Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2023: Backgrounder
Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2023
Backgrounder
Backgrounder
The Security of Canada Information Disclosure Act (SCIDA) is intended to facilitate information sharing across government for national security purposes. Disclosures under SCIDA tend to include considerable personal information, such as passport information, citizenship status, and information gathered by diplomatic missions.
NSIRA is responsible for annually reviewing disclosures made during the previous calendar year and submits a report with its findings and recommendations to the Minister of Public Safety.
Annual reviews of disclosures by NSIRA are key to ensuring that Government of Canada (GC) institutions use SCIDA in a manner that respects the Canadian Charter of Rights and Freedoms and the privacy rights of the individuals whose information is being disclosed.
This report describes the results of a review by NSIRA of SCIDA disclosures made in 2023. It was tabled in Parliament by the Minister of Public Safety, as required under subsection 39(2) of the NSIRA Act, on June 13 2025.
Since NSIRA began reviewing GC institutions’ compliance with the Act five years ago, it has made recommendations to promote higher levels of compliance among GC institutions. This has resulted in those institutions adjusting their practices and increasingly demonstrating an improved understanding of their obligations.
This year, for the first time in SCIDA’s history, NSIRA has found full compliance with the Act. As such, the report contains seven recommendations aimed at improving the practices of GC institutions to ensure that this high level of compliance is maintained.
Department of National Defence/Canadian Armed Forces
FINTRAC
Financial Transactions and Reports Analysis Centre of Canada
GAC
Global Affairs Canada
GC
Government of Canada
IRCC
Immigration, Refugees and Citizenship Canada
NSIRA
National Security and Intelligence Review Agency
PHAC
Public Health Agency of Canada
PS
Public Safety Canada
RCMP
Royal Canadian Mounted Police
SCIDA
Security of Canada Information Disclosure Act
TC
Transport Canada
Glossary of Terms
Contribution test
The first part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)).
Proportionality test
The second part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).
Executive Summary
The objective of this review was to determine whether Government of Canada (GC) institutions complied with the Security of Canada Information Disclosure Act (SCIDA)’s requirements for disclosure and record keeping in 2023. The review assessed GC institutions’ use of information-sharing arrangements, consistent with SCIDA’s guiding principles. The review also documented the volume of SCIDA disclosures and highlighted patterns in the SCIDA’s use across GC institutions and over time.
This is the fifth year that GC institutions have used the SCIDA and that NSIRA has reviewed their compliance with the act. Each year, NSIRA has made recommendations aimed at promoting compliance with the Act. Over the last five years, GC institutions have adjusted their practices and are increasingly demonstrating an improved understanding of their obligations. As a result, for the first time in SCIDA’s history, NSIRA found full compliance with the SCIDA. This allowed NSIRA to focus its review on in-depth analysis of the SCIDA’s contribution and proportionality tests.
For instance, some Immigration, Refugees and Citizenship Canada (IRCC) disclosures, albeit compliant with the SCIDA, presented a heightened risk of non-compliance with these two tests. One disclosure involving protest activity raised concerns regarding how IRCC arrived at the conclusion that the disclosure was related to activity that undermined the security of Canada, and thus complied with paragraph 5(1)(a) of the SCIDA. Three disclosures also raised concerns with regard to the amount of personal information that IRCC disclosed following its proportionality assessment, pursuant to paragraph 5(1)(b).
CSIS request letters, on which IRCC often relies to assess compliance with subsection 5(1), were at times unclear. This hindered IRCC’s effort to satisfy itself that the disclosure was authorised under the SCIDA.
IRCC provided templated statements on accuracy and reliability that were not always relevant or specific to the circumstances of the disclosure. In one case, the Canada Border Services Agency (CBSA) made a verbal disclosure that did not include an explicit statement about accuracy and reliability at time of disclosure. In addition, CBSA’s record of disclosure form contradicts the SCIDA by suggesting that the provision of information on accuracy and reliability is optional.
As encouraged by the SCIDA’s guiding principles, and as recommended by NSIRA previously, IRCC and the Communication Security Establishment signed an informationsharing agreement.
NSIRA made seven recommendations to mitigate risks of non-compliance and enshrine best practices in future years.
1. Introduction
Authority
This review was conducted pursuant to subsections 8(1)(b) and 39(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).
The review satisfies the NSIRA Act’s section 39 requirement for NSIRA to submit a report to the Minister of Public Safety on disclosures made under the Security of Canada Information Disclosure Act (SCIDA, Act) during the previous calendar year.
Scope of the Review
The objective of this review was to determine whether Government of Canada (GC) institutions complied with the SCIDA’s requirements for disclosure and record keeping. The review assessed GC institutions’ use of information-sharing arrangements, consistent with SCIDA’s guiding principles. The review also documented the volume of SCIDA disclosures and highlighted patterns in the SCIDA’s use across GC institutions and over time.
The review included all GC institutions that disclosed or received information under the SCIDA in 2023: the Canada Border Services Agency (CBSA), Communications Security Establishment (CSE), Canadian Security Intelligence Service (CSIS), Global Affairs Canada (GAC), Immigration, Refugees and Citizenship Canada (IRCC), and Royal Canadian Mounted Police (RCMP). The review also included Public Safety Canada (PS), which provides SCIDA-related policy guidance and training across the GC.
Methodology
NSIRA assessed administrative compliance with the SCIDA’s record keeping obligations in respect of all disclosures made in 2023.
NSIRA assessed substantive compliance with the SCIDA’s disclosure requirements for a targeted sample of 27 disclosures, selected according to the parameters described in Annex A.
Review Statements
The NSIRA Act grants NSIRA rights of timely access to any information in the possession or under the control of a department (except for cabinet confidences) and to receive from the department any documents and explanations NSIRA deems necessary. NSIRA monitors cooperation with access requests, including the completeness and accuracy of disclosures, which inform its overall assessment of a department’s responsiveness in each review.
All reviewees met NSIRA’s expectations for responsiveness during this review.
2. Background
The SCIDA provides an explicit, stand-alone authority to disclose information between GC institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.
Section 9 of the SCIDA prescribes record-keeping obligations for all institutions who disclose or receive information under the Act. Subsection 9(3) requires that these records be provided to NSIRA within 30 days after the end of each calendar year.
Subsection 5(1) of the SCIDA authorizes GC institutions to disclose information –subject to any prohibitions or restrictions in other legislation or regulations – to designated recipient institutions if the disclosing institution is satisfied that (a) the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (the “contribution test”); and (b) the information will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (the “proportionality test”).
Subsection 5(2) requires disclosing institutions to, at the time of the disclosure,also provide information regarding the disclosure’s accuracy and the reliability ofthe manner in which it was obtained.
When a GC institution receives information under the Act, subsection 5.1(1)requires that the institution destroy or return any unnecessary personal informationas soon as feasible after receiving it.
The SCIDA’s guiding principles reinforce the notion that effective and responsible disclosure of information protects Canada and Canadians. Of note, subsection 4(c)suggests that GC institutions enter into an information-sharing arrangement when they regularly disclose information to the same recipient.
3. Findings, Analysis, and recommendations
Volume and Nature of Disclosures
In 2023, GC institutions made a total of 269 disclosures under the SCIDA (see Table 1).
Table 1: Number of SCIDA disclosures made in 2023, by disclosing and recipient institution [all disclosures (proactive disclosures)]
Designated Recipient Institutions
Disclosing Institution
CBSA
CFIA
CNSC
CRA
CSE
CSIS
DND/CAF
Finance
FINTRAC
GAC
Health
IRCC
PHAC
PSC
RCMP
TC
TOTAL (proactive)
CBSA
–
–
–
–
–
–
–
–
–
–
–
–
–
–
2
(2)
–
2
(2)
GAC
–
–
–
–
1
(1)
10
(0)
–
–
–
–
–
–
4
(0)
–
15
(1)
–
53
(32)
IRCC
–
–
–
–
58
(0)
194
(7)
–
–
–
–
–
–
–
–
–
–
252
(7)
TOTAL (proactive)
–
–
–
–
59
(1)
204
(7)
–
–
–
–
–
1
(0)
–
–
6
(2)
–
263
(10)
The number of disclosures increased 55% since 2022, reversing the slight downward trend in the number of disclosures observed across prior years. This shift is largely due to a 246% increase in disclosures from IRCC to CSIS. CSIS attributes this increase to a policy shift that led them to use the SCIDA to request information that IRCC previously provided under the Privacy Act.
As in previous years, disclosing institutions made the vast majority of disclosures following a request. Only 4% of disclosures were sent proactively by the disclosing institution.
Record Keeping Requirements – Section 9
Finding 1. NSIRA found that every institution that disclosed or received information pursuant to SCIDA in 2023 complied with their record keeping obligations under section 9, but some records were inaccurate or imprecise.
Section 9 of the SCIDA prescribes record-keeping obligations for all disclosing institutions, as well as institutions who receive information pursuant to a disclosure. These requirements include, among others, that records of the disclosure describe the information as well as indicate whether the information was destroyed or retained by the recipient. NSIRA’s cross-reference of records provided by disclosing and recipient institutions revealed some inaccuracies that were clarified through discussion with the institutions following receipt of their records:
Under paragraph 9(2)(a), CSE mislabelled the number of subjects that the disclosure pertained to in four (of 59) instances;
Under paragraph 9(2)(e), CSIS records included contradictory information as to whether the information received has been destroyed or retained; and
Under paragraph 9(1)(a), IRCC records included contradictory descriptions of the information disclosed.
NSIRA was unable to reconcile the information provided in relation to one case where the CBSA made a verbal disclosure to the RCMP. Based on the initial records provided by the RCMP and CBSA, NSIRA could not determine with certainty what personal information was shared, and when. In response to a recommendation from NSIRA’s SCIDA review for 2022, the CBSA developed a record of disclosure form to serve as a record overview. In this instance, the form was incomplete and contradicted the copy of the disclosure that was also provided to NSIRA.
As it did last year, NSIRA underscores the importance of administrative precision in preparing records, and notes that a record overview – when correctly prepared –supports compliance with SCIDA record keeping requirements.
NSIRA identified several instances in which the disclosing institution did not provide an explicit statement, under paragraph 9(1)(e), regarding the information that was relied on to satisfy the disclosing institution of the proportionality test. Three of these disclosures were included in NSIRA’s targeted sample for assessing the contribution and proportionality tests.
Contribution and Proportionality Tests – Subsection 5(1)
Finding 2. NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves under the contribution and proportionality tests in compliance with subsection 5(1) of the SCIDA.
To assess compliance with subsection 5(1), NSIRA first considered the explicit statements prepared by disclosing institutions under paragraph 9(1)(e), describing the information that was relied on to satisfy themselves that the disclosure was authorized under the Act. When an explicit statement was provided, NSIRA analysed and corroborated these statements by reviewing all other documents provided by GC institutions related to a given disclosure. Additional documents provided did not raise any concern with paragraphs 5(1)(a) and 5(1)(b) compliance.
For all 27 disclosures included in the sample, the disclosing institution provided anexplicit statement that demonstrated that they had satisfied themselves that thedisclosure would contribute to the recipient’s jurisdiction or its responsibilities.24.
For 24 of the 27 disclosures, the disclosing institution provided an explicit statement that demonstrated they had satisfied themselves that no one’s privacy would be affected more than reasonably necessary in the circumstances. In the remaining three disclosures, despite having no explicit statement, other documents provided by the disclosing institutions nevertheless demonstrated that they had satisfied themselves of the proportionality test.25.
While NSIRA found that institutions were generally compliant with paragraphs5(1)(a) and 5(1)(b), IRCC’s contribution and proportionality assessments demonstrated some deficiencies. These deficiencies form the basis of findings 3and 4.
Recommendation 1. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
SCIDA’s Exception for Advocacy, Protest, or Dissent
Finding 3. NSIRA found that IRCC did not, in one instance, independently consider whether its disclosure related to activities that fell under the SCIDA exception for advocacy, protest, or dissent. Instead, IRCC satisfied itself of the SCIDA’s contribution test based on assumptions about how CSIS assessed activities that undermine the security of Canada.
The contribution test under paragraph 5(1)(a) requires the disclosing institution to assess whether the disclosure relates to activities that undermine the security of Canada. These activities are defined by the Act and include, for example, espionage, covert foreign-influenced activities, terrorism, and significant or widespread interference with critical infrastructure. In its definition of activities that undermine the security of Canada, subsection 2(2) of the SCIDA includes an exception for advocacy, protest, dissent, or artistic expression. These, in and of themselves, do not constitute activities that undermine the security of Canada. The legislated exception helps to distinguish between legitimate forms of political dissent and national security threats.
In one instance, CSIS requested detailed information from IRCC related to an individual. The request sought current and past passport applications and these contain a great deal of personal information3.CSIS justified its request with anexcerpt from a news article which cited a quote uttered publicly by the individualduring a protest.
IRCC did not request any additional rationale from CSIS. It disclosed the individual’s passport application, including some associate’s information, along with the individual’s passport number, place of issue, and dates of issue and expiry.
In response to a query from NSIRA regarding on what basis it satisfied itself of the contribution test, IRCC explained that it “relies on the partner to accurately describe that the individual is tied to an activity that may undermine the security of Canada.” The IRCC official who authorized the disclosure further explained that IRCC assumed that CSIS had not relied solely on the individual’s statements quoted in the news article given the limits of CSIS’s authority to investigate lawful advocacy, protest or dissent under the CSIS Act.
The CSIS Act includes an exemption preventing CSIS from investigating lawful advocacy, protest or dissent, without the presence of threat related activities itemised in the CSIS Act. However, the SCIDA’s use of “activity that undermines the security of Canada” is a purposeful departure from the CSIS Act’s “threat to the security of Canada”. The distinction reflects legislative intent that the disclosing institution perform its own, fit-for-purpose assessment.
Subsection 5(1) of the SCIDA explicitly places the onus on the disclosing entity to assure itself that the disclosure is authorized. The process by which an institution satisfies itself should be grounded in an independent and factual assessment. In that context, a mere acquiesce of a request would not be sufficient, nor would a de facto reliance on the recipient respecting their enabling legislation. The threshold of satisfaction imports an objective standard that must be based on facts.
PS guidance notes that although the threshold imposed by subsection 5(1) does not hold institutions to perfection, they must make all reasonable efforts to satisfy themselves that the information will contribute to the recipient’s national security mandate. When encountering activities occurring in the context of political dissent or a protest, NSIRA expects institutions with a national security mandate to exercise caution when requesting information relating to an activity protected under the Canadian Charter of Rights and Freedoms (Charter) to further an investigation. At the same time, in this case, IRCC should have obtained more information prior to disclosure, to substantiate what activities were undermining the security of Canada to ensure the exception did not apply.
Recommendation 2. NSIRA recommends that IRCC amend their SCIDA policy to underscore that IRCC must independently assess whether the disclosure is authorized. This assessment should consider whether the activity amounts to one of the exceptions to the SCIDA’s definition of activities that undermine the security of Canada.
IRCC’s New Approach to Proportionality Assessments
Finding 4. NSIRA found that, throughout the course of 2023, IRCC improved the rigour of its proportionality assessments regarding disclosure of passport information. However, NSIRA identified three instances where IRCC disclosed visa information without applying the same rigorous approach, which risked disclosing more personal information than reasonably necessary in the circumstances.
In summer 2023, IRCC adopted a “higher” standard to satisfy itself that no person’s privacy interest would be affected more than reasonably necessary when disclosing passport information to CSIS. According to IRCC, this shift was prompted by a previous NSIRA recommendation that IRCC be explicit in their records that the proportionality test was met. Not only did IRCC adjust their record keeping practices, but they also turned their attention to the substantive issue at hand. Indeed, IRCC closely examined the privacy impact their disclosures may have when responding to CSIS requests.
As a result, when dealing with the absence of additional rationale from CSIS, IRCC became more conservative in the disclosure of information. For example, IRCC began redacting associate’s information in passport applications, limiting the provision of historical applications, and refraining from disclosing applications of minors. They adopted an iterative approach to disclosing passport information, which cultivated a more appropriate weighting of individuals’ privacy interests vis-à-vis the recipient’s investigative needs.
IRCC’s new approach to assessing the proportionality of passport information disclosures was not well-received by CSIS, who characterize their receipt of redacted passport applications as a “massive” hindrance to section 12 investigations. In internal correspondence, a CSIS analyst noted that they would prefer that “IRCC not filter down the info and let them [CSIS] make the assessment based on the knowledge of [national security] threats”.
Still, the discretionary nature of SCIDA disclosures make it such that IRCC may choose what information to disclose, if any. IRCC’s SCIDA Standard Operating Procedure states that requests for disclosure must provide sufficient information to justify the release of associate’s information. Under the SCIDA, it is entirely within IRCC’s purview to seek and obtain such justification prior to disclosing information.
IRCC’s increased attention to privacy interests in the context of passport application disclosures was not imparted to disclosures of information collected from visa applications. It is important to note that this distinction is not a factor that should be considered when assessing proportionality. Under the SCIDA, the privacy interests of citizens and non-citizens must be similarly assessed, and only treated differently in a visa application if no reasonable expectation of privacy is assessed.
Annex B presents the details of three disclosures in relation to which IRCC disclosed visa information to CSIS, concerning over 20 individuals, without having first established facts relevant to the conduct of an informed proportionality assessment. In these cases, either the identities of the subject of the request were unknown or the link between the subject of the disclosure and the threat had yet to be established. NSIRA would have expected IRCC to follow a more iterative approach to disclosing this information, consistent with its approach to passport disclosures in the later part of 2023. Such an iterative approach would have entailed disclosing only basic information until a greater connection to the activity that undermined the security of Canada could be established or the identity of the individual could be confirmed.
Additionally, the cases presented in Annex B are not fully consistent with IRCC policy, which underscores that “disclosing […] more personal information than is necessary could constitute a breach of a person’s reasonable expectation of privacy, a right protected by the Canadian Charter of Rights and Freedoms”. This is an important consideration since the proportionality of a given disclosure may be a factor in determining its Charter reasonableness.
Under the SCIDA regime, and as explained in PS guidance, the proportionality testis conducted to help determine the scope of what can be disclosed, and not necessarily whether the disclosure should occur. Thus, it would have been warranted for IRCC to assess how the sharing of each piece of information would impact the privacy of the individuals in question.
Recommendation 3. NSIRA recommends that IRCC apply an iterative approach to its proportionality assessments, with a view to disclosing only the minimum information reasonably necessary in the circumstances to enable the recipient institution to further their investigation.
CSIS Request Letters
Finding 5. NSIRA found that CSIS requests to IRCC used inconsistent terminology and were often unclear about the relationship between the subject of the request and its investigation. At times, this lack of clear communication hindered IRCC’s efforts to satisfy itself that the disclosure was authorised under the SCIDA.
96% of IRCC disclosures to CSIS were in response to a request. IRCC used the information in CSIS’s request letters to assure itself that a disclosure met both the contribution and the proportionality tests. While IRCC is always at liberty to request more information from CSIS to satisfy itself that the disclosure is authorized, in the majority of disclosures requested by CSIS, IRCC based its assessments solely on the information provided by CSIS in the request letter.
NSIRA reviewed all request letters sent by CSIS to IRCC. CSIS used a wide variety of terms to describe the nature of its interest in the subject of a request, such as:
The subject came to the attention of the Service
The subject is of interest for possible involvement in
The subject is of interest in connection with
The subject is believed to be an associate of a target
The subject is related to the threat
The individual is the subject of a Service investigation
The subject is part of a Service investigation
The subject is very closely associated to a CSIS subject of investigation
In most cases, CSIS did not define these terms or provide any more information on why the subject was of interest.
Furthermore, CSIS used the same (or similar) words when referring to different levels of interest. For example, “associated with” and “part of a Service Investigation” were used in requests for individuals with no known involvement in threat related activities and for individuals who CSIS has reason to suspect are involved in threat activities. In another instance, CSIS’s request letter stated that the subjects were related to the threat, but the connection between the threat and the individuals had not been established.
As a result of these inconsistencies and lack of clarity, IRCC could not understand key nuances relevant to its proportionality assessments. This issue is compounded by the fact the CSIS tended to request “any and all information” associated with the subject(s) of a request.
The relationship between the information requested and an investigation is an important factor considered by IRCC when assessing proportionality. Indeed, IRCC’s new approach to assessing proportionality takes into consideration the fact that information on associates contained in passport applications may not be material to the investigation. As a result, IRCC has often opted to redact some associate’s information, unless CSIS provided some indication that they are, or could be, implicated in the threat activity. In one of the several instances where CSIS stated that the subject of the request was “very closely associated to a CSIS subject of investigation”, IRCC requested an explanation to clearly link the subject of the request to the investigation. When CSIS did not provide it, IRCC opted to cancel the disclosure as it was not satisfied that the disclosure would meet the proportionality test.
It is essential that CSIS convey information in a clear and consistent manner given that IRCC takes this information into account in conducting its proportionality assessments. This is especially true when IRCC is disclosing associate’s information. When requesting information under the SCIDA, recipient institutions should, as a matter of course, facilitate disclosing institutions’ compliance with SCIDA thresholds by using clear and consistent terminology.
In late 2023, CSIS began centralizing its process for requesting IRCC SCIDA disclosures and developed a standard request form, which should help with consistency. As no requests were made in 2023 using these standard forms, NSIRA could not assess the effect of these changes in practice.
Recommendation 4. NSIRA recommends that CSIS use consistent terminology, and be clear about the nature of the link that has been established between the subject of a request and its investigation, to assist IRCC in satisfying itself of the proportionality test.
Reliability and Accuracy Statement – Subsection 5(2)
Finding 6. NSIRA found that disclosing institutions provided information regarding the accuracy of the information and reliability of the manner in which it was obtained in relation to all disclosures. However, CBSA made one verbal disclosure that did not include an explicit statement on accuracy and reliability.
Under the SCIDA, departments are required to provide information on the accuracy and the reliability of the manner in which the information being disclosed was obtained. They must do so at the time of the disclosure.
All written disclosures made in 2023 contained a statement on accuracy and reliability. However, CBSA made one proactive verbal disclosure of a tip to the RCMP, previously described in paragraph 19, in which it did not provide an explicit statement regarding accuracy and reliability at the time of disclosure.
Although the same information was shared again in writing two weeks later, an explicit, written statement on accuracy and reliability was only shared with the RCMP nearly two months later, when the CBSA disclosed additional information about the subject.
Subsection 5(2) states that “information” regarding accuracy and reliability “must” be provided at time of disclosure. NSIRA assesses in this case that, by its very nature, relaying that the information disclosed was derived from a tip conveyed information regarding accuracy and reliability to the RCMP. That said, an explicit, written statement is considered best practice. While verbal disclosures are not prohibited by the SCIDA, PS guidance notes that “[i]nformal communication cannot be used in lieu of the formal disclosure process or to replace the formal recordkeeping obligations.”
Recommendation 5. NSIRA recommends that institutions avoid making verbal disclosures whenever possible. When they must occur, verbal disclosures should explicitly convey the requisite information on accuracy and reliability.
Finding 7. NSIRA found that CBSA’s record of disclosure form contradicts the SCIDA by allowing officials to opt out of providing information regarding accuracy and reliability.
Although CBSA policy correctly reflects the mandatory nature of providinginformation on accuracy and reliability, its new record of disclosure form does not.The form includes a yes/no checkbox to indicate whether a statement confirmingthe accuracy and reliability was provided to the recipient institution. If the CBSAofficial selects “no”, they are prompted to explain why they elected to not provide astatement. This implies that it is discretionary and leaves the opportunity for CBSAto opt out of the requirement.
Further, the form does not specify that the statement must be provided at the timeof disclosure, as the SCIDA specifically demands.
Recommendation 6. NSIRA recommends that CBSA harmonize its record of disclosure form with the SCIDA to convey the mandatory nature of providing information on accuracy and reliability at the time of the disclosure.
Finding 8. NSIRA found that IRCC used templated language to describe the disclosure’s accuracy and reliability that was not always relevant or specific to the circumstances of the disclosure.
All IRCC disclosures made in 2023 included the same accuracy and reliability statement:
The information in this disclosure was provided by the Subject as part of their various applications to IRCC. The Subject declared that the information they provided as part of their applications was truthful, complete and correct. The information in this disclosure is accurate and reliable in so far as the Subject was truthful in their submissions to our Department. IRCC holds no information that would call into question the accuracy and reliability of the information provided by the Subject.
There are several cases where this statement provided by IRCC did not reflect the specific circumstances of the disclosure. For example, the statement above was included in a disclosure where no immigration or passport records were found and the only information disclosed was the lack of records. The same statement was used in disclosures of child general passport applications, which are actually completed by parents or legal guardians rather than by the subject themselves. When solely disclosing citizenship status to CSE, IRCC still included the same statement, despite the information disclosed not being provided by the subject as part of their application. In one case, the IRCC used the same statement in the disclosure but nevertheless contradicted itself by also stating that there was some reason to believe the information might not be accurate.
All of these cases point to a tendency of copying the accuracy and reliability information without giving sufficient attention to the relevance of the statement.
When instructing on the accuracy and reliability statement, the PS SCIDA guide suggests that “formulaic (templated) language should be avoided, unless the nature and source of information disclosed is derived from a routine process.” IRCC produces a large number of disclosures every year. While some language can be recycled, it is necessary that the statement remain an accurate representation of each disclosure. NSIRA has previously recommended that statements be clear and specific to the circumstances of the disclosure.
Recommendation 7. NSIRA recommends that IRCC tailor its statements on accuracy and reliability as to ensure that each disclosure’s statement is specific to the circumstances of the case.
Information Sharing Agreement – Subsection 4(c)
Finding 9. NSIRA found that disclosures between IRCC and CSE that occurred following the enactment of their new information sharing agreement were compliant with both the SCIDA and their information sharing agreement.
In past SCIDA reviews, NSIRA noted that some departments regularly use the SCIDA in a manner that warrants information sharing arrangements (ISA), as encouraged by subsection 4(c) of SCIDA. In 2022, NSIRA recommended that IRCC and CSE develop an ISA to govern their SCIDA disclosures.
In August 2023, IRCC and CSE signed an ISA. As a whole, the new ISA between IRCC and CSE supports compliance with SCIDA, with all key legislated requirements from SCIDA being included in the ISA. The agreement also adheres to the guidance on preparing ISAs recently developed by PS.
Of the 24 disclosures made after the ISA implementation, all were deemed compliant with the new agreement. NSIRA looked at each disclosure made under the ISA and assessed them against a majority of the requirements outlined in the agreement.
4. Conclusion
This is the fifth year that GC institutions have used the SCIDA and that NSIRA has reviewed their compliance with the act. Each year, NSIRA has made recommendations aimed at promoting compliance with the Act. Over the last five years, GC institutions have adjusted their practices and are increasingly demonstrating an improved understanding of their obligations. As a result, for the first time in SCIDA’s history, NSIRA found full compliance with the SCIDA.
This review assessed GC institutions’ compliance with requirements for recordkeeping in respect of all 269 disclosures that were made and received in 2023. It assessed their compliance with requirements for disclosure in relation to a targeted sample of 27 disclosures. All were compliant with SCIDA requirements, but NSIRA found that IRCC’s contribution and proportionality assessments demonstrated some deficiencies. An increased understanding of the activities that undermine the security of Canada would support a more thorough proportionality assessment and greater utility of the disclosed information.
NSIRA made recommendations aimed at promoting compliance with SCIDA, particularly with regard to how departments determine whether the contribution and proportionality tests have been met.
Annex A. Sample of Disclosures
Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to the following parameters:
At least two disclosures per discloser-recipient pair, if available;
At least one proactive disclosure per discloser, if available;
At least one requested disclosure per recipient, if available;
All disclosures identified by recipient institutions as including personal information that was destroyed or returned under the SCIDA, subsection5.1(1);
All disclosures for which there is a high-level discrepancy in the discloser and recipient records;
All disclosures made by an institution that is not listed in Schedule 3 of the SCIDA;
All disclosures received by institutions added to Schedule 3 in the preceding year; and
All disclosures that, based on the review team’s preliminary assessment, present a heightened risk of non-compliance under section 5.
Annex B. Cases Relating to IRCC’s Disclosure of Visa Information
Disclosure 1 (Economic Security Threat)
IRCC proactively disclosed to CSIS the visa applications of several individuals who received a work permit in various research fields linked to economic security threat. These applications included personal information such as employment history, travel history, contact information, photos, passport information, and associate’s information. This was part of IRCC’s effort to proactively identify and share with CSIS information about individuals that may engage in activities that pose a threat to Canada’s economic prosperity.
While the national security concern posed by these types of economic security threats is well documented, the role that these individuals played in that space was unknown. IRCC selected the individuals in question based on one threat related criteria, but the other criteria used to narrow the pool individuals from several hundreds to a few individuals were unrelated to the threat the individuals posed. Indeed, IRCC chose these additional arbitrary criteria mainly for practical reasons.
For greater clarity, there was no information indicating that any of the several individuals in question were involved in activities that undermine the security of Canada. Most of these applications were not initially referred to CSIS for security screening by IRCC, meaning that the visa officer was fully satisfied that the applicants posed no threat. In one case, the application was sent for security screening but CSIS returned a favorable recommendation and the individual was granted a visa.
The proactive sharing of complete visa application packages with CSIS risked affecting these individuals’ privacy more than was reasonably necessary in the circumstances.
Disclosure 2 (Foreign Entity)
CSIS requested passport information about any individuals with a valid visa currently working for a specific foreign entity. IRCC did not have any passport applications for the individuals that matched the search criteria, but nevertheless disclosed entire visa applications for some individuals. IRCC also provided information about individuals who had previously worked at the foreign entity, and individuals who did not have a valid visa. This misalignment between what was requested and what was disclosed does not reflect a proper tailoring of information to meet SCIDA’s contribution and proportionality tests.
None of these individuals had been linked to a specific activity that undermined the security of Canada, either at the time of the request nor following the disclosure. CSIS and IRCC’s inability to characterize the nature of the individuals’ relationship to threat activities created a risk that IRCC’s disclosure may have affected their privacy more than was reasonably necessary in the circumstances.
Disclosure 3 (Bulk Data)
CSIS sent a letter to IRCC requesting the disclosure of information within immigration applications on individuals including a spreadsheet with certain identifying personal information (called “selectors”). While large data-set requests and disclosures are not prohibited by the SCIDA, the requirements imposed by the contribution and proportionality tests must be applied to every discrete piece of information disclosed. As such, this type of information would need to be responsibly assessed prior to disclosure.
While the CSIS request letter provides extensive rationale as to why the threat actor named in the request letter poses a threat to national security, the IRCC officials that authorized the disclosure did not have contemporaneous information on how these selectors, and, by extension the individuals linked to these selectors, are linked to the threat actor.
Nevertheless, IRCC disclosed significant personal details pertaining to several individuals. For example, the disclosure included a foreign state visa refusal, information about military service, a personal picture, and other documents that would have been provided as part of a visa application.
This disclosure included more information than what CSIS requested. Given that the identity of the individuals are unconfirmed, as CSIS’s request clearly stated that the purpose of this request was for identification, this suggests that IRCC risked disclosing more than the least amount of personal information necessary for CSIS to further its investigation.
While the legislative burden to ensure that the disclosure is authorized under SCIDA falls on the disclosing entity, in this case IRCC, it may be very complex fora disclosing entity to discharge its obligation under paragraphs 5(1)(a) and 5(1)(b)with these types of large data-sets requests, particularly when the requester provides very little rationale linking each selector or individual to the activity that undermines the security of Canada.
Annex C. Overview of SCIDA Disclosures in Prior Years
Disclosing Institution
Designated Recipient Institutions under the SCIDA, Schedule 3
CBSA
GAC
CNSC
CRA
CSE
CSIS
DND/CAF
Finance
FINTRAC
GAC
Health
IRCC
PHAC
PS
RCMP
TC
TOTAL
2022
CBSA
–
–
–
–
–
–
–
–
–
–
–
–
–
–
4
–
4
GAC
–
39
2
–
–
–
–
–
–
–
–
–
–
–
12
–
53
IRCC
–
59
56
–
–
–
–
–
–
–
–
–
–
–
–
–
115
RCMP
–
–
–
–
–
–
–
–
–
–
–
–
–
–
1
–
1
TOTAL
–
59
95
2
–
–
–
–
–
–
–
–
–
–
16
–
173
2021
DND/CAF
–
–
–
–
–
–
–
–
–
–
2
–
–
–
–
–
2
GAC
–
–
–
–
–
–
–
–
–
–
–
–
–
–
2
–
44
IRCC
–
68
79
–
–
–
–
–
–
–
–
2
–
1
–
–
149
TOTAL
–
68
122
–
–
–
2
–
–
–
–
2
–
1
2
–
195
2020
CBSA
–
–
–
–
–
–
–
–
–
–
1
–
–
–
–
–
4
GAC
–
–
–
–
–
–
–
–
–
–
–
–
25
–
–
13
40
IRCC
–
60
61
–
–
–
–
–
–
–
–
–
1
–
37
–
159
RCMP
–
–
1
–
–
–
–
–
–
–
–
1
–
–
–
–
3
TC
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
2
2
Other¹⁰
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
1
TOTAL
–
61
88
1
–
–
3
–
–
–
–
6
–
55
1
–
215
2019
CBSA
–
–
–
–
–
–
–
–
–
–
–
–
–
–
1
–
3
GAC
–
–
–
–
–
–
–
–
–
–
–
–
23
–
–
–
42
IRCC
–
5
17
–
–
–
–
–
–
–
–
–
1
–
36
–
59
RCMP
–
4
1
–
–
–
–
–
–
–
–
–
–
3
–
–
8
TC
–
–
–
–
–
–
–
–
–
–
–
–
–
–
1
–
2
TOTAL
–
4
5
–
41
–
1
–
–
–
1
–
–
–
–
–
114
Annex D. Findings and Recommendations
Record Keeping Requirements – Section 9
Finding 1. NSIRA found that every institution that disclosed or received information pursuant to SCIDA in 2023 complied with their record keeping obligations under section 9, but some records were inaccurate or imprecise.
Contribution and Proportionality Tests – Subsection 5(1)
Finding 2. NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves under the contribution and proportionality tests in compliance with subsection 5(1) of the SCIDA.
Recommendation 1. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
Finding 3. NSIRA found that IRCC did not, in one instance, independently consider whether its disclosure related to activities that fell under the SCIDA exception for advocacy, protest, or dissent. Instead, IRCC satisfied itself of the SCIDA’s contribution test based on assumptions about how CSIS assessed activities that undermine the security of Canada.
Recommendation 2. NSIRA recommends that IRCC amend their SCIDA policy to underscore that IRCC must independently assess whether the disclosure is authorized. This assessment should consider whether the activity amounts to one of the exceptions to the SCIDA’s definition of activities that undermine the security of Canada.
Finding 4. NSIRA found that, throughout the course of 2023, IRCC improved the rigour of its proportionality assessments regarding disclosure of passport information. However, NSIRA identified three instances where IRCC disclosed visa information without applying the same rigorous approach, which risked disclosing more personal information than reasonably necessary in the circumstances.
Recommendation 3. NSIRA recommends that IRCC apply an iterative approach to its proportionality assessments, with a view to disclosing only the minimum information reasonably necessary in the circumstances to enable the recipient institution to further their investigation.
Finding 5. NSIRA found that CSIS requests to IRCC used inconsistent terminology and were often unclear about the relationship between the subject of the request and its investigation. At times, this lack of clear communication hindered IRCC’s efforts to satisfy itself that the disclosure was authorised under the SCIDA.
Recommendation 4. NSIRA recommends that CSIS use consistent terminology, and be clear about the nature of the link that has been established between the subject of a request and its investigation, to assist IRCC in satisfying itself of the proportionality test.
Reliability and Accuracy Statement – Subsection 5(2)
Finding 6. NSIRA found that disclosing institutions provided information regarding the accuracy of the information and reliability of the manner in which it was obtained in relation to all disclosures. However, CBSA made one verbal disclosure that did not include an explicit statement on accuracy and reliability.
Recommendation 5. NSIRA recommends that institutions avoid making verbal disclosures whenever possible. When they must occur, verbal disclosures should explicitly convey the requisite information on accuracy and reliability.
Finding 7. NSIRA found that CBSA’s record of disclosure form contradicts the SCIDA by allowing officials to opt out of providing information regarding accuracy and reliability.
Recommendation 6. NSIRA recommends that CBSA harmonize its record of disclosure form with the SCIDA, to convey the mandatory nature of providing information on accuracy and reliability at the time of the disclosure.
Finding 8. NSIRA found that IRCC used templated language to describe the disclosure’s accuracy and reliability that was not always relevant or specific to the circumstances of the disclosure.
Recommendation 7. NSIRA recommends that IRCC tailor its statements on accuracy and reliability as to ensure that each disclosure’s statement is specific to the circumstances of the case.
Information Sharing Agreement – Subsection 4(c)
Finding 9. NSIRA found that disclosures between IRCC and CSE that occurred following the enactment of their new information sharing agreement were compliant with both the SCIDA and their information sharing agreement.
Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2022: Backgrounder
Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2022
Backgrounder
Backgrounder
ISSN: 2817-7525
This report presents findings and recommendations made in NSIRA’s annual review of disclosures of information under the Security of Canada Information Disclosure Act (SCIDA). It was tabled in Parliament by the Minister of Public Safety, as required under subsection 39(2) of the NSIRA Act, on November 1st, 2023.
The SCIDA provides an explicit, stand-alone authority to disclose information between Government of Canada institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.
This report provides an overview of the SCIDA’s use in 2022. In doing so, it:
documents the volume and nature of information disclosures made under the SCIDA;
assesses compliance with the SCIDA; and
highlights patterns in the SCIDA’s use across Government of Canada institutions and over time.
The report contains six recommendations designed to increase standardization across the Government of Canada in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.
The Privacy Act (PA) gives individuals the right of access to information about themselves that is under the control of a government institution, subject to certain specific and limited exemptions and exclusions. The PA also protects the privacy of individuals by giving them substantial control over the collection, use and disclosure of their personal information, and by preventing others from having access to that information.
Section 72 of the PA requires the head of each government institution to prepare an annual report on the administration of the PA within the institution that is to be tabled in both Houses of Parliament.
This report to Parliament, which is prepared and tabled pursuant to section 72 of the PA, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the PA during the period of April 1, 2023 to March 31, 2024 (the reporting period).
If you require more information or wish to make a request under the PA or the Access to Information Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency Secretariat P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who We Are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat (the Secretariat) assists NSIRA in fulfilling its mandate. The Secretariat headed by an Executive Director, is designated as the government institution for the purposes of administering the PA and the Access to Information Act.
Mandate
The Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matter that a Minister of the Crown refers to NSIRA.
NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, as well as whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is also responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act;
reports made under section 19 of the Citizenship Act; and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office – Organizational Structure
The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Secretariat meets its responsibilities under the PA and the Access to Information Act.
For the reporting period, the Secretariat’s ATIP Office consisted of:
1 full-time Access to Information Consultant;
1 part-time Privacy Consultant;
1 full-time ATIP Coordinator, who managed the Secretariat’s ATIP Office, and fulfilled the normal duties as Manager of Administrative Services for the Secretariat and NSIRA Members; and
the Secretariat’s Senior Counsel, Internal Services as well as Senior General Counsel supported the ATIP office when required.
The Secretariat’s ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the PA and the Access to Information Act;
developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respects the PA and the Access to Information Act;
maintaining Personal Information Banks and conducting privacy impact assessments;
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the Secretariat in dealings with the Treasury Board of Canada Secretariat (TBS), the information and privacy commissioners, and other government departments and agencies in matters pertaining to the PA and the Access to Information Act.
During the reporting period, the Secretariat was a party to a service agreement under section 73.1 of the PA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of the annual report in Parliament. The Secretariat was also a party to a service agreement under section 71.1 of the PA in which the Secretariat received ATIP Online services from TBS.
To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.
Delegation Order
As the Head of the Secretariat, the Executive Director is responsible for the administration of the PA within the institution. Pursuant to section 73 of the PA, the Executive Director has delegated the ATIP Manager and ATIP Officer, as well as individuals acting in these positions, to perform certain and specific powers, duties, and functions for the administration of the PA. These positions have limited delegation of authority under the PA and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Delegation Order can be found in Appendix A (page 9).
Performance 2023-2024
Performance in Processing Privacy Requests
In addition to 5 requests that were outstanding from the previous reporting periods, the Secretariat’s ATIP Office received 22 formal requests during the current reporting period, bringing the total number of formal request to 27. Of these, the Secretariat’s ATIP Office closed 25 requests and processed approximately 4843 pages during the reporting period. 2 requests were carried over to the following reporting period.
Statistical Reports for 2023-2024
The Secretariat’s 2023-2024 Statistical Report on the PA and Supplemental ATIP Statistical Report for 2023-2024 were both previously validated by TBS.
Extensions and Completion Time of Closed Requests
During the reporting period, the Secretariat’s ATIP Office invoked extensions while processing 2 formal requests: 1 extension was completed within of 16 to 30 days, and 1 request was taken to seek an internal consultation. Both did not require extensions to consult with third parties.
Of the requests completed during the reporting period:
1 request, or 4% of the requests completed, was disclosed in its entirety. This request was completed within 16 to 30 days;
1 request, or 4% of the requests completed, was disclosed in part. This request was completed within 121 to 180 days;
16 requests, or 64% of the requests completed, resulted in no records. 1 request was completed within 0 to 15 days, 6 requests were completed within 16 to 30 days, 6 requests were completed within 31 to 60 days, and 3 requests were completed within 61 to 120 days;
1 request, or 4% of the requests completed, was abandoned and completed; and
6 requests, or 24% of the requests completed, were neither confirmed nor denied.
The Secretariat’s responses to many requests required an intensive review of complex records, including extensive internal and external consultations. During the reporting period, the Secretariat’s on-time response rate decreased to 56% from 58.3% in the 2022-2023 reporting period due to a significant increase in the number of pages processed for formal requests.
Consultations
During the reporting period, no privacy consultations were received.
Complaints and Investigations
Subsection 29(1) of the PA describes how the Office of the Privacy Commissioner (OPC) receives and investigates complaints from individuals regarding the processing of requests under the PA. During the reporting period, the Secretariat’s ATIP Office received 16 complaints, 2 of which were related to Access requests.
In addition, 1 privacy breach-related investigation initiated by the Privacy Commissioner in Fiscal Year 2020-2021 continued during the reporting period and remained active on March 31, 2024.
Training and Awareness
The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service (CSPS). New employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in January 2024, an internal ATIP training session was held.
To ensure in-depth training is taken by employees of the NSIRA Secretariat who have functional or delegated responsibility for the administration of the PAand Privacy Regulations, the Senior Counsel, Internal Services participated in the 2023 Canadian Privacy Symposium offered by the International Association of Privacy Professionals. In addition, the ATIP Manager attended the 2023 Canadian Access and Privacy Association Conference as well as the 26th Annual Vancouver International Privacy & Security Summit.
Policies, Guidelines, and Procedures
During the reporting period, the Secretariat implemented several initiatives to assist the Secretariat’s ATIP Office to operate more efficiently. For example, the Secretariat revised its Privacy Breach Plan and Procures Manual, revised its Privacy Protocol Template, and established a Privacy Risk Register.
Initiatives and Projects to Improve Privacy
During the reporting period, the Secretariat’s Information Technology division continued to develop an ATIP software tool for the Secretariat’s classified and unclassified systems.
Summary of Key Issues and Actions Taken on Complaints
The Secretariat meaningfully engaged with the OPC on all 16 active investigations during the reporting period and disclosed additional records in 1 of the 2 Access related complaints.
Material Privacy Breaches
During the reporting period, no material privacy breaches occurred.
Privacy Impact Assessments
During the reporting period, the Secretariat completed a Privacy Impact Assessment (PIA) of its investigations-related activities, which was shared with TBS and the OPC. In addition, the Secretariat made further revisions to its PIA on the creation of NSIRA in response to feedback received from TBS and continued to engage with TBS on PIB registration.
Public Interest Disclosures
During the reporting period, no public interest disclosures occurred.
Monitoring Compliance
Legislative deadlines for access requests were strictly monitored by using several Microsoft Lists trackers. The ATIP Manager organized ad hoc meetings to discuss request-related activities (such as whether internal consultations were necessary), determine deadlines, and ensure that all division members were informed of the status of requests. At bi-weekly team meetings with the Senior General Counsel and Senior Counsel, Internal Services, the ATIP Manager raised and discussed compliance with legislative and policy obligations. The Executive Director was also briefed on all ATIP compliance issues.
For contracts issued during the reporting period, the Secretariat included a Standard Procurement Clause on the Handling of Personal Information or a Supplemental General Condition on Personal Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2023–2024 Statistical Report on the Privacy Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2022-04-01 – 2023-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
22
Outstanding from previous reporting period
5
Outstanding from more than one reporting period
0
Total
27
Closed during reporting period
25
Carried over to next reporting period
2
Carried over within legislated timeline
2
Carried over beyond legislated timeline
0
1.2 Channels of requests
Source
Number of Requests
Online
22
E-mail
0
Mail
0
In person
0
Phone
0
Fax
0
Total
22
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
1
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
1
Closed during reporting period
0
Carried over to next reporting period
1
2.2 Channels of informal requests
Source
Number of Requests
Online
0
E-Mail
1
Mail
0
In person
0
Phone
0
Fax
0
Total
1
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
0
0
0
0
0
0
0
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
Section 3: Requests Closed During the Reporting Period
3.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
1
0
0
0
0
0
1
Disclosed in part
0
0
0
0
1
0
0
1
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
1
6
6
3
0
0
0
16
Request abandoned
1
0
0
0
0
0
0
1
Neither confirmed nor denied
0
4
1
0
1
0
0
6
Total
2
11
7
3
2
0
0
25
3.2 Exemptions
Section
Numbers of Requests
18(2)
0
19(1)(a)
0
19(1)(b)
0
19(1)(c)
0
19(1)(d)
0
19(1)(e)
0
19(1)(f)
0
20
0
21
0
22(1)(a)(i)
0
22(1)(a)(ii)
0
22(1)(a)(iii)
0
22(1)(b)
0
22(1)(c)
0
22(2)
0
22.1
0
22.2
0
22.3
0
22.4
0
23(a)
0
23(b)
0
24(a)
0
24(b)
0
25
0
26
1
27
1
27.1
0
28
0
3.3 Exclusions
Section
Numbers of Requests
69(1)(a)
0
69(1)(b)
0
69.1
0
70(1)
0
70(1)(a)
0
70(1(b)
0
70(1)(c)
0
70(1)(d)
0
70(1)(e)
0
70(1)(f)
0
70.1
0
3.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
0
2
0
0
0
0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
4843
4843
9
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
0
0
0
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
1
4843
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
1
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
6
0
0
0
0
0
0
0
0
0
Total
8
0
0
0
0
0
1
4843
0
0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.7 Other complexities
Disposition
Consultation Required
Assessment of Fees
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
0
Disclosed in part
0
1
0
0
1
All exempted
0
0
0
0
0
All excluded
0
0
0
0
0
Request abandoned
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
Total
0
1
0
0
1
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
14
Percentage of requests closed within legislated timelines (%)
56
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
11
10
0
1
0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
4
0
4
16 to 30 Days
2
0
2
31 to 60 Days
2
0
2
61 to 120 Days
1
1
2
121 to 180 Days
0
1
1
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
9
2
11
3.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 4: Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e)
Paragraph 8(2)(m)
Subsection 8(5)
Total
0
0
0
0
Section 5: Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received
Number
Notations attached
0
Requests for correction accepted
0
Total
0
Section 6: Extensions
6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
2
0
1
0
0
0
0
1
0
6.2 Length of extensions
Length of Extensions
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
1 to 15 days
0
0
0
0
0
0
0
0
16 to 30 days
0
1
0
0
0
0
1
0
31 days or greater
0
Total
0
1
0
0
0
0
1
0
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
0
0
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
0
0
0
0
Closed during the reporting period
0
0
0
0
Carried over within regotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Complaints and Investigations Notices Received
Section 31
Section 33
Section 35
Court action
Total
3
10
3
0
16
Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)
10.1 Privacy Impact Assessments
Number of PIA(s) completed
Number of PIAs modified
1
1
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks
Active
Created
Terminated
Modified
Institution-specific
0
0
0
0
Central
0
0
0
0
Total
0
0
0
0
Section 11: Privacy Breaches
11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS
Number of material privacy breaches reported to OPC
0
0
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
Section 12: Resources Related to the Privacy Act
12.1 Allocated Costs
Expenditures
Amount
Salaries
$100,000
Overtime
$0
Goods and Services
$15,475
Professional services contracts
$15,475
Other
$0
Total
$115,475
12.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
1.000
Part-time and casual employees
0.000
Regional Staff
0.000
Consultants and agency personnel
0.300
Students
0.500
Total
1.800
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Open Requests and Complaints Under the Access to Information Act
1.1 Enter the number of open requests that are outstanding from previous reporting periods.
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
0
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-21
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-26
0
Received in 2014-15 or earlier
0
Section 2: Open Requests and Complaints Under the Privacy Act
2.1 Enter the number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution
Open Requests that are Within Legislated Timelines as of March 31, 2024
Open Requests that are Beyond Legislated Timelines as of March 31, 2024
Total
Received in 2023-24
2
0
2
Received in 2022-23
0
0
0
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-21
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-26
0
0
0
Received in 2014-15 or earlier
0
0
0
Total
2
0
2
2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
7
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-21
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-26
0
Received in 2014-15 or earlier
0
Total
7
Section 3: Social Insurance Number
Has your institution begun a new collection or a new consistent use of the SIN in 2023-24
No
Section 4: Universal Access under the Privacy Act
How many requests were received from foreign nationals outside of Canada in 2023-24
The Access to Information Act (ATIA) gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, the right of access to information under the control of a government institution, subject to certain specific and limited exemptions and exclusions.
Section 94 of the ATIA requires the head of each government institution to prepare an annual report on the administration of the ATIA within the institution that is to be tabled in both Houses of Parliament. In addition, section 20 of the Service Fees Act requires the responsible authority to report to Parliament each fiscal year on all statutory fees processed during the reporting period.
This report to Parliament, which is prepared and tabled pursuant to section 94 of the ATIA and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering these Acts during the period of April 1, 2023 to March 31, 2024 (the reporting period).
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat (the Secretariat) assists NSIRA in fulfilling its mandate. The Secretariat headed by an Executive Director, is designated as the government institution for the purposes of administering the ATIA and the Privacy Act.
Mandate
The Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matter that a Minister of the Crown refers to NSIRA.
NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, as well as whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is also responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office – Organizational Structure
The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Secretariat meets its responsibilities under the ATIA and the Privacy Act.
For the reporting period, the Secretariat’s ATIP Office consisted of:
1 full-time Access to Information Consultant;
1 part-time Privacy Consultant;
1 full-time ATIP Coordinator, who managed the Secretariat’s ATIP Office, and fulfilled the normal duties as Manager of Administrative Services for the Secretariat and NSIRA Members; and
the Secretariat’s Senior Counsel, Internal Services as well as Senior General Counsel supported the Secretariat’s ATIP Office when required.
The Secretariat’s ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the ATIA and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respects the ATIA and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments;
preparing annual reports to Parliament and other statutory reports, as well as other materials that might be required by central agencies; and
representing the Secretariat in dealings with the Treasury Board of Canada Secretariat (TBS), the information and privacy commissioners, and other government departments and agencies in matters pertaining to the ATIA and the Privacy Act.
During the reporting period, the Secretariat was a party to a service agreement under section 96 of the ATIA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of the Annual Report in Parliament. The Secretariat was also a party to a service agreement under section 92 of the ATIA, in which the Secretariat received ATIP Online services from TBS.
Part 2: Proactive Publications
The Secretariat ensured that the following proactive publication legislative requirements were met during the reporting period with the assistance of its Finance division:
travel expenses;
hospitality expenses;
reports tabled in Parliament; and
contracts over $10,000.00
To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.
Delegation Order
As the Head of the Secretariat, the Executive Director is responsible for the administration of the ATIA within the institution. Pursuant to section 95 of the ATIA, the Executive Director has delegated the ATIP Manager and ATIP Officer, as well as individuals acting in these positions, to perform certain and specific powers, duties, and functions for the administration of the ATIA. These positions have limited delegation of authority under the ATIA and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Delegation Order can be found in Appendix A (page 13).
Performance 2023-2024
Performance in Processing Access Requests
In addition to 5 requests that were outstanding from previous reporting periods, the Secretariat’s ATIP Office received 16 formal requests during the current reporting period, bringing the total number of formal requests to 21. Of these, the Secretariat’s ATIP Office closed 16 requests and processed approximately 15,323 pages during the reporting period. 5 requests were carried over to the following reporting period, 3 of the carried over requests were received during the reporting period.
Statistical Reports for 2023-2024
The Secretariat’s 2023-2024 Statistical Report on the ATIA and Supplemental ATIP Statistical Report for 2023-2024 were both previously validated by TBS.
Extensions and Completion Time of Closed Requests
During the reporting period, the Secretariat’s ATIP Office invoked extensions while processing 7 formal requests: 5 extensions of 31 to 60 days, 0 extensions of 61 to 120 days, 1 extension of 121 to 180 days, 0 extensions of 181 to 365 days, and 1 extension of 365 days or more, all of which required extensions to consult with third parties.
Of the requests completed during the reporting period,
1 request, or 6.25% of the requests completed, was disclosed in its entirety. This request was completed within 181 to 365 days;
5 requests, or 31.25% of the requests completed, were disclosed in part. 1 request was completed within 16 to 30 days, 1 request was completed within 61 to 120 days, 1 request was completed within 121 to 180 days, and 2 requests were completed after 365 days;
0 requests, or 0% of the requests completed, were all exempted;
10 requests, or 62.50% of the requests completed, resulted in no records. 1 request was completed within 16 to 30 days, 2 request were completed within 31 to 60 days, and 7 requests were completed within 61 to 120 days;
0 requests, or 0% of the requests completed, were abandoned and completed; and
0 requests, or 0% of the requests completed, were neither confirmed nor denied.
The responses to many requests required an intensive review of complex records, including extensive internal and external consultations due to a significant portion of the Secretariat’s information holdings consisting of sensitive and classified records created or originally received by other government institutions owing to NSIRA’s mandate. During the reporting period, the Secretariat’s on-time response rate decreased to 18.7% from 33.3% in the 2022-2023 reporting year due to a significant increase in the number of pages processed for formal requests.
Consultations
During the reporting period, the Secretariat’s ATIP Office received 20 consultation requests from other government institutions. 3 requests were completed within 0 to 15 days, 3 requests were completed within 16 to 30 days, 5 requests were completed within 31 to 60 days, 8 requests were completed within 61 to 120 days, and 1 request was completed within 121 to 180 days. The Secretariat’s ATIP Office closed all 20 consultations during the reporting period and processed approximately 549 pages.
Requests Treated Informally
During the reporting period, the Secretariat’s ATIP Office received 18 informal requests for records previously released under the ATIA, closed 6 informal requests, and carried over 12 informal requests into the 2024-2025 reporting period.
Complaints and Investigations of Access Requests
Subsection 30(1) of the ATIA describes how the Office of the Information Commissioner (OIC) receives and investigates complaints from individuals regarding the processing of requests under the ATIA. The Secretariat’s ATIP Office received 3 access complaints during the reporting period. 1 of these complaints was discontinued during the reporting period, while the other 2 complaints remained active on March 31, 2024.
Training and Awareness
The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service (CSPS). The Executive Director held an awareness session for the Secretariat’s management team on the new Directive on Proactive Publication in the Fall of 2023 and senior management was briefed on Amending the Access to Information Regulations in June 2023. In addition, new employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in January 2024, an internal ATIP training session was held.
Policies, Guidelines, and Procedures
The Secretariat’s ATIP Office implemented certain efficiency-enhancing measures, such as online tracking tools, and continued to seek new opportunities to improve the efficiency and timeliness of request processing. For example, the Executive Director designated two officials within the Secretariat who were responsible for supporting the Executive Director’s accountability for proactive publication under various policies and guidelines specified under the ATIA.
The Secretariat continued to engaged with Library and Archives Canada on obtaining institution-specific disposition authorities.
Proactive Publication under Part 2 of the ATIA
In accordance with subsection 81(b) of the ATIA, the Secretariat is listed as a government entity subject to the following proactive publication requirements:
Travel expenses (section 82);
Hospitality expenses (section 83);
Reports tabled in Parliament (section 84);
Contracts over $10,000.00 (section 86);
Grants and Contributions over $25,000.00 (section 87); and
Briefing materials (section 88)
During the reporting period, the Secretariat’s proactive publications were published on open.canada.ca. of the total proactive publication requirements that were due during the reporting period, 80% were published within the legislated timelines.
Legislative Requirement
Section
Publication Timeline
Institutional Requirement
All Government Institutions as defined in section 3 of the Access to Information Act
Travel Expenses
82
Within 30 days after the end of the month of reimbursement
open.canada.ca
Hospitality Expenses
83
Within 30 days after the end of the month of reimbursement
open.canada.ca
Reports tabled in Parliament
84
Within 30 days after tabling
open.canada.ca
Government entities or Departments, agencies, and other bodies subject to the Act and listed in Schedules I, I.1, or II of the Financial Administration Act
Contracts over $10,000
86
Q1-3: Within 30 days after the quarter Q4: Within 60 days after the quarter
open.canada.ca
Grants & Contributions over $25,000
87
Within 30 days after the quarter
N/A
Packages of briefing materials prepared for new or incoming deputy heads or equivalent
88(a)
Within 120 days after appointment
N/A
Titles and reference numbers of memoranda prepared for a deputy head or equivalent, that is received by their office
88(b)
Within 30 days after the end of the month received
N/A
Packages of briefing materials prepared for a deputy head or equivalent’s appearance before a committee of Parliament
88(c)
Within 120 days after appearance
N/A
Government institutions that are departments named in Schedule I to the Financial Administration Act or portions of the core public administration named in Schedule IV to that Act
Reclassification of positions
85
Within 30 days after the quarter
N/A
Ministers
Packages of briefing materials prepared by a government institution for new or incoming ministers
74(a)
Within 120 days after appointment
N/A
Titles and reference numbers of memoranda prepared by a government institution for the minister, that is received by their office
74(b)
Within 30 days after the end of the month received
N/A
Package of question period notes prepared by a government institution for the minister and in use on the last sitting day of the House of Commons in June and December
74(c)
Within 30 days after last sitting day of the House of Commons in June and December
N/A
Packages of briefing materials prepared by a government institution for a minister’s appearance before a committee of Parliament
74(d)
Within 120 days after appearance
N/A
Travel Expenses
75
Within 30 days after the end of the month of reimbursement
N/A
Hospitality Expenses
76
Within 30 days after the end of the month of reimbursement
N/A
Contracts over $10,000
77
Q1-3: Within 30 days after the quarter Q4: Within 60 days after the quarter
N/A
Ministers’ Offices Expenses
78
Within 120 days after the fiscal year
N/A
Initiatives and Projects to Improve Access to Information
During the reporting period, the Secretariat’s Information Technology division continued to improve our ATIP software tool for the Secretariat’s classified and unclassified systems.
Summary of Key Issues and Actions Taken on Complaints
During the reporting period, 3 complaints were received. 1 complaint was discontinued during the reporting period, while the other 2 complaints remained active on March 31, 2024.
Access to Information Act Fees for the Purposes of the Service Fees Act
The Service Fees Act requires a responsible authority to report annually to Parliament on the fees collected by the institution.
With respect to fees collected under the ATIA, the information below is reported in accordance with the requirements of section 20 of the Service Fees Act:
Enabling authority:Access to Information Act
Fee payable: $5.00 application fee is the only fee charged for an ATI request
Total revenue: $65.00
Fees waived: $15.00
Cost of operating the program: $360,421.00
Monitoring Compliance
Legislative deadlines for access to information requests were strictly monitored by using several Microsoft Lists trackers, as were proactive publication requirements. The ATIP Manager organized ad hoc meetings to discuss request-related activities (such as whether internal consultations were necessary), determine deadlines, and ensure that all division members were informed of the status of requests. At bi-weekly team meetings with the Senior General Counsel and Senior Counsel, Internal Services, the ATIP Manager raised and discussed compliance with legislative and policy obligations. The Executive Director was also briefed on all ATIP compliance issues.
During the reporting period, the Secretariat also continued to assess the feasibility of making information previously released under the ATIA available on its public-facing website.
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2023-2024 Statistical Report on the Access to Information Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2023-04-01 – 2024-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
16
Outstanding from previous reporting period
3
Outstanding from more than one reporting period
2
Total
21
Closed during reporting period
16
Carried over to next reporting period
5
Carried over within legislated timeline
3
Carried over beyond legislated timeline
2
1.2 Sources of requests
Source
Number of Requests
Media
2
Academia
3
Business (private sector)
2
Organization
1
Public
8
Decline to Identify
0
Total
16
1.3 Channels of requests
Source
Number of Requests
Online
12
E-mail
0
Mail
4
In person
0
Phone
0
Fax
0
Total
16
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
18
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
18
Closed during reporting period
6
Carried over to next reporting period
12
2.2 Channels of informal requests
Source
Number of Requests
Online
11
E-Mail
7
Mail
0
In person
0
Phone
0
Fax
0
Total
18
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
2
0
4
0
0
0
6
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
2
25
0
0
0
0
0
0
0
0
2.5 Pages re-released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
4
93
0
0
0
0
0
0
0
0
Section 3: Applications to the Information Commissioner on Declining to Act on Requests
Number of Requests
Outstanding from previous reporting period
0
Sent during reporting period
1
Total
1
Approved by the Information Commissioner during reporting period
0
Declined by the Information Commissioner during reporting period
1
Withdrawn during reporting period
0
Carried over to next reporting period
0
Section 4: Requests Closed During the Reporting Period
4.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
1
0
1
Disclosed in part
0
1
0
1
1
0
2
5
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
0
1
2
7
0
0
0
10
Request transferred
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Decline to act with the approval of the Information Commisioner
0
0
0
0
0
0
0
0
Total
0
2
2
8
1
1
2
16
4.2 Exemptions
Section
Numbers of Requests
13(1)(a)
1
13(1)(b)
0
13(1)(c)
0
13(1)(d)
0
13(1)(e)
0
14
0
14(a)
0
14(b)
0
15(1) – I. A. *
1
15(1) – Def. *
2
15(1) – S.A. *
0
16(1)(a)(i)
2
16(1)(a)(ii)
0
16(1)(a)(iii)
1
16(1)(b)
1
16(1)(c)
1
16(1)(d)
0
16(2)
0
16(2)(a)
0
16(2)(b)
0
16(2)(c)
0
16(3)
0
16.1(1)(a)
0
16.1(1)(b)
0
16.1(1)(c)
0
16.1(1)(d)
0
16.2(1)
0
16.3
0
16.31
0
16.4(1)(a)
0
16.4(1)(b)
0
16.5
0
16.6
0
17
0
18(a)
0
18(b)
0
18(c)
0
18(d)
0
18.1(1)(a)
0
18.1(1)(b)
0
18.1(1)(c)
0
18.1(1)(d)
0
19(1)
2
20(1)(a)
0
20(1)(b)
0
20(1)(b.1)
0
20(1)(c)
0
20(1)(d)
0
20.1
0
20.2
0
20.4
0
21(1)(a)
2
21(1)(b)
0
21(1)(c)
0
21(1)(d)
0
22
0
22.1(1)
0
23
3
23.1
0
24(1)
1
26
0
* I.A.: International Affairs * Def.: Defence of Canada * S.A.: Subversive Activities
4.3 Exclusions
Section
Numbers of Requests
68(a)
0
68(b)
0
68(c)
0
68.1
0
68.2(a)
0
68.2(b)
0
69(1)
0
69(1)(a)
0
69(1)(b)
0
69(1)(c)
0
69(1)(d)
0
69(1)(e)
0
69(1)(f)
0
69(1)(g) re (a)
0
69(1)(g) re (b)
0
69(1)(g) re (c)
0
69(1)(g) re (d)
0
69(1)(g) re (e)
0
69(1)(g) re (f)
0
69.1(1)
0
4.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
1
5
0
0
0
0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
15323
15323
6
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
40
0
0
0
0
0
0
0
0
Disclosed in part
3
185
1
102
0
0
0
0
0
14966
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Declined to act with the approval of the information Commissioner
0
0
0
0
0
0
0
0
0
0
Total
4
225
1
102
0
0
0
0
1
14996
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.7 Other complexities
Disposition
Consultation Required
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
Disclosed in part
2
4
0
6
All exempted
0
0
0
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
Neither confirmed nor denied
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
2
4
0
6
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
3
Percentage of requests closed within legislated timelines (%)
18.75
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
13
12
1
0
0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
0
0
16 to 30 Days
1
0
1
31 to 60 Days
2
5
7
61 to 120 Days
2
0
2
121 to 180 Days
0
1
1
181 to 365 Days
1
0
1
More than 365 Days
0
1
1
Total
6
7
13
4.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
All disclosed
0
0
0
0
Disclosed in part
3
3
0
0
All exempted
0
0
0
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
No records exist
0
1
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
3
4
0
0
5.2 Length of extensions
Length of Extensions
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
30 days or less
0
0
0
0
31 to 60 days
3
2
0
0
61 to 120 days
0
0
0
0
121 to 180 days
0
0
0
0
181 to 365 days
0
0
0
0
365 days or more
0
0
0
0
Total
3
4
0
0
Section 6: Fees
Fee Type
Fee Collected
Fee Waived
Fee Refunded
Number of Requests
Amount
Number of Requests
Amount
Number of Requests
Amount
Application
13
$65.00
3
$0.00
0
$0.00
Other fees
0
$0.00
0
$0.00
0
$0.00
Total
13
$65.00
3
$0.00
0
$0.00
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
20
549
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
4
189
0
0
Closed during the reporting period
20
549
0
0
Carried over within negotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
2
1
1
0
0
0
4
Disclose in part
3
1
4
6
1
0
0
15
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
1
0
0
0
1
Other
0
0
0
0
0
0
0
0
Total
3
3
5
8
1
0
0
20
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Investigations and Reports of finding
9.1 Investigations
Section 32 Notice of intention to investigate
Subsection 30(5) Ceased to investigate
Section 35 Formal Representations
2
1
0
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports
Section 37(2) Final Reports
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
0
0
0
2
0
0
Section 10: Court Action
10.1 Court actions on complaints
Section 41
Complainant (1)
Institution (2)
Third Party (3)
Privacy Commissioner (4)
Total
0
0
0
0
0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
Section 11: Resources Related to the Access to Information Act
11.1 Allocated Costs
Expenditures
Amount
Salaries
$90,000
Overtime
$0
Goods and Services
$270,421
Professional services contracts
$270,421
Other
$0
Total
$360,421
11.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.000
Part-time and casual employees
1.000
Regional Staff
0.000
Consultants and agency personnel
1.000
Students
0.500
Total
2.500
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Open Requests and Complaints Under the Access to Information Act
1.1 Enter the number of open requests that are outstanding from previous reporting periods
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as March 31, 2024
Open Requests that are Beyond Legislated Timelines as of March 31, 2024
Total
Received in 2023-24
3
0
3
Received in 2022-23
0
1
1
Received in 2021-22
0
0
0
Received in 2020-21
0
1
1
Received in 2019-20
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15 or earlier
0
0
0
Total
3
2
5
1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
0
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-20
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-16
0
Received in 2014-15 or earlier
0
Total
0
Section 2: Open Requests and Complaints Under the Privacy Act
2.1 Number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as March 31, 2024
Open Requests that are Beyond Legislated Timelines as of March 31, 2024
Total
Received in 2023-24
2
0
2
Received in 2022-23
0
0
0
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-20
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15 or earlier
0
0
0
Total
2
0
2
2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
7
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-20
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-16
0
Received in 2014-15 or earlier
0
Total
7
Section 3: Social Insurance Number
Has your institution begun a new collection or a new consistent use of the SIN in 2023-24?
No
How many requests were received from foreign nationals outside of Canada in 2023-24?
Review of Air Passenger Targeting by the Canada Border Services Agency (CBSA): Government Responses
Review of Air Passenger Targeting by the Canada Border Services Agency (CBSA)
Government Responses
NSIRA Recommendation 1: NSIRA recommends that the CBSA document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.
GOC Response: The CBSA agrees with this recommendation. The CBSA will complete a review of its APT triaging practices to ensure practices are in place which will enable effective verification of compliance with statutory and regulatory restrictions.
NSIRA Recommendation 2: NSIRA recommends that the CBSA ensure, in an ongoing manner, that its triaging practices are based on information and/or intelligence that justifies the use of each indicator. This justification should be well-documented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations.
GOC Response: The CBSA agrees with this recommendation. While we are satisfied that justification for triaging and targeting practices exist, the CBSA acknowledges that better documentation practices could be implemented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations. The CBSA’s Scenario Based Targeting Governance Framework will be updated to include information and/or intelligence that justifies the use of each indicator. Annual reviews of scenarios will continue to be conducted and documented to confirm that each active scenario is supported by recent and reliable intelligence.
NSIRA Recommendation 3: NSIRA recommends that the CBSA ensure that any Air Passenger Targeting related distinctions on protected grounds that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights under the Charter.
GOC Response: The CBSA agrees with this recommendation. The CBSA will review its APT practices to ensure that distinctions based on protected grounds are reasonable and can be demonstrably justified in the border administration and enforcement context.
NSIRA Recommendation 4: NSIRA recommends that the CBSA develop more robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. This should include updates to the CBSA’s policies, procedures, training, and other guidance, as appropriate.
GOC Response: The CBSA agrees with this recommendation. The CBSA acknowledges that policies, procedures, training, and other guidance, as appropriate can be improved to ensure robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. The CBSA will complete a review of its policies, procedures, guidelines and training to ensure practices are not discriminatory.
NSIRA Recommendation 5: NSIRA recommends that the CBSA start gathering and assessing the necessary data to identify, analyze, and mitigate discrimination-related risks. This includes disaggregated demographic data, data on the effects of Air Passenger Targeting on secondary examinations that may be apparent from related human rights complaints, and data on a baseline comparator group.
GOC Response: The CBSA agrees with this recommendation. To that end, the CBSA is taking deliberate steps to develop its capacity to capture and analyze reliable and accurate data in non-intrusive ways. The Agency is working on developing standard and consistent positions and frameworks on the collection, use, management and governance of disaggregated data, developing metrics and indicators to measure the impact of decisions and policies on different groups; using data to build more inclusive and representative policies and strategies, and; identifying possible discrimination and bias.
Department of National Defence/Canadian Armed Forces
FINTRAC
Financial Transactions and Reports Analysis Centre of Canada
GAC
Global Affairs Canada
GC
Government of Canada
IRCC
Immigration, Refugees and Citizenship Canada
NSIRA
National Security and Intelligence Review Agency
PHAC
Public Health Agency of Canada
PS
Public Safety Canada
RCMP
Royal Canadian Mounted Police
SCIDA
Security of Canada Information Disclosure Act
TC
Transport Canada
Glossary of Terms
Contribution test
The first part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)).
Proportionality test
The second part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).
Executive summary
This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it documents the volume and nature of information disclosures made under the SCIDA; assesses compliance with the SCIDA; and highlights patterns in the SCIDA’s use across Government of Canada (GC) institutions and over time.
In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions. The National Security and Intelligence Review Agency (NSIRA) found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of these disclosures. Instances of non-compliance related to subsection 9(3), regarding the timeliness of records copied to NSIRA; subsection 5.1(1), regarding the timeliness of destruction or return of personal information; and subsection 5(2), regarding the provision of a statement on accuracy and reliability. The observed non-compliance did not point to any systemic failures in GC institutions’ implementation of the SCIDA.
NSIRA also made findings in relation to practices that, although compliant with the SCIDA, left room for improvement. These findings related to:
the use of information sharing arrangements;
the format of records prepared by institutions and copied to NSIRA, including the characteristics of effective records;
the nature of information provided under paragraph 9(1)(e) and relied upon in the conduct of assessments under subsection 5(1);
the provision of statements regarding accuracy and reliability prepared under subsection 5(2); and
the timeliness of administrative processes supporting information disclosure.
NSIRA made six recommendations designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.
Overall, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. These improvements include corrective actions taken by reviewees in response to NSIRA’s requests for information in support of this review.
1. Introduction
Authority
This review was conducted pursuant to paragraph 8(1)(b) and subsection 39(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).
Scope of the Review
This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it:
Documents the volume and nature of information disclosures made under the SCIDA;
Assesses Government of Canada (GC) institutions’ compliance with the SCIDA’s requirements for record keeping;
Assesses GC institutions’ compliance with the SCIDA’s requirements for disclosure, including the destruction or return of personal information, as appropriate; and
Highlights patterns in the SCIDA’s use across GC institutions and over time.
The review’s scope was defined by records provided to NSIRA under the SCIDA, subsection 9(3) (see Annex A for a copy of institutions’ section 9 obligations under the Act). As such, the review’s assessment of compliance was limited to the seven GC institutions identified within these records as either disclosers or recipients (Canada Border Services Agency [CBSA], Communications Security Establishment [CSE], Canadian Security Intelligence Service [CSIS], Department of National Defence/Canadian Armed Forces [DND/CAF], Global Affairs Canada [GAC], Immigration, Refugees and Citizenship Canada [IRCC], and the Royal Canadian Mounted Police [RCMP]); and to instances of information disclosure where the SCIDA was identified by these institutions as an authority for disclosure. The review also included Public Safety Canada (PS) in its capacity as manager of the Strategic Coordination Centre on Information Sharing, which provides SCIDA-related policy guidance and training across the GC.
The review satisfies the NSIRA Act’s section 39 requirement for NSIRA to report to the Minister of Public Safety on disclosures made under the SCIDA during the previous calendar year.
Methodology
The review’s primary source of information was records provided to NSIRA by disclosing and recipient institutions under the SCIDA, subsection 9(3). NSIRA also identified a targeted sample of disclosures for which it requested and assessed all associated documents provided by both the disclosing and recipient institution. This information was supplemented by a document review of institutions’ SCIDA policies and procedures, and related explanations.
NSIRA assessed administrative compliance with the SCIDA’s record-keeping obligations in relation to all disclosures identified in the records provided to NSIRA under subsection 9(3) (N=173). Where these records were incomplete, NSIRA provided an opportunity for institutions to supply the missing records. NSIRA accounted for such late submissions in its assessment of compliance with subsections 9(1) and 9(2).
NSIRA assessed substantive compliance with the SCIDA’s disclosure requirements in relation to the sample of disclosures (n=19). The sample was designed to reflect a non-representative cross-section of the SCIDA’s use, with particular attention to areas at higher risk of non-compliance. Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to defined parameters (see Annex B, Sample of Disclosures).
Review Statements
NSIRA found that, overall, its expectations for responsiveness by CSE, CSIS, DND/CAF, GAC, IRCC, PS, and RCMP during this review were met. Its expectations for responsiveness by CBSA were partially met, as CBSA required repeated follow-up to provide the requested information.
NSIRA was able to verify information for this review in a manner that met NSIRA’s expectations.
2. Backgrounder
The SCIDA provides an explicit, stand-alone authority to disclose information between GC institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.
Section 9 of the SCIDA prescribes record-keeping obligations for all institutions who (1) disclose or (2) receive information under the Act. Each paragraph under subsections 9(1) and 9(2) identifies particular elements that must be set out in the records prepared and kept by each institution (see Annex A). Subsection 9(3) requires that these records be provided to NSIRA within 30 days after the end of each calendar year.
Subsection 5(1) of the SCIDA authorizes GC institutions to disclose information – subject to any prohibitions or restrictions in other legislation or regulations – to designated recipient institutions, if the disclosing institution is satisfied that (a) the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (the “contribution test”); and (b) the information will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (the “proportionality test”).
Subsection 5(2) requires institutions that disclose information under subsection (1) to, at the time of the disclosure, also provide information regarding its accuracy and the reliability of the manner in which it was obtained.
When a GC institution receives information under the Act, subsection 5.1(1) requires that the institution destroy or return any unnecessary personal information as soon as feasible after receiving it.
The Act’s guiding principles underscore the importance of effectiveness and responsibility across disclosure activities. Of note, subsection 4(c) sets out that information sharing arrangements are appropriate in particular circumstances.
3. Findings, Analysis, and recommendations
Volume and Nature of Disclosures
In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions (see Table 1). 79% (n=136) of these disclosures were requested by the recipient institution. The other 21% of disclosures (n=37) were sent proactively by the disclosing institution.
Table 1: Number of SCIDA disclosures made in 2022, by disclosing and recipient institution [all disclosures (proactive disclosures)]
Designated Recipient Institutions
Disclosing Institution
CBSA
CFIA
CNSC
CRA
CSE
CSIS
DND/CAF
Finance
FINTRAC
GAC
Health
IRCC
PHAC
PSC
RCMP
TC
TOTAL (proactive)
CBSA
–
–
–
–
–
–
–
–
–
–
–
–
–
–
4
(3)
–
4
(3)
GAC
–
–
–
–
–
39
(18)
2
(2)
–
–
–
–
–
–
–
12
(12)
–
53
(32)
IRCC
–
–
–
–
59
(0)
56
(2)
–
–
–
–
–
–
–
–
–
–
115
(2)
RCMP
–
–
–
–
–
–
–
–
–
–
–
1
(0)
–
–
–
–
1
(0)
TOTAL (proactive)
–
–
–
–
59
(0)
95
(20)
2
(2)
–
–
–
–
1
(0)
–
–
16
(15)
–
173
(37)
The total number of disclosures made under the SCIDA since its implementation reflects a slight downward trend, with a generally constant proportion of requested versus proactive disclosures for the years in which this data was collected (see Figure 1).
Figure 1: Number of SCIDA disclosures over time
In 2022, these disclosures were made and received by institutions that had each disclosed or received information, as the case may be, in at least two prior review years (see Annex C, Overview of SCIDA Disclosures in Prior Years).
Finding 1:NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.
CSE, CSIS, GAC, and IRCC were the most frequent users of the SCIDA in 2022. The number of disclosures between these institutions was comparable to those observed by NSIRA in prior years (see Annex C), indicating the occurrence of regular exchange over time.
NSIRA also observed regular patterns in the purpose and nature of the information exchanged between these institutions in 2022, as described in Table 2. These information exchanges were not governed by up-to-date information sharing arrangements.
Table 2: Nature of disclosures between the SCIDA’s most frequent users
GAC-to-CSIS (N=39)
IRCC-to-CSIS (N=56)
IRCC-to-CSE (N=59)
GAC information holdings relevant to threats to the security of Canada
Often (85%) made in direct response, or as a follow-up, to CSIS requests
IRCC information holdings relevant to threats to the security of Canada
Almost always (96%) made in response to CSIS requests
IRCC confirmation of Canadian status of named individuals of interest, required to ensure lawfulness of CSE operational activities
All (100%) made in response to CSE requests
NSIRA has previously recommended that information sharing arrangements be updated (for GAC and CSIS) or created (for IRCC and CSE) to govern certain information exchanges made under the SCIDA.
Recommendation 1: NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.
Record Keeping
Copy to NSIRA: Subsection 9(3)
Finding 2: NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.
Requests for information from NSIRA during the course of this review prompted the late production of additional records relating to paragraphs under subsections 9(1) or 9(2) from each of CBSA, DND/CAF, and IRCC (see Table 3).
Table 3: Number [and associated subsection 9(1) or 9(2) paragraph] of late records leading to non-compliance with subsection 9(3), by cause
Administrative Error
Delayed Preparation of Records
CBSA
2 [paragraph 9(1)(e)]
–
DND/CAF
–
2 [paragraphs 9(2)(e-g)]
IRCC
6 [paragraph 9(1)(e)]
1 [paragraphs 9(2)(e-g)]
CBSA and IRCC were non-compliant with subsection 9(3) due to administrative error; the records they eventually supplied had existed at the time of the reporting deadline, but were not copied to NSIRA as required.
NSIRA expected that all records would be prepared within 30 days after the end of the calendar year, in order to meet the subsection 9(3) requirement to provide a copy of those records to NSIRA within that timeframe.
DND/CAF and IRCC were non-compliant with subsection 9(3) on account of delayed preparation of records; they did not prepare the records referred to in Table 3 within 30 days after the end of the calendar year, and therefore did not provide a copy of them to NSIRA within the legislated timeframe.
NSIRA underscores the importance of administrative precision and timeliness in preparing records and copying them to NSIRA.
Format of Records
Finding 3: NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:
a row for each disclosure made or received;
columns explicitly tied to each individual paragraph under section 9; and
additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.
The SCIDA does not specify a format for records prepared under section 9. Accordingly, in 2022, GC institutions fulfilled their record-keeping obligations in different ways.
Most institutions provided NSIRA with an overview of each disclosure made or received. These overviews were submitted to NSIRA as spreadsheets that generally captured the information required in records under subsections 9(1) and 9(2).
Most institutions also provided NSIRA with a copy of the disclosure itself and a selection of related documents. These documents often included email consultations with legal services, disclosure request letters, and other correspondence between disclosing and recipient institutions. The scope of requests for information in the course of the review was minimized in cases where institutions provided such documents.
DND/CAF and IRCC (for its one disclosure receipt) were the only institutions that originally provided NSIRA with a copy of the raw disclosure, including transmittal details, in the absence of a record overview or other related documents.
NSIRA observed that DND/CAF and IRCC’s choice in records format for these disclosures contributed to their non-compliance with subsection 9(3), described in Table 3. The information elicited under paragraphs 9(2)(e-g) cannot by definition be found within a copy of the disclosure itself, as it relates to action taken by recipient institutions following the disclosure’s receipt. A copy of the disclosure on its own is therefore insufficient to comply with all requirements under subsection 9(2).
Both DND/CAF and IRCC were infrequent recipients of disclosures under the SCIDA in 2022, accounting for only two and one disclosures, respectively. Each of the more frequent recipients of information (CSE, CSIS, and RCMP) included express columns in their record overview spreadsheets to capture whether and, if applicable, when personal information was destroyed or returned, per the requirements of paragraphs 9(2)(e-g).
NSIRA also observed that CBSA and IRCC’s choice in records format contributed to their non-compliance with subsection 9(3) due to administrative error. These institutions did not account for the full scope of information required under paragraph 9(1)(e) in their record overview spreadsheets.
The information relied upon to satisfy the disclosing institution that a disclosure is authorized under the Act is not required to be conveyed within the disclosure itself. Completing an appropriately-specified record overview spreadsheet is therefore an effective way to ensure that the corresponding information is documented and conveyed to NSIRA ahead of the legislated deadline.
The RCMP’s record overview spreadsheet was particularly effective in demonstrating compliance with the Act. The spreadsheet included columns that were explicitly tied to individual paragraphs under section 9, with additional fields limited to RCMP administrative information such as file and database reference numbers.
Spreadsheets designed in this way enable institutions’ efficient self-assessment against the requirements of the Act. They also facilitate the task of review by clearly matching the information provided with its corresponding requirement under the SCIDA, and by organizing disclosures and receipts of information in a manner that supports cross-verification.
Recommendation 2: NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
Preparing and Keeping Records: Subsections 9(1) and 9(2)
Finding 4: NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.
Finding 5: NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.
Although NSIRA expected an express statement describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA, in this review, NSIRA considered any records that demonstrated the corresponding assessment had been conducted.
IRCC n’a pas fait de déclaration expresse précisant que les communications demandées par le SCRS, qui représentent 57 % (n=54) de l’ensemble de ses communications, lui semblaient satisfaisantes du point de vue du critère de proportionnalité. En revanche, IRCC a fourni des copies des lettres de demande et de l’information communiquée en guise de réponse, ce qui confirme que la communication était manifestement conforme aux besoins précis de la demande (et donc témoigne d’une évaluation de la proportionnalité).
L’ASFC n’a pas fourni de déclaration expresse concernant sa satisfaction au regard du critère de proportionnalité pour 75 % (n=3) de ses communications. Elle a plutôt démontré qu’elle tenait compte du principe de proportionnalité en fournissant divers documents justificatifs, y compris de la correspondance interne.
La feuille de calcul utilisée par AMC pour donner une vue d’ensemble de ses documents a été particulièrement efficace pour répondre aux exigences de l’alinéa 9(1)e). L’analyse détaillée qu’elle a consignée en ce qui concerne les critères de contribution et de proportionnalité lui a permis de remplir ses obligations en matière de conservation des dossiers et de démontrer qu’elle respectait en substance le paragraphe 5(1).
Recommendation 3: NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
Disclosure of Information
Contribution and Proportionality Tests: Paragraphs 5(1)(a) and 5(1)(b)
Finding 6: NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.
Finding 7: NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.
The threshold for compliance with subsection 5(1) is that the disclosing institution has satisfied itself of the contribution and proportionality tests, and that it has done so prior to having made the disclosure.
In relation to the two disclosures that it made proactively to DND/CAF, GAC provided a rationale for the information’s contribution to DND/CAF’s mandate in respect of national security. Upon receipt of the information, however, DND/CAF did not agree with GAC’s assessment and therefore assessed that the SCIDA was not an appropriate disclosure mechanism in the circumstances.
Informal communication between the two institutions may have allowed DND/CAF and GAC to resolve this issue prior to the disclosure. When such communications occur, it is important that they be limited to the information necessary to confirm that the information contributes to the recipient’s mandate in respect of activities that undermine the security of Canada.
Recommendation 4: NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).
Statement Regarding Accuracy and Reliability: Subsection 5(2)
Finding 8: NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.
Finding 9: NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.
Providing the statement on accuracy and reliability in a cover letter for the disclosure satisfies the Act’s requirement to provide the statement at the time of disclosure. However, separating the statement from the information disclosed increases the risk that the information may be subsequently used without awareness of relevant qualifiers. The location of the statement on accuracy and reliability – and not just its contemporaneous provision to the recipient – is therefore relevant to its value added.
Recommendation 5: NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
Requirement to Destroy or Return Personal Information: Subsection 5.1(1)
Finding 10: NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”
DND/CAF determined, upon receipt of the two disclosures it received from GAC, that the personal information contained within the disclosures should not be retained. The information, however, was not destroyed until April 2023 – 12 days following a request for information from NSIRA to provide a copy of records that set out whether and when the information had been destroyed or returned. The date of destruction was 299 and 336 days following DND/CAF’s receipt of each disclosure.
Taking into consideration the elapsed time between receipt of the information and its destruction, as well as DND/CAF’s timely conclusion that the information should not be retained, DND/CAF’s ultimate destruction of the information was non-compliant with the requirement to destroy the information “as soon as feasible after receiving it.” Its delay in this respect was also inconsistent with the responsible use and management of the information.
DND/CAF was the only institution to identify any disclosures as containing information that was destroyed or returned under subsection 5.1(1) in 2022. NSIRA did not identify any other disclosures within the sample for which personal information disclosed should have been destroyed or returned.
Purpose and Principles: Effective and responsible disclosure of information
Finding 11: NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.
These 34 disclosures include 29 for which there was a delay between the dates provided by disclosing and recipient institutions in their section 9 records, as well as an additional five for which CSIS reported both the date of administrative receipt within the institution and the subsequent date of receipt by the person designated by the head to receive it (i.e., the relevant operational unit).
NSIRA attributes most of these delays to expected dynamics in classified information sharing: the individual authorizing the disclosure is not always the same individual who administratively sends it to the recipient, and the person who administratively receives the disclosure is not always the same person who is designated by the head to receive it.
In the majority of cases, the observed delays were shorter than one week. In nine cases, however, the delay ranged from 30 to 233 days.
Such delays mean that information is not processed and actioned within the recipient institution until long after it was sent – or intended to be sent – by the individual authorizing the disclosure. While these delays do not amount to non-compliance with the SCIDA, they are inconsistent with the Act’s purpose and guiding principles.
Recommendation 6: NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.
4. Conclusion
The SCIDA’s requirements for disclosure and record keeping apply to both disclosing and recipient institutions in all cases where the SCIDA is invoked as a mechanism for disclosure. This review assessed GC institutions’ compliance with requirements for record keeping in respect of all 173 disclosures that were made and received in 2022. It assessed their compliance with requirements for disclosure in relation to a targeted sample of 19 disclosures.
NSIRA found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of disclosures. GC institutions’ non-compliance with subsection 9(3) was driven by irregularities in the reporting of 11 disclosures. Observed non-compliance with substantive requirements under subsection 5(2) related to three disclosures; and non-compliance with subsection 5.1(1) related to two disclosures. These instances of non-compliance do not point to any systemic failures in GC institutions’ implementation of the SCIDA.
Within this context, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. Of note, NSIRA’s requests for information in support of this review prompted corrective action by CBSA, DND/CAF, and IRCC that would have otherwise amounted to non-compliance with requirements under section 9.
NSIRA also observed several practices that, although compliant with the SCIDA, leave room for improvement. NSIRA’s recommendations in this review are designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.
Annex A. Record Keeping Obligations for Disclosing and Recipient Institutions
Obligation – disclosing institution
Obligation — recipient institution
9 (1) Every Government of Canada institution that discloses information under this Act must prepare and keep records that set out
(2) Every Government of Canada institution that receives information under this Act must prepare and keep records that set out
(a) a description of the information;
(a) a description of the information;
(b) the name of the individual who authorized its disclosure;
(b) the name of the institution that disclosed it;
(c) the name of the recipient Government of Canada institution;
(c) the name or position of the head of the recipient institution — or of the person designated by the head — who received the information;
(d) the date on which it was disclosed;
(d) the date on which it was received by the recipient institution;
(e) a description of the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under this Act; and
(e) whether the information has been destroyed or returned under subsection 5.1(1);
(f) if the information has been destroyed under subsection 5.1(1), the date on which it was destroyed;
(g) if the information was returned under subsection 5.1(1) to the institution that disclosed it, the date on which it was returned; and
(f) any other information specified by the regulations.
(h) any other information specified by the regulations.
Copy to National Security and Intelligence Review Agency
Within 30 days after the end of each calendar year, every Government of Canada institution that disclosed information under section 5 during the year and every Government of Canada institution that received such information must provide the National Security and Intelligence Review Agency with a copy of every record it prepared under subsection (1) or (2), as the case may be, with respect to the information.
Annex B. Sample of Disclosures
Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to the following parameters:
At least two disclosures per discloser-recipient pair, if available;
At least one proactive disclosure per discloser, if available;
At least one requested disclosure per recipient, if available;
All disclosures identified by recipient institutions as including personal information that was destroyed or returned under the SCIDA, subsection 5.1(1);
All disclosures for which there is a high-level discrepancy in the discloser and recipient records (i.e., a record of receipt, but no record of disclosure; a substantive misalignment in the description of the information; greater than seven days’ discrepancy in the date sent and received; date of receipt earlier than the date of sending);
All disclosures made by an institution that is not listed in Schedule 3 of the SCIDA; and
All disclosures received by institutions added to Schedule 3 in the preceding year.
Annex C. Overview of SCIDA Disclosures in Prior Years
Drawing on information published in previous NSIRA reports, Table 5 summarizes the number and distribution of disclosures made under the SCIDA in prior years.
Table 5: Number of SCIDA disclosures, by disclosing and recipient institution, 2019-2021
Designated Recipient Institutions
Disclosing Institution
CBSA
CFIA
CNSC
CRA
CSE
CSIS
DND/CAF
Finance
FINTRAC
GAC
Health
IRCC
PHAC
PSC
RCMP
TC
TOTAL (proactive)
2021
DND/CAF
–
–
–
–
–
2
–
–
–
–
–
–
–
–
–
–
2
GAC
–
–
–
–
–
41
–
–
–
–
–
1
–
–
2
–
44
IRCC
–
–
–
–
68
79
–
–
–
2
–
–
–
–
–
–
149
TOTAL
–
–
–
–
68
122
–
–
–
2
–
1
–
–
2
–
195
2020
CBSA
–
–
–
–
–
1
–
–
–
–
–
–
–
–
3
–
4
GAC
–
–
–
–
1
25
–
–
–
–
–
1
–
–
13
–
40
IRCC
–
–
–
–
60
61
–
–
–
–
–
–
–
–
37
1
159
RCMP
–
–
–
–
–
–
1
–
–
3
–
5
–
–
–
–
9
TC
–
–
–
–
–
–
–
–
–
–
–
–
–
–
2
–
2
Other
–
–
–
–
–
1
–
–
–
–
–
–
–
–
–
–
1
TOTAL
–
–
–
–
61
88
1
–
–
3
–
6
–
–
55
1
215
2019
CBSA
–
–
–
–
–
1
–
–
–
–
–
–
–
–
2
–
3
GAC
–
–
–
–
–
23
–
–
–
–
–
3
–
1
15
–
42
IRCC
–
–
–
–
5
17
1
–
–
–
–
–
–
–
36
–
59
RCMP
–
–
–
4
–
–
–
–
1
3
–
1
–
–
–
–
9
TC
–
–
–
–
–
–
–
–
–
–
–
–
–
–
1
–
1
TOTAL
–
–
–
4
5
41
1
–
1
3
–
4
–
1
54
–
114
Annex D. Findings and Recommendations
Findings
NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.
NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.
NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:
a row for each disclosure made or received;
columns explicitly tied to each individual paragraph under section 9; and
additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.
NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.
NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.
NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.
NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.
NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.
NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.
NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”
NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.
Recommendations
NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.
NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).
NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.
The Access to Information Act gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, a right of access to information contained in government records, subject to certain specific and limited exceptions.
Section 94(1) of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament. In addition, section 20 of the Service Fees Act requires institutions to report on all statutory fees processed during the reporting period.
This report to Parliament, which is prepared and tabled in accordance with section 94 of the Access to Information Act and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency (NSIRA) Secretariat in administering these Acts during the period of April 1, 2022 to March 31, 2023.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat assists NSIRA in fulfilling its mandate. It is the NSIRA Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Access to Information Act and the Privacy Act.
Mandate
NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office
NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act.
For the reporting period, the NSIRA ATIP office consisted of:
1 Full-time Access to Information Consultant;
1 Part-time Privacy Consultant; and
1 Full-time ATIP Manager who fulfilled the duties that would normally be carried out by an ATIP Coordinator, as well as managed the ATIP Office, in addition to fulfilling normal duties as Manager of Administrative Services for the Secretariat and Agency Members.
NSIRA Secretariat Corporate Legal Counsel and Senior General Counsel supported the ATIP office on an as required basis.
The ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the Access to Information Act and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments.
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.
The NSIRA Secretariat was a party to a service agreement under section 96 of the Access to Information Act during the reporting period, pursuant to which it received administrative services from the Privy Council Office related to the tabling of the Access to Information Act annual report in Parliament. The NSIRA Secretariat was also a party to a service agreement under section 92 of the Act, pursuant to which it received ATIP Online services from the Treasury Board of Canada Secretariat.
The NSIRA Secretariat ensured that the following proactive publication legislative requirements were met during the reporting period with the assistance of its Finance team:
Travel expenses;
Hospitality expenses;
Reports tabled in Parliament; and
Contracts over $10,000.
To assist the ATIP Office in meeting its overall legislative obligations, the NSIRA Secretariat relied on a collaborative internal group of subject matter points of contact from all its branches.
Delegation Order
The Executive Director, as the Head of the NSIRA Secretariat, is responsible for the administration of the Access to Information Act within the institution. Pursuant to section 95 of the Access to Information Act, the Executive Director has delegated the ATIP Manager and ATIP Officer – as well as persons acting in these positions – to perform powers, duties, and functions for the administration of the Act. These positions have limited delegation of authority under the Act and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Access to Information Act Delegation Order can be found in Appendix A.
Performance 2022-2023
Performance in Processing Access Requests
During the reporting period, from April 1, 2022 to March 31, 2023, the NSIRA Secretariat received 11 formal requests in addition to 10 requests that were outstanding from previous reporting periods, bringing the total number of requests to 21. Of these, the NSIRA Secretariat closed 15 requests in 2022-23, and 6 were carried over to the next reporting period. Five of the carried-over requests were received during the 2022-23 reporting period, of which two open requests are within the legislated timelines as of March 31, 2023, and four are beyond the legislated timelines, including one request that was received during the 2018-19 reporting period.
Statistical Reports for 2022-2023
The institution’s 2022-2023 Statistical Report on the Access to Information Act and Supplemental ATIP Statistical Report for 2022-2023 are found in Appendices B and C.
Extensions and Completion Time of Closed Requests
During the reporting period, the NSIRA Secretariat invoked extensions in processing 10 requests: 1 extension of 31 to 60 days, 3 extensions of 61 to 120 days, 2 extensions of 121 to 180 days, 2 extensions of 181 to 365 days, and 2 extensions of 365 days or more, all of which included extensions necessary to consult with third parties.
Of the requests completed during the reporting period,
2 requests, or 13.33% of the requests completed, were disclosed in its entirety. 1 request completed within 16 to 30 days, and 1 request completed within 181 to 365 days.
7 requests, or 46.66% of the requests completed, were disclosed in part. 3 requests completed within 61 to 120 days, 2 requests completed within 181 to 365 days, and 2 requests completed more than 365 days.
2 requests, or 13.33% of the requests completed, were all exempted. 1 request completed within 1 to 15 days, and 1 request completed within 31 to 60 days.
1 request, or 6.66% of the requests completed, resulted in no records. This request was completed within 16 to 30 days.
1 request, or 6.66% of the requests completed was abandoned and completed within 1 to 15 days.
2 requests, or 13.33% of the requests completed, were neither confirmed nor denied. 1 request completed within 16 to 30 days, and 1 request completed within 31 to 60 days.
The NSIRA Secretariat’s responses to many requests required intensive review of complex records, including extensive internal and external consultations due to a significant portion of our information holdings consisting of sensitive and classified records created or originally received by other government institutions owing to NSIRA’s mandate. In 2022-23, the NSIRA Secretariat’s on-time response rate decreased extensively to 33% from 80% in the previous reporting year.
Consultations
The NSIRA Secretariat was consulted on 4 requests this fiscal year. All 4 requests were completed within 61 to 120 days. The NSIRA Secretariat closed all consultations and carried over none into 2023-2024.
Requests Treated Informally
In 2022-2023, the NSIRA Secretariat responded to 2 informal requests for records previously released under the Access to Information Act and carried over one into 2023-2024.
Impact of COVID-19 measures
During the reporting period, the NSIRA Secretariat was not affected by measures related to the COVID‑19 pandemic.
Complaints and Investigations of Access Requests
Subsection 30(1) of the Act describes how the Office of the Information Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. The NSIRA Secretariat received three new complaints during the reporting period. One of these complaints was discontinued during the reporting period, while the other two complaints remained active on March 31, 2023.
Moreover, one complaint received in fiscal year 2021-2022 was closed as “well-founded” during this reporting period. This complaint concerned the NSIRA Secretariat’s delay in providing a fulsome response to a large request that was made to NSIRA’s predecessor, the Security Intelligence Review Committee (SIRC), before the established legislative deadline. The delay was largely due to extended external consultations.
Training and Awareness
During the reporting period, access to information training requirements were identified for all NSIRA Secretariat employees, as well as for those with functional or delegated responsibility for the administration of the Access to Information Act, in accordance with the Directive on Access to Information Requests. The Canada School of Public Service course Access to Information and Privacy Fundamentals (COR502) was included as mandatory training in all employees’ training curriculum.
Privacy policies, guidelines, procedures and initiatives
The NSIRA Secretariat updated the Delegation Order during the reporting period. We also engaged with Library and Archives Canada on obtaining institution-specific disposition authorities, as we are currently operating under the former SIRC’s disposition authorities.
Proactive Publication under Part 2 of the ATIA
In accordance with paragraph 81(b) of the Access to Information Act, the NSIRA Secretariat is a government entity subject to the following proactive publication requirements:
Briefing materials (section 88)
During the reporting period, NSIRA Secretariat proactive publications were published on open.canada.ca.
Of the total proactive publication requirements that were due during the reporting period, 80% were published within the legislated timelines.
Initiatives and Projects to Improve Access to Information
The NSIRA Secretariat’s IT team began work to develop an ATIP software tool for our classified and unclassified systems. The NSIRA Secretariat also signed a memorandum of understanding with TBS to make full use of ATIP online and implemented the tool during the reporting period.
Summary of Key Issues and Actions Taken on Complaints
The NSIRA Secretariat hired a consultant to help process the large aforementioned access request made to its predecessor; a request that was subsequently the subject of a delay complaint made in FY 2021-2022 and deemed well-founded by the Information Commissioner during the reporting period. The NSIRA Secretariat took concrete action during the reporting period to comply with the Commissioner’s order to provide a fulsome response to the request “forthwith”, including but not limited to streamlining the consultation process with another government institution and disclosing additional records to the requestor.
Access to Information Act Fees for the Purposes of the Service Fees Act
The Service Fees Act requires a responsible authority to report annually to Parliament on the fees collected by the institution.
With respect to fees collected under the Access to Information Act, the information below is reported in accordance with the requirements of section 20 of the Service Fees Act.
Enabling authority:Access to Information Act
Fee payable: $5.00 application fee is the only fee charged for an ATI request
Total revenue: $30
$25
Cost of operating the program: $294,640
Monitoring Compliance
In order to meet legislative deadlines for access to information requests, deadlines for individual requests are strictly monitored by using MS Outlook reminders. The ATIP Manager organizes ad hoc meetings to discuss request-related activities (such as whether inter-institutional consultations are necessary), determine deadlines and ensure that all team members are informed of the status of files. At bi-weekly team meetings with the Senior General Counsel and Corporate Counsel, the ATIP Manager raises and discusses compliance with legislative and policy obligations. The Executive Director is also briefed on all ATIP compliance issues.
The NSIRA Secretariat has a document setting out the procedures to be followed in carrying out our monthly proactive disclosure, together with the associated expectations and timelines, in order to monitor the accuracy and completeness of the information proactively published under Part 2 of the Act.
During the reporting period, the NSIRA Secretariat also began assessing the feasibility of making information previously released under the Access to Information Act available on its public-facing website.
For contracts issued during the reporting period, the NSIRA Secretariat included a General Condition on Access to Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2022-2023 Statistical Report on the Access to Information Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2022-04-01 – 2023-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
11
Outstanding from previous reporting period
9
Outstanding from more than one reporting period
1
Total
21
Closed during reporting period
15
Carried over to next reporting period
6
Carried over within legislated timeline
2
Carried over beyond legislated timeline
4
1.2 Sources of requests
Source
Number of Requests
Media
0
Academia
0
Business (private sector)
0
Organization
0
Public
10
Decline to Identify
1
Total
11
1.3 Channels of requests
Source
Number of Requests
Online
10
E-mail
0
Mail
1
In person
0
Phone
0
Fax
0
Total
11
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
3
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
3
Closed during reporting period
2
Carried over to next reporting period
1
2.2 Channels of informal requests
Source
Number of Requests
Online
0
E-Mail
3
Mail
0
In person
0
Phone
0
Fax
0
Total
3
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
2
0
0
0
0
0
0
2
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
2
65
0
0
0
0
0
0
0
0
2.5 Pages re-released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
Section 3: Applications to the Information Commissioner on Declining to Act on Requests
Number of Requests
Outstanding from previous reporting period
0
Sent during reporting period
0
Total
0
Approved by the Information Commissioner during reporting period
0
Declined by the Information Commissioner during reporting period
0
Withdrawn during reporting period
0
Carried over to next reporting period
0
Section 4: Requests Closed During the Reporting Period
4.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
1
0
0
0
1
0
2
Disclosed in part
0
0
0
3
0
2
2
7
All exempted
1
0
1
0
0
0
0
2
All excluded
0
0
0
0
0
0
0
0
No records exist
0
1
0
0
0
0
0
1
Request transferred
0
0
0
0
0
0
0
0
Request abandoned
1
0
0
0
0
0
0
1
Neither confirmed nor denied
0
1
1
0
0
0
0
2
Decline to act with the approval of the Information Commisioner
0
0
0
0
0
0
0
0
Total
2
3
2
3
0
3
2
15
4.2 Exemptions
Section
Numbers of Requests
13(1)(a)
0
13(1)(b)
0
13(1)(c)
0
13(1)(d)
0
13(1)(e)
0
14
0
14(a)
0
14(b)
0
15(1) – I. A. *
0
15(1) – Def. *
5
15(1) – S.A. *
1
16(1)(a)(i)
3
16(1)(a)(ii)
0
16(1)(a)(iii)
0
16(1)(b)
1
16(1)(c)
4
16(1)(d)
0
16(2)
0
16(2)(a)
0
16(2)(b)
0
16(2)(c)
0
16(3)
0
16.1(1)(a)
0
16.1(1)(b)
0
16.1(1)(c)
0
16.1(1)(d)
0
16.2(1)
0
16.3
0
16.31
0
16.4(1)(a)
0
16.4(1)(b)
0
16.5
0
16.6
0
17
0
18(a)
0
18(b)
0
18(c)
0
18(d)
0
18.1(1)(a)
0
18.1(1)(b)
0
18.1(1)(c)
0
18.1(1)(d)
0
19(1)
2
20(1)(a)
0
20(1)(b)
0
20(1)(b.1)
0
20(1)(c)
0
20(1)(d)
0
20.1
0
20.2
0
20.4
0
21(1)(a)
0
21(1)(b)
0
21(1)(c)
0
21(1)(d)
0
22
0
22.1(1)
0
23
1
23.1
0
24(1)
1
26
0
* I.A.: International Affairs * Def.: Defence of Canada * S.A.: Subversive Activities
4.3 Exclusions
Section
Numbers of Requests
68(a)
0
68(b)
0
68(c)
0
68.1
0
68.2(a)
0
68.2(b)
0
69(1)
0
69(1)(a)
0
69(1)(b)
0
69(1)(c)
0
69(1)(d)
0
69(1)(e)
0
69(1)(f)
0
69(1)(g) re (a)
0
69(1)(g) re (b)
0
69(1)(g) re (c)
0
69(1)(g) re (d)
0
69(1)(g) re (e)
0
69(1)(g) re (f)
0
69.1(1)
0
4.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
0
9
0
0
0
0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
856
856
14
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
7
1
322
0
0
0
0
0
0
Disclosed in part
6
247
1
280
0
0
0
0
0
0
All exempted
2
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
1
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
2
0
0
0
0
0
0
0
0
0
Declined to act with the approval of the information Commissioner
0
0
0
0
0
0
0
0
0
0
Total
12
254
2
602
0
0
0
0
0
0
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.7 Other complexities
Disposition
Consultation Required
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
Disclosed in part
0
0
0
0
All exempted
0
0
0
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
Neither confirmed nor denied
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
0
0
0
0
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
5
Percentage of requests closed within legislated timelines (%)
33.33333333
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
10
0
10
0
0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
0
0
16 to 30 Days
0
0
0
31 to 60 Days
0
2
2
61 to 120 Days
0
3
3
121 to 180 Days
0
0
0
181 to 365 Days
0
3
3
More than 365 Days
0
2
2
Total
0
10
10
4.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
All disclosed
0
0
2
0
Disclosed in part
0
0
7
0
All exempted
0
0
1
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
No records exist
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
0
0
10
0
5.2 Length of extensions
Length of Extensions
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
30 days or less
0
0
0
0
31 to 60 days
0
0
1
0
61 to 120 days
0
0
3
0
121 to 180 days
0
0
2
0
181 to 365 days
0
0
2
0
365 days or more
0
0
2
0
Total
0
0
10
0
Section 6: Fees
Fee Type
Fee Collected
Fee Waived
Fee Refunded
Number of Requests
Amount
Number of Requests
Amount
Number of Requests
Amount
Application
0
$30.00
5
$0.00
0
$0.00
Other fees
0
$0.00
0
$0.00
0
$0.00
Total
6
$30.00
5
$0.00
0
$0.00
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
4
189
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
4
189
0
0
Closed during the reporting period
4
189
0
0
Carried over within negotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
4
0
0
0
4
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
4
0
0
0
4
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Investigations and Reports of finding
9.1 Investigations
Section 32 Notice of intention to investigate
Subsection 30(5) Ceased to investigate
Section 35 Formal Representations
3
0
0
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports
Section 37(2) Final Reports
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
1
1
1
1
1
1
Section 10: Court Action
10.1 Court actions on complaints
Section 41
Complainant (1)
Institution (2)
Third Party (3)
Privacy Commissioner (4)
Total
0
0
0
0
0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
Section 11: Resources Related to the Access to Information Act
11.1 Allocated Costs
Expenditures
Amount
Salaries
$100,000
Overtime
$0
Goods and Services
$194,640
Professional services contracts
$194,640
Other
$0
Total
$294,640
11.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.000
Part-time and casual employees
1.000
Regional Staff
0.000
Consultants and agency personnel
1.000
Students
1.000
Total
3.000
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act
2.1 Number of weeks your institution was able to process paper records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
Section 3: Open Requests and Complaints Under the Privacy Act
3.1 Number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as
Open Requests that are Beyond Legislated Timelines as of March 31, 2023
Total
Received in 2022-23
2
3
5
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-20
0
0
0
Received in 2018-19
0
1
1
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15
0
0
0
Received in 2013-14 or earlier
0
0
0
3.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Open Requests that are Within Legislated Timelines as
The Privacy Act gives individuals the right to access information about themselves that is held by the National Security and Intelligence Review Agency Secretariat, subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.
Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.
This report to Parliament, which is prepared and tabled in accordance with section 72 of the Privacy Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the Act during the period of April 1, 2022 to March 31, 2023.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat assists NSIRA in fulfilling its mandate. It is the NSIRA Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Privacy Act and the Access to Information Act.
Mandate
The NSIRA Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office – Organizational Structure
NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act. For the reporting period, the NSIRA ATIP office consisted of:
1 Full-time Access to Information Consultant;
1 Part-time Privacy Consultant; and
1 Full-time ATIP Manager who fulfilled the duties that would normally be carried out by an ATIP Coordinator, as well as managed the ATIP Office in addition to fulfilling normal duties as Manager of Administrative Services for the Secretariat and Agency Members.
NSIRA Secretariat Senior General Counsel and Corporate Counsel supported the ATIP Office on an as required basis.
The ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the Access to Information Act and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments.
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.
The NSIRA Secretariat was a party to a service agreement under section 73.1 of the Privacy Act during the reporting period, pursuant to which it received administrative services from the Privy Council Office related to the tabling of the Privacy Act annual report in Parliament. The NSIRA Secretariat was also a party to a service agreement under section 71.1 of the Act, pursuant to which it received ATIP Online services from the Treasury Board of Canada Secretariat.
To assist the ATIP Office in meeting its overall legislative obligations, the NSIRA Secretariat relied on a collaborative internal group of subject matter points of contact from all its branches.
Delegation Order
The Executive Director, as the Head of the NSIRA Secretariat, is responsible for the administration of the Privacy Act within the institution. Pursuant to section 73 of the Privacy Act, the Executive Director has delegated the ATIP Manager and ATIP Officer – as well as persons acting in these positions – to perform powers, duties, and functions for the administration of the Act. These positions have limited delegation of authority under the Act and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Privacy Act Delegation Order can be found in Appendix A.
Performance 2022-2023
Performance in Processing Privacy Requests
During the reporting period, from April 1, 2022 to March 31, 2023, the NSIRA Secretariat received 12 formal requests. All 12 requests were completed during the reporting period. No requests were carried over from the previous reporting period.
Statistical Reports for 2022-2023
The institution’s 2022-2023 Statistical Report on the Privacy Act and Supplemental ATIP Statistical Report for 2022-2023 are found in Appendices B and C.
Extensions and Completion Time of Closed Requests
During the reporting period, the NSIRA Secretariat invoked extensions in processing 5 requests: 3 extensions of 31 to 60 days, and 2 extensions of 61 to 120 days, all of which included extensions necessary to consult with third parties.
Of the requests completed during the reporting period:
1 request, or 8.33% of the requests completed, was disclosed in its entirety. This request was completed within 16 to 30 days.
4 requests, or 33.33% of the requests completed, were disclosed in part. 1 request completed within 16 to 30 days, 2 requests completed within 31 to 60 days, and 1 request completed within 61 to 120 days.
7 requests, or 58.33% of the requests completed, resulted in no records. 1 request completed within 1 to 15 days, 4 requests completed within 16 to 30 days, 1 request completed within 31 to 60 days, and 1 request completed within 61 to 120 days.
The NSIRA Secretariat’s responses to many requests required intensive review of complex records, including extensive internal and external consultations. In 2022-23, the NSIRA Secretariat’s on-time response rate decreased to 58.33% from 71% in the previous reporting year.
Consultations
No consultations were received by the NSIRA Secretariat during the reporting period.
Impact of COVID-19 Measures
During the reporting period, the NSIRA Secretariat was not affected by measures related to the COVID‑19 pandemic.
Complaints and Investigations
During the reporting period, the NSIRA Secretariat received 9 privacy complaints, 2 of which were related to access. All 9 complaints remained active on March 31, 2023.
Moreover, one privacy breach-related investigation initiated by the Privacy Commissioner in fiscal year 2020-2021 continued during the reporting period and remained active on March 31, 2023.
Training and Awareness
During the reporting period, privacy training requirements were identified for all NSIRA Secretariat employees, as well as for those with functional or delegated responsibility for the administration of the Privacy Act, in accordance with the Directive on Personal Information Requests and Correction of Personal Information. The Canada School of Public Service course Access to Information and Privacy Fundamentals (COR502) was included as mandatory training in all employees’ training curriculum.
In addition, an all-staff lunch and learn session was held in August 2022 to provide employees with a debrief of the International Association of Privacy Professionals Privacy Conference.
Policies, Guidelines, and Procedures
The NSIRA Secretariat updated the Delegation Order during the reporting period and also established its internal Directive on Managing Security and Safety Events in March 2023, which provides for coordination with the ATIP Office and Office of Primary Interest when a security event involves a suspected or actual privacy breach.
Initiatives and Projects to Improve Privacy
The NSIRA Secretariat’s IT team began work to develop an ATIP software tool for our classified and unclassified systems. The NSIRA Secretariat also signed a memorandum of understanding with TBS to make full use of ATIP Online and implemented the tool during the reporting period.
Summary of Key Issues and Actions Taken on Complaints
As previously outlined, all 9 complaints received during the reporting period remained active on March 31, 2023. The NSIRA Secretariat meaningfully engaged with the Office of the Privacy Commissioner on all active investigations and disclosed additional records in 1 of the 2 access-related complaints.
Material Privacy Breaches
In the 2022-2023 reporting period, no material privacy breaches occurred.
Privacy Impact Assessments
The NSIRA Secretariat did not complete any PIAs in 2022-2023. During the reporting period, the NSIRA Secretariat received feedback from TBS for its PIA on the creation of NSIRA — which had been submitted to TBS in FY 2021-2022 — and undertook revisions to the PIA. During the reporting period, the NSIRA Secretariat also launched a PIA exercise pertaining to its investigations-related activities.
Public Interest Disclosures
No disclosures were made pursuant to paragraph 8(2)(m) of the Privacy Act during the reporting period.
Monitoring Compliance
In order to meet the legislative deadlines for privacy requests, deadlines for individual requests are strictly monitored by using MS Outlook reminders. The ATIP Manager organizes ad hoc meetings to discuss request-related activities (such as whether inter-institutional consultations are necessary), determine deadlines and ensure that all team members are informed of the status of files. At bi-weekly team meetings with the Senior General Counsel and Corporate Counsel, the ATIP Manager raises and discusses compliance with legislative and policy obligations. The Executive Director is also briefed on all ATIP compliance issues.
For contracts issued during the reporting period, the NSIRA Secretariat included a Standard Procurement Clause on the Handling of Personal Information or a Supplemental General Condition on Personal Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2022-2023 Statistical Report on the Privacy Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2022-04-01 – 2023-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
12
Outstanding from previous reporting period
0
Outstanding from more than one reporting period
0
Total
12
Closed during reporting period
12
Carried over to next reporting period
0
Carried over within legislated timeline
0
Carried over beyond legislated timeline
0
1.2 Channels of requests
Source
Number of Requests
Online
10
E-mail
2
Mail
0
In person
0
Phone
0
Fax
0
Total
12
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
0
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
0
Closed during reporting period
0
Carried over to next reporting period
0
2.2 Channels of informal requests
Source
Number of Requests
Online
0
E-Mail
0
Mail
0
In person
0
Phone
0
Fax
0
Total
0
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
0
0
0
0
0
0
0
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
Section 3: Requests Closed During the Reporting Period
3.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
1
0
0
0
0
0
1
Disclosed in part
0
1
2
1
0
0
0
4
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
1
4
1
1
0
0
0
7
Request abandoned
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Total
1
6
3
2
0
0
0
12
3.2 Exemptions
Section
Numbers of Requests
18(2)
0
19(1)(a)
0
19(1)(b)
0
19(1)(c)
0
19(1)(d)
0
19(1)(e)
0
19(1)(f)
0
20
0
21
1
22(1)(a)(i)
3
22(1)(a)(ii)
0
22(1)(a)(iii)
0
22(1)(b)
4
22(1)(c)
0
22(2)
0
22.1
0
22.2
0
22.3
0
22.4
0
23(a)
0
23(b)
0
24(a)
0
24(b)
0
25
0
26
0
27
2
27.1
0
28
0
3.3 Exclusions
Section
Numbers of Requests
69(1)(a)
0
69(1)(b)
0
69.1
0
70(1)
0
70(1)(a)
0
70(1(b)
0
70(1)(c)
0
70(1)(d)
0
70(1)(e)
0
70(1)(f)
0
70.1
0
3.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
0
5
0
0
0
0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
795
795
5
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
1
0
0
0
0
0
0
0
0
Disclosed in part
3
150
0
0
1
644
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Total
4
151
0
0
1
644
0
0
0
0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.7 Other complexities
Disposition
Consultation Required
Assessment of Fees
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
0
Disclosed in part
0
0
0
0
0
All exempted
0
0
0
0
0
All excluded
0
0
0
0
0
Request abandoned
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
Total
0
0
0
0
0
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
7
Percentage of requests closed within legislated timelines (%)
58.33333333
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
5
0
3
0
2
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
1
1
16 to 30 Days
1
0
1
31 to 60 Days
1
1
2
61 to 120 Days
1
0
1
121 to 180 Days
0
0
0
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
3
2
5
3.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 4: Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e)
Paragraph 8(2)(m)
Subsection 8(5)
Total
0
0
0
0
Section 5: Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received
Number
Notations attached
0
Requests for correction accepted
0
Total
0
Section 6: Extensions
6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
3
0
1
0
0
0
2
0
0
6.2 Length of extensions
Length of Extensions
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
1 to 15 days
0
1
0
0
0
2
0
0
16 to 30 days
0
0
0
0
0
3
0
0
31 days or greater
0
Total
0
1
0
0
0
2
0
0
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
0
0
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
0
0
0
0
Closed during the reporting period
0
0
0
0
Carried over within regotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Complaints and Investigations Notices Received
Section 31
Section 33
Section 35
Court action
Total
1
8
0
0
9
Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)
10.1 Privacy Impact Assessments
Number of PIA(s) completed
Number of PIAs modified
0
0
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks
Active
Created
Terminated
Modified
Institution-specific
0
0
0
0
Central
0
0
0
0
Total
0
0
0
0
Section 11: Privacy Breaches
11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS
Number of material privacy breaches reported to OPC
0
0
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
Section 12: Resources Related to the Privacy Act
12.1 Allocated Costs
Expenditures
Amount
Salaries
$60,000
Overtime
$0
Goods and Services
$5,000
Professional services contracts
$5,000
Other
$0
Total
$65,000
12.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.000
Part-time and casual employees
1.000
Regional Staff
0.000
Consultants and agency personnel
0.500
Students
0.000
Total
1.500
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act
2.1 Number of weeks your institution was able to process paper records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
Section 3: Open Requests and Complaints Under the Privacy Act
3.1 Number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as
Open Requests that are Beyond Legislated Timelines as of March 31, 2023
Total
Received in 2022-23
0
0
0
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-20
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15
0
0
0
Received in 2013-14 or earlier
0
0
0
3.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Open Requests that are Within Legislated Timelines as
Received in 2022-23
9
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-20
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-16
0
Received in 2014-15
0
Received in 2013-14 or earlier
0
Total
9
Section 4: Social Insurance Number
Has your institution begun a new collection or a new consistent use of the SIN in 2022-23?
No
Section 5: Universal Access under the Privacy Act
How many requests were received from confirmed foreign nationals outside of Canada in 2022-2023?
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
