatment abroad, as well as the need to protect sensitive sources and methods when information is shared. These are important issues for Canadians and for policy-makers, and so they will be for NSIRA as well in our review work.
Legal framework for sharing
101. A complex legal framework governs departments’ information sharing. The Privacy Act is an overarching piece of legislation; it is not limited to issues pertaining to the sharing of personal information for national security purposes. The Act sets out specific rules regarding when and why federal government agencies are permitted to share personal information. More recently, Parliament also enacted the Security of Canada Information Disclosure Act (SCIDA), discussed below.
102. In addition, agencies such as CSE, CSIS and the RCMP are subject to specific provisions in their governing statutes for sharing information. Departments can also share information for specific purposes under specific legislation. For example, under the Customs Act, CBSA officials can share customs information where that information is reasonably regarded by the official to be information relating to the national security or defence of Canada. Likewise, in certain circumstances, FINTRAC and law enforcement bodies receive and disclose financial information pursuant to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
103. Departments’ information sharing can also be shaped by international agreements and resolutions, as well as guidance from their respective ministers.
Information-sharing challenges
104. On the basis of three commissions of inquiry in the past 15 years — as well as numerous reviews by NSIRA’s predecessors OCSEC and SIRC — we can safely say that the key challenges of sharing information for national security purposes domestically and internationally are well documented.
105. Justice Major’s Commission of Inquiry into the bombing of Air India Flight 182 addressed several questions, including whether there was effective cooperation and sharing of information between CSIS and the RCMP. Ultimately, the inquiry concluded that the failure of domestic agencies to share information effectively contributed in a material way to the tragic downing of the Air India flight.
106. Since then, CSIS and the RCMP have taken steps to strengthen their information sharing and cooperation. The objective of a CSIS national security investigation is to provide security intelligence to the government; the RCMP collects evidence to be used in a judicial process. While collecting for these different purposes, the two agencies have a shared interest in protecting their respective sources and investigative techniques.
107. In national security investigations, intelligence agencies — most notably CSIS — can be reluctant to share information with the police. Police themselves might want to maintain a distance from intelligence information because it could eventually be subject to disclosure; disclosure disputes can delay or disrupt criminal prosecutions. From a public safety perspective, the limited sharing between intelligence and police agencies could be harmful. This was Justice Major’s central conclusion. It can complicate coordination and impede or delay the range of public safety actions available to the government. This is known as the “intelligence to evidence” dilemma.
108. To address this issue, CSIS and the RCMP have developed a One Vision framework. The framework seeks to enhance cooperation and streamline information sharing.
109. The intelligence to evidence issue was a key part of the country-wide national security consultations that the government undertook in 2016. Ultimately, the government did not bring forward any legislative amendments to specifically address this issue. During our first year, however, NSIRA heard from an external expert that CSIS and the RCMP continue to wrestle with this challenge. The two organizations are undertaking a thorough review to find ways they can remove unnecessary impediments to information sharing and facilitate successful enforcement. Given the importance of the CSIS-RCMP relationship, NSIRA has launched an in-depth case study, to be completed later in 2020, that examines this relationship.
Clear authority for sharing
110. Historically, departments wanting to share national security information regarding threats to Canadian citizens and interests have been concerned about the lack of an independent authority to do so. The Privacy Act’s “consistent use” provision can be used in the national security context where there is a reasonable and direct connection to the original purpose for which the information was obtained. However, this legislation is not specific to the national security context. Overall, it was believed that the complexity of the legal landscape was impeding the sharing of information with national security and intelligence agencies.
111. In response, the government passed the Security of Canada Information Sharing Act (SCISA) in 2015. It created a single legislative authority for federal government institutions to disclose information on an activity that “undermines the security of Canada.” The intent in doing so was to improve the effectiveness and timeliness of sharing threat-related information, including by departments and agencies that are outside the core security and intelligence community. In separate reviews of disclosures under SCISA, however, both SIRC and the OPC were critical of departments’ internal controls and record keeping.
112. The legislation was amended and renamed SCIDA as part of the National Security Act, 2017. Further, NSIRA now has a statutory requirement, pursuant to subsection 39(1) of the NSIRA Act, to conduct a review of disclosures made under SCIDA. To ensure robust review of these disclosures, and in keeping with the statutory authority to coordinate to avoid unnecessary duplication of work, NSIRA and the OPC have agreed to work together on these review efforts.
113. NSIRA is also looking beyond SCIDA to other aspects of the challenge of having clear authority to share information for national security purposes. In our first year, NSIRA has elected to conduct three reviews that feature CSE’s incidental collection and use of Canadian identity information, including disclosure of such information to departments. When sharing intelligence reports with other departments and agencies, CSE typically suppresses Canadian identity information, which is collected incidentally in the course of its foreign intelligence activities and its cybersecurity and information assurance activities. However, departments and agencies that can demonstrate they have the legal authority and operational justification to receive the Canadian identity information can submit to CSE a request for disclosure of the information. NSIRA expects to complete a review later in 2020 that focuses on the lawfulness and appropriateness of Canadian identity information disclosures, and a review that focuses on CSE’s ministerial authorizations and ministerial orders.
Review of CSE’s Privacy Incidents File
114. One review featuring Canadian identity information was NSIRA’s first completed review relating to CSE. The review examines CSE’s Privacy Incidents File, which records privacy incidents discovered by CSE. A privacy incident occurs when the privacy of a Canadian, or a person in Canada, is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. The review of the Privacy Incidents File was an annual review conducted by OCSEC, CSE’s former independent review body. For this review, based on an examination of a selected sample of incidents reported in the Privacy Incidents File for the period of July 1, 2018, to July 31, 2019, NSIRA commended CSE’s timely response to reporting and mitigating privacy incidents. However, NSIRA made five additional findings and corresponding recommendations for CSE to improve its documentation, mitigation and privacy protection practices.
Sharing with international partners and the risk of mistreatment
115. Justice O’Connor’s inquiry into the actions of Canadian officials in relation to Maher Arar examined the circumstances under which a Canadian citizen, Maher Arar, was rendered to Syria and tortured. A key outcome of the inquiry was its conclusion that sharing inaccurate or non-caveated information with foreign partners can result in the mistreatment and torture of individuals, as it did with Mr. Arar.
116. The government responded by issuing a series of ministerial directions on information sharing with foreign partners, culminating in the Avoiding Complicity in Mistreatment by Foreign Entities Act (Complicity Avoidance Act), which came into force in 2019 and required written direction be issued by the Governor in Council (GIC) to the deputy head of multiple departments and agencies. The GIC directions have codified the expectations of departments and agencies. In particular, there is now a clear prohibition for any sharing of information that would result in a substantial risk of mistreatment of an individual. Additionally, they limit the use of any information that was likely obtained through the mistreatment of an individual.
117. Throughout its history, SIRC paid careful attention to CSIS’s information-sharing practices with foreign partners. It also specifically addressed the operationalization of the relevant ministerial direction. Its attention to these issues continued through 2018–19, through two separate reviews of CSIS foreign stations. The first of these reviews focused on the need for CSIS to institute and follow a rigorous decision-making process with respect to sharing information with foreign partners, supported by foreign arrangements anchored in thorough assessments of the human rights records of Canada’s foreign partners.
118. The second foreign station review also examined CSIS’s relationships with foreign partners within the geographic region encompassed by the station. In this case, all of the foreign partners are deemed high risk from a human rights perspective and, thus, restrictions have been placed on all foreign arrangements in the station’s area of responsibility.
119. One of NSIRA’s first reviews examined changes to CSIS’s procedures and policies on information sharing by means of a detailed examination of three cases, identified as high risk, that had been reviewed by CSIS’s Information Sharing Evaluation Committee. The review yielded two recommendations meant to ensure that decisions are made at a level commensurate with the assessment of risk, and that legal opinions are sought, as appropriate, to ensure compliance with the law and ministerial directions when sharing information with a foreign entity.
120. As part of our governing statute, NSIRA is now required to review departments’ implementation of GIC directions on information sharing with foreign partners under the Complicity Avoidance Act. To date, the GIC has issued these directions to 12 departments, including several that have never before received formal direction specific to information sharing with foreign partners.
121. To prepare for this new responsibility, NSIRA launched our first interagency review, an assessment of how six departments and agencies— the CBSA, CSE, CSIS, DND, GAC and the RCMP — were implementing the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities, which was the basis of the direction under the Complicity Avoidance Act. The purpose of the review was also to provide a future roadmap for departments that, pursuant to the Complicity Avoidance Act, received this direction for the first time in 2019.
122. NSIRA found significant variation among the six departments and agencies in terms of their success in implementing the 2017 ministerial direction. Some, like CSE, have developed and rolled out comprehensive policy suites to guide their information sharing with foreign partners. Some departments face challenges in operationalizing this direction. Some also face challenges in establishing decision-making mechanisms that are independent from the operational front line in cases where there is a risk of mistreatment. One of the key issues that NSIRA’s review identified was the inconsistent application of the “substantial risk” threshold across departments and agencies. This will be an area of inquiry in the future.
Future priorities
123. NSIRA has a specific statutory requirement to review the implementation of GIC direction under the Complicity Avoidance Act, and to review disclosures under SCIDA. These reviews are annual requirements, reflecting the potential risks to Canadians when departments and agencies share under these respective statutory mandates. NSIRA will be attentive to those risks, including the potential risks to privacy posed by information sharing. At the same time, however, NSIRA intends to map and review the full range of information sharing in which departments engage — under different statutes and legal sources, as well as internationally and with one another, provincial and territorial agencies, and the private sector.
124. Over our first three years, NSIRA will begin to explore information sharing across the security and intelligence community. We will focus on key partnerships, and how departments and agencies collaborate in keeping Canadians safe and achieving Canada’s foreign policy and defence objectives. The scope of information sharing is broad, and NSIRA hopes to build our understanding of this issue over time.
125. NSIRA has begun a building block review of CSIS-RCMP collaboration and information sharing in relation to a particular investigation. One of the objectives of this review is to document the challenges that the two agencies face in relation to the intelligence to evidence dilemma.
126. NSIRA will examine other key partnerships within the security and intelligence community, including information sharing between CSIS and CBSA to prevent people or goods posing a threat to national security from crossing the border. We will also examine how CSE and CSIS collaborate to collect foreign intelligence that is useful for Canadian policy-makers.
127. NSIRA will also look at horizontal arrangements, and information sharing across different levels of government. For example, we will assess institutionalized measures to promote sharing and cooperation, such as in relation to Integrated National Security Enforcement Team investigations. These teams are led by the RCMP and include representatives from other federal agencies, as well as representatives from municipal police services and provincial police in the case of Ontario and Quebec. NSIRA will also look at information sharing outside of the counter-terrorism context, including how departments and agencies protect Canada’s economic security, beginning with actions under the Investment Canada Act and extending to include the full spectrum of tools at the government’s disposal.
128. NSIRA will examine information sharing with private sector organizations, such as information that the Canadian Centre for Cyber Security collects from organizations to prevent or mitigate cyber attacks by hostile state actors, or that chartered banks report to FINTRAC for investigating suspicious financial transactions.
129. Finally, NSIRA recognizes that in examining information sharing with foreign partners, we can see and understand only Canadian actions. NSIRA therefore participates in international fora such as FIORC, which brings together review bodies from Canada, Australia, New Zealand, the United Kingdom and the United States to stay up to date with (unclassified) trends internationally and to share best practices. Given the close relationship that exists among the Five Eyes intelligence agencies, information sharing has been a topic of discussion at FIORC. These discussions are one way for NSIRA to address the potential gap in accountability that exists with respect to international cooperation.
130. In sum, cooperation and information sharing among members of Canada’s security and intelligence community have always been essential features of Canada’s national security efforts. In practice, this means that there will be very little of NSIRA’s review work that will not include attention to information sharing in some form or another. NSIRA will be attentive to the risks of sharing, as well as the need for effective and timely sharing.
Section V— Action
131. “Actions” refer to any activities undertaken by a federal government department or agency to influence an outcome relating to national security or intelligence. Actions can also come as a result of intelligence collection and/or intelligence sharing. Intelligence is one aspect of the information and analysis that shape how actions are construed and implemented. The action itself, and the influence of intelligence, can be visible (overt) or invisible (covert) to Canadians. A visible action would eventually be known to the recipient, while the occurrence of an invisible action might never be known.
132. The former review bodies, SIRC and OCSEC, could conduct only agency-specific reviews of the key “collectors”: CSIS and CSE. Their reviews of national security activities tended to focus on collection, safeguarding and information sharing. This briefly changed when Parliament enacted the Anti-terrorism Act, 2015, and SIRC began to undertake reviews of CSIS’s new mandate to reduce threats to the security of Canada. SIRC provided the only after-the-fact review of these extraordinary new powers. However, SIRC’s reviews remained confined to CSIS’s actions — a narrow subset of the broad array of national security-related actions taken every day across Canada’s security and intelligence community.
133. NSIRA’s mandate goes beyond intelligence and its collectors, extending to any national security-related activity of any department or agency. Our statutory authorities equip us with the power to review the full range of “action” activities. Such activities have rarely been subject to any form of independent review, and NSIRA is able to ensure that they now are.
134. The National Security Act, 2017, established clear mandates for the main intelligence collectors subject to review, CSIS and CSE, to act in certain circumstances against perceived national security threats. For CSIS, this new legislation updated its threat reduction mandate. For CSE, the Act established active cyber operations (ACO) and defensive cyber operations (DCO) as aspects of its mandate. These new authorities merely supplement the many existing authorities that enable over a dozen other federal security and intelligence departments and agencies to take actions relating to national security, making the “action” cluster of activities vast. For instance, actions within the security and intelligence community include the interception of people and goods at the border by the CBSA and criminal arrest (including, potentially, preventive detention) by the RCMP.
135. The range of actions within NSIRA’s mandate to review “any activity carried out by a department that relates to national security or intelligence” is broad, and includes such actions as denying a person entry into Canada, revoking a Canadian’s passport, placing a person on the Secure Air Travel Act list (Canada’s “No Fly List”), disrupting a person’s affairs through a threat reduction measure, detaining an alleged terrorist or carrying out military actions in an armed conflict. Sometimes, a high-level strategic decision can also be an action activity, such as a policy choice on a national priority like securing the Arctic.
136. NSIRA’s reviews in this area overlap with other priority subject areas. We can review national security action activities that stem from intelligence collection, national security actions unrelated to intelligence collection, and national security actions that lead to intelligence collection. As an example of this last category, a CAF tactical raid during an overseas mission could yield new sources of intelligence that might then seed an NSIRA review in that area.
137. Due to the largely secretive nature of national security and intelligence actions, the effects and impacts are often unseen by the larger public. NSIRA is acutely conscious of concerns expressed during our outreach to civil society with how actions of the security and intelligence agencies might affect the lives of Canadians. This amplifies earlier concerns, primarily centred on privacy issues stemming from information collection and sharing. As a result, one of our key tenets is, to the extent possible, to bring transparency and accountability to our reviews of the actions of the security and intelligence community.
Past review observations
138. As mentioned, before the National Security Act, 2017, reviews did not typically extend to the realm of action activities. For this reason, NSIRA has only a modest archive of domestic review materials from which to extrapolate themes in action reviews. NSIRA’s current focus is to build on foundational reviews to derive key themes. This report discusses NSIRA’s approach to future review in the next section. Nevertheless, some themes have emerged from past reviews of CSIS’s threat reduction measures (TRMs) — which were the only action activities reviewed in the past.
139. From the introduction of its TRM mandate in 2015 to August 2020, CSIS has not sought a warrant from the Federal Court for TRM activities. When introduced, TRM powers raised legal questions and potential issues related to the Charter. The National Security Act, 2017, addressed many of these ambiguities, and enacted new provisions that strengthened Charter protections. NSIRA will closely monitor CSIS’s use of TRMs and review its assessments of when warrants are required for TRMs. NSIRA will also be attentive to how CSIS executes any TRM conducted under the authority of a warrant — and pay close attention to the extent of CSIS’s compliance with all court directions and conditions.
CSE
140. Other themes arising in our review of action activities stem from the widespread commentary within civil society relating to CSE’s new powers to conduct ACOs and DCOs. Prior to the National Security Act, 2017, CSE’s mandates limited the organization (primarily) to observation and collection. Now, under its ACO/DCO mandates, CSE can direct actions through the global information infrastructure at the activities of foreign individuals or foreign entities outside Canada. CSE can conduct ACO activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities or activities of entities as they relate to international affairs, defence or security. CSE can conduct DCO activities on or through the global information infrastructure to help protect the electronic information and information infrastructures of federal institutions or those designated as being important to the Government of Canada. These powers have equivalents among those available to Five Eyes partners. They also empower CSE to play a significant, but unprecedented, role in national security action activities.
141. Civil liberties groups have identified ACO/DCO activities as a principal concern with the National Security Act, 2017, and point specifically to the absence of independent oversight (that is, pre-authorization) of these activities. Under the current statutory regime, in order for CSE to lawfully conduct ACO/DCO, the Minister of National Defence must authorize all such activities. This authorization requires the Minister to conclude that there are reasonable grounds to believe that the activity is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities. Additionally, the Minister of Foreign Affairs must approve ACO activities and must be consulted on DCO activities.
142. Ministerial authorizations for ACO/DCO activities do not require the approval of the Intelligence Commissioner, which is not the case for foreign intelligence and cybersecurity activities. There is, therefore, no scrutiny by an arm’s-length, independent body of ACO/DCO authorizations prior to their approval. This is why NSIRA considers our reviews of ACO/DCO actions to be particularly important. Unlike in the case of CSIS TRMs, CSE has no statutory obligation to notify NSIRA when it undertakes ACO/DCO activities. NSIRA intends, however, to focus proactively on these activities.
143. Although legislation limits powers such as TRMs and ACO/DCO, these activities occur in secret. This is in contrast with other types of national security actions, such as arrests made by police, which are overt and can be challenged in open court. NSIRA considers the opacity of certain types of actions to warrant future reviews. The more secret the national security action, the more essential it is for NSIRA to conduct rigorous review.
Law enforcement
144. Prior to the enactment of the National Security Act, 2017, the RCMP’s national security-related activities were reviewed by the Civilian Review and Complaints Commission for the RCMP. Those national security-related actions are now reviewed by NSIRA. The enactment of new offences — especially terrorism offences — and a focus on terrorism have drawn police into a greater national security role. Police investigate crime, and have a role in preventing its occurrence. In doing so, police might investigate, among other things, terrorism offences, while at the same time being involved in community-based programs directed at countering radicalization to violence. They can also engage in crime prevention or risk mitigation actions that do not lead to full prosecutions. The traditional tool for holding police accountable is the criminal justice system. For example, police conduct will be scrutinized during a criminal trial. However, accountability mechanisms are less robust where police pursue national security threat disruption strategies that are not challenged in the courts. Therefore, we believe that NSIRA’s review functions will become particularly important in these circumstances.
145. The CBSA’s scrutiny of people and goods crossing the border can be triggered by intelligence shared from domestic and foreign partners or derived from its own collection and assessment efforts. CBSA actions include searches at the border and the seizure or interdiction of goods, currency and people. These searches and the CBSA’s determination that a non-Canadian might be inadmissible can have implications for people’s liberty, privacy, freedom of movement and commercial interests. NSIRA’s task is to review the CBSA’s national security and intelligence activities in an effort, among other things, to ensure that it fully complies with its legal requirements. This is especially true as, at present, no independent body currently can hear public complaints against the CBSA.
Future priorities
146. In our reviews of action activities, NSIRA makes findings and recommendations on an organization’s compliance with the law and any applicable ministerial direction and the reasonableness and necessity of its exercise of its powers. NSIRA is in a unique position to assess the Government of Canada’s visible or invisible actions and to provide assurance to Canadians that their national security and intelligence agencies are accountable in order to protect Canada’s national security interests and defend the rights and freedoms of Canadians and people residing in Canada.
147. NSIRA’s strategic plan focuses on reviewing three types of action activities: operational actions, law enforcement actions and administrative actions, defined below. In each of the following categories, NSIRA has identified certain action activities of interest that we will scrutinize in future reviews. The items listed are not necessarily part of NSIRA’s review plan but serve to highlight the breadth of situations that fall within reviews of the “action” activities undertaken by the security and intelligence community.
Operational: covert action activities in direct support of a national security objective. Operational actions of interest to NSIRA include: CSE’s use of ACO/DCO, to be reviewed annually; CSIS TRMs, to be reviewed annually; and CAF’s operations in theatre and on the battlefield.
Law enforcement: covert or overt action activities to enforce laws, investigate crimes and make arrests. Law enforcement action activities on which NSIRA might concentrate, while being sensitive to the administration of justice and the concept of police independence in investigative decisions, include the CBSA’s targeting that leads to the identification and/or interception of high-risk people, goods and conveyances that pose a threat to the security of Canadians, and RCMP investigations that could lead to detention, arrest or prosecution.
Administrative: visible action activities taken in the act or process of administering a statutory power entrusted by Parliament to the federal government. Administrative action activities on which NSIRA might focus include: GAC’s implementation of foreign policy and trade sanctions; the Investment Canada Act reviews of investments that could be injurious to national security; the decision to add a person to the Secure Air Travel Act list under the Passenger Protect Program; and national security-related admissibility issues.
148. As NSIRA’s capacity to conduct reviews expands, we will compile a complete picture of the actions that national security and intelligence agencies take in exercising their mandates, and assess these actions for legal compliance, reasonableness and necessity.
Under the NSIRA Act, one of NSIRA’s core functions is to investigate complaints in the following instances:
complaints with respect to an activity carried out by the Canadian Security Intelligence Service (CSIS) or the Communications Security Establishment (CSE);
complaints referred by the Civilian Review and Complaints Commission for the RCMP (CRCC) with respect to an activity by the Royal Canadian Mounted Police (RCMP) that is closely related to national security; and
complaints regarding the denial or revocation of security clearances to federal government employees and contractors.
150. Through the National Security Act, 2017, NSIRA inherited the complaints functions of the Security Intelligence Review Committee (SIRC) and the Office of the CSE Commissioner, which investigated complaints related to CSIS and CSE, respectively. In addition, NSIRA absorbed responsibility for investigating national security-related complaints against the RCMP. NSIRA also inherited SIRC’s complaints investigation infrastructure, but it was evident early in our mandate that the SIRC model needed to be enhanced to provide more timely and efficient investigations. NSIRA has therefore begun to rework the Rules of Procedure and enhance the overall process. NSIRA has also worked collaboratively with the RCMP and the CRCC to effectively manage national security-related complaints against the RCMP.
Section II— Synopsis of trends and key themes
151. NSIRA has experienced an increase in the volume of complaints we receive, specifically complaints against CSIS, as well as complaints relating to security clearances. In comparison to the complaints statistics in the SIRC annual report for 2017–18 and statistics for 2018–19, NSIRA has seen an increase of 40% for newly opened complaint files. In particular, complaints against CSIS have doubled and security clearance complaints have increased by 30%. NSIRA did not investigate most of the recent complaints against CSIS because we concluded that they were not in NSIRA’s jurisdiction — they did not concern an activity carried out by CSIS, or NSIRA was satisfied that the complaints were trivial, frivolous or made in bad faith.
152. The majority of the complaints received relating to the alleged denial or revocation of a security clearance did not fall within NSIRA’s mandate. Rather, it turned out they were related to a complainant’s reliability status or enhanced reliability status. NSIRA may only investigate complaints relating to security clearances, not reliability status matters. Complaints relating to reliability status generally must be challenged on judicial review in the Federal Court. As a result, NSIRA investigated very few security clearance complaints. A lesson drawn from the past year is that departments and agencies should ensure that they provide clear and accurate information regarding an individual’s rights of review and redress, and correctly identify both the nature of the security status at issue and the body to whom the person may complain as a result of being denied that status. By the same token, NSIRA is taking steps to increase the public’s awareness of our mandate, while also ensuring that complainants are informed of their redress mechanisms early on so that their rights to seek a remedy are preserved.
153. With respect to security clearance complaints investigated both by NSIRA and SIRC, some of the key issues revolved around out-of-country background checks and cases in which there was insufficient information to grant an individual a security clearance. One of the lessons derived from these types of complaints is that departments must ensure that individuals receive a written notice informing them of the reasons for the decision, if that is possible in the circumstances (i.e., such disclosure is not prohibited under federal legislation). Going forward, NSIRA will continue to encourage the parties to make efforts to informally resolve complaints at the earliest opportunity.
Section III— Whistleblower protection
154. The Public Servants Disclosure Protection Act (PSDPA) is whistleblowing legislation that offers federal public sector employees an external mechanism to report ethical breaches and to complain about reprisals that they believe they have suffered. The PSDPA, however, specifically excludes members of CSIS, CSE and the Canadian Armed Forces (CAF), as well as all people who wish to make a disclosure pertaining to special operational information. CSIS, CSE and the CAF have implemented internal mechanisms for disclosure of wrongdoing, pursuant to their requirements under the PSDPA. However, the current structure offers no external reporting mechanisms for disclosures that pertain to special operational information and/or for employees from CSIS, CSE or the CAF.
155. As discussed above, a “public interest defence” is available, in certain circumstances, to Canadian whistleblowers who are permanently bound to secrecy and who have been charged with certain offences under the Security of Information Act (SOIA). This defence is available only if the accused has followed the steps outlined in the SOIA before making the disclosure to the public. The SOIA identifies NSIRA as a forum in which, under certain conditions, this kind of disclosure of wrongdoing can be made. However, the SOIA does not describe how this process is meant to function procedurally nor does it articulate the role, if any, that NSIRA should play in accepting disclosures of wrongdoing from CSIS, CSE or CAF employees.
156. In previous correspondence to the Attorney General, NSIRA identified these legislative gaps and the negative implications for national security that can occur when democratic countries have deficient protocols for whistleblowing within their national security and intelligence communities. In the interim, NSIRA will be implementing internal procedures to address concerns brought forward by members of the security and intelligence community. If the concern brought to NSIRA is not within the scope of the public interest defence under section 15 of the SOIA, NSIRA can examine the matter if it relates to NSIRA’s review mandate, pursuant to subsection 8(1) of the NSIRA Act.
157. Canada’s threat environment and national security landscape require effective and robust protections for Canada’s national secrets and for the public servants who keep these secrets. Potential legislative amendments to enhance current whistleblowing protections for members of the security and intelligence community could include amendments to the SOIA, to the PSDPA or to the NSIRA Act. A key component of any legislative amendment would be external accountability and protections akin to those of the Office of the Integrity Commissioner under the PSDPA.
Section IV— Priorities for the year ahead
158. In 2020, NSIRA is modernizing the complaints process. NSIRA’s goal remains the just, efficient investigation and resolution of complaints. Modernization is needed to adapt to the changing complaints landscape. Two priorities will guide the modernization: access to justice for self-represented complainants and a broader spectrum of tools to streamline the resolution of complaints.
159. To this end, NSIRA is updating our website and revising our forms to provide clearer directions for potential complainants. We intend to place greater emphasis on explaining NSIRA’s jurisdiction, and how to file complaints, which should assist in a complaint starting in a timely fashion and in the correct forum. Further, the website will contain a guide for self-represented complainants, so they can better navigate each step of the process and have their complaint resolved in an appropriate way.
160. One size never fits all. Each complaint that NSIRA receives calls for a unique approach. As noted, we are currently updating our Rules of Procedure. The new rules will allow for greater flexibility, efficiency and transparency. Some of the changes under consideration are the following: a discussion of expectations with a complainant at the outset; a new process for quickly deciding jurisdiction; an interview with the complainant; more options for informal resolution; quick and standardized disclosure of information between the parties; and, a requirement for declassified file summaries and chronologies. NSIRA believes these changes will allow complaints investigations to proceed more quickly and in a more efficient manner.
Part 4: Engagement and transparency
As expressed in the National Security Act, 2017 preamble, “enhanced accountability and transparency are vital to ensuring public trust and confidence in Government of Canada institutions that carry out national security or intelligence activities.” Along with public engagement, these are core values for NSIRA and we consider each to be vital to ensuring that we fulfil our mandate. The benefits of public engagement have been underscored in recent years, including through the national security consultations undertaken by the government in 2016. Engagement with stakeholders during our first year of operation helped establish connections and relationships that we will build on in the years ahead. As outlined in this section, NSIRA has taken strong steps in our first year of operation to promote increased transparency of national security and intelligence activities. In addition to our own initiatives, NSIRA will continue to encourage departments and agencies to promote transparency of their activities, including in fulfilment of the National Security Transparency Commitment.
Section I— Engagement
162. In 2019, NSIRA launched a series of public engagements to increase awareness about the organization, to expand our network, and to deepen our understanding of Canadians’ concerns with respect to national security and intelligence activities. In 2019 and into 2020, we undertook engagement sessions throughout the country with various stakeholders, including academics, civil society, law enforcement and government organizations.
163. These sessions provided a valuable opportunity for NSIRA to hear from stakeholders about programs and issues that they recommended for NSIRA review, as well as the privacy and civil liberties risks they felt these programs presented. The uniformly positive feedback that NSIRA received from stakeholders demonstrated the value of these engagements.
164. Internationally, NSIRA continues to be actively involved with the Five Eyes Intelligence Oversight and Review Council, which allows NSIRA to: advance our knowledge of cross-cutting international themes in the area of national security and intelligence accountability; share priorities and compare best practices; collaborate on key issues of mutual interest; and promote coordinated review of issues of international importance.
165. Over the coming year NSIRA intends to continue our program of outreach and engagement. We will take advantage of opportunities to connect with stakeholders nationally and internationally via videoconference and, where possible, in person. In the year ahead, engagement will focus on four key areas:
expanding our network with respect to issues related to new and emerging technologies (including artificial intelligence), to better understand their use as well as the risks and opportunities they present from a national security accountability perspective;
broadening our dialogue with stakeholders to inform future review priorities;
building new relationships with community groups to demystify the complaints investigation process; and
scaling up recruitment efforts to ensure we continue to build an elite workforce with a diverse set of skills and backgrounds.
Section II— Transparency
166. NSIRA has taken a number of steps to increase openness and transparency related to our work and the work of the national security and intelligence community. We established a Twitter account early in our mandate, which we are using to share content, provide updates on our work and provide a platform for dialogue on security-related issues.
Redaction and writing for release
167. Over recent months, NSIRA has begun publishing reports from our predecessor organization, the Security Intelligence Review Committee (SIRC), that had been redacted for release to individuals who had applied to see the reports through the Access to Information Act. Under the Access to Information Act, the reports only had to be made available to the applicant. To support transparency, NSIRA plans to gradually publish online redacted versions of all SIRC reviews, from 1985 to 2019, which involves more than 270 reports.
168. To complement this initiative, NSIRA also wishes to proactively redact and release future NSIRA reports as they are approved and translated throughout the year, rather than waiting for the release of our annual report to publicize our findings and recommendations. This aims to enhance the timeliness and relevance of NSIRA’s work to public discourse on national security and intelligence issues. It also means that we can devote more time and space in future annual reports to discussing and analyzing horizontal or thematic trends, rather than individual (or vertical) reviews or issues.
169. NSIRA is working with departments and agencies to ensure that this new approach takes place in such a way that vital national security and intelligence information is protected, while at the same time providing the public with as much insight as possible into the results of our reviews. On a case-by-case basis, relevant ministers will be offered an opportunity to raise concerns with respect to the release of specific reports.
170. To facilitate redaction efforts and release reports in an efficient and timely manner, NSIRA has committed to making efforts to “write for release.” This method includes writing as much as possible at an unclassified level, including unclassified executive summaries; clearly identifying within a report what portions contain classified information; and leaving classified information out of the body of the report where possible and, instead, including it in footnotes or annexes.
Conclusion
171. We are very proud of NSIRA’s achievements during our first five months of operation. We have an ambitious agenda for the year ahead, despite the constraints imposed by the pandemic. We have set in motion a review plan that covers multiple issues over the coming year and will involve numerous departments and agencies. We are in the midst of significantly overhauling our complaints investigation process, with the aim of making it more accessible for all. We will also expand our corporate infrastructure to facilitate our growth over the years ahead, including through the acquisition of additional office space and the hiring of talented new staff.
172. We look forward to deepening our relations with other review and oversight bodies in Canada and internationally, as well as with diverse stakeholder groups to ensure that our work is as effective and as meaningful as possible. On that note, we hope that this report is useful. We encourage all readers to tell us their thoughts on the format, the content, and any aspects that we can improve in the next iteration.
173. We are very grateful to our staff for continuing to achieve strong results despite the challenges that the ongoing pandemic has presented. We look forward to tackling the many challenges and opportunities that await us in the year ahead.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!