The Privacy Act (PA) gives individuals the right of access to information about themselves that is under the control of a government institution, subject to certain specific and limited exemptions and exclusions. The PA also protects the privacy of individuals by giving them substantial control over the collection, use and disclosure of their personal information, and by preventing others from having access to that information.
Section 72 of the PA requires the head of each government institution to prepare an annual report on the administration of the PA within the institution that is to be tabled in both Houses of Parliament.
This report to Parliament, which is prepared and tabled pursuant to section 72 of the PA, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the PA during the period of April 1, 2023 to March 31, 2024 (the reporting period).
If you require more information or wish to make a request under the PA or the Access to Information Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency Secretariat P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who We Are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat (the Secretariat) assists NSIRA in fulfilling its mandate. The Secretariat headed by an Executive Director, is designated as the government institution for the purposes of administering the PA and the Access to Information Act.
Mandate
The Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matter that a Minister of the Crown refers to NSIRA.
NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, as well as whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is also responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act;
reports made under section 19 of the Citizenship Act; and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office – Organizational Structure
The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Secretariat meets its responsibilities under the PA and the Access to Information Act.
For the reporting period, the Secretariat’s ATIP Office consisted of:
1 full-time Access to Information Consultant;
1 part-time Privacy Consultant;
1 full-time ATIP Coordinator, who managed the Secretariat’s ATIP Office, and fulfilled the normal duties as Manager of Administrative Services for the Secretariat and NSIRA Members; and
the Secretariat’s Senior Counsel, Internal Services as well as Senior General Counsel supported the ATIP office when required.
The Secretariat’s ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the PA and the Access to Information Act;
developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respects the PA and the Access to Information Act;
maintaining Personal Information Banks and conducting privacy impact assessments;
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the Secretariat in dealings with the Treasury Board of Canada Secretariat (TBS), the information and privacy commissioners, and other government departments and agencies in matters pertaining to the PA and the Access to Information Act.
During the reporting period, the Secretariat was a party to a service agreement under section 73.1 of the PA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of the annual report in Parliament. The Secretariat was also a party to a service agreement under section 71.1 of the PA in which the Secretariat received ATIP Online services from TBS.
To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.
Delegation Order
As the Head of the Secretariat, the Executive Director is responsible for the administration of the PA within the institution. Pursuant to section 73 of the PA, the Executive Director has delegated the ATIP Manager and ATIP Officer, as well as individuals acting in these positions, to perform certain and specific powers, duties, and functions for the administration of the PA. These positions have limited delegation of authority under the PA and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Delegation Order can be found in Appendix A (page 9).
Performance 2023-2024
Performance in Processing Privacy Requests
In addition to 5 requests that were outstanding from the previous reporting periods, the Secretariat’s ATIP Office received 22 formal requests during the current reporting period, bringing the total number of formal request to 27. Of these, the Secretariat’s ATIP Office closed 25 requests and processed approximately 4843 pages during the reporting period. 2 requests were carried over to the following reporting period.
Statistical Reports for 2023-2024
The Secretariat’s 2023-2024 Statistical Report on the PA and Supplemental ATIP Statistical Report for 2023-2024 were both previously validated by TBS.
Extensions and Completion Time of Closed Requests
During the reporting period, the Secretariat’s ATIP Office invoked extensions while processing 2 formal requests: 1 extension was completed within of 16 to 30 days, and 1 request was taken to seek an internal consultation. Both did not require extensions to consult with third parties.
Of the requests completed during the reporting period:
1 request, or 4% of the requests completed, was disclosed in its entirety. This request was completed within 16 to 30 days;
1 request, or 4% of the requests completed, was disclosed in part. This request was completed within 121 to 180 days;
16 requests, or 64% of the requests completed, resulted in no records. 1 request was completed within 0 to 15 days, 6 requests were completed within 16 to 30 days, 6 requests were completed within 31 to 60 days, and 3 requests were completed within 61 to 120 days;
1 request, or 4% of the requests completed, was abandoned and completed; and
6 requests, or 24% of the requests completed, were neither confirmed nor denied.
The Secretariat’s responses to many requests required an intensive review of complex records, including extensive internal and external consultations. During the reporting period, the Secretariat’s on-time response rate decreased to 56% from 58.3% in the 2022-2023 reporting period due to a significant increase in the number of pages processed for formal requests.
Consultations
During the reporting period, no privacy consultations were received.
Complaints and Investigations
Subsection 29(1) of the PA describes how the Office of the Privacy Commissioner (OPC) receives and investigates complaints from individuals regarding the processing of requests under the PA. During the reporting period, the Secretariat’s ATIP Office received 16 complaints, 2 of which were related to Access requests.
In addition, 1 privacy breach-related investigation initiated by the Privacy Commissioner in Fiscal Year 2020-2021 continued during the reporting period and remained active on March 31, 2024.
Training and Awareness
The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service (CSPS). New employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in January 2024, an internal ATIP training session was held.
To ensure in-depth training is taken by employees of the NSIRA Secretariat who have functional or delegated responsibility for the administration of the PAand Privacy Regulations, the Senior Counsel, Internal Services participated in the 2023 Canadian Privacy Symposium offered by the International Association of Privacy Professionals. In addition, the ATIP Manager attended the 2023 Canadian Access and Privacy Association Conference as well as the 26th Annual Vancouver International Privacy & Security Summit.
Policies, Guidelines, and Procedures
During the reporting period, the Secretariat implemented several initiatives to assist the Secretariat’s ATIP Office to operate more efficiently. For example, the Secretariat revised its Privacy Breach Plan and Procures Manual, revised its Privacy Protocol Template, and established a Privacy Risk Register.
Initiatives and Projects to Improve Privacy
During the reporting period, the Secretariat’s Information Technology division continued to develop an ATIP software tool for the Secretariat’s classified and unclassified systems.
Summary of Key Issues and Actions Taken on Complaints
The Secretariat meaningfully engaged with the OPC on all 16 active investigations during the reporting period and disclosed additional records in 1 of the 2 Access related complaints.
Material Privacy Breaches
During the reporting period, no material privacy breaches occurred.
Privacy Impact Assessments
During the reporting period, the Secretariat completed a Privacy Impact Assessment (PIA) of its investigations-related activities, which was shared with TBS and the OPC. In addition, the Secretariat made further revisions to its PIA on the creation of NSIRA in response to feedback received from TBS and continued to engage with TBS on PIB registration.
Public Interest Disclosures
During the reporting period, no public interest disclosures occurred.
Monitoring Compliance
Legislative deadlines for access requests were strictly monitored by using several Microsoft Lists trackers. The ATIP Manager organized ad hoc meetings to discuss request-related activities (such as whether internal consultations were necessary), determine deadlines, and ensure that all division members were informed of the status of requests. At bi-weekly team meetings with the Senior General Counsel and Senior Counsel, Internal Services, the ATIP Manager raised and discussed compliance with legislative and policy obligations. The Executive Director was also briefed on all ATIP compliance issues.
For contracts issued during the reporting period, the Secretariat included a Standard Procurement Clause on the Handling of Personal Information or a Supplemental General Condition on Personal Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2023–2024 Statistical Report on the Privacy Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2022-04-01 – 2023-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
22
Outstanding from previous reporting period
5
Outstanding from more than one reporting period
0
Total
27
Closed during reporting period
25
Carried over to next reporting period
2
Carried over within legislated timeline
2
Carried over beyond legislated timeline
0
1.2 Channels of requests
Source
Number of Requests
Online
22
E-mail
0
Mail
0
In person
0
Phone
0
Fax
0
Total
22
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
1
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
1
Closed during reporting period
0
Carried over to next reporting period
1
2.2 Channels of informal requests
Source
Number of Requests
Online
0
E-Mail
1
Mail
0
In person
0
Phone
0
Fax
0
Total
1
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
0
0
0
0
0
0
0
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
Section 3: Requests Closed During the Reporting Period
3.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
1
0
0
0
0
0
1
Disclosed in part
0
0
0
0
1
0
0
1
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
1
6
6
3
0
0
0
16
Request abandoned
1
0
0
0
0
0
0
1
Neither confirmed nor denied
0
4
1
0
1
0
0
6
Total
2
11
7
3
2
0
0
25
3.2 Exemptions
Section
Numbers of Requests
18(2)
0
19(1)(a)
0
19(1)(b)
0
19(1)(c)
0
19(1)(d)
0
19(1)(e)
0
19(1)(f)
0
20
0
21
0
22(1)(a)(i)
0
22(1)(a)(ii)
0
22(1)(a)(iii)
0
22(1)(b)
0
22(1)(c)
0
22(2)
0
22.1
0
22.2
0
22.3
0
22.4
0
23(a)
0
23(b)
0
24(a)
0
24(b)
0
25
0
26
1
27
1
27.1
0
28
0
3.3 Exclusions
Section
Numbers of Requests
69(1)(a)
0
69(1)(b)
0
69.1
0
70(1)
0
70(1)(a)
0
70(1(b)
0
70(1)(c)
0
70(1)(d)
0
70(1)(e)
0
70(1)(f)
0
70.1
0
3.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
0
2
0
0
0
0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
4843
4843
9
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
0
0
0
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
1
4843
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
1
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
6
0
0
0
0
0
0
0
0
0
Total
8
0
0
0
0
0
1
4843
0
0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.7 Other complexities
Disposition
Consultation Required
Assessment of Fees
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
0
Disclosed in part
0
1
0
0
1
All exempted
0
0
0
0
0
All excluded
0
0
0
0
0
Request abandoned
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
Total
0
1
0
0
1
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
14
Percentage of requests closed within legislated timelines (%)
56
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
11
10
0
1
0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
4
0
4
16 to 30 Days
2
0
2
31 to 60 Days
2
0
2
61 to 120 Days
1
1
2
121 to 180 Days
0
1
1
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
9
2
11
3.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 4: Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e)
Paragraph 8(2)(m)
Subsection 8(5)
Total
0
0
0
0
Section 5: Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received
Number
Notations attached
0
Requests for correction accepted
0
Total
0
Section 6: Extensions
6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
2
0
1
0
0
0
0
1
0
6.2 Length of extensions
Length of Extensions
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
1 to 15 days
0
0
0
0
0
0
0
0
16 to 30 days
0
1
0
0
0
0
1
0
31 days or greater
0
Total
0
1
0
0
0
0
1
0
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
0
0
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
0
0
0
0
Closed during the reporting period
0
0
0
0
Carried over within regotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Complaints and Investigations Notices Received
Section 31
Section 33
Section 35
Court action
Total
3
10
3
0
16
Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)
10.1 Privacy Impact Assessments
Number of PIA(s) completed
Number of PIAs modified
1
1
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks
Active
Created
Terminated
Modified
Institution-specific
0
0
0
0
Central
0
0
0
0
Total
0
0
0
0
Section 11: Privacy Breaches
11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS
Number of material privacy breaches reported to OPC
0
0
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
Section 12: Resources Related to the Privacy Act
12.1 Allocated Costs
Expenditures
Amount
Salaries
$100,000
Overtime
$0
Goods and Services
$15,475
Professional services contracts
$15,475
Other
$0
Total
$115,475
12.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
1.000
Part-time and casual employees
0.000
Regional Staff
0.000
Consultants and agency personnel
0.300
Students
0.500
Total
1.800
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Open Requests and Complaints Under the Access to Information Act
1.1 Enter the number of open requests that are outstanding from previous reporting periods.
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
0
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-21
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-26
0
Received in 2014-15 or earlier
0
Section 2: Open Requests and Complaints Under the Privacy Act
2.1 Enter the number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution
Open Requests that are Within Legislated Timelines as of March 31, 2024
Open Requests that are Beyond Legislated Timelines as of March 31, 2024
Total
Received in 2023-24
2
0
2
Received in 2022-23
0
0
0
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-21
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-26
0
0
0
Received in 2014-15 or earlier
0
0
0
Total
2
0
2
2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal Year Open Complaints Were Received by Institution
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
7
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-21
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-26
0
Received in 2014-15 or earlier
0
Total
7
Section 3: Social Insurance Number
Has your institution begun a new collection or a new consistent use of the SIN in 2023-24
No
Section 4: Universal Access under the Privacy Act
How many requests were received from foreign nationals outside of Canada in 2023-24
The Access to Information Act (ATIA) gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, the right of access to information under the control of a government institution, subject to certain specific and limited exemptions and exclusions.
Section 94 of the ATIA requires the head of each government institution to prepare an annual report on the administration of the ATIA within the institution that is to be tabled in both Houses of Parliament. In addition, section 20 of the Service Fees Act requires the responsible authority to report to Parliament each fiscal year on all statutory fees processed during the reporting period.
This report to Parliament, which is prepared and tabled pursuant to section 94 of the ATIA and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering these Acts during the period of April 1, 2023 to March 31, 2024 (the reporting period).
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat (the Secretariat) assists NSIRA in fulfilling its mandate. The Secretariat headed by an Executive Director, is designated as the government institution for the purposes of administering the ATIA and the Privacy Act.
Mandate
The Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matter that a Minister of the Crown refers to NSIRA.
NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, as well as whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is also responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office – Organizational Structure
The Secretariat’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the Secretariat meets its responsibilities under the ATIA and the Privacy Act.
For the reporting period, the Secretariat’s ATIP Office consisted of:
1 full-time Access to Information Consultant;
1 part-time Privacy Consultant;
1 full-time ATIP Coordinator, who managed the Secretariat’s ATIP Office, and fulfilled the normal duties as Manager of Administrative Services for the Secretariat and NSIRA Members; and
the Secretariat’s Senior Counsel, Internal Services as well as Senior General Counsel supported the Secretariat’s ATIP Office when required.
The Secretariat’s ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the ATIA and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the Secretariat respects the ATIA and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments;
preparing annual reports to Parliament and other statutory reports, as well as other materials that might be required by central agencies; and
representing the Secretariat in dealings with the Treasury Board of Canada Secretariat (TBS), the information and privacy commissioners, and other government departments and agencies in matters pertaining to the ATIA and the Privacy Act.
During the reporting period, the Secretariat was a party to a service agreement under section 96 of the ATIA in which the Secretariat received administrative support from the Privy Council Office related to the tabling of the Annual Report in Parliament. The Secretariat was also a party to a service agreement under section 92 of the ATIA, in which the Secretariat received ATIP Online services from TBS.
Part 2: Proactive Publications
The Secretariat ensured that the following proactive publication legislative requirements were met during the reporting period with the assistance of its Finance division:
travel expenses;
hospitality expenses;
reports tabled in Parliament; and
contracts over $10,000.00
To assist the Secretariat’s ATIP Office in meeting its overall legislative obligations, the Secretariat relied on a collaborative internal group of subject matter experts from all divisions.
Delegation Order
As the Head of the Secretariat, the Executive Director is responsible for the administration of the ATIA within the institution. Pursuant to section 95 of the ATIA, the Executive Director has delegated the ATIP Manager and ATIP Officer, as well as individuals acting in these positions, to perform certain and specific powers, duties, and functions for the administration of the ATIA. These positions have limited delegation of authority under the ATIA and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Delegation Order can be found in Appendix A (page 13).
Performance 2023-2024
Performance in Processing Access Requests
In addition to 5 requests that were outstanding from previous reporting periods, the Secretariat’s ATIP Office received 16 formal requests during the current reporting period, bringing the total number of formal requests to 21. Of these, the Secretariat’s ATIP Office closed 16 requests and processed approximately 15,323 pages during the reporting period. 5 requests were carried over to the following reporting period, 3 of the carried over requests were received during the reporting period.
Statistical Reports for 2023-2024
The Secretariat’s 2023-2024 Statistical Report on the ATIA and Supplemental ATIP Statistical Report for 2023-2024 were both previously validated by TBS.
Extensions and Completion Time of Closed Requests
During the reporting period, the Secretariat’s ATIP Office invoked extensions while processing 7 formal requests: 5 extensions of 31 to 60 days, 0 extensions of 61 to 120 days, 1 extension of 121 to 180 days, 0 extensions of 181 to 365 days, and 1 extension of 365 days or more, all of which required extensions to consult with third parties.
Of the requests completed during the reporting period,
1 request, or 6.25% of the requests completed, was disclosed in its entirety. This request was completed within 181 to 365 days;
5 requests, or 31.25% of the requests completed, were disclosed in part. 1 request was completed within 16 to 30 days, 1 request was completed within 61 to 120 days, 1 request was completed within 121 to 180 days, and 2 requests were completed after 365 days;
0 requests, or 0% of the requests completed, were all exempted;
10 requests, or 62.50% of the requests completed, resulted in no records. 1 request was completed within 16 to 30 days, 2 request were completed within 31 to 60 days, and 7 requests were completed within 61 to 120 days;
0 requests, or 0% of the requests completed, were abandoned and completed; and
0 requests, or 0% of the requests completed, were neither confirmed nor denied.
The responses to many requests required an intensive review of complex records, including extensive internal and external consultations due to a significant portion of the Secretariat’s information holdings consisting of sensitive and classified records created or originally received by other government institutions owing to NSIRA’s mandate. During the reporting period, the Secretariat’s on-time response rate decreased to 18.7% from 33.3% in the 2022-2023 reporting year due to a significant increase in the number of pages processed for formal requests.
Consultations
During the reporting period, the Secretariat’s ATIP Office received 20 consultation requests from other government institutions. 3 requests were completed within 0 to 15 days, 3 requests were completed within 16 to 30 days, 5 requests were completed within 31 to 60 days, 8 requests were completed within 61 to 120 days, and 1 request was completed within 121 to 180 days. The Secretariat’s ATIP Office closed all 20 consultations during the reporting period and processed approximately 549 pages.
Requests Treated Informally
During the reporting period, the Secretariat’s ATIP Office received 18 informal requests for records previously released under the ATIA, closed 6 informal requests, and carried over 12 informal requests into the 2024-2025 reporting period.
Complaints and Investigations of Access Requests
Subsection 30(1) of the ATIA describes how the Office of the Information Commissioner (OIC) receives and investigates complaints from individuals regarding the processing of requests under the ATIA. The Secretariat’s ATIP Office received 3 access complaints during the reporting period. 1 of these complaints was discontinued during the reporting period, while the other 2 complaints remained active on March 31, 2024.
Training and Awareness
The Secretariat took a customized approach to training subject matter experts on their legislative requirements, roles, and responsibilities. The Secretariat’s ATIP Office encouraged employees to take the ATIP training courses offered by the Canada School of Public Service (CSPS). The Executive Director held an awareness session for the Secretariat’s management team on the new Directive on Proactive Publication in the Fall of 2023 and senior management was briefed on Amending the Access to Information Regulations in June 2023. In addition, new employees were required to complete an online training session entitled Fundamentals of Access to Information and Privacy within six months of joining the Secretariat and in January 2024, an internal ATIP training session was held.
Policies, Guidelines, and Procedures
The Secretariat’s ATIP Office implemented certain efficiency-enhancing measures, such as online tracking tools, and continued to seek new opportunities to improve the efficiency and timeliness of request processing. For example, the Executive Director designated two officials within the Secretariat who were responsible for supporting the Executive Director’s accountability for proactive publication under various policies and guidelines specified under the ATIA.
The Secretariat continued to engaged with Library and Archives Canada on obtaining institution-specific disposition authorities.
Proactive Publication under Part 2 of the ATIA
In accordance with subsection 81(b) of the ATIA, the Secretariat is listed as a government entity subject to the following proactive publication requirements:
Travel expenses (section 82);
Hospitality expenses (section 83);
Reports tabled in Parliament (section 84);
Contracts over $10,000.00 (section 86);
Grants and Contributions over $25,000.00 (section 87); and
Briefing materials (section 88)
During the reporting period, the Secretariat’s proactive publications were published on open.canada.ca. of the total proactive publication requirements that were due during the reporting period, 80% were published within the legislated timelines.
Legislative Requirement
Section
Publication Timeline
Institutional Requirement
All Government Institutions as defined in section 3 of the Access to Information Act
Travel Expenses
82
Within 30 days after the end of the month of reimbursement
open.canada.ca
Hospitality Expenses
83
Within 30 days after the end of the month of reimbursement
open.canada.ca
Reports tabled in Parliament
84
Within 30 days after tabling
open.canada.ca
Government entities or Departments, agencies, and other bodies subject to the Act and listed in Schedules I, I.1, or II of the Financial Administration Act
Contracts over $10,000
86
Q1-3: Within 30 days after the quarter Q4: Within 60 days after the quarter
open.canada.ca
Grants & Contributions over $25,000
87
Within 30 days after the quarter
N/A
Packages of briefing materials prepared for new or incoming deputy heads or equivalent
88(a)
Within 120 days after appointment
N/A
Titles and reference numbers of memoranda prepared for a deputy head or equivalent, that is received by their office
88(b)
Within 30 days after the end of the month received
N/A
Packages of briefing materials prepared for a deputy head or equivalent’s appearance before a committee of Parliament
88(c)
Within 120 days after appearance
N/A
Government institutions that are departments named in Schedule I to the Financial Administration Act or portions of the core public administration named in Schedule IV to that Act
Reclassification of positions
85
Within 30 days after the quarter
N/A
Ministers
Packages of briefing materials prepared by a government institution for new or incoming ministers
74(a)
Within 120 days after appointment
N/A
Titles and reference numbers of memoranda prepared by a government institution for the minister, that is received by their office
74(b)
Within 30 days after the end of the month received
N/A
Package of question period notes prepared by a government institution for the minister and in use on the last sitting day of the House of Commons in June and December
74(c)
Within 30 days after last sitting day of the House of Commons in June and December
N/A
Packages of briefing materials prepared by a government institution for a minister’s appearance before a committee of Parliament
74(d)
Within 120 days after appearance
N/A
Travel Expenses
75
Within 30 days after the end of the month of reimbursement
N/A
Hospitality Expenses
76
Within 30 days after the end of the month of reimbursement
N/A
Contracts over $10,000
77
Q1-3: Within 30 days after the quarter Q4: Within 60 days after the quarter
N/A
Ministers’ Offices Expenses
78
Within 120 days after the fiscal year
N/A
Initiatives and Projects to Improve Access to Information
During the reporting period, the Secretariat’s Information Technology division continued to improve our ATIP software tool for the Secretariat’s classified and unclassified systems.
Summary of Key Issues and Actions Taken on Complaints
During the reporting period, 3 complaints were received. 1 complaint was discontinued during the reporting period, while the other 2 complaints remained active on March 31, 2024.
Access to Information Act Fees for the Purposes of the Service Fees Act
The Service Fees Act requires a responsible authority to report annually to Parliament on the fees collected by the institution.
With respect to fees collected under the ATIA, the information below is reported in accordance with the requirements of section 20 of the Service Fees Act:
Enabling authority:Access to Information Act
Fee payable: $5.00 application fee is the only fee charged for an ATI request
Total revenue: $65.00
Fees waived: $15.00
Cost of operating the program: $360,421.00
Monitoring Compliance
Legislative deadlines for access to information requests were strictly monitored by using several Microsoft Lists trackers, as were proactive publication requirements. The ATIP Manager organized ad hoc meetings to discuss request-related activities (such as whether internal consultations were necessary), determine deadlines, and ensure that all division members were informed of the status of requests. At bi-weekly team meetings with the Senior General Counsel and Senior Counsel, Internal Services, the ATIP Manager raised and discussed compliance with legislative and policy obligations. The Executive Director was also briefed on all ATIP compliance issues.
During the reporting period, the Secretariat also continued to assess the feasibility of making information previously released under the ATIA available on its public-facing website.
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2023-2024 Statistical Report on the Access to Information Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2023-04-01 – 2024-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
16
Outstanding from previous reporting period
3
Outstanding from more than one reporting period
2
Total
21
Closed during reporting period
16
Carried over to next reporting period
5
Carried over within legislated timeline
3
Carried over beyond legislated timeline
2
1.2 Sources of requests
Source
Number of Requests
Media
2
Academia
3
Business (private sector)
2
Organization
1
Public
8
Decline to Identify
0
Total
16
1.3 Channels of requests
Source
Number of Requests
Online
12
E-mail
0
Mail
4
In person
0
Phone
0
Fax
0
Total
16
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
18
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
18
Closed during reporting period
6
Carried over to next reporting period
12
2.2 Channels of informal requests
Source
Number of Requests
Online
11
E-Mail
7
Mail
0
In person
0
Phone
0
Fax
0
Total
18
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
2
0
4
0
0
0
6
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
2
25
0
0
0
0
0
0
0
0
2.5 Pages re-released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
4
93
0
0
0
0
0
0
0
0
Section 3: Applications to the Information Commissioner on Declining to Act on Requests
Number of Requests
Outstanding from previous reporting period
0
Sent during reporting period
1
Total
1
Approved by the Information Commissioner during reporting period
0
Declined by the Information Commissioner during reporting period
1
Withdrawn during reporting period
0
Carried over to next reporting period
0
Section 4: Requests Closed During the Reporting Period
4.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
1
0
1
Disclosed in part
0
1
0
1
1
0
2
5
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
0
1
2
7
0
0
0
10
Request transferred
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Decline to act with the approval of the Information Commisioner
0
0
0
0
0
0
0
0
Total
0
2
2
8
1
1
2
16
4.2 Exemptions
Section
Numbers of Requests
13(1)(a)
1
13(1)(b)
0
13(1)(c)
0
13(1)(d)
0
13(1)(e)
0
14
0
14(a)
0
14(b)
0
15(1) – I. A. *
1
15(1) – Def. *
2
15(1) – S.A. *
0
16(1)(a)(i)
2
16(1)(a)(ii)
0
16(1)(a)(iii)
1
16(1)(b)
1
16(1)(c)
1
16(1)(d)
0
16(2)
0
16(2)(a)
0
16(2)(b)
0
16(2)(c)
0
16(3)
0
16.1(1)(a)
0
16.1(1)(b)
0
16.1(1)(c)
0
16.1(1)(d)
0
16.2(1)
0
16.3
0
16.31
0
16.4(1)(a)
0
16.4(1)(b)
0
16.5
0
16.6
0
17
0
18(a)
0
18(b)
0
18(c)
0
18(d)
0
18.1(1)(a)
0
18.1(1)(b)
0
18.1(1)(c)
0
18.1(1)(d)
0
19(1)
2
20(1)(a)
0
20(1)(b)
0
20(1)(b.1)
0
20(1)(c)
0
20(1)(d)
0
20.1
0
20.2
0
20.4
0
21(1)(a)
2
21(1)(b)
0
21(1)(c)
0
21(1)(d)
0
22
0
22.1(1)
0
23
3
23.1
0
24(1)
1
26
0
* I.A.: International Affairs * Def.: Defence of Canada * S.A.: Subversive Activities
4.3 Exclusions
Section
Numbers of Requests
68(a)
0
68(b)
0
68(c)
0
68.1
0
68.2(a)
0
68.2(b)
0
69(1)
0
69(1)(a)
0
69(1)(b)
0
69(1)(c)
0
69(1)(d)
0
69(1)(e)
0
69(1)(f)
0
69(1)(g) re (a)
0
69(1)(g) re (b)
0
69(1)(g) re (c)
0
69(1)(g) re (d)
0
69(1)(g) re (e)
0
69(1)(g) re (f)
0
69.1(1)
0
4.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
1
5
0
0
0
0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
15323
15323
6
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
40
0
0
0
0
0
0
0
0
Disclosed in part
3
185
1
102
0
0
0
0
0
14966
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Declined to act with the approval of the information Commissioner
0
0
0
0
0
0
0
0
0
0
Total
4
225
1
102
0
0
0
0
1
14996
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.7 Other complexities
Disposition
Consultation Required
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
Disclosed in part
2
4
0
6
All exempted
0
0
0
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
Neither confirmed nor denied
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
2
4
0
6
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
3
Percentage of requests closed within legislated timelines (%)
18.75
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
13
12
1
0
0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
0
0
16 to 30 Days
1
0
1
31 to 60 Days
2
5
7
61 to 120 Days
2
0
2
121 to 180 Days
0
1
1
181 to 365 Days
1
0
1
More than 365 Days
0
1
1
Total
6
7
13
4.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
All disclosed
0
0
0
0
Disclosed in part
3
3
0
0
All exempted
0
0
0
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
No records exist
0
1
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
3
4
0
0
5.2 Length of extensions
Length of Extensions
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
30 days or less
0
0
0
0
31 to 60 days
3
2
0
0
61 to 120 days
0
0
0
0
121 to 180 days
0
0
0
0
181 to 365 days
0
0
0
0
365 days or more
0
0
0
0
Total
3
4
0
0
Section 6: Fees
Fee Type
Fee Collected
Fee Waived
Fee Refunded
Number of Requests
Amount
Number of Requests
Amount
Number of Requests
Amount
Application
13
$65.00
3
$0.00
0
$0.00
Other fees
0
$0.00
0
$0.00
0
$0.00
Total
13
$65.00
3
$0.00
0
$0.00
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
20
549
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
4
189
0
0
Closed during the reporting period
20
549
0
0
Carried over within negotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
2
1
1
0
0
0
4
Disclose in part
3
1
4
6
1
0
0
15
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
1
0
0
0
1
Other
0
0
0
0
0
0
0
0
Total
3
3
5
8
1
0
0
20
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Investigations and Reports of finding
9.1 Investigations
Section 32 Notice of intention to investigate
Subsection 30(5) Ceased to investigate
Section 35 Formal Representations
2
1
0
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports
Section 37(2) Final Reports
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
0
0
0
2
0
0
Section 10: Court Action
10.1 Court actions on complaints
Section 41
Complainant (1)
Institution (2)
Third Party (3)
Privacy Commissioner (4)
Total
0
0
0
0
0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
Section 11: Resources Related to the Access to Information Act
11.1 Allocated Costs
Expenditures
Amount
Salaries
$90,000
Overtime
$0
Goods and Services
$270,421
Professional services contracts
$270,421
Other
$0
Total
$360,421
11.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.000
Part-time and casual employees
1.000
Regional Staff
0.000
Consultants and agency personnel
1.000
Students
0.500
Total
2.500
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Open Requests and Complaints Under the Access to Information Act
1.1 Enter the number of open requests that are outstanding from previous reporting periods
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as March 31, 2024
Open Requests that are Beyond Legislated Timelines as of March 31, 2024
Total
Received in 2023-24
3
0
3
Received in 2022-23
0
1
1
Received in 2021-22
0
0
0
Received in 2020-21
0
1
1
Received in 2019-20
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15 or earlier
0
0
0
Total
3
2
5
1.2 Enter the number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
0
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-20
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-16
0
Received in 2014-15 or earlier
0
Total
0
Section 2: Open Requests and Complaints Under the Privacy Act
2.1 Number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as March 31, 2024
Open Requests that are Beyond Legislated Timelines as of March 31, 2024
Total
Received in 2023-24
2
0
2
Received in 2022-23
0
0
0
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-20
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15 or earlier
0
0
0
Total
2
0
2
2.2 Enter the number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Number of Open Complaints
Received in 2023-24
0
Received in 2022-23
7
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-20
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-16
0
Received in 2014-15 or earlier
0
Total
7
Section 3: Social Insurance Number
Has your institution begun a new collection or a new consistent use of the SIN in 2023-24?
No
How many requests were received from foreign nationals outside of Canada in 2023-24?
The Access to Information Act gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, a right of access to information contained in government records, subject to certain specific and limited exceptions.
Section 94(1) of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament. In addition, section 20 of the Service Fees Act requires institutions to report on all statutory fees processed during the reporting period.
This report to Parliament, which is prepared and tabled in accordance with section 94 of the Access to Information Act and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency (NSIRA) Secretariat in administering these Acts during the period of April 1, 2022 to March 31, 2023.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat assists NSIRA in fulfilling its mandate. It is the NSIRA Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Access to Information Act and the Privacy Act.
Mandate
NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office
NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act.
For the reporting period, the NSIRA ATIP office consisted of:
1 Full-time Access to Information Consultant;
1 Part-time Privacy Consultant; and
1 Full-time ATIP Manager who fulfilled the duties that would normally be carried out by an ATIP Coordinator, as well as managed the ATIP Office, in addition to fulfilling normal duties as Manager of Administrative Services for the Secretariat and Agency Members.
NSIRA Secretariat Corporate Legal Counsel and Senior General Counsel supported the ATIP office on an as required basis.
The ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the Access to Information Act and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments.
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.
The NSIRA Secretariat was a party to a service agreement under section 96 of the Access to Information Act during the reporting period, pursuant to which it received administrative services from the Privy Council Office related to the tabling of the Access to Information Act annual report in Parliament. The NSIRA Secretariat was also a party to a service agreement under section 92 of the Act, pursuant to which it received ATIP Online services from the Treasury Board of Canada Secretariat.
The NSIRA Secretariat ensured that the following proactive publication legislative requirements were met during the reporting period with the assistance of its Finance team:
Travel expenses;
Hospitality expenses;
Reports tabled in Parliament; and
Contracts over $10,000.
To assist the ATIP Office in meeting its overall legislative obligations, the NSIRA Secretariat relied on a collaborative internal group of subject matter points of contact from all its branches.
Delegation Order
The Executive Director, as the Head of the NSIRA Secretariat, is responsible for the administration of the Access to Information Act within the institution. Pursuant to section 95 of the Access to Information Act, the Executive Director has delegated the ATIP Manager and ATIP Officer – as well as persons acting in these positions – to perform powers, duties, and functions for the administration of the Act. These positions have limited delegation of authority under the Act and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Access to Information Act Delegation Order can be found in Appendix A.
Performance 2022-2023
Performance in Processing Access Requests
During the reporting period, from April 1, 2022 to March 31, 2023, the NSIRA Secretariat received 11 formal requests in addition to 10 requests that were outstanding from previous reporting periods, bringing the total number of requests to 21. Of these, the NSIRA Secretariat closed 15 requests in 2022-23, and 6 were carried over to the next reporting period. Five of the carried-over requests were received during the 2022-23 reporting period, of which two open requests are within the legislated timelines as of March 31, 2023, and four are beyond the legislated timelines, including one request that was received during the 2018-19 reporting period.
Statistical Reports for 2022-2023
The institution’s 2022-2023 Statistical Report on the Access to Information Act and Supplemental ATIP Statistical Report for 2022-2023 are found in Appendices B and C.
Extensions and Completion Time of Closed Requests
During the reporting period, the NSIRA Secretariat invoked extensions in processing 10 requests: 1 extension of 31 to 60 days, 3 extensions of 61 to 120 days, 2 extensions of 121 to 180 days, 2 extensions of 181 to 365 days, and 2 extensions of 365 days or more, all of which included extensions necessary to consult with third parties.
Of the requests completed during the reporting period,
2 requests, or 13.33% of the requests completed, were disclosed in its entirety. 1 request completed within 16 to 30 days, and 1 request completed within 181 to 365 days.
7 requests, or 46.66% of the requests completed, were disclosed in part. 3 requests completed within 61 to 120 days, 2 requests completed within 181 to 365 days, and 2 requests completed more than 365 days.
2 requests, or 13.33% of the requests completed, were all exempted. 1 request completed within 1 to 15 days, and 1 request completed within 31 to 60 days.
1 request, or 6.66% of the requests completed, resulted in no records. This request was completed within 16 to 30 days.
1 request, or 6.66% of the requests completed was abandoned and completed within 1 to 15 days.
2 requests, or 13.33% of the requests completed, were neither confirmed nor denied. 1 request completed within 16 to 30 days, and 1 request completed within 31 to 60 days.
The NSIRA Secretariat’s responses to many requests required intensive review of complex records, including extensive internal and external consultations due to a significant portion of our information holdings consisting of sensitive and classified records created or originally received by other government institutions owing to NSIRA’s mandate. In 2022-23, the NSIRA Secretariat’s on-time response rate decreased extensively to 33% from 80% in the previous reporting year.
Consultations
The NSIRA Secretariat was consulted on 4 requests this fiscal year. All 4 requests were completed within 61 to 120 days. The NSIRA Secretariat closed all consultations and carried over none into 2023-2024.
Requests Treated Informally
In 2022-2023, the NSIRA Secretariat responded to 2 informal requests for records previously released under the Access to Information Act and carried over one into 2023-2024.
Impact of COVID-19 measures
During the reporting period, the NSIRA Secretariat was not affected by measures related to the COVID‑19 pandemic.
Complaints and Investigations of Access Requests
Subsection 30(1) of the Act describes how the Office of the Information Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. The NSIRA Secretariat received three new complaints during the reporting period. One of these complaints was discontinued during the reporting period, while the other two complaints remained active on March 31, 2023.
Moreover, one complaint received in fiscal year 2021-2022 was closed as “well-founded” during this reporting period. This complaint concerned the NSIRA Secretariat’s delay in providing a fulsome response to a large request that was made to NSIRA’s predecessor, the Security Intelligence Review Committee (SIRC), before the established legislative deadline. The delay was largely due to extended external consultations.
Training and Awareness
During the reporting period, access to information training requirements were identified for all NSIRA Secretariat employees, as well as for those with functional or delegated responsibility for the administration of the Access to Information Act, in accordance with the Directive on Access to Information Requests. The Canada School of Public Service course Access to Information and Privacy Fundamentals (COR502) was included as mandatory training in all employees’ training curriculum.
Privacy policies, guidelines, procedures and initiatives
The NSIRA Secretariat updated the Delegation Order during the reporting period. We also engaged with Library and Archives Canada on obtaining institution-specific disposition authorities, as we are currently operating under the former SIRC’s disposition authorities.
Proactive Publication under Part 2 of the ATIA
In accordance with paragraph 81(b) of the Access to Information Act, the NSIRA Secretariat is a government entity subject to the following proactive publication requirements:
Briefing materials (section 88)
During the reporting period, NSIRA Secretariat proactive publications were published on open.canada.ca.
Of the total proactive publication requirements that were due during the reporting period, 80% were published within the legislated timelines.
Initiatives and Projects to Improve Access to Information
The NSIRA Secretariat’s IT team began work to develop an ATIP software tool for our classified and unclassified systems. The NSIRA Secretariat also signed a memorandum of understanding with TBS to make full use of ATIP online and implemented the tool during the reporting period.
Summary of Key Issues and Actions Taken on Complaints
The NSIRA Secretariat hired a consultant to help process the large aforementioned access request made to its predecessor; a request that was subsequently the subject of a delay complaint made in FY 2021-2022 and deemed well-founded by the Information Commissioner during the reporting period. The NSIRA Secretariat took concrete action during the reporting period to comply with the Commissioner’s order to provide a fulsome response to the request “forthwith”, including but not limited to streamlining the consultation process with another government institution and disclosing additional records to the requestor.
Access to Information Act Fees for the Purposes of the Service Fees Act
The Service Fees Act requires a responsible authority to report annually to Parliament on the fees collected by the institution.
With respect to fees collected under the Access to Information Act, the information below is reported in accordance with the requirements of section 20 of the Service Fees Act.
Enabling authority:Access to Information Act
Fee payable: $5.00 application fee is the only fee charged for an ATI request
Total revenue: $30
$25
Cost of operating the program: $294,640
Monitoring Compliance
In order to meet legislative deadlines for access to information requests, deadlines for individual requests are strictly monitored by using MS Outlook reminders. The ATIP Manager organizes ad hoc meetings to discuss request-related activities (such as whether inter-institutional consultations are necessary), determine deadlines and ensure that all team members are informed of the status of files. At bi-weekly team meetings with the Senior General Counsel and Corporate Counsel, the ATIP Manager raises and discusses compliance with legislative and policy obligations. The Executive Director is also briefed on all ATIP compliance issues.
The NSIRA Secretariat has a document setting out the procedures to be followed in carrying out our monthly proactive disclosure, together with the associated expectations and timelines, in order to monitor the accuracy and completeness of the information proactively published under Part 2 of the Act.
During the reporting period, the NSIRA Secretariat also began assessing the feasibility of making information previously released under the Access to Information Act available on its public-facing website.
For contracts issued during the reporting period, the NSIRA Secretariat included a General Condition on Access to Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2022-2023 Statistical Report on the Access to Information Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2022-04-01 – 2023-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
11
Outstanding from previous reporting period
9
Outstanding from more than one reporting period
1
Total
21
Closed during reporting period
15
Carried over to next reporting period
6
Carried over within legislated timeline
2
Carried over beyond legislated timeline
4
1.2 Sources of requests
Source
Number of Requests
Media
0
Academia
0
Business (private sector)
0
Organization
0
Public
10
Decline to Identify
1
Total
11
1.3 Channels of requests
Source
Number of Requests
Online
10
E-mail
0
Mail
1
In person
0
Phone
0
Fax
0
Total
11
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
3
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
3
Closed during reporting period
2
Carried over to next reporting period
1
2.2 Channels of informal requests
Source
Number of Requests
Online
0
E-Mail
3
Mail
0
In person
0
Phone
0
Fax
0
Total
3
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
2
0
0
0
0
0
0
2
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
2
65
0
0
0
0
0
0
0
0
2.5 Pages re-released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
Section 3: Applications to the Information Commissioner on Declining to Act on Requests
Number of Requests
Outstanding from previous reporting period
0
Sent during reporting period
0
Total
0
Approved by the Information Commissioner during reporting period
0
Declined by the Information Commissioner during reporting period
0
Withdrawn during reporting period
0
Carried over to next reporting period
0
Section 4: Requests Closed During the Reporting Period
4.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
1
0
0
0
1
0
2
Disclosed in part
0
0
0
3
0
2
2
7
All exempted
1
0
1
0
0
0
0
2
All excluded
0
0
0
0
0
0
0
0
No records exist
0
1
0
0
0
0
0
1
Request transferred
0
0
0
0
0
0
0
0
Request abandoned
1
0
0
0
0
0
0
1
Neither confirmed nor denied
0
1
1
0
0
0
0
2
Decline to act with the approval of the Information Commisioner
0
0
0
0
0
0
0
0
Total
2
3
2
3
0
3
2
15
4.2 Exemptions
Section
Numbers of Requests
13(1)(a)
0
13(1)(b)
0
13(1)(c)
0
13(1)(d)
0
13(1)(e)
0
14
0
14(a)
0
14(b)
0
15(1) – I. A. *
0
15(1) – Def. *
5
15(1) – S.A. *
1
16(1)(a)(i)
3
16(1)(a)(ii)
0
16(1)(a)(iii)
0
16(1)(b)
1
16(1)(c)
4
16(1)(d)
0
16(2)
0
16(2)(a)
0
16(2)(b)
0
16(2)(c)
0
16(3)
0
16.1(1)(a)
0
16.1(1)(b)
0
16.1(1)(c)
0
16.1(1)(d)
0
16.2(1)
0
16.3
0
16.31
0
16.4(1)(a)
0
16.4(1)(b)
0
16.5
0
16.6
0
17
0
18(a)
0
18(b)
0
18(c)
0
18(d)
0
18.1(1)(a)
0
18.1(1)(b)
0
18.1(1)(c)
0
18.1(1)(d)
0
19(1)
2
20(1)(a)
0
20(1)(b)
0
20(1)(b.1)
0
20(1)(c)
0
20(1)(d)
0
20.1
0
20.2
0
20.4
0
21(1)(a)
0
21(1)(b)
0
21(1)(c)
0
21(1)(d)
0
22
0
22.1(1)
0
23
1
23.1
0
24(1)
1
26
0
* I.A.: International Affairs * Def.: Defence of Canada * S.A.: Subversive Activities
4.3 Exclusions
Section
Numbers of Requests
68(a)
0
68(b)
0
68(c)
0
68.1
0
68.2(a)
0
68.2(b)
0
69(1)
0
69(1)(a)
0
69(1)(b)
0
69(1)(c)
0
69(1)(d)
0
69(1)(e)
0
69(1)(f)
0
69(1)(g) re (a)
0
69(1)(g) re (b)
0
69(1)(g) re (c)
0
69(1)(g) re (d)
0
69(1)(g) re (e)
0
69(1)(g) re (f)
0
69.1(1)
0
4.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
0
9
0
0
0
0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
856
856
14
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
7
1
322
0
0
0
0
0
0
Disclosed in part
6
247
1
280
0
0
0
0
0
0
All exempted
2
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
1
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
2
0
0
0
0
0
0
0
0
0
Declined to act with the approval of the information Commissioner
0
0
0
0
0
0
0
0
0
0
Total
12
254
2
602
0
0
0
0
0
0
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.7 Other complexities
Disposition
Consultation Required
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
Disclosed in part
0
0
0
0
All exempted
0
0
0
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
Neither confirmed nor denied
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
0
0
0
0
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
5
Percentage of requests closed within legislated timelines (%)
33.33333333
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
10
0
10
0
0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
0
0
16 to 30 Days
0
0
0
31 to 60 Days
0
2
2
61 to 120 Days
0
3
3
121 to 180 Days
0
0
0
181 to 365 Days
0
3
3
More than 365 Days
0
2
2
Total
0
10
10
4.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
All disclosed
0
0
2
0
Disclosed in part
0
0
7
0
All exempted
0
0
1
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
No records exist
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
0
0
10
0
5.2 Length of extensions
Length of Extensions
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
30 days or less
0
0
0
0
31 to 60 days
0
0
1
0
61 to 120 days
0
0
3
0
121 to 180 days
0
0
2
0
181 to 365 days
0
0
2
0
365 days or more
0
0
2
0
Total
0
0
10
0
Section 6: Fees
Fee Type
Fee Collected
Fee Waived
Fee Refunded
Number of Requests
Amount
Number of Requests
Amount
Number of Requests
Amount
Application
0
$30.00
5
$0.00
0
$0.00
Other fees
0
$0.00
0
$0.00
0
$0.00
Total
6
$30.00
5
$0.00
0
$0.00
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
4
189
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
4
189
0
0
Closed during the reporting period
4
189
0
0
Carried over within negotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
4
0
0
0
4
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
4
0
0
0
4
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Investigations and Reports of finding
9.1 Investigations
Section 32 Notice of intention to investigate
Subsection 30(5) Ceased to investigate
Section 35 Formal Representations
3
0
0
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports
Section 37(2) Final Reports
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
1
1
1
1
1
1
Section 10: Court Action
10.1 Court actions on complaints
Section 41
Complainant (1)
Institution (2)
Third Party (3)
Privacy Commissioner (4)
Total
0
0
0
0
0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
Section 11: Resources Related to the Access to Information Act
11.1 Allocated Costs
Expenditures
Amount
Salaries
$100,000
Overtime
$0
Goods and Services
$194,640
Professional services contracts
$194,640
Other
$0
Total
$294,640
11.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.000
Part-time and casual employees
1.000
Regional Staff
0.000
Consultants and agency personnel
1.000
Students
1.000
Total
3.000
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act
2.1 Number of weeks your institution was able to process paper records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
Section 3: Open Requests and Complaints Under the Privacy Act
3.1 Number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as
Open Requests that are Beyond Legislated Timelines as of March 31, 2023
Total
Received in 2022-23
2
3
5
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-20
0
0
0
Received in 2018-19
0
1
1
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15
0
0
0
Received in 2013-14 or earlier
0
0
0
3.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Open Requests that are Within Legislated Timelines as
The Privacy Act gives individuals the right to access information about themselves that is held by the National Security and Intelligence Review Agency Secretariat, subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.
Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.
This report to Parliament, which is prepared and tabled in accordance with section 72 of the Privacy Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the Act during the period of April 1, 2022 to March 31, 2023.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat assists NSIRA in fulfilling its mandate. It is the NSIRA Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Privacy Act and the Access to Information Act.
Mandate
The NSIRA Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office – Organizational Structure
NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act. For the reporting period, the NSIRA ATIP office consisted of:
1 Full-time Access to Information Consultant;
1 Part-time Privacy Consultant; and
1 Full-time ATIP Manager who fulfilled the duties that would normally be carried out by an ATIP Coordinator, as well as managed the ATIP Office in addition to fulfilling normal duties as Manager of Administrative Services for the Secretariat and Agency Members.
NSIRA Secretariat Senior General Counsel and Corporate Counsel supported the ATIP Office on an as required basis.
The ATIP Office is responsible for the following:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the Access to Information Act and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments.
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.
The NSIRA Secretariat was a party to a service agreement under section 73.1 of the Privacy Act during the reporting period, pursuant to which it received administrative services from the Privy Council Office related to the tabling of the Privacy Act annual report in Parliament. The NSIRA Secretariat was also a party to a service agreement under section 71.1 of the Act, pursuant to which it received ATIP Online services from the Treasury Board of Canada Secretariat.
To assist the ATIP Office in meeting its overall legislative obligations, the NSIRA Secretariat relied on a collaborative internal group of subject matter points of contact from all its branches.
Delegation Order
The Executive Director, as the Head of the NSIRA Secretariat, is responsible for the administration of the Privacy Act within the institution. Pursuant to section 73 of the Privacy Act, the Executive Director has delegated the ATIP Manager and ATIP Officer – as well as persons acting in these positions – to perform powers, duties, and functions for the administration of the Act. These positions have limited delegation of authority under the Act and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Privacy Act Delegation Order can be found in Appendix A.
Performance 2022-2023
Performance in Processing Privacy Requests
During the reporting period, from April 1, 2022 to March 31, 2023, the NSIRA Secretariat received 12 formal requests. All 12 requests were completed during the reporting period. No requests were carried over from the previous reporting period.
Statistical Reports for 2022-2023
The institution’s 2022-2023 Statistical Report on the Privacy Act and Supplemental ATIP Statistical Report for 2022-2023 are found in Appendices B and C.
Extensions and Completion Time of Closed Requests
During the reporting period, the NSIRA Secretariat invoked extensions in processing 5 requests: 3 extensions of 31 to 60 days, and 2 extensions of 61 to 120 days, all of which included extensions necessary to consult with third parties.
Of the requests completed during the reporting period:
1 request, or 8.33% of the requests completed, was disclosed in its entirety. This request was completed within 16 to 30 days.
4 requests, or 33.33% of the requests completed, were disclosed in part. 1 request completed within 16 to 30 days, 2 requests completed within 31 to 60 days, and 1 request completed within 61 to 120 days.
7 requests, or 58.33% of the requests completed, resulted in no records. 1 request completed within 1 to 15 days, 4 requests completed within 16 to 30 days, 1 request completed within 31 to 60 days, and 1 request completed within 61 to 120 days.
The NSIRA Secretariat’s responses to many requests required intensive review of complex records, including extensive internal and external consultations. In 2022-23, the NSIRA Secretariat’s on-time response rate decreased to 58.33% from 71% in the previous reporting year.
Consultations
No consultations were received by the NSIRA Secretariat during the reporting period.
Impact of COVID-19 Measures
During the reporting period, the NSIRA Secretariat was not affected by measures related to the COVID‑19 pandemic.
Complaints and Investigations
During the reporting period, the NSIRA Secretariat received 9 privacy complaints, 2 of which were related to access. All 9 complaints remained active on March 31, 2023.
Moreover, one privacy breach-related investigation initiated by the Privacy Commissioner in fiscal year 2020-2021 continued during the reporting period and remained active on March 31, 2023.
Training and Awareness
During the reporting period, privacy training requirements were identified for all NSIRA Secretariat employees, as well as for those with functional or delegated responsibility for the administration of the Privacy Act, in accordance with the Directive on Personal Information Requests and Correction of Personal Information. The Canada School of Public Service course Access to Information and Privacy Fundamentals (COR502) was included as mandatory training in all employees’ training curriculum.
In addition, an all-staff lunch and learn session was held in August 2022 to provide employees with a debrief of the International Association of Privacy Professionals Privacy Conference.
Policies, Guidelines, and Procedures
The NSIRA Secretariat updated the Delegation Order during the reporting period and also established its internal Directive on Managing Security and Safety Events in March 2023, which provides for coordination with the ATIP Office and Office of Primary Interest when a security event involves a suspected or actual privacy breach.
Initiatives and Projects to Improve Privacy
The NSIRA Secretariat’s IT team began work to develop an ATIP software tool for our classified and unclassified systems. The NSIRA Secretariat also signed a memorandum of understanding with TBS to make full use of ATIP Online and implemented the tool during the reporting period.
Summary of Key Issues and Actions Taken on Complaints
As previously outlined, all 9 complaints received during the reporting period remained active on March 31, 2023. The NSIRA Secretariat meaningfully engaged with the Office of the Privacy Commissioner on all active investigations and disclosed additional records in 1 of the 2 access-related complaints.
Material Privacy Breaches
In the 2022-2023 reporting period, no material privacy breaches occurred.
Privacy Impact Assessments
The NSIRA Secretariat did not complete any PIAs in 2022-2023. During the reporting period, the NSIRA Secretariat received feedback from TBS for its PIA on the creation of NSIRA — which had been submitted to TBS in FY 2021-2022 — and undertook revisions to the PIA. During the reporting period, the NSIRA Secretariat also launched a PIA exercise pertaining to its investigations-related activities.
Public Interest Disclosures
No disclosures were made pursuant to paragraph 8(2)(m) of the Privacy Act during the reporting period.
Monitoring Compliance
In order to meet the legislative deadlines for privacy requests, deadlines for individual requests are strictly monitored by using MS Outlook reminders. The ATIP Manager organizes ad hoc meetings to discuss request-related activities (such as whether inter-institutional consultations are necessary), determine deadlines and ensure that all team members are informed of the status of files. At bi-weekly team meetings with the Senior General Counsel and Corporate Counsel, the ATIP Manager raises and discusses compliance with legislative and policy obligations. The Executive Director is also briefed on all ATIP compliance issues.
For contracts issued during the reporting period, the NSIRA Secretariat included a Standard Procurement Clause on the Handling of Personal Information or a Supplemental General Condition on Personal Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2022-2023 Statistical Report on the Privacy Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2022-04-01 – 2023-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
12
Outstanding from previous reporting period
0
Outstanding from more than one reporting period
0
Total
12
Closed during reporting period
12
Carried over to next reporting period
0
Carried over within legislated timeline
0
Carried over beyond legislated timeline
0
1.2 Channels of requests
Source
Number of Requests
Online
10
E-mail
2
Mail
0
In person
0
Phone
0
Fax
0
Total
12
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
0
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
0
Closed during reporting period
0
Carried over to next reporting period
0
2.2 Channels of informal requests
Source
Number of Requests
Online
0
E-Mail
0
Mail
0
In person
0
Phone
0
Fax
0
Total
0
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
0
0
0
0
0
0
0
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
Section 3: Requests Closed During the Reporting Period
3.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
1
0
0
0
0
0
1
Disclosed in part
0
1
2
1
0
0
0
4
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
1
4
1
1
0
0
0
7
Request abandoned
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Total
1
6
3
2
0
0
0
12
3.2 Exemptions
Section
Numbers of Requests
18(2)
0
19(1)(a)
0
19(1)(b)
0
19(1)(c)
0
19(1)(d)
0
19(1)(e)
0
19(1)(f)
0
20
0
21
1
22(1)(a)(i)
3
22(1)(a)(ii)
0
22(1)(a)(iii)
0
22(1)(b)
4
22(1)(c)
0
22(2)
0
22.1
0
22.2
0
22.3
0
22.4
0
23(a)
0
23(b)
0
24(a)
0
24(b)
0
25
0
26
0
27
2
27.1
0
28
0
3.3 Exclusions
Section
Numbers of Requests
69(1)(a)
0
69(1)(b)
0
69.1
0
70(1)
0
70(1)(a)
0
70(1(b)
0
70(1)(c)
0
70(1)(d)
0
70(1)(e)
0
70(1)(f)
0
70.1
0
3.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
0
5
0
0
0
0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
795
795
5
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
1
1
0
0
0
0
0
0
0
0
Disclosed in part
3
150
0
0
1
644
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Total
4
151
0
0
1
644
0
0
0
0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.7 Other complexities
Disposition
Consultation Required
Assessment of Fees
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
0
Disclosed in part
0
0
0
0
0
All exempted
0
0
0
0
0
All excluded
0
0
0
0
0
Request abandoned
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
Total
0
0
0
0
0
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
7
Percentage of requests closed within legislated timelines (%)
58.33333333
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
5
0
3
0
2
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
1
1
16 to 30 Days
1
0
1
31 to 60 Days
1
1
2
61 to 120 Days
1
0
1
121 to 180 Days
0
0
0
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
3
2
5
3.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 4: Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e)
Paragraph 8(2)(m)
Subsection 8(5)
Total
0
0
0
0
Section 5: Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received
Number
Notations attached
0
Requests for correction accepted
0
Total
0
Section 6: Extensions
6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
3
0
1
0
0
0
2
0
0
6.2 Length of extensions
Length of Extensions
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
1 to 15 days
0
1
0
0
0
2
0
0
16 to 30 days
0
0
0
0
0
3
0
0
31 days or greater
0
Total
0
1
0
0
0
2
0
0
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
0
0
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
0
0
0
0
Closed during the reporting period
0
0
0
0
Carried over within regotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Complaints and Investigations Notices Received
Section 31
Section 33
Section 35
Court action
Total
1
8
0
0
9
Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)
10.1 Privacy Impact Assessments
Number of PIA(s) completed
Number of PIAs modified
0
0
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks
Active
Created
Terminated
Modified
Institution-specific
0
0
0
0
Central
0
0
0
0
Total
0
0
0
0
Section 11: Privacy Breaches
11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS
Number of material privacy breaches reported to OPC
0
0
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
Section 12: Resources Related to the Privacy Act
12.1 Allocated Costs
Expenditures
Amount
Salaries
$60,000
Overtime
$0
Goods and Services
$5,000
Professional services contracts
$5,000
Other
$0
Total
$65,000
12.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.000
Part-time and casual employees
1.000
Regional Staff
0.000
Consultants and agency personnel
0.500
Students
0.000
Total
1.500
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act
2.1 Number of weeks your institution was able to process paper records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
Section 3: Open Requests and Complaints Under the Privacy Act
3.1 Number of open requests that are outstanding from previous reporting periods.
Fiscal Year Open Requests Were Received
Open Requests that are Within Legislated Timelines as
Open Requests that are Beyond Legislated Timelines as of March 31, 2023
Total
Received in 2022-23
0
0
0
Received in 2021-22
0
0
0
Received in 2020-21
0
0
0
Received in 2019-20
0
0
0
Received in 2018-19
0
0
0
Received in 2017-18
0
0
0
Received in 2016-17
0
0
0
Received in 2015-16
0
0
0
Received in 2014-15
0
0
0
Received in 2013-14 or earlier
0
0
0
3.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods
Fiscal Year Open Complaints were received by institutions
Open Requests that are Within Legislated Timelines as
Received in 2022-23
9
Received in 2021-22
0
Received in 2020-21
0
Received in 2019-20
0
Received in 2018-19
0
Received in 2017-18
0
Received in 2016-17
0
Received in 2015-16
0
Received in 2014-15
0
Received in 2013-14 or earlier
0
Total
9
Section 4: Social Insurance Number
Has your institution begun a new collection or a new consistent use of the SIN in 2022-23?
No
Section 5: Universal Access under the Privacy Act
How many requests were received from confirmed foreign nationals outside of Canada in 2022-2023?
The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, January 1, 2020, to the end of the previous calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under ACA.
This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the pandemic impacted their information sharing activities, thus impacting the number of cases requiring further review as per the ACA. As such, NISIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.
As part of the review, NSIRA examined the case triage process of all twelve departments. NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.
In keeping with NSIRA’s 2020 Annual Report which emphasized the implementation of a “trust but verify” approach for assessing information provided over the course of a review, NSIRA continues to work on various verification strategies with the Canadian intelligence community. However, due to the continuing COVID-19 pandemic, implementation of verification processes was not possible across all twelve departments which fall under the ACA. Notwithstanding, the information provided by departments has been independently verified by NSIRA through documentation analysis and meetings with department subject matter experts, as warranted. Further work is underway to continue developing an access model for the independent verification of information relevant to ACA considerations.
The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, January 1, 2020, to the end of the previous calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under ACA.
This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the pandemic impacted their information sharing activities, thus impacting the number of cases requiring further review as per the ACA. As such, NISIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.
While NSIRA was pleased with the considerable efforts made by many departments new to ACA in building their frameworks, Canada Boarder Services Agency (CBSA) and Public Safety did not finalize their policy frameworks in support of the Directions received under the ACA for the review period.
As part of the review, NSIRA examined the case triage process of all twelve departments. NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.
A case sent to both GAC and CSIS was reviewed by NSIRA for its implications under the ACA. While the information was ultimately not shared with the requesting foreign entity, nonetheless, NSIRA found that the risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.
Mitigation measures used by departments were also reviewed this year, since they are an integral part in the information sharing process for departments. NSIRA observed that there are gaps in departments’ ability to verify whether a country or entity has actually complied with caveats or assurances because of the difficulty in tracking compliance to mitigation measures.
NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and Directions, irrespective of whether or not a department reported any cases to its deputy head. Finally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.
In keeping with NSIRA’s 2020 Annual Report which emphasized the implementation of a “trust but verify” approach for assessing information provided over the course of a review, NSIRA continues to work on various verification strategies with the Canadian intelligence community. However, due to the continuing COVID-19 pandemic, implementation of verification processes was not possible across all twelve departments which fall under the ACA. Notwithstanding, the information provided by departments has been independently verified by NSIRA through documentation analysis and meetings with department subject matter experts, as warranted. Further work is underway to continue developing an access model for the independent verification of information relevant to ACA considerations.
Authorities
This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or the Act).
Introduction
Review background
Departments and agencies in the Government of Canada routinely share information with a range of foreign entities. However such practices can sometimes bring into play a risk of mistreatment for individuals who are the subjects of these exchanges or other individuals. It is therefore incumbent upon the Government of Canada to evaluate and mitigate the risks that this sharing entails.
In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The aim of the framework was to establish a coherent approach across government when sharing with and receiving information from foreign entities. Following this, Ministerial Direction was issued to applicable departments in 2011 (Information Sharing with Foreign Entities), and then again in 2017 (Avoiding Complicity in Mistreatment by Foreign Entities).
On July 13, 2019, the ACA came into force. The preamble of the Act recognizes Canada’s commitments with respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment. The Act also recognizes that information needs to be shared to enable the Government to fulfill its fundamental responsibility to protect Canada’s national security and the safety of Canadians.
On September 4, 2019, pursuant to section 3 of the ACA, the Governor in Council (GiC) issued written directions (Orders in Council (OiCs) or Directions) to the deputy heads of 12 departments and agencies. This added six new Canadian entities in addition to those that were already associated with the 2011 and 2017 Directions.
This report is NSIRA’s first full year assessment of the implementation of the Directions issued under ACA for the 2020 calendar year. The review builds upon two previous reviews conducted in respect of avoiding complicity in mistreatment. The first was in respect to the 2017 Ministerial Directions, while the second assessed the Directions issued under the ACA, but was limited to the four months from when the Directions were issued to the end of the 2019 calendar year.
ACA and Directions
The ACA and the Directions issued under its authority seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department or agency and a foreign entity. The Act and the Directions also aim to limit the use of information received from a foreign entity that is likely to have been obtained through the mistreatment of an individual.
Under the authority of subsection 3(1) of the Act, the Directions issued to the 12 departments and agencies are near identical in language and focus on the three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.
In regards to disclosure of information, the Directions state:
If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that the Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.
With respect to requesting information, the Directions read as follows:
If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.
Lastly, as it relates to the use of information, the Directions provide:
The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department (a) in any way that creates a substantial risk of further mistreatment; (b) as evidence in any judicial, administrative or other proceeding; or (c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.
The consideration of substantial risk figures prominently in subsection 3(1) of the Act as well as the Directions. In considering whether to disclose or request information, a department must determine whether a substantial risk is present and if so whether it can be mitigated. As noted in the previous reviews on information sharing, the ACA does not define “substantial risk”. Departments refer to a definition of this term as set out in the 2017 Ministerial Directions as a general starting point when conducting assessments under the ACA. The 2017 Ministerial Directions define substantial risk as:
‘Substantial risk’ is a personal, present and foreseeable risk of mistreatment that is real and is based on something more than mere theory or speculation. In most cases, the test of a substantial risk of mistreatment would be satisfied when it is more likely than not there would be mistreatment; however, in some cases, particularly where the risk if of severe harm, the standard of substantial risk may be satisfied at a lower level of probability.
Based on the outcome of these determinations, the decision may be to approve, deny, or elevate to the Deputy Head for his or her consideration. Substantial risk is also contemplated in the consideration of the use of information received from a foreign entity. If it is evaluated that the information was likely obtained from the mistreatment of an individual, the department is prohibited from using the information in any way that creates a substantial risk of further mistreatment.
Throughout the process to determine whether to disclose or use information, the Directions require that the accuracy, reliability, and limitations of use of all information being handled are appropriately described and characterized.
Additionally, reporting requirements are found at sections 7 and 8 of the Act as well as within the Directions. Among these requirements, the Minister responsible for the department must provide a copy of the department’s annual report in respect of the implementation of the Directions during the previous calendar year as soon as feasible to NSIRA, the National Security and Intelligence Committee of Parliamentarians (NSICoP) and, if applicable, the Civilian Review and Complaints Commission (CRCC) for the Royal Canadian Mounted Police. Reporting requirements as articulated in the Directions oblige the reporting of decisions which were considered by the Deputy Head in regards to disclosure, requesting of information, or authorizing use of information that would deprive someone of their rights or freedoms be made as soon as feasible to the responsible Minister, NSIRA, and NSICoP.
Review Objectives and Methodology
The review period was January 1, 2020 to December 31, 2020. The objectives of this review included:
Following-up on departments’ implementation of the directives received under the ACA;
Assessing departments’ operationalization of frameworks/processes that enable them to meet the obligations set out in the ACA and directives; and
Assessing coordination and consistency in implementation across applicable departments.
Additionally, NSIRA evaluated all twelve ACA member departments’ ‘case triage’ frameworks (i.e., the combination of policy assessment criteria and a pre-determined ‘escalation ladder’ for cases that require higher levels of managerial approvals). Refer to annexes B to M that provide additional details on each departments’ triage process. Finally, NSIRA reviewed the use and policies around departmental mitigation measures.
FINDINGS
Reporting and Framework Updates
As per the Act, all twelve departments fulfilled their obligations to report to their respective ministers and NSIRA on progress made in operationalizing frameworks and identifying cases escalated to the deputy head level.
Of the nine departments who had reported to NSIRA last year that they had finalized frameworks, all continued to refine assessment protocols over the 2020 review period. Based on submissions to NSIRA, TC has developed a corporate policy to highlight the department’s ACA-related requirements. However, CBSA and PS had yet to finalize their ACA policy. As a result, employees may not have adequate and up to date guidance on how to make determinations related to the ACA.
NSIRA Finding #1: NSIRA found that CBSA and PS did not finalize their policy frameworks in support of Directions received under the ACA over the review period.
Referrals to Deputy Head
The Directions specify that when departmental officials are unable to determine whether the risk of mistreatment arising from a disclosure of or request for information can be mitigated, the matter must be referred to the Deputy Head. The Directions also require the Deputy Head, or in exceptional circumstances a senior official designated by the Deputy Head, to determine the matter where the use of information that is likely to have been obtained through mistreatment of an individual by a foreign entity would in any way deprive an individual of their rights or freedoms and the use of this information is necessary to prevent loss of life or significant injury. In 2020, no cases were escalated to the deputy head level. NSIRA sought clarification on the absence of cases referred; the most common reason provided by departments for this outcome was that cases were either mitigated before deputy head involvement and/or this was a result of an overall reduction in the number of foreign information exchanges generally due to the ongoing pandemic.
NSIRA Finding #2: NSIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.
Case Triage
Typically, when departments are making ACA applicability decisions, they employ varying “case triage” processes, that is, the combination of policy assessment criteria and a pre-determined ‘escalation ladder’ for cases that require higher levels of managerial assessment. NSIRA closely evaluated all twelve ‘case triage’ frameworks of the departments subject to the ACA (Refer to Annex B-M). In carrying out this work, NSIRA noted some issues in the implementation of triage systems; for example, there were instances of not having one designed and of information being outdated.
NSIRA observed that there were two main types of initial case triage processes: case-by-case, where the framework places the onus on the working level official to first make determinations based on policy assessment tools, relevant training, and individual experience; and country assessment rating, which emphasizes the initial use of a country-based risk level that may trigger case escalation. A country assessment rating is a representation of the assessed risk of mistreatment associated to a country, based on a number of criteria and often derived from a range of sources.
Initial Case Triage Category 1: Case-by-Case
All departments use working level officials to determine whether there is a risk of mistreatment. When a working level officials’ assessment is inconclusive as to whether a substantial risk of mistreatment exists, they will defer the decision to a higher management authority. NSIRA has developed Figure 1 to illustrate this type of triage process where the working level official consults assessment tools at his or her disposal to determine whether a substantial risk of mistreatment exists.
Initial Case Triage Category 2: Informed by Country Assessment Rating
CSIS, CSE, FINTRAC, and RCMP require working level officials to use country assessment ratings that may trigger case escalation. For example, NSIRA has developed Figure 2 to illustrate this type of triage process where country assessment ratings may trigger case escalation.
Case Escalation
In addition to the two categories of case triage frameworks identified above, all departments except for FINTRAC, PS, CSE and TC make use of internal consultation groups/senior decision making committees when cases are identified as requiring consultation/escalation (e.g. working groups and senior management committee secretariats). The following table illustrates the various consultation groups across departments that would make determinations related to the ACA.
The general purpose of consultation groups is to serve as a single point of contact for employees who require assistance in assessing foreign information sharing activities or interpreting policy and procedure. Senior decision making committees are responsible for making determinations on the information exchange. They are the final decision making authority prior to escalation to the deputy head. NSIRA observed that leveraging the overall expertise of these groups may assist officials in consistently applying assessment criteria, as well as provide greater oversight for information exchanges with foreign entities.
Consistency in Implementation Across Departments
Beginning with the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities, it was required that departments maintain policies and procedures to assess the risks of information sharing relationships with foreign entities. While not specified in the Act or Directions, departments continue to implement country and entity assessments, a practice NSIRA has supported. NSIRA has previously raised concerns regarding the absence of unified and standardized approach to departments’ country assessments. The PCO-led community response to last year’s recommendation on this element stated in part that:
The information sharing activities of these organizations all serve either an intelligence, law enforcement, or administrative purpose with each carrying different risk profiles, privacy concerns, and legal authorities. Individual departments and agencies are responsible for establishing specific thresholds or triggers in their information sharing frameworks that are appropriate for their operational contexts. It is the view of the Government of Canada that applying the same threshold across all organizations for triggering, evaluating, and elevating cases is not necessarily practical nor essential to ensuring that each department or agency is operating in compliance with the Act.
In order to engage in the questions to which the divergence of thresholds gives rise, NSIRA asked departments to rank bi-lateral information exchanges with foreign partners in terms of volume, excluding exchanges with [***example of foreign entity information sharing***]. Nine of the twelve departments identified ███████ as a foreign exchange entity, a country which is widely recognized as having human rights concerns.
NSIRA then selected only those departments that initially utilize country assessment ratings as a triage method (i.e. FINTRAC, RCMP, CSIS and CSE). [***description of how departments determined foreign entity example***]. Nonetheless, in carrying out this analysis, NSIRA observed that all four departments relied on a combination of open source human rights reports and consultations with other departments. Additionally, RCMP, CSIS and CSE utilize classified intelligence sources.
However, although these departments utilize a similar approach when assessing a country, the assigned rating for ████ was not consistent. CSIS assigned █████████████; FINTRAC and RCMP assigned a [***description of department’s specific ratings***] ; and finally, CSE assigned a ██████ rating.
NISRA examined to what degree country ratings affected the level of approval required for an information exchange. Because CSE has assigned a rating of █████ when they receive a request from ████, a CSE official could require [***description of the factors used to determine the appropriate level process***] CSE acknowledged that its “human rights assessments do not necessarily correlate with the risk level assigned to an instance of sharing,” and nor do they “necessarily correlate to levels of approval or to restrictions to sharing.” [***description of the factors used to determine the appropriate level process***]
In contrast, according to their framework and methodology, an exchange with any one of the █████ authorities listed in the RCMP’s country and entity assessment list could result in an [***description of department’s specific ratings***] because █████ is associated with a country assessment rating. When an entity is yellow, the employee must consider whether or not there is a risk of mistreatment by looking at a list of criteria. If one or more of these criteria exist, the employee must send the case to a senior management committee. NSIRA observes that where the RCMP has a red country rating, the working level official must escalate to the senior management committee. Therefore, unlike CSE and CSIS, country ratings within the RCMP have direct impacts on approval levels.
NSIRA’s ACA report from last year recommended that departments should identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach when interacting with Foreign Entities of concern. While PCO disagreed with this recommendation, NSIRA believes that there remain concerns regarding divergences in country and risk assessments.
NSIRA Finding #3: NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be scalated, significant divergences in the evaluation of risk and the required level of approval emerge.
Following this review, NSIRA intends to further scrutinize the processes employed regarding ACA triage and decision making by reviewing GAC and RCMP.
A case study as provided for in Box 1 exemplifies the divergent nature on the evaluation of risk where two departments’ considered responding to an identical request made by a foreign entity.
Box 1: A divergent decision-making process
[***description of the case study***] The foreign entity provided this information to GAC and CSIS and requested confirmation [***description of the information sharing request***]
In considering whether to respond to this request, GAC determined that the human rights record of the country in question generally and of the foreign entity specifically making the request were of significant concern. GAC’s senior decision making committee, working under the presumption that the individual’s detention was ongoing, considered whether the disclosure of this information “would not substantially increase the detainee’s risk of mistreatment.” The senior decision making committee determined that confirmation of the individual’s previous employment status with GAC was permissible, subject to the determination of CSIS’s assessment.
Ultimately, the decision by CSIS was made by a DG-level executive and, as the foreign entity was listed by CSIS as a restricted partner, information was not shared.
The assessment by GAC’s senior decision-making committee is of concern. The Act and the Directions impose that departments consider whether disclosing or requesting information “would result in a substantial risk of mistreatment.” [***legal advice to department***]
NSIRA agrees with this interpretation of the law, but not with its implementation by GAC in this case. GAC’s position was that responding to the request “would not aggravate” the risk of mistreatment. However, NSIRA is of a different view. Regardless of the information sought, the human rights record of the foreign entity and of the foreign country was of significant concern, and GAC was operating under the presumption that the individual may have already been subjected to mistreatment. While GAC’s sharing could not have accounted for any mistreatment that could have occurred earlier, responding to the request given the facts of this case would have nonetheless resulted in a substantial risk of mistreatment. Therefore, this case should have been refered to the Deputy Minister of Foreign Affairs for consideration.
NSIRA also observes that this case was triaged at different levels within GAC and CSIS. In GAC’s triage process, the decision was made at the higher senior decision-making committee that disclosure was permissible. Comparatively, CSIS’s decision-making process was completed prior to reaching their senior-level committee and yielded the opposite result. The different levels of decision-making and different outcomes underscore a problematic inconsistency in how each organization considers the same information to be disclosed to the same foreign entity. Furthermore, while a department responsible for the information may consult with other departments as to whether disclosure of information is permissible, it cannot abdicate this responsibility and decision-making to another department.
NSIRA Finding #4: NSIRA found a procedural gap of concern in a case study involving the disclosure of information, even though information was ultimately not shared. The risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.
Mitigation Measures
Use of Mitigation Measures
To decrease the risk of mistreatment, departments will employ mitigation measures such as caveats, assurances, sanitization, and redactions. The most common mitigation measures are caveats and assurances. Caveats are specific stipulations appended to information to limit or prohibit certain uses of information unless otherwise authorized by the issuing department. For example, any departments use a ‘third party’ caveat that restricts further dissemination of the information to other departments (domestic and foreign), unless the originating department is consulted on the request to share.
Assurances are not specific to a single information exchange; rather, these are agreements with foreign entities (whether formal or informal), which aim to help ensure that a particular foreign entity understands Canada’s position on human rights and that the entity, in turn, agrees to comply with this expected behaviour. For example, when formulating a risk mitigation strategy for an information exchange, departments will consider written or verbal assurances, who provided the assurance (i.e. working level official or agency head), and whether the assurance is considered credible and reliable.
Furthermore, CSIS, CSE, and GAC have highlighted a number of differences in the types of assurances sought, including a number of informal and formal methods. For example, verbal assurances, scheduled formal assurances, and ad-hoc written assurances can be sought by various levels.
In a related issue, NSIRA observed that there are [***description and an example of a Department’s ability to track compliance***] CSIS, GAC, and CSE indicated that there is ████████████████████████████████████████████████████████████ is not specific to the ACA but is nonetheless key ████████████ when exchanging information with the Government of Canada.
Given that no cases were escalated to the level of deputy head, departments’ lower-level use of mitigation strategies would have taken on considerable prominence in decision making. In a subsequent review, NSIRA intends to further investigate policies of mitigation measures pertaining to their use and tracking.
CONCLUSION
This review assessed departments’ implementation of the directives received under the ACA and their operationalization of frameworks to address ACA requirements.
NSIRA’s first review of departments’ implementation of the Act and Directions was limited to a four month period (September-December 2019). As such, this review constitutes the first examination of the ACA over the course of one full year. NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and Directions, irrespective of whether or not a department reported any cases to its deputy head. Additionally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.
Annex A: Findings
NSIRA Finding #1: NSIRA found that CBSA and PS did not finalize their policy frameworks in support of Directions received under the ACA over the review period.
NSIRA Finding #2: NSIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.
NSIRA Finding #3: NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.
NSIRA Finding #4: NSIRA found a procedural gap of concern in a case study involving the disclosure of information, even though information was ultimately not shared. The risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.
Annex B: Canada Border Services Agency
Framework updates: In 2018, Canada Border Services Agency (CBSA) issued a high-level policy document in response to the 2017 MD. Since then, CBSA has drafted updated policies and procedures that have not yet been finalized.
Working Groups: CBSA Avoiding Complicity in Mistreatment Working Group (ACMWG)
Senior Management Committee: Senior Management Risk Assessment Committee (SMRAC). This committee convenes on an as needed basis, to assess cases that have a potential for mistreatment.
[***description of CBSA’s decision making methodology***]
Country Assessment: In-house risk scoring template under development
Mitigation Measures: The CBSA is currently working to strengthen its formal framework/process for deciding whether substantial risk of mistreatment associated with a given request can be mitigated.
Annex C: Canada Revenue Agency
Framework Updates: The Canada Revenue Agency (CRA) indicated that it did not make any changes to its framework since last year’s response. The department continues to refine its processes and has developed the Canada Revenue Agency Exchange of Information Procedures in the Context of Avoiding Complicity in the Mistreatment by Foreign Entities Act.
[***departmental cabinet confidence***]
Working group: The CRA formed a Risk Assessment Working Group (RAWG) that developed a methodology to assess the human rights records of its information exchange partners, so that senior management can make informed assessments of the risk of mistreatment.
Canada has a large network of international partners with 94 tax treaties and 24 Tax Information Exchange Agreements. Canada is also a party to the Convention on Mutual Administrative Assistance in Tax Matters (MAAC), which includes 144 signatories. These International Legal Agreements allow the CRA to exchange information on request, spontaneously and automatically. Each legal agreement includes secrecy provisions (caveats) that govern appropriate use and disclosure. In addition, members of the Global Forum (Global Forum) on Transparency and Exchange of Information for Tax Purposes are subject to peer reviews on a cyclical basis, including on Confidentiality and Data Safeguard .
Senior Management Committee: During the review period a senior committee was not in place, however there was a formal process to escalate reviews/risk assessment through the Director, Director General and ultimately the Assistant Commissioner of the Compliance Programs Branch (CPB) who is accountable for the administration of the ACA.
Additionally, in July 2021, the CRA established an ACA governance framework that includes the ACA Panel, a senior management consultative committee to support risk assessments, reporting, recommendations, and priorities. The panel currently consists of DGs and Directors within the CPB and the Legislative Policy and Regulatory Affairs Branch. Also in July 2021, the CRA established an executive level committee to consider and develop recommendations on case specific engagements as well as issue identification and guidance. The committee consists of Directors across several directorates of the CRA that manage programs that are directly impacted by/reliant on exchange of information with other jurisdictions.
Triage: The initial assessment is done by a working level employee and requires, at minimum, director approval. The case may escalate to the DG and the AC and so on if there is doubt about risk mitigation.
In cases where risk was identified, there were challenges in conducting full assessments to determine if the risk was substantial, the CRA delayed disclosing the information until the full assessment could be completed. This was largely in part due to COVID-19. As such, files that normally would have been referred were temporarily put on hold and no action was taken during the review period.
The CRA informed NSIRA that funding from the November 2020 Fall Economic Statement was allocated to the creation of a dedicated risk assessment team. It is anticipated that the development and regular updating of country-level assessments and the preparation of individual-level risk assessments will transition to this new dedicated team housed within the CPB, in summer 2021.
The team will also be responsible for:
Creating and formalizing the framework for consulting with CRA senior management and other government departments and agencies;
Advising CRA officials who engage in exchange of information (EOI);
Identifying mitigation and other factors specific to the type of information that CRA exchanges and that would impact risk assessment;
Preparing annual and other reporting required under the Act and Directions;
Providing awareness and training sessions; and
Continuously improving documentation, policies, guidance, and procedures.
Country/Entity Assessments: Since January 2020, the CRA has completed their own set of mistreatment risk assessments for each potential information exchange, including the use of information received from the CRA’s information exchange partners in consultation with other Government of Canada partners. The CRA can only exchange information with another jurisdiction pursuant to a treaty, tax convention or other legal instrument that permits exchange of tax information.
The CRA uses a colour coded system to rate the risk related to a country: green; yellow; red. However, for specific or spontaneous exchanges of information, the CRA completes an analysis based on the specifics of the file to supplement the country specific risk assessment.
Mitigation Measures: Mitigation measures, including caveats (data safeguards and confidentiality provisions) are embedded in all legal instruments that govern and allow for all the CRA’s exchanges of information, while peer reviews of jurisdictions’ legal frameworks and administrative practices provide assurances of exchange partners’ compliance with international standards for exchange of tax information. According to CRA, all information exchanged during the review period were subject to these mitigation measures. Due to COVID19, and for the period under review, the CRA put on hold all exchanges where it was deemed there may be a residual potentially significant risk of mistreatment until a process and mitigation measures were in place, including to redact information. However, the CRA routinely redacted personal information where it would not impact the substance of the exchange for those mitigated risk exchanges that did proceed during this period.
Annex D: Communications Security Establishment
Framework Updates: No changes made to the framework in 2020. It is the same procedure as the last review period.
Working group: Based on the RFI, there are no working groups leveraged to assess the level of risk of mistreatment. The Mistreatment Risk Assessment Process follows a process that has been refined continuously since its inception in 2012. The higher the level of risk (low, medium, high, substantial), the higher approval authority required to exchange or use information.
Senior Management Committee: There is no Senior Management Committee. As explained above, CSE relies on an approval authority scale based on the level of risk (from low to substantial). Senior level officials are involved in the process when there are medium and high-risk cases, which require Director and Director General/Deputy Chief approval, respectively.
Triage: A CSE official performs an initial assessment by consulting the Mistreatment Risk Assessment (MRA), which considers equity concerns, geolocation and identity information, human rights assurances, risk of detention and a profile of the recipients’ human rights practices.
Low (For Low Risk Nations)
If the MRA indicates a low level of risk, the official will need Supervisor [***specific unit***], approval if they wish to proceed with the information exchange or use.
Low (For non-Low Risk Nations)
If the MRA indicates a low level of risk, the official will need Manager [***specific unit***], approval if they wish to proceed with the information exchange or use.
Medium
If the MRA indicates a medium level of risk, the official will need Director, Disclosure and Information Sharing approval if they wish to proceed with the information exchange or use.
High
If the MRA indicates a high level of risk, the official will need Director General, Policy Disclosure and Review or Deputy Chief, PolCom approval if they wish to proceed with the information exchange or use.
Substantial
If the MRA indicates a substantial level of risk, the official may not proceed with the information exchange or use.
Country Assessments: CSE establishes its own country assessments (which CSE refers to as Human Rights Assessments) by using information from OGDs, its own reporting, and open source information. Foreign entity arrangements are reviewed annually. These HRAs are part of CSE’s MRAs.
There are two types of MRAs: Annual and Case-by-case. Annual MRAs include foreign entities with whom CSE regularly exchanges information, [***description of the foreign entities with whom CSE exchanges information***] Caseby-case MRAs are conducted in response to particular requests. Case-by-case MRAs often concern individuals and information sharing activities. There are Abbreviated MRAs, which are a sub case-by-case MRA, and they are conducted for Limited Risk Nations. These nations are considered low risk by CSE.
When making MRAs, CSE does the following:
assesses the purpose of the information sharing;
verifies there are mistreatment risk management measures in existing information sharing arrangements;
reviews CSE’s internal records on the foreign entity under consideration;
consults other available Government of Canada assessments and reports related to the foreign entity;
assesses the anticipated effectiveness of risk mitigation measures; and
evaluates a foreign entity’s compliance with past assurances, based on available information.
CSE consults with GAC, DND, and the Ministers of Foreign Affairs and National Defence for some MRAs, usually case-by-case ones. CSE may also consult GAC for human rights-related advice in certain instances.
Mitigation Measures: CSE considers a number of mitigation factors, such as risk of detention, [***statement regarding information sharing obligations of partners***] caveats, formal assurances, and bilateral relationships. CSE’s principle mitigation measure is Second Party assurances. [***statement regarding information sharing obligations of partners***]
Identifying/Sensitizing: The DG, Policy Disclosure and Review or the DC PolCom review high-risk cases. 303 information-sharing requests were assessed for risk of mistreatment and 10 of them (3%) were referred to the Director, Disclosure & Information Sharing. For the 2020 review period, the Deputy Chief, Policy and Communications was responsible for ACA accountability and quality assurance.
Annex E: Canadian Security Intelligence Service
[***Info-graphic of CSIS’s Risk Assessment process***]
Framework Updates: While there were no changes during the 2020 review period, CSIS modified its procedure on January 2021. Most notably, cases will only be escalated to ISEC if the DG cannot determine if the substantial risk can be mitigated. In addition, CSIS merged the [***statement regarding internal process***] CSIS updated its human rights ‘Assurances’ procedures as a stand-alone policy. This policy requires CSIS Stations to seek assurances from [***statement regarding internal process***] coordination responsibilities for ISEC were moved to the ██████████. Through that, the █████ became ISEC’s Chair.
Triage: CSIS working-level officials do the initial assessment. This assessment requires the official to determine if one or more of the four risk criteria are met. These criteria are:
“Based on the available information about the foreign entity, if the information is disclosed or requested, is there a probability that the foreign entity will engage in torture or other forms of cruel, inhuman or degrading treatment or punishment against an individual(s)?”
“If the information is disclosed or requested, is there a probability that the foreign entity will disseminate the information in an unauthorized manner to a 3rd party, which may result in torture or other forms of cruel, inhuman or degrading treatment or punishment against an individual(s) by that 3rd party?”
“If the information is disclosed or requested, is there a probability that it may result in the extraordinary rendition of an individual(s) by the foreign entity which would lead to the individual(s) being tortured or subject to other forms of cruel, inhuman or degrading treatment or punishment?
“If the information is disclosed or requested, is there a probability or an extrajudicial killing of an individual(s) by the foreign entity or other security entities within the country?”
Four scenarios could occur before a case lands at ISEC:
[***description of four possible scenarios and the assessment criteria used to determine risk mitigation and/or ecalation***]
Working Group: While there is a senior management committee, there is no working level group on the operations side.
Senior Management Committee: ISEC is CSIS’s senior-level review committee for foreign information sharing activities. It is composed of CSIS senior managers and representatives from DoJ and GAC. This committee is responsible to determine if a case poses a substantial risk and if it can be mitigated. If ISEC cannot determine if the substantial risk is mitigatable, the case is referred to the Director. Of note, GAC and DoJ are no longer voting members on ISEC but will continue to provide feedback and advice.
Country Assessments: CSIS conducts its own country assessments. Each information exchange arrangement with a foreign entity has its own Arrangement Profile (AP). APs include a summary of the human rights summary.
Mitigation Measures: CSIS relies on a few mitigation measures. First, CSIS widely uses ‘Form of Words’, which include caveats. Second, CSIS uses assurances and relies on standardized templates provided to foreign entities. CSIS may also tailor assurances to address specific concerns, such as extra-judicial killings.
Identifying/Sensitizing Information: ██████ is responsible for CSIS’s information sharing framework. [***name of a specific unit***] is responsible for official policy management. Concerned program areas are responsible for applying related polices and procedures for ACA-related activities.
Annex F: DFO
Framework Updates: Fisheries and Oceans Canada (DFO) did not make any changes to last year’s approach.
Triage: The initial assessment is made by the person receiving the request for information sharing or who first comes into possession of information derived from a foreign source. Risk is determined on a case-by-case basis.
The sector-level analyst/officer does the initial assessment and relies on OGD assessments to determine the level of risk. They determine the level of risk in relation to the specific case and whether they assess that there is a substantial risk or not will impact the level of approval. If the analyst/officer does not think there is risk, the case may proceed. This, according to the decision screen and information received, does not require any manager or senior level approval.
If the analyst/officer believes or is unsure that there is a substantial risk, the senior-level Internal Review Committee (IRC) must seek DM approval.
Working Group: Internal Review Committee
Senior Management Committee: DFO employs the use of a decision screen and the IRC as demonstrated above. It is unclear whether DFO has developed guidance to help officials and management accurately and consistently determine the risk of mistreatment.
Country Assessments: DFO relies on country assessments conducted by GAC (as well as DFO legal services, RCMP and CSIS as needed) to make mistreatment risk determinations.
Mitigation measures: DFO indicated that it employs the use of caveats and assurances as necessary but has not yet had to seek such assurances. As such, there is no tracking mechanism in place. The Department is able to retroactively determine when, how, and why a decision was made through its record keeping system. A process is in place to record the details of each case, its evaluation process, and any resulting actions and decisions.
Annex G: Department of National Defence/Canadian Armed Forces
Framework Updates: The Department of National Defence (DND) indicated that there were no changes to its framework since last year’s response.
Triage: The process of assessing risk is largely the same across all three forms of information sharing transactions. The process involves examining country human rights conditions, and researching specific partner entities, including any reports of mistreatment. Adverse information on a foreign partner is reviewed by the Defence Information Sharing Working Group (DISWG) and recommendations are made to the implicated L1s on how to manage information sharing activities (request, disclosure, or use). There are no differences in the types of mitigation measures employed across the three forms of information sharing. The primary governance document Release and Disclosure Officers (RDOs) and Release and Disclosure Authorities (RDAs) must adhere to is the CDI Interim Functional Directive: Information Sharing with Certain Foreign States and their Entities.
Working Group: The Defence Information Sharing Working Group (DISWG) is a working-level committee led by the Release and Disclosure Coordination Office (RDCO) within CFINTCOM that serves as an advisory body to operation Commanders regarding issues covered under the ACA. This Working Group exists as a platform for open dialogue related to information sharing arrangements and transactions. This group convenes monthly, or as required.
Senior Management Committee: The Defence Information Sharing Assessment Committee (DISAC) is chaired by the Chief of Defence Intelligence / Commander CFINTCOM . The DISAC’s primary object is to act as an advisory committee for the Deputy Minister and the Chief of Defence Staff in support of their decision making regarding issues pertaining to the ACA.
Country Assessments: Currently, RDCO has established a list of low-risk countries that can be referred to by other L1s. Inclusion in this list indicates CDI’s confidence that sharing information with government entities of that foreign state can take place without a substantial risk of mistreatment. Moreover, RDCO has developed a draft methodology for Country Human Rights Profiles to classify countries as low, medium, or high risk but has only begun producing country human rights profiles on a few medium and high-risk countries and the methodology has not yet formally approved. These profiles will be used by other L1s in the development of specific Partner Entity Assessments and to inform the overall risk assessment of sharing information with foreign entities.
Information Management: There is no common shared system or repository for all RDOs. Information decisions are recorded by RDOs at the unit level. In some cases, all transactions are recorded using a spreadsheet and should include all details relating to the collection, retention, dissemination or destruction of the information, but the precise format will vary. CFINTCOM is working to standardize RDO logs across DND/CAF. From an information management perspective, there have been no changes since last year’s report. Records of discussion of all DISWG meetings are kept centrally within RDCO/CFINTCOM and it is possible to retroactively determine how and why a decision or recommendation was made.
Mitigation Measures: DND uses mitigation measures to reduce the risk of mistreatment. For example, DND uses measures such as the sanitization of information, the inclusion of caveats, and/or the seeking of assurances, including on low-risk cases in order to err on the side of caution.
Annex H: FINTRAC
Framework Updates: The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) did not make any changes to their framework for the 2020 review year.
Triage: Who does the initial assessment will depend on the risk level classification of the country. If it’s green, the intelligence analyst (IA) does the risk assessment. If it’s yellow, the IA’s team leader does the risk assessment. If it’s red, Senior Level does the risk assessment. Regardless of the determined risk level, Senior Level must ultimately approve or decline the information exchange/use.
Partnerships and Working Groups: FINTRAC makes use of external organizations, such as the Egmont group, to ensure that member organizations are adhering to global standards against mistreatment. If one of these groups is found to have breached their duty of care, and is expelled from the group, then FINTRAC will cease to exchange information until the matter has been rectified. FINTRAC enters Memoranda of Understandings (MOUs) with nations who wish to exchange information with them. To do so, each nation is assessed using a variety of criteria to determine their risk rating and whether an MOU should be established.
FINTRAC also regularly participates in ISCG meetings alongside other departments.
Senior Management Committee: FINTRAC does not have a senior management committee to determine risk like other departments. Instead, they rely on senior management and the Director to make final decisions on cases.
Country Assessments: FINTRAC established its own country assessments. Establishing each country assessment involves gathering pertinent information on the human rights situation in the country and using indicators to assess the risk level of mistreatment of each country. During the development of the country assessment process, FINTRAC consulted with other agencies/government departments captured under the ACA.
The Manager of International Relationships is responsible for monitoring and assessing the human rights profile of countries with which FINTRAC shares an MOU.
Mitigation Measures: Caveats and assurances are established at the signing of an MOU and repeated whenever sharing information with any foreign entity. The sharing of information is not allowed without a signed MOU.
Annex I: Global Affairs Canada
Framework Updates: Global Affairs Canada (GAC) indicated that no changes to their framework was made during the current review period.
Triage: There is not one unified set of processes at GAC for determining whether information being used by the department is likely to have been obtained through the mistreatment of an individual by a foreign entity. If an official determines that information that he or she has received is likely to have been obtained through the mistreatment of an individual by a foreign entity and that official still wants to use the information, they are instructed in their training to consult with their Program management at HQ. Should that manager be unable to make a determination on their own as to whether the use would comply with the Act, they will consult the relevant departmental policy group and the department’s Legal Services Unit.
Working Groups: The Ministerial Direction Compliance Committee Secretariat
Senior Management Committees: The Ministerial Direction Compliance Committee (MDCC) meetings focuses on the following:
Has the information, the use of which is being sought, likely been derived from mistreatment?
What are the proposed measures to mitigate the risks? What is the likelihood of their success?
Consider the justifications for and proportionality of any potential involvement with the foreign state or entity that may result in mistreatment.
The MDCC Secretariat will create a record of decision and circulate it for comment by MDCC members. Once finalized, it will be kept by the Secretariat for future reporting. The MDCC Secretariat follows up with the requesting official for updates on the outcome of the situation and requests a final update from the requesting official once the situation is resolved. Currently the MDCC Secretariat consists of one person.
Country Assessments: Global Affairs Canada’s human rights reports provide an evidence-based overview of the human rights situation in a particular country, including significant human rights-related events, trends and developments and include a section focused on mistreatment. There are no scores for countries however, and it is up to the officials to assess the risk based on the information in the reports.
Mitigation Measures: The Legal Services Unit and/or Intelligence Policy and Programs division will provide guidance on the limitations and the prohibitions of the use of information obtained through mistreatment. They are also able to propose potential mitigation measures, such as sanitization of the information, if there is a risk of further mistreatment; of depriving someone of their rights or freedoms; or if the information could be used as evidence in any judicial, administrative or other proceeding.
Annex J: IRCC
Framework Updates: Immigration, Refugees and Citizenship Canada (IRCC) indicated that there were no changes to its procedures regarding the disclosure of information to foreign entities.
Triage: The initial assessment is done by the employee/officer receiving a request to disclose information. Officers are provided with a country assessment tool that provides a country-level risk assessment. If the country is listed as low-risk and the employee does not believe there are any risks of mistreatment, they may proceed with the exchange and record the details of that exchange (i.e., what information was exchanged; to which country, etc) into the Global Case Management System (GCMS). If the country is high-risk, or the officer believes that there is any risk of mistreatment and they wish to pursue with the case, then the officer is required to refer the case to IRM and Admissibility to assess the risk of the exchange.
Senior Management Committee: IRCC has the Avoiding Complicity Assessment Committee. The Committee is comprised of executives representing relevant policy, operations, legal and privacy branches within the Department. The purpose of the Committee is to reassess whether the circumstances of the case meet the “substantial risk” threshold, and to determine whether mitigations could be sufficiently imposed to allow for the disclosure. If the Committee is unable to unanimously determine if the risk can be mitigated, and there remains a need to disclose the information to the requesting foreign entity, then the case will be referred to the Deputy Minister for final decision.
Country Assessments: IRCC officers are instructed to refer to an initial country assessment tool when they are contemplating any disclosure or request for information from a foreign entity. This tool provides a general assessment of the country’s risk. If the country is identified as a high-risk country, then the officer is required to make a Consultation Request before disclosing, requesting or using information. If the country is identified as medium-risk, then it is recommended that the officer make a Consultation Request.
Mitigation Measures: Possible mitigation measures for a case where a substantial risk of mistreatment has been determined, if available, would be established in the Consultation Request assessment and, if necessary, in the Avoiding Complicity Assessment Committee’s recommendation. In either case, the mitigations will be manually recorded in the case file where they can be later recalled and noted in the Annual Report.
Annex K: Public Safety
Please note that the above flow charts are draft and have not yet been approved.
Framework Updates: Public Safety (PS) does not yet have a framework for deciding whether an exchange of information with a foreign entity would result in a substantial risk of mistreatment of an individual. PS noted, however, that it has drafted a departmental policy to support the department’s implementation of the Directions but it has not yet been approved by senior management.
Triage: PS officials at the operational level are responsible for identifying whether the disclosure of or request for information would result in a substantial risk of mistreatment of an individual. Prior to the disclosure of or request for information to/from a foreign entity, PS officials, as per the draft policy, are expected to:
review risk assessments and information sharing arrangements/agreements to determine risks;
identify mitigation measures as needed; and
seek DG approval for the disclosure or request; and the DG would determine whether the risk can or cannot be mitigated and whether the case should be referred to the DM for determination and decision.
PS officials at the operational level are responsible for identifying whether information for potential use was likely obtained through the mistreatment of an individual. As per the draft policy, prior to the use of information, PS officials are expected to:
conduct an assessment to determine if the information was likely obtained through the mistreatment of an individual, if not previously completed by PS officials or another government department, and mark it accordingly, based on DG-level determination;
assess and characterize the accuracy and reliability of the information; and,
advise their DG of the circumstance; and the DG would determine whether the information would be used as per section 3 of the Directions and refer the decision to the DM to determine if the use of information in any way that deprives someone their rights or freedoms is necessary to prevent the loss of life or significant personal injury.
For PS program areas where responsibilities for program delivery are shared among multiple Government of Canada departments, PS officials may use accuracy and reliability assessments conducted by another Government of Canada department for the express purpose of the specific information exchange. In these cases, and where PS does not have sufficient information (such as the source of the information) to conduct an assessment, it will require Government of Canada departments to attest to having conducted the assessment. This same principle applies risk assessments and assessments as to whether information was likely obtained through the mistreatment of an individual.
Working Group: The ISCG is the primary interdepartmental forum for supporting interdepartmental collaboration and information-sharing between members as they implement the Act and Directions and is regularly attended by all members.
PS participates in the ISCG in three ways as the:
chair, coordinator and PS policy lead;
area responsible for implementing the ACA;
legal counsel representative.
PS has also made progress with ISCG guidance. However, due to COVID-19, the ISCG was limited in its capacity to convene meetings.
Senior Management Committee: PS does not have a formal senior management committee to review high-risk cases. The Investigative Authorities and Accountability Policy (IAAP) unit supports program areas in the referral process to the Senior Assistant Deputy Minister (SADM) of the National and Cyber Security Branch for further examination. Acting as a senior Public Safety official, the SADM is responsible for referring cases to the Deputy Minister if they are unable to determine whether the risk of mistreatment can be mitigated.
Country Assessments: PS currently does not have any country assessments completed and plans to use other department’s assessments, but as outlined in its draft policy, PS expects to conduct country and entity assessments as part of its annual risk assessment process. The risk assessment process will ensure that an agreement with the foreign entity is in place prior to information sharing exchanges; review risk and country assessments developed by portfolio agencies (e.g. CSIS) and other departments (e.g. GAC), and consider human rights reporting from non-government entities.
The IAAP will coordinate, on an annual basis, risk assessments. To do so, IAAP may, for example, review human rights reports developed by Global Affairs Canada (GAC), country assessments prepared by portfolio agencies (e.g. CSIS), human rights reporting from non-government entities and country/entity specific material.
Mitigation Measures: PS currently has developed a draft policy to address mitigation measures and caveats. The draft policy will provide guidance to officials on how to assess risk and apply mitigation measure, while also defining approval levels and country assessment responsibilities.
Once a risk of mistreatment has been identified, the PS official is required to undertake a risk mitigation assessment prior to requesting the information. Approved risk mitigation mechanisms include:
the caveating of information,
obtaining assurance and/or
disclosing a limited amount of the information.
The policy also outlines requirements regarding the use of congruent mitigation mechanisms to collectively reduce the risk.
Annex L: Royal Canadian Mounted Police
Framework Updates: There were no changes to the Royal Canadian Mounted Police’s (RCMP) framework in 2020. RCMP has undertaken a number of internal reviews of its information sharing framework and continues to refine and optimize its processes.
RCMP also noted that it was in its final stages of rolling out an online training course specifically tailored to the ACA.
Triage: The Foreign Information Risk Advisory Committee (FIRAC) process may be initiated if and when an information exchange involves a country identified as high or medium risk. A low-risk case would only be sent if an official believes there is the potential for mistreatment.
All RCMP personnel are required to consider the risk of mistreatment before requesting, disclosing or using information and to engage the FIRAC process if there is a substantial risk identified to a specific individual(s) with a country of exchange.
An employee is almost always the one to perform the initial risk assessment. When an entity is green, the employee may exchange or use information without consulting FIRAC, unless they express doubts. When an entity is yellow, the employee must consider whether or not there is a substantial risk of mistreatment by looking at a list of criteria (similar to CSIS). If one or more of these criteria is present, the employee must send the case to FIRAC. If the entity is red, the employee must send the case to FIRAC for the initial assessment, unless no personal information is exchanged.
Working Group: Law Enforcement Assessment Group (LEAG). Full-length LEAG assessments include classified information from other Federal departments and agencies. The FIRAC Portal was developed to allow RCMP employees to access the assessments, and to further support compliance with the directions.
Senior Management Committee: FIRAC was established to facilitate the systematic and consistent review of RCMP files to ensure information exchanges do not involve or result in the mistreatment of any person.
FIRAC holds the responsibility to determine if a substantial risk exists and in cases where a substantial risk of mistreatment exists, make a recommendation on whether the proposed mitigating measures are adequate to mitigate the risk.
FIRAC’s recommendations are made by the Chair, upon the advice of the Committee, to the appropriate Assistant Commissioner / Executive Director responsible for the operational area seeking to disclose, request or use the information.
FIRAC determines if the risk is mitigatable or not. If it is, the case goes to the Assistant Commissioner. If it is not, FIRAC declines the exchange or use of information.
Country Assessments: An in-house country assessment model has been completed.
Countries are listed in alphabetical order, along with any specific foreign entities (i.e. police forces, military units, etc.) that have been assessed. For each entity, the risk level (Red-High, Yellow-Medium, Green-Low) is provided, as are the specific crime types and conditions.
Mitigation Measures: The RCMP leverages existing MOU’s with specific partners to partially mitigate underlying risk, in particular where mutually agreed standards around human rights exist as well as having a good track record for respecting caveats. Similarly, officials work with Liaison Officers to identify any relevant assurances or strategies, factors or conditions that could mitigate the risk of mistreatment posed by the information exchange, request for information or use of information.
All mitigation measures used are tracked through the FIRAC by filling in a FIRAC Request Form. Noting which mitigations/caveats are used is a mandatory part of the process.
Annex M: Transport Canada
Does not have a departmental framework for assessing ACA considerations, outside of the Passenger Protect Program (PPP).
Changes: Transport Canada (TC) developed a corporate policy in September 2020 to highlight the department’s ACA-related requirements, roles and responsibilities and remains a participant in PS framework.
Triage: Relies on PS’ framework for the Passenger Protect Program.
Should they have any concerns about a request for information from a foreign partner they will consult with other agencies, such as CSIS or GAC.
Working Group: TC is a voting member of the PPP Advisory Group but does not have any responsibility for drafting case briefs. At each meeting of the PPP Advisory Group, TC has ensured that all other voting members have acknowledged TC’s SATA-legislated responsibility for sharing the List with domestic and foreign air carriers, and its associated responsibilities under the ACA.
Senior Management Committee: TC does not have any senior management committee in place to further review cases with a potential for mistreatment.
Country Assessments: Rely on other government departments.TC relies on assessments by other departments such as PS and GAC.
Mitigation measures: The framework was established by Public Safety (lead on PPP), with consultations with the PPP partners (RCMP, CSIS, CBSA). TC has worked with PS to integrate mitigation measures into the operating procedures and protocols of PPP partners.
The Access to Information Act gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, a right of access to information contained in government records, subject to certain specific and limited exceptions.
Section 94(1) of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament. In addition, section 20 of the Service Fees Act requires institutions to report on all statutory fees processed during the reporting period.
This report to Parliament, which is prepared and tabled in accordance with Section 94 of the Access to Information Act, and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering these Acts during the period April 1, 2021 to March 31, 2022.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat assists the Review Agency in fulfilling its mandate.
Mandate
NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office
NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act.
For the reporting period, the NSIRA ATIP office consisted of:
1 full-time ATIP Coordinator
1 part-time ATIP Consultant
1 full-time Senior Director, who managed the ATIP office in addition to fulfilling normal duties as Senior Director of Corporate Services
NSIRA Legal Services supported the ATIP team on an as required basis.
The main activities of the ATIP Coordinator included:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the Access to Information Act and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments.
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.
To assist the ATIP Office in meeting its legislative obligations, NSIRA relied on a collaborative internal group of subject matter points of contact from all its branches.
Delegation Order
The Executive Director, as the Head of the National Security and Intelligence Review Agency Secretariat and pursuant to s.95(1) of the ATIA, is responsible for the implementation of the ATIA for NSIRA. Through the most recent NSIRA delegation order, the Executive Director has designated the ATIP Coordinator and ATIP Officer to perform the powers, duties, functions, or administrative tasks pertaining to the ATIA. These functions have limited delegation of authority under the Act and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The recently amended ATIA delegation orders can be found in Appendix A.
Performance and Statistical Overview
Performance in Processing Access Requests
During the reporting period, the number of access requests received by NSIRA increased by 1300% (14) compared to the previous year (1). The Agency also managed one request that was pending from previous years, bringing the total number of cases to 15. Of these, NSIRA closed 5 requests in 2021- 22, and 10 were carried over to the next reporting period.
NSIRA’s responses to many requests required intensive review of complex records, including extensive internal and external consultations. In 2021-22, NSIRA’s on-time response rate decreased to 80% from 100% in the previous reporting year.
Consultations
NSIRA was consulted on 12 requests this fiscal year, compared to 7 in the previous reporting period. NSIRA closed 11 consultations and carried over one into 2022-2023.
Requests Treated Informally
In 2021-2022, NSIRA responded to 7 informal requests for records previously released under the ATIA process. This is an increase from no informal requests in 2020-2021. NSIRA responded to all 7 requests within 30 days of the request.
Complaints and Investigations of Access Requests
Subsection 30(1) of the Act describes how the Office of the Information Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. NSIRA received one new complaint during the reporting period and worked closely with the Office of the Information Commissioner to resolve the complaint. This complaint concerned NSIRA’s delay in providing a response to a request before the established legislative deadline. NSIRA’s delay was largely due to extended external consultations; however, the complaint was closed as “well-founded” in 2022-2023 reporting period.
Access to Information Act fees for the Purposes of the Service Fees Act
In accordance with the Interim Directive on the Administration of the ATIA, issued on May 5, 2016, and the changes to the ATIA that came into force on June 21, 2019, NSIRA waived or refunded all fees prescribed by the Act and Regulations during the reporting period.
Training
In 2021–22, the ATIP office provided orientation sessions to new and current employees. In all, 3 separate sessions on access and privacy legislation were provided to 60 employees.
Privacy policies, guidelines, procedures and initiatives
NSIRA did not revise policies, guidelines, or procedures related to the Access to Information Act—or implement new ones—during the reporting period.
Monitoring processing time
Request processing times are monitored through the Access Pro software dashboard. The ATIP Coordinator notifies the Executive Director and suggests a course of action should any legislative timelines for responding to an ATIA request appear to be at risk.
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2019-2020 Statistical Report on the Access to Information Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2019-04-01 – 2020-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
14
Outstanding from previous reporting period
0
Outstanding from more than one reporting period
1
Total
15
Closed during reporting period
5
Carried over to next reporting period
10
Carried over within legislated timeline
9
Carried over beyond legislated timeline
1
1.2 Sources of requests
Source
Number of Requests
Media
4
Academia
0
Business (private sector)
0
Organization
0
Public
10
Decline to Identify
0
Total
14
1.3 Channels of requests
Source
Number of Requests
Online
12
E-mail
1
Mail
1
In person
0
Phone
0
Fax
0
Total
14
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
7
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
7
Closed during reporting period
7
Carried over to next reporting period
0
2.2 Channels of informal requests
Source
Number of Requests
Online
7
E-Mail
0
Mail
0
In person
0
Phone
0
Fax
0
Total
7
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
7
0
0
0
0
0
7
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
2.5 Pages re-released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
7
121
0
0
0
0
0
0
0
0
Section 3: Applications to the Information Commissioner on Declining to Act on Requests
Number of Requests
Outstanding from previous reporting period
0
Sent during reporting period
0
Total
0
Approved by the Information Commissioner during reporting period
0
Declined by the Information Commissioner during reporting period
0
Withdrawn during reporting period
0
Carried over to next reporting period
0
Section 4: Requests Closed During the Reporting Period
4.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
0
0
0
Disclosed in part
2
0
1
0
0
0
0
3
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
0
2
0
0
0
0
0
2
Request transferred
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Decline to act with the approval of the Information Commisioner
0
0
0
0
0
0
0
0
Total
2
2
1
0
0
0
0
5
4.2 Exemptions
Section
Numbers of Requests
13(1)(a)
0
13(1)(b)
0
13(1)(c)
0
13(1)(d)
0
13(1)(e)
0
14
0
14(a)
0
14(b)
0
15(1) – I. A. *
0
15(1) – Def. *
2
15(1) – S.A. *
0
16(1)(a)(i)
0
16(1)(a)(ii)
0
16(1)(a)(iii)
0
16(1)(b)
1
16(1)(c)
2
16(1)(d)
0
16(2)
0
16(2)(a)
0
16(2)(b)
0
16(2)(c)
0
16(3)
0
16.1(1)(a)
0
16.1(1)(b)
0
16.1(1)(c)
0
16.1(1)(d)
0
16.2(1)
0
16.3
0
16.31
0
16.4(1)(a)
0
16.4(1)(b)
0
16.5
0
16.6
0
17
0
18(a)
0
18(b)
0
18(c)
0
18(d)
0
18.1(1)(a)
0
18.1(1)(b)
0
18.1(1)(c)
0
18.1(1)(d)
0
19(1)
2
20(1)(a)
0
20(1)(b)
0
20(1)(b.1)
0
20(1)(c)
0
20(1)(d)
0
20.1
0
20.2
0
20.4
0
21(1)(a)
1
21(1)(b)
0
21(1)(c)
0
21(1)(d)
0
22
0
22.1(1)
0
23
2
23.1
0
24(1)
1
26
0
* I.A.: International Affairs * Def.: Defence of Canada * S.A.: Subversive Activities
4.3 Exclusions
Section
Numbers of Requests
68(a)
0
68(b)
0
68(c)
0
68.1
0
68.2(a)
0
68.2(b)
0
69(1)
0
69(1)(a)
0
69(1)(b)
0
69(1)(c)
0
69(1)(d)
0
69(1)(e)
0
69(1)(f)
0
69(1)(g) re (a)
0
69(1)(g) re (b)
0
69(1)(g) re (c)
0
69(1)(g) re (d)
0
69(1)(g) re (e)
0
69(1)(g) re (f)
0
69.1(1)
0
4.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
2
1
0
0
0
0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
63
63
3
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
0
0
0
0
0
0
0
0
0
0
Disclosed in part
3
63
0
0
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Declined to act with the approval of the information Commissioner
0
0
0
0
0
0
0
0
0
0
Total
3
63
0
0
0
0
0
0
0
0
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
4.5.7 Other complexities
Disposition
Consultation Required
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
Disclosed in part
2
0
0
2
All exempted
0
0
0
0
All excluded
0
0
0
0
Request abandoned
0
0
0
0
Neither confirmed nor denied
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
2
0
0
2
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
4
Percentage of requests closed within legislated timelines (%)
80
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
1
0
0
1
0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
1
0
1
16 to 30 Days
0
0
0
31 to 60 Days
0
1
0
61 to 120 Days
0
0
0
121 to 180 Days
0
0
0
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
1
0
1
4.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
Section 69
Other
All disclosed
0
0
0
Disclosed in part
0
0
0
All exempted
0
0
0
All excluded
0
0
0
Request abandoned
No records exist
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
Total
0
0
0
5.2 Length of extensions
Length of Extensions
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
Section 69
Other
30 days or less
0
0
0
31 to 60 days
0
0
0
61 to 120 days
0
0
0
121 to 180 days
0
0
0
181 to 365 days
0
0
0
365 days or more
0
0
0
Total
0
0
0
Section 6: Fees
Fee Type
Fee Collected
Fee Waived
Fee Refunded
Number of Requests
Amount
Number of Requests
Amount
Number of Requests
Amount
Application
0
$0.00
14
$0.00
0
$0.00
Other fees
0
$0.00
0
$0.00
0
$0.00
Total
0
$0.00
14
$0.00
0
$0.00
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
12
143
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
12
143
0
0
Closed during the reporting period
11
123
0
0
Carried over within regotiated timelines
1
20
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Investigations and Reports of finding
9.1 Investigations
Section 32 Notice of intention to investigate
Subsection 30(5) Ceased to investigate
Section 35 Formal Representations
0
0
1
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports
Section 37(2) Final Reports
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
Received
Containing recommendations issued by the Information Commissioner
Containing orders issued by the Information Commissioner
0
0
0
0
0
0
Section 10: Court Action
10.1 Court actions on complaints
Section 41
Complainant (1)
Institution (2)
Third Party (3)
Privacy Commissioner (4)
Total
0
0
0
0
0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
Section 11: Resources Related to the Access to Information Act
11.1 Allocated Costs
Expenditures
Amount
Salaries
$24,082
Overtime
$0
Goods and Services
$0
Professional services contracts
$0
Other
$0
Total
$24,082
11.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.300
Part-time and casual employees
0.000
Regional Staff
0.000
Consultants and agency personnel
0.000
Students
0.000
Total
0.300
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act
2.1 Number of weeks your institution was able to process paper records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
The Privacy Act gives individuals the right to access information about themselves that is held by the National Security and Intelligence Review Agency Secretariat, subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.
Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.
This report to Parliament, which is prepared and tabled in accordance with Section 72 of the Privacy Act describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the Act during the period of April 1, 2021 to March 31, 2022.
If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:
Access to Information and Privacy Office National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5 Email: ATIP@nsira-ossnr.gc.ca
Who we are
Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.
The NSIRA Secretariat assists the Review Agency in fulfilling its mandate.
Mandate
NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Investigations
NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:
any activity of CSIS or of CSE;
decisions to deny or revoke certain federal government security clearances;
any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
reports made under section 19 of the Citizenship Act, and
matters referred under section 45 of the Canadian Human Rights Act.
Access to Information and Privacy Office
NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act. For the reporting period, the NSIRA ATIP office consisted of:
1 full-time ATIP Coordinator
1 part-time ATIP Consultant
1 full-time Senior Director, who managed the ATIP office in addition to fulfilling normal duties as Senior Director of Corporate Services
NSIRA Legal Services supported the ATIP team on an as required basis.
The main activities of the ATIP Coordinator included:
monitoring compliance with ATIP legislation and relevant procedures and policies;
processing requests under both the Access to Information Act and the Privacy Act;
developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
maintaining Personal Information Banks and conducting privacy impact assessments.
preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.
To assist the ATIP Office in meeting its legislative obligations, NSIRA relied on a collaborative internal group of subject matter points of contact from all its branches.
Delegation Order
The Executive Director, as the Head of the National Security and Intelligence Review Agency Secretariat and pursuant to s.95(1) of the ATIA, is responsible for the implementation of the ATIA for NSIRA. Through the most recent NSIRA delegation order, the Executive Director has designated the ATIP Coordinator and ATIP Officer to perform the powers, duties, functions, or administrative tasks pertaining to the ATIA. These functions have limited delegation of authority under the Act and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The recently amended ATIA delegation orders can be found in Appendix A.
Performance and Statistical Overview
Performance in Processing Access Requests
During the reporting period, the number of privacy requests received by NSIRA increased by 75% (7) compared to the previous year (4). All requests were completed in 2021-22, and no requests were carried over the next year.
NSIRA’s responses to most requests required intensive review of complex records, including extensive internal and external consultations. In 2021-22, NSIRA’s on-time response rate decreased to 71% from 75% in the previous reporting year.
Consultations
NSIRA received one new consultation request from another government institution which was responded within 30 days of its receipt.
Corrections and Notations
For this reporting period, NSIRA did not receive any requests for corrections of personal information.
Complaints and Investigations of Privacy Requests
NSIRA did not receive any complaints pursuant to the Privacy Act during this reporting period. However, one investigation was initiated by the Office of the Privacy Commissioner (OPC) concerning the cyber-attack discussed under the “Breaches” section below.
Training
In 2021–22, the ATIP office provided orientation sessions to new and current employees. In all, 3 separate sessions on access and privacy legislation were provided to 60 employees.
Policies, guidelines, procedures and initiatives
During the reporting period, the NSIRA Secretariat:
Initiated work on a Privacy Policy, a Privacy Protocol, and on a Privacy Breach Plan and Procedures; and
Submitted a request to the Treasury Board Secretariat (TBS) for the approval of changes respecting Personal Information Banks.
Monitoring processing time
Request processing times are monitored through the Access Pro software dashboard. The ATIP Coordinator notifies the Executive Director and suggests a course of action should any legislative timelines for responding to a Privacy Act request appear to be at risk.
Breaches
In March 2021, NSIRA was the victim of a cyber-attack on its public-facing network. As required by the TBS’ Directive on Privacy Practices, NSIRA reported the breach to the OPC and the TBS. Consistent with the Privacy Act, TBS requirements and advice from the OPC, the affected individuals were notified of the breach and how it could affect them.
Privacy Impact Assessments
NSIRA has completed a Privacy Impact Assessment (PIA) of its operations.
NSIRA is in the process of completing a PIA regarding its complaint investigation process.
Disclosure of Personal Information Under Section 8(2)
No disclosures were made pursuant to subsection 8(2) during the reporting period.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2021-2022 Statistical Report on the Privacy Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2021-04-01 – 2022-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
7
Outstanding from previous reporting period
0
Outstanding from more than one reporting period
0
Total
7
Closed during reporting period
7
Carried over to next reporting period
0
Carried over within legislated timeline
0
Carried over beyond legislated timeline
0
1.2 Channels of requests
Source
Number of Requests
Online
4
E-mail
3
Mail
0
In person
0
Phone
0
Fax
0
Total
7
Section 2: Informal requests
2.1 Number of informal requests
Number of Requests
Received during reporting period
0
Outstanding from previous reporting periods
0
Outstanding from more than one reporting period
0
Total
0
Closed during reporting period
0
Carried over to next reporting period
0
2.2 Channels of informal requests
Source
Number of Requests
Online
0
E-Mail
0
Mail
0
In person
0
Phone
0
Fax
0
Total
0
2.3 Completion time of informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
0
0
0
0
0
0
0
2.4 Pages released informally
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
0
0
0
0
0
0
0
0
0
0
Section 3: Requests Closed During the Reporting Period
3.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
0
0
0
Disclosed in part
0
0
1
2
0
0
0
3
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
2
2
0
0
0
0
0
4
Request abandoned
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Total
2
2
1
2
0
0
0
7
3.2 Exemptions
Section
Numbers of Requests
18(2)
0
19(1)(a)
0
19(1)(b)
0
19(1)(c)
0
19(1)(d)
0
19(1)(e)
0
19(1)(f)
0
20
0
21
2
22(1)(a)(i)
0
22(1)(a)(ii)
0
22(1)(a)(iii)
0
22(1)(b)
1
22(1)(c)
0
22(2)
0
22.1
0
22.2
0
22.3
0
22.4
0
23(a)
0
23(b)
0
24(a)
0
24(b)
0
25
0
26
2
27
1
27.1
0
28
0
3.3 Exclusions
Section
Numbers of Requests
69(1)(a)
0
69(1)(b)
0
69.1
0
70(1)
0
70(1)(a)
0
70(1(b)
0
70(1)(c)
0
70(1)(d)
0
70(1)(e)
0
70(1)(f)
0
70.1
0
3.4 Format of information released
Paper
Electronic
Other
E-record
Data set
Video
Audio
1
2
0
0
0
0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
768
768
3
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
0
0
0
0
0
0
0
0
0
0
Disclosed in part
1
71
2
697
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Total
1
71
2
697
0
0
0
0
0
0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed
Number of Minutes Disclosed
Number of Requests
0
0
0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition
Less Than 60 Minutes Processed
60 – 120 Minutes Processed
More than 120 Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
Number of Requests
Minutes Processed
All disclosed
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
Total
0
0
0
0
0
0
3.5.7 Other complexities
Disposition
Consultation Required
Assessment of Fees
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
0
Disclosed in part
2
0
0
0
2
All exempted
0
0
0
0
0
All excluded
0
0
0
0
0
Request abandoned
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
Total
2
0
0
0
2
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
5
Percentage of requests closed within legislated timelines (%)
71.42857143
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
2
0
2
0
0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
0
0
16 to 30 Days
0
2
2
31 to 60 Days
0
0
0
61 to 120 Days
0
0
0
121 to 180 Days
0
0
0
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
0
2
2
3.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 4: Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e)
Paragraph 8(2)(m)
Subsection 8(5)
Total
0
0
0
0
Section 5: Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received
Number
Notations attached
0
Requests for correction accepted
0
Total
0
Section 6: Extensions
6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
3
0
0
0
0
0
3
0
0
6.2 Length of extensions
Length of Extensions
15(a)(i) Interference with operations
9(1)(b) Consultation
9(1)(b) Consultation
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
1 to 15 days
0
0
0
0
0
0
0
0
16 to 30 days
0
0
0
0
0
3
0
0
31 days or greater
0
0
Total
0
0
0
0
0
3
0
0
Section 7: Consultations Received From Other Institutions and Organizations
7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
1
52
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
1
52
0
0
Closed during the reporting period
1
52
0
0
Carried over within regotiated timelines
0
0
0
0
Carried over beyond negotiated timelines
0
0
0
0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
1
0
0
0
0
0
1
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
1
0
0
0
0
0
1
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
1
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 8: Completion Time of Consultations on Cabinet Confidences
8.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
8.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 9: Complaints and Investigations Notices Received
Section 31
Section 33
Section 35
Court action
Total
0
0
0
0
0
Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)
10.1 Privacy Impact Assessments
Number of PIA(s) completed
Number of PIAs modified
1
0
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks
Active
Created
Terminated
Modified
Institution-specific
2
0
0
0
Central
0
0
0
0
Total
2
0
0
0
Section 11: Privacy Breaches
11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS
Number of material privacy breaches reported to OPC
1
1
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
Section 12: Resources Related to the Privacy Act
12.1 Allocated Costs
Expenditures
Amount
Salaries
$24,082
Overtime
$0
Goods and Services
$0
Professional services contracts
$97,006
Other
$0
Total
$121,088
12.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
Full-time employees
0.300
Part-time and casual employees
0.000
Regional Staff
0.000
Consultants and agency personnel
0.500
Students
0.000
Total
0.800
Note: Enter values to three decimal places.
Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act
Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act
Number of weeks
Able to receive requests by mail
52
Able to receive requests by email
52
Able to receive requests through the digital request service
52
Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act
2.1 Number of weeks your institution was able to process paper records in different classification levels
No capacity
Partial Capacity
Full capacity
Total
Unclassified Paper Records
0
0
52
52
Protected B Paper Records
0
0
52
52
Secret and Top Secret Paper Records
0
0
52
52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
In 2019-2020, NSIRA conducted its first interdepartmental review on the implementation of the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities (2017 MD). The review set out to build NSIRA’s knowledge of the information sharing process adopted by the six departments that received the 2017 MD.
NSIRA conducted a case study for each department that had operationalized the 2017 MD. NSIRA noted significant differences in the six departments’ implementation and operationalization of information sharing processes. NSIRA found that CSE, CSIS and the RCMP had implemented the 2017 MD; DND/CAF was implementing the final elements of the 2017 MD; GAC had not yet fully implemented the 2017 MD; and, the CBSA had not yet operationalized the 2017 MD.
NSIRA examined and found differences in how high-risk decision-making is removed from operational personnel who may have a vested interest in the sharing. CSE and the RCMP had the most independent processes; GAC removed high-risk decision-making from front line personnel, while CSIS and DND/CAF decision makers had a direct operational interest in sharing information. NSIRA recommended that Departments ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
NSIRA also found a lack of standardization in information sharing risk assessments for both foreign countries and foreign entities. This issue has been noted in other NSIRA information sharing reviews.
In 2019, parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act, which in conjunction with the subsequent issued Orders in Council (OIC’s) codified many of the provisions of the 2017 MD and left the essential prohibitions and limits unchanged. Noteworthy, the six departments examined in this review are also the same departments for which there is an obligation to issue OICs pursuant to the Act. This review set out the foundation that has assisted and facilitated NSIRA’s subsequent mandated information sharing reviews.
Publishing this review aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work.
In 2011 and again in 2017, ministers issued direction (hereafter Ministerial Direction or MD) to a number of departments setting out how to manage the risks of mistreatment posed by the sharing of information with foreign entities. Most recently, Parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA). In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.
This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a foundation that will expedite and facilitate NSIRA’s future information sharing reviews.
The review focused on the six departments that had received the 2017 MD: the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CSBA), Global Affairs Canada (GAC), and the Department of National Defence and the Canadian Armed Forces (DND/CAF).
Observations and Recommendations
Degrees of implementation vary across departments
NSIRA noted significant differences between the six departments with regard to the level of implementation of information sharing processes. In summary:
CSE, CSIS and the RCMP have implemented the 2017 MD.
DND/CAF is in the process of implementing final elements of the 2017 MD.
GAC has not yet fully implemented the 2017 MD.
In practice, CBSA has not yet operationalized the 2017 MD.
The concept of “substantial risk” of mistreatment is not defined
Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a “substantial risk” of mistreatment. Neither the ACMFEA nor its direction include a definition of substantial risk, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in future.
Recommendation: The definition of “substantial risk” should be codified in law or public direction.
Departments vary with respect to the independence of their decision-making
CSE and the RCMP have the most independent processes.
The information sharing processes implemented by GAC to date remove high- risk decision-making from “front line” personnel.
At CSIS and DND/CAF, decision-makers typically have a direct operational interest in the sharing of information.
CBSA has not yet operationalized its information sharing processes.
Recommendation: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
Lack of standardized information sharing risk assessments
Under the 2017 MD, GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. It may also yield inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing.
Recommendation: Departments should develop: (a) a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and (b) to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
Benefits of internal information sharing process reviews
Finally, NSIRA noted that periodic internal reviews of information sharing policies and processes supported their successful functioning in the long term.
Recommendation: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.
2. Authorities
This review was conducted under the authority of the National Security and Intelligence Review Agency Act (NSIRA Act), specifically paragraphs 8(1)(a) and 8(1)(b) as well as sections 9 and 11.
3. Introduction
Many departments and agencies in the Government of Canada routinely share information with foreign entities. Given that information sharing with entities in certain countries can result in a risk of mistreatment for individuals, it is incumbent upon the Government of Canada to evaluate and mitigate the risks that such sharing creates. This is particularly the case for information sharing related to national security and intelligence, where the information often relates to alleged participation in terrorism or other criminal activity.
Canada has made a number of binding commitments under the International Covenant on Civil and Political Rights (ICCPR), the Convention Against Torture and Other Cruel, Inhumane, or Degrading treatment or Punishment (CAT), and other international agreements. The prohibitions on mistreatment – including complicity in mistreatment – set out in these agreements are also considered to be customary international law. Some of Canada’s obligations have been incorporated into domestic law under section 269.1 of the Criminal Code.
In 2011 and again in 2017, ministers issued direction to a number of departments setting out how to manage the risks in information sharing with foreign entities. Most recently, Parliament passed Bill C-59, which included the ACMFEA. In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.
Subsection 8(2.2) of the NSIRA Act requires NSIRA to review annually every department’s implementation of the directions of the GiC issued under the ACMFEA. In 2020, the NSIRA will undertake its first such review. The purpose of the present review, however, was to build NSIRA’s knowledge and understanding of departments’ implementation of the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a valuable foundation that will expedite and facilitate NSIRA’s future information sharing reviews.
The review focused on the six departments that received the 2017 MD: CSIS, CSE, the RCMP, CBSA, GAC, and DND/CAF. NSIRA examined departments’ policies and processes as well as documents related to foreign arrangements. Where possible, NSIRA examined a single case study for each department in order to illustrate how information sharing works in practice. Given the high-level approach taken in this review, NSIRA opted to make a series of broad observations about the strengths and weaknesses of departments’ framework for information sharing with foreign entities, in the place of formal findings. Where NSIRA made recommendations, they were interdepartmental in scope.
This review focused on departmental policies and procedures for the disclosure and requesting of information involving a risk of mistreatment. It did not examine the use of information that may have been derived from mistreatment; NSIRA may review this topic in future.
4. Background
In 2011, the Government of Canada approved a general framework for “Addressing Risks of Mistreatment in Sharing Information with Foreign Entities”. The framework was the first multi-departmental set of instructions issued regarding information sharing and mistreatment. Its main aim was to establish a coherent and consistent approach across government when sharing information with foreign entities.
Later in 2011, a number of departments whose mandate related to national security and/or intelligence received Ministerial Direction on Information Sharing with Foreign Entities (the 2011 MD). Specifically, the 2011 MD was issued to CSIS, CSE, CBSA, and the RCMP. The 2011 MD, which was eventually released under the Access to Information Act, was subject to extensive criticism from non-governmental organizations, civil liberties groups, and others including the Canadian Bar Association. The main critique was that the 2011 MD did not clearly prohibit the disclosure or requesting of information entailing a “substantial risk” of mistreatment, but rather permitted departments to weigh the value of the information against the risk of mistreatment.
In 2017, the 2011 MD was replaced by a new Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities (the 2017 MD). The 2017 MD was received by CSIS, CSE, CBSA, and the RCMP – the departments that had received the 2011 MD – as well as by DND/CAF and GAC. The 2017 MD included numerous changes, but the most significant were clear prohibitions on the disclosure and requesting of information that would result in a substantial risk of mistreatment, as well as new limits on the use of information likely derived from mistreatment by a foreign entity. In addition, the new MD required departments to maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities.
The 2017 MD further directed departments to cooperate in making assessments regarding foreign countries and entities. In response, Public Safety Canada (PS) established the Information Sharing Coordination Group (ISCG) comprised of PS and the six departments that had received the 2017 MD. The objective was to encourage interdepartmental discussions in support of a coordinated approach to the implementation of the MD.
On July 13, 2019, the ACMFEA came into force. The ACMFEA requires the GiC to issue direction to the six departments that had received the 2017 MD, and gives the GiC discretion to issue direction to other departments as well. On September 4, 2019, the GiC issued direction under the ACMFEA to twelve departments. In addition to the six mandatory departments, direction was issued to PS; the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC); Transport Canada; Immigration, Refugees and Citizenship Canada (IRCC); the Canada Revenue Agency (CRA); and Fisheries and Oceans Canada (DFO). These six new departments have now also joined the PS-led ISCG.
In practice, the information sharing regime set out by the ACMFEA and the subsequent GiC direction closely resembles the 2017 MD. The fundamental limits on Canadian departments’ scope to share information remain unchanged. Notably, however, the new regime omits certain aspects of the 2017 MD. The ACMFEA and its associated direction lack the 2017 MD’s requirement that departments maintain policies and procedures for assessing the risks associated with foreign information sharing arrangements, in collaboration with other departments. More importantly, the new system omits a definition of the threshold of “substantial risk”. The ramifications of this are discussed below.
5. Observations and Recommendations
Reporting
One of the new obligations placed on departments in the 2017 MD was a requirement that they provide an annual report to their minister that included:
All of the departments that were issued the 2017 MD fulfilled their obligation to report to their respective ministers by producing a report in late 2018 or early 2019 discussing the first year of activity under the MD. At the time of writing, however, not all of the departments have issued a public report. As this was a foundational review, NSIRA did not critically evaluate the reports.
Department
Report to Minister
Public report
Cases approved
Cases denied
CBSA
Provided
Published
0
0
CSIS12
Provided
Published
1
1
RCMP13
Provided
Published
25
4
CSE14
Provided
Published
1
0
DND/CAF
Provided
Not Published
0
0
GAC
Provided
Not Published
0
0
Implementation of the 2017 Ministerial Direction
When the 2017 MD was issued, departments that had already built information sharing policies and procedures under the 2011 MD found themselves at a significant advantage. CSIS, CSE, and the RCMP in particular were able to quickly adapt their existing systems to the 2017 MD. Accordingly, for departments that had not received the 2011 MD – or had not implemented it – the arrival of the 2017 MD proved more challenging.
CSE: NSIRA observes that CSE has fully implemented all of the elements of the 2017 MD. The MD’s requirements have been integrated directly into CSE’s operational policies and processes. A detailed overview of CSE’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex D.
RCMP: In response to the 2017 MD, the RCMP overhauled their information sharing framework and stood up a new Law Enforcement Assessment Group (LEAG) that, amongst other things, assesses country human rights records and maintains a system for streaming information sharing requests according to risk. The RCMP is currently working to integrate these processes into their comprehensive operational manual. A detailed overview of the RCMP’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex E.
CSIS: Following the issuance of the 2017 MD, CSIS quickly updated their policies and procedures. In 2018, CSIS also created a new system to implement the MD’s requirement to restrict information sharing with foreign entities that engage in mistreatment, with three levels of restriction depending on the seriousness of the problem. CSIS has informed NSIRA that it is overhauling its current policies and procedures. A detailed overview of CSIS’s current information sharing framework and the results of the case study examined by NSIRA can be found at Annex F.
DND/CAF: Although DND/CAF did not receive the 2011 MD, DND/CAF has had internal directives in place governing information sharing with foreign entities since 2010. The DND/CAF policy and process suite for information sharing was updated following the issuance of the 2017 MD to bring it into compliance with the new requirements. While DND/CAF vets partner forces, it does not yet have a fully developed system for assessing and managing the risks of sharing information with foreign entities. DND/CAF is, however, currently developing more extensive country risk profiles and a standardized assessment process that will be used to assess the risks of information sharing prior to establishing information sharing arrangements. A detailed overview of DND/CAF’s information sharing framework can be found at Annex G.
GAC: Following receipt of the 2017 MD, GAC established a new Ministerial Direction Compliance Committee (MDCC) in December 2018. The MDCC’s objective is to review requests for information sharing that may engage the MD. This is the extent of GAC’s policies and processes pursuant to the MD, however. GAC lacks any policies or procedures setting out how employees are to assess instances of possible information sharing to ensure that all appropriate cases reach the MDCC. It is insufficient to merely inform employees that they are responsible for assessing a complex legal threshold – the concept of a “substantial risk” of mistreatment at the core of the 2011 and 2017 MD as well as the ACMFEA – without guidance as to how they should proceed. As such, NSIRA observes that GAC has not yet fully implemented the 2017 MD.
GAC (cont.): Of note, GAC produces human rights reports on countries that are widely used within government to assist in assessing the risks of sharing with foreign entities. Following the 2017 MD, GAC added a subsection specific to mistreatment to these reports. A detailed overview of GAC’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex H.
CBSA: In October 2018, CBSA issued a revised high-level policy document in response to the 2017 MD. The document did not include concrete processes for identifying and handling instances of information sharing involving a risk of mistreatment, however. CBSA employees thus lack effective guidance with which to discharge their responsibilities under the MD. CBSA also has no process for assessing the risks associated with specific foreign countries and entities, as required by the MD. CBSA has since drafted processes and additional policies, but they have not yet been finalized or invoked. Given these significant gaps, NSIRA observes that CBSA has not yet operationalized the 2017 MD. CBSA has informed NSIRA, however, that it intends to introduce significant improvements over the coming year. A detailed overview of CBSA’s information sharing framework can be found at Annex I.
Additional observations are included in the department-specific annexes referenced above. It should also be noted that NSIRA examined departmental policies and processes at a high level, and as such future reviews may make additional findings and recommendations regarding policies and processes. Moreover, a number of departments are in the process of revamping their information sharing practices, including in particular CSIS and DND/CAF.
In its survey of departments, NSIRA noted varying levels of rigour and consistency with regard to record keeping. Accurate and detailed records of deliberations and reasoning in support of decision-making related to information sharing with foreign entities are necessary to support accountability, particularly in light of the Supreme Court’s recent decision in Vavilov. NSIRA may return to this subject in future years.
In June 2019, the RCMP conducted an internal review of the framework and policies in place for its information sharing policies and procedures. The review identified certain shortcomings with regard to policies, processes, training, and resourcing. Based on the draft provided, NSIRA observes that the review was candid and thorough. The review is currently being used to guide improvements. Periodic internal reviews – such as the one conducted by the RCMP – should be considered a best practice.
Recommendation no. 1: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.
Independent Decision-Making
The concept of risk mitigation is key to the information sharing frameworks of departments. When information sharing would result in a substantial risk that an individual would be mistreated, the information can only be shared if the department takes measures to mitigate the risk of mistreatment such that the residual risk is no longer substantial. Much therefore depends on who, within departments, is authorized to make decisions regarding whether:
an instance of proposed information sharing would result in a substantial risk of mistreatment; and
the proposed mitigation measures are sufficient.
In looking at the various decision-making processes adopted by departments, NSIRA noted varying levels of independence from operational personnel. Of particular interest were processes where the individual making decisions has a direct operational interest in the sharing of the information, creating the potential for conflict between operational imperatives and departmental obligations to respect the MD.
At CSE, the complete Mistreatment Risk Assessment process is conducted by non-operational units. The centralization of information sharing decision-making in a single branch minimizes direct operational pressure while facilitating informed and objective decisions.
The RCMP process uses other mechanisms to ensure independent decision- making. Individual investigators, when they wish to share information, must consult a list of countries and types of information sharing that the RCMP has pre-determined as representing sufficient risk of mistreatment. If the proposed sharing matches the list, then the case is automatically referred to the Foreign Information Risk Advisory Committee (FIRAC). FIRAC comprises a range of senior officials from RCMP headquarters who are a step removed from the operational front-line. The RCMP’s system of referral to FIRAC based on clear criteria removes discretion from officers with a vested interest in the sharing of the information. These officers may not have a full understanding of the geopolitical context of the proposed information sharing and thus are not best-placed to assess whether a substantial risk of mistreatment would result.
GAC requests that Directors General and Heads of Mission refer all cases where proposed information sharing “presents the potential for substantial risk of mistreatment” to the MDCC. The decision as to whether the substantial risk can be mitigated is made centrally by the MDCC, which comprises senior officials from across the department as well as a legal representative. As noted above, however, GAC currently does not provide officials with guidance on how to determine whether the threshold for referral to the MDCC has been met.
Compared to CSE, GAC, and the RCMP, decision-making at CSIS and DND/CAF is much closer to operations. CSIS provides high-level guidance to desks on how to identify information sharing that may result in a substantial risk of mistreatment, but leaves final decision-making regarding whether the situation does in fact create a substantial risk, and whether the risk can be mitigated, to the Deputy Director General or the Director General of each branch. Only if CSIS has heavily restricted information sharing with the foreign entity in question – or else the branch is unsure whether the substantial risk can be mitigated – then the branch must refer the case to the Information Sharing Evaluation Committee (ISEC) for determination. As a result, most of CSIS’s information sharing decisions – even those involving a substantial risk of mistreatment – are made by officials with a direct operational stake in the outcome of the proposed information sharing.
Within DND/CAF, decisions regarding the sharing of information rest with officers within the military chain of command. NSIRA was informed that while routine information sharing is approved by designated lower-level officers in theatre, cases involving unusual circumstances, or where there is uncertainty as to whether a substantial risk of mistreatment exists or can be mitigated, are elevated to senior levels. Once passed up the chain of command, senior officers receive advice from a range of officials at headquarters.
CBSA, at the present time, does not have processes to assess substantial risk or to make decisions regarding whether such risks can be mitigated. In practice, therefore, the onus currently rests on CBSA officers, acting without guidance, to identify cases that invoke the 2017 MD and to manage the associated risks. CBSA has drafted a procedure for cases where there is uncertainty as to whether a substantial risk of mistreatment can be mitigated, but it has not yet been implemented.
Recommendation no. 2: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
Country Assessments
As noted above, a significant addition to the 2017 MD was the requirement that departments maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities. Notably, the MD required departments to assess the human rights records of foreign countries generally and not just of specific foreign entities (i.e., police or intelligence services) within those countries. While the MD did not prohibit information sharing with foreign entities in countries with troubling human rights records, it implied that Canada’s relationships with such foreign entities could not be considered in isolation from the broader human rights environment in which these entities functioned.
In several instances, NSIRA noticed departments citing an absence of direct Government of Canada intelligence of mistreatment by a specific foreign entity in support of a proposed sharing of information, or else in support of a less restrictive information sharing policy towards the entity in question – despite ample reporting of systemic human rights abuses in the public domain. NSIRA observes that a lack of internal Government of Canada reporting of mistreatment by a specific foreign entity is not evidence that the entity does not engage in mistreatment. Departments must consider the full range of sources in assessing risk, including open sources such as the media and non-governmental organizations.
GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. and It may also yield significant inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing. With the issuance of direction under the ACMFEA to twelve departments, this issue will likely grow. See Annex F for additional discussion of this point.
The ISCG seeks to guide departments in developing their human rights assessment processes by providing a forum to discuss best practices. PS informed NSIRA that the ISCG had not discussed plans to standardize these assessments.
Recommendation no. 3: Departments should develop:
a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and
to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
The recommendation above does not preclude department-specific approaches to mitigating the risks of mistreatment. For instance, a department may be able to draw upon aspects of its relationship with a foreign entity to reduce the risk of mistreatment not available to other departments. These differences should not affect the initial determination of the underlying risk of mistreatment posed by information sharing with a foreign entity, however.
In India v. Badesha (2017), the Supreme Court of Canada recently provided guidance on contextual factors to be considered when assessing the reliability of assurances sought from foreign entities regarding mistreatment. Though not exhaustive, the decision provides departments with some guidance regarding the adequacy of assurances received.
Duty of Care
In reviewing GAC, NSIRA noted a tension between adherence to the 2017 MD and GAC’s duty of care with regard to the safety and security of mission staff abroad. Indeed, both cases of information sharing referred to the MDCC in 2019 involved threats to mission In one of the cases, information was shared with a foreign entity before the MDCC had had the chance to assess the risk of mistreatment. In this instance, the GAC official cited the need to protect the safety of mission staff (see Annex H).
NSIRA acknowledges the importance of mission security and the seriousness of the conundrums that can arise when the needs of mission security and GAC’s obligations with respect to information sharing collide. Yet the charged atmosphere of a mission under threat may not be the best venue for quick decision-making involving risks of mistreatment.
Substantial Risk
Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a substantial risk of mistreatment. Neither the ACMFEA nor its direction include a definition of “substantial risk”, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in the future.
In consultation with other departments, PS is developing a policy document that includes the same definition of substantial risk that was found in the 2011 and 2017 MD. The document also contains guidance on other requirements contained in the 2017 MD but that were omitted from the ACMFEA and its direction. When asked by NSIRA, the six departments that had been subject to the 2017 MD all stated that they intended to continue abiding by the established definition of substantial risk. This is reassuring, and should limit the potential for inconsistency between departments. Nonetheless, such a crucial definition should not be left up to individual departments to determine.
Recommendation no. 4: The definition of “substantial risk” should be codified in law or public direction.
The definition of substantial risk in the 2017 MD requires that mistreatment be “foreseeable”. As described in Annex G, DND/CAF’s assessment of foreseeability encompasses a number of factors, but a key component is that the risk of mistreatment be a “causal consequence” of DND/CAF information sharing. NSIRA observes that DND/CAF’s interpretation of foreseeability runs the risk of narrowing the definition of substantial risk and therefore the application of the 2017 MD. Given the importance of a clear and consistent understanding of “substantial risk” across departments, in future years NSIRA may review the application of the “substantial risk” threshold by DND/CAF – and other departments – to information sharing with foreign entities.
A substantial risk of mistreatment is defined as existing in cases where mistreatment is more likely than not. The definition includes a qualifier, however, that the threshold may be met at lower level of probability “where the risk is of severe harm”. This reflects a larger point that the assessment of substantial risk is not intended to be a narrowly mechanistic process of balancing probabilities. The 2017 MD notes that the Government of Canada “has no interest in actions associated with the use of torture or other cruel, inhumane or degrading treatment or punishment. Knowingly associating the Government of Canada with any of these actions would damage the credibility and effectiveness of any department or agency associated with them”. When interpreting the threshold of substantial risk, departments should always bear in mind the larger purpose of Canada’s framework for sharing information with foreign entities.
In order to give life to this framework, it is incumbent on departments, first, to ensure that their employees are trained to the point where they fully understand their legal obligations, and second, to establish clear and well-developed processes that foster and facilitate compliance in the broadest sense.
6. Conclusion
This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. NSIRA noted significant differences between the six departments reviewed with respect to the level of implementation of information sharing processes. Processes also varied widely in terms of the level of independence of decision-making.
Although departmental information sharing frameworks will continue to evolve over time, this review will provide a baseline of comparison for future developments under the ACMFEA. The review also served to identify areas of potential concern that NSIRA may revisit in future years.
CSE Management Response to NSIRA Review of 2018-2019 Disclosures of Canadian Identifying Information
NSIRA delivered its classified review to the Minister of National Defence in November 2020.
Throughout NSIRA’s review of CSE’s disclosure process, CSE responded to NSIRA requests in a timely manner and offered to provide additional context and briefings to NSIRA regarding CSE processes.
Importance of independent external review
CSE values independent, external review of our activities, and we remain committed to a positive and ongoing dialogue with NSIRA and other review and oversight bodies.
This oversight frameworks allows us to deliver our important mission of foreign intelligence, cyber security and foreign cyber operations in a way that demonstrates accountability, and that builds trust and confidence with Canadians.
CSE operates within a culture of compliance, grounded in our understanding of and commitment to our legal and policy regime, and evidenced by our record of self-reporting and addressing incidents and errors that may occur.
We appreciate NSIRA and their continued work to provide Canadians with greater insight and understanding of the important work that CSE does on a regular basis to keep Canadians safe.
We accept the recommendations aimed at improving our processes, yet are concerned that the overall conclusions do not fully appreciate CSE’s commitment to, and work on protection of privacy.
Canadian Identifying Information and CSE’s Commitment to Privacy
CSE is Canada’s national lead for foreign signals intelligence and cyber operations, and the national technical authority for cybersecurity. We provide critical foreign intelligence and cyber defence services for the Government of Canada (GC). Protecting Canadian information and the privacy of Canadians is an essential part of our mission.
CSE does not direct its foreign signals intelligence activities at Canadians or anyone in Canada. The CSE Act, however, recognizes that incidental collection of Canadian communications or Canadian information may occur even when targeting only foreign entities outside Canada. CSE takes very seriously our responsibility to protect Canadian privacy interests that may occur as a result of this incidental collection.
In the event that Canadian information is incidentally acquired in foreign signals intelligence collection, CSE may include obfuscated references to Canadian individuals or organizations in intelligence reporting if those references are essential to understand the foreign intelligence.
The obfuscation of this Canadian Identifying Information (CII) in reporting represents one of many layered privacy measures that are applied at different points in CSE’s end-to-end intelligence process. These include, among others, legal and policy training and on-site support for intelligence analysts, mandatory annual privacy tests for all operational employees, data tagging and auto-deletion, strict retention limits, specific handling guidelines, escalating approvals for reporting that includes CII, compliance spot checks, and separate vetting processes for disclosing obfuscated information and taking action on intelligence reporting.
Pursuant to the Privacy Act, government clients who receive CSE foreign intelligence reports may ask for obfuscated CII to be “disclosed” to them if that information relates directly to their department’s operating program or activities. Any disclosed CII is provided solely to inform their understanding of the foreign intelligence presented in the report. Government officials may not take action, share or otherwise use the CII disclosed to them under the disclosure process.
CSE continually refines its CII disclosure process. For example, to help support audit and review, CSE implemented a requirement for government clients to provide an operational justification to support their CII disclosure requests. It is important to note, however, that this is a matter of internal policy and that the Privacy Act does not require the documentation of legal authorities before information can be collected and disclosed.
Review Recommendations
CSE is committed to continuous improvement. We know that the recommendations from independent external review play an important role in that improvement. CSE has 25 years of experience working with the Office of the CSE Commissioner and now NSIRA to help improve our processes. We thank these review bodies for their work to help build trust and confidence with Canadians.
CSE continuously refines our privacy-protection measures, including those associated with the disclosure process. Improvements made over the past decade have been informed by the recommendations made by the CSE Commissioner as part of his annual reviews of CSE’s CII disclosures. Prior to NSIRA taking over review duties, CSE had accepted and implemented 95% of the recommendations made by the CSE Commissioner. Those not adopted were duplicative or overtaken by events such as new legislation. In his final 2018-2019 review, the Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction.
In this NSIRA review, as with previous CSE Commissioner reviews, we appreciate and have accepted the recommendations aimed at improving our internal policies and practices.
Given the overlap in this review period between the two bodies, certain NSIRA recommendations duplicate some presented in the CSE Commissioner’s reviews. As a result, we are pleased to note that many have already been implemented at this time; other NSIRA recommendations are in the process of being implemented.
Review Findings
Throughout this CII disclosure review, CSE provided extensive feedback and context to NSIRA, and sought clarification regarding the assessment criteria used to determine adequacy or inadequacy of specific records, the vast majority of which were deemed adequate by NSIRA. Without explaining the methodology used to support the findings, we are concerned that broad generalizations based on specific aspects of certain records within a single privacy measure may leave the reader with an incorrect impression about CSE’s overall commitment to privacy protections for Canadians.
CSE’s case-by-case process for disclosing CII to authorized GC recipients is part of robust and comprehensive internal measures that protect Canadians’ privacy. We balance the sharing of our intelligence with the privacy and safety of Canadians at all times. CSE disclosure analysts receive training and follow internal policies, guidelines and standard operating procedures to guide decision making.
While committed to implementing the recommended process improvements contained in the report, CSE remains concerned by NSIRA’s overall conclusions and characterization of the disclosure process and its role in the broader privacy framework, which we have expressed to NSIRA.
Referral to Attorney General of Canada
The Minister of National Defence submitted NSIRA’s classified report to the Attorney General of Canada in January 2021, supported by a comprehensive analysis of each record identified by NSIRA in its review.
The analysis supports the view that our activities, including applying protections for the privacy of Canadians, were conducted within a robust system of accountability, including compliance with the Privacy Act.
Additional Information
Top Secret-cleared and special intelligence-indoctrinated GC clients received thousands of foreign intelligence reports via CSE’s mandate under the CSE Act. These reports corresponded to Cabinet-approved intelligence priorities and were delivered to government clients who had both the authority to receive them and the ‘need to know’ their contents.
These reports reflect a wide range of intelligence requirements, from support to Canadian military operations, espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others. While only a very small percentage of these reports contain obfuscated CII, the underlying Canadian information is often essential for GC officials to understand the context of the threat and its Canadian nexus.
On November 25, 2020, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of National Defence and the Minister of Public Safety with a classified compliance report on its review of CSE’s disclosures of Canadian identifying information (CII). In this review, NSIRA found that the CII disclosure regime lacked rigour and that its implementation may not have been in compliance with the Privacy Act. Additionally, NSIRA found that the Federal Court may not have been adequately informed about key elements of CSE’s disclosures of CII collected on the authority of warrants issued in relation to section 16 of the Canadian Security Intelligence Service (CSIS) Act. Given the findings of the review, NSIRA has published its unclassified summary of the compliance report.
In carrying out its foreign intelligence mandate, CSE may incidentally acquire information about Canadians or person(s) in Canada. CII is information that could be used to identify an individual, and is normally suppressed from reporting unless Government of Canada or foreign clients request these details and are able to demonstrate that they have operational justification and legal authority to receive it.
After a thorough review of CSE’s disclosures of CII, which also involved direct engagement with other Government of Canada departments that request CII, NSIRA made 6 findings and 11 recommendations. This unclassified summary provides an overview of the CII disclosure regime, and NSIRA’s observations related to the policies, procedures, training, and the legal authorities governing it.
Publishing this summary aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work. Looking forward, NSIRA will conduct future reviews of the CII disclosure regime to ensure that its recommendations are implemented in a way that will improve the CII disclosure program and that this program is compliant with the applicable legal framework.
As per section 8(1)(a) of the NSIRA Act, independent review of CSE’s activities is a statutory requirement for NSIRA. As such, NSIRA will continue to review CSE activities and report on compliance issues if they arise.
Subsequent to the collection of foreign signals intelligence by the Communications Security Establishment (CSE), any incidentally collected Canadian identifying information (CII) is suppressed in CSE’s intelligence reporting to protect the privacy of Canadians and persons in Canada. However, the Government of Canada (GC) and foreign clients of such reports can request the details of this information if they have lawful authority and operational justification.
The National Security and Intelligence Review Agency (NSIRA) conducted a review of CSE’s disclosures of CII to GC clients. In reviewing disclosures containing 2,351 Canadian identifiers over a five year period, NSIRA found that 28% of requests from all clients were not sufficiently justified to warrant the release of CII. . Nevertheless, during the period under review, CSE approved 99% of these requests for CII from its domestic clients. Given this and other findings related to CSE’s internal practices, NSIRA found that CSE’s implementation of its CII disclosure regime may not be in compliance with the Privacy Act.
Moreover, NSIRA found that CSE has released CII to GC clients from its technical and operational assistance to the Canadian Security Intelligence Service (CSIS) in relation to section 16 of the CSIS Act, in a manner that was likely not communicated to the Federal Court by CSIS.
This report is a summary of the more detailed, classified report provided to the Minister of National Defence on November 25, 2020.
Introduction
The Communications Security Establishment (CSE) may incidentally acquire information about Canadians or persons in Canada in its collection of foreign signals intelligence (SIGINT). Canadian identifying information (CII) refers to any information that can identify an individual, ranging from names to email addresses and IP addresses. CII is suppressed in intelligence reports to protect the privacy of Canadians and persons in Canada. Government of Canada (GC) and foreign clients may subsequently request the details of this information if they have lawful authority and operational justification to collect it. This information sharing regime has been in place since the 2001 enactment of CSE’s powers under the National Defence Act, and has been previously reviewed by the Office of the CSE Commissioner (OCSEC)
Following a review of CSE’s disclosures of CII, the National Security and Intelligence Review Agency (NSIRA) concluded that CSE’s implementation of its disclosure regime may not be in compliance with the Privacy Act. Therefore, pursuant to subsection 35(1) of the NSIRA Act, NSIRA submitted a compliance report to the Minister of National Defence on November 25, 2020.
CSE’s disclosure regime, in place for nearly two decades, is one of the most important national security information sharing structures in the federal government, surpassing the volume of disclosures processed through the information sharing mechanism under the Security of Canada Information Disclosure Act (SCIDA). Unlike CSE’s disclosure regime, information sharing processes under SCIDA have recently undergone comprehensive scrutiny and debate both in Parliament and by the public as part of the deliberation of Bill C-59.
CSE’s work results in special responsibilities to protect the privacy of Canadians. In this context, NSIRA assessed CSE’s operational structures, policies, and processes to determine the rigour of the CII disclosure regime. NSIRA found serious problems with several aspects of the governance and implementation of CSE’s CII disclosure regime. NSIRA also found that CSE discloses information collected pursuant to the authority of Federal Court issued warrants as part of its assistance to the Canadian Security Intelligence Service (CSIS). NSIRA believes that although the Federal Court is aware of CSIS’ disclosure of CII, the Court may not have been fully informed about the parallel disclosure process taking place at CSE. In January 2021, CSIS provided the Federal Court with a copy of NSIRA’s full, classified review, excluding information protected by solicitor-client privilege.
Methodology
As part of its review, NSIRA examined a selected sample of CII disclosures and their associated intelligence reports – initially from July 1, 2018 to July 31, 2019, though the review period was later expanded to cover July 1, 2015 to July 31, 2019 for certain types of disclosures. Over that period, CSE received requests for 3,708 Canadian identifiers. NSIRA received information about the outcome of all of these requests. Additionally, NSIRA was able to closely review requests pertaining to 2,351 identifiers.
In all, NSIRA examined electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime. CSE also responded to NSIRA’s questions throughout the review.
While this began as a review of solely CSE, it became evident that NSIRA also needed to engage with CSE’s Government of Canada clients of CII. In the spirit of its legislation, NSIRA “followed the thread” by engaging with a range of federal departments, from recurring clients of CII, such as CSIS and the Royal Canadian Mounted Police (RCMP), to less frequent clients, such as Innovation Science and Economic Development Canada (ISED). Through this engagement, NSIRA was able to understand the lifecycle of CII disclosures, from their origin within intelligence reporting to their eventual use by Government of Canada clients.
NSIRA also assessed CSE’s disclosures of CII arising from its assistance to CSIS in relation to section 16 of the CSIS Act. When CSE assists CSIS in that context, it is bound by the applicable Federal Court warrants’ conditions. While CSIS’ disclosures were not the subject of this review, they helped contextualize the adherence of CSE’s section 16 CII disclosures with the conditions and principles on which the Court issued the relevant warrants.
NSIRA also reviewed CSIS affidavits to the Federal Court in relation to Canadian information acquired through section 16 warrants, which served as the basis for a recent decision issued on this program by the Court (reported as 2020 FC 697). Given this window into the parallel practices and policy requirements of CSIS, NSIRA had the opportunity to contextualize CSE’s disclosures of CII arising from section 16 collection in a way that was unprecedented for an external review body.
Based on the records provided by CSE, CSIS, and other federal government entities, NSIRA made several findings and recommendations to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.
Legal Framework
For CSE to disclose Canadians’ personal information without their consent, both CSE and the CII recipient must comply with relevant legislation, which, for the period under review, consisted of the Privacy Act and the National Defence Act:
In assessing CSE’s disclosures, NSIRA applied a two-pronged test in line with the Privacy Act requirements: the institution holding the personal information must have a disclosure authority to disclose it to another institution, and the recipient institution must have a collection authority. These thresholds derive from existing Privacy Act jurisprudence. In other words:
CSE’s CII clients are required to meet the section 4 collection requirement of the Privacy Act by establishing a direct and immediate relationship (with no intermediary) between the information to be collected through a CII request and their operating programs or activities.
On CSE’s side, its disclosures of CII had to comply with section 8 of the Privacy Act, and the National Defence Act, which was the governing statute for CSE during the review period.
Because the disclosure authority within the National Defence Act required CSE to protect the privacy of Canadians, NSIRA assessed whether CSE evaluated each disclosure request rigorously on its own merits, including the operational justification provided by clients, to determine whether the requests were reasonable and whether the disclosure was appropriate under the Privacy Act regime.
CSE’s internal practices
NSIRA assessed CSE’s privacy protection measures for compliance with its legal responsibilities and Ministerial Direction. NSIRA assessed whether CSE’s CII disclosures are subject to a thorough, well-documented evaluation and approval process that demonstrates each disclosure’s compliance with legal and operational requirements. Specifically, NSIRA assessed whether CSE’s clients demonstrated their legal authority to collect CII, and did so in compliance with section 4 of the Privacy Act by showing a direct and immediate relationship between their mandated activities and the requested CII.
During the period under review, CSE received requests for 3,708 identifiers from 15 domestic departments, releasing 3,671 – which represents a release rate of 99%. This release rate was also reflected in the eventual sample of disclosures selected for detailed review by NSIRA. NSIRA expected to find disclosure requests of a consistently high quality commensurate with their near-absolute approval by CSE. Nevertheless, the findings below represent several areas in which NSIRA observed shortcomings.
Employee training and documentation requirements
CSE employees generally decide whether to release CII. NSIRA did not find evidence of written guidance or training to guide employees’ assessment of the substance of disclosure requests; instead, the training materials and procedures that employees receive primarily focus on the logistical processes to release CII.
In their assessment of CII requests, CSE personnel can take a range of actions, including conducting further research into a requesting department and its mandate or communicating with the requester to obtain clarity. NSIRA found that these actions are generally not documented for requests from domestic clients, and the approved disclosures only contain the requested CII without the reasons for approving the request. NSIRA was unable to confirm that CSE personnel were taking steps to communicate with a requestor to clarify incomplete or unclear disclosure requests.
While this is not a requirement in CSE’s policies for domestic requests, NSIRA observed detailed rationales provided by personnel responsible for approving and denying CII requests originating from foreign clients for CII. NSIRA believes CSE should require employees to document their assessment of requests from domestic clients, including the rationale for their approval.
In sum, NSIRA found that CSE’s employees do not receive sufficient written training and guidance on assessing the substance of disclosure requests and are not required to document mandatory actions and assessments they make when releasing CII. NSIRA recommended that CSE require, through procedures and policy, that employees document their decision-making and rationales and train them to assess the substance of disclosure requests in light of applicable legal obligations.
Management oversight
Certain types of disclosures are elevated for review and approval at a higher level within the organization. This is another process that lacked the appropriate documentation. Based on data compiled by NSIRA, all requests for CII reviewed at this level were approved, with no documentation of the rationale behind the decision to approve the remainder.
An internal monthly compliance check is conducted to confirm that releases of CII follow sufficient justification, that only the requested CII is released, and to determine whether any procedural errors have occurred. The compliance checks reviewed by NSIRA did not contain any analysis of the disclosure requests. While CSE explained that employees are informally coached if disclosures do not meet requirements, this is not documented within the compliance checks, which provide only statistical summaries of CII disclosures.
NSIRA found that personnel responsible for approving certain CII disclosures and conducting periodic compliance checks did not document their decision-making and assessment of requests. NSIRA recommended that similar to employees at the working level, CSE management must document their decision-making and rationales.
CSE’s assessment of CII disclosure requests
CSE’s CII disclosure request form requires that the requestor state an applicable legal authority for collecting the information. NSIRA observed requests where this information was not provided. In this context, NSIRA expected that CSE would follow up with requestors or assure itself through its own assessment that the requestor had the appropriate legal authority for collecting CII. NSIRA found no evidence that this process was taking place.
NSIRA used its ability to follow the thread of a disclosure and engaged some of CSE clients for CII regarding their legal authority to collect Canadians’ personal information. Where these departments had not indicated a legal authority to receive CII, NSIRA inquired directly with them about their legal authorities, receiving detailed legal assessments prepared in response to NSIRA’s questions. NSIRA found no documented evidence that CSE had similarly assured itself of the clients’ legal authorities at the time of disclosure.
As the custodian of incidentally collected CII, CSE has the responsibility to assure itself and document that both a collection and disclosure authority exist before sharing it with third party clients.
Next to a legal authority, the second key component of a disclosure request is the recipient’s operational justification for collecting the CII. A demonstrable operational nexus is required to justify a requester’s collection of CII in line with the Privacy Act regime.
NSIRA found that CSIS, the RCMP, and the Canada Border Services Agency (CBSA) generally demonstrated a clear link between the intelligence reporting and associated CII to their mandated activities, with some exceptions. This was a result of the strong operational justifications provided proactively by these clients, and does not reflect a more rigorous process on CSE’s end. Disclosures to these departments comprised approximately half of NSIRA’s sample.
CSE has accepted operational justifications provided by these and other clients that NSIRA found to be inadequate. In these cases, the clients’ justifications pertained to CII that was not demonstrably related to their mandate or operations.
From the sample of all disclosures reviewed by NSIRA, we found 69% to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied. Nevertheless, within this sample, CSE had approved these disclosure requests at a 99% rate.
CSE also released additional personal information to clients beyond that which was requested and explained this to be a standard practice. For example, NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity. NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested.
In sum, NSIRA found that CSE has not sufficiently assessed the legal authorities invoked by its clients and recommended that CSE and these clients obtain legal advice from the Department of Justice to determine the extent of their legal authority to collect CII. NSIRA further found that CSE’s implementation of its CII disclosure regime may not have been in compliance with the Privacy Act framework and recommended that CSE cease disclosing CII to clients other than CSIS, RCMP, and CBSA until it addresses the findings and recommendations contained in NSIRA’s review.
CSE’s governance of the disclosure regime
Many of the systemic issues presented in NSIRA’s review arise from CSE’s CII disclosure regime governance. CSE develops its internal policies, procedures, and legal assessments to which its disclosure clients are generally not privy. CSE’s existing arrangements with its clients govern operational issues such as security standards, information handling and system access. However, at an institutional level, NSIRA has not found a consistent understanding among CSE’s CII disclosure clients of the legal requirements underlying this practice.
A more transparent governance structure would allow all parties to understand and formally acknowledge at an institutional level the legal and operational requirements behind disclosing and collecting CII. It is not sufficient for CSE to manage the regime with its clients not privy to the policies, procedures, and legal requirements that underlie it.
NSIRA found that CSE’s governance of the CII disclosure regime does not foster an environment where its clients can take equal responsibility for CII disclosures. NSIRA recommended that CSE work with the Department of Justice and the Treasury Board of Canada Secretariat to establish Information Sharing Agreements with its regular domestic clients.
CSE’s disclosure of CII collected through its assistance to CSIS
Throughout the review, NSIRA encountered reporting and associated disclosures that pertained to activities of foreign persons within Canada. As CSE is prohibited from directing its activities at such persons, NSIRA submitted a series of questions and received briefings on the subject. NSIRA learned that CSE discloses CII collected as part of its assistance to CSIS in relation to section 16 of the CSIS Act.
Under section 16 of the CSIS Act, CSIS may assist the Minister of Foreign Affairs or the Minister of National Defence by collecting foreign intelligence within Canada in relation to Canada’s defence or international affairs. In turn, CSIS can apply to the Federal Court for a warrant, under section 21 of the CSIS Act, to obtain judicial authorization for intrusive collection powers in support of the section 16 investigation. Subsequently, CSIS may request CSE assistance if it does not have the tools or capacity to carry out this collection. CSE’s assistance takes the form of developing tools and techniques, intercepting target communications, decryption, report writing, and translation.
In its assistance to CSIS, CSE must respect the legal authorities and limitations imposed on CSIS by law and Federal Court warrants. In its documented requests for CSE assistance, CSIS does not explicitly request that CSE disclose the CII collected under warrant. Such disclosures are also absent from internal CSE plans that set out CSE’s support parameters. At the same time, both agencies insist that CSE can disclose such CII using its regular disclosure policies and procedures.
The practice of handling CII incidentally collected pursuant to section 16-related warrants has been the subject of ongoing treatment by the Federal Court. CSIS has described its own practices to the Court, including detailed summaries of how section 16 information is collected, its processing for intelligence reporting, and the rigorous disclosure regime associated with this reporting. CSIS also noted, in less detail and with omissions, some aspects of CSE’s parallel disclosure of CII collected through its assistance to CSIS under these warrants.
Overall, the stringent practices described by CSIS to the Court do not present a complete picture. For instance, CSIS’s limited distribution of section 16 intelligence reports and associated CII is not mirrored in CSE’s wider release of this information. Additionally, the senior approval levels that CSIS has in place for disclosing information about Canadian officials are also not reflected in CSE’s practices. In fact, CSE does not have a policy on how to treat Canadian officials’ information through its assistance mandate, and generally releases it at the working level. Further, CSE personnel are not generally aware that the information they are releasing originates from section 16 collection, and its associated Federal Court warrants and conditions. Moreover, CSIS has communicated to the Court that its own disclosure practice includes an assessment of a disclosure request by the operational branch responsible for the warrant, while CSE discloses such CII independent of CSIS operational branches.
In recent testimony before Parliament, CSE was asked how it operationalizes its assistance mandate. In its response, CSE stated that information collected under assistance is segregated, returned to CSIS, and belongs to CSIS, emphasizing that CSE effectively acts as an agent of CSIS in supporting section 16 activities. NSIRA is of the view that this is not a complete representation of the lifecycle of information collected by CSE in its assistance. By approving CSE’s section 16 intelligence reports, CSIS effectively releases ownership of this information to CSE, which was not conveyed to the Federal Court by CSIS in its affidavits detailing the reporting and use of section 16 information.
CSE’s treatment and dissemination of this information differs from the stringent standards communicated to the Court by CSIS, particularly when it pertains to Canadian public officials and other sensitive groups. NSIRA believes that fully describing the CII disclosure process during warrant applications is necessary to support the process of imposing any terms and conditions advisable in the public interest, as contemplated by paragraph 21(4)(f) of the CSIS Act.
Given the findings of the review, NSIRA recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII incidentally collected under the authority of federal court warrants related to section 16 investigations.
Conclusion
NSIRA’s findings and observations over the course of this review indicate that CSE’s implementation of its disclosure regime may not be in compliance with its obligations under the Privacy Act. Throughout this review, CSE has defended practices that NSIRA believes do not reflect a commitment to rigorous implementation of the Privacy Act. Finally, CSE has released CII as part of its assistance to CSIS in a manner that contradicts the procedures communicated to the Federal Court.
Accordingly, NSIRA made a number of recommendations as outlined above, to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
