In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The framework aimed to establish a coherent and consistent approach across government when sharing and receiving information with Foreign Entities. Following this, Ministerial Direction was issued to applicable departments in 2011 on Information Sharing with Foreign Entities, and then again in 2017 on Avoiding Complicity in Mistreatment by Foreign Entities.
On July 13, 2019, the Avoiding Complicity Act came into force. This Act codifies and enshrines Canada’s commitments in respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment.
On September 4, 2019, pursuant to section 3 of the Act, the Governor in Council (GiC) issued written directions to the Deputy Heads of the following 12 departments and agencies: Canada Border Services Agency (CBSA), Canada Revenue Agency (CRA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment (CSE), Department of Fisheries and Oceans Canada (DFO), Department of National Defence and Canadian Armed Forces (DND/CAF), Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Global Affairs Canada (GAC), Immigration, Refugees, and Citizenship Canada (IRCC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP) and Transport Canada (TC).
The GiC issued directions focused on three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.
Pursuant to section 7 of the Act, every Deputy Head having received direction must, before March 1 of each year, submit to the appropriate Minister a report regarding the implementation of those directions during the previous calendar year. Following this, every Deputy Head must, as soon as feasible after submitting the report, make a version of it available to the public.
The Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, September 4, 2019, to the end of the previous calendar year, December 31, 2019. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Act.
While this was the inaugural annual review under the NSIRA Act, it builds upon previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on information sharing with Foreign Entities is an example. The results from this previous review were sent to applicable departments in July 2020. NSIRA is building upon this previous review and strongly supports the findings and recommendations within it. As of the date of this report, departmental responses have not been received regarding the recommendations provided in NSIRA’s July 2020 Ministerial Direction review.
(U) It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period.
To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Act and the directions. The responses and associated information captured departmental activities related to the Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. NSIRA believes that having a robust framework is an essential part of an effective implementation of the directions departments have received.
Beyond the specific requirements of implementation, the information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken since the review period to build and formalize their frameworks. This information and knowledge will help set up the foundation for future reviews and assist efforts on creating consistent implementation across departments. While many of the issues discussed in this report go beyond the specific requirements of the directions, their consideration is critical to the overall improvement of the implementation process and how departments ultimately support the Act. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions and look closely at specific cases and departmental legal opinions to guide review findings.
While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments are employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach. And while departments will always require unique aspects in their sharing frameworks to address the unique characteristics of their mandates and activities, to improve the implementation process, a goal all involved likely have, the identification and sharing of best practices is critical.
For example, determining the best means for having a unified approach when engaging with foreign entities of concern or ensuring that an information sharing activity is consistently evaluated for risk by all departments. The recommendations provided on these issues in this review capture what NSIRA believes to be important concerns and considerations for supporting and improving departmental implementation.
Additionally, as the directives received under the Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the community to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, but also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Act across the community.
Authorities
This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity Act.
Introduction
Focus of the Act
In the same spirit as the Ministerial Direction (MD) that preceded it, the Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department and a foreign entity. The Act also aims to limit the use of information received from a foreign entity that may have been obtained through the mistreatment of an individual. While the previous MD guided the activities of a selection of Canada’s security and intelligence departments, the Act broadened this scope to capture all departments whose interactions with foreign entities included information exchanges where such a concern may apply.
The focus of the Act is to ensure departments take the necessary steps during their information sharing activities to avoid contributing in any way to the mistreatment of an individual. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. There is an expectation that each department will satisfy these requirements by leveraging departmentally established mechanisms and procedures, or frameworks that will allow each department to confidently demonstrate how it has responded to its responsibilities under the Act.
During the first year that the Act was in force, written directions using nearly identical language were sent to the Deputy Heads of 12 departments. In regard to disclosure, the directions read as follows: “If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”
With respect to requesting information, the directions state: “If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”
Lastly, as it relates to the use of information, the directions indicate: “The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department
(a) in any way that creates a substantial risk of further mistreatment;
(b) as evidence in any judicial, administrative or other proceeding; or (c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.”
At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. This determination is done on a case-by-case basis. Each department is responsible for making these determinations as it applies to its activities. Following the outcome of a department’s determination of these important questions, cases may be approved, denied, or elevated to the Deputy Head for consideration. For the latter cases, this then results in additional reporting requirements for the Deputy Head. Throughout this process, there is also a requirement to ensure the accuracy, reliability, and limitations of use of all information being handled.
Review Objectives
After the Avoiding Complicity Act came into force in July 2019, the Governor in Council’s written directions were sent to each applicable department in September 2019. The period for this year’s review is September 4, 2019 to December 31, 2019. The short timeframe (approximately 4 months) associated with this year’s review means that departments are being assessed, in large part, on what they would already have had in place to address risks of mistreatment associated with information sharing, or what they were able to implement in a four-month window. NSIRA is cognizant that for the departments that were not previously subject to the 2017 MD on Avoiding Complicity in Mistreatment by Foreign Entities, the timeframe to implement the written directions was somewhat limited, as it would have been challenging to create and operationalize new procedures such that they would be reflected in the department’s activities during the period being reviewed.
While it was essential to ensure that both NSIRA and the departments being reviewed met their obligations, these challenges were kept in mind when evaluating the objectives for this first review. Given these considerations, the objectives of this year’s review were to determine whether:
departments had fully implemented the directions received under the Act in conformity with the obligations set out therein;
departments had established and operationalized frameworks that sufficiently enabled them to meet the obligations set out in the Act and directions; and,
there was consistency in implementation across applicable departments.
Methodology and assessment focus
To capture a complete view of the departmental implementation of the Act, NSIRA constructed a series of questions related directly to every department’s obligations under the Act and the directions. The responses and associated information captured what specific activities took place during the review period and what departmental frameworks were leveraged to adequately support these activities.
The information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken to build and formalize their frameworks to meet their obligations under the Act and directions. The information provided and the knowledge gained will help set up the foundation for future reviews and help create consistent implementation across departments.
The method used to gather information during a global pandemic was designed for this first and unique review period. We believe it allowed departments to quickly and efficiently indicate both whether the directions had been implemented, and what frameworks, processes, and policies had been leveraged or put in place.
Responses to many of the RFI questions were simply yes/no answers. Often, answers were dependent on what information handling activities took place with foreign entities by the department during the review period. As such, a number of questions could be returned with ‘not applicable’, and this was an acceptable response. Many of the questions were related to specific and easily defined requirements under the Act and its associated directions, e.g. ‘was a report submitted to the Minister?’ or ‘Did the Deputy Minister inform the applicable bodies of all their decision made under the act?’.
Other questions were designed to capture the details of the underlying processes that supported a department’s implementation, i.e. a department may indicate that they ensured no substantial risk of mistreatment was present in any of their information sharing activities, but how did they support this claim? Likewise, for an assertion that a possible substantial risk of mistreatment had been mitigated, what was in place that allowed a department to make this assertion? Therefore, this series of questions required sufficiently detailed responses to fully capture what a department had in place that allowed it to confidently state that it has met its implementation obligations under the Act and the issued directions.
Finally, a portion of the questions was intended to capture the level of uniformity in implementation across departments. This includes such things as country/entity assessments, triage practices, and record keeping. Much of this information will also help with recommendations going forward. This multi-faceted approach resulted in three main areas being evaluated to assess implementation for this review period and help set the groundwork for future reviews.
Departments have clear and comprehensive frameworks, policies, and guidelines such that they can demonstrate how they have fully implemented the directions under the Act.
All reporting requirements associated with both the Act and its applicable directions have been met.
Differences or gaps associate with areas such as country/entities assessments, record keeping, case triage, etc., such that consistent implementation across departments would be challenging.
Summary of the results table
The table in Annex A captures a summary of both the departmental responses to the implementation questions and NSIRA’s assessment regarding these responses. The assessment was based on the associated details provided by departments in the context of the specific information requested. As explained above, many of the responses were returned as not applicable (n/a). Since many implementation requirements are connected to specific activities, the absence of such activities would mean that the requirement does not come into play. The best example of this for the current review is the absence of any Deputy Minister level determinations. All 12 departments indicated that they did not have any cases referred to the Deputy Minister level for determination. All additional reporting requirements associated with this level of decision were not applicable and thus considered satisfied.
If a specific requirement was not met, it was flagged. The relatively few instances of this were connected with departments not meeting certain reporting obligations under the Act. In all cases, the department involved pre-identified these missing requirements and indicated that efforts were underway to address them.
The concerns and findings captured in the table (and others) are discussed subsequently. A concern was flagged in two situations: where there was an uncertainty associated with a department’s ability to support their implementation requirements; and cross-cutting issues related to general aspects of all of the frameworks described, both of which led to the findings and recommendations proposed.
Findings and Recommendations
Realities of Implementation for 2019
A challenge for departments for this first review was associated with one of the assessment items listed above, i.e. whether they had established frameworks to demonstrate how they supported the implementation of the directions they received.
With the Avoiding Complicity Act coming into force in July 2019, it was not feasible that departments would create and stand-up new frameworks for information exchanges in time for the period being reviewed. Although the Act did specify several Deputy Heads that were to receive directions, it only included those who received the previous 2017 MD. The remaining new departments received their directions in September 2019. Regardless of this two-month difference, each department would have been required to rely on, to some extent, existing procedures when handling information sharing with foreign entities during the review period.
This put the departments that had previously formalized policies and processes at an advantage when implementing the directions. For those departments who were not subject to the previous 2017 MD on information sharing, NSIRA considered how they leveraged and adjusted what was already in place to respond to their new responsibilities under the Act. What we then expected to see, for all departments, was what subsequent steps were taken during the review period and afterwards, to either adjust or create frameworks to better meet implementation requirements going forward. NSIRA noted that in response to questions on frameworks for handling information and mitigating risk, several of the departments new to the considerations of the Act provided extensive detail on their efforts and progress on building out their frameworks to support the directives. References to having these frameworks formalized over the subsequent year were also encouraging.
Finding no. 1: NSIRA found that several departments, new to the considerations of the Act, described considerable progress being made during the review period and afterwards to build out formalized frameworks to support implementation.
Importance of establishing operational framework
As discussed, having fully established operational frameworks in place for this review period may not have been feasible for the departments that did not previously have processes to support their activities. This, however, did not exempt a department from the requirements of implementation. Each department was still expected to leverage what it currently had in place to properly address the concerns associated with the Avoiding Complicity Act. Furthermore, there was a logical follow-on expectation that departments would take subsequent steps to build out formal frameworks to address any perceived gaps to support the implementation of the Act going forward if necessary.
After reviewing the responses received, NSIRA is concerned that departments with minimal information sharing activities taking place during their operations have yet to address the necessity of having a robust framework in place, regardless of how often that framework is leveraged. For example, although PS and TC may primarily act as facilitators or coordinators for information exchanges on specific programs, they are still interacting with foreign entities, and therefore are required to fully assess their interactions with a foreign entity in this regard.
If a department without a formal framework assesses that it has few or no cases associated with the Act, then it may believe it is adequately positioned to address any sharing concerns should they arise. This, however, is not the case. Even single instances of information exchange in which the concerns of the Act may apply require a framework to support it properly. In many cases, it will be the framework itself that properly identifies whether a sharing activity raises concerns under the Act. If there is no formal process in place, then this identification becomes problematic. Simply saying that there are no cases or activities associated with the Act is not sufficient. That determination can only be made after a sharing activity is scrutinized through the lens of a robust framework. Going forward, all departments who receive directions should demonstrate a formal framework that ensures all information sharing activities are adequately evaluated against the considerations of the Act.
Finding no. 2: NSIRA found that departments conducting minimal information exchanges with foreign entities have not yet fully addressed the importance of having an official information sharing framework in place.
Recommendation no. 1: NSIRA recommends that all departments in receipt of directions under the Act have an official framework that ensures they can fully support their implementation of the directions.
Community coordination and best practices
While departmental coordination and the sharing of best practices are not a requirement of the Avoiding Complicity Act or the directions, NSIRA considered such an approach’s value. What became clear during this first review was that every department employs a very different framework to guide their information sharing activities with foreign entities. This is to be expected to some extent, given the different mandates, sharing requirements, and areas of focus associated with each department. However, these differences are also a reflection of the independent, internal development that has taken place for the different frameworks being used. While the departments receiving directions under the Act do interact on this subject to some extent, to date, based on the responses provided, it appears that the majority of the work done by the departments to build supporting frameworks to address their responsibilities associated with the Act have been done so independently. There was little to no overlap with how departments described the various aspects of their frameworks, even amongst the departments subject to the earlier MD on this issue.
There would be value in departments collectively identifying the key aspects common or required in all information exchanges with foreign entities and then working together to craft best practices, irrespective of what a department currently has in place. This process should draw on all available resources to make this determination. Each department can then turn to their existing frameworks to consider where and how they can be adjusted to match this community-agreed upon ideal. This is not to say that aspects of what a department already has in place in their framework will not ultimately be seen as the best practice. Several departments do have robust sharing frameworks in place, and these will contribute significantly to this exercise. However, arriving at this determination independently will provide an additional level of confidence.
Department-specific challenges, of course, cannot be ignored. In fact, they will weigh in strongly on such a conversation. Departments share information under their mandates for various reasons, and this will mean that coordination on certain aspects of a sharing framework may not be possible. However, this needs to be evaluated. It is important that what already exists, or what is hard change, does not unduly influence what may be best. This approach will create uniformity (where possible) across the community and provide a starting point for ‘must haves’ for each department to evaluate their existing processes against.
The Public Safety Information Sharing Coordination Group (ISCG) was established to support departments on information sharing. As such, it is in an ideal position to help mitigate issues arising from the lack of coordination. Leading such efforts would build on the work already being done by this group. During recent discussions with NSIRA, the ISCG indicated that the tracking of lessons learned and the sharing of best practices was not yet routine. Going forward, there would be value in a more coordinated effort when departments are updating/changing their framework. Ensuring that this coordination takes place will require support and leadership by senior-level officials. This will help in sharing best practices once identified, and establish more consistent approaches across departments.
Finding no. 3: NSIRA found that the differences and variability in departmental frameworks demonstrate a previous lack of coordination across the community and a need to identify best practices.
Recommendation no. 2: NSIRA recommends that departments coordinate to identify best practices for all essential components of information sharing frameworks and that the ISCG is leveraged to ensure these practices are shared where possible across the community to support the implementation of the Act.
Framework application inconsistency
A series of questions in this review was related to aspects of consistency in how departments apply their frameworks. From this series, a comparison was made on how many times an information sharing/use event triggered an evaluation of any kind against the considerations of the Avoiding Complicity Act, versus how many of these triaged cases were elevated or referred up for decision. The results helped gauge two important aspects of a framework: One, the threshold requirements, i.e. how often a sharing activity triggers an evaluation of any kind; and two, the decision making power given to the operators who are initially handling these activities.
The feedback and the responses received demonstrate potential inconsistencies in both aspects across departments. For example, several departments indicated zero cases as being triaged/evaluated under the concerns of the Act during the review period, yet also specified that they are involved in regular information sharing or, specified that no information received from foreign entities was derived from mistreatment. These responses appear to be inconsistent as it would be problematic to participate in information sharing or to make such mistreatment determinations without the activity being evaluated on some level.
Other departments indicated a larger number of cases as initial triaged/evaluated, but also indicated that none of them were elevated in their decision making process for higher-level decisions. This would seem to suggest that all determinations were being made at the operational level. Such a result puts significant weight on the operator and the initial assessment tools they are leveraging if they are making all determinations independently. This reinforces the importance of a robust framework to help make these determinations, as previously indicated in Finding no. 2. As a result of these differences, potential challenges arise on accurately assessing the volume of cases being handled by departments, the tracking of those cases deemed to present a substantial risk, those which can be mitigated for, and those where the risk was not found to be substantial or even present.
These responses may result from how each department defines a ‘case’ or how it records a case, or they may be a result of differences in how a department’s decision-making process is leveraged. NSIRA’s concern is that these differences may indicate an inconsistency in application thresholds at different departments. As such, the following results were viewed as a potential issue based on the responses received:
if a department was involved in any kind for information exchange with a foreign entity during the review period, but did not indicate that any cases were formally triaged/evaluated; or
if there was a significant number of cases triaged, but none were elevated to a higher level for determination.
Such results do not necessarily indicate a problem as aspects of a framework may be able to account for this, however, looking further into how and why the department’s framework produced these outcomes is important. Future reviews will be able to do this. Consistent initial steps for information sharing activities, including triage/evaluation thresholds and documentation, are critical to the effective application of a framework, and ultimately to identifying best practices.
Finding no. 4: NSIRA found that there are inconsistencies in the application of existing sharing frameworks between departments, specifically concerning information evaluation thresholds, and decisions being elevated for senior level determinations,
Recommendation no. 3: NSIRA recommends that departments establish consistent thresholds for triggers in their information sharing frameworks, including initial evaluations against the concerns of the Act, when a case is to be elevated in the decision process, and how this is documented.
Country and entity assessments
A key recommendation of NSIRA’s previous review on information sharing related to the country/entity assessments being used by departments to inform their decision making process when sharing or using information with a foreign entity. While the use of country/entity assessments is not a required aspect of implementing the directions under the Act, NSIRA continues to support this tool as an important aspect of any sharing framework. In its previous review, NSIRA determined that having a firm grasp on the human rights situation, as well as any other pertinent information associated with a country/entity, was essential to making an informed decision on whether there should be concerns, caveats, or limitations when handling information with that country/entity. Moreover, having such information captured to ensure all departments consistently approach these countries/entities is critical. At the time of the previous review, the following recommendation was made:
a unified set of assessments of the human rights situations in foreign countries including as standardized ‘risk of mistreatment’ classification level for each country; and
to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
It is important to note that there has been no formal response from departments on this previous recommendation as of the date of this report. Furthermore, during this report, two departments continue to raise concerns with NSIRA’s stance on this issue during the consultation process. While NSIRA continues to support this recommendation, as explained below, further discussions with departments on how to approach this matter may be warranted, specifically on the distinction between how this recommendation may apply to a foreign country/entity vs a specific foreign partner a department may be dealing with.
Based on the responses provided on this topic for the current review period, there is still inconsistency in this area. While almost all departments indicated that country/entity assessments were a standard part of their framework, the responses also indicate differences in which country assessments are used, how they are leveraged, and who is responsible for updating them. For example, several departments rely on their own in-house created assessments, while others leverage the assessments created by Global Affairs Canada and others. While departments who indicated that they are leveraging country/entity assessment tools in their process also indicated that these assessments captured human rights concerns, this has yet to be independently evaluated. NSIRA is concerned that these differences could result in different approaches/stances being taken by departments when dealing with the same foreign entity. While the country/entity assessments tools themselves are not necessarily in question, the fact that every department is not leveraging or does not have access to all useful or applicable information is.
NSIRA remains of the view that having a consistent stance on all countries and entities when implementing the requirements of the Act is important. Issues such as mistreatment and human rights should not be decided at a departmental level, but on a whole-of-government level. While mindful of classification levels, ensuring all departments have access to the same relevant information associated with a foreign country/entity is critical to making an informed decision. Due to the nature of their work, departments may be privy to unique information on a country/entity, some or all of which can be shared. This would lead to fully informed assessments that allow for a consistent approach when dealing with any country/entity. In addition to improving duplication of effort in this area by departments, NSIRA continues to see standardized country and entity assessments, which can be accessed and contributed to by all departments, as key to moving toward a more consistent and effective implementation of the Act across the community
Finding no. 5: NSIRA found a lack of unification and standardization in the country and entity assessments being leveraged by departments, resulting in inconsistencies in approach/stance by the community when interacting with Foreign Entities of concern related to the Act.
Recommendation no. 4: NSIRA recommends that departments identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach by departments when interacting with Foreign Entities of concern under the Act.
Conclusion
While aspects of implementation can be easily quantified and evaluated e.g. reporting requirements to a Minister, others, which support implementation are more difficult to measure, e.g.:
What does a sufficiently robust framework for assessing and mitigating risk when sharing with a foreign entity look like?
Does this depend on the specific requirements and activities of the department; or,
Are there steps that should always be involved when vetting a foreign entity under the considerations of the Act?
Measuring and weighing the answers to such questions is challenging. They are more nuanced, and can’t be as easily quantified. Regardless, they must be considered and addressed. Drawing on the considerations and concerns identified in this review will help departments to ask the questions that will improve their underlying frameworks with the following goals in mind:
To identify the essential/key elements that need to be a part of any framework for it to address the concerns associated with the Avoiding Complicity Act sufficiently; and,
To have all identified best practices implemented as consistently as possible across departments.
Future reviews will push towards these goals by seeking answers to those questions above. By looking more closely at specific case studies, departmental legal opinions, items of inconsistency, and the departmental frameworks that are already demonstrating best practices that should be shared. Ultimately the results of such efforts will contribute to improving the implementation of the Act across the community.
The report focuses on NSIRA’s initial review work from July 2019 through December 2019, and also includes discussion of previously unreleased reviews by predecessor organizations, namely the Security Intelligence Review Committee (SIRC) and the Office of the Communications Security Establishment Commissioner (OCSEC). We discuss Canada’s complex, interwoven approach to national security through the cross-cutting themes of intelligence collection, safeguarding, information sharing, and intelligence informed actions. Highlights include:
Legal issues regarding new technologies;
Ongoing concerns related to the duty of candour owed by CSIS to the Federal Court;
Issues concerning CSIS’s use of the polygraph;
CSE privacy protection practices; and,
Inconsistent approaches to how Canada avoids mistreatment when sharing information abroad.
NSIRA’s mandate also brings together the investigation of complaints related to national security made by members of the public. The report describes issues related to complaints from 2019, emphasizing our commitment to modernizing the complaints investigation process to ensure greater timeliness and accessibility. We also raise concerns concerning gaps in the current legal framework for “whistleblowing as it relates to the national security community.”
Our annual report discusses our organization’s underlining values, particularly our desire to be more accessible in our work, reach a broader audience, and have our review priorities and complaints process informed by engaging communities who feel they are affected by national security and intelligence activities.
“We hope that our annual report will both inform Canadians as to how their national security agencies protect us and give them confidence that strong accountability and transparency mechanisms are in place and working as intended. We look forward to engaging Canadians on the report’s findings.”
–The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. (NSIRA Interim Chair)—
On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our first annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2019, as well as our findings and recommendations. Pursuant to transitional provisions 12(1) and 12(2) of the National Security Act, 2017, this report also includes information that our predecessor organizations, the Security Intelligence Review Committee and the Office of the Communications Security Establishment Commissioner, had not yet reported on publicly.
In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with the deputy heads concerned in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitor-client privilege or the professional secrecy of advocates and notaries or to litigation privilege.
Yours sincerely,
The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. Acting Chair National Security and Intelligence Review Agency
Committee message
We are proud to present the first annual report of the National Security and Intelligence Review Agency (NSIRA) for work undertaken in 2019. Our enabling legislation requires us to present a report to Parliament each year with respect to our activities during the previous calendar year, including any reviews not yet made public by our predecessor organizations, the Security Intelligence Review Committee, and the Office of the Communications Security Establishment Commissioner. In doing so, our report discusses our activities within a framework that addresses the complex, multi-agency and interwoven approach to national security that exists in Canada.
We are primarily a retrospective body, meaning we generally look at activities that have already taken place and make conclusions regarding their compliance with the law and ministerial direction. We also examine the reasonableness and necessity of a department’s exercise of its powers. We are very conscious of the need for timely access to our findings by parliamentarians and all Canadians. NSIRA is committed to releasing redacted reviews as soon as possible after they are provided to the appropriate minister(s). We hope that our annual report will be a mechanism to reflect on broader trends and themes that cut across the full range of our work. We feel strongly that this approach is embedded in our mandate, and is supported by the government’s own push for greater transparency in national security.
Openness also means deepening the dialogue with Canadians on national security. We have broadened our exposure to a diverse set of viewpoints to ensure our review plan reflects the concerns and priorities of all Canadians. This is particularly important in the context of anti-racism movements that are taking place around the world. We hope that engagement with diverse communities will help our organization learn about how we can best contribute to the fight against racism and discrimination in the national security and intelligence field. Engagement with Canadian experts, with cultural communities and with civil society has already begun as we build our social media presence and our capacity to organize videoconferences and in-person meetings. We have met several stakeholders in Ottawa, Victoria, Toronto and Calgary — and more activities are planned in the year ahead. Internationally, we work with and share our experiences with parallel review bodies as a member of the Five Eyes Intelligence Oversight and Review Council, which is made up of our partners in Australia, New Zealand, the United Kingdom and the United States.
We are mindful of the need to avoid overlap with other review bodies and to make the best use of resources within the national security community that are in place to facilitate our work. We know that for many departments and agencies, external review is a new endeavour that will take time to adjust to. We are very pleased with the level of cooperation and support we are seeing. We have developed and shared our three-year review plan, which we hope will clarify our work priorities and give the organizations that we will be reviewing time to adjust and prepare. Our legislation is unequivocal as to our access to information: we are entitled to timely access to anything that is in the possession or under the control of a department in relation to our reviews (except only Cabinet confidences). The integrity of our work demands this access. Our public reports will accordingly record any shortcomings in this regard. To avoid duplication and to enhance the quality of Canada’s system of national security accountability, we are committed to cooperating with other oversight and review bodies, including the Intelligence Commissioner’s Office, the National Security and Intelligence Committee of Parliamentarians, the Office of the Privacy Commissioner of Canada (OPC), the Civilian Review and Complaints Commission for the RCMP and the Office of the Auditor General of Canada.
NSIRA also brings together under one roof the investigation of complaints related to national security that are made by members of the public. We have a mandate to investigate complaints into the activities of the Canadian Security Intelligence Service, the Communications Security Establishment and national security-related activities of the Royal Canadian Mounted Police. Additionally, we can investigate complaints arising from an individual whose security clearance is denied or revoked, as well as referrals from the Canadian Human Rights Commission and certain matters under the Citizenship Act. We are confident that this consolidation of complaints investigations will help to ensure that Canadians’ national security-related grievances can be addressed with the greatest degree of consistency, quality and timeliness possible. A particular task we are undertaking over the next year is to improve the efficiency of the complaints process.
We would be remiss if we did not address the unique and challenging environment facing us all at this moment. The COVID-19 pandemic has had far-reaching consequences the world over that we are perhaps only beginning to understand. Throughout much of 2020, NSIRA staff have been working from home, with minimal access to the office and, therefore, minimal access to classified physical and electronic documents that must be kept within a secure space. We are very proud of the extraordinary work of our staff, who have kept momentum alive during this difficult period, and who continue to put measures in place to enhance our organizational adaptability. We also expect that organizations that are subject to our review and complaints investigations will continue to allocate personnel to these vital functions, and continue to prioritize national security accountability as they too adjust to an ever-changing situation.
At this time, we would like to express our gratitude to three NSIRA members whose terms concluded this year: the Honourable Pierre Blais, the Honourable L. Yves Fortier, and Murray Rankin, NSIRA’s first Chair. Their collegiality and leadership during a time of transition were greatly appreciated, and their contributions to national security accountability in Canada continue to be deeply felt.
We are honoured to have been chosen to be the first members of NSIRA. We are committed to providing meaningful findings and recommendations on the extent to which Canada’s national security community is complying with the law and on the necessity and reasonableness of its actions. We look forward to the challenge facing us in this increasingly complex environment.
The Honourable Dr. Ian Holloway, P.C., C.D., Q.C. (Acting Chair) The Honourable Marie Deschamps, C.C. Professor Craig Forcese The Honourable Marie-Lucie Morin, P.C., C.M. The Honourable Pierre Blais, P.C. (Member until May 2020) The Honourable L. Yves Fortier, P.C., C.C., O.Q., Q.C. (Member until October 2020) Murray Rankin, Q.C. (Member and Chair until September 2020)
Executive summary
Information pertaining to the transition from the Security Intelligence Review Committee (SIRC) to the National Security and Intelligence Review Agency (NSIRA), corporate milestones, organizational values and objectives, and other relevant elements, are briefly described in the introduction, and are supplemented with more detailed material in various annexes as well as on NSIRA’s website.
Review findings and themes discussed in this report reflect NSIRA’s work over the first several months of our mandate, beginning in July 2019. They also build on work done by SIRC and the Office of the Communications Security Establishment Commissioner (OCSEC), including reviews that these organizations had not yet released prior to the establishment of NSIRA. Summaries of these reviews are found in Annexes A and B. We discuss findings and themes in this report according to the “information continuum”: collection, safeguarding, sharing and action.
A key challenge for departments and agencies in Canada is to ensure that their use of new technology conforms to privacy laws and respects Canadians’ rights under the Canadian Charter of Rights and Freedoms (the Charter). NSIRA is aware of instances where an agency used technology in ways that exceeded legal authorities. Notably, one of NSIRA’s first reviews concerned the Canadian Security Intelligence Service’s (CSIS) use of publicly available geolocation data. NSIRA concluded that CSIS’s use of this data without a warrant risked breaching section 8 of the Charter, which protects against unreasonable search and seizure. NSIRA submitted a report under section 35 of the NSIRA Act, to the Minister of Public Safety and Emergency Preparedness regarding the possible unlawful activity.
The report provides an overview of some longstanding issues with regard to the failure of CSIS to meet its duty of candour to the Federal Court, most recently in relation to its human source activities. Specifically, CSIS did not inform the Court that CSIS’s warrant applications were based on intelligence that had likely been collected by illegal means. The Court also observed failings with regard to the Department of Justice’s role in the situation. In response, the Government referred the matter to NSIRA for review under paragraph 8(1)(c) of the NSIRA Act. Over the next year, NSIRA will dedicate significant resources to a review stemming from this Federal Court decision.
NSIRA has prioritized safeguarding (i.e., how the government protects people, information and assets) as a review theme we will examine on a yearly basis. In our first year, NSIRA completed one safeguarding review of CSIS, and commenced another within the Department of National Defence (DND). Of note, our observations with regard to the polygraph (i.e., “lie detector test”) during the security clearance process, highlight a number of shortcomings, including:
CSIS was unable to justify the capacity of examiners — who are not medical practitioners — to ask medical-related questions of the examinees.
There were unequal outcomes or consequences for polygraph exams conducted on external applicants to CSIS vs. current employees.
This finding raises broader issues. Although the Treasury Board Secretariat (TBS) Standard on Security Screening, created in 2014, cites the use of the polygraph as an appropriate tool for assessing candidates seeking an Enhanced Top Secret clearance, TBS was unable to provide any policy rationale for the use of this tool. NSIRA brought a number of shortcomings to the attention of TBS. The standard is currently under internal review at TBS, and we are awaiting the results.
NSIRA made several findings and corresponding recommendations for the Communications Security Establishment (CSE) to improve its documentation, mitigation and privacy protection practices in relation to its Privacy Incidents File.
In 2019, NSIRA launched our first interagency review, an assessment of the implementation of the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities by: the Canada Border Services Agency, CSE, CSIS, DND, Global Affairs Canada, and the Royal Canadian Mounted Police. NSIRA found significant variation among the six departments and agencies in terms of their success in implementing the 2017 ministerial direction. While some departments or agencies, such as CSIS and CSE, had fairly advanced procedures for implementing the ministerial direction, the review highlighted some shortcomings. Some departments and agencies face challenges in operationalizing this direction. Some also face challenges in establishing decision-making mechanisms that are independent from the operational front line in cases where there is a risk of mistreatment. One of the key issues that NSIRA’s review identified was the inconsistent application of the “substantial risk of mistreatment” threshold across departments – under the 2017 directions and their successors, sharing is prohibited where there is a “substantial risk of mistreatment of an individual by a foreign entity”. How departments and agencies assess this standard will be a future area of inquiry.
In 2020–21, NSIRA is modernizing the process for addressing complaints. Our goal will not change: to provide a just and efficient investigation and resolution of complaints. Two priorities will guide the modernization: access to justice for self-represented complainants, and the need for a broader spectrum of tools to streamline the resolution of complaints.
In previous correspondence to the Attorney General, NSIRA identified legislative gaps related to whistleblower protections in Canada’s national security community and the corresponding negative implications resulting from these gaps. In the interim, NSIRA will be implementing internal procedures to address concerns brought forward by members of the security and intelligence community.
In 2019, NSIRA launched a series of public engagements to increase awareness of our new organization, expand our network, and deepen our understanding of Canadians’ concerns relating to national security and intelligence activities. Over the coming year NSIRA intends to continue our outreach and engagement program, with a focus on four key areas: expanding our network to help us address issues related to new and emerging technologies (including artificial intelligence); broadening our dialogue with stakeholders to inform NSIRA’s future review priorities; building new relationships with community groups, in an effort to demystify the complaints investigation process; and scaling up recruitment efforts to ensure NSIRA continues to build an elite workforce with a diverse set of skills and backgrounds.
To enhance transparency, NSIRA also intends to proactively redact and release future NSIRA reports as they are approved throughout the year, rather than waiting for the release of our annual report to disclose our findings and recommendations. The organization is working with departments and agencies to ensure that this new approach is as timely and efficient as possible, and both protects vital national security and intelligence information, and provides the public with as much insight as possible into the results of NSIRA’s reviews.
Introduction
01. The National Security and Intelligence Review Agency (NSIRA) began operations July 12, 2019, as part of the transformation of Canada’s national security accountability framework. As a result, this inaugural annual report covers only a six-month period, from July to the end of the 2019 calendar year. During that time and continuing into 2020, NSIRA did a great deal of work to ensure the successful transition from the Security Intelligence Review Committee (SIRC), to a larger organization with a much broader mandate.
02. Because the NSIRA website provides detailed information relating to NSIRA’s mandate, the types of reviews undertaken, the process and lifecycle of a review, and the complaints investigation process, this report does not discuss these topics.
03. Instead, it focuses on NSIRA’s initial work on reviews, our complaints investigations, and our public engagement and transparency efforts. The emphasis on analysis of recent findings and trends in review draws on previously unreleased SIRC and Office of the Communications Security Establishment Commissioner reviews going back to 2018 and 2019, respectively, as well as NSIRA reviews completed in the first several months of operation. Summaries of these individual reports are available in Annexes A and B.
04. Part 1 outlines our organizational values and NSIRA’s approach to building a new institution.
05. Part 2 provides detailed analysis of themes that cut across many of these reviews, drawing linkages and establishing a platform for future work.
06. Part 3 deals with our complaints investigations and briefly discusses themes from 2019 and priorities for the year ahead, with an emphasis on modernizing the complaints investigation process to ensure greater timeliness and accessibility. Summaries and statistics relating to complaints investigations are available in Annexes C and D.
07. Part 4 outlines NSIRA’s efforts and our vision in addressing engagement and transparency, which are key priorities for the organization.
08. Key accomplishments and ongoing priorities with respect to NSIRA’s corporate services, including measures taken to adapt to an expanded mandate, are detailed in Annex E.
09. This is NSIRA’s first annual report, and we have structured it in a way that aims to be useful and engaging for the reader, while it serves its intended function, namely, to make an important contribution to Canadians’ dialogue on national security and intelligence issues. We are interested in feedback on how to make it as helpful and accessible as possible in achieving this aim.
Part 1: Institution building
10. The creation of NSIRA, following the proclamation of the National Security Act, 2017, represented a considerable step forward in the development of national security and intelligence accountability in Canada. Over the past two decades, national security and intelligence operations have become increasingly interconnected within the Government of Canada. This resulted in a number of departments and agencies that had not traditionally been part of the security and intelligence community now playing key roles in this area. However, review bodies’ powers did not evolve with the changing national security and intelligence landscape, and their ability to review agencies and make contributions remained compartmentalized.
11. NSIRA’s creation remedies these long-standing gaps in Canada’s national security architecture and significantly strengthens the framework for national security accountability. NSIRA has taken over the mandates of our predecessors to review the operations of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), respectively, but we also have an additional and novel mandate to review any activity in the federal government that relates to national security or intelligence. Alongside this expanded mandate, NSIRA has unfettered access to classified information in the possession or under the control of any department or agency (except Cabinet confidences). This allows NSIRA to break down the previously compartmentalized approach to review and accountability, and replace it with horizontal, in-depth interagency review. As such, Canada now has one of the world’s most extensive systems for independent review of national security in the world.
12. Since July 2019, the NSIRA Secretariat has focused on ensuring a successful and effective transition to a much larger organization with a much broader mandate. This included emphasis on the following: securing new accommodations; effective staffing and knowledge development; establishing strong working relationships with departments and agencies, as well as other Canadian review bodies; and delivering on our mandatory reporting requirements. NSIRA absorbed a staff complement from the Security Intelligence Review Committee (SIRC), who had expertise in review and complaints investigation related to CSIS. Sustained effort to recruit staff and build knowledge of the broader security and intelligence community will continue in the year ahead.
Review
13. In the early months of our mandate, NSIRA developed a three-year review plan. This plan will help develop a systematic approach to deciding what to review and how to set priorities. Besides helping to guide resource allocation and staffing decisions in the medium term, the review plan provides clarity to the departments and agencies we review and prevents overlap with other review bodies.
14. Part of the challenge inherent in NSIRA’s mandate is thinking differently about how to organize and undertake reviews. The interagency mandate allows for reviews to be planned and undertaken in a horizontal manner, involving several departments and agencies from the start. Similarly, NSIRA is also working in a horizontal manner internally, to incorporate legal and technical experts into reviews more systematically, so that considerations in these areas are built into reviews from the start.
15. Within this plan, in-depth review of CSIS and CSE remain organizational priorities. NSIRA is also developing foundational knowledge of national security and intelligence activities conducted in federal government institutions that have not traditionally been subject to review. Through a series of increasingly complex and in-depth reviews conducted over the upcoming years, NSIRA will seek to provide a holistic and detailed picture of activities, programs or key themes in the national security and intelligence community.
16. When conducting reviews, whether simple scoping exercises or more complex projects, NSIRA considers a number of elements to develop conclusions, findings and recommendations. These include the lawfulness, compliance with directives and policies, reasonableness, necessity, and proportionality of security and intelligence activities. These considerations help NSIRA ensure that Canadians are confident that national security and intelligence activities undertaken by the Government of Canada are thoroughly reviewed and assessed.
Complaints investigations
17. In addition to NSIRA’s review mandate, the organization has the responsibility to investigate national security-related complaints. This includes hearing complaints from the public regarding actions taken by CSIS and CSE, national security-related complaints regarding the Royal Canadian Mounted Police (RCMP), and complaints related to the revocation or denial of security clearances.
18. NSIRA acknowledges that the complaints investigation framework inherited from SIRC has been far too slow and too complex. An analysis of the number of complaints filed annually and the number outside NSIRA’s jurisdiction to investigate also reveals a clear knowledge gap with respect to NSIRA’s role in this regard. For these reasons, NSIRA has begun to reform the complaints process, including increasing access, timeliness and accountability.
NSIRA’s values
19. NSIRA inherited a number of values, practices and expertise from the review agencies that came before. Nonetheless, NSIRA is dedicated to undertaking our work in a new way — one that emphasizes outreach, engagement and transparency. As such, NSIRA has begun a comprehensive program of engagement with civil society, community groups, academics and others, based on a number of objectives including but not limited to:
informing NSIRA’s review plan;
raising awareness of and demystifying the complaints investigation process;
leveraging and creating communities of interest on key issues (for instance, on artificial intelligence); and
recruiting talented Canadians.
20. The new organization wants to break with previous practices that resulted in findings and recommendations being publicly reported only once per year. To increase transparency, NSIRA is committed to the release of unclassified versions of reviews as they become available after redaction and translation. By making our reviews available to the public, NSIRA hopes to increase transparency and accountability, and to open the door to extensive discussions and debate in the public sphere. Consequently, a priority is to draft reports that avoid classified information because the intent is to release them; this “write to release” approach will facilitate the redaction process, where necessary, and ensure more timely and effective release of information.
21. NSIRA is committed to:
openness and transparency, in an effort to better connect with Canadians;
methodological excellence to ensure the quality of our work; and
forward thinking and innovation, including how we consider the impacts of new technology and an ever-changing national security environment.
22. To achieve our numerous and complex objectives, NSIRA relies on a skilled and experienced workforce. As the organization grows, NSIRA will continue to recruit talented candidates that reflect Canada’s diverse and inclusive nature.
23. NSIRA understands the importance of organizational health and wellness as fundamental to success. The organization wishes to be an employer of choice that promotes and provides a healthy work environment. Although the COVID-19 pandemic has raised unprecedented challenges, NSIRA remains focused on further adapting to the sweeping changes brought by the pandemic. Ensuring the physical and mental health and wellness of our staff remains a cornerstone of the organization’s strategy as we develop creative ways to maintain effectiveness and efficiency while working in a distributed manner.
24. In addition to maintaining a broad expertise within the organization, NSIRA has been focusing on building a strong network of partnerships to help define our research priorities and deliver on our mandate. NSIRA has been working with other organizations within the Canadian review and accountability system, such as the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the Office of the Privacy Commissioner of Canada (OPC), on issues of common interest to maximize both the effectiveness and efficiency of national security review agencies, while limiting duplication of efforts.
25. NSIRA made a great deal of progress in all aspects of our mandate throughout the first few months of operation in 2019. Many ambitious projects are under way for the year ahead, in order to progress on building an institution that is fit to play a broad and constructive role in Canada’s system for national security accountability.
Part 2: Review
Section I — The information continuum
This part outlines NSIRA’s framework for discussing findings and trends in review, and provides detailed analysis according to the four categories within this framework. This part does not go into detail about review methodology and prioritization. In short, as we expand our knowledge base of national security and intelligence activities across the Government of Canada, NSIRA aims to undertake increasingly complex reviews over the next three years.
27. Members of NSIRA are planning to proactively redact and publicly release full reviews, along with unclassified executive summaries, as they are approved and translated, rather than having to wait for the annual report to showcase the organization’s review work. This new practice opens up opportunities for the annual report to discuss and dissect lessons learned throughout the year in new and interesting ways. Rather than discussing the findings and recommendations of each review individually (or vertically), as had been done in the Security Intelligence Review Committee (SIRC) and Office of the Communications Security Establishment Commissioner (OCSEC) annual reports, NSIRA will focus on the entire body of work horizontally, and ask what broad lessons, trends or themes emerge. NSIRA believes that this will allow for a more comprehensive analysis of findings and will help to develop more holistic and interconnected review planning.
28. The following discussion is organized according to what NSIRA calls the “information continuum.” This continuum is meant to reflect the lifecycle of information, from how it is collected and safeguarded, to how it is shared and, ultimately, how it is used to inform real-world actions undertaken for national security or intelligence purposes.
29. NSIRA acknowledges that the information continuum differs from the national security and intelligence information cycle. The continuum is not a unidirectional process, and all concepts mentioned in it are intertwined. However, we hope that presenting our findings within this framework will facilitate a reader’s understanding of key themes and priorities within the national security and intelligence environment. Future annual reports might adopt a different structure depending on the recommendations NSIRA receives and the information we wish to communicate.
Section II — Collection
30. Collection is the first step in the information continuum described in this report. It refers to all forms of information gathering by the Government of Canada’s departments and agencies that relates to national security or intelligence. It covers information that is gathered directly by these federal institutions, in Canada and abroad, as well as information received from other federal entities and other orders of government, such as information from provincial or municipal law enforcement. The receipt of information from foreign entities is also a form of collection, but given the special human rights considerations governing such activity, this report discusses this topic in the section on information sharing.
31. Departments and agencies collect information using a range of techniques. Some recruit human sources to collect information on the agency’s behalf. Others intercept telecommunications through a variety of technical means, such as wiretaps. Telecommunications, in this context, refers to both the gathering of communications content (e.g., intercepting a voice conversation or email) and metadata (e.g., telecommunications subscriber information or information related to Internet connections). Importantly, collection here refers to information that is gathered by Government of Canada institutions both covertly and overtly, and includes publicly available information. The distinction between what is publicly available and what is not has been controversial, and it is a subject that NSIRA will review in the future. Often, the information collected relates only to one person or a handful of people; in other instances, departments and agencies collect data in bulk.
32. Obviously, the collection of certain information by departments and agencies can intrude into the private affairs of Canadians. Indeed, of the many types of national security and intelligence activities that NSIRA is mandated to review, collection is the area with the most potential to impinge on the privacy rights of Canadians. Nonetheless, Canadians expect their private lives, communications and online activities to remain free from state surveillance unless the intrusion complies with the law (including, where required, pre-authorization by an independent judicial officer), and that the collection is reasonable, and goes no further than necessary to achieve a legitimate goal, such as the investigation of a criminal offence or the investigation of a threat to the security of Canada. For these reasons, scrutinizing the government’s collection of information will be a permanent area of focus for NSIRA.
Legal frameworks
33. The legal frameworks governing information collection by government departments and agencies are complex, and vary from department to department, and agency to agency. There are a few overarching principles, however. In simple terms, all departments and agencies are subject to the Canadian Charter of Rights and Freedoms (the Charter) and must ensure that their collection of information is “reasonable” under section 8 of the Charter, which protects against “unreasonable search and seizure” of their persons, property and information. This means that where state action intrudes on a person’s reasonable expectation of privacy, the search must generally be pre-authorized by an independent judicial officer — typically a judge issuing a warrant. In limited circumstances, however, warrantless collection of information in which a person has a reasonable expectation of privacy is permissible, so long as it is authorized by a law that is considered reasonable in striking an appropriate balance between privacy and the state interest being pursued, and the search is conducted reasonably.
34. In Canada, the police and other peace officers seek a number of different authorizations permitting intrusive searches and seizures that implicate a person’s reasonable expectation of privacy. These “lawful access” authorizations include search warrants, production orders to obtain documents or records, and warrants authorizing the interception of private communications. The Canadian Security Intelligence Service (CSIS) can seek warrants from the Federal Court authorizing the interception of any communication or the obtaining of any information, record, document or thing. The procedures followed for obtaining these authorizations vary depending on the statute governing the agency seeking it, and also depend on the search’s intrusiveness. The Communications Security Establishment (CSE), for its part, collects information outside of Canada in accordance with its various mandates related to foreign intelligence and cybersecurity. Where those collection activities might otherwise contravene an act of Parliament or interfere with the reasonable expectation of privacy of a Canadian or any person in Canada, CSE must obtain ministerial authorizations from the Minister of National Defence. Before they come into effect, CSE’s ministerial authorizations under its foreign intelligence mandate and its cybersecurity and information assurance mandate must be approved by the Intelligence Commissioner, who is a retired judge.
35. Regardless of the sensitivity of the information being collected, a department or agency must have a legal authority to collect it. Departments and agencies receive such legal authority from their enabling statutes (for example, the CSIS Act for CSIS; the CSE Act for CSE), as well as from common law powers, especially for the RCMP.
36. These statutes also set important limits, often by spelling out what information departments are permitted to collect, when and to what extent. For instance, CSE is prohibited from directing its collection against Canadians or persons in Canada. But it is not always possible to know in advance which information involves Canadians and which does not. As a result, CSE may sometimes collect information relating to Canadians and persons in Canada incidentally — that is, without deliberately seeking it. CSE must handle this information in accordance with the CSE Act and the ministerial authorizations that it has received from the Minister of National Defence.
Ministerial direction and policy
37. The collection of information by the Government of Canada is guided not only by the law, but also by a range of ministerial directions and internal policies. Ministerial direction represents the formal guidance issued by a minister to a department or agency. Though not a statutory instrument, a ministerial direction has a more robust legal status than mere departmental internal policy, and often serves to set out a minister’s expectations regarding how a department should function, and how it should interpret its legal powers. These directions are used, for example, to implement the Government of Canada’s Intelligence Priorities, which are periodically approved by Cabinet. The Intelligence Priorities set out those areas that the Government of Canada has identified as requiring the greatest need for information. Ministers then direct departments to allocate collection resources accordingly, although they must always remain within the scope of their legal collection mandates. When NSIRA reviews a collection activity related to national security or intelligence, we review not just compliance with the law, but also compliance with ministerial direction and internal policy.
Collection challenges
Technology and privacy
38. Criminals and those who pose a threat to national security are constantly adopting the latest technologies to shield their activities from scrutiny. This places pressure on investigative agencies, in Canada and abroad, to maintain their capacity to collect usable information. As a result, Canada’s national security and intelligence agencies must employ new technologies quickly to circumvent or get ahead of the capabilities of their subjects of investigation.
39. Unfortunately, many new technologies can be used in ways that erode privacy. The rise of the Internet and mobile communications means that individuals now generate far more information and metadata about themselves than in the past. At the same time, intelligence collectors are facing a progressive loss of direct access to private communications stemming from the increasing ubiquity of strong encryption. In part for these reasons, there has been heightened interest worldwide in the bulk collection of information and metadata in recent decades. This raw material is then sifted and analyzed to glean insights and patterns. For example, use of smartphones leaves digital traces that, particularly when assembled or later identified, can reveal contacts, patterns of movement and other intimate details. A key difference between bulk collection and more traditional techniques, such as wiretaps, is that the vast majority of the information collected relates to ordinary citizens who are not subjects of investigation. The risks that such techniques pose for personal privacy are clear.
40. A major challenge for departments and agencies in Canada is to ensure that their use of new technology conforms to privacy laws and respects Charter rights. Generally, this requires departments and agencies to engage the federal Department of Justice to obtain advice on the legal parameters that govern the use of the technology, and then to put in place a strong policy framework and obtain the necessary authorizations before beginning to use a new technology. Often this is exactly what happens. But NSIRA is also aware of instances where technology was used in ways that exceeded legal authorities. These are described below. Some of these examples are drawn from NSIRA’s reviews to date, while others are drawn from SIRC’s history of reviewing CSIS.
41. On a few occasions in recent years, CSIS used new collection techniques without first fully understanding and addressing their legal and policy implications. In these cases, legal and policy work lagged behind the operational imperative to maintain and improve collection capabilities. This risked — and at times compromised — the lawfulness of the collection activity and the privacy of Canadians. The first example is from an NSIRA review:
a) Geolocation: One of NSIRA’s first reviews concerned CSIS’s use of publicly available geolocation data. This review raised pressing questions regarding the use of data that is publicly available, but that nevertheless engages a person’s reasonable expectation of privacy. NSIRA concluded that CSIS’s use of this data without a warrant risked breaching section 8 of the Charter, which protects against unreasonable search and seizure. NSIRA’s review examined the decision-making process that led CSIS to use this data without a warrant, and found that CSIS lacked the policies or procedures to ensure that before the data was used CSIS sought legal advice to avoid unlawful use of the data. On March 16, 2020, we submitted a report under section 35 of the NSIRA Act to the Minister of Public Safety and Emergency Preparedness describing the possible unlawful activity. Under section 35, NSIRA must refer to the relevant minister any national security or intelligence activity that might not be in compliance with the law. The minister is then required to forward the report to the Attorney General.
42. Other examples can be drawn from the period before NSIRA was created, which were reported by the former review bodies, SIRC and OCSEC:
a) CSIS metadata: A 2014 SIRC review assessed whether CSIS’s collection, use and retention of metadata collected under the authority of a Federal Court warrant was carried out lawfully and appropriately. At the time, CSIS warrants required any communications or metadata collected incidentally (i.e., not related to the subjects of the warrant) to be destroyed, unless certain conditions were met, including if there were reasonable grounds to believe that the information “may assist” in the investigation of a threat to the security of Canada. CSIS concluded that the words “may assist” established a low threshold, and accordingly retained and used the metadata, despite the data having been collected incidentally. SIRC was given no indication that CSIS had informed the Federal Court of the nature and scope of its activities. SIRC therefore recommended that CSIS make the Court aware of the extent of its retention and use of metadata collected under warrant. Alerted by SIRC’s recommendation, the Federal Court concluded in October 2016 that CSIS could not retain the information unless it was related to a threat to the security of Canada, because CSIS’s collection mandate in section 12 of the CSIS Act includes the qualifier that CSIS can collect information or intelligence only “to the extent that it is strictly necessary.” The Court found that CSIS’s authority to retain information was informed by this limit. Therefore, it held that CSIS had exceeded its lawful authority in retaining much of the metadata collected under warrant. The Court also found that CSIS had failed in its duty of candour to the Court. As discussed below, the question of retention of electronic “datasets” is a matter now more fully regulated by the CSIS Act, following amendments made by the National Security Act, 2017.
b) CSE metadata: Technological advances have created vast amounts of information in the digital realm. Agencies often turn to automation to apply privacy protection measures to large amounts of information efficiently. In 2013, CSE notified its previous review body, OCSEC, that metadata containing Canadian identity information had not been properly minimized by software. This software failure resulted in Canada’s Five Eyes allies receiving data that Canadian laws prohibit CSE from sharing. CSE suspended sharing certain types of metadata while it developed a solution to rectify this problem. Although this was the only instance in which CSE was found by OCSEC not to have complied with the law, related issues arose periodically, including the incomplete reporting on private communications. OCSEC found this to be the result of human and system error. Many of the observations raised historically by OCSEC centred on the interaction of human and technical elements involved in collection and subsequent reporting activities.
c) Datasets: In 2016, SIRC reviewed CSIS’s use of datasets. These datasets were not collected under the authority of a warrant. The review examined whether the collection of such datasets met the statutory test for collection by CSIS under section 12 of the CSIS Act, which is that information can be collected only to the extent “strictly necessary.” Most of the datasets were not directly related to national security threats. SIRC found that there was no comprehensive governance framework guiding the collection, retention and use of bulk datasets. There was also no requirement to assess the datasets to ensure that they met the requirement of being “strictly necessary” to advise the government on suspected threats. These events pushed CSIS to reconsider the legal underpinnings of its collection of datasets. Amendments to the CSIS Act included in the National Security Act, 2017, have since provided CSIS with an explicit authority to collect, retain and use datasets containing personal information that is not directly and immediately related to a threat to the security of Canada. As noted in the final SIRC certificate, pending the coming into force of the National Security Act, 2017, CSIS continued its dataset program despite the legal risks that had been identified.
43. These examples illustrate how the adoption of new collection technologies also poses a challenge for review bodies, who must equip themselves with the technical expertise needed to ensure that the implications of the technologies being deployed are fully understood. This is particularly important given that the use of many new technologies is a closely guarded secret and thus shielded from public scrutiny. As such, it is largely up to review and oversight bodies to scrutinize the use of these technologies. NSIRA’s plans to address this issue are set out in the section on “Future priorities.”
Candour
44. CSIS has struggled to overcome an institutional culture of secrecy that has contributed to failures to fully disclose certain activities and information to the Federal Court, to the Minister of Public Safety and Emergency Preparedness, and to review bodies. A lack of candour can be particularly problematic where it intersects with the use of new technology. The difference between collection that is lawful or unlawful often hinges on very specific details regarding the information that the technology will enable CSIS to collect. A key consideration is whether that information will reveal intimate details of the lifestyle and personal choices of an individual. The breadth of the information collected and other details of its use can also affect a technology’s level of intrusiveness. It is thus vital that oversight and review bodies are made fully aware of departmental activities in order to fulfil their mandates. The broader the scrutiny of a new technology’s use, the more that its implications will be thoroughly considered.
45. Three times in recent years, the Federal Court has found that CSIS failed in its duty of candour toward the Court during warrant applications. In two of the three instances, CSIS omitted certain information regarding the use of technology to collect information. The omissions compromised the Court’s ability to properly exercise its judicial control function. Indeed, it is worth noting that the Court is not required to approve CSIS warrants, even if CSIS meets the basic statutory requirements. The Court must also be satisfied that the warrant powers are reasonable in light of all the circumstances, and must therefore be given all the information it needs to make this key assessment. The Court is also permitted to place any conditions on CSIS warrants that it considers to be in the public interest, and must therefore be able to appreciate the privacy implications of new technologies.
46. The Minister of Public Safety and Emergency Preparedness also plays an important role overseeing the activities of CSIS because of his or her statutory responsibilities related to the CSIS warrant process. Before CSIS can submit a warrant application to the Federal Court, the application must first be approved by the Minister. The Minister — and the officials in Public Safety Canada who advise the Minister — must therefore be provided with all relevant information. It is notable that the Minister has felt it necessary to issue ever-more precise and detailed direction to CSIS specifying that the organization must keep the Minister informed of its activities. The most recent example, the 2019 Ministerial Direction for Accountability, specified that CSIS must inform the Minister of activities “where a novel authority, technique, or technology, is used. This includes novel uses of existing authorities, techniques, or technologies.”
Human source activities
47. Most recently, CSIS failed to meet its duty of candour to the Court in relation to its human source activities. CSIS sometimes pays human sources to collect intelligence. Often, the access these sources have to valuable information is directly related to their personal involvement in terrorism or other threat activities. In paying these individuals for their information, CSIS runs the risk of violating the laws that prohibit paying any money or providing any other resources that support terrorism or other criminal activity. For years, CSIS relied on the doctrine of Crown immunity to provide a legal justification for its actions and to remain within the ambit of the rule of law. The law in Canada has evolved in recent decades, however, making the use of Crown immunity increasingly tenuous as a justification.
48. In 2015 and 2016, SIRC raised a number of questions regarding the legality of CSIS’s human source activities. Notably, SIRC recommended that CSIS obtain legal clarification regarding the continued viability of its reliance on Crown immunity. In response, CSIS obtained legal advice in early 2017 that concluded that Crown immunity could no longer be used to justify activities that would ordinarily be unlawful. This set off a chain of events inside government that culminated in the creation of a new statutory regime allowing CSIS to take actions that would otherwise be unlawful in the course of its human source operations. This new regime was introduced as part of Bill C-59, the National Security Act, 2017, which came into force in mid-2019. While Bill C-59 was before Parliament, however, CSIS decided to continue several human source operations, given their intelligence value, despite the fact that they seemed to violate the law. CSIS only decided to halt these activities in January 2019.
49. In March 2019, SIRC completed its certification of the 2017–18 annual report submitted by the Director of CSIS to the Minister of Public Safety and Emergency Preparedness. Prior to the National Security Act, 2017, SIRC was required to certify the lawfulness of the activities described in each of CSIS’s reports to the Minister. The 2017–18 report discussed CSIS’s continued reliance on Crown immunity in the context of its human source activities. SIRC reviewed the situation and concluded that CSIS had in fact been advised that Crown immunity could no longer be used as a legal defence. As a result, in its certificate, SIRC found that CSIS had knowingly broken the law. SIRC also made clear that although CSIS’s operations could have been important from the standpoint of national security, this in no way excused it from adhering to the rule of law.
50. Starting in early 2018, the Federal Court began to question the legal basis of CSIS’s human source activities independently of SIRC. These questions led to a series of proceedings that culminated, as mentioned, in the Court finding CSIS to have breached its duty of candour to the Court. Specifically, CSIS did not inform the Court that CSIS’s warrant applications were based on intelligence likely collected by illegal means. The Court also observed certain failings with regard to the Department of Justice’s role in the situation. The Court recommended that there be a broader, independent review of the systemic, governance and cultural shortcomings and failures at CSIS and the Department of Justice that resulted in CSIS engaging in illegal activity and in the related breach of its duty of candour to the Court.
51. In response to the identified shortcomings, the government referred the matter to NSIRA for review under paragraph 8(1)(c) of the NSIRA Act. This review, conducted both at the request of the Minister and also under NSIRA’s autonomous review authority in section 8 of the Act, is now under way. Two members of NSIRA, the Honourable Marie Deschamps, C.C., a former Justice of the Supreme Court of Canada, and Professor Craig Forcese of the Faculty of Law at the University of Ottawa, are jointly leading the review.
52. These events are troubling. CSIS not only broke the law, but CSIS and its legal counsel also failed to disclose important matters to the Federal Court, which they were required to do. CSIS also failed to provide key legal opinions to SIRC, or else provided them many years too late, even though SIRC had a legal right to this information.
Future priorities
53. NSIRA’s review mandate has three principal parts: the review of CSIS, the review of CSE, and the review of the national security or intelligence activities of all other federal entities. The review of CSIS and CSE will always remain central to NSIRA’s mission, but over the coming years, NSIRA will systematically map and review other departments’ collection activities. In so doing, NSIRA will scrutinize collection activities to ensure that they are lawful, reasonable and necessary. In other words, NSIRA will not only consider whether a department can collect information, but also whether it reasonably should do so in light of the department’s mandate and the implications for privacy.
54. In our reviews, NSIRA will emphasize scrutiny of a department’s or agency’s use of technology, and particularly new or emerging technologies that pose the greatest risks. NSIRA’s reviews will make recommendations with an eye to improving departmental processes to manage the legal and privacy risks associated with the use of technology. When relevant, NSIRA will examine departmental candour with ministers and oversight bodies, consistent with Canada’s broader system of accountability for national security and intelligence.
55. To achieve these goals, NSIRA will invest in building in-house technological expertise, through a combination of hiring technological experts, training and reaching out to the broader technological community. NSIRA will also collaborate with allied accountability bodies through a forum known as the Five Eyes Intelligence Oversight and Review Council (FIORC). NSIRA will seek to stay current with regard to new and emerging technologies, including artificial intelligence, machine learning and quantum computing, and related concerns such as “big data.” Our goal is to be able to review departmental use of these technologies and their effects in a timely and effective manner.
56. NSIRA has also worked — and will continue to work — with the Office of the Privacy Commissioner of Canada (OPC) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) on matters of joint concern to ensure that the broadest range of perspectives are brought to bear.
CSIS
57. Over the next year, much of NSIRA’s review scrutiny of CSIS will be dedicated to the review stemming from the Federal Court decision discussed above.
58. In addition, NSIRA will systematically map CSIS’s use of technology and its warrant powers. NSIRA will then undertake reviews of the technologies and powers that are deemed to pose the greatest risks. In this way, NSIRA will gain knowledge of CSIS’s most intrusive activities over time. NSIRA will also increase scrutiny of the warrant process in order to monitor CSIS’s candour to the Federal Court.
59. In addition, the National Security Act, 2017, gave CSIS a suite of new powers. NSIRA will review CSIS’s use of these powers in the coming years so as to help inform Parliament’s statutory review of the National Security Act, 2017, which will begin in 2022 or 2023. In particular, NSIRA will review CSIS’s use of datasets, including those that are publicly available, as well as the new justification regime for CSIS activities, that are undertaken in support of collection, which would otherwise be unlawful. NSIRA is also required each year to review at least one aspect of CSIS’s activities under its threat reduction mandate. This mandate authorizes CSIS to go beyond the collection of information in order to take active measures to “reduce” threats to the security of Canada. Over the coming years, NSIRA will take stock of CSIS’s use of these powers since they were acquired in 2015.
CSE
60. CSE uses a range of collection powers and technologies in its everyday operations. Over time, NSIRA intends to comprehensively review the full suite of collection techniques in place at CSE. NSIRA will start by focusing on certain collection techniques that are authorized under a ministerial authorization and comparing them to techniques that are authorized through other channels. As well, NSIRA will examine how CSE addresses incidentally intercepted information, especially the information of Canadians or persons in Canada, and how it decides whether to retain the information.
61. The rapid technological evolution in areas such as quantum computing, 5G and artificial intelligence will affect the work of CSE, perhaps more than any other federal entity. These technologies could also result in the collection of new information or the development of new collection techniques. Using our growing technical expertise in these areas, NSIRA will conduct both general and targeted reviews of the use of these technologies.
62. CSE has also received new powers in the National Security Act, 2017, including the ability to carry out defensive and offensive cyber operations. CSE cannot use these powers to collect information, separately from authorizations issued under its foreign intelligence or cybersecurity mandates. As CSE begins to conduct these operations, NSIRA will review them to ensure they are not being used for — or do not result in — the collection of information.
Other government departments
63. For entities other than CSIS and CSE, NSIRA’s initial reviews will build foundational knowledge of departments with significant collection programs. Of note, NSICOP has already reviewed the security and intelligence activities of the Canada Border Services Agency (CBSA) and of the Department of National Defence (DND) and Canadian Armed Forces (CAF). These reviews identified certain areas of risk, including the use of what is termed “scenario-based targeting,” which is used to screen travellers entering the country, as well as the CBSA’s use of covert surveillance in Canada. NSIRA will build on NSICOP’s work with in-depth reviews of the collection activities of these departments and agencies.
64. NSIRA also intends to map collection through the rest of the federal national security and intelligence apparatus. In particular, NSIRA will explore the collection programs of the RCMP by looking in detail at the RCMP’s national security criminal investigation program, and by examining how the RCMP collects intelligence in support of those investigations. Throughout, NSIRA will be mindful of public concerns with respect to law enforcement, and pay due attention to the RCMP’s activities in sensitive sectors and to any appearance of bias.
65. Within the next three years, NSIRA will examine the collection activities of Global Affairs Canada (GAC). NSIRA will also map the collection and use of biometrics across the government in relation to its security and intelligence activities. This review will examine the collection and use of biometrics by Immigration, Refugees and Citizenship Canada, the CBSA and Transport Canada in relation to their national security responsibilities and canvass the use of biometrics by CSIS and the RCMP in security intelligence and national security-related police investigations.
66. Among the novel and complex areas of collection that NSIRA will also review is the collection of financial intelligence. Financial intelligence is a core component of national security collection, especially in relation to terrorism. It is also central to large law enforcement intelligence operations, especially those that involve money laundering and terrorist financing. Canada’s financial intelligence centre of expertise and responsibility is the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). NSIRA will review FINTRAC’s activities and examine FINTRAC’s relationship with domestic partners.
67. Over the course of the next year, NSIRA will also conduct targeted reviews of DND/CAF. NSIRA has already begun to review the Canadian Forces National Counter-Intelligence Unit to determine how this unit conducts its counter-intelligence gathering activities and, in particular, how the unit’s activities correspond to legal and governance frameworks by focusing on cases of right-wing extremism. NSIRA will also review the Defence Intelligence Enterprise, to gain a general overview and to learn how it is positioned within DND/CAF governance frameworks and authorities. In light of recent media coverage, this review will focus on medical and open-source intelligence.
Medical intelligence and public health intelligence
68. Given the current COVID-19 pandemic, NSIRA will explore how the Government of Canada collects intelligence on medical issues or in relation to the health of Canadians. This is known as medical intelligence, or public health intelligence. At present, NSIRA does not have a firm understanding of what the government considers to be medical intelligence or the extent to which medical intelligence is used. To rectify this gap, NSIRA will review the Public Health Agency of Canada, as well as DND/CAF, whose American counterpart operates the National Center for Medical Intelligence. In Canada, medical issues are usually not part of the public discourse as to what should or should not constitute the government’s intelligence priorities. Medical intelligence will be a completely new area for NSIRA, and it is hoped that it will provoke a useful conversation in light of current events.
Section III — Safeguarding
69. Safeguarding refers to the protection of people, information and other government assets within the national security and intelligence portfolio. Information collected, analyzed and used within this community is often sensitive, either due to the sources and methods from which it is derived, or because of attendant legal protections.
70. There are real consequences when safeguarding measures fail. Should hostile actors like terrorists or foreign governments gain access to information on human sources, for example, this could put lives at risk. Likewise, if hostile actors learn details on electronic methods of collection, this could lead them to apply countermeasures, which could limit Canadian knowledge on key security and intelligence priorities. There is also reputational risk to the Canadian security and intelligence community if allies perceive that the sensitive information they share with Canada, in trust, is not being adequately protected. It is therefore incumbent on the government to ensure that such information is secured from exploitation, compromise or other unauthorized disclosure.
71. Several security breaches in recent years illustrate that the Canadian national security system has not been immune from the risks associated with “insider threats.” The first contemporary public reminder of this risk was the successful prosecution of Jeffrey Delisle. He was a Canadian Navy Sub-Lieutenant who, in 2007, began releasing classified information to the Russian government. On November 30, 2013, Qing Quentin Huang was arrested and charged with attempting to communicate safeguarded information to the Chinese embassy in Ottawa. Mr. Huang had been employed in a sector providing specialized services to the government. Last year, police laid charges against Cameron Ortis, a civilian executive within the RCMP, who was charged with leaking classified information to foreign entities. Both the Huang and Ortis cases remain before the courts.
Safeguarding policy and legal thresholds
72. Safeguarding is neither a legal term of art nor a precisely defined policy term. It encompasses several distinct elements clustered together due to their impact on the protection of people, information and assets. For this reason, the rules for safeguarding begin with the two main policy instruments that govern the management of security within the Government of Canada: the Policy on Government Security and the Directive on Security Management. These policy instruments outline the various requirements for organizations and employees to contribute to security in the workplace.
73. The Treasury Board Secretariat (TBS) is the lead government agency responsible for setting the minimum standards, or safeguards, used to support these policy instruments, covering:
information and identity assurance;
individual security screening;
physical security;
information technology security;
emergency and business continuity management; and
government contracting.
74. Department- and agency-specific policies and procedures across the security and intelligence community — derived from the TBS standards — also set out additional security requirements. As important as it is to define what safeguarding is, it is equally important to understand what it is not. In this context, safeguarding does not refer to measures directed at persons who do not have access to sensitive government information or assets.
75. Employees in the security and intelligence community are also subject to liability for any violation of the provisions of the Security of Information Act (SOIA), which sets out various offences related to the handling of classified material. For instance, the SOIA defines “special operational information” as information that the Government of Canada is taking measures to safeguard.
76. One of the important objectives of the SOIA is to prohibit the unlawful disclosure of sensitive information. However, a mechanism allows for situations where an individual believes that the disclosure of such information is in the public interest — that is, whistleblowing — for example, in preventing public servants from committing a crime in the course of their duties. Whistleblowing protections guard against violations of public trust that erode the confidence of the public in the government’s practices. Whistleblowing protections give an individual a potential legitimate defence against prosecution under some offences in the SOIA.
77. Because the stakes can be high for disclosing safeguarded information, the SOIA outlines a series of preconditions that would enable an accused person to avoid criminal liability for such disclosures. If they are met, the Court will perform a balancing exercise to determine whether the disclosure was in the public interest. These preconditions include weighing factors like the extent or risk of harm created by the disclosure and the seriousness of the alleged offence. However, where the accused is alleging an offence has been committed (and except where disclosure of information is necessary to avoid grievous bodily harm or death), the judge may find the public interest favoured disclosure only where the accused first reported the wrongdoing. NSIRA is the final step in this reporting chain.
Safeguarding themes
78. The concept of safeguarding has an impact on NSIRA’s work in three crucial ways. First, as discussed above NSIRA has procedures for receiving reporting of wrongdoing by whistleblowers. Second, NSIRA must ensure that our members, employees and systems safeguard sensitive information, assets and people from compromise. Third, in both our review and complaint investigation activities, NSIRA plays a crucial role in assessing if the governance systems used to deter, detect and mitigate such risks are compliant, reasonable and necessary.
79. NSIRA has prioritized safeguarding as a review theme to be examined yearly. In selecting this as a review priority, we will help determine the extent to which the security and intelligence community is appropriately safeguarding its employees, information and assets, and will report on whether such practices are lawful, reasonable and necessary to reduce the identified risks. To this end, in our first year NSIRA completed one safeguarding review relating to CSIS, and started another within DND. The latter review was ongoing at the time of writing. When these two reviews are considered holistically along with available open-source information, broader observations can be made about safeguarding.
80. A key observation is the importance of maintaining security vigilance. Currently, the security system engages in high-intensity scrutiny at predetermined intervals — e.g., initial screening on hiring, five-year updates to security clearances, yearly employee security awareness week — and then periods between these intervals where security is less prominent. Moreover, if other priorities take precedence, the time between intervals could increase. In the case of Mr. Delisle, for instance, his Top Secret security clearance had lapsed and was not properly updated prior to his arrival at the government facility where he committed his crimes. Had proper clearance renewal standards been followed, his loyalty to Canada would have been assessed and other vulnerabilities scrutinized.
81. Another important observation is the essential role of clear, concise and updated policies in setting standards across the government. As already mentioned, TBS establishes the minimum security standards for government departments and agencies to follow. Gaps in these standards could create a domino effect, with each department and agency creating their own policies and procedures. Such gaps could lead not only to an absence of standardization across government, but also, in certain cases, to the unreasonable and unnecessary application of security practices.
The polygraph
82. A final observation relates to the government’s use of the polygraph for screening security and intelligence employees. Commonly referred to as a lie detector test, the polygraph is a technology that measures and records several physiological indicators such as blood pressure, pulse, respiration and skin conductivity while a person responds to a number of questions. “Deceptive” answers produce physiological responses that can, so it is alleged, be differentiated from those associated with “non-deceptive” answers.
83. The TBS Standard on Security Screening, created in 2014, cites the use of the polygraph as an appropriate tool, among others, for assessing candidates seeking an Enhanced Top Secret (ETS) clearance. CSIS, in conducting security assessments for its staff, uses the results of the polygraph as a determinative element when granting ETS clearances, rather than an instructive element, to be considered as part of a series of relevant factors. If an outside candidate, employee or individual contracting with the Government of Canada is denied a security clearance that is necessary to obtain or keep federal employment or a contract, the individual can make a complaint to NSIRA pursuant to section 18 of the NSIRA Act. If NSIRA’s jurisdiction is established, the complaint would be investigated by an NSIRA member. This could include, for example, a complaint where a CSIS employee was terminated solely because of the revocation of a security clearance, and the Deputy Head of CSIS could have based the decision to revoke the clearance on the results of a polygraph test. Given the highly invasive and controversial nature of this technology, NSIRA decided to examine the use of the polygraph within our latest safeguarding review of CSIS. We sought to determine the justifications for its use, and the extent to which such determinations are reasonable and necessary.
84. Several key observations were derived from this analysis. First, this tool can have profound negative impacts on an employee’s mental health if not used appropriately. Second, CSIS was unable justify the merits of examiners — who are not medical practitioners — to ask medical-related questions of the people they examine. Third, the outcomes or consequences for polygraph exams conducted on external applicants compared with CSIS employees differed. [ Text removed – As of November 20, 2020, NSIRA and CSIS could not agree on how all of the facts of this review should be presented in an unclassified, public document]. Essentially, a successful polygraph is a determinative factor for external applicants in obtaining an ETS clearance through CSIS. Fourth, CSIS requires policy clarity for cases where employees fail the polygraph examination. Finally, CSIS did not conduct a privacy impact assessment (PIA) for the use of the polygraph, despite a PIA being required by government policy when a department or agency is dealing with “personal information.”
85. These issues raised in the CSIS context are related to a much broader consideration: namely, the extent to which the government’s overarching policy document, the Standard on Security Screening, provides adequate guidance for departments and agencies when they implement this safeguarding measure. For example, this standard requires the use of the polygraph for all ETS clearances, but it is silent on any guidance on the implementation of this requirement, including the conditions for the reasonable use of the polygraph. Rather, such key considerations are left to the discretion of specific departments and agencies.
86. The OPC has also raised concerns with TBS as to how the polygraph examination is used as an enhanced screening requirement under the 2014 Standard on Security Screening. In July 2017 correspondence, for example, the OPC noted particular concerns surrounding its effectiveness, sensitivity and privacy implications, and the potential adverse consequences associated with polygraph examinations.
87. These contemporary observations are not new. In seven consecutive annual reports, ranging from 1985–86 to 1991–92, SIRC requested that CSIS stop using the polygraph. One of the key concerns raised by successive committees were SIRC’s “grave doubts” about the use of the technology, pointing to the fact that test results could be wrong 10% of the time or more. As well, Canadian courts have refused to admit the results of a polygraph as evidence in criminal trials. The Supreme Court of Canada has found that they are unreliable and risky, and would not assist the Court in determining a person’s guilt or innocence.
88. After consideration of the foregoing, on December 12, 2019, NSIRA sent a letter to TBS seeking access to the legal advice prepared for Treasury Board on how the polygraph complies with Canadian legal requirements, as well as a summary of the evidentiary basis used to establish the requirement for using the polygraph, and any assessments of how the use of the polygraph achieves its intended goal. The TBS response failed to answer NSIRA’s questions. However, the letter did acknowledge that the next round of security policy modifications was under way.
89. When SIRC recommended in 1985 that CSIS should cease using the polygraph, it was meant to allow the government time to reach definitive conclusions about whether this technique should be employed by Canadian agencies and, if so, under what circumstances and under what rules. SIRC requested what sound government policy instruments should always require: namely, that there are consistent approaches across government; that risks are managed; and that policies exhibit public service values such as probity, prudence, equity and transparency. NSIRA has not been provided with evidence that suggests that the use of the polygraph meets all of these policy requirements. To this end, future reviews will examine the polygraph’s use outside of CSIS, and based on the information assessed, NSIRA will make a definitive determination about the legality and utility of this instrument.
Future review priorities
90. NSIRA will conduct several reviews of safeguarding practices in the coming years, in an effort to ensure that we are covering as broad a spectrum as possible of security and intelligence community actors. These safeguarding reviews will allow NSIRA to remain involved in relevant key priorities of the field, such as legality, privacy, science-based tools and international best practices.
91. As an independent agency charged with assessing propriety and legality at the core of our mandate, we make our own assessment of the lawfulness of the actions of the security and intelligence community. This forms the basis for NSIRA findings, recommendations and reporting. To this end, NSIRA intends to maintain a strong focus on assessing the process for the input of expert legal advice. Within the context of specific reviews, NSIRA will review the Department of Justice’s role in providing legal analysis to security and intelligence stakeholders.
92. Considering the primacy of privacy in much of the information collected and used by the government in this field, another priority is the need to evaluate the government’s respect for privacy rights, regardless of the policy merits of the safeguarding measure. One of NSIRA’s fellow accountability organizations, the OPC, plays a key role in helping ensure government compliance with Canadian privacy legislation. NSIRA will continue to work collaboratively with the OPC on future safeguarding reviews.
93. In keeping with NSIRA’s mandate to assess the reasonableness and necessity of a department’s exercise of its powers, NSIRA intends to go beyond assessing whether safeguarding measures are legally sound and privacy compliant. NSIRA’s mandate includes reviewing for necessity and reasonableness. For any government to continue to build an adaptive security system, scientific evidence and data-driven analysis must inform which safeguarding tools and processes are necessary. Currently, NSIRA is concerned that there is an absence of transparent and defensible science underpinning policy decisions for selecting security measures. Therefore, our future reviews will include the examination of scientific justifications for specific safeguarding measures.
94. Finally, NSIRA will assess the potential for the government to further advance collaborative practices through additional outreach with foreign partners in allied countries. Although it is known that exchanges of this nature are routine within certain sectors of the security and intelligence community, another feature of these exchanges that should be examined is the extent to which these outreach and coordination efforts relate to safeguarding measures and the extent to which they help revitalize the government’s security posture. NSIRA’s reviews will also provide insight into this component of international best practices.
95. Five safeguarding reviews are planned over the coming years to ensure coverage of as broad a spectrum as possible of security and intelligence community actors. The first will address an aspect of security screening within GAC. The second safeguarding review will relate to CSE’s use of the polygraph for employee security screening; this will be in addition to the yearly reviews of CSE that routinely cover various cybersecurity initiatives used to protect government systems from exploitation. The third review will consider the use of biometrics across the Canadian government. The final two reviews will examine aspects of the RCMP (i.e., the division devoted to Operations Research within this police force, while the other will evaluate the security/safeguarding implications of the Ortis case, using the RCMP’s own internal reviews as a starting point for our analysis).
96. This series of reviews relating to safeguarding will help to provide Parliament and all Canadians with facts about the adequacy of security practices within the security and intelligence community, and ideally, help improve such safeguarding measures. Most importantly, NSIRA exists to ensure that whatever government security standards are ultimately created, they are tested through expert scrutiny and their application is reported on to encourage sustained public debate.
Section IV— Sharing
97. Departments and agencies complement the information they collect on their own with robust information sharing both domestically and internationally. Counter-terrorism, in particular, requires an integrated response, one that involves multiple departments and agencies, in Canada and internationally. Indeed, this is one of the lessons that has been learned post-9/11, but it comes with its own risks and a concomitant need for caution.
98. Information sharing in the security and intelligence community, however, is a broader issue than sharing information to prevent acts of terrorism. Departments share not only to prevent acts of terrorism, but also to counter espionage, foreign interference and the proliferation of restricted technologies. They also share information to advance Canada’s foreign policy and defence priorities. Moreover, they share information broadly — within the security and intelligence community; outside that community with other federal, provincial, municipal and private sector organizations; and with foreign partners.
99. Equally noteworthy is the impact of technology on information sharing. Departments are able not only to collect vast amounts of information, but also to share that information more quickly and easily than ever before. And the burgeoning field of data analytics encourages the sharing of information that can then be analyzed.
100. Against this backdrop, information sharing raises issues of privacy and potential mistreatment abroad, as well as the need to protect sensitive sources and methods when information is shared. These are important issues for Canadians and for policy-makers, and so they will be for NSIRA as well in our review work.
Legal framework for sharing
101. A complex legal framework governs departments’ information sharing. The Privacy Act is an overarching piece of legislation; it is not limited to issues pertaining to the sharing of personal information for national security purposes. The Act sets out specific rules regarding when and why federal government agencies are permitted to share personal information. More recently, Parliament also enacted the Security of Canada Information Disclosure Act (SCIDA), discussed below.
102. In addition, agencies such as CSE, CSIS and the RCMP are subject to specific provisions in their governing statutes for sharing information. Departments can also share information for specific purposes under specific legislation. For example, under the Customs Act, CBSA officials can share customs information where that information is reasonably regarded by the official to be information relating to the national security or defence of Canada. Likewise, in certain circumstances, FINTRAC and law enforcement bodies receive and disclose financial information pursuant to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
103. Departments’ information sharing can also be shaped by international agreements and resolutions, as well as guidance from their respective ministers.
Information-sharing challenges
104. On the basis of three commissions of inquiry in the past 15 years — as well as numerous reviews by NSIRA’s predecessors OCSEC and SIRC — we can safely say that the key challenges of sharing information for national security purposes domestically and internationally are well documented.
105. Justice Major’s Commission of Inquiry into the bombing of Air India Flight 182 addressed several questions, including whether there was effective cooperation and sharing of information between CSIS and the RCMP. Ultimately, the inquiry concluded that the failure of domestic agencies to share information effectively contributed in a material way to the tragic downing of the Air India flight.
106. Since then, CSIS and the RCMP have taken steps to strengthen their information sharing and cooperation. The objective of a CSIS national security investigation is to provide security intelligence to the government; the RCMP collects evidence to be used in a judicial process. While collecting for these different purposes, the two agencies have a shared interest in protecting their respective sources and investigative techniques.
107. In national security investigations, intelligence agencies — most notably CSIS — can be reluctant to share information with the police. Police themselves might want to maintain a distance from intelligence information because it could eventually be subject to disclosure; disclosure disputes can delay or disrupt criminal prosecutions. From a public safety perspective, the limited sharing between intelligence and police agencies could be harmful. This was Justice Major’s central conclusion. It can complicate coordination and impede or delay the range of public safety actions available to the government. This is known as the “intelligence to evidence” dilemma.
108. To address this issue, CSIS and the RCMP have developed a One Vision framework. The framework seeks to enhance cooperation and streamline information sharing.
109. The intelligence to evidence issue was a key part of the country-wide national security consultations that the government undertook in 2016. Ultimately, the government did not bring forward any legislative amendments to specifically address this issue. During our first year, however, NSIRA heard from an external expert that CSIS and the RCMP continue to wrestle with this challenge. The two organizations are undertaking a thorough review to find ways they can remove unnecessary impediments to information sharing and facilitate successful enforcement. Given the importance of the CSIS-RCMP relationship, NSIRA has launched an in-depth case study, to be completed later in 2020, that examines this relationship.
Clear authority for sharing
110. Historically, departments wanting to share national security information regarding threats to Canadian citizens and interests have been concerned about the lack of an independent authority to do so. The Privacy Act’s “consistent use” provision can be used in the national security context where there is a reasonable and direct connection to the original purpose for which the information was obtained. However, this legislation is not specific to the national security context. Overall, it was believed that the complexity of the legal landscape was impeding the sharing of information with national security and intelligence agencies.
111. In response, the government passed the Security of Canada Information Sharing Act (SCISA) in 2015. It created a single legislative authority for federal government institutions to disclose information on an activity that “undermines the security of Canada.” The intent in doing so was to improve the effectiveness and timeliness of sharing threat-related information, including by departments and agencies that are outside the core security and intelligence community. In separate reviews of disclosures under SCISA, however, both SIRC and the OPC were critical of departments’ internal controls and record keeping.
112. The legislation was amended and renamed SCIDA as part of the National Security Act, 2017. Further, NSIRA now has a statutory requirement, pursuant to subsection 39(1) of the NSIRA Act, to conduct a review of disclosures made under SCIDA. To ensure robust review of these disclosures, and in keeping with the statutory authority to coordinate to avoid unnecessary duplication of work, NSIRA and the OPC have agreed to work together on these review efforts.
113. NSIRA is also looking beyond SCIDA to other aspects of the challenge of having clear authority to share information for national security purposes. In our first year, NSIRA has elected to conduct three reviews that feature CSE’s incidental collection and use of Canadian identity information, including disclosure of such information to departments. When sharing intelligence reports with other departments and agencies, CSE typically suppresses Canadian identity information, which is collected incidentally in the course of its foreign intelligence activities and its cybersecurity and information assurance activities. However, departments and agencies that can demonstrate they have the legal authority and operational justification to receive the Canadian identity information can submit to CSE a request for disclosure of the information. NSIRA expects to complete a review later in 2020 that focuses on the lawfulness and appropriateness of Canadian identity information disclosures, and a review that focuses on CSE’s ministerial authorizations and ministerial orders.
Review of CSE’s Privacy Incidents File
114. One review featuring Canadian identity information was NSIRA’s first completed review relating to CSE. The review examines CSE’s Privacy Incidents File, which records privacy incidents discovered by CSE. A privacy incident occurs when the privacy of a Canadian, or a person in Canada, is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. The review of the Privacy Incidents File was an annual review conducted by OCSEC, CSE’s former independent review body. For this review, based on an examination of a selected sample of incidents reported in the Privacy Incidents File for the period of July 1, 2018, to July 31, 2019, NSIRA commended CSE’s timely response to reporting and mitigating privacy incidents. However, NSIRA made five additional findings and corresponding recommendations for CSE to improve its documentation, mitigation and privacy protection practices.
Sharing with international partners and the risk of mistreatment
115. Justice O’Connor’s inquiry into the actions of Canadian officials in relation to Maher Arar examined the circumstances under which a Canadian citizen, Maher Arar, was rendered to Syria and tortured. A key outcome of the inquiry was its conclusion that sharing inaccurate or non-caveated information with foreign partners can result in the mistreatment and torture of individuals, as it did with Mr. Arar.
116. The government responded by issuing a series of ministerial directions on information sharing with foreign partners, culminating in the Avoiding Complicity in Mistreatment by Foreign Entities Act (Complicity Avoidance Act), which came into force in 2019 and required written direction be issued by the Governor in Council (GIC) to the deputy head of multiple departments and agencies. The GIC directions have codified the expectations of departments and agencies. In particular, there is now a clear prohibition for any sharing of information that would result in a substantial risk of mistreatment of an individual. Additionally, they limit the use of any information that was likely obtained through the mistreatment of an individual.
117. Throughout its history, SIRC paid careful attention to CSIS’s information-sharing practices with foreign partners. It also specifically addressed the operationalization of the relevant ministerial direction. Its attention to these issues continued through 2018–19, through two separate reviews of CSIS foreign stations. The first of these reviews focused on the need for CSIS to institute and follow a rigorous decision-making process with respect to sharing information with foreign partners, supported by foreign arrangements anchored in thorough assessments of the human rights records of Canada’s foreign partners.
118. The second foreign station review also examined CSIS’s relationships with foreign partners within the geographic region encompassed by the station. In this case, all of the foreign partners are deemed high risk from a human rights perspective and, thus, restrictions have been placed on all foreign arrangements in the station’s area of responsibility.
119. One of NSIRA’s first reviews examined changes to CSIS’s procedures and policies on information sharing by means of a detailed examination of three cases, identified as high risk, that had been reviewed by CSIS’s Information Sharing Evaluation Committee. The review yielded two recommendations meant to ensure that decisions are made at a level commensurate with the assessment of risk, and that legal opinions are sought, as appropriate, to ensure compliance with the law and ministerial directions when sharing information with a foreign entity.
120. As part of our governing statute, NSIRA is now required to review departments’ implementation of GIC directions on information sharing with foreign partners under the Complicity Avoidance Act. To date, the GIC has issued these directions to 12 departments, including several that have never before received formal direction specific to information sharing with foreign partners.
121. To prepare for this new responsibility, NSIRA launched our first interagency review, an assessment of how six departments and agencies— the CBSA, CSE, CSIS, DND, GAC and the RCMP — were implementing the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities, which was the basis of the direction under the Complicity Avoidance Act. The purpose of the review was also to provide a future roadmap for departments that, pursuant to the Complicity Avoidance Act, received this direction for the first time in 2019.
122. NSIRA found significant variation among the six departments and agencies in terms of their success in implementing the 2017 ministerial direction. Some, like CSE, have developed and rolled out comprehensive policy suites to guide their information sharing with foreign partners. Some departments face challenges in operationalizing this direction. Some also face challenges in establishing decision-making mechanisms that are independent from the operational front line in cases where there is a risk of mistreatment. One of the key issues that NSIRA’s review identified was the inconsistent application of the “substantial risk” threshold across departments and agencies. This will be an area of inquiry in the future.
Future priorities
123. NSIRA has a specific statutory requirement to review the implementation of GIC direction under the Complicity Avoidance Act, and to review disclosures under SCIDA. These reviews are annual requirements, reflecting the potential risks to Canadians when departments and agencies share under these respective statutory mandates. NSIRA will be attentive to those risks, including the potential risks to privacy posed by information sharing. At the same time, however, NSIRA intends to map and review the full range of information sharing in which departments engage — under different statutes and legal sources, as well as internationally and with one another, provincial and territorial agencies, and the private sector.
124. Over our first three years, NSIRA will begin to explore information sharing across the security and intelligence community. We will focus on key partnerships, and how departments and agencies collaborate in keeping Canadians safe and achieving Canada’s foreign policy and defence objectives. The scope of information sharing is broad, and NSIRA hopes to build our understanding of this issue over time.
125. NSIRA has begun a building block review of CSIS-RCMP collaboration and information sharing in relation to a particular investigation. One of the objectives of this review is to document the challenges that the two agencies face in relation to the intelligence to evidence dilemma.
126. NSIRA will examine other key partnerships within the security and intelligence community, including information sharing between CSIS and CBSA to prevent people or goods posing a threat to national security from crossing the border. We will also examine how CSE and CSIS collaborate to collect foreign intelligence that is useful for Canadian policy-makers.
127. NSIRA will also look at horizontal arrangements, and information sharing across different levels of government. For example, we will assess institutionalized measures to promote sharing and cooperation, such as in relation to Integrated National Security Enforcement Team investigations. These teams are led by the RCMP and include representatives from other federal agencies, as well as representatives from municipal police services and provincial police in the case of Ontario and Quebec. NSIRA will also look at information sharing outside of the counter-terrorism context, including how departments and agencies protect Canada’s economic security, beginning with actions under the Investment Canada Act and extending to include the full spectrum of tools at the government’s disposal.
128. NSIRA will examine information sharing with private sector organizations, such as information that the Canadian Centre for Cyber Security collects from organizations to prevent or mitigate cyber attacks by hostile state actors, or that chartered banks report to FINTRAC for investigating suspicious financial transactions.
129. Finally, NSIRA recognizes that in examining information sharing with foreign partners, we can see and understand only Canadian actions. NSIRA therefore participates in international fora such as FIORC, which brings together review bodies from Canada, Australia, New Zealand, the United Kingdom and the United States to stay up to date with (unclassified) trends internationally and to share best practices. Given the close relationship that exists among the Five Eyes intelligence agencies, information sharing has been a topic of discussion at FIORC. These discussions are one way for NSIRA to address the potential gap in accountability that exists with respect to international cooperation.
130. In sum, cooperation and information sharing among members of Canada’s security and intelligence community have always been essential features of Canada’s national security efforts. In practice, this means that there will be very little of NSIRA’s review work that will not include attention to information sharing in some form or another. NSIRA will be attentive to the risks of sharing, as well as the need for effective and timely sharing.
Section V— Action
131. “Actions” refer to any activities undertaken by a federal government department or agency to influence an outcome relating to national security or intelligence. Actions can also come as a result of intelligence collection and/or intelligence sharing. Intelligence is one aspect of the information and analysis that shape how actions are construed and implemented. The action itself, and the influence of intelligence, can be visible (overt) or invisible (covert) to Canadians. A visible action would eventually be known to the recipient, while the occurrence of an invisible action might never be known.
132. The former review bodies, SIRC and OCSEC, could conduct only agency-specific reviews of the key “collectors”: CSIS and CSE. Their reviews of national security activities tended to focus on collection, safeguarding and information sharing. This briefly changed when Parliament enacted the Anti-terrorism Act, 2015, and SIRC began to undertake reviews of CSIS’s new mandate to reduce threats to the security of Canada. SIRC provided the only after-the-fact review of these extraordinary new powers. However, SIRC’s reviews remained confined to CSIS’s actions — a narrow subset of the broad array of national security-related actions taken every day across Canada’s security and intelligence community.
133. NSIRA’s mandate goes beyond intelligence and its collectors, extending to any national security-related activity of any department or agency. Our statutory authorities equip us with the power to review the full range of “action” activities. Such activities have rarely been subject to any form of independent review, and NSIRA is able to ensure that they now are.
134. The National Security Act, 2017, established clear mandates for the main intelligence collectors subject to review, CSIS and CSE, to act in certain circumstances against perceived national security threats. For CSIS, this new legislation updated its threat reduction mandate. For CSE, the Act established active cyber operations (ACO) and defensive cyber operations (DCO) as aspects of its mandate. These new authorities merely supplement the many existing authorities that enable over a dozen other federal security and intelligence departments and agencies to take actions relating to national security, making the “action” cluster of activities vast. For instance, actions within the security and intelligence community include the interception of people and goods at the border by the CBSA and criminal arrest (including, potentially, preventive detention) by the RCMP.
135. The range of actions within NSIRA’s mandate to review “any activity carried out by a department that relates to national security or intelligence” is broad, and includes such actions as denying a person entry into Canada, revoking a Canadian’s passport, placing a person on the Secure Air Travel Act list (Canada’s “No Fly List”), disrupting a person’s affairs through a threat reduction measure, detaining an alleged terrorist or carrying out military actions in an armed conflict. Sometimes, a high-level strategic decision can also be an action activity, such as a policy choice on a national priority like securing the Arctic.
136. NSIRA’s reviews in this area overlap with other priority subject areas. We can review national security action activities that stem from intelligence collection, national security actions unrelated to intelligence collection, and national security actions that lead to intelligence collection. As an example of this last category, a CAF tactical raid during an overseas mission could yield new sources of intelligence that might then seed an NSIRA review in that area.
137. Due to the largely secretive nature of national security and intelligence actions, the effects and impacts are often unseen by the larger public. NSIRA is acutely conscious of concerns expressed during our outreach to civil society with how actions of the security and intelligence agencies might affect the lives of Canadians. This amplifies earlier concerns, primarily centred on privacy issues stemming from information collection and sharing. As a result, one of our key tenets is, to the extent possible, to bring transparency and accountability to our reviews of the actions of the security and intelligence community.
Past review observations
138. As mentioned, before the National Security Act, 2017, reviews did not typically extend to the realm of action activities. For this reason, NSIRA has only a modest archive of domestic review materials from which to extrapolate themes in action reviews. NSIRA’s current focus is to build on foundational reviews to derive key themes. This report discusses NSIRA’s approach to future review in the next section. Nevertheless, some themes have emerged from past reviews of CSIS’s threat reduction measures (TRMs) — which were the only action activities reviewed in the past.
139. From the introduction of its TRM mandate in 2015 to August 2020, CSIS has not sought a warrant from the Federal Court for TRM activities. When introduced, TRM powers raised legal questions and potential issues related to the Charter. The National Security Act, 2017, addressed many of these ambiguities, and enacted new provisions that strengthened Charter protections. NSIRA will closely monitor CSIS’s use of TRMs and review its assessments of when warrants are required for TRMs. NSIRA will also be attentive to how CSIS executes any TRM conducted under the authority of a warrant — and pay close attention to the extent of CSIS’s compliance with all court directions and conditions.
CSE
140. Other themes arising in our review of action activities stem from the widespread commentary within civil society relating to CSE’s new powers to conduct ACOs and DCOs. Prior to the National Security Act, 2017, CSE’s mandates limited the organization (primarily) to observation and collection. Now, under its ACO/DCO mandates, CSE can direct actions through the global information infrastructure at the activities of foreign individuals or foreign entities outside Canada. CSE can conduct ACO activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities or activities of entities as they relate to international affairs, defence or security. CSE can conduct DCO activities on or through the global information infrastructure to help protect the electronic information and information infrastructures of federal institutions or those designated as being important to the Government of Canada. These powers have equivalents among those available to Five Eyes partners. They also empower CSE to play a significant, but unprecedented, role in national security action activities.
141. Civil liberties groups have identified ACO/DCO activities as a principal concern with the National Security Act, 2017, and point specifically to the absence of independent oversight (that is, pre-authorization) of these activities. Under the current statutory regime, in order for CSE to lawfully conduct ACO/DCO, the Minister of National Defence must authorize all such activities. This authorization requires the Minister to conclude that there are reasonable grounds to believe that the activity is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities. Additionally, the Minister of Foreign Affairs must approve ACO activities and must be consulted on DCO activities.
142. Ministerial authorizations for ACO/DCO activities do not require the approval of the Intelligence Commissioner, which is not the case for foreign intelligence and cybersecurity activities. There is, therefore, no scrutiny by an arm’s-length, independent body of ACO/DCO authorizations prior to their approval. This is why NSIRA considers our reviews of ACO/DCO actions to be particularly important. Unlike in the case of CSIS TRMs, CSE has no statutory obligation to notify NSIRA when it undertakes ACO/DCO activities. NSIRA intends, however, to focus proactively on these activities.
143. Although legislation limits powers such as TRMs and ACO/DCO, these activities occur in secret. This is in contrast with other types of national security actions, such as arrests made by police, which are overt and can be challenged in open court. NSIRA considers the opacity of certain types of actions to warrant future reviews. The more secret the national security action, the more essential it is for NSIRA to conduct rigorous review.
Law enforcement
144. Prior to the enactment of the National Security Act, 2017, the RCMP’s national security-related activities were reviewed by the Civilian Review and Complaints Commission for the RCMP. Those national security-related actions are now reviewed by NSIRA. The enactment of new offences — especially terrorism offences — and a focus on terrorism have drawn police into a greater national security role. Police investigate crime, and have a role in preventing its occurrence. In doing so, police might investigate, among other things, terrorism offences, while at the same time being involved in community-based programs directed at countering radicalization to violence. They can also engage in crime prevention or risk mitigation actions that do not lead to full prosecutions. The traditional tool for holding police accountable is the criminal justice system. For example, police conduct will be scrutinized during a criminal trial. However, accountability mechanisms are less robust where police pursue national security threat disruption strategies that are not challenged in the courts. Therefore, we believe that NSIRA’s review functions will become particularly important in these circumstances.
145. The CBSA’s scrutiny of people and goods crossing the border can be triggered by intelligence shared from domestic and foreign partners or derived from its own collection and assessment efforts. CBSA actions include searches at the border and the seizure or interdiction of goods, currency and people. These searches and the CBSA’s determination that a non-Canadian might be inadmissible can have implications for people’s liberty, privacy, freedom of movement and commercial interests. NSIRA’s task is to review the CBSA’s national security and intelligence activities in an effort, among other things, to ensure that it fully complies with its legal requirements. This is especially true as, at present, no independent body currently can hear public complaints against the CBSA.
Future priorities
146. In our reviews of action activities, NSIRA makes findings and recommendations on an organization’s compliance with the law and any applicable ministerial direction and the reasonableness and necessity of its exercise of its powers. NSIRA is in a unique position to assess the Government of Canada’s visible or invisible actions and to provide assurance to Canadians that their national security and intelligence agencies are accountable in order to protect Canada’s national security interests and defend the rights and freedoms of Canadians and people residing in Canada.
147. NSIRA’s strategic plan focuses on reviewing three types of action activities: operational actions, law enforcement actions and administrative actions, defined below. In each of the following categories, NSIRA has identified certain action activities of interest that we will scrutinize in future reviews. The items listed are not necessarily part of NSIRA’s review plan but serve to highlight the breadth of situations that fall within reviews of the “action” activities undertaken by the security and intelligence community.
Operational: covert action activities in direct support of a national security objective. Operational actions of interest to NSIRA include: CSE’s use of ACO/DCO, to be reviewed annually; CSIS TRMs, to be reviewed annually; and CAF’s operations in theatre and on the battlefield.
Law enforcement: covert or overt action activities to enforce laws, investigate crimes and make arrests. Law enforcement action activities on which NSIRA might concentrate, while being sensitive to the administration of justice and the concept of police independence in investigative decisions, include the CBSA’s targeting that leads to the identification and/or interception of high-risk people, goods and conveyances that pose a threat to the security of Canadians, and RCMP investigations that could lead to detention, arrest or prosecution.
Administrative: visible action activities taken in the act or process of administering a statutory power entrusted by Parliament to the federal government. Administrative action activities on which NSIRA might focus include: GAC’s implementation of foreign policy and trade sanctions; the Investment Canada Act reviews of investments that could be injurious to national security; the decision to add a person to the Secure Air Travel Act list under the Passenger Protect Program; and national security-related admissibility issues.
148. As NSIRA’s capacity to conduct reviews expands, we will compile a complete picture of the actions that national security and intelligence agencies take in exercising their mandates, and assess these actions for legal compliance, reasonableness and necessity.
Under the NSIRA Act, one of NSIRA’s core functions is to investigate complaints in the following instances:
complaints with respect to an activity carried out by the Canadian Security Intelligence Service (CSIS) or the Communications Security Establishment (CSE);
complaints referred by the Civilian Review and Complaints Commission for the RCMP (CRCC) with respect to an activity by the Royal Canadian Mounted Police (RCMP) that is closely related to national security; and
complaints regarding the denial or revocation of security clearances to federal government employees and contractors.
150. Through the National Security Act, 2017, NSIRA inherited the complaints functions of the Security Intelligence Review Committee (SIRC) and the Office of the CSE Commissioner, which investigated complaints related to CSIS and CSE, respectively. In addition, NSIRA absorbed responsibility for investigating national security-related complaints against the RCMP. NSIRA also inherited SIRC’s complaints investigation infrastructure, but it was evident early in our mandate that the SIRC model needed to be enhanced to provide more timely and efficient investigations. NSIRA has therefore begun to rework the Rules of Procedure and enhance the overall process. NSIRA has also worked collaboratively with the RCMP and the CRCC to effectively manage national security-related complaints against the RCMP.
Section II— Synopsis of trends and key themes
151. NSIRA has experienced an increase in the volume of complaints we receive, specifically complaints against CSIS, as well as complaints relating to security clearances. In comparison to the complaints statistics in the SIRC annual report for 2017–18 and statistics for 2018–19, NSIRA has seen an increase of 40% for newly opened complaint files. In particular, complaints against CSIS have doubled and security clearance complaints have increased by 30%. NSIRA did not investigate most of the recent complaints against CSIS because we concluded that they were not in NSIRA’s jurisdiction — they did not concern an activity carried out by CSIS, or NSIRA was satisfied that the complaints were trivial, frivolous or made in bad faith.
152. The majority of the complaints received relating to the alleged denial or revocation of a security clearance did not fall within NSIRA’s mandate. Rather, it turned out they were related to a complainant’s reliability status or enhanced reliability status. NSIRA may only investigate complaints relating to security clearances, not reliability status matters. Complaints relating to reliability status generally must be challenged on judicial review in the Federal Court. As a result, NSIRA investigated very few security clearance complaints. A lesson drawn from the past year is that departments and agencies should ensure that they provide clear and accurate information regarding an individual’s rights of review and redress, and correctly identify both the nature of the security status at issue and the body to whom the person may complain as a result of being denied that status. By the same token, NSIRA is taking steps to increase the public’s awareness of our mandate, while also ensuring that complainants are informed of their redress mechanisms early on so that their rights to seek a remedy are preserved.
153. With respect to security clearance complaints investigated both by NSIRA and SIRC, some of the key issues revolved around out-of-country background checks and cases in which there was insufficient information to grant an individual a security clearance. One of the lessons derived from these types of complaints is that departments must ensure that individuals receive a written notice informing them of the reasons for the decision, if that is possible in the circumstances (i.e., such disclosure is not prohibited under federal legislation). Going forward, NSIRA will continue to encourage the parties to make efforts to informally resolve complaints at the earliest opportunity.
Section III— Whistleblower protection
154. The Public Servants Disclosure Protection Act (PSDPA) is whistleblowing legislation that offers federal public sector employees an external mechanism to report ethical breaches and to complain about reprisals that they believe they have suffered. The PSDPA, however, specifically excludes members of CSIS, CSE and the Canadian Armed Forces (CAF), as well as all people who wish to make a disclosure pertaining to special operational information. CSIS, CSE and the CAF have implemented internal mechanisms for disclosure of wrongdoing, pursuant to their requirements under the PSDPA. However, the current structure offers no external reporting mechanisms for disclosures that pertain to special operational information and/or for employees from CSIS, CSE or the CAF.
155. As discussed above, a “public interest defence” is available, in certain circumstances, to Canadian whistleblowers who are permanently bound to secrecy and who have been charged with certain offences under the Security of Information Act (SOIA). This defence is available only if the accused has followed the steps outlined in the SOIA before making the disclosure to the public. The SOIA identifies NSIRA as a forum in which, under certain conditions, this kind of disclosure of wrongdoing can be made. However, the SOIA does not describe how this process is meant to function procedurally nor does it articulate the role, if any, that NSIRA should play in accepting disclosures of wrongdoing from CSIS, CSE or CAF employees.
156. In previous correspondence to the Attorney General, NSIRA identified these legislative gaps and the negative implications for national security that can occur when democratic countries have deficient protocols for whistleblowing within their national security and intelligence communities. In the interim, NSIRA will be implementing internal procedures to address concerns brought forward by members of the security and intelligence community. If the concern brought to NSIRA is not within the scope of the public interest defence under section 15 of the SOIA, NSIRA can examine the matter if it relates to NSIRA’s review mandate, pursuant to subsection 8(1) of the NSIRA Act.
157. Canada’s threat environment and national security landscape require effective and robust protections for Canada’s national secrets and for the public servants who keep these secrets. Potential legislative amendments to enhance current whistleblowing protections for members of the security and intelligence community could include amendments to the SOIA, to the PSDPA or to the NSIRA Act. A key component of any legislative amendment would be external accountability and protections akin to those of the Office of the Integrity Commissioner under the PSDPA.
Section IV— Priorities for the year ahead
158. In 2020, NSIRA is modernizing the complaints process. NSIRA’s goal remains the just, efficient investigation and resolution of complaints. Modernization is needed to adapt to the changing complaints landscape. Two priorities will guide the modernization: access to justice for self-represented complainants and a broader spectrum of tools to streamline the resolution of complaints.
159. To this end, NSIRA is updating our website and revising our forms to provide clearer directions for potential complainants. We intend to place greater emphasis on explaining NSIRA’s jurisdiction, and how to file complaints, which should assist in a complaint starting in a timely fashion and in the correct forum. Further, the website will contain a guide for self-represented complainants, so they can better navigate each step of the process and have their complaint resolved in an appropriate way.
160. One size never fits all. Each complaint that NSIRA receives calls for a unique approach. As noted, we are currently updating our Rules of Procedure. The new rules will allow for greater flexibility, efficiency and transparency. Some of the changes under consideration are the following: a discussion of expectations with a complainant at the outset; a new process for quickly deciding jurisdiction; an interview with the complainant; more options for informal resolution; quick and standardized disclosure of information between the parties; and, a requirement for declassified file summaries and chronologies. NSIRA believes these changes will allow complaints investigations to proceed more quickly and in a more efficient manner.
Part 4: Engagement and transparency
As expressed in the National Security Act, 2017 preamble, “enhanced accountability and transparency are vital to ensuring public trust and confidence in Government of Canada institutions that carry out national security or intelligence activities.” Along with public engagement, these are core values for NSIRA and we consider each to be vital to ensuring that we fulfil our mandate. The benefits of public engagement have been underscored in recent years, including through the national security consultations undertaken by the government in 2016. Engagement with stakeholders during our first year of operation helped establish connections and relationships that we will build on in the years ahead. As outlined in this section, NSIRA has taken strong steps in our first year of operation to promote increased transparency of national security and intelligence activities. In addition to our own initiatives, NSIRA will continue to encourage departments and agencies to promote transparency of their activities, including in fulfilment of the National Security Transparency Commitment.
Section I— Engagement
162. In 2019, NSIRA launched a series of public engagements to increase awareness about the organization, to expand our network, and to deepen our understanding of Canadians’ concerns with respect to national security and intelligence activities. In 2019 and into 2020, we undertook engagement sessions throughout the country with various stakeholders, including academics, civil society, law enforcement and government organizations.
163. These sessions provided a valuable opportunity for NSIRA to hear from stakeholders about programs and issues that they recommended for NSIRA review, as well as the privacy and civil liberties risks they felt these programs presented. The uniformly positive feedback that NSIRA received from stakeholders demonstrated the value of these engagements.
164. Internationally, NSIRA continues to be actively involved with the Five Eyes Intelligence Oversight and Review Council, which allows NSIRA to: advance our knowledge of cross-cutting international themes in the area of national security and intelligence accountability; share priorities and compare best practices; collaborate on key issues of mutual interest; and promote coordinated review of issues of international importance.
165. Over the coming year NSIRA intends to continue our program of outreach and engagement. We will take advantage of opportunities to connect with stakeholders nationally and internationally via videoconference and, where possible, in person. In the year ahead, engagement will focus on four key areas:
expanding our network with respect to issues related to new and emerging technologies (including artificial intelligence), to better understand their use as well as the risks and opportunities they present from a national security accountability perspective;
broadening our dialogue with stakeholders to inform future review priorities;
building new relationships with community groups to demystify the complaints investigation process; and
scaling up recruitment efforts to ensure we continue to build an elite workforce with a diverse set of skills and backgrounds.
Section II— Transparency
166. NSIRA has taken a number of steps to increase openness and transparency related to our work and the work of the national security and intelligence community. We established a Twitter account early in our mandate, which we are using to share content, provide updates on our work and provide a platform for dialogue on security-related issues.
Redaction and writing for release
167. Over recent months, NSIRA has begun publishing reports from our predecessor organization, the Security Intelligence Review Committee (SIRC), that had been redacted for release to individuals who had applied to see the reports through the Access to Information Act. Under the Access to Information Act, the reports only had to be made available to the applicant. To support transparency, NSIRA plans to gradually publish online redacted versions of all SIRC reviews, from 1985 to 2019, which involves more than 270 reports.
168. To complement this initiative, NSIRA also wishes to proactively redact and release future NSIRA reports as they are approved and translated throughout the year, rather than waiting for the release of our annual report to publicize our findings and recommendations. This aims to enhance the timeliness and relevance of NSIRA’s work to public discourse on national security and intelligence issues. It also means that we can devote more time and space in future annual reports to discussing and analyzing horizontal or thematic trends, rather than individual (or vertical) reviews or issues.
169. NSIRA is working with departments and agencies to ensure that this new approach takes place in such a way that vital national security and intelligence information is protected, while at the same time providing the public with as much insight as possible into the results of our reviews. On a case-by-case basis, relevant ministers will be offered an opportunity to raise concerns with respect to the release of specific reports.
170. To facilitate redaction efforts and release reports in an efficient and timely manner, NSIRA has committed to making efforts to “write for release.” This method includes writing as much as possible at an unclassified level, including unclassified executive summaries; clearly identifying within a report what portions contain classified information; and leaving classified information out of the body of the report where possible and, instead, including it in footnotes or annexes.
Conclusion
171. We are very proud of NSIRA’s achievements during our first five months of operation. We have an ambitious agenda for the year ahead, despite the constraints imposed by the pandemic. We have set in motion a review plan that covers multiple issues over the coming year and will involve numerous departments and agencies. We are in the midst of significantly overhauling our complaints investigation process, with the aim of making it more accessible for all. We will also expand our corporate infrastructure to facilitate our growth over the years ahead, including through the acquisition of additional office space and the hiring of talented new staff.
172. We look forward to deepening our relations with other review and oversight bodies in Canada and internationally, as well as with diverse stakeholder groups to ensure that our work is as effective and as meaningful as possible. On that note, we hope that this report is useful. We encourage all readers to tell us their thoughts on the format, the content, and any aspects that we can improve in the next iteration.
173. We are very grateful to our staff for continuing to achieve strong results despite the challenges that the ongoing pandemic has presented. We look forward to tackling the many challenges and opportunities that await us in the year ahead.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!