Language selection

Government of Canada / Gouvernement du Canada

Search


Quarterly Report: For the quarter ended September 30, 2023

Date of Publishing:

Introduction

This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2023–24 Main Estimates.

This quarterly report has not been subject to an external audit or review.

Mandate

The National Security and Intelligence Review Agency (NSIRA) is an independent external review body that reports to Parliament. Established in July 2019, NSIRA is responsible for conducting reviews of the Government of Canada’s national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and their activities.

A summary description NSIRA’s program activities can be found in Part II of the Main Estimates.  Information on NSIRA’s mandate can be found on its website.

Basis of presentation

This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the agency’s spending authorities granted by Parliament and those used by the agency, consistent with the 2023–24 Main Estimates. This quarterly report has been prepared using a special-purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.

The authority of Parliament is required before money can be spent by the government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authorities for specific purposes.

Highlights of the fiscal quarter and fiscal year-to-date results

This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended September 30, 2023.

NSIRA Secretariat spent approximately 33% of its authorities by the end of the second quarter, compared with 23% in the same quarter of 2022–23 (see graph 1).

Graph 1: Comparison of total authorities and total net budgetary expenditures, Q2 2023–24 and Q2 2022–23

Graph: Comparison of total authorities and total net budgetary expenditures - Text version follows
Comparison of total authorities and total net budgetary expenditures, Q2 2023–24 and Q2 2022–23
  2023-24 2022-23
Total Authorities $24.3 $29.7
Q2 Expenditures $3.8 $3.6
Year-to-Date Expenditures $8.1 $6.9

Significant changes to authorities

As at September 30, 2023, Parliament had approved $24.3 million in total authorities for use by NSIRA Secretariat for 2023–24 compared with $29.7 million as of September 30th, 2022, for a net decrease of $5.4 million or 18.2% (see graph 2).

Graph 2: Variance in authorities as at September 30, 2023

Graph: Variance in authorities as at September 30, 2023 - Text version follows
Variance in authorities as at June 30, 2023 (in millions)
  Fiscal year 2022-23 total available for use for the year ended March 31, 2023 Fiscal year 2023-24 total available for use for the year ended March 31, 2024
Vote 1 – Operating 28.0 22.6
Statutory 1.7 1.7
Total budgetary authorities 29.7 24.3

*Details may not sum to totals due to rounding*

The decrease of $5.4 million in authorities is mostly explained by a gradual reduction in NSIRA Secretariat’s ongoing operating funding due to an ongoing construction project nearing completion.

Significant changes to quarter expenditures

The second quarter expenditures totalled $3.8 million for an increase of $0.2 million when compared with $3.6 million spent during the same period in 2022–2023.  Table 1 presents budgetary expenditures by standard object.

Table 1

Variances in expenditures by standard object(in thousands of dollars) Fiscal year 2023–24: expended during the quarter ended September 30, 2023 Fiscal year 2022–23: expended during the quarter ended September 30, 2022 Variance $ Variance %
Personnel 3,014 2,903 111 4%
Transportation and communications 62 70 (8) (11%)
Information 4 0 4 100%
Professional and special services 504 578 (74) (13%)
Rentals 25 39 (14) (36%)
Repair and maintenance 3 33 (30) (91%)
Utilities, materials and supplies 50 12 38 317%
Acquisition of machinery and equipment 4 4 0 0%
Other subsidies and payment 118 3 115 3833%
Total gross budgetary expenditures 3,784 3,642 142 4%

Repair and maintenance

The decrease of $30,000 is due to the timing of invoicing for an ongoing capital project.

Utilities, materials and supplies

The increase of $38,000 is due to a temporarily unreconciled suspense account.

Other subsidies and payments

The increase of $115,000 is explained by an increase in payroll system overpayments which were subsequently resolved.

Significant changes to year-to-date expenditures

The year-to-date expenditures totalled $8.1 million for an increase of $1.1 million (17%) when compared with $6.9 million spent during the same period in 2022–23. Table 2 presents budgetary expenditures by standard object.

Table 2

Variances in expenditures by standard object(in thousands of dollars) Fiscal year 2023–24: year-to-date expenditures as of September 30, 2023 Fiscal year 2022–23: year-to-date expenditures as of September 30, 2022 Variance $ Variance %
Personnel 5,900 5,248 652 12%
Transportation and communications 192 114 78 68%
Information 4 5 (1) (20%)
Professional and special services 1,669 1,424 245 17%
Rentals 73 49 24 49%
Repair and maintenance 27 64 (37) (58%)
Utilities, materials and supplies 57 28 29 104%
Acquisition of machinery and equipment 52 13 39 300%
Other subsidies and payment 122 1 121 12100%
Total gross budgetary expenditures 8,096 6,946 1,150 17%

Personnel

The increase of $652,000 relates to an increase in average salary and an increase in full time equivalent (FTE) positions.

Transportation and communications

The increase of $78,000 is due to the timing of invoicing for the organization’s internet connections.

Professional and special services

The increase of $245,000 is explained by an increase in IT support costs and guard services associated to a capital construction project.

Repair and maintenance

The decrease of $37,000 is due to the timing of invoicing for an ongoing capital project.

Utilities, materials and supplies

The increase of $29,000 is due to a temporarily unreconciled suspense account.

Acquisition of machinery and equipment

The increase of $39,000 is mainly explained by the one-time purchase of a specialized laptop.

Other subsidies and payments

The increase of $121,000 is explained by an increase in payroll system overpayments which were subsequently resolved.

Risks and uncertainties

The Secretariat assisted NSIRA in its work with the departments and agencies subjected to reviews to ensure a timely and unfettered access to all the information necessary for the conduct of reviews. While work remains to be done on this front, we acknowledge the improvements in cooperation and support to the independent review process demonstrated by some reviewees.

There is a risk that the funding received to offset pay increases anticipated over the coming year will be insufficient to cover the costs of such increases and the year-over-year cost of services provided by other government departments/agencies is increasing significantly.

NSIRA Secretariat is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls.

Mitigation measures for the risks outlined above have been identified and are factored into NSIRA Secretariat’s approach and timelines for the execution of its mandated activities.

Significant changes in relation to operations, personnel and programs

There have been two new Governor-in-Council appointments during the Second quarter, Ms. Colleen Swords and Mr. Jim Chu. 

There have been no changes to the NSIRA Secretariat Program.

Approved by senior officials:

John Davies
Deputy Head

Marc-André Cloutier
Director General, Corporate Services, Chief Financial Officer

Appendix

Statement of authorities (Unaudited)

(in thousands of dollars)

  Fiscal year 2023–24 Fiscal year 2022–23
  Total available for use for the year ending March 31, 2024 (note 1) Used during the quarter ended September 30, 2023 Year to date used at quarter-end Total available for use for the year ending March 31, 2023 (note 1) Used during the quarter ended September 30, 2022 Year to date used at quarter-end
Vote 1 – Net operating expenditures 22,564 3,345 7,218 27,931 3,210 6,082
Budgetary statutory authorities
Contributions to employee benefit plans 1,755 439 878 1,728 432 864
Total budgetary authorities (note 2) 24,319 3,784 8,096 29,659 3,642 6,946

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Departmental budgetary expenditures by standard object (unaudited)

(in thousands of dollars)

  Fiscal year 2023–24 Fiscal year 2022–23
  Planned expenditures for the year ending March 31, 2024 (note 1) Expended during the quarter ended September 30, 2023 Year to date used at quarter-end Planned expenditures for the year ending March 31, 2023 Expended during the quarter ended September 30, 2022 Year to date used at quarter-end
Expenditures
Personnel 13,303 3,014 5,900 13,245 2,903 5,248
Transportation and communications 650 62 192 597 70 114
Information 371 4 4 372 0 5
Professional and special services 4,906 504 1,669 4,914 578 1,424
Rentals 271 25 73 271 39 49
Repair and maintenance 4,580 24 27 9,722 33 64
Utilities, materials and supplies 73 50 57 173 12 28
Acquisition of machinery and equipment 132 4 52 232 4 13
Other subsidies and payments 33 118 122 133 3 1
Total gross budgetary expenditures
(note 2)
24,319 3,784 8,096 29,659 3,642 6,946

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Share this page
Date Modified:

National Security and Intelligence Review Agency Annual Report 2022

Backgrounder

Ottawa, Ontario, October 30, 2023 – The National Security and Intelligence Review Agency’s (NSIRA) fourth annual report was tabled in Parliament on October 30, 2023. 

This report provides an overview and discussion of NSIRA’s activities throughout 2022, including our findings and recommendations. Our growth and evolution as an agency, including our continued efforts to refine our approaches and processes, both in our reviews and investigations, allowed us to take on new and challenging work. The report also assesses our review work to date, highlighting important themes and trends that have emerged.  

Our report summarizes review and investigations work during the 2022 period and highlights our continued effort to enhance transparency by evaluating important aspects of our engagement with reviewed departments and agencies. Review highlights in the report include the following: 

  • The annual review of the Canadian Security Intelligence Service’s (CSIS) threat reduction measures (TRMs), and the annual review of CSIS’s activities to inform our report to the Minister of Public Safety; 
  • Reviews of the Communications Security Establishment’s (CSE) active and defensive cyber operations, a foreign intelligence collection program, as well as the annual review of CSE activities to inform our report to the Minister of National Defence;  
  • A review submitted to the Minister of National Defence under s. 35 of the NSIRA Act on particular human source handling activities undertaken by the Canadian Armed Forces that may not have been in compliance with the law; 
  • A review of the Canada Border Services Agency’s Air Passenger Targeting program; and 
  • Our mandated multi-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and sharing of information within the federal government under the Security of Canada Information Disclosure Act. 

During 2022, NSIRA continued modernizing its complaints investigations process, which helped us improve the consistency and efficiency of our work. While the pandemic continued to impact the investigative landscape, processes introduced will reduce delays moving forward. In addition to its other investigations work, NSIRA completed its investigation in relation to a group of 58 complaints referred by the Canadian Human Rights Commission.  

This annual report also highlights how the organization pursued greater engagement with partners, seeking and sharing best practices with like-minded review and oversight bodies. In addition, it discusses our organization’s corporate initiatives, including efforts to increase our capacity across our business lines, including technology and information management. 

NSIRA’s Members continue to be proud of the work of NSIRA’s Secretariat and the dedication and professionalism of its staff. 

Date of Publishing:

Dear Prime Minister,

On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our third annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2021, as well as our findings and recommendations.

In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with relevant deputy heads, in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitor-client privilege, the professional secrecy of advocates and notaries, or to litigation privilege.

Yours sincerely,

The Honourable Marie Deschamps, C.C.

Chair // National Security and Intelligence Review Agency

Message from the members

As we reflect on this past year’s work, the National Security and Intelligence Review Agency (NSIRA) is proud of what it has accomplished. We pushed past the challenges of the pandemic and pursued our mission with renewed energy and innovation, understanding that we can adapt and even thrive in this new environment. In 2022, our agency focused on building out and refining its processes as we empowered our review and complaints professionals in their work. These efforts enhanced our ability to meet the challenges of our review and investigations mandates, and thereby improve the transparency and accountability of the national security and intelligence activities across the federal government.

In addition to completing a wide array of reviews and investigations, we have stepped back to reflect on our work and activities over the first few years of our mandate. Despite being a relatively new agency, we are now in the position to make broader observations on the themes and trends in our work, and on the community we review. Indeed, as our experience grows, our approaches in our reviews and investigations mature and evolve. We meet our goals of increased efficiency and expertise through a commitment to address the challenges we face, and by seeking out best practices through expanded partnerships with like-minded domestic and international institutions.

During NSIRA’s brief history, ministers of the Crown have referred certain matters to us for review, as provided for in the National Security and Intelligence Review Agency Act. At the time of writing, we are in the process of such a referral. As this important review progresses, we will ensure that our commitment to independent and professional review is reflected in all our activities.

This report continues themes from previous annual reports by presenting an overview of our work, a discussion on our engagement with reviewees, and an account of the initiatives we undertook to ensure that our products are complete, thorough and professional. It is our belief that as we grow, we bring confidence to the Canadian public with each review and investigation we conduct.

We would like to thank our previous members, Ian Holloway and Faisal Mirza, for their commitment and contribution to advancing the important work of NSIRA during their tenure, and we wish them well in their future endeavours. Finally, we thank the staff of NSIRA’s Secretariat for their professionalism and dedication to fulfilling the agency’s mandate, and we have no doubt that the year ahead will bring further success for NSIRA

Marie Deschamps
Craig Forcese
Ian Holloway
Faisal Mirza
Marie-Lucie Morin

Executive Summary

In 2022, the National Security and Intelligence Review Agency (NSIRA) continued to execute its review and investigations mandates with the goal of improving national security and intelligence accountability and transparency in Canada. This related not only to the activities of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also to other federal departments and agencies engaged in such activities, including:

  • the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
  • the Canada Border Services Agency (CBSA); and
  • all departments and agencies engaging in national security or intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.

NSIRA has reflected on its work to date and found that a horizontal view of all its findings and recommendations over the past three years reveals the emergence of three major themes: governance; propriety; and information management and sharing. NSIRA observes that there is an interconnected and overlapping aspect to these issues, and as a result believes that improvements to governance could result in broader improvements across all themes.

Reviews

Canadian Security Intelligence Service

The following are highlights of the reviews completed in 2022 along with key outcomes. The number of reviews defined as completed does not include any ongoing reviews, or reviews completed in previous years but that went through or are in the process of going through consultations for their release to the public. Annex C lists all the findings and recommendations associated with reviews completed in 2022, along with the corresponding responses from reviewees, if provided.

In addition to the reviews discussed below, NSIRA determined that a number of ongoing reviews would be closed or terminated. These decisions, based on a variety of considerations, allow NSIRA to redirect its efforts and resources towards other important issues.

Canadian Security Intelligence Service

In 2022, NSIRA completed the following reviews on CSIS activities:

  • the third annual review of CSIS’s threat reduction measures, which provided an overview of all such measures conducted in 2021, and also focused on a subset of these measures to consider the implementation of each measure, how what happened aligned with what was originally proposed, and, relatedly, the role of legal risk; and
  • an annual review of CSIS’s activities, which informed, in part, NSIRA’s 2022 annual report to the Minister of Public Safety.

Communications Security Establishment

In 2022, NSIRA completed two dedicated reviews of CSE, and commenced an annual review of CSE activities:

  • a review of CSE’s active and defensive cyber operations (ACO/DCO), which is a continuation of NSIRA’s 2021 review of the governance of ACO/DCO by CSE and Global Affairs Canada;
  • a review of a sensitive CSE foreign intelligence collection program, which assistedNSIRA in better informing the Minister of National Defence about CSE’s activities; and
  • an annual review of CSE activities similar to that for CSIS, begun for the first time in 2022 and that informed, in part, NSIRA’s 2022 annual report to the Minister of National Defence.

Department of National Defence and the Canadian Armed Forces

In the course of a review of the Department of National Defence and Canadian Armed Forces (DND/CAF) human source handling activities, NSIRA issued to the Minister of National Defence a report on December 9, 2022, under section 35 of the National Security and Intelligence Review Agency Act in relation to a specific operation. Section 35 requires that NSIRA submit to the appropriate Minister a report with respect to any activity that is related to national security or intelligence that, in NSIRA’s opinion, may not be in compliance with the law. NSIRA will complete the broader review of DND/CAF’s human source handling activities in 2023.

Canada Border Services Agency

NSIRA completed its first in-depth review of national security or intelligence activities of the Canada Border Services Agency (CBSA) in 2022: a review of air passenger targeting. This review examined the CBSA’s pre-arrival risk assessment of passengers based on data collected by commercial air carriers. It evaluated whether the CBSA’s activities complied with legislative requirements and Canada’s non-discrimination obligations.

Multi-departmental reviews

NSIRA conducted two mandated multi-departmental reviews in 2022:

  • a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
  • a review of disclosures of information under the Security of Canada Information Disclosure Act.

Review work not resulting in a final report

During the past year NSIRA determined that certain ongoing review work would be closed or not result in a final report to a Minister. These decisions allow NSIRA to remain nimble and to pivot its work plan. Multiple considerations can lead to the decision to close a review, and doing so allows NSIRA to redirect efforts and resources.

Technology in review

In 2022, NSIRA expanded its Technology Directorate to keep pace with the national security and intelligence community’s evolving use of digital technologies. The team comprises technical experts and review professionals, who are supported by academic researchers. This expanded team launched NSIRA’s first technology-led review, focusing on the lifecycle of warranted CSIS information. In addition to directly supporting NSIRA’s reviews, the Technology Directorate also began hosting learning sessions and discussion forums designed to enhance NSIRA employees’ knowledge of broader technical issues.

Engagement with reviewees

NSIRA continues to address and improve on aspects of its interaction with reviewees during the review process. It saw both improvements and ongoing challenges, and seeks to provide full and transparent assessments in this regard. Updated criteria will be used to evaluate engagement. These criteria are critical for supporting NSIRA’s efforts during a review. This approach builds on the agency’s previous confidence statements and provides a more consistent and complete assessment on engagement.

NSIRA continues to optimize its methods for accessing, receiving and tracking the information required to complete reviews. This involves ongoing discussions and support from reviewees. Limitations and challenges to this process are addressed directly and are communicated publicly where possible.

Complaints investigations

As NSIRA marked its third year of existence in 2022 it continued maturing and modernizing the processes for fulfilling its investigations mandate. The jurisdiction assessment phase was standardized, incorporating a verification protocol for the three agencies for which NSIRA has complaints jurisdiction. To speed up the investigative process, investigative interviews are being used more often, taking over from the formal hearings NSIRA previously relied on.

The pandemic continued to impact the investigative landscape in the first half of 2022. COVID protocols conflicted with security protocols for investigations, which require in-person meetings. Processes introduced in 2022 are expected to reduce delays in the conduct of investigations on a forward basis.

The number of investigation activities last year remained high and included the completion of a referral of a group of 58 complaints by the Canadian Human Rights Commission.

Data management and service standards initiatives that were launched are expected to enhance complaint file management in the coming year.

Partnerships

During the past year, NSIRA expanded its engagement with valuable partners, both domestically and internationally, and has already reaped the benefits through the exchange of best practices. As a relatively new agency, NSIRA sees such relationships as a priority for its institutional development. NSIRA had the privilege of visiting many international partners as an active participant in the Five Eyes Intelligence Oversight and Review Council, and also engaged other European partners through various forums that bring together like-minded oversight, review and data protection agencies from all over the world.

Introduction

1.1 Who we are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament. Canadian review bodies before NSIRA did not have the ability to collaborate or share their classified information but were each limited to conducting reviews on a specified department or agency. By contrast, NSIRA has the authority to conduct an integrated review of Government of Canada national security and intelligence activities, and Canada now has one of the world’s most extensive systems for independent review of national security.

1.2 Mandate

NSIRA has a dual mandate to conduct reviews on and carry out investigations of complaints related to Canada’s national security or intelligence activities.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the activities of any other federal department or agency that are related to national security or intelligence. Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA.

Investigations

In addition to its review mandate, NSIRA is responsible for investigating complaints related to national security or intelligence. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:

  • the activities of CSIS or CSE;
  • decisions to deny or revoke certain federal government security clearances; and
  • ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.

This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism) and the Canadian Human Rights Commission.

Observations and themes

NSIRA has a horizontal, in-depth view of the Canadian national security landscape that allows for an assessment of Canada’s complex, interwoven approach to national security. NSIRA annual reports discuss its activities within that framework. This annual report provides an opportunity to reflect on NSIRA’s body of work horizontally, and consider what broad trends or themes emerge.

NSIRA findings and recommendations touch on many aspects of government activities and operations. Grouping all findings and recommendations according to topics that fall under three broad themes helps simplify a horizontal assessment of trends to date. This categorization and the terminology used may evolve over time.

The themes that emerge are governance; propriety; and information management and sharing. These themes appear year after year in NSIRA annual reports. The following topics are included in these themes:

Theme Topics
Governance
  • Policies, procedures, framework and other authorities
  • Internal oversight
  • Risk management, assessment and practices
  • Decision-making and accountability, including ministerial accountability and direction
  • Training, tools and staffing resources
Propriety
  • Reasonableness, necessity, efficacy and proportionality
  • Legal thresholds and advice, compliance and privacy interests
Information management and sharing
  • Collection, documentation, tracking, implementing, reporting, monitoring and safeguarding
  • Information sharing and disclosure
  • Keeping and providing accurate and up-to-date information, timeliness

These themes can be found in every NSIRA annual report, and this year’s is no exception. In this year’s annual report, the following examples illustrate the three themes:

Governance:

  • the review of disclosures under the Security of Canada Information Disclosure Act for 2021 identified that employees did not receive adequate guidance to fulfill their obligations, and recommended improvements to training;
  • the review of a CSE foreign intelligence activity identified several instances where the program’s activities were not adequately captured within CSE’s applications for certain ministerial authorizations, resulting in recommendations that CSE more effectively inform the Minister of National Defence about aspects of its bilateral relationships with certain partners, the extent of its participation in certain types of activities, and the testing and evaluation of products.

Propriety:

  • in a report issued to the Minister of National Defence under s.35 of the NSIRA Act, NSIRA explained that, in its opinion, certain activities undertaken by the Canadian Armed Forces may not have been in compliance with the law;
  • the review of the threat reduction measures of the Canadian Security Intelligence Service found that this agency did not meet its internal policy requirements regarding the timelines to submit threat reduction measure implementation reports.

Information management and sharing:

  • the Canada Border Services Agency air passenger targeting review noted that this agency does not document its triaging practices that use passenger data in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.

A high-level overview of the past three annual reports shows the number of NSIRA findings and recommendations each year, broken down by theme. Over the three years, governance related findings and recommendations constituted 43% of the overall total. The comparable figures for propriety and information management (IM) and sharing categories were 26% and 31% respectively. The breakdown by year is captured in the following table:

Figure 1: Trends in findings and recommendations

Graph image: Trends in finding and recommendations - Text version follows
Trends in findings and recommendations
  2020 annual report 2021 annual report 2022 annual report
Governance 45% 41% 44%
Propriety 26% 27% 24%
Information Management and Sharing 29% 32% 32%

The interconnected nature of the problems identified in NSIRA reviews, along with the balance of themes illustrated in the graphic above, reveals a narrative. Indeed, issues rarely stand-alone – governance and IM and sharing issues may, for example, culminate in propriety challenges. The number of findings and recommendations over three years that touch on governance, propriety and IM and sharing matters suggest that these are issues deserving close attention. Employees are expected to succeed in meeting intelligence and national security service missions while adhering to policy and legal requirements. Here, improvements to staff training and development are likely to have the most significant impacts.

Review

Details provided on individual reviews are a high-level summary of their content and outcomes. Full versions of each review are available once they have been redacted for public release.

3.1 Canadian Security Intelligence Service reviews

NSIRA has a mandate to review any Canadian Security Intelligence Service (CSIS) activity. The NSIRA Act requires NSIRA to submit an annual report on CSIS activities each year to the Minister of Public Safety and Emergency Preparedness (with these responsibilities now divided into two portfolios, NSIRA currently submits these reports to the Minister of Public Safety). These classified reports include information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.

In 2022, NSIRA completed one dedicated review of CSIS, and its annual review of CSIS activities, both summarized below. Furthermore, CSIS is implicated in other NSIRA multi- departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, the results of which are described in Multi-departmental reviews.

Threat reduction measures review

This is NSIRA’s third annual review of CSIS threat reduction measures (TRMs), which are measures to reduce threats to the security of Canada, within or outside Canada. Section 12.1 of the Canadian Security Intelligence Service Act (CSIS Act) authorizes CSIS to take these measures.

NSIRA found that CSIS’s activities under its TRM mandate in 2021 were broadly consistent with these activities in preceding years. NSIRA observed that 2018 was an inflection point for CSIS’s use of the TRM mandate. In that year, CSIS proposed nearly as many TRMs as were proposed in total in the preceding three years — the first three of the mandate. In the following year, however, the number dropped slightly, before a more significant reduction in 2020. The number of proposed TRMs in 2021 went up slightly compared with the previous year, as did both approvals and implementations.

NSIRA selected three TRMs implemented in 2021 for a more intensive review, assessing the measures for compliance with applicable law, ministerial direction and policy. At the same time, NSIRA considered the implementation of each measure, including the alignment between what was proposed and what occurred, and the role of legal risk assessments for guiding CSIS activity, as well as the documentation of outcomes.

For all the measures reviewed, NSIRA found that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act. In addition to general legal compliance, NSIRA found that CSIS sufficiently established a “rational link” between the proposed measure and the identified threat.

In one case, NSIRA found that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.

The TRM in question involved certain sensitive factors. NSIRA believes that the presence of these factors ought to have factored into the overall risk assessment of the measure. CSIS argued that risks associated with these factors relate primarily to reputational risk to CSIS, which it assessed in this case. Certain risks related to the sensitive factors, however, are not, and in this instance were not, captured by CSIS’s reputational risk assessment.

Similarly, the legal risk assessment for this TRM did not comply with ministerial direction. NSIRA recommended that legal risk assessments be conducted for TRMs involving these sensitive factors, and further, that CSIS consider and evaluate whether the current process for legal risk assessments complies with applicable ministerial direction.

A comparative analysis of the two legal risk assessments provided for the other TRMs under review underscored the practical utility of clear and specific legal direction for CSIS personnel. Clear direction allows investigators to be aware of, and understand, the legal parameters within which CSIS personnel can operate; it also permits reporting after an action is completed to document how implementation stayed within those legal parameters.

With respect to documenting outcomes, NSIRA further noted issues with how quickly CSIS produces certain reports after a TRM is implemented. Although NSIRA recognizes that overly burdensome documentation requirements can unduly inhibit CSIS activities, NSIRA nonetheless believes that the recommendations provided are prudent and reasonable. Relevant information, available in a timely manner, benefits CSIS operations.

Annual review of Canadian Security Intelligence Service activities

In 2022, NSIRA completed its annual review of CSIS activities, which aims to identify compliance-related challenges, general trends and emerging issues using CSIS documents in 12 categories (legislatively required and supplementary) from January 1, 2022, to December 31, 2022. Besides contributing to NSIRA’s Annual Report to the Minister of Public Safety on CSIS activities, the review may identify areas that merit new NSIRA reviews and may produce a briefing or report with its own observations, findings and recommendations. NSIRA provided its report on CSIS activities in 2021 to the Minister of Public Safety on October 12, 2022, and the Chair subsequently met with the Minister to discuss its contents as well as ongoing issues and challenges related to NSIRA review of CSIS.

Statistics and data

To achieve greater public accountability, NSIRA has requested that CSIS publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.

Warrant applications

Section 21 of the CSIS Act authorizes CSIS to make an application to a judge for a warrant if it believes, on reasonable grounds, that more intrusive powers are required to investigate a particular threat to the security of Canada. Warrants may be used by CSIS, for example, to intercept communications, enter a location, or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.

Table 1: Section 21 warrant applications made by the Canadian Security Intelligence Service, 2018 to 2022
  2018 2019 2020 2021 2022
Total section 21 applications 24 24 15 31 28
Total approved warrants 24 23 15 31 28
New warrants 10 9 2 13 6
Replacements 11 12 8 14 14
Supplemental 3 2 5 4 8
Total denied warrants 0 1 0 0 0

Threat reduction measures

CSIS is authorized to seek a judicial warrant for a TRM if it believes that certain intrusive measures, outlined in section 21 (1.1) of the CSIS Act, are required to reduce the threat. The CSIS Act is clear that when a proposed TRM would limit a right or freedom protected by the Canadian Charter of Rights and Freedoms or would otherwise be contrary to Canadian law, a judicial warrant authorizing the measure is required. To date, CSIS has sought no judicial authorizations to undertake warranted TRMs. TRMs approved in one year may be executed in future years. Operational reasons may also prevent an approved TRM from being executed.

Table 2: Total number of approved and executed threat reduction measures, 2015 to 2022
  2015 2016 2017 2018 2019 2020 2021 2022

Approved threat reduction measures

10 8 15 23 24 11 23 16
Executed 10 8 13 17 19 8 17 12

Warranted threat reduction measures

0 0 0 0 0 0 0 0

Canadian Security Intelligence Service targets

CSIS is mandated to investigate threats to the security of Canada, including espionage, foreign influenced activities, political, religious or ideologically motivated violence, and subversion.6 Section 12 of the CSIS Act sets out criteria permitting CSIS to investigate an individual, group or entity for matters related to these threats. Subjects of a CSIS investigation, whether they be individuals or groups, are called “targets.”

Table 3: Number of Canadian Security Intelligence Service targets, 2018 to 2022
  2018 2019 2020 2021 2022
Number of targets 430 467 360 352 340

Datasets

Data analytics is a key investigative tool for CSIS, providing it with the capacity to make connections and identify trends that are not possible through traditional methods of investigation. The National Security Act, 2017, which came into force in 2019, gave CSIS new powers, including a legal framework for it to collect, retain and use datasets. The framework authorizes CSIS to collect datasets (divided into Canadian, foreign and publicly available datasets) that have the ability to assist CSIS in the performance of its duties and functions. It also establishes safeguards for the protection of Canadian rights and freedoms, including privacy rights. These protections include enhanced requirements for ministerial accountability. Depending on the type of dataset, CSIS must meet different requirements before it is able to use a dataset.

The CSIS Act also requires that NSIRA be kept apprised of certain dataset-related activities. Reports prepared following the handling of datasets are to be provided to NSIRA, under certain conditions and within reasonable timeframes. While CSIS is not required to advise NSIRA of judicial authorizations or ministerial approvals for the collection of Canadian and foreign datasets, CSIS has been proactively keeping NSIRA apprised of these activities.

Table 4: Evaluation and retention of publicly available, Canadian and foreign datasets by the Canadian Security Intelligence Service, 2019 to 2022
  2019 2020 2021 2022
Publicly available datasets
   
Evaluated 9 6 4 4
Retained 9 6 2 4
Canadian datasets    
Evaluated 0 0 2 0
Retained (approved by Federal Court) 0 0 0 2
Denied by Federal Court 0 0 0 0
Foreign datasets    
Evaluated 10 0 0 1
Retained (approved by the Minister and Intelligence Commissioner 0 1 1 1
Denied by the Minister 0 0 0 0
Denied by the Intelligence Commissioner 0 0 0 0

Justification Framework

The National Security Act, 2017, also created a legal justification framework for CSIS’s intelligence collection operations. The framework establishes a limited justification for CSIS employees, and persons acting at their direction, to carry out activities that would otherwise constitute offences under Canadian law. CSIS’s Justification Framework is modelled on those already in place for Canadian law enforcement. The Justification Framework provides needed clarity to CSIS, and to Canadians, as to what CSIS may lawfully do in the course of its activities. It recognizes that it is in the public interest to ensure that CSIS employees can effectively carry out its intelligence collection duties and functions, including by engaging in otherwise unlawful acts or omissions, in the public interest and in accordance with the rule of law. The types of otherwise unlawful acts and omissions that are authorized by the Justification Framework are determined by the Minister and approved by the Intelligence Commissioner. There remain limitations to what activities can be undertaken, and nothing in the Justification Framework permits the commission of an act or omission that would infringe a right or freedom guaranteed by the Charter.

According to section 20.1 (2) of the CSIS Act, employees must be designated by the Minister of Public Safety and Emergency Preparedness to be covered under the Justification Framework while committing or directing an otherwise unlawful act or omission. Designated employees are CSIS employees who require the justification framework as part of their duties and functions. Designated employees are justified in committing an act or omission themselves (commissions by employees) and they may direct another person to commit an act or omission (directions to commit) as a part of their duties and functions.

Table 5: Authorizations, commissions and directions under the Justification Framework, 2019 to 2022
  2019 2020 2021 2022
Authorizations 83 147 178 172

Commissions by employees

17 39 51 61
Directions to commit 32 84 116 131
Emergency designations 0 0 0 0

Compliance

CSIS’s internal operational compliance program unit leads and manages overall compliance within CSIS. The objective of this unit is to promote a culture of compliance within CSIS by leading an approach for reporting and assessing potential non-compliance incidents to provide timely advice and guidance related to internal policies and procedures for employees. This program is the centre for processing all instances of potential non-compliance related to operational activities.

NSIRA notes that CSIS reports Charter violations as operational non-compliance. NSIRA will continue to monitor closely instances of non-compliance that relate to Canadian law and the Charter, and work with CSIS to improve transparency around these activities.

Table 6: Total number of non-compliance incidents processed by CSIS, 2019 to 2022
  2019 2020 2021 2022

Processed compliance incidents

53 99 85 59

Administrative

  53 64 42
Operational 40 19 21 17
Canadian law
1 2
Charter 6 5
Warrant conditions 6 3
CSIS governance 8 15

3.2 Communications Security Establishment reviews

Overview

NSIRA has the mandate to review any activity conducted by the Communications Security Establishment (CSE). NSIRA must also submit an annual report to the Minister of National Defence on CSE activities, including information related to CSE’s compliance with the law and applicable ministerial directions, and NSIRA’s assessment of the reasonableness and necessity of the exercise of CSE’s powers.

In 2022, NSIRA completed two dedicated reviews of CSE and commenced an annual review of CSE activities, all summarized below. Furthermore, CSE is implicated in other NSIRA multi- departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, the results of which are described in Multi-departmental reviews.

Review of the Communications Security Establishment’s active and defensive cyber operations

The Communications Security Establishment Act (CSE Act) grants CSE the authority to conduct active cyber operations and defensive cyber operations (ACOs and DCOs). CSE ACOs and DCOs have become a tool of Government of Canada foreign and security policy. In 2021, NSIRA reviewed CSE’s governance of and the general planning and approval process for ACO and DCO activities. The governance review made several observations about the governance of ACOs and DCOs by CSE — and to a lesser extent, by Global Affairs Canada (GAC). Some of these observations identified gaps that resulted in recommendations. Building on the governance review, the report focused on CSE’s ACOs and DCOs themselves:

  • the operations;
  • the implementation of CSE’s governance; and
  • the legal framework in the context of specific ACOs and DCOs.

NSIRA incorporated GAC, CSIS, the Royal Canadian Mounted Police (RCMP) and DND/CAF into this review, given these organizations’ varying degrees of coordination or involvement in these CSE activities. NSIRA also inspected some technical elements of a case study ACO to verify aspects of the operation independently, as well as to deepen NSIRA’s understanding of how an ACO works. While NSIRA reviewed all ACOs and DCOs planned or conducted by CSE until mid-2021, this review focused on a sample of such ACOs or DCOs, each presenting unique characteristics.

Overall, NSIRA found that ACOs and DCOs that CSE planned or conducted during the period of review were lawful and noted improvements in GAC’s assessments for foreign policy risk and international law. NSIRA further observed that CSE developed and improved its processes for the planning and conduct of ACOs and DCOs in a way that reflected some of NSIRA’s observations from the governance review.

NSIRA also made findings pertaining to how CSE could improve aspects of ACO and DCO planning, as well as communication to the Minister of National Defence and coordination with other Government of Canada entities. More specifically, NSIRA identified areas of potential risk:

  • GAC’s capability to independently assess potential risks resulting from CSE ACOs and DCOs;
  • the accuracy of information provided, and issues related to delegation, within some of the applications for authorizations for ACOs and DCOs;
  • the degree to which CSE engaged with CSIS and the RCMP on ACOs and DCOs, and CSE explanations of how it determined whether the objective of an ACO or DCO could not reasonably be achieved by other means;
  • the extent to which CSE described the intelligence collection that may occur alongside or as a result of ACOs or DCOs in applications for ACO and DCO authorizations and in operational documentation; and
  • overlap between activities conducted under the ACO and DCO aspects of CSE’s mandate as well as under all four aspects of CSE’s mandate.

It should be noted that NSIRA faced significant challenges in accessing CSE information on this review. These access challenges had a negative impact on the review. As a result, NSIRA could not be confident in the completeness of information provided by CSE.

Review of a foreign intelligence activity

In 2022, NSIRA completed a review of a sensitive CSE foreign intelligence collection program. As part of this review, NSIRA made several findings and observations regarding the activities carried out as part of this program. Notably, NSIRA identified several instances where the program’s activities were not adequately captured within CSE’s applications for certain ministerial authorizations. As such, NSIRA recommended that CSE more effectively inform the Minister of National Defence about aspects of its bilateral relationships with certain partners, the extent of its participation in certain types of activities, and the testing and evaluation of products.

NSIRA also found several areas where the program lacked adequate governance structures, resulting in improper application of key policy and procedural requirements related to information sharing, confirmation of foreignness, and CSE’s mistreatment risk assessment process. NSIRA made recommendations to strengthen these processes, to establish governance structures specific to the program, and to improve other governance structures with broader applicability throughout CSE.

Annual review of Communications Security Establishment activities

In 2022, NSIRA launched the annual review of CSE activities, which aimed to identify compliance-related challenges, general trends and emerging issues using CSE documents in 11 categories (legislatively required and supplementary) from January 1, 2022, to December 31, 2022. Besides contributing to NSIRA’s Annual Report to the Minister of National Defence on CSE activities, the review may identify areas that merit new NSIRA reviews and may produce a briefing or report with its own observations, findings and recommendations. It is based largely on the structure of the annual review of CSIS activities but has been adapted to CSE. NSIRA’s Chair met with the Minister of National Defence on December 15, 2022 to discuss ongoing issues and challenges related to NSIRA reviews of CSE activities.

Statistics and data

To achieve greater accountability and transparency, NSIRA has requested statistics and data from CSE about public interest and compliance-related aspects of its activities. NSIRA is of the opinion these statistics will provide the public with important information related to the scope and breadth of CSE operations, as well as display the evolution of activities from year to year.

Ministerial authorizations and ministerial orders

Ministerial authorizations are issued to CSE by the Minister of National Defence. Those authorizations support specific foreign intelligence or cybersecurity activities or defensive or active cyber operations conducted by CSE pursuant to those aspects of the CSE mandate. Authorizations are issued when these activities could otherwise contravene an Act of Parliament or interfere with a reasonable expectation of privacy of a Canadian or a person in Canada.

Table 7: Ministerial authorizations issued, 2019 to 2022
Type of ministerial authorization Enabling section of the CSE Act Issued in 2019 Issued in 2020 Issued in 2021 Issued in 2022

Foreign intelligence

26(1)
3 3 3 3

Cybersecurity — federal and non-federal

27(1) and 27(2) 2 1 2 3
Defensive cyber operations 29(1) 1 1 1 1
Active cyber operations 30(1) 1 1 2 3

Note: This table lists ministerial authorizations that were issued in a given calendar year and may not necessarily reflect ministerial authorizations that were in effect at a given time. For example, if a ministerial authorization was issued in late 2021 and remained in effect in parts of 2022, it is counted solely as a 2021 ministerial authorization.

Ministerial orders are issued by the Minister for the purpose of (1) designating any electronic information, any information infrastructures or any class of electronic information or information infrastructures as electronic information or information infrastructures of importance to the Government of Canada (section 21(1) of the CSE Act); or (2) designating recipients of information related to Canadians or persons in Canada, that is, Canadian- identifying information (sections 45 and 44(1) of the CSE Act).

Table 8: Ministerial orders in effect as of 2022
Name of ministerial order Enabling section of the CSE Act

Designating electronic information and information infrastructures of importance to the Government of Canada

21(1)

Designating recipients of information relating to a Canadian or person in Canada acquired, used or analyzed under the cybersecurity and information assurance aspects of the CSE mandate

45 and 44(1)
Designating recipients of Canadian identifying information used, analyzed or retained under a foreign intelligence authorization pursuant to section 45 of the CSE Act
45 and 43

Designating electronic information and infrastructures of Ukraine as Systems of Importance

21(1)
Designating electronic information and infrastructures of Latvia as Systems of Importance 21(1)

Note: Ministerial orders remain in effect until rescinded by the Minister.

Foreign intelligence reporting

Under section 16 of the CSE Act, CSE is mandated to acquire information from or through the global information infrastructure. The CSE Act defines the global information infrastructure as including electromagnetic emissions, any equipment producing such emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, that equipment, those systems or those networks. CSE uses, analyzes and disseminates the information for providing foreign intelligence in accordance with the Government of Canada’s intelligence priorities.

Table 9: Number of foreign intelligence reports issued, 2019 to 2022
CSE foreign intelligence reporting 2019 2020 2021 2022

Number of reports released

N/A N/A 3,050 3,185

Number of departments/agencies

N/A >25 28 26
Number of specific clients within departments/agencies N/A >2,100 1,627 1,761

Note: NSIRA did not ask CSE for statistics related to foreign intelligence reporting for its 2019 public annual report. In 2020, statistics were requested, but were provided in general terms due to the classification of the data at the time, and CSE indicated that release of further detail, would be injurious to national security.

Information relating to a Canadian or a person in Canada

Information relating to a Canadian or a person in Canada (IRTC) is the information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting foreign intelligence or cybersecurity activities under the authority of a ministerial authorization. Incidental collection refers to information acquired that CSE was not deliberately seeking, and where the activity that enabled the acquisition of this information was not directed at a Canadian or a person in Canada. According to CSE policy, IRTC is defined as any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.

CSE was asked to release statistics or data about the regularity with which IRTC or “Canadian- collected information” is included in CSE’s end-product reporting. CSE responded that “this information remains at a classified level. We have determined that the release of thisinformation would be injurious to Canada’s international relations, national defence and security. Furthermore, the sharing of this information would provide an additional level of detail on the success of Canadian collection programs, our level of reliance on information from Five- Eye partners to produce intelligence, as well as a level of detail on Five-Eye use and reporting from Canadian collection that has not been previously made public.”

Canadian identifying information

CSE is prohibited from directing its activities at Canadians or persons in Canada. However, CSE’s collection methodologies sometimes result in incidentally acquiring such information. When such incidentally collected information is used in CSE’s foreign intelligence reporting, any part potentially identifying a Canadian or a person in Canada is suppressed to protect the privacy of the individual(s) in question. CSE may release unsuppressed Canadian-identifying information (CII) to designated recipients when the recipients have the legal authority and operational justification to receive it and when it is essential to international affairs, defence or security (including cyber security).

Table 10: Number of requests for disclosure of CII, 2021 and 2022
Type of request 2021 2022

Government of Canada requests

741 657

Five Eyes requests

90 62
Non-Five Eyes requests
0 0
Total 831 719

In 2022, of the 719 requests received, CSE reported having denied 65 requests. By the end of the year, 51 were still being processed.

CSE was asked to release the number of instances where CII is suppressed in CSE foreign intelligence or cyber security reporting. It indicated that “[d]isclosure of the number of instances where [CII] is suppressed in CSE intelligence reporting would be injurious to CSE’scapabilities. Such a disclosure would reveal information about CSE’s capabilities including theirlimitations. Thus, this information could be used by hostile security threats to counter CSE’s capabilities impeding CSE’s ability to protect Canada and its citizens.”

Privacy incidents and procedural errors

A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. CSE tracks such incidents via its Privacy Incidents File and, for privacy incidents that are attributable to a second-party partner or a domestic partner, its Second-party Privacy Incidents File.

Table 11: Number of privacy incidents recorded by CSE, 2021 and 2022
Type of incident 2021 2022
Privacy incidents 96 114
Second-party privacy incidents 33 23

Cyber security and information assurance

Under section 17 of the CSE Act, CSE is mandated to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions, as well as those of non-federal entities that are designated by the Minister as being of importance to the Government of Canada.

The Canadian Centre for Cyber Security (Cyber Centre) is Canada’s unified authority on cybersecurity. The Cyber Centre, which is a part of CSE, provides expert guidance, services and education, while working in collaboration with stakeholders in the private and public sectors. The Cyber Centre handles incidents in government and designated institutions that include:

  • reconnaissance activity by sophisticated threat actors;
  • phishing incidents, that is, email containing malware;
  • unauthorized access to corporate information technology (IT) environments;
  • imminent ransomware attacks; and
  • zero-day exploits, which involves exploration of critical vulnerabilities in unpatched software.
Table 12: Number of cyber incident cases opened by CSE, 2022
Type of incident 2022
Federal institutions 1,070
Critical infrastructure 1,575
Total 2,645

Defensive and active cyber operations

Under section 18 of the CSE Act, CSE is mandated to conduct DCOs to help protect electronic information and information infrastructures of federal institutions, as well as those of non- federal entities that are designated by the Minister as being of importance to the Government of Canada from hostile cyber attacks.

Under section 19 of the CSE Act, CSE is mandated to conduct ACOs against foreign individuals, states, organizations or terrorist groups as they relate to international affairs, defence or security.

CSE was asked to release the number of DCOs and ACOs approved, and the number carried out, during 2022. CSE responded that it is “not in a position to provide this information for publication by NSIRA, as doing so would be injurious to Canada’s international relations,national defence, and national security.”

Technical and operational assistance

As part of the assistance aspect of CSE’s mandate, CSE receives requests for assistance from Canadian law enforcement and security agencies, as well as from the Department of National Defence and the Canadian Forces (DND/CAF).

Table 13: Number of requests for assistance received and actioned by CSE, 2020 to 2022
  2020 2021 2022
Approved 23 32 59
Not approved 1 3 Not applicable
Cancelled Not available Not available 1
Denied Not available Not available 2
Total received 24 35 62

3.3 Other departments

Overview

In addition to the CSIS and CSE reviews above, NSIRA completed the following reviews of departments and agencies in 2022:

  • A review of the Department of National Defence and the Canadian Armed Forces;
  • A review of the Canada Border Services Agency; and
  • NSIRA’s annual reviews of both the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, both of which involve a broader set of departments and agencies that make up the Canadian national security and intelligence community.

Department of National Defence and the Canadian Armed Forces

Report issued pursuant to section 35 of the NSIRA Act

In the course of a review of the Department of National Defence and the Canadian Armed Forces (DND/CAF) human source handling activities, which was still ongoing at the time of writing, NSIRA issued on December 9, 2022, a report under section 35 of the NSIRA Act to the Minister of National Defence. According to section 35, NSIRA must submit to the appropriate minister a report with respect to any activity that is related to national security or intelligence that, in NSIRA’s opinion, may not be in compliance with the law. The Minister of National Defence submitted a copy of this report to the Attorney General of Canada and included her comments indicating that her interpretation of the facts and law differs from NSIRA’s. NSIRA stands by its position and is of the view that the Minister’s position is based on a narrow interpretation of the facts and the law. NSIRA will complete the larger review of DND/CAF’s human source handling activities in 2023. While the section 35 report does not include recommendations, the broader review will examine accountability and oversight of the program, its risk framework, and DND/CAF’s discharge of its duty of care with respect to human sources. The review also assesses the lawfulness of the program and its related activities, as well as the sufficiency of its legal and policy foundations. In doing so, the report may include recommendations addressing the observations made in the section 35 report.

Canada Border Services Agency

Air passenger targeting review

The Canada Border Services Agency (CBSA) air passenger targeting program uses pre-arrival risk assessments to identify inbound air travellers at higher risk of being inadmissible to Canada or whose entry, or that of their goods, may otherwise contravene the CBSA’s program legislation.

The first step in these multi-stage assessments is to triage travellers based on the characteristics and travel patterns conveyed to the CBSA by commercial air carriers in AdvancePassenger Information and Passenger Name Record data. This triage may be manual (flight list targeting) or automated (scenario-based targeting). In both methods, the CBSA relies on information and intelligence from a variety of sources to determine which data elements to treat as indicators of risk in relation to particular enforcement issues, including those related to national security. Use of these indicators may lead the CBSA to differentiate among travellers in subsequent stages of targeting or at the border, with impacts on passengers’ time, privacy and equal treatment.

The review of air passenger targeting was NSIRA’s first in-depth assessment of the CBSA’s compliance with relevant law. It focused, first, on whether the CBSA complies with restrictions on the use of passenger data established by the Customs Act and the Protection of Passenger Information Regulations. Next, the review examined whether the CBSA’s use of these types of passenger data was discriminatory under the Canadian Human Rights Act and the Canadian Charter of Rights and Freedoms.

NSIRA found that the CBSA’s use of both types of passenger data in scenario-based targeting was for a purpose authorized by the Customs Act. For flight list targeting, however, the CBSA does not document the reasons underpinning its triage decisions. NSIRA was therefore unable to verify compliance of flight list targeting with the purpose limitations set out in the Customs Act. As well, the documentation did not allow NSIRA to verify that the CBSA’s use of Passenger Name Record data in either triage method complied with the Protection of Passenger Information Regulations, which require that access to retained data be for a purpose related to the identification of persons who have or may have committed a terrorism offence or serious transnational crime.

NSIRA also found that the CBSA did not consistently demonstrate an adequate justification for its selection of particular indicators as signals of increased risk. When adequate justification is not present, differentiating among passengers on the basis of prohibited grounds of discrimination (such as age, national or ethnic origin, or sex) creates a risk of discrimination.

NSIRA recommended that the CBSA document its triage practices in a manner that demonstrates compliance with the Customs Act and, where applicable, the Protection of Passenger Information Regulations. It recommended that the CBSA ensure, in an ongoing manner, that its selection of risk indicators be adequately justified based on well-documented information or intelligence. NSIRA further recommended that the CBSA develop more robust and regular oversight of air passenger targeting, including updates to policies, procedures, training and other guidance. NSIRA also recommended that the CBSA begin collecting the data necessary to identify, analyze and mitigate discrimination-related risks stemming from air passenger targeting.

3.4 Multi-departmental reviews

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021

The review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act (SCIDA) in 2021 describes the results of a review of the 2021 disclosures made by federal institutions under this legislation. In 2022, NSIRA focused the review on Global Affairs Canada (GAC)’s proactive disclosures.

The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold that must be met before an institution can make a disclosure:

  • that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)); and
  • that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).

The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.

NSIRA identified concerns that demonstrate the need for GAC to improve its training. NSIRA found that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security–related information. For some disclosures, GAC did not meet the two-part threshold requirements of the SCIDA before disclosing the information, which was not compliant with the SCIDA. Two disclosures did not contain accuracy and reliability statements, as required under the SCIDA. With respect to record keeping, NSIRA recommended that departments document, at the same time as they are deciding to disclose information under the SCIDA, the information they are relying on to satisfy themselves that the disclosure is authorized under the Act (paragraph 9(1)(e)).

Review of departmental implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2021

This review focused on departmental implementation of directions received through orders in council issued under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA). This was NSIRA’s third annual statutorily mandated review of the implementation of all directions issued under the ACA. It assessed departments’ implementation of the directives received under the ACA and their operationalization of frameworks to address ACA requirements. As such, this review constitutes the first in-depth examination of the ACA within individual departments.

This year’s review covered the 2021 calendar year and was split into three sections. Section one addressed the statutory obligations of all departments. Sections two and three were an in- depth analysis of how the Royal Canadian Mounted Police (RCMP) and Global Affairs Canada (GAC) have implemented the directions under the ACA. NSIRA used case studies, where possible, to examine these departments’ implementation of their ACA framework.

This was the third consecutive year where no cases were referred to the deputy head level in any department. This is a requirement of the orders in council when officials are unable to determine if the substantial risk can be mitigated. Future reviews will be attuned to the issue of case escalation and departmental processes for decision-making.

In the 2019 NSIRA Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities14, NSIRA recommended that “the definition of substantial risk should be codified in law or public direction.” NSIRA noted that some departments have accounted for this gap by relying on the definition of substantial risk in the 2017 ministerial directions. In light of the pending statutorily mandated review of the National Security Act, 2017 and the importance of the concept of substantial risk to the ACA regime, NSIRA reiterated its 2019 recommendation that the definition of substantial risk be codified in law.

In the review of departmental implementation of ACA in 2020, NSIRA identified the Canada Border Services Agency (CBSA) and Public Safety Canada as not yet having finalized their ACA policies. While the CBSA and Public Safety Canada continue to make advancements, these departments have not fully implemented an ACA framework and supporting policies and procedures.

The RCMP has a robust framework in place for the triage and processing of cases pertaining to the ACA. The in-depth analysis portion of this review found that the RCMP does not have a centralized system of documenting assurances and does not regularly monitor and update the assessment of the reliability of assurances. The RCMP has also not developed mechanisms to update country and entity profiles in a timely manner, and the information collected throughthe liaison officer during an operation is not centrally documented such that it can inform future assessments.

In the analysis of one of the RCMP’s Foreign Information Risk Advisory Committee case files, NSIRA found that the RCMP’s Assistant Commissioner’s rationale for rejecting the risk advisory committee’s advice did not adequately address concerns consistent with the provisions of the orders in council. In particular, NSIRA found that the Assistant Commissioner erroneously considered the importance of the potential future strategic relationship with a foreign entity in the assessment of potential risk of mistreatment of the individual.

NSIRA found that GAC is now strongly dependent on operational staff and heads of mission for decision-making and accountability under the ACA. This is a marked change from the findings of the 2019 review that found decision-making was done by the Ministerial Direction Compliance Committee at Headquarters.

GAC has also not conducted an internal mapping exercise to determine which business lines are most likely to be implicated by the ACA. Considering the low number of cases this year and the size of GAC, and that ACA training is not mandatory for staff, NSIRA has concerns that not all areas involved in information sharing within Global Affairs Canada are being properly informed of their ACA obligations.

NSIRA also notes that GAC has no formalized tracking or documentation mechanism for the follow-up of caveats and assurances. This is problematic as mission staff are rotational and may therefore have no knowledge of previous caveats and assurances related to prior information sharing instances.

3.5 Closed review work

This past year NSIRA determined that certain ongoing review work would be closed or not result in a final report to a Minister. These decisions allow NSIRA to remain nimble and to pivot its work plan. Considerations such as shifting priorities, resourcing demands, ongoing work taking place within the reviewed department, and deconfliction with partner review agencies can all be factors that lead to a decision to close a review. Such decisions allow NSIRA to redirect its efforts and resources towards other important issues, and thereby maximize the value of its work.

For example, a review of the Royal Canadian Mounted Police’s (RCMP) Operations Research Branch was closed. A contributing factor in this decision was that the RCMP branch in question ceased to operate. Another example is the decision to cease an ongoing review of how the RCMP handles encryption in the interception of private communications in national security criminal investigations. This review was cancelled to support deconfliction efforts with the National Security and Intelligence Committee of Parliamentarians (NSICOP), who were conducting a similar review. Finally, a review of the Financial Transactions and Reports Analysis Centre’s (FINTRAC) terrorist financing and information sharing regime, which was in its early stages, was cancelled at the same time that NSIRA decided to initiate a review of the Canada Revenue Agency’s (CRA) Review and Analysis Division, which delivers the CRA’s anti- terrorism mandate.

3.6 Technology in review

Integration of technology in review

Digital technologies continue to play a crucial role in the operational activities of Canada’s national security and intelligence community as agencies increasingly use new technologies to meet their mandates, propose new avenues for activities, and monitor new threats.

It remains essential for an accountability body like NSIRA to keep pace with the use of digital technologies in Canada’s national security and intelligence community. By staying apprised of rapidly changing technology ecosystems, NSIRA can ensure that the organizations it reviews are pursuing their mandates lawfully, reasonably and appropriately.

NSIRA’s Technology Directorate is a team of engineers, computer scientists, technologists andtechnology review professionals. The mandate of NSIRA’s Technology Directorate is to:

  • lead the review of Information Technology (IT) systems and capabilities;
  • assess a reviewed entity’s IT compliance with applicable laws, ministerial direction andpolicy;
  • conduct independent technical investigations;
  • recommend IT system and data safeguards to minimize the risk of legal non-compliance;
  • produce reports explaining and interpreting technical subjects;
  • lead the integration of technology themes into yearly NSIRA review plans;
  • leverage external expertise in the understanding and assessment of IT risks; and
  • support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP when technical expertise is required to assess the evidence.

In 2022, the Technology Directorate grew from one full-time employee to three and welcomed a cooperative education student and two external researchers. With its increased capacity, the Technology Directorate expanded its analysis of technologies in many NSIRA reviews, started formalizing its research methodology, and began hosting micro-learning sessions and discussion forums focused on relevant technical issues, including dark patterns, open-source intelligence and encryption.

The Technology Directorate also began establishing an academic research network with the goal of supporting NSIRA reviews. To date, contributors to the research network have produced valuable internal memos, reports, and discussion forums, which have enhanced NSIRA’s knowledge of a broad set of technical issues.

During the last year, the Technology Directorate also launched NSIRA’s first technology-led review, which focuses on the lifecycle of CSIS information collected by technical capabilities under a Federal Court warrant. This review presents an opportunity for NSIRA to draw on technical standards and review processes used by its Five Eyes peers and the international review and oversight community. NSIRA has been using this review to develop a risk assessment model and technical inspection plan, expanding NSIRA’s broader review toolkit.

Future of technology in review

During the next year, NSIRA will continue to hire more full-time employees in the Technology Directorate, support cooperative education and use external researchers to add capacity. Doing so will augment NSIRA’s ability to keep pace with the rapidly changing and expanding use of digital technologies in Canada’s national security and intelligence ecosystem.

Building on the successes of its budding academic research network, the Technology Directorate intends to prioritize unclassified research on a number of topics, including open- source intelligence, advertising technologies and metadata (content versus non-content data).

NSIRA’s Technology Directorate will also support NSIRA’s complaint investigations team to understand where and when technology factors into their processes and pursuits.

3.7 Engagement with reviewees

Improvements and ongoing challenges

As discussed in previous annual reports, as a new review body, NSIRA experienced initial challenges in its interactions with departments and agencies being reviewed. These challenges are continually being addressed and NSIRA’s relationship with reviewees has matured. While work on this front is not done, reviewees have demonstrated improvements in cooperation and support to the independent review process. The following discussion captures general commentary on the overall engagement with reviewees that were the focus of the past year’s reviews. These overviews cover 2022 and up to the date of writing of this report. Related review-specific commentary or issues, where available, are discussed within each review’s overview above.

Canadian Security Intelligence Service

After temporary restrictions and adjustments related to COVID-19 were lifted, NSIRA returned to its pre-pandemic level of occupancy within CSIS headquarters for CSIS-related reviews. This includes dedicated workspace and building passes for NSIRA employees reviewing CSIS activities. NSIRA employees have direct access to CSIS databases, and CSIS provides any training necessary, when requested, to navigate and access those systems. Generally, CSIS responds to NSIRA requests for information in a reasonably timely manner. Delays and challenges occur on occasion, but communication between NSIRA and CSIS is constructive in resolving issues.

Communications Security Establishment

NSIRA continued to use the space it procured within CSE’s headquarters in the Edward Drake Building to conduct review-related business. There was little improvement in 2022 to NSIRA’s access requirements at CSE. However, as of 2023, NSIRA is piloting limited direct access to CSE’s primary corporate document repository, GCDOCS. Issues remain and NSIRA is not in a position to assess the pilot project’s utility. In some instances, CSE has improved its responsiveness to NSIRA information requests in terms of timeliness, although some challenges remain with the quality of responses. NSIRA continues to work diligently with CSE to address these concerns.

Department of National Defence

Discussions continue with respect to developing dedicated office space and access to networks. While there has been little advancement on longer-term solutions, DND/CAF has worked with NSIRA to provide access to relevant documents, including sensitive files. DND/CAF has provided good access to facilities and people. Generally, responses to requests for information have been timely; however, a lack of proactiveness in DND/CAF disclosures has required NSIRA to send additional requests to ensure completeness and accuracy of information. Overall, the communication between NSIRA and DND/CAF has been constructive.

Royal Canadian Mounted Police

The past year was marked by inconsistencies in the RCMP’s responsiveness to NSIRA’s requests for information. The RCMP has taken steps to add to its capacity to respond to NSIRA, and this has yielded positive results. NSIRA does not have direct access to information systems but has been granted access to the files relevant to the matters under review. NSIRA has, on multiple occasions, had to send additional requests to ensure the completeness of files provided. In most cases, materials are reviewed on site in the dedicated NSIRA office space that has been provided within RCMP Headquarters. Despite challenges earlier in the year, NSIRA generally had access to people, including RCMP regular members who are experts in the areas under review. Overall, the engagement between NSIRA and the RCMP has seen improvements.

Global Affairs Canada

GAC has been responsive to NSIRA’s requests, made effort to clarify requests, and facilitated all meetings requested. During the review of departmental implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2021, GAC provided NSIRA with documents requested within a reasonable time frame. NSIRA did not have direct access to GAC systems, however this did not have an impact on NSIRA’s ability to verify information or access sensitive files as GAC was able to transfer all materials requested either by email or through their secure portal.

Canada Border Services Agency

The CBSA has provided NSIRA with adequate access to information and people. Some challenges in terms of timeliness were resolved promptly after NSIRA sent notice of a pending advisory letter. These challenges appear to be related to the CBSA’s lengthy approval process for the release of documents to NSIRA. NSIRA does not have direct access to CBSA systems, but this has not impeded NSIRA’s access to sensitive files. Overall, the CBSA has been responsive to NSIRA requests, ensuring that CBSA employees are available to answer NSIRA’s questions.

Refining NSIRA’s confidence statements

Assessing responsiveness and verification

NSIRA continues to place importance on assessing the overall quality and efficiency of its interactions with reviewees. Previously, NSIRA captured this assessment in a “confidence statement,” which provided important additional context to the review, apprising readers of the extent to which NSIRA was able to verify necessary or relevant information, and therefore whether its confidence in the information was impacted. These statements were also informed by aspects such as access to information systems and delays in receiving requested information.

NSIRA has further refined and standardized its approach for evaluating the key aspects of its interactions with reviewees and going forward will evaluate the following criteria during each review:

  • timeliness of responses to requests for information;
  • quality of responses to requests for information;
  • access to systems;
  • access to people;
  • access to facilities;
  • professionalism; and
  • proactiveness.
Follow-up on timeliness and advisory letters

NSIRA’s 2021 public annual report committed to addressing the ongoing struggle for timely responses from reviewees for requested information. During the past year, all delays have been captured by a request for information tracking system. The results inform one of the criteria discussed above. Additionally, NSIRA continues to leverage its three-staged approach to address continued delays by sending advisory letters to senior officials and ultimately respective Ministers should delays persist. This advisory tool was used at five occasions in 2022, three of which were sent to CSE, and two to the RCMP.

Advisory letters sent to a reviewee during a review may be appended to the final report for both the appropriate minister’s and the public’s awareness of such delays. Combined with the updated assessment criteria discussed above, NSIRA works to provide transparency and awareness of both the challenges and successes on interactions with those reviewed.

Complaints investigations

4.1 Overview

In the three years since its establishment, NSIRA has focused on reforming the investigative process for complaints and developing procedures and practices to ensure the conduct of investigations is fair, timely and transparent. NSIRA previously reported on the creation of its Rules of Procedure, on its policy to commit to the publishing of redacted investigation reports, and on the implementation of the use of video technology. In the past year, NSIRA streamlined its jurisdictional assessment phase and its investigative process through the increased use of investigative interviews as the principal means of fact finding. These developments enabled NSIRA to deal with a significant volume of complaints over this reporting period.

After receiving a complaint, NSIRA must evaluate whether it is within NSIRA’s jurisdiction to investigate based on conditions stated in the National Security and Intelligence Review Agency Act (NSIRA Act). For complaints against the Canadian Security Intelligence Service (CSIS) or the Communications Security Establishment (CSE), NSIRA must be satisfied that the complaint against the respondent organization refers to an activity carried out by the organization and that the complaint is not trivial, frivolous or vexatious. For complaints referred from the Civilian Review and Complaints Commission (CRCC) of the Royal Canadian Mounted Police (RCMP), NSIRA must receive and investigate a complaint referred to it under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act if satisfied that the complaint is not trivial, frivolous or vexatious or made in bad faith. For security clearance denials, with impacts upon individuals as set out in the NSIRA Act, NSIRA must receive and investigate the complaint.

NSIRA has developed a robust process to review and independently verify respondent organization information, mindful of the interests of the complainant and the security imperatives of the organization.

In the past, the Security Intelligence Review Committee routinely dealt with complaints related to CSIS by recourse to formal hearings. While NSIRA retains this statutory power, it has sought to make increasing use of interviews to ascertain the evidence required to fully investigate and consider complaints. Considering the security constraints that limit the disclosure of information to complainants during formal hearings, investigative interviews permit NSIRA access to information in a timely manner and are expected to decrease the length of time toresolve complaints. This will be important as NSIRA deals with an increased complaint case load owing to its mandate (which includes complaints related to CSIS, CSE, RCMP and security clearances), as well as delays resulting from COVID-19 impacts over the last three years.

4.2 Ongoing initiatives

NSIRA has committed to establishing service standards for the investigation of complaints, with the goal of completing 90% of investigations within NSIRA service standards by March 2024. During 2022, NSIRA began developing these service standards, which also aim to encourage prompt and efficient administrative decision-making. The service standards will set internal time limits for certain investigative steps for each type of complaint, under normal circumstances. The service standards will specify the circumstances under which those time limits do not apply. The development of the service standards includes tracking and data collection on whether NSIRA is meeting its own service standards in the investigation of complaints. NSIRA will finalize and publish its service standards in 2023 and is committed to reporting on whether they were met.

For the year ahead, NSIRA will continue to improve its website to promote accessibility to the investigation of complaints. More specifically, NSIRA will develop an online password-protected portal through which complainants will be able to submit complaints and receive updates on the status of their file.

NSIRA began the last phase of the study on race-based data and the collection of demographic information jointly commissioned with the CRCC. The study is assessing the viability of the collection of identity-based and demographic data as part of the CRCC’s ongoing anti-racism initiatives. Improved, more precise and more consistent tracking, collection and measurement of data is necessary to support anti-racism efforts in government. In completing the study, the CRCC and NSIRA will be informed on:

  • meaningful and purposeful data collection;
  • challenges with the collection of data;
  • perspective on how the data collected can be applied to address any potential systemic barriers in NSIRA’s investigations process and its anti-racism initiatives; and
  • public sentiment of the retention of identity-based data.

NSIRA notes that some reforms to its legislation would make it easier to fulfill its investigations mandate. Among these would include an allowance for NSIRA members to have jurisdiction to complete any complaint investigation files they have begun, even if their appointment term expires. Broadened rights of access to individuals and premises of reviewed organizations would enhance verification activities.

4.3 Investigation report summaries

Allegations against CSIS’s role in delaying security assessments regarding permanent resident and temporary resident visa applications (07-403-30)

Background

The complainants filed a complaint against CSIS alleging that it caused delays in their permanent resident and temporary resident visa applications.

Investigations

During NSIRA’s investigation, CSIS provided its advice in relation to the complainants’ permanent resident applications. In light of this information, NSIRA requested confirmation from the complainants regarding whether they still wished to proceed with their complaint. The complainants clarified that they wanted to either receive monetary compensation or an explanation for the delay that occurred in relation to their file.

Conclusion

NSIRA informed the complainants that it does not have the authority to make remedial orders such as requiring CSIS to make monetary compensation to a complainant. However, NSIRA inquired whether CSIS was interested in participating in an informal resolution process to resolve some of or all the issues in the complaint. In the context of NSIRA’s informal resolution process, information was provided to the complainants regarding CSIS’s involvement in their permanent resident and temporary resident visa applications. NSIRA attempted to communicate with the complainants on several occasions to determine whether they had any questions that would assist in clarifying the circumstances of their complaint.

NSIRA determined that reasonable attempts had been made to communicate with the complainants and issued reasons deeming the complaint abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.

Allegations against CSIS, Immigration, Refugees and Citizenship Canada, the Canada Border Services Agency, and Public Safety Canada in relation to their role in processing immigration applications (07-405-1 et al.)

Background

Under subsection 45(2) of the Canadian Human Rights Act, the Canadian Human Rights Commission (CHRC) referred 58 individual and group complaints to NSIRA. This matter constituted the first time NSIRA had received a section 45 referral from the CHRC.

The complainants, Iranian nationals, alleged that the Government of Canada discriminated against them on the basis of national or ethnic origin or race due to the delays in the processing of their temporary or permanent residency visa, or Canadian citizenship.

Under section 46 of the Canadian Human Rights Act, NSIRA is obliged to conduct an investigation and return a report to the CHRC. It further provides that on NSIRA’s report, the CHRC may dismiss the complaint or proceed to deal with the complaint.

NSIRA’s role in section 45 referrals is confined to scrutinizing the components of a matter that are based on considerations relating to the security of Canada and report findings of its investigation into classified information to the CHRC in an unclassified manner. NSIRA does not possess the authority to exercise the CHRC’s statutory discretion to refer the matter to the Canadian Human Rights Tribunal.

Investigation

During its investigation, NSIRA considered the evidence given by witnesses and submissions of their counsel during an investigative interview, and the documentation and submissions submitted by the government parties, including classified documents disclosed to NSIRA by CSIS, Immigration, Refugees and Citizenship Canada (IRCC), the Canada Border Services Agency (CBSA) and Public Safety Canada.

Importantly, NSIRA heard evidence from the government parties in relation to a particular mandatory indicator developed by the CBSA and used by IRCC officers in deciding referrals for security screening of Iranian immigration applications. Prior to reforms made by August 2018, one indicator was based entirely on Iranian nationality, coupled only with the age and sex of the applicant. Where an applicant met the criteria, IRCC officers would automatically refer the file to the CBSA and CSIS for security screening. The evidence showed that the government abandoned mandatory indicators in 2018 because of efficacy concerns and because it contributed to delays.

NSIRA further noted that IRCC did not keep a record of the particular indicator on which the referral was based. This hindered NSIRA’s ability to investigate the other indicators that may have affected the processing of a complainant’s immigration application. That being said, NSIRA acknowledged that an indicator tracking code system was being piloted at the time of the investigative interview. This technical solution would allow for the tracking of the IRCC officers’ decisions to refer immigration applications for security screening through a coding system identifying the reason for the referral.

Conclusion

NSIRA found that:

  • the mandatory age and sex indicator used by IRCC in processing immigration applications until May 2018 relied exclusively on nationality, age and sex, which are listed as prohibited grounds of discrimination in section 5 of the Canadian Human Rights Act;
  • the mandatory age and sex indicator produced a disadvantage (including in terms of delays) to those Iranians who were subjected to security screening and to those whose own files were linked to these applicants;
  • at the material times at issue in this matter, the application of that mandatory indicator was not justifiable on national security grounds; and
  • the security screening process applicable to citizenship applications in this matter did not produce a disadvantage based on grounds enumerated in the Canadian Human Rights Act, as citizenship applications received by IRCC are sent to CSIS for security screening, regardless of the applicant’s country of birth.

NSIRA submitted its report to the CHRC so that it can assess whether there is a reasonable basis in the evidence for a referral to the Canadian Human Rights Tribunal or whether to dismiss the complaints.

Investigation of a complaint regarding the revocation of a security clearance by the Chief of the Defence Staff (1170-17-7)

Background

The complainant was a regular force soldier who held a Top-Secret security clearance. The results of the complainant’s polygraph examination, although not exclusively relied on, were the primary influence in the security assessments of the complainant prepared by CSIS and the DND Departmental Security Officer. As a result of those assessments, the Chief of the Defence Staff (CDS) revoked the complainant’s security clearance. The complainant filed a complaint with NSIRA against the CDS over the revocation of the security clearance.

Investigation

During the Investigation, NSIRA heard from government witnesses from DND and CSIS about the polygraph examination, the investigation into the complainant, and the process leading to the revocation of the complainant’s security clearance. In addition to the oral evidence, the government parties filed documents and made submissions. NSIRA also considered the oral evidence and written submissions provided by the complainant.

NSIRA reviewed all of the evidence it received to determine whether there were reasonable grounds for the CDS to revoke the complainant’s security clearance and to ensure the accuracy of the information the CDS used to reach the decision to revoke.

NSIRA found several deficiencies in the way the complainant’s polygraph was handled, reported and disseminated. In addition, NSIRA found that exculpatory facts were not contextualized nor placed before the CDS prior to the decision to revoke.

Conclusion

NSIRA found that the information the CDS relied on to make the decision to revoke was not accurate. As a result, the decision to revoke the clearance was not reasonable.

NSIRA recommended that CSIS apologize to the complainant for the manner in which the polygraph was handled, reported and disseminated and that the CDS revisit the decision to revoke the complainant’s security clearance.

Review of the Royal Canadian Mounted Police’s report regarding a public complaint (07-407-3)

Background

The complainant filed a complaint with the CRCC related to the conduct of members of the RCMP. The complainant alleged that the RCMP carried out an unjustified and arbitrary arrest of their minor son, conducted a zealous and abusive search of the family home, and publicized the arrest.

In addition, the complainant alleged that the RCMP disclosed information to U.S. authorities, stated that the complainant’s son’s arrest form would be forgotten and destroyed, and violated the son’s safety and that of his family, their constitutional rights and their whistleblower rights.

The RCMP concluded, in a report sent to the complainant pursuant to section 45.64 of the Royal Canadian Mounted Police Act (RCMP Act), that the members had acted appropriately and consequently did not support any of the complainant’s allegations.

The complainant referred their complaint to the CRCC for review as they were not satisfied with the RCMP’s findings. The CRCC referred the complaint to NSIRA pursuant to subsection 45.53(4.1) of the RCMP Act.

Investigation

NSIRA determined that it had jurisdiction to review the request for review of the RCMP’s report under section 19 of the NSIRA Act.

NSIRA’s investigation included a review of:

  • the complaint;
  • the complainant’s request for review filed with the CRCC;
  • the RCMP investigation file related to the complaint, including documents provided by the complainant during the investigation; and
  • the RCMP’s operational file related to the complaint, including numerous audio and video recordings, as well as relevant policies and legislation.
Conclusion

NSIRA found that the RCMP’s conclusions in its report were reasonable.

Notwithstanding the foregoing, NSIRA pointed out to the RCMP the importance of the decision- maker and signatory of an RCMP report having no prior involvement with the file that is the subject of the complaint, in addition to the importance of complete and contemporaneous notetaking.

4.4 Statistics on complaints investigations

Investigation activity continued at significant levels in 2022 (see Annex D). One noteworthy difference in activity from 2021 to 2022 was the significant decline in the number of active investigations: from 81 in 2021 to 19 in this reporting period. This decrease is largely attributed to a referral of close to 60 related files from the CHRC, which were dealt with during this reporting period.

Under section 16 of the NSIRA Act, any person may make a complaint to NSIRA with respect to any activity carried out by CSIS; section 17 covers complaints related to CSE activities. However, for NSIRA to be able to accept a complaint, the complainant to CSIS must first send a letter of complaint to the Director of CSIS; for CSE complaints, a letter must first be sent to the CSE Chief. NSIRA will investigate the complaint if the complainant has not received a response within a period of time that NSIRA considers reasonable or if the complainant is dissatisfied with the response given. In that regard, NSIRA observed that in 2022, 53% of complainants did not receive a letter from CSIS in response to their letter of complaint to the Director of CSIS.

There is a need to increase awareness and understanding on the part of members of the public and complainants on NSIRA’s investigative mandate and process. For example, NSIRA members do not have the ability to make remedial orders, such as compensation, or to order a government department to pay damages to complainants. NSIRA continues to make improvements to its public website to raise this awareness and better inform the public and complainants on the investigations mandate and investigative procedures it follows.

Expanding NSIRA partnerships

NSIRA believes that establishing a community of practice in the business of independent review and oversight is essential and is actively contributing to this effort. During the past year, it resumed and expanded its engagement with valuable partners, both domestically and internationally, and has already reaped the benefits of these efforts.

International partnerships

NSIRA has identified international relationships with counterparts as a priority for its institutional development. During the past year, NSIRA benefited from excellent free-flowing and extensive interactions with its closest international partners. A better understanding of the parameters of the review and oversight activities of NSIRA’s international counterparts, and sharing best practices, are vital to the agency’s growth.

Five Eyes Intelligence Oversight and Review Council

Since its inception, NSIRA has been an active participant in the Five Eyes Intelligence Oversight and Review Council. The council comprises agencies with an oversight and review mandate concerning the national security activities in their respective countries (Canada, Australia, New Zealand, the United Kingdom and the United States). NSIRA participates alongside the Office of the Intelligence Commissioner as Canada’s delegation to the council. The group meets annually, and NSIRA participated in the Five Eyes Intelligence Oversight and Review Council conference in Washington D.C. in 2022. NSIRA has the distinct pleasure of hosting council partners in Ottawa in fall 2023.

NSIRA also frequently engages bilaterally with council partners at the working level. These exchanges allow NSIRA to better understand critical issues impacting its work, compare challenges and best practices in review and oversight methodology, and discuss views on subjects of mutual interest and concern. For instance, learning about council partners’ information access rights, and the legal framework enabling such access, has helped to contextualize some of NSIRA’s own access challenges.

NSIRA met with one of its council partners, the Investigatory Powers Commissioner’s Office in London, U.K. The Commissioner’s office has a broad mandate of activities that includes, among others, approving warrants authorized by the Secretary of State and the independent oversight of the use of the powers by the U.K.’s security and intelligence community. The multi-day meetings provided an opportunity to better understand each other’s respective organizations, exchange ideas and share best practices. NSIRA met with a number of departments with whom the Commissioner’s office engages and shadowed a day-long inspection carried out by the Commissioner’s office. Of particular interest was the Commissioner’s office’s approach for following up on the implementation of recommendations it provides and its insights on the production of annual reports. Support for this important partnership continues, and NSIRA has further engaged with Commissioner’s office staff to cement this strong relationship.

NSIRA was also able to complete working-level visits to the office of Australia’s Inspector- General of Intelligence and Security and to offices of some members of the U.S. inspector general community in Washington.

Additional European engagement

NSIRA also participated in the International Intelligence Oversight Forum, which brings together oversight, review and data protection agencies from all over the world. The event was productive and NSIRA had the additional benefit of constructive bilateral exchanges with participating institutions.

As part of its efforts to build strong relationships with continental European counterparts in like- minded jurisdictions with strong accountability mechanisms, NSIRA visited the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services, the Danish Intelligence Oversight Board, the Netherlands’ Review Committee on the Intelligence and Security Services, and the Swiss Independent Oversight Authority for Intelligence Activities.

Each of these highly productive visits allowed NSIRA to learn from these partners and make its work more visible within this review community.

Stronger domestic coordination

NSIRA continued to invest in strengthening relationships with key domestic partners — the National Security and Intelligence Committee of Parliamentarians (NSICOP), the Civilian Review and Complaints Commission for the RCMP and the Office of the Intelligence Commissioner, as well as the various agents of Parliament who play a key role in government accountability.

NSIRA and NSICOP have complementary roles in enhancing accountability for federal national security and intelligence activities and are required by law to cooperate in the fulfillment of their respective mandates. Regular cooperation meetings are held at various levels and the two agencies continue to refine ways to cooperate and coordinate. NSIRA and NSICOP have supported each other’s work by communicating regularly on review plans to avoid duplication and to make adjustments where required. These coordination efforts contributed to NSIRA’s decision to cease work on an RCMP encryption review. NSIRA has also provided, after ministerial consultation, many of its final reports to NSICOP. For its part, NSICOP has provided NSIRA with its classified reports and background briefings. These exchanges have allowed both organizations to refine their review topics and methodologies. NSICOP’s and NSIRA’s legal teams have also engaged productively, with a view to working through common access challenges, among other things. These frequent and in-depth exchanges serve as an important foundation for a cohesive and robust national security and intelligence review apparatus, and NSIRA and NSICOP enjoy a level of cooperation that is among the strongest of their international counterparts.

As discussed under Ongoing initiatives, NSIRA and the Civilian Review and Complaints Commission for the RCMP have jointly commissioned a study on race-based data and the collection of demographic information. This study will inform each organization’s approach to developing and implementing an identity-based data strategy in the context of its complaints investigations. The study is currently in its last phase and is expected to be completed in fiscal year 2023–2024.

In 2022, the NSIRA Secretariat joined a network of legal professionals from across the various agents of Parliament. As a separate agency and separate employer mandated with supporting independent oversight, NSIRA’s Secretariat benefits from collaborating with this community of practice through discussions on legal issues of common interest, professional development and knowledge transfer initiatives.

Emerging cooperation in technology

Building partnerships allows NSIRA’s growing Technology Directorate to gather diverse perspectives, collaborate on common goals, refine methodologies, and build on established best practices. In 2022, the team focused on building relationships with peers who share mandates on technical topics, such as privacy-enhancing technologies, automated decision- making and service design. Within Canada, this included collaboration with the Office of the Privacy Commissioner’s Technology Analysis Directorate, the artificial intelligence team at the Treasury Board Secretariat’s Office of the Chief Information Officer, and the Canadian Digital Service.

International and academic collaborations offered access to rich technical knowledge and expertise of other review and oversight bodies. Knowledge management, talent retention and evolving technical capabilities became the focal point of regular engagement with teams at the Investigatory Powers Commissioner’s Office, Australia’s Inspector-General of Intelligence and Security, and the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services. Finally, 2022 gave rise to NSIRA’s external research program aimed at informing and supporting reviews already in progress with relevant and timely technical expertise. Building on the past year’s efforts, the Technology Directorate intends to continue developing domestic and international partnerships, including expanding its network with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches.

Conclusions

As NSIRA fulfills its role within Canada’s security and intelligence landscape, it is continually motivated by the vital importance of its mandate. This is expressed through each review and complaint investigation completed. In executing its mission in 2022, NSIRA continued to build best practices across the agency. This ongoing growth and evolution position it well to take on new challenges.

As the agency’s experience grows so too does its knowledge, and it is confident in its ability to be a leading voice in the review and investigations discourse. Partnerships and engagement with reviewees are maturing, and NSIRA is already reaping the benefits of significant effort on both fronts. Applying lessons learned from these partnerships allows NSIRA to iterate and improve its processes and approaches. While there is there is still much work ahead, the results are encouraging.

As NSIRA’s members consider the agency’s accomplishments this past year, they are proud of the diligence and enthusiasm that Secretariat staff have demonstrated. NSIRA has risen to the challenge of changing circumstances and growth and have done so with an outstanding professionalism. The agency looks forward to the year ahead as it carries on with its important work.

Annexes

Annex A: Abbreviations

Abbreviation Full Name
ACA Avoiding Complicity in Mistreatment by Foreign Entities Act
ACO active cyber operations
CAF Canadian Armed Forces
CBSA Canada Border Services Agency
Cyber Centre Canadian Centre for Cyber Security
CDS Chief of the Defence Staff
CHRC Canadian Human Rights Commission
CII Canadian-identifying information
CRA Canada Revenue Agency
CRCC Civilian Review and Complaints Commission for the RCMP
CSE Communications Security Establishment
CSIS Canadian Security Intelligence Service
DCO defensive cyber operations
DLS Directorate of Legal Services
DND Department of National Defence
DOJ Department of Justice
FINTRAC Financial Transactions and Reports Analysis Centre
FIRAC Foreign Information Risk Advisory Committee
GAC Global Affairs Canada
IRCC Immigration, Refugees and Citizenship Canada
IRTC Information relating to a Canadian or a person in Canada
IT Information technology
JPAF Joint Planning and Authorities Framework
MA Ministerial Authorization
NSICOP National Security and Intelligence Committee of Parliamentarians
NSIRA National Security and Intelligence Review Agency
NSLAG National Security Litigation and Advisory Group (Justice)
PS Public Safety Canada
RCMP Royal Canadian Mounted Police
SCIDA Security of Canada Information Disclosure Act
SIGINT Signals intelligence
TRM Threat reduction measure

Annex B: Financial overview, staffing, achievements and priorities

Financial overview

The NSIRA Secretariat is organized according to two main business lines: Mandate Management and Internal Services. The table below presents a comparison of spending between 2021 and 2022 for each of these two business lines.

(In dollars) Expenditures (2022) Expenditures (2021)
Mandate Management 7,679,950 7,523,552
Internal Services 11,033,465
8,926,178
Total 18,713,415 16,449,730

In the 2022 calendar year, the Secretariat spent $18.7 million, a $2.3 million (14%) increase from the $16.4 million spent in 2021. This spending increase is mainly attributed to the ramping up of a large infrastructure project and an increased use of external services for corporate activities.

Staffing

As of June 30, 2023, NSIRA Secretariat staff complement stood at 76. In an attempt to address hiring and retention challenges, the Secretariat implemented several initiatives including the introduction of an internal development program for its mandate management sector employees. The Program aims at promoting existing employees once they acquire the level of knowledge and competencies required to be promoted. The program is individualized, informed by regular review of progress in the achievement of core knowledge and competencies expectations. The Secretariat has also launched a program to hire recent Ph D. graduates in fields of expertise that are of interests to NSIRA’s mandate.

The Secretariat also continues to use modern and flexible staffing strategies, procedures and practices. It has adapted its operations and activities to allow, to the extent possible, a flexible hybrid work model.

Clearer articulation of its core competency profiles, operational methodologies and practices also enabled a more effective integration and onboarding of employees into the organization.

Having hired a dedicated employee responsible for the implementation of an employee wellness agenda combined with an active Mental Health and Wellness Committee, several initiatives have been delivered in an aim to foster workplace well-being and increased interactions between employees.

Progress on foundational initiatives

Accessibility, employment equity, diversity, and inclusion

Informed by its three-year action plan and its commitments to the Clerk of the Privy Council, the Secretariat’s internal committee responsible for accessibility, employment equity, diversity and inclusion invited guests and led discussions aimed at increasing awareness, celebrating the Secretariat’s diverse workforce, and identifying barriers and solutions with respect to these themes.

NSIRA also took concrete steps as part of its mandated activities to include, among other things, a Gender-based Analysis Plus lens into the design and implementation of its policies and programs. As a result, NSIRA’s renewed forward-looking review plan is informed by considerations related to anti-racism, equity and inclusion. These considerations apply to the process of selecting reviews to undertake, as well as to the analysis that takes place within individual reviews. NSIRA reviews routinely consider the potential for national security or intelligence activities to result in disparate outcomes for various communities and will continue to do so in the year ahead.

In 2022, NSIRA also continued to work with another review body to develop strategies for the collection, analysis and use of identity-based data. The goal of the exercise is to rely on public consultations to determine how the public perceives the collection, analysis and use of identity- based data in relation to mandate.

Finally, the Secretariat also developed and posted its inaugural accessibility plan on NSIRA’s external website. The plan outlines the steps that will be taken over the next three years to increase physical and information accessibility, both for employees within the organization as well as for Canadians more generally.

Facilities projects, technology and security

The Secretariat is in the process of retrofitting additional workspace to enable it to accommodate all its employees within the confines of one building. The construction phase is expected to be completed late in 2023. Over the course of 2022, the Secretariat worked closely with lead security agencies to ensure the fit-up meets best practices and established standards.

Transparency and privacy

The Secretariat continues to promote transparency by dedicating resources to redact, declassify and release previous reports from the Security Intelligence Review Committee, in addition to proactively releasing NSIRA’s reviews. In 2022, a major upgrade to NSIRA’s external website was initiated with the goal of increasing access to information including access to redacted review reports and recommendations. It is expected that the website will be released in 2023.

From a privacy perspective, the NSIRA Secretariat continued to make progress further to the privacy impact assessment exercise conducted in fiscal year 2021-2022 in relation to review activities and internal services. It also initiated a privacy impact assessment for the investigations function. This work is expected to be completed in fiscal year 2023-2024.

Considering the importance of privacy as part of its activities, NSIRA took concrete steps to implement best practices to protect the privacy of individuals as part of complaints investigations and as part of the conduct of reviews.

Annex C: Review findings and recommendations

This annex lists the full findings and recommendations for the National Security and Intelligence Review Agency (NSIRA) reviews completed in 2022, as well as reviewees’ management responses to NSIRA’s recommendations, to the fullest extent possible at the time of publication. NSIRA will update such information from all reviews when they are published on its website.

Canadian Security Intelligence Service review

Threat Reduction Measures Annual Review

NSIRA’s findings

NSIRA finds that the Canadian Security Intelligence Service’s (CSIS’s) use of its TRM mandate in 2021 was broadly consistent with its use in preceding years.

For all the cases reviewed, NSIRA finds that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act.

For all the cases reviewed, NSIRA finds that CSIS sufficiently established a “rational link”between the proposed measure and the identified threat.

For Case 1 and Case 2, NSIRA finds that CSIS met its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.

For Case 3, NSIRA finds that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.

With respect to legal risk assessments, NSIRA finds that greater specificity regarding legal risks, and direction as to how said risks could be mitigated and/or avoided, resulted in more detailed outcome reporting vis-à-vis legal compliance.

For Case 2 and Case 3, NSIRA finds that CSIS did not meet its obligations with respect to one requirement of its Conduct of Operations, Section 12.1 Threat Reduction Measures, Version 4. CSIS did not meet its internal policy requirements regarding the timelines to submit TRM implementation reports.

For Case 3, NSIRA finds that the Intended Outcome Report was not completed in a timely manner.

NSIRA finds that current policy for the completion of Strategic Impact Reports may inhibit the timely production of important information.

NSIRA’s recommendations

Recommendation
Recommendation 1: NSIRA recommends that formal legal risk assessments be conducted for TRMs involving [*sensitive factors*].
Recommendation 2: NSIRA recommends that CSIS consider and evaluate whether legal risk assessments under TRM Modernization comply with applicable ministerial direction.
Recommendation 3: NSIRA recommends that CSIS work with the Department of Justice to ensure that legal risk assessments include clear and specific direction regarding possible legal risks and how they can be avoided/mitigated during implementation of the TRM.

Recommendation 4: NSIRA recommends that Implementation Reports specify how the legal risks identified in the legal risk assessment were avoided/mitigated during implementation of the TRM.

Recommendation 5: NSIRA recommends that CSIS specify in its Conduct of Operations, Section 12.1 Threat Reduction Measures when the Intended Outcome Report is required, as it does for the Strategic Impact Report.
Recommendation 6: NSIRA recommends that CSIS integrate in policy a requirement that the Strategic Impact Report be completed at the expiry of the TRM authority.

Communications Security Establishment reviews

Review of the Communications Security Establishment’s Governance of Active and Defensive Cyber Operations — Part 2

NSIRA’s recommendations

NSIRA finds that the Global Affairs Canada Foreign Policy Risk Assessment process, as well as the related international legal assessment, improved since the Governance Review, for Communications Security Establishment (CSE) active cyber operations (ACOs) and defensive cyber operations (DCOs).

NSIRA finds that Global Affairs Canada does not have capability to independently assess potential risks resulting from the techniques used in CSE ACOs and DCOs.

NSIRA finds that CSE and the Department of Justice demonstrated a thorough understanding of section 32 of the CSE Act. However, CSE does not appropriately consult with the Department of Justice at the [*specific step*]15 stage to ensure that the assessment of legal compliance remains valid.

NSIRA finds that CSE’s applications for authorizations issued under subsections 29(1) and 30(1) of the CSE Act for [*description*] activities did not include all the available information relevant to a meaningful assessment of the requirements in subsections 34(1) and (4) of the CSE Act.

NSIRA finds that there is potential for overlap between CSE and CSIS activities in the context of capabilities used by CSE to conduct its ACOs and DCOs. However, CSE did not consistentlyconsult with CSIS about CSE’s cyber operations.

NSIRA finds that despite close collaboration with Global Affairs Canada, and the Department of National Defence and Canadian Armed Forces on ACOs and DCOs, CSE did not demonstrate consistent engagement with CSIS or the Royal Canadian Mounted Police (RCMP) to determine whether the objective of an ACO or DCO could not reasonably be achieved by other means.

NSIRA finds that the Chief’s applications for active and defensive cyber operations activities for the period of review did not accurately describe the relationship between a cyber operation, and intelligence collection.

NSIRA finds that, in its [*a specific document*], CSE did not always provide clarity pertaining to foreign intelligence missions.

NSIRA finds that CSE’s ACOs and DCOs that were planned or conducted prior to July 30, 2021,including the case studies analyzed in this report, were lawful.

NSIRA finds that there is significant overlap between activities conducted under the ACO and DCO aspects of CSE’s mandate, as well as between all four aspects of CSE’s mandate.

NSIRA’s recommendations, and CSE response

Recommendation CSE and GAC Response (June 21st , 2023)
Recommendation 1: NSIRA recommends that Global Affairs Canada develop or otherwise leverage capability to enable it to independently assess potential risks resulting from the techniques used in CSE ACOs and DCOs. Disagree. CSE and GAC disagree with this recommendation.
In accordance with the CSE-GAC Governance Framework, GAC assesses CSE cyber operations for foreign policy risks and compliance with international law. CSE’s internal risk assessment process assesses the cyber operation for technical risks based on the techniques used.
Just as CSE relies upon GAC to provide expertise in foreign policy and international law, GAC relies upon CSE to provide expertise on technologies and techniques at the forefront of development.
Accurate assessment of all risks from a cyber operation relies on the continuation of open and honest dialogue and trust between GAC and CSE. As such, CSE will continue to share information with GAC on techniques, whenever their use may have an impact on GAC’s foreign policy risk assessment.
Recommendation 2: NSIRA recommends that the Department Justice be fully consulted at all stages of an ACO or DCO, particularly prior to operational execution. Agree in principle. CSE agrees with this recommendation in principle.
CSE believes that the advice and guidance provided by the Department of Justice (DOJ) representatives embedded in CSE's Directorate of Legal Services (DLS) is integral to CSE's success. CSE consults with DLS at all relevant stages of a cyber operation. As a matter of practice, CSE consults DLS throughout the Joint Planning and Authorities Framework (JPAF) process and at a key stage, and more consultation is conducted when an activity is new or novel.
Internal tools developed by DLS are used to ensure that activities do not contravene the prohibitions set out in the CSE Act and assist analysts in identifying when a higher risk necessitates further legal review. Additionally, CSE's internal operational policy team is consulted on all key stages.
Recommendation 3: NSIRA recommends that CSE abandon the practice of generic ACO and DCO applications to the Minister of National Defence, and instead submit individual applications. Disagree. CSE and GAC disagree with this recommendation.
When submitting an application for these particular ACO and DCO Ministerial Authorizations (MAs), CSE and GAC always ensure that the Minister of National Defence and the Minister of foreign Affairs are provided with a sufficient amount of information to make an informed decision as to whether CSE’s proposed activities are reasonable and proportionate against a specific set of objectives. To that end, these particular ACO and DCO MAs are structured around key objectives in countering a number of well-defined threats globally. In that sense, they are not “generic”, but their scope is broad enough to give CSE the flexibility to act against a wide range of targets, when the identity of threat actor or the location and context is unknown at the time of application.
For any operations assessed as falling under the authority of these MAs, the current governance framework allows for appropriate risk management of operations. CSE provides GAC with detailed mission plans for each operation, which allows for a proper assessment of foreign policy risks associated with CSE’s cyber operations.
Following Recommendation no. 1 from the Governance review (FCO 1), CSE and GAC increased the amount of information included in the 2021 application for this MA. The level of detail was improved further in the 2022 application. Moreover, CSE and GAC work collaboratively on any new MAs to both ensure that relevant foreign policy objectives are reflected and that authorized operations are sufficiently scoped. Whenever an activity does not fit within the category covered by these MAs, CSE will submit a new application specific to that circumstance.
Recommendation 4: NSIRA recommends that CSE always engage with CSIS, the RCMP, and any other federal departments or agencies as to whether those departments are in a position to reasonably achieve the objective of a cyber operation.
Agree. CSE agrees with this recommendation.
CSE values the importance of consulting with all relevant Government of Canada stakeholders. During the planning of operations, CSE has and will continue to strengthen its collaborative relationships with its partners, including engaging with CSIS, RCMP, and other relevant federal departments or agencies whose mandates may intersect with a planned ACO or DCO.
Recommendation 5: NSIRA recommends that the Chief’s applications for active and defensive cyber operations inform the Minister of National Defence that acquisition of information under a valid foreign intelligence, cybersecurity, or emergency authorization, [*description*]. Agree. CSE and GAC agree with this recommendation.
This recommendation has already been addressed in the applications for the 2022-23 ACO and DCO Ministerial Authorizations.
Recommendation 6: NSIRA recommends that documentation prepared as part of the CSE’s cyber operations framework provide clear links to all known applicable foreign intelligence (or cybersecurity) missions. Agree. CSE agrees with this recommendation.
Since the period under review, and partially stemming from NSIRA recommendations issued in the Governance review (FCO 1), CSE has implemented this change into its cyber operations framework. Under the current framework, the documentation now includes links to s.16 or s.17 operations that are directly relevant to a s.18 or s.19 cyber operation.
Recommendation 7: NSIRA recommends that CSE continue to refine, and to define, the distinctions between activities conducted under different aspects of its mandate, particularly between ACO and DCO activities, but also with regard to foreign intelligence and cybersecurity activities. Agree in principle. CSE agrees with this recommendation in principle.
CSE agrees with the principle of understanding the nuances of its mandate. The CSE Act (ss.15-20) expressly distinguishes between the five aspects of the mandate. Operations are planned with an understanding of the scope and boundaries of the authorizing aspect of the mandate. CSE works closely with the Directorate of Legal Services (DLS) and its Operational Policy team to ensure that operations are planned and conducted under the appropriate authorities.
In the body of its report, NSIRA acknowledges both the clarity of the Act and of CSE’s ability to explain why an operation should be authorized under a particular aspect of the mandate. CSE’s policies and procedures governing the planning and conduct of operations rely on the distinction between aspects of the mandate. CSE’s Mission Policy Suite addresses each aspect of the mandate and provides a distinction between ACOs and DCOs. The cyber operations framework provides for planning documentation that sets out why the objectives and nature of the planned operation align with the authorities of an ACO versus a DCO, notwithstanding the techniques being applied. Finally, CSE is in the process of launching updated legal and policy training to its operational staff.

Foreign intelligence review

NSIRA’s findings

NSIRA finds that CSE has not updated the Minister of National Defence since [*year*] on its relationship with a foreign partner.

NSIRA finds that in the context of a joint operation, CSE’s analytic exchanges with a partner did not comply with all of CSE’s internal policy requirements relating to such exchanges with its partners.

NSIRA finds that CSE’s applications to the Minister of National Defence for Foreign Intelligence Authorizations did not describe the full extent of CSE’s involvement in [*specific activity*].

NSIRA finds that CSE did not appropriately apply its Mistreatment Risk Assessment process to information shared with a foreign partner. CSE conducted a mistreatment risk assessment only after having already shared substantial information with the partner.

NSIRA finds that CSE did not appropriately justify its mistreatment risk for targets of an operation.

[*Finding not releasable in public report*]

NSIRA finds that CSE does not have a mechanism to obtain timely and concrete verification ofa person’s Canadian status in order to verify that it is not directing its activities at Canadians.

NSIRA finds that CSE has not developed policies and procedures to govern its participation in [*specific activity*].

NSIRA finds that CSE’s contributions to operations with its partners are not governed by any written arrangements with operational activities.

NSIRA finds that CSE’s contributions to operations led by a partner have not been accompanied with the operational planning and risk assessment as described by CSE to the Minister of National Defence.

NSIRA finds that CSE does not obtain operational plans or risk assessments developed by its partners leading the operations, nor contributes to the development of these plans or their associated parameters.

NSIRA finds that CSE’s application for the Authorization did not inform the Minister of National Defence that it intends to conduct testing and evaluation activities under the authority of the Authorization.

NSIRA’s recommendations, and CSE response

Recommendation CSE and GAC Response (March 14th , 2023)
Recommendation 1: CSE should update the Minister of National Defence on of its relationship with a foreign partner. Agree. CSE agrees with this recommendation.

CSE concurs and regularly updates the minister on topics of importance, including the status of relationships with international partners.

CSE plans to continue providing comprehensive updates to the Minister on its international engagements and relationships with foreign partners, including the named foreign partner.

Recommendation 2: CSE should comply with the Releasable SIGINT Products requirements pursuant to the Foreign Intelligence Mission Policy Suite when conducting analytic exchanges with its partners in the performance of all operational activities. Agree. CSE agrees with this recommendation.

CSE recognizes that despite having robust policies, practices, and procedures, improvements can still be made in outreach and training to mission staff. CSE is working on a comprehensive revision of its operational legal and policy training, and will consider this recommendation when developing its compliance plans for 2023–2024.

Recommendation 3: CSE should describe to the Minister of National Defence the full extent of its participation in any activities when applying for Foreign Intelligence Authorizations. Agree. CSE agrees with this recommendation.

CSE will include relevant details to clarify [specific activities] in its next Ministerial Authorization application at a level of detail consistent with Ministerial Authorization applications.

Recommendation 4: CSE must perform a Mistreatment Risk Assessment prior to sharing information with [*country*] in accordance with parameters established with the Minister of National Defence, Minister of Foreign Affairs, and the Privy Council Office in the development of CSE’s working arrangement with this partner. Agree in principle. CSE agrees with this recommendation in principle.

CSE is of the view that its policy instruments are already clear and that there are already established best practices when sharing information with foreign entities about identifiable individuals. CSE continually seeks to improve both the implementation of internal policies, and the training and internal outreach programs for its analysts.

Additionally, it is important to note that there exists a strong mitigating factor in the overarching agreements with [*country*] which contain explicit language regarding how SIGINT may be used, and with explicit prohibitions for purposes that could result in mistreatment.

Recommendation 5: When performing a Mistreatment Risk Assessment, CSE should specify why and how its risk rating applies to each individual implicated in the sharing of information with a foreign partner. Agree in principle. CSE agrees with this recommendation in principle.

Since 2011, CSE has continually refined its mistreatment risk assessment process and documentation. In certain cases where an initial assessment has determined that all of the conditions of information sharing will be identical across a category of individuals in an activity, CSE has determined that a group mistreatment risk assessment appropriately documents the risk profiles for all individuals associated with that activity. In the event that the information sharing conditions change, or specific characteristics related to an individual associated with the activity may change the risk, a separate assessment is conducted.

CSE has continued to improve our documentation to ensure that it better reflects the analysis behind the risk assessment and why a rationale would apply to a group of individuals under a single activity. As CSE’s operational activities continue to evolve, the mistreatment risk assessment process grows to reflect the requirements of those activities.

Recommendation 6: CSE should ensure that a foreignness assessment is completed prior to commencing collection and reporting on individuals. CSE should also develop policy requirements for the documentation, tracking, and management review of foreignness assessments. Agree in principle. CSE agrees with this recommendation in principle.

As part of the SIGINT process, and relying on a combination of policy, administrative, and technological means, CSE already documents a targeting justification demonstrating reasonable grounds to believe that a target is a foreign entity outside Canada. This auditable justification crystallizes the current state of knowledge about the foreignness of a target, at the time of targeting.

In addition, as analysts perform their duties and build knowledge about a target, a foreignness assessment persists throughout SIGINT analysis in a process that is guided by the Mission Policy Suite. Each new fragment of information acquired about a target increases the body of knowledge evaluated by an analyst, including more information about a target’s foreignness that may not have been available at the time of targeting.

If at any point the analyst no longer has reasonable grounds to believe that the target is a foreign entity outside Canada, the analyst must de-target the associated selectors and register a privacy incident with CSE’s Program for Operational Compliance team, who will guide internal processes through any additional required remedial steps, such as purging any collected information. In addition, a citizenship check can also be requested from Immigration, Refugees, and Citizenship Canada (IRCC) if sufficient information is available.

Recommendation 7: CSE should develop a mechanism with Immigration, Refugees and Citizenship Canada, or other federal institutions as appropriate, to facilitate timely and concrete confirmation of the Canadian status of individuals implicated in CSE’s operational activities. Agree. CSE agrees with this recommendation.

This recommendation was previously put forward in the SCIDA 2020 final report. CSE continues to pursue discussions with IRCC for an information sharing agreement. CSE is reengaging at both working and executive levels to facilitate progress.

It should be recognized that in order to produce more accurate results, a citizenship check needs to include specific information regarding an individual target, which is not always available to CSE. In the absence of that information, a citizenship check is not guaranteed to produce conclusive results, and cannot be considered as a concrete confirmation of citizenship status. In addition, it is CSE’s understanding that IRCC databases may not capture Canadians born with Canadian citizenship. The citizenship check process and associated timelines are fully within the jurisdiction of IRCC.

Recommendation 8: CSE should develop policies and procedures to govern its participation in [*specific activities*] within the program. Agree. CSE agrees with this recommendation.

CSE remains committed to building robust policy frameworks to govern its activities and ensure that its work continues at the highest level of integrity.

While at the time of review, policies and procedures specific to the program were still in development, CSE’s existing policies and procedures include principles that govern all foreign intelligence activities conducted under CSE authorities, including [*program*].

Recommendation 9: CSE should develop written arrangements with its partners implicated in activities, to set the parameters for collaborating on these activities. Disagree. CSE disagrees with this recommendation.

CSE has enjoyed a uniquely strong relationship with partners for [*amount of time*]. By leveraging shared capabilities, Canada benefits greatly, magnifying its ability to provide quality information exponentially. The cooperation with our partners means that we [*description*], with procedures in place to manage our interactions. CSE’s operations with partners are based on bilateral information sharing and technical cooperation arrangements.

Recommendation 10: When collaborating on an operation with a partner, CSE should prepare an operational plan and conduct a risk assessment associated with the activity with a view to ensuring an operation’s alignment with CSE’s priorities and risk tolerance levels. CSE should also ensure that parameters and any caveats for the partner’s [*specific activity*] be outlined and acknowledged. Agree. CSE agrees with this recommendation.

CSE policy outlines that, when conducting SIGINT operations, including joint operations with a partner, the activity be approved via an operational plan and risk assessment in order to exercise an aspect of the CSE mandate.

Collaboration that involves [*specific activity*] without participating in the resulting operation does not require operational plans or risk assessments to be created at CSE, but rather at the partner agency conducting the operation and adopting the risk. CSE will, however, ensure that the partner agency is aware of and acknowledges any caveats or parameters.

Recommendation 11: When applying for a Ministerial Authorization, CSE should disclose to the Minister any related testing or evaluation activities that it intends to undertake pursuant to paragraph 23(1)(c) of the CSE Act. Disagree. CSE disagrees with this recommendation.

The purpose of a ministerial authorization is to seek authorities for activities that would contravene an Act of Parliament or involve the acquisition of information that interferes with the reasonable expectation of privacy (REP) of a Canadian or any person in Canada. Testing activities, as per s.23(1)(c) of the CSE Act, are not carried out under the authorities of a ministerial authorization if they do not risk contravening an Act of Parliament or do not involve the acquisition of information that interferes with the REP of a Canadian or any person in Canada. In such cases, it is not required to request authorities to conduct testing activities from the Minister through a ministerial authorization. However, at the Chief’s discretion, CSE will inform the Minister of non- ministerial authorization activities through other means.

Paragraph 23(1)(c) provides an exception to CSE’s prohibition on directing its activities at a Canadian or any person in Canada when conducting testing or evaluating products, software and systems. This means that CSE may conduct these activities which will not be considered directed at a Canadian or any person in Canada.

Any foreign intelligence activities, including testing activities, that contravene an Act of Parliament or involve the acquisition of information that interferes with the REP of a Canadian or any person in Canada can only be conducted under the authorities of a ministerial authorization. In such cases, the activities must be conducted under the authorities of an existing ministerial authorization or will require that the Minister issue a new ministerial authorization, and the Minister would be fully informed of the activities being considered before being in a position to approve them.

Department of National Defence and the Canadian Armed Forces Review

Report issued pursuant to section 35 of the NSIRA Act

NSIRA’s finding

The report contained a finding that, in NSIRA’s opinion, certain activities undertaken by the Canadian Armed Forces may not have been in compliance with the law.

Department of National Defence and the Canadian Armed Forces (DND/CAF’s) response

DND/CAF recognize the importance of independent, external reviews of the Government of Canada’s national security and intelligence activities. We fully support NSIRA’s review mandate and take all of its reports seriously.

Upon receipt of NSIRA’s section 35 compliance report, DND/CAF conducted a comprehensive analysis and do not agree with NSIRA’s opinion. Our analysis supports that the reviewed activities were conducted in accordance with the law within a robust system of oversight and accountability. Furthermore, an earlier independent external review was consistent with our analysis and supported a number of recommendations that were implemented to strengthen the governance framework. The Minister is following the steps in order to meet all the requirements outlined in section 35 of the Act.

Canada Border Services Agency review

Air Passenger Targeting Review

NSIRA’s findings

The use of Advance Passenger Information and Passenger Name Record data by the Canada Border Services Agency (CBSA) in scenario-based targeting complied with section 107(3) of the Customs Act.

The CBSA does not document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.

The CBSA has not consistently demonstrated that an adequate justification exists for its Air Passenger Targeting triaging practices. This weakness in the link between the indicators used to triage passengers and the potential threats or contraventions they seek to identify creates a risk that Air Passenger Targeting triaging practices may be discriminatory.

The CBSA’s policies, procedures, and training are insufficiently detailed to adequately equip CBSA staff to identify potential discrimination-related risks and to take appropriate action to mitigate these risks in the exercise of their duties.

The CBSA’s oversight structures and practices are not rigorous enough to identify and mitigate potential discrimination-related risks, as appropriate. This is compounded by a lack of collection and assessment of relevant data.

NSIRA’s recommendations, and the CBSA’s responses

Recommendation Response (July 2022)
Recommendation 1: NSIRA recommends that the CBSA document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions. Agree. The CBSA will complete a review of its air passenger targeting triaging practices to ensure practices are in place which will enable effective verification of compliance with statutory and regulatory restrictions.
Recommendation 2: NSIRA recommends that the CBSA ensure, in an ongoing manner, that its triaging practices are based on information and/or intelligence that justifies the use of each indicator. This justification should be well-documented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations. Agree. While we are satisfied that justification for triaging and targeting practices exist, the CBSA acknowledges that better documentation practices could be implemented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non- discrimination obligations.
The CBSA’s Scenario Based Targeting Governance Framework will be updated to include information and/or intelligence that justifies the use of each indicator.
Annual reviews of scenarios will continue to be conducted and documented to confirm that each active scenario is supported by recent and reliable intelligence.
Recommendation 3: NSIRA recommends that the CBSA ensure that any Air Passenger Targeting- related distinctions on protected grounds that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights under the Charter. Agree. The CBSA will review its air passenger targeting practices to ensure that distinctions based on protected grounds are reasonable and can be demonstrably justified in the border administration and enforcement context.
Recommendation 4: NSIRA recommends that the CBSA develop more robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. This should include updates to the CBSA’s policies, procedures, training, and other guidance, as appropriate.
Agree. The CBSA acknowledges that policies, procedures, training, and other guidance, as appropriate can be improved to ensure robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory.
The CBSA will complete a review of its policies, procedures, guidelines and training to ensure practices are not discriminatory.
Recommendation 5: NSIRA recommends that the CBSA start gathering and assessing the necessary data to identify, analyze, and mitigate discrimination-related risks. This includes disaggregated demographic data, data on the effects of Air Passenger Targeting on secondary examinations that may be apparent from related human rights complaints, and data on a baseline comparator group.
Agree. To that end, the CBSA is taking deliberate steps to develop its capacity to capture and analyze reliable and accurate data in non-intrusive ways. The Agency is working on developing standard and consistent positions and frameworks on the collection, use, management and governance of disaggregated data, developing metrics and indicators to measure the impact of decisions and policies on different groups; using data to build more inclusive and representative policies and strategies, and; identifying possible discrimination and bias.

Multi-departmental reviews

Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2021

NSIRA’s findings

NSIRA finds that, in 12 out of 13 disclosures, Global Affairs Canada demonstrated that it satisfied itself as to the contribution of the information to the recipient institution’s responsibilities in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA.

NSIRA finds that, without first conducting the analysis under paragraph 5(1)(a) of the SCIDA, departments risk disclosing information that does not pertain to the national security mandate of the recipient institution or to activities that undermine the security of Canada.

NSIRA finds that, in 1 of 13 disclosures, Global Affairs Canada consulted on more information than necessary to obtain confirmation from CSIS that the disclosure contributed to its mandate and was linked to activities that undermine the security of Canada.

NSIRA finds that, in 10 out of 13 disclosures, Global Affairs Canada demonstrated that it satisfied itself that the disclosure will not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA.

NSIRA finds that 2 of 13 disclosures did not contain the accuracy and reliability statements as required by subsection 5(2) of the SCIDA.

NSIRA finds that Global Affairs Canada training on the SCIDA lacks sufficient illustrative examples required to provide employees with adequate guidance to fulfill their obligations under the SCIDA.

NSIRA’s recommendations, and government response

Recommendation Response (February 14th, 2023)
Recommendation 1: NSIRA recommends that consultations be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to its mandate and is linked to activities that undermine the security of Canada. Agree. Public Safety’s Step-by-Step SCIDA Guide 2022 (“SCIDA Guide 2022”) was updated and distributed to federal institutions in October 2022. Many of the updates to the SCIDA Guide 2022, that were based on practitioner feedback, directly address this recommendation. The updated SCIDA Guide 2022 specifies that preliminary consultations prior to a disclosure should only include general information to ensure that SCIDA thresholds are met before the disclosing institution proceeds with the disclosure. In addition, SCIDA training material was updated in September 2022 with a renewed emphasis on the need for disclosing institutions to strictly limit the information communicated with recipient institutions during preliminary consultations.

Multiple SCIDA trainings have been delivered to federal institutions using the new material. Public Safety will continue to work with federal institutions to provide them with access to training, guidance and other useful resources on the use of the SCIDA. Given the focus of this review, Public Safety will work closely with Global Affairs Canada to address this recommendation.

Recommendation 2: NSIRA recommends that in order to provide the most valuable and meaningful context for the recipient institution, accuracy and reliability statements should be clear and specific to the circumstances of the disclosure. Agree. Statements regarding the accuracy of the information and the reliability of the manner in which it was obtained are an essential part of the disclosure process. To ensure greater compliance with this requirement, the SCIDA Guide 2022 and its related templates, as well as the updated SCIDA training material, emphasize the importance of providing statements on the accuracy of the information and reliability of the manner in which it was obtained that are clear and specific to the circumstances of the disclosure.

Public Safety will continue to provide SCIDA training and guidance to federal institutions to highlight the requirement for statements of accuracy and reliability that are clear, complete, accurate and do not include formulaic language in support of disclosures under the SCIDA.

Recommendation 3: NSIRA recommends that all disclosing departments contemporaneously prepare descriptions of the information that was relied on to satisfy themselves that disclosures were authorized under the SCIDA. Agree. Record keeping is an essential component of the SCIDA, and records of disclosures must include an appropriately robust description of the information relied upon to satisfy the disclosing institution that the disclosure meets the thresholds of the SCIDA. The SCIDA Guide 2022 includes templates that support federal institutions with their record-keeping requirements. This includes sections where disclosing institutions must prepare and maintain records that set out a description of the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA. While paragraph 9(1)(e) of the SCIDA does not explicitly require departments to contemporaneously prepare descriptions of the information related to SCIDA disclosures, Public Safety takes note of NSIRA’s recommendation to do so in a timely manner.

Public Safety will continue to provide SCIDA training and guidance to federal institutions to highlight their recordkeeping obligations to ensure that all disclosures are authorized under the SCIDA and assist them in understanding their authorities for requesting and disclosing information under the Act.

Recommendation 4: NSIRA recommends that additional illustrative examples and scenarios be included in the SCIDA training, including for disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements.

Agree. SCIDA training material was updated in September 2022 with multiple illustrative examples and case studies that provide further details on how to apply the disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements. SCIDA training sessions have been delivered to federal institutions using the new material. Given the focus of this review, Public Safety will work closely with Global Affairs Canada to address this recommendation.

Review of departmental implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2021

NSIRA’s findings

NSIRA finds that the Canada Border Services Agency and Public Safety Canada still have not fully implemented an ACA framework and supporting policies and procedures are still under development.

NSIRA finds that from January 1, 2021, to December 31, 2021, no cases under the ACA were escalated to deputy heads in any department.

NSIRA finds that the RCMP has a robust framework in place for the triage of cases pertaining to the ACA.

NSIRA finds that the RCMP’s Foreign Information Risk Advisory Committee (FIRAC) risk assessments include objectives external to the requirements of the Orders in Council, such as the risk of not exchanging information.

NSIRA finds that the RCMP use of a two-part risk assessment, that of the country profile and that of the individual to determine if there is a substantial risk, including the particular circumstances of the individual in question within the risk assessment is a best practice.

NSIRA finds that the RCMP does not have a centralized system of documenting assurances and does not regularly monitor and update the assessment of the reliability of assurances.

NSIRA finds that the RCMP does not regularly update or have a schedule to update its Country and Entity Assessments. In many cases these assessments are more than four years old and are heavily dependent on an aggregation of open-source reporting.

NSIRA finds that information collected through the Liaison Officer in the course of an operation is not centrally documented such that it can inform future assessments.

NSIRA finds that FIRAC members concluded that the information sharing would result in a substantial risk of mistreatment that could not be mitigated. The Assistant Commissioner determined that it may be mitigated. This amounts to a disagreement between officials or a situation where “officials are unable to determine whether the risk can be mitigated”.

NSIRA finds that the Assistant Commissioner’s rationale for rejecting FIRAC’s advice did not adequately address concerns consistent with the provisions of the Orders in Council. In particular, NSIRA finds that the Assistant Commissioner erroneously considered the importance of the potential future strategic relationship with a foreign entity in the assessment of potential risk of mistreatment of the individual.

NSIRA finds that Global Affairs Canada is now strongly dependent on operational staff and Heads of Mission for decision-making and accountability under the ACA.

NSIRA finds that Global Affairs Canada has not demonstrated that all of its business lines are integrated into its framework under the ACA.

NSIRA finds that Global Affairs Canada has not made ACA training mandatory for all staff across relevant business lines. This could result in staff being involved in information exchanges without the proper training and knowledge of the implications of the ACA.

NSIRA finds that Global Affairs Canada has not regularly updated its Human Rights Reports. While many were updated during the 2021 review year, more than half have not been updated since 2019. This is particularly problematic when departments and agencies rely on these reports as a key source in assessing risk related to the ACA.

NSIRA finds that Global Affairs Canada does not have a standardized centralized approach for the tracking and documentation of assurances.

NSIRA’s recommendations

Recommendation
Recommendation 1: NSIRA recommends that the RCMP establish a centralized system to track caveats and assurances provided by foreign entities and where possible to monitor and document whether said caveats and assurances were respected.
Recommendation 2: NSIRA recommends that in cases where the RCMP Assistant Commissioner disagrees with FIRAC’s recommendation not to share the information, the case be automatically referred to the Commissioner.
Recommendation 3: NSIRA recommends that the assessment of substantial risk be limited to the provisions of the Orders in Council – namely the substantial risk of mistreatment and whether the risk may be mitigated – and external objectives such as fostering strategic relationships should not factor into this decision-making.

Recommendation 4: NSIRA recommends that FIRAC recommendations are referred to an Assistant Commissioner who is not responsible for the branch from which the case originates.

Recommendation 5: NSIRA recommends that GAC ensure that accountability for compliance with the ACA clearly rests with the Avoiding Mistreatment Compliance Committee.
Recommendation 6: NSIRA recommends that GAC conduct a formal internal mapping exercise of other possibly implicated business lines to ensure it is meeting its obligations set out in the ACA.
Recommendation 7: NSIRA recommends that GAC make ACA training mandatory for all rotational staff.

Recommendation 8: NSIRA recommends that GAC ensure countries’ Human Rights Reports are updated more regularly to ensure evolving human rights related issues are captured.

Recommendation 9: NSIRA recommends that GAC establish a centralized system to track caveats and assurances provided by foreign entities and document any instances of non-compliance for use in future risk assessments.

This review was approved in 2022. Under section 38 (1) of the NSIRA Act, NSIRA is therefore obliged to report on its findings and recommendations as part of its annual report for the calendar year 2022. A summary of this review is available in NSIRA’s Annual Report 2021.

NSIRA’s findings

NSIRA finds that the legal advice-seeking and giving process, and resource constraints at the Department of Justice’s National Security Litigation and Advisory Group (NSLAG) contribute to considerable delays, [*description of timeline*].

NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.

NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and further that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.

NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to [*discussion of the detrimental effects on and risks to operations*] that may require legal advice. In consequence, the manner in which NSLAG has provided legal advice to CSIS has often not met the needs of CSIS operations.

NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.

NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.

NSIRA finds that Justice has committed to improve its advice-giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.

NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.

NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.

NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.

NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.

NSIRA finds that the actors involved in the warrant process do not have a common understanding of the rationale for each of the [*multiple*] of steps in the overarching warrant application scheme and are not always sure what role each approval step plays.

NSIRA finds that the proliferation of process in seeking warrants has created a system of diluted accountability widely regarded as slow and unwieldy, with delays caused by multiple levels of approval.

NSIRA finds there is no regular feedback process in which explanations for warrant-related decisions made at one level filter back to other levels. The absence of feedback is especially acute for the regional investigators.

NSIRA finds that often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications. In consequence, an unwieldy warrant process makes resolution of legal doubt more difficult.

NSIRA finds that CSIS has struggled to ensure that all information material to the credibility of sources is properly contained in warrant applications. This “recurring omissions” problem stems from a misunderstanding of the Federal Court’s role in assessing the credibility of sources and from the presence of multiple, siloed information management systems. CSIS has undertaken reforms, but work remains to implement long-term sustainable solutions.

NSIRA finds that the Affiant Unit constitutes a vital and laudable reform within CSIS. However, the Affiant Unit is currently at risk of collapse. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. The benefits of the Affiant Unit are currently in jeopardy because of governance, human resource, and training deficiencies.

NSIRA finds that the Affiant Unit’s placement in the [*Name*] branch is not commensurate with its functions and importance. This governance anomaly most likely contributes to administrative hurdles and resource challenges faced by the Affiant Unit.

NSIRA finds that without a functional Affiant Unit able to produce timely and accurate warrant applications, CSIS puts at risk access to warrants and the information collected under them.

NSIRA finds that the “independent counsel” role falls short of creating a thorough challenge function.

NSIRA finds that the CSIS regional warrants coordinators have not received sufficient training enabling them to translate the contents of the warrants into advice on proper warrant execution.

NSIRA finds that CSIS lacks long-term training programs for Intelligence Officers.

NSIRA finds that CSIS has failed to provide systematic training programs for “non-Intelligence Officers.”

NSIRA finds that the CSIS’s Learning and Development Branch has not been sufficiently resourced to develop and administer comprehensive training programs, especially in specialized areas not covered by the training offered for Intelligence Officers early in their career.

NSIRA finds that CSIS and Justice are at risk of not being able to fulfill their respective mandates. No one reform is likely to succeed unless each is pursued as part of a coherent package. No package will succeed unless backed by prioritization at senior levels, and the stable provision of resources, including people with the means and institutional knowledge to see reforms through. And no reform initiative will succeed unless accompanied by clear performance indicators, measured and analyzed regularly to track progress.

NSIRA’s recommendations and departmental responses

Recommendation Departmental response (March 29, 2022)
Recommendation 1: NSIRA recommends that Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road map”-style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:

  • Whether through an expanded “office hours” and liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
  • NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
  • To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case-manage an iterative legal guidance process.
Agree. Prior to NSIRA issuing its report, Justice Canada has been working on a number of measures concerning policies and practices in the provision of legal services to CSIS. These measures include activities related to the duty of candour and the warrant acquisition process, best practices in the delivery of legal services, advising CSIS on legal risks associated with its operations, the sharing of information in the national security context, and tracking and responding to key performance indicators related to the delivery of legal services.

Justice is committed to improving the manner of providing legal services and ensuring practical and timely legal services. The measures undertaken to date and further measures underway support a coordinated approach for legal services, striking the right balance of resources across corporate and operational priorities. This includes providing legal advice in a more accessible, iterative manner, and supporting Counsel through interactive training to better understand and support their work in a proactive manner.

Justice and CSIS working together in an integrated fashion ensures that counsel are involved throughout an operation’s life-cycle, including the early stages. Early integration into operational planning supports the provision of timely and relevant legal advice as operations progress.

Justice has already modified its liaison counsel model. Liaison counsel are experienced counsel designated to support CSIS officers across regional offices and particular operations.

Enhancements to the role have resulted in liaison counsel providing timely and focused advice, supporting operational imperatives, and identifying trends and issues of concern to develop guidance documents and other practical tools.

Justice is developing a suite of practical tools and legal service delivery mechanisms to support CSIS. These include:

  • a user-friendly blog that describes relevant legal issues and concepts in plain-language and with a practical application to CSIS’s work;
  • a field guide for the practical application of legal concerns to CSIS’s operations that can be used by officers in the field and in real time;
  • interpretation and guidance documents; and,
  • knowledge management tools ensuring counsel can access legal precedents and interpretations.
Recommendation 2: NSIRA recommends that NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.

Agree. Justice has developed business metrics to measure service delivery performance. Justice will continue to work with CSIS to invest in resources to conduct detailed business analytics to enhance the provision of legal services and make improvements to the existing system. Client feedback surveys are undertaken regularly.
Recommendation 3: NSIRA recommends that CSIS and Justice should include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.

Agree. Justice has worked with CSIS to develop and deliver interactive scenario-based training and is committed to continuing that involvement.

Recommendation 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, NSIRA recommends that CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.

Agree. As set out above, Justice is working with CSIS to be involved sooner and more continuously across the lifecycle of operations to provide timely, focused and iterative legal services.
Recommendation 5: NSIRA recommends that Justice’s advice-giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.

Agree. Justice is currently undertaking a review of its legal risk framework in order to improve both how legal risk is assessed, and also how risks are communicated to clients.
Recommendation 6: NSIRA recommends that CSIS adopt, and share internally, clear criteria for the warrant prioritization process.

Agree. CSIS will further refine the warrant prioritization process and work to set clear criteria.
Recommendation 7: NSIRA recommends that CSIS establish a new warrant process eliminating steps that do not make a significant contribution to a more accurate application. The process should assign clear lines of responsibility for the production of accurate applications. The reformed system should ensure that delays associated with managerial approvals are minimized, and that time is reallocated to those steps contributing to the preparation of the accurate applications.

Agree. Work on implementation is underway. CSIS and Justice are committed to streamlining warrant applications, templates, and requests as part of broader modernisation objectives.
Recommendation 8: NSIRA recommends that CSIS integrate the regional stakeholders (including the implicated investigators) at every key milestone of the warrants process.

Agree. CSIS has already undertaken related improvements to address this recommendation, including through the updated Affiant Unit business approach to warrant acquisition, which now includes regional stakeholders.
Recommendation 9: NSIRA recommends that CSIS adopt policies and procedures governing the reformed warrant process that clearly outlines the roles and responsibilities of each participant and the objective of each step in the warrant process and that these policies be kept current as the process evolves. Agree. The revised CSIS Justice Joint Policy on Duty of Candour and the associated guidance document outline the role of all CSIS employees (not just the affiants) in ensuring that disclosure obligations to the Court are met. In addition, CSIS has developed a s.21 warrant policy and the drafting of the related procedure is underway. In 2020 and 2021, CSIS provided Duty of Candour training to all operational employees through a special project.
Recommendation 10: To address the seeming inevitability of “recurring omissions”, NSIRA recommends that CSIS prioritize the development of [*an improved*] system for human source information management. CSIS should also continue initiatives meant to ensure that source handlers are assiduous in documenting and then reporting in source precis information going to credibility. Even with these reforms, the Affiant Unit should adopt procedures for verifying the information prepared by the regions. Agree. The recommendation endorses a CSIS initiative already underway. An Action Plan approved by the Executive in January 2021 identified the requirement, and CSIS stakeholders are advancing this initiative. CSIS developed a comprehensive requirements package, and identified a potential technical solution. The complexity of the technical development process means this will be a long process.
Recommendation 11: NSIRA recommends that CSIS recognize the importance of the Affiant Unit by assigning affiants and analysts an employment classification congruent with their responsibilities. Agree. CSIS has addressed this recommendation by classifying affiants at one level above the Intelligence Officer working level to recognize the complexity of their work and to attract/retain candidates. A competitive competition process is underway to staff the affiant positions and is anticipated to be completed by the end of March 2022.
Recommendation 12: NSIRA recommends that CSIS should create an Affiant Branch reporting directly to the CSIS Director. Disagree. The Service notes the concerns raised by the committee in its report regarding the Affiant’s Unit current placement in the organization’s hierarchy. This said, throughout the course of this review, CSIS has invested heavily in the Affiant Unit and its employees and has made significant changes to the warrant process and its governance. The Service is confident that these changes will be sufficient to address the concerns that resulted in this finding and recommendation, particularly as it relates to observations related to administrative and human resource challenges. In addition, the current placement of the Affiant Unit with other units with corresponding responsibilities for warrant acquisition best facilitates the provision of ongoing guidance and advice throughout the warrant lifecycle to ensure compliance and duty of candour obligations are met. Given its importance, CSIS commits to ongoing monitoring and evaluation of the Affiant Unit to ensure the concerns highlighted in the report do not re-occur.
Recommendation 13: NSIRA recommends that CSIS urgently resource the Affiant Unit to meet its responsibilities and ensure its sustainability. In deciding the size of the Affiant Unit, CSIS should assess how many warrants an affiant team might reasonably complete every year. Agree. In line with the recommendation, CSIS already increased the resourcing of the Affiant Unit and approved changes to the organizational chart in March 2021. As noted above, a staffing action is currently underway that aims to create a pool of qualified candidates which can be leveraged to help increase the Affiant Unit’s capacity.
Recommendation 14: NSIRA recommends that CSIS, in consultation with Justice, develop a comprehensive training course for all affiants and analysts, codifying best practices and methods for members of the Affiant Unit.

Agree. CSIS intends to provide fulsome training to the affiant unit, as recommended. In late 2021, initial consultations were held to identify appropriate training. Unfortunately, the pandemic has disrupted training efforts.

Justice is supporting CSIS in the development and delivery of all comprehensive and practical training for all those working on warrant applications. Cross-reference recommendations 3 and 18.



Recommendation 15: NSIRA recommends that NSLAG be staffed by a complement of counsel and support personnel sufficient to ensure that CSIS operations are not impeded by resource limitations at NSLAG. Agree. Justice and CSIS will continue to work together on resources and staffing issues.
Recommendation 16: NSIRA recommends that the function of the Independent Counsel as performed by National Security Group counsel at the Department of Justice should be eliminated, in favour of a new challenge function, analogous to the role a defence lawyer would play were warrants subject to an adversarial process, situated at Public Safety and supported by the Public Safety vetting team, and performed by a knowledgeable lawyer from the Public Prosecution Service of Canada, the private sector, or elsewhere, who is independent from Justice management and not otherwise involved in CSIS warrant applications. Agree. Public Safety will develop an enhanced vetting function, housed in Public Safety Canada, that reflects the principles and objectives set out by NSIRA. Public Safety Canada will develop the enhanced vetting function as part of the CSIS warrant acquisition process such that it provides a meaningful challenge function without adding undue complexity or delay. While this work is underway, Public Safety Canada will take steps to strengthen warrant vetting on an interim basis.
Recommendation 17: NSIRA recommends that CSIS regional warrants coordinator positions receive adequate training, and that CSIS professionalize the position and enable warrant coordinators to more effectively translate the content of warrants into advice on warrant execution. Agree. CSIS acknowledges the importance of training and of centers of expertise. CSIS is determining training requirements.
Recommendation 18: NSIRA recommends that CSIS adequately resource and regularly deliver evergreen scenario-based training programs for all CSIS employees, including;
  • annual, comprehensive, warrant training for all operational employees;
  • specialized onboarding training for all employees not part of the Intelligence Officer program; and
  • continued long-term training for all specialized personnel.
Agree. CSIS is committed to improving the training offered to all of its employees, as recommended. Scenario-based training, which helps employees understand the application of policies and procedures, is now an integral part of operational training, which includes the development of an annual operational workshop. A recently approved business case will significantly increase staffing in Learning & Development to further enable training of CSIS employees. This business case includes the creation of a new position responsible for developing an enhanced onboarding for all newly hired employees, as well as the creation of new positions to create and deliver additional learning opportunities for all operational employees. Cross- reference recommendations 3 and 14.



Recommendation 19: The recommendations within this review should be treated as a coherent package and that progress and outcomes in implementing these recommendations be tracked, allowing management, the Ministers of Public Safety and of Justice, and NSIRA, to assess the efficacy of reforms and course-correct if necessary. Agree. PS, CSIS, and Justice are committed to taking a holistic approach to the implementation of the recommendations and will track and course correct as required in this complex operating environment.
Recommendation 20: The full classified version of this report be shared with the designated judges of the Federal Court. Partially agree. The Attorney General of Canada has shared the full report, redacted for solicitor- client privilege, with the designated judges of the Federal Court of Canada.

Annex D: Statistics on complaints investigations

January 1, 2022, to December 31, 2022

INTAKE INQUIRIES 75
New complaints filed 75
National Security and Intelligence Review Agency Act (NSIRA Act), section 16, Canadian Security and Intelligence Service (CSIS) complaints

22
NSIRA Act, section 17, Communications Security Establishment (CSE) complaints 2
NSIRA Act, section 18, security clearances 3
NSIRA Act, section 19, Royal Canadian Mounted Police (RCMP) referred complaints 3
NSIRA Act, section 19, Citizenship Act 0
NSIRA Act, section 45, Canadian Human Rights Commission (CHRC) referrals 0
Accepted jurisdiction to investigate 6
  Accepted Declined
NSIRA Act, section 16, CSIS complaints 3 16
NSIRA Act, section 17, CSE complaints 0 1
NSIRA Act, section 18, security clearances 1 1
NSIRA Act, section 19, RCMP referred complaints 2 3
Active investigations (at the time of writing) 19
NSIRA Act, section 16, CSIS complaints 9
NSIRA Act, section 17, CSE complaints 0
NSIRA Act, section 18, security clearances 4
NSIRA Act, section 19, RCMP referred complaints 6
NSIRA Act, section 45, CHRC referrals 0
Total investigations closed 65
  Abandoned Final report Resolved informally Withdrawn
NSIRA Act, section 16, CSIS complaints 1 0 0 3
NSIRA Act, section 17, CSE complaints 0 0 0 0
NSIRA Act, section 18, security clearances 0 1 0 0
NSIRA Act, section 19, RCMP referred complaints 0 2 0 0
NSIRA Act, section 45, CHRC referrals 0 58 0 0
Total 1 61 0 3
Share this page
Date Modified:

Quarterly Report: For the quarter ended June 30, 2023

Date of Publishing:

Introduction

This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2023–24 Main Estimates.

This quarterly report has not been subject to an external audit or review.

Mandate

The National Security and Intelligence Review Agency (NSIRA) is an independent external review body that reports to Parliament. Established in July 2019, NSIRA is responsible for conducting reviews of the Government of Canada’s national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and their activities.

A summary description NSIRA’s program activities can be found in Part II of the Main Estimates.  Information on NSIRA’s mandate can be found on its website.

Basis of presentation

This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the agency’s spending authorities granted by Parliament and those used by the agency, consistent with the 2023–24 Main Estimates. This quarterly report has been prepared using a special-purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.

The authority of Parliament is required before money can be spent by the government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authorities for specific purposes.

Highlights of the fiscal quarter and fiscal year-to-date results

This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended June 30, 2023.

NSIRA spent approximately 19% of its authorities by the end of the first quarter, compared with 12% in the same quarter of 2022–23 (see graph 1).

Graph 1: Comparison of total authorities and total net budgetary expenditures, Q1 2023–24 and Q1 2022–23

Comparison of total authorities and total net budgetary expenditures, Q1 2023–24 and Q1 2022–23
  2023-24 2022-23
Total Authorities $23.0 $28.3
Q1 Expenditures $4.3 $3.3

Significant changes to authorities

As of June 30, 2023, Parliament had approved $23.0 million in total authorities for use by NSIRA for 2023–24 compared with $28.3 million as of June 30th, 2022, for a net decrease of $5.3 million or 8.1% (see graph 2).

Graph 2: Variance in authorities as at June 30, 2023

Variance in authorities as at June 30, 2023 (in millions)
  Fiscal year 2022-23 total available for use for the year ended March 31, 2023 Fiscal year 2023-24 total available for use for the year ended March 31, 2024
Vote 1 – Operating 26.5 21.3
Statutory 1.7 1.8
Total budgetary authorities 28.2 23.0

*Details may not sum to totals due to rounding*

The decrease of $5.3 million in authorities is mostly explained by a reduction in capital funding for infrastructure projects.

Significant changes to quarter expenditures

The first quarter expenditures totalled $4.3 million for an increase of $1 million when compared with $3.3 million spent during the same period in 2022–23.  Table 1 presents budgetary expenditures by standard object.

Table 1

Variances in expenditures by standard object(in thousands of dollars) Fiscal year 2023–24: expended during the quarter ended June 30, 2023 Fiscal year 2022–23: expended during the quarter ended June 30, 2022 Variance $ Variance %
Personnel 2,886 2,345 541 23%
Transportation and communications 130 44 86 195%
Information 0 5 (5) 100%
Professional and special services 1,165 846 319 38%
Rentals 48 10 38 380%
Repair and maintenance 24 31 (7) (23%)
Utilities, materials and supplies 7 16 (9) (56%)%
Acquisition of machinery and equipment 48 9 39 433%
Other subsidies and payment 4 (2) (6) (300%)
Total gross budgetary expenditures 4,312 3,304 1,008 31%

Personnel

The increase of $541,000 is largely caused by an increase in cost per FTE and change in the timing of Member’s pay.

Transportation and communications

The increase of $86,000 is explained by a change in the timing of invoicing for the internet connection.

Professional and special services

The increase of $319,000 is mainly explained by an increase in the cost of the maintenance and services in support of our classified IT network infrastructure. It also relates to the use of guard services for office accommodation fit-up.

Rentals

The increase of $38,000 is explained by a change in the timing of invoicing for the rent for temporary office space.

Acquisition of machinery and equipment

The increase of $39,000 is explained by a one-time purchase of a specialized laptop along with a wall mounted charging station and warranty.

Risks and uncertainties

The Secretariat assisted NSIRA in its work with the departments and agencies subjected to reviews to ensure a timely and unfettered access to all the information necessary for the conduct of reviews. While work remains to be done on this front, we acknowledge the improvements in cooperation and support to the independent review process demonstrated by some reviewees.

There is a risk that the funding received to offset pay increases anticipated over the coming year will be insufficient to cover the costs of such increases and the year-over-year cost of services provided by other government departments/agencies is increasing significantly.

NSIRA is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls.

Mitigation measures for the risks outlined above have been identified and are factored into NSIRA’s approach and timelines for the execution of its mandated activities.

Significant changes in relation to operations, personnel and programs

There have been no new Governor-in-Council appointments during the first quarter.

Mr. Pierre Souligny, NSIRA’s Senior Director, Corporate Services and CFO since 2020, has retired. He has been replaced by Mr. Marc-André Cloutier.

Approved by senior officials:

John Davies
Deputy Head

Pierre Souligny
Chief Financial Officer

Appendix

Statement of authorities (Unaudited)

(in thousands of dollars)

  Fiscal year 2023–24 Fiscal year 2022–23
  Total available for use for the year ending March 31, 2024 (note 1) Used during the quarter ended June 30, 2023 Year to date used at quarter-end Total available for use for the year ending March 31, 2023 (note 1) Used during the quarter ended June 30, 2022 Year to date used at quarter-end
Vote 1 – Net operating expenditures 21,254 3,873 3,873 26,523 2,872 2,872
Budgetary statutory authorities
Contributions to employee benefit plans 1,728 439 439 1,728 432 432
Total budgetary authorities (note 2) 23,009 4,312 4,312 28,251 3,304 3,304

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Departmental budgetary expenditures by standard object (unaudited)

(in thousands of dollars)

  Fiscal year 2023–24 Fiscal year 2022–23
  Planned expenditures for the year ending March 31, 2024 (note 1) Expended during the quarter ended June 30, 2023 Year to date used at quarter-end Planned expenditures for the year ending March 31, 2023 Expended during the quarter ended June 30, 2022 Year to date used at quarter-end
Expenditures
Personnel 13,303 2,886 2,886 13,245 2,345 2,345
Transportation and communications 650 130 130 597 44 44
Information 372 0 0 372 5 5
Professional and special services 3,596 1,165 1,165 3,506 846 846
Rentals 271 48 48 271 10 10
Repair and maintenance 4,580 24 24 9,722 31 31
Utilities, materials and supplies 73 7 7 103 3 3
Acquisition of machinery and equipment 132 48 48 232 9 9
Other subsidies and payments 33 4 4 133 (2) (2)
Total gross budgetary expenditures
(note 2)
23,009 4,312 4,312 28,251 3,304 3,304

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Share this page
Date Modified:

Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020

Completed Reviews

Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020


Backgrounder

The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, January 1, 2020, to the end of the previous calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under ACA.

This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the pandemic impacted their information sharing activities, thus impacting the number of cases requiring further review as per the ACA. As such, NISIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

As part of the review, NSIRA examined the case triage process of all twelve departments. NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.

In keeping with NSIRA’s 2020 Annual Report which emphasized the implementation of a “trust but verify” approach for assessing information provided over the course of a review, NSIRA continues to work on various verification strategies with the Canadian intelligence community. However, due to the continuing COVID-19 pandemic, implementation of verification processes was not possible across all twelve departments which fall under the ACA. Notwithstanding, the information provided by departments has been independently verified by NSIRA through documentation analysis and meetings with department subject matter experts, as warranted. Further work is underway to continue developing an access model for the independent verification of information relevant to ACA considerations.

Date of Publishing:

Executive Summary

The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, January 1, 2020, to the end of the previous calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under ACA.

This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the pandemic impacted their information sharing activities, thus impacting the number of cases requiring further review as per the ACA. As such, NISIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

While NSIRA was pleased with the considerable efforts made by many departments new to ACA in building their frameworks, Canada Boarder Services Agency (CBSA) and Public Safety did not finalize their policy frameworks in support of the Directions received under the ACA for the review period.

As part of the review, NSIRA examined the case triage process of all twelve departments. NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.

A case sent to both GAC and CSIS was reviewed by NSIRA for its implications under the ACA. While the information was ultimately not shared with the requesting foreign entity, nonetheless, NSIRA found that the risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.

Mitigation measures used by departments were also reviewed this year, since they are an integral part in the information sharing process for departments. NSIRA observed that there are gaps in departments’ ability to verify whether a country or entity has actually complied with caveats or assurances because of the difficulty in tracking compliance to mitigation measures.

NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and Directions, irrespective of whether or not a department reported any cases to its deputy head. Finally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.

In keeping with NSIRA’s 2020 Annual Report which emphasized the implementation of a “trust but verify” approach for assessing information provided over the course of a review, NSIRA continues to work on various verification strategies with the Canadian intelligence community. However, due to the continuing COVID-19 pandemic, implementation of verification processes was not possible across all twelve departments which fall under the ACA. Notwithstanding, the information provided by departments has been independently verified by NSIRA through documentation analysis and meetings with department subject matter experts, as warranted. Further work is underway to continue developing an access model for the independent verification of information relevant to ACA considerations.

Authorities

This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or the Act).

Introduction

Review background

Departments and agencies in the Government of Canada routinely share information with a range of foreign entities. However such practices can sometimes bring into play a risk of mistreatment for individuals who are the subjects of these exchanges or other individuals. It is therefore incumbent upon the Government of Canada to evaluate and mitigate the risks that this sharing entails.

In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The aim of the framework was to establish a coherent approach across government when sharing with and receiving information from foreign entities. Following this, Ministerial Direction was issued to applicable departments in 2011 (Information Sharing with Foreign Entities), and then again in 2017 (Avoiding Complicity in Mistreatment by Foreign Entities).

On July 13, 2019, the ACA came into force. The preamble of the Act recognizes Canada’s commitments with respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment. The Act also recognizes that information needs to be shared to enable the Government to fulfill its fundamental responsibility to protect Canada’s national security and the safety of Canadians.

On September 4, 2019, pursuant to section 3 of the ACA, the Governor in Council (GiC) issued written directions (Orders in Council (OiCs) or Directions) to the deputy heads of 12 departments and agencies. This added six new Canadian entities in addition to those that were already associated with the 2011 and 2017 Directions.

This report is NSIRA’s first full year assessment of the implementation of the Directions issued under ACA for the 2020 calendar year. The review builds upon two previous reviews conducted in respect of avoiding complicity in mistreatment. The first was in respect to the 2017 Ministerial Directions, while the second assessed the Directions issued under the ACA, but was limited to the four months from when the Directions were issued to the end of the 2019 calendar year.

ACA and Directions

The ACA and the Directions issued under its authority seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department or agency and a foreign entity. The Act and the Directions also aim to limit the use of information received from a foreign entity that is likely to have been obtained through the mistreatment of an individual.

Under the authority of subsection 3(1) of the Act, the Directions issued to the 12 departments and agencies are near identical in language and focus on the three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.

In regards to disclosure of information, the Directions state:

If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that the Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.

With respect to requesting information, the Directions read as follows:

If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.

Lastly, as it relates to the use of information, the Directions provide:

The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department
(a) in any way that creates a substantial risk of further mistreatment;
(b) as evidence in any judicial, administrative or other proceeding; or
(c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.

The consideration of substantial risk figures prominently in subsection 3(1) of the Act as well as the Directions. In considering whether to disclose or request information, a department must determine whether a substantial risk is present and if so whether it can be mitigated. As noted in the previous reviews on information sharing, the ACA does not define “substantial risk”. Departments refer to a definition of this term as set out in the 2017 Ministerial Directions as a general starting point when conducting assessments under the ACA. The 2017 Ministerial Directions define substantial risk as:

‘Substantial risk’ is a personal, present and foreseeable risk of mistreatment that is real and is based on something more than mere theory or speculation. In most cases, the test of a substantial risk of mistreatment would be satisfied when it is more likely than not there would be mistreatment; however, in some cases, particularly where the risk if of severe harm, the standard of substantial risk may be satisfied at a lower level of probability.

Based on the outcome of these determinations, the decision may be to approve, deny, or elevate to the Deputy Head for his or her consideration. Substantial risk is also contemplated in the consideration of the use of information received from a foreign entity. If it is evaluated that the information was likely obtained from the mistreatment of an individual, the department is prohibited from using the information in any way that creates a substantial risk of further mistreatment.

Throughout the process to determine whether to disclose or use information, the Directions require that the accuracy, reliability, and limitations of use of all information being handled are appropriately described and characterized.

Additionally, reporting requirements are found at sections 7 and 8 of the Act as well as within the Directions. Among these requirements, the Minister responsible for the department must provide a copy of the department’s annual report in respect of the implementation of the Directions during the previous calendar year as soon as feasible to NSIRA, the National Security and Intelligence Committee of Parliamentarians (NSICoP) and, if applicable, the Civilian Review and Complaints Commission (CRCC) for the Royal Canadian Mounted Police. Reporting requirements as articulated in the Directions oblige the reporting of decisions which were considered by the Deputy Head in regards to disclosure, requesting of information, or authorizing use of information that would deprive someone of their rights or freedoms be made as soon as feasible to the responsible Minister, NSIRA, and NSICoP.

Review Objectives and Methodology

The review period was January 1, 2020 to December 31, 2020. The objectives of this review included:

  • Following-up on departments’ implementation of the directives received under the ACA;
  • Assessing departments’ operationalization of frameworks/processes that enable them to meet the obligations set out in the ACA and directives; and
  • Assessing coordination and consistency in implementation across applicable departments.

Additionally, NSIRA evaluated all twelve ACA member departments’ ‘case triage’ frameworks (i.e., the combination of policy assessment criteria and a pre-determined ‘escalation ladder’ for cases that require higher levels of managerial approvals). Refer to annexes B to M that provide additional details on each departments’ triage process. Finally, NSIRA reviewed the use and policies around departmental mitigation measures.

FINDINGS

Reporting and Framework Updates

As per the Act, all twelve departments fulfilled their obligations to report to their respective ministers and NSIRA on progress made in operationalizing frameworks and identifying cases escalated to the deputy head level.

Of the nine departments who had reported to NSIRA last year that they had finalized frameworks, all continued to refine assessment protocols over the 2020 review period. Based on submissions to NSIRA, TC has developed a corporate policy to highlight the department’s ACA-related requirements. However, CBSA and PS had yet to finalize their ACA policy. As a result, employees may not have adequate and up to date guidance on how to make determinations related to the ACA.

NSIRA Finding #1: NSIRA found that CBSA and PS did not finalize their policy frameworks in support of Directions received under the ACA over the review period.

Referrals to Deputy Head

The Directions specify that when departmental officials are unable to determine whether the risk of mistreatment arising from a disclosure of or request for information can be mitigated, the matter must be referred to the Deputy Head. The Directions also require the Deputy Head, or in exceptional circumstances a senior official designated by the Deputy Head, to determine the matter where the use of information that is likely to have been obtained through mistreatment of an individual by a foreign entity would in any way deprive an individual of their rights or freedoms and the use of this information is necessary to prevent loss of life or significant injury. In 2020, no cases were escalated to the deputy head level. NSIRA sought clarification on the absence of cases referred; the most common reason provided by departments for this outcome was that cases were either mitigated before deputy head involvement and/or this was a result of an overall reduction in the number of foreign information exchanges generally due to the ongoing pandemic.

NSIRA Finding #2: NSIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

Case Triage

Typically, when departments are making ACA applicability decisions, they employ varying “case triage” processes, that is, the combination of policy assessment criteria and a pre-determined ‘escalation ladder’ for cases that require higher levels of managerial assessment. NSIRA closely evaluated all twelve ‘case triage’ frameworks of the departments subject to the ACA (Refer to Annex B-M). In carrying out this work, NSIRA noted some issues in the implementation of triage systems; for example, there were instances of not having one designed and of information being outdated.

NSIRA observed that there were two main types of initial case triage processes: case-by-case, where the framework places the onus on the working level official to first make determinations based on policy assessment tools, relevant training, and individual experience; and country assessment rating, which emphasizes the initial use of a country-based risk level that may trigger case escalation. A country assessment rating is a representation of the assessed risk of mistreatment associated to a country, based on a number of criteria and often derived from a range of sources.

Initial Case Triage Category 1: Case-by-Case

All departments use working level officials to determine whether there is a risk of mistreatment. When a working level officials’ assessment is inconclusive as to whether a substantial risk of mistreatment exists, they will defer the decision to a higher management authority. NSIRA has developed Figure 1 to illustrate this type of triage process where the working level official consults assessment tools at his or her disposal to determine whether a substantial risk of mistreatment exists.

Figure 1: Case by Case Triage Diagram

Initial Case Triage Category 2: Informed by Country Assessment Rating

CSIS, CSE, FINTRAC, and RCMP require working level officials to use country assessment ratings that may trigger case escalation. For example, NSIRA has developed Figure 2 to illustrate this type of triage process where country assessment ratings may trigger case escalation.

Case Escalation

In addition to the two categories of case triage frameworks identified above, all departments except for FINTRAC, PS, CSE and TC make use of internal consultation groups/senior decision making committees when cases are identified as requiring consultation/escalation (e.g. working groups and senior management committee secretariats). The following table illustrates the various consultation groups across departments that would make determinations related to the ACA.

The general purpose of consultation groups is to serve as a single point of contact for employees who require assistance in assessing foreign information sharing activities or interpreting policy and procedure. Senior decision making committees are responsible for making determinations on the information exchange. They are the final decision making authority prior to escalation to the deputy head. NSIRA observed that leveraging the overall expertise of these groups may assist officials in consistently applying assessment criteria, as well as provide greater oversight for information exchanges with foreign entities.

Consistency in Implementation Across Departments

Beginning with the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities, it was required that departments maintain policies and procedures to assess the risks of information sharing relationships with foreign entities. While not specified in the Act or Directions, departments continue to implement country and entity assessments, a practice NSIRA has supported. NSIRA has previously raised concerns regarding the absence of unified and standardized approach to departments’ country assessments. The PCO-led community response to last year’s recommendation on this element stated in part that:

The information sharing activities of these organizations all serve either an intelligence, law enforcement, or administrative purpose with each carrying different risk profiles, privacy concerns, and legal authorities. Individual departments and agencies are responsible for establishing specific thresholds or triggers in their information sharing frameworks that are appropriate for their operational contexts. It is the view of the Government of Canada that applying the same threshold across all organizations for triggering, evaluating, and elevating cases is not necessarily practical nor essential to ensuring that each department or agency is operating in compliance with the Act.

In order to engage in the questions to which the divergence of thresholds gives rise, NSIRA asked departments to rank bi-lateral information exchanges with foreign partners in terms of volume, excluding exchanges with [***example of foreign entity information sharing***]. Nine of the twelve departments identified ███████ as a foreign exchange entity, a country which is widely recognized as having human rights concerns.

NSIRA then selected only those departments that initially utilize country assessment ratings as a triage method (i.e. FINTRAC, RCMP, CSIS and CSE). [***description of how departments determined foreign entity example***]. Nonetheless, in carrying out this analysis, NSIRA observed that all four departments relied on a combination of open source human rights reports and consultations with other departments. Additionally, RCMP, CSIS and CSE utilize classified intelligence sources.

However, although these departments utilize a similar approach when assessing a country, the assigned rating for ████ was not consistent. CSIS assigned █████████████; FINTRAC and RCMP assigned a [***description of department’s specific ratings***] ; and finally, CSE assigned a ██████ rating.

NISRA examined to what degree country ratings affected the level of approval required for an information exchange. Because CSE has assigned a rating of █████ when they receive a request from ████, a CSE official could require [***description of the factors used to determine the appropriate level process***] CSE acknowledged that its “human rights assessments do not necessarily correlate with the risk level assigned to an instance of sharing,” and nor do they “necessarily correlate to levels of approval or to restrictions to sharing.” [***description of the factors used to determine the appropriate level process***]

In contrast, according to their framework and methodology, an exchange with any one of the █████ authorities listed in the RCMP’s country and entity assessment list could result in an [***description of department’s specific ratings***] because █████ is associated with a country assessment rating. When an entity is yellow, the employee must consider whether or not there is a risk of mistreatment by looking at a list of criteria. If one or more of these criteria exist, the employee must send the case to a senior management committee. NSIRA observes that where the RCMP has a red country rating, the working level official must escalate to the senior management committee. Therefore, unlike CSE and CSIS, country ratings within the RCMP have direct impacts on approval levels.

NSIRA’s ACA report from last year recommended that departments should identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach when interacting with Foreign Entities of concern. While PCO disagreed with this recommendation, NSIRA believes that there remain concerns regarding divergences in country and risk assessments.

NSIRA Finding #3: NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be scalated, significant divergences in the evaluation of risk and the required level of approval emerge.

Following this review, NSIRA intends to further scrutinize the processes employed regarding ACA triage and decision making by reviewing GAC and RCMP.

A case study as provided for in Box 1 exemplifies the divergent nature on the evaluation of risk where two departments’ considered responding to an identical request made by a foreign entity.

Box 1: A divergent decision-making process

[***description of the case study***] The foreign entity provided this information to GAC and CSIS and requested confirmation [***description of the information sharing request***]

In considering whether to respond to this request, GAC determined that the human rights record of the country in question generally and of the foreign entity specifically making the request were of significant concern. GAC’s senior decision making committee, working under the presumption that the individual’s detention was ongoing, considered whether the disclosure of this information “would not substantially increase the detainee’s risk of mistreatment.” The senior decision making committee determined that confirmation of the individual’s previous employment status with GAC was permissible, subject to the determination of CSIS’s assessment.

Ultimately, the decision by CSIS was made by a DG-level executive and, as the foreign entity was listed by CSIS as a restricted partner, information was not shared.

The assessment by GAC’s senior decision-making committee is of concern. The Act and the Directions impose that departments consider whether disclosing or requesting information “would result in a substantial risk of mistreatment.” [***legal advice to department***]

NSIRA agrees with this interpretation of the law, but not with its implementation by GAC in this case. GAC’s position was that responding to the request “would not aggravate” the risk of mistreatment. However, NSIRA is of a different view. Regardless of the information sought, the human rights record of the foreign entity and of the foreign country was of significant concern, and GAC was operating under the presumption that the individual may have already been subjected to mistreatment. While GAC’s sharing could not have accounted for any mistreatment that could have occurred earlier, responding to the request given the facts of this case would have nonetheless resulted in a substantial risk of mistreatment. Therefore, this case should have been refered to the Deputy Minister of Foreign Affairs for consideration.

NSIRA also observes that this case was triaged at different levels within GAC and CSIS. In GAC’s triage process, the decision was made at the higher senior decision-making committee that disclosure was permissible. Comparatively, CSIS’s decision-making process was completed prior to reaching their senior-level committee and yielded the opposite result. The different levels of decision-making and different outcomes underscore a problematic inconsistency in how each organization considers the same information to be disclosed to the same foreign entity. Furthermore, while a department responsible for the information may consult with other departments as to whether disclosure of information is permissible, it cannot abdicate this responsibility and decision-making to another department.

NSIRA Finding #4: NSIRA found a procedural gap of concern in a case study involving the disclosure of information, even though information was ultimately not shared. The risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.

Mitigation Measures

Use of Mitigation Measures

To decrease the risk of mistreatment, departments will employ mitigation measures such as caveats, assurances, sanitization, and redactions. The most common mitigation measures are caveats and assurances. Caveats are specific stipulations appended to information to limit or prohibit certain uses of information unless otherwise authorized by the issuing department. For example, any departments use a ‘third party’ caveat that restricts further dissemination of the information to other departments (domestic and foreign), unless the originating department is consulted on the request to share.

Assurances are not specific to a single information exchange; rather, these are agreements with foreign entities (whether formal or informal), which aim to help ensure that a particular foreign entity understands Canada’s position on human rights and that the entity, in turn, agrees to comply with this expected behaviour. For example, when formulating a risk mitigation strategy for an information exchange, departments will consider written or verbal assurances, who provided the assurance (i.e. working level official or agency head), and whether the assurance is considered credible and reliable.

Furthermore, CSIS, CSE, and GAC have highlighted a number of differences in the types of assurances sought, including a number of informal and formal methods. For example, verbal assurances, scheduled formal assurances, and ad-hoc written assurances can be sought by various levels.

In a related issue, NSIRA observed that there are [***description and an example of a Department’s ability to track compliance***] CSIS, GAC, and CSE indicated that there is ████████████████████████████████████████████████████████████ is not specific to the ACA but is nonetheless key ████████████ when exchanging information with the Government of Canada.

Given that no cases were escalated to the level of deputy head, departments’ lower-level use of mitigation strategies would have taken on considerable prominence in decision making. In a subsequent review, NSIRA intends to further investigate policies of mitigation measures pertaining to their use and tracking.

CONCLUSION

This review assessed departments’ implementation of the directives received under the ACA and their operationalization of frameworks to address ACA requirements.

NSIRA’s first review of departments’ implementation of the Act and Directions was limited to a four month period (September-December 2019). As such, this review constitutes the first examination of the ACA over the course of one full year. NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and Directions, irrespective of whether or not a department reported any cases to its deputy head. Additionally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.

Annex A: Findings

NSIRA Finding #1: NSIRA found that CBSA and PS did not finalize their policy frameworks in support of Directions received under the ACA over the review period.

NSIRA Finding #2: NSIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

NSIRA Finding #3: NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.

NSIRA Finding #4: NSIRA found a procedural gap of concern in a case study involving the disclosure of information, even though information was ultimately not shared. The risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.

Annex B: Canada Border Services Agency

Annex B: Canada Border Services Agency Framework

Framework updates: In 2018, Canada Border Services Agency (CBSA) issued a high-level policy document in response to the 2017 MD. Since then, CBSA has drafted updated policies and procedures that have not yet been finalized.

Working Groups: CBSA Avoiding Complicity in Mistreatment Working Group (ACMWG)

Senior Management Committee: Senior Management Risk Assessment Committee (SMRAC). This committee convenes on an as needed basis, to assess cases that have a potential for mistreatment.

[***description of CBSA’s decision making methodology***]

Country Assessment: In-house risk scoring template under development

Mitigation Measures: The CBSA is currently working to strengthen its formal framework/process for deciding whether substantial risk of mistreatment associated with a given request can be mitigated.

Annex C: Canada Revenue Agency

Annex C: Canada Revenue Agency Framework

Framework Updates: The Canada Revenue Agency (CRA) indicated that it did not make any changes to its framework since last year’s response. The department continues to refine its processes and has developed the Canada Revenue Agency Exchange of Information Procedures in the Context of Avoiding Complicity in the Mistreatment by Foreign Entities Act.

[***departmental cabinet confidence***]

Working group: The CRA formed a Risk Assessment Working Group (RAWG) that developed a methodology to assess the human rights records of its information exchange partners, so that senior management can make informed assessments of the risk of mistreatment.

Canada has a large network of international partners with 94 tax treaties and 24 Tax Information Exchange Agreements. Canada is also a party to the Convention on Mutual Administrative Assistance in Tax Matters (MAAC), which includes 144 signatories. These International Legal Agreements allow the CRA to exchange information on request, spontaneously and automatically. Each legal agreement includes secrecy provisions (caveats) that govern appropriate use and disclosure. In addition, members of the Global Forum (Global Forum) on Transparency and Exchange of Information for Tax Purposes are subject to peer reviews on a cyclical basis, including on Confidentiality and Data Safeguard .

Senior Management Committee: During the review period a senior committee was not in place, however there was a formal process to escalate reviews/risk assessment through the Director, Director General and ultimately the Assistant Commissioner of the Compliance Programs Branch (CPB) who is accountable for the administration of the ACA.

Additionally, in July 2021, the CRA established an ACA governance framework that includes the ACA Panel, a senior management consultative committee to support risk assessments, reporting, recommendations, and priorities. The panel currently consists of DGs and Directors within the CPB and the Legislative Policy and Regulatory Affairs Branch. Also in July 2021, the CRA established an executive level committee to consider and develop recommendations on case specific engagements as well as issue identification and guidance. The committee consists of Directors across several directorates of the CRA that manage programs that are directly impacted by/reliant on exchange of information with other jurisdictions.

Triage: The initial assessment is done by a working level employee and requires, at minimum, director approval. The case may escalate to the DG and the AC and so on if there is doubt about risk mitigation.

In cases where risk was identified, there were challenges in conducting full assessments to determine if the risk was substantial, the CRA delayed disclosing the information until the full assessment could be completed. This was largely in part due to COVID-19. As such, files that normally would have been referred were temporarily put on hold and no action was taken during the review period.

The CRA informed NSIRA that funding from the November 2020 Fall Economic Statement was allocated to the creation of a dedicated risk assessment team. It is anticipated that the development and regular updating of country-level assessments and the preparation of individual-level risk assessments will transition to this new dedicated team housed within the CPB, in summer 2021.

The team will also be responsible for:

  • Creating and formalizing the framework for consulting with CRA senior management and other government departments and agencies;
  • Advising CRA officials who engage in exchange of information (EOI);
  • Identifying mitigation and other factors specific to the type of information that CRA exchanges and that would impact risk assessment;
  • Preparing annual and other reporting required under the Act and Directions;
  • Providing awareness and training sessions; and
  • Continuously improving documentation, policies, guidance, and procedures.

Country/Entity Assessments: Since January 2020, the CRA has completed their own set of mistreatment risk assessments for each potential information exchange, including the use of information received from the CRA’s information exchange partners in consultation with other Government of Canada partners. The CRA can only exchange information with another jurisdiction pursuant to a treaty, tax convention or other legal instrument that permits exchange of tax information.

The CRA uses a colour coded system to rate the risk related to a country: green; yellow; red. However, for specific or spontaneous exchanges of information, the CRA completes an analysis based on the specifics of the file to supplement the country specific risk assessment.

Mitigation Measures: Mitigation measures, including caveats (data safeguards and confidentiality provisions) are embedded in all legal instruments that govern and allow for all the CRA’s exchanges of information, while peer reviews of jurisdictions’ legal frameworks and administrative practices provide assurances of exchange partners’ compliance with international standards for exchange of tax information. According to CRA, all information exchanged during the review period were subject to these mitigation measures. Due to COVID19, and for the period under review, the CRA put on hold all exchanges where it was deemed there may be a residual potentially significant risk of mistreatment until a process and mitigation measures were in place, including to redact information. However, the CRA routinely redacted personal information where it would not impact the substance of the exchange for those mitigated risk exchanges that did proceed during this period.

Annex D: Communications Security Establishment

Annex D: Communications Security Establishment Framework

Framework Updates: No changes made to the framework in 2020. It is the same procedure as the last review period.

Working group: Based on the RFI, there are no working groups leveraged to assess the level of risk of mistreatment. The Mistreatment Risk Assessment Process follows a process that has been refined continuously since its inception in 2012. The higher the level of risk (low, medium, high, substantial), the higher approval authority required to exchange or use information.

Senior Management Committee: There is no Senior Management Committee. As explained above, CSE relies on an approval authority scale based on the level of risk (from low to substantial). Senior level officials are involved in the process when there are medium and high-risk cases, which require Director and Director General/Deputy Chief approval, respectively.

Triage: A CSE official performs an initial assessment by consulting the Mistreatment Risk Assessment (MRA), which considers equity concerns, geolocation and identity information, human rights assurances, risk of detention and a profile of the recipients’ human rights practices.

Low (For Low Risk Nations)

If the MRA indicates a low level of risk, the official will need Supervisor [***specific unit***], approval if they wish to proceed with the information exchange or use.

Low (For non-Low Risk Nations)

If the MRA indicates a low level of risk, the official will need Manager [***specific unit***], approval if they wish to proceed with the information exchange or use.

Medium

If the MRA indicates a medium level of risk, the official will need Director, Disclosure and Information Sharing approval if they wish to proceed with the information exchange or use.

High

If the MRA indicates a high level of risk, the official will need Director General, Policy Disclosure and Review or Deputy Chief, PolCom approval if they wish to proceed with the information exchange or use.

Substantial

If the MRA indicates a substantial level of risk, the official may not proceed with the information exchange or use.

Country Assessments: CSE establishes its own country assessments (which CSE refers to as Human Rights Assessments) by using information from OGDs, its own reporting, and open source information. Foreign entity arrangements are reviewed annually. These HRAs are part of CSE’s MRAs.

There are two types of MRAs: Annual and Case-by-case. Annual MRAs include foreign entities with whom CSE regularly exchanges information, [***description of the foreign entities with whom CSE exchanges information***] Caseby-case MRAs are conducted in response to particular requests. Case-by-case MRAs often concern individuals and information sharing activities. There are Abbreviated MRAs, which are a sub case-by-case MRA, and they are conducted for Limited Risk Nations. These nations are considered low risk by CSE.

When making MRAs, CSE does the following:

  • assesses the purpose of the information sharing;
  • verifies there are mistreatment risk management measures in existing information sharing arrangements;
  • reviews CSE’s internal records on the foreign entity under consideration;
  • consults other available Government of Canada assessments and reports related to the foreign entity;
  • assesses the anticipated effectiveness of risk mitigation measures; and
  • evaluates a foreign entity’s compliance with past assurances, based on available information.

CSE consults with GAC, DND, and the Ministers of Foreign Affairs and National Defence for some MRAs, usually case-by-case ones. CSE may also consult GAC for human rights-related advice in certain instances.

Mitigation Measures: CSE considers a number of mitigation factors, such as risk of detention, [***statement regarding information sharing obligations of partners***] caveats, formal assurances, and bilateral relationships. CSE’s principle mitigation measure is Second Party assurances. [***statement regarding information sharing obligations of partners***]

Identifying/Sensitizing: The DG, Policy Disclosure and Review or the DC PolCom review high-risk cases. 303 information-sharing requests were assessed for risk of mistreatment and 10 of them (3%) were referred to the Director, Disclosure & Information Sharing. For the 2020 review period, the Deputy Chief, Policy and Communications was responsible for ACA accountability and quality assurance.

Annex E: Canadian Security Intelligence Service

[***Info-graphic of CSIS’s Risk Assessment process***]

Framework Updates: While there were no changes during the 2020 review period, CSIS modified its procedure on January 2021. Most notably, cases will only be escalated to ISEC if the DG cannot determine if the substantial risk can be mitigated. In addition, CSIS merged the [***statement regarding internal process***] CSIS updated its human rights ‘Assurances’ procedures as a stand-alone policy. This policy requires CSIS Stations to seek assurances from [***statement regarding internal process***] coordination responsibilities for ISEC were moved to the ██████████. Through that, the █████ became ISEC’s Chair.

Triage: CSIS working-level officials do the initial assessment. This assessment requires the official to determine if one or more of the four risk criteria are met. These criteria are:

  • “Based on the available information about the foreign entity, if the information is disclosed or requested, is there a probability that the foreign entity will engage in torture or other forms of cruel, inhuman or degrading treatment or punishment against an individual(s)?”
  • “If the information is disclosed or requested, is there a probability that the foreign entity will disseminate the information in an unauthorized manner to a 3rd party, which may result in torture or other forms of cruel, inhuman or degrading treatment or punishment against an individual(s) by that 3rd party?”
  • “If the information is disclosed or requested, is there a probability that it may result in the extraordinary rendition of an individual(s) by the foreign entity which would lead to the individual(s) being tortured or subject to other forms of cruel, inhuman or degrading treatment or punishment?
  • “If the information is disclosed or requested, is there a probability or an extrajudicial killing of an individual(s) by the foreign entity or other security entities within the country?”

Four scenarios could occur before a case lands at ISEC:

[***description of four possible scenarios and the assessment criteria used to determine risk mitigation and/or ecalation***]

Working Group: While there is a senior management committee, there is no working level group on the operations side.

Senior Management Committee: ISEC is CSIS’s senior-level review committee for foreign information sharing activities. It is composed of CSIS senior managers and representatives from DoJ and GAC. This committee is responsible to determine if a case poses a substantial risk and if it can be mitigated. If ISEC cannot determine if the substantial risk is mitigatable, the case is referred to the Director. Of note, GAC and DoJ are no longer voting members on ISEC but will continue to provide feedback and advice.

Country Assessments: CSIS conducts its own country assessments. Each information exchange arrangement with a foreign entity has its own Arrangement Profile (AP). APs include a summary of the human rights summary.

Mitigation Measures: CSIS relies on a few mitigation measures. First, CSIS widely uses ‘Form of Words’, which include caveats. Second, CSIS uses assurances and relies on standardized templates provided to foreign entities. CSIS may also tailor assurances to address specific concerns, such as extra-judicial killings.

Identifying/Sensitizing Information: ██████ is responsible for CSIS’s information sharing framework. [***name of a specific unit***] is responsible for official policy management. Concerned program areas are responsible for applying related polices and procedures for ACA-related activities.

Annex F: DFO

Annex F: DFO Framework

Framework Updates: Fisheries and Oceans Canada (DFO) did not make any changes to last year’s approach.

Triage: The initial assessment is made by the person receiving the request for information sharing or who first comes into possession of information derived from a foreign source. Risk is determined on a case-by-case basis.

The sector-level analyst/officer does the initial assessment and relies on OGD assessments to determine the level of risk. They determine the level of risk in relation to the specific case and whether they assess that there is a substantial risk or not will impact the level of approval. If the analyst/officer does not think there is risk, the case may proceed. This, according to the decision screen and information received, does not require any manager or senior level approval.

If the analyst/officer believes or is unsure that there is a substantial risk, the senior-level Internal Review Committee (IRC) must seek DM approval.

Working Group: Internal Review Committee

Senior Management Committee: DFO employs the use of a decision screen and the IRC as demonstrated above. It is unclear whether DFO has developed guidance to help officials and management accurately and consistently determine the risk of mistreatment.

Country Assessments: DFO relies on country assessments conducted by GAC (as well as DFO legal services, RCMP and CSIS as needed) to make mistreatment risk determinations.

Mitigation measures: DFO indicated that it employs the use of caveats and assurances as necessary but has not yet had to seek such assurances. As such, there is no tracking mechanism in place. The Department is able to retroactively determine when, how, and why a decision was made through its record keeping system. A process is in place to record the details of each case, its evaluation process, and any resulting actions and decisions.

Annex G: Department of National Defence/Canadian Armed Forces

Annex G: Department of National Defence/Canadian Armed Forces Framework

Framework Updates: The Department of National Defence (DND) indicated that there were no changes to its framework since last year’s response.

Triage: The process of assessing risk is largely the same across all three forms of information sharing transactions. The process involves examining country human rights conditions, and researching specific partner entities, including any reports of mistreatment. Adverse information on a foreign partner is reviewed by the Defence Information Sharing Working Group (DISWG) and recommendations are made to the implicated L1s on how to manage information sharing activities (request, disclosure, or use). There are no differences in the types of mitigation measures employed across the three forms of information sharing. The primary governance document Release and Disclosure Officers (RDOs) and Release and Disclosure Authorities (RDAs) must adhere to is the CDI Interim Functional Directive: Information Sharing with Certain Foreign States and their Entities.

Working Group: The Defence Information Sharing Working Group (DISWG) is a working-level committee led by the Release and Disclosure Coordination Office (RDCO) within CFINTCOM that serves as an advisory body to operation Commanders regarding issues covered under the ACA. This Working Group exists as a platform for open dialogue related to information sharing arrangements and transactions. This group convenes monthly, or as required.

Senior Management Committee: The Defence Information Sharing Assessment Committee (DISAC) is chaired by the Chief of Defence Intelligence / Commander CFINTCOM . The DISAC’s primary object is to act as an advisory committee for the Deputy Minister and the Chief of Defence Staff in support of their decision making regarding issues pertaining to the ACA.

Country Assessments: Currently, RDCO has established a list of low-risk countries that can be referred to by other L1s. Inclusion in this list indicates CDI’s confidence that sharing information with government entities of that foreign state can take place without a substantial risk of mistreatment. Moreover, RDCO has developed a draft methodology for Country Human Rights Profiles to classify countries as low, medium, or high risk but has only begun producing country human rights profiles on a few medium and high-risk countries and the methodology has not yet formally approved. These profiles will be used by other L1s in the development of specific Partner Entity Assessments and to inform the overall risk assessment of sharing information with foreign entities.

Information Management: There is no common shared system or repository for all RDOs. Information decisions are recorded by RDOs at the unit level. In some cases, all transactions are recorded using a spreadsheet and should include all details relating to the collection, retention, dissemination or destruction of the information, but the precise format will vary. CFINTCOM is working to standardize RDO logs across DND/CAF. From an information management perspective, there have been no changes since last year’s report. Records of discussion of all DISWG meetings are kept centrally within RDCO/CFINTCOM and it is possible to retroactively determine how and why a decision or recommendation was made.

Mitigation Measures: DND uses mitigation measures to reduce the risk of mistreatment. For example, DND uses measures such as the sanitization of information, the inclusion of caveats, and/or the seeking of assurances, including on low-risk cases in order to err on the side of caution.

Annex H: FINTRAC

Annex H: FINTRAC Framework

Framework Updates: The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) did not make any changes to their framework for the 2020 review year.

Triage: Who does the initial assessment will depend on the risk level classification of the country. If it’s green, the intelligence analyst (IA) does the risk assessment. If it’s yellow, the IA’s team leader does the risk assessment. If it’s red, Senior Level does the risk assessment. Regardless of the determined risk level, Senior Level must ultimately approve or decline the information exchange/use.

Partnerships and Working Groups: FINTRAC makes use of external organizations, such as the Egmont group, to ensure that member organizations are adhering to global standards against mistreatment. If one of these groups is found to have breached their duty of care, and is expelled from the group, then FINTRAC will cease to exchange information until the matter has been rectified. FINTRAC enters Memoranda of Understandings (MOUs) with nations who wish to exchange information with them. To do so, each nation is assessed using a variety of criteria to determine their risk rating and whether an MOU should be established.

FINTRAC also regularly participates in ISCG meetings alongside other departments.

Senior Management Committee: FINTRAC does not have a senior management committee to determine risk like other departments. Instead, they rely on senior management and the Director to make final decisions on cases.

Country Assessments: FINTRAC established its own country assessments. Establishing each country assessment involves gathering pertinent information on the human rights situation in the country and using indicators to assess the risk level of mistreatment of each country. During the development of the country assessment process, FINTRAC consulted with other agencies/government departments captured under the ACA.

The Manager of International Relationships is responsible for monitoring and assessing the human rights profile of countries with which FINTRAC shares an MOU.

Mitigation Measures: Caveats and assurances are established at the signing of an MOU and repeated whenever sharing information with any foreign entity. The sharing of information is not allowed without a signed MOU.

Annex I: Global Affairs Canada

Annex I: Global Affairs Canada Framework

Framework Updates: Global Affairs Canada (GAC) indicated that no changes to their framework was made during the current review period.

Triage: There is not one unified set of processes at GAC for determining whether information being used by the department is likely to have been obtained through the mistreatment of an individual by a foreign entity. If an official determines that information that he or she has received is likely to have been obtained through the mistreatment of an individual by a foreign entity and that official still wants to use the information, they are instructed in their training to consult with their Program management at HQ. Should that manager be unable to make a determination on their own as to whether the use would comply with the Act, they will consult the relevant departmental policy group and the department’s Legal Services Unit.

Working Groups: The Ministerial Direction Compliance Committee Secretariat

Senior Management Committees: The Ministerial Direction Compliance Committee (MDCC) meetings focuses on the following:

  • Has the information, the use of which is being sought, likely been derived from mistreatment?
  • What are the proposed measures to mitigate the risks? What is the likelihood of their success?
  • Consider the justifications for and proportionality of any potential involvement with the foreign state or entity that may result in mistreatment.

The MDCC Secretariat will create a record of decision and circulate it for comment by MDCC members. Once finalized, it will be kept by the Secretariat for future reporting. The MDCC Secretariat follows up with the requesting official for updates on the outcome of the situation and requests a final update from the requesting official once the situation is resolved. Currently the MDCC Secretariat consists of one person.

Country Assessments: Global Affairs Canada’s human rights reports provide an evidence-based overview of the human rights situation in a particular country, including significant human rights-related events, trends and developments and include a section focused on mistreatment. There are no scores for countries however, and it is up to the officials to assess the risk based on the information in the reports.

Mitigation Measures: The Legal Services Unit and/or Intelligence Policy and Programs division will provide guidance on the limitations and the prohibitions of the use of information obtained through mistreatment. They are also able to propose potential mitigation measures, such as sanitization of the information, if there is a risk of further mistreatment; of depriving someone of their rights or freedoms; or if the information could be used as evidence in any judicial, administrative or other proceeding.

Annex J: IRCC

Annex J: IRCC Framework

Framework Updates: Immigration, Refugees and Citizenship Canada (IRCC) indicated that there were no changes to its procedures regarding the disclosure of information to foreign entities.

Triage: The initial assessment is done by the employee/officer receiving a request to disclose information. Officers are provided with a country assessment tool that provides a country-level risk assessment. If the country is listed as low-risk and the employee does not believe there are any risks of mistreatment, they may proceed with the exchange and record the details of that exchange (i.e., what information was exchanged; to which country, etc) into the Global Case Management System (GCMS). If the country is high-risk, or the officer believes that there is any risk of mistreatment and they wish to pursue with the case, then the officer is required to refer the case to IRM and Admissibility to assess the risk of the exchange.

Senior Management Committee: IRCC has the Avoiding Complicity Assessment Committee. The Committee is comprised of executives representing relevant policy, operations, legal and privacy branches within the Department. The purpose of the Committee is to reassess whether the circumstances of the case meet the “substantial risk” threshold, and to determine whether mitigations could be sufficiently imposed to allow for the disclosure. If the Committee is unable to unanimously determine if the risk can be mitigated, and there remains a need to disclose the information to the requesting foreign entity, then the case will be referred to the Deputy Minister for final decision.

Country Assessments: IRCC officers are instructed to refer to an initial country assessment tool when they are contemplating any disclosure or request for information from a foreign entity. This tool provides a general assessment of the country’s risk. If the country is identified as a high-risk country, then the officer is required to make a Consultation Request before disclosing, requesting or using information. If the country is identified as medium-risk, then it is recommended that the officer make a Consultation Request.

Mitigation Measures: Possible mitigation measures for a case where a substantial risk of mistreatment has been determined, if available, would be established in the Consultation Request assessment and, if necessary, in the Avoiding Complicity Assessment Committee’s recommendation. In either case, the mitigations will be manually recorded in the case file where they can be later recalled and noted in the Annual Report.

Annex K: Public Safety

Annex K: Public Safety Framework
Annex K: Public Safety Framework Image 2

Please note that the above flow charts are draft and have not yet been approved.

Framework Updates: Public Safety (PS) does not yet have a framework for deciding whether an exchange of information with a foreign entity would result in a substantial risk of mistreatment of an individual. PS noted, however, that it has drafted a departmental policy to support the department’s implementation of the Directions but it has not yet been approved by senior management.

Triage: PS officials at the operational level are responsible for identifying whether the disclosure of or request for information would result in a substantial risk of mistreatment of an individual. Prior to the disclosure of or request for information to/from a foreign entity, PS officials, as per the draft policy, are expected to:

  • review risk assessments and information sharing arrangements/agreements to determine risks;
  • identify mitigation measures as needed; and
  • seek DG approval for the disclosure or request; and the DG would determine whether the risk can or cannot be mitigated and whether the case should be referred to the DM for determination and decision.
  • PS officials at the operational level are responsible for identifying whether information for potential use was likely obtained through the mistreatment of an individual. As per the draft policy, prior to the use of information, PS officials are expected to:
  • conduct an assessment to determine if the information was likely obtained through the mistreatment of an individual, if not previously completed by PS officials or another government department, and mark it accordingly, based on DG-level determination;
  • assess and characterize the accuracy and reliability of the information; and,
  • advise their DG of the circumstance; and the DG would determine whether the information would be used as per section 3 of the Directions and refer the decision to the DM to determine if the use of information in any way that deprives someone their rights or freedoms is necessary to prevent the loss of life or significant personal injury.

For PS program areas where responsibilities for program delivery are shared among multiple Government of Canada departments, PS officials may use accuracy and reliability assessments conducted by another Government of Canada department for the express purpose of the specific information exchange. In these cases, and where PS does not have sufficient information (such as the source of the information) to conduct an assessment, it will require Government of Canada departments to attest to having conducted the assessment. This same principle applies risk assessments and assessments as to whether information was likely obtained through the mistreatment of an individual.

Working Group: The ISCG is the primary interdepartmental forum for supporting interdepartmental collaboration and information-sharing between members as they implement the Act and Directions and is regularly attended by all members.

PS participates in the ISCG in three ways as the:

  1. chair, coordinator and PS policy lead;
  2. area responsible for implementing the ACA;
  3. legal counsel representative.

PS has also made progress with ISCG guidance. However, due to COVID-19, the ISCG was limited in its capacity to convene meetings.

Senior Management Committee: PS does not have a formal senior management committee to review high-risk cases. The Investigative Authorities and Accountability Policy (IAAP) unit supports program areas in the referral process to the Senior Assistant Deputy Minister (SADM) of the National and Cyber Security Branch for further examination. Acting as a senior Public Safety official, the SADM is responsible for referring cases to the Deputy Minister if they are unable to determine whether the risk of mistreatment can be mitigated.

Country Assessments: PS currently does not have any country assessments completed and plans to use other department’s assessments, but as outlined in its draft policy, PS expects to conduct country and entity assessments as part of its annual risk assessment process. The risk assessment process will ensure that an agreement with the foreign entity is in place prior to information sharing exchanges; review risk and country assessments developed by portfolio agencies (e.g. CSIS) and other departments (e.g. GAC), and consider human rights reporting from non-government entities.

The IAAP will coordinate, on an annual basis, risk assessments. To do so, IAAP may, for example, review human rights reports developed by Global Affairs Canada (GAC), country assessments prepared by portfolio agencies (e.g. CSIS), human rights reporting from non-government entities and country/entity specific material.

Mitigation Measures: PS currently has developed a draft policy to address mitigation measures and caveats. The draft policy will provide guidance to officials on how to assess risk and apply mitigation measure, while also defining approval levels and country assessment responsibilities.

Once a risk of mistreatment has been identified, the PS official is required to undertake a risk mitigation assessment prior to requesting the information. Approved risk mitigation mechanisms include:

  • the caveating of information,
  • obtaining assurance and/or
  • disclosing a limited amount of the information.

The policy also outlines requirements regarding the use of congruent mitigation mechanisms to collectively reduce the risk.

Annex L: Royal Canadian Mounted Police

Annex L: Royal Canadian Mounted Police Framework

Framework Updates: There were no changes to the Royal Canadian Mounted Police’s (RCMP) framework in 2020. RCMP has undertaken a number of internal reviews of its information sharing framework and continues to refine and optimize its processes.

RCMP also noted that it was in its final stages of rolling out an online training course specifically tailored to the ACA.

Triage: The Foreign Information Risk Advisory Committee (FIRAC) process may be initiated if and when an information exchange involves a country identified as high or medium risk. A low-risk case would only be sent if an official believes there is the potential for mistreatment.

All RCMP personnel are required to consider the risk of mistreatment before requesting, disclosing or using information and to engage the FIRAC process if there is a substantial risk identified to a specific individual(s) with a country of exchange.

An employee is almost always the one to perform the initial risk assessment. When an entity is green, the employee may exchange or use information without consulting FIRAC, unless they express doubts. When an entity is yellow, the employee must consider whether or not there is a substantial risk of mistreatment by looking at a list of criteria (similar to CSIS). If one or more of these criteria is present, the employee must send the case to FIRAC. If the entity is red, the employee must send the case to FIRAC for the initial assessment, unless no personal information is exchanged.

Working Group: Law Enforcement Assessment Group (LEAG). Full-length LEAG assessments include classified information from other Federal departments and agencies. The FIRAC Portal was developed to allow RCMP employees to access the assessments, and to further support compliance with the directions.

Senior Management Committee: FIRAC was established to facilitate the systematic and consistent review of RCMP files to ensure information exchanges do not involve or result in the mistreatment of any person.

FIRAC holds the responsibility to determine if a substantial risk exists and in cases where a substantial risk of mistreatment exists, make a recommendation on whether the proposed mitigating measures are adequate to mitigate the risk.

FIRAC’s recommendations are made by the Chair, upon the advice of the Committee, to the appropriate Assistant Commissioner / Executive Director responsible for the operational area seeking to disclose, request or use the information.

FIRAC determines if the risk is mitigatable or not. If it is, the case goes to the Assistant Commissioner. If it is not, FIRAC declines the exchange or use of information.

Country Assessments: An in-house country assessment model has been completed.

Countries are listed in alphabetical order, along with any specific foreign entities (i.e. police forces, military units, etc.) that have been assessed. For each entity, the risk level (Red-High, Yellow-Medium, Green-Low) is provided, as are the specific crime types and conditions.

Mitigation Measures: The RCMP leverages existing MOU’s with specific partners to partially mitigate underlying risk, in particular where mutually agreed standards around human rights exist as well as having a good track record for respecting caveats. Similarly, officials work with Liaison Officers to identify any relevant assurances or strategies, factors or conditions that could mitigate the risk of mistreatment posed by the information exchange, request for information or use of information.

All mitigation measures used are tracked through the FIRAC by filling in a FIRAC Request Form. Noting which mitigations/caveats are used is a mandatory part of the process.

Annex M: Transport Canada

Does not have a departmental framework for assessing ACA considerations, outside of the Passenger Protect Program (PPP).

Changes: Transport Canada (TC) developed a corporate policy in September 2020 to highlight the department’s ACA-related requirements, roles and responsibilities and remains a participant in PS framework.

Triage: Relies on PS’ framework for the Passenger Protect Program.

Should they have any concerns about a request for information from a foreign partner they will consult with other agencies, such as CSIS or GAC.

Working Group: TC is a voting member of the PPP Advisory Group but does not have any responsibility for drafting case briefs. At each meeting of the PPP Advisory Group, TC has ensured that all other voting members have acknowledged TC’s SATA-legislated responsibility for sharing the List with domestic and foreign air carriers, and its associated responsibilities under the ACA.

Senior Management Committee: TC does not have any senior management committee in place to further review cases with a potential for mistreatment.

Country Assessments: Rely on other government departments.TC relies on assessments by other departments such as PS and GAC.

Mitigation measures: The framework was established by Public Safety (lead on PPP), with consultations with the PPP partners (RCMP, CSIS, CBSA). TC has worked with PS to integrate mitigation measures into the operating procedures and protocols of PPP partners.

Share this page
Date Modified:

Notification of NSIRA’s Review of CRA’s Review and Analysis Division (RAD)

Context

March 08, 2023

Bob Hamilton
Commissioner of Revenue and Chief Executive Officer
Canada Revenue Agency

Subject: Notification of NSIRA’s Review of CRA’s Review and Analysis Division (RAD)

Table of Contents

Date of Publishing:

Dear Mr. Hamilton,

I am writing on behalf of the Members of the National Security and Intelligence Review Agency (NSIRA) to inform you that NSIRA is commencing a review of the Canada Revenue Agency’s Review and Analysis Division (RAD).

The review focuses on the RAD program’s national security activities and decision-making relating to registered Canadian charities, to assess their reasonableness, necessity, and compliance with the law.

This review is conducted pursuant to paragraph 8(1)(b) of the NSIRA Act. The NSIRA Act grants NSIRA full and timely access to all information held by reviewed departments and agencies, including classified and sensitive information, with the exception of cabinet confidences.

Please identify any specific contacts you deem relevant for the topic(s) being addressed by this review. NSIRA will be in contact with your officials with requests for preliminary briefings and documents to gain an introductory overview of CRA and RAD’s activities. Depending on the scope of the review, to be determined at a later time, NSIRA will also contact any other implicated departments or agencies to inform them of this review.

In the interim, if there are any questions or comments, I would be pleased to discuss them at your convenience.

I thank you in advance for your cooperation and support to the independent review process, which is key to the transparency and accountability we provide to Canadians on behalf of the Government of Canada.

Sincerely,
John Davies
Executive Director, NSIRA

P.O Box / C.P. 2430, Station / Succursale “D”
Ottawa, Canada K1P 5W5

Share this page
Date Modified:

National Security and Intelligence Review Agency Annual Report 2021

Backgrounder

Ottawa, Ontario, October 7, 2022 – The third Annual Report of the National Security and Intelligence Review Agency (NSIRA) was tabled in Parliament today, October 7, 2022.

NSIRA’s 2021 Annual Report focuses on our progress and activities in our second full year of operation. During this time, we pursued the reform of our processes and methods for doing review and investigations, both of which helped us improve the consistency and efficiency of our work.

This report highlights key findings and recommendations. The report also presents our intention to use future annual reports to publicly assess and track the implementation of previous recommendations, in accordance with our continued commitment to transparency and public engagement. Review highlights include:

  • Four reviews of important areas of CSIS activities, notably CSIS threat reduction measures (TRMs) and technical capabilities, as well as the manner in which CSIS seeks and receives legal service from de Department of Justice and prepares and executes the warrants it needs to collect information. An annual compliance review of CSIS’s activities was also completed;
  • CSE activities, notably CSE’s governance framework that guides the conduct of active and defensive cyber operations, internal information sharing, and CSE disclosures of Canadian-identifying information (CII);
  • DND/CAF Defense Intelligence Enterprise and a follow-up review of the Canadian Forces National Counter-Intelligence Unit;
  • Two specifically mandated multi-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and sharing of information within the federal government under the Security of Canada Information Disclosure Act; and,
  • One multi-departmental review relating to the collection and use of biometrics in the “border continuum”.

In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act. NSIRA also completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.

NSIRA’s 2021 Annual Report also discusses our organization’s underlining goals and values, and highlights how the organization continued to grow in size and capacity throughout the year, and sought to enhance its technical and subject-matter expertise.

Date of Publishing:

Dear Prime Minister,

On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our third annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2021, as well as our findings and recommendations.

In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with relevant deputy heads, in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, nation al defence or international relations, or is information that is subject to solicitor-client privilege, the professional secrecy of advocates and notaries, or to litigation privilege.

Yours sincerely,

The Honourable Marie Deschamps, C.C.

Chair // National Security and Intelligence Review Agency

Message from the members

The National Security and Intelligence Review Agency (NSIRA) is pursuing its mission of enhancing accountability for national security and intelligence activities in Canada. In 2021, our agency continued to grow in size and improved its ability to fully take advantage of its broad review and investigations mandate covering the national security and intelligence activities of departments and agencies across the federal government.

It is our pleasure to present to you our third annual report in which we discuss our progress and activities in our second full year of operation. Despite the recurrent challenges posed by the COVID-19 pandemic and delays caused by a cyber incident, we completed a wide array of reviews and investigations, and continued improving our processes across the agency. Indeed, we pursued the reform of our processes and methods for doing reviews and investigations, both of which helped us to improve the consistency and efficiency of our work tremendously. These reforms, in conjunction with our growing experience, have allowed us to implement and deliver on our review plan. All of this was made possible by the development of a much stronger corporate policy framework backed by a corporate group that really cares about service delivery and the health of the agency.

In accordance with our continued commitment to transparency and public engagement, this report will present our intention to use future annual reports to publicly assess and track the implementation of previous recommendations. In the same spirit of holding us and the reviewed organizations accountable, we also formalized standards that will allow us to assess the timeliness of responses. It is our hope that these initiatives, in addition to the stringent verification process to assess our confidence in each review that we are currently developing, will inspire confidence and trust in our recommendations and findings.

We would like to thank the staff of NSIRA’s Secretariat for their efforts, patience and resilience throughout this challenging year and we hope you share our enthusiasm for what we can accomplish in the year ahead.

Marie Deschamps
Craig Forcese
Ian Holloway
Faisal Mirza
Marie-Lucie Morin

Executive Summary

The National Security and Intelligence Review Agency (NSIRA) marked its second full year in operation in 2021. With the agency’s broad jurisdiction under the National Security and Intelligence Review Agency Act (NSIRA Act), it reviewed and investigated national security and intelligence matters relating to not only the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also several federal departments and agencies, including:

  • the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
  • the Royal Canadian Mounted Police (RCMP);
  • Immigration, Refugees and Citizenship Canada (IRCC);
  • the Canada Border Services Agency (CBSA);
  • Transport Canada; and
  • all departments and agencies engaging in national security and intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.

In 2021, NSIRA continued to grow in capacity and sought to enhance its technical and subject-matter expertise.

Review highlights

Canadian Security Intelligence Service

Over the course of 2021, NSIRA completed four reviews that strengthened its knowledge of important areas of CSIS activity:

  • a review of the cultural, governance and systemic issues arising in the context of the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information;
  • a survey of CSIS’s suite of technical capabilities, along with its associated governancestructure, and areas of interest or concern to which NSIRA may return in future reviews;
  • the second annual review of CSIS’s Threat Reductions Measures (TRMs) that expandson findings from the previous review by examining a larger number of TRMs; and
  • an annual compliance review of CSIS’s activities.

Communications Security Establishment

In 2021, NSIRA completed two reviews of CSE activities, and directed CSE to conduct one departmental study:

  • a review of CSE’s governance framework that guides the conduct of active and defensive cyber operations, including whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations;
  • a review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance aspect of its mandate; and
  • a departmental study on whether CSE disclosures of Canadian-identifying information were conducted in a manner that complies with the Communications Security Establishment Act, and were essential to international affairs, defence, security or cybersecurity.

Department of National Defence and the Canadian Armed Forces

In 2021, NSIRA completed two reviews of the DND/CAF:

  • a scoping exercise to gain foundational knowledge of the Defence Intelligence Enterprise, where a significant part of intelligence functions of the DND/CAF are located; and
  • a follow-up review on the previous year’s examination of the Canadian Forces National Counter-Intelligence Unit, with emphasis on operational collection and privacy practices.

Multi-departmental reviews

NSIRA conducted two specifically mandated multi-departmental reviews in 2021:

  • a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
  • a review of information sharing within the federal government under the Security of Canada Information Disclosure Act.

NSIRA also completed a multi-departmental review under its general mandate to review any activity carried out by a department that relates to national security or intelligence:

  • to map the collection and use of biometrics across several federal government departments and agencies in security and intelligence activities related to international travel and immigration, that is, the “border continuum.”

Complaints investigations

In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act.

Further, the COVID-19 pandemic contributed to delays in NSIRA’s investigations by reducingparties’ responsiveness in providing access to information and evidence.

In 2021, NSIRA completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.

Introduction

1.1 Who we are

Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities. Prior to NSIRA’s creation, several gaps existed in Canada’s national security accountability framework. Notably, NSIRA’s predecessor review bodies did not have the ability to collaborate or share their classified information but were each limited to conducting reviews for their specified department or agency.

By contrast, NSIRA has the authority to review any Government of Canada national security or intelligence activity in an integrated manner. As noted in the 2019 annual report, with NSIRA’s expanded role, Canada now has one of the most extensive systems for independent review of national security.

1.2 Mandate

NSIRA has a dual mandate to conduct reviews and investigations of Canada’s national security and intelligence activities. Annex B contains a financial and administrative overview of NSIRA.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice.

Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA. Annex C contains summaries of the reviews completed in 2021.

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Reviews of CSIS and CSE will always remain a core part of NSIRA’s work since the entire focus of these organizations is to address national security and intelligence matters. Unlike its predecessor review bodies, however, NSIRA has an all-encompassing review mandate. NSIRA will thus continue to prioritize and examine how other departments engaging in national security and intelligence activities meet their obligations. NSIRA reviews help keep Parliament and Canadians informed about the lawfulness and reasonableness of Canada’s national security and intelligence activities.

Investigations

In addition to its review mandate, NSIRA is responsible for investigating national security- or intelligence-related complaints. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:

  • the activities of CSIS or CSE;
  • decisions to deny or revoke certain federal government security clearances; and
  • ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.

This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism) and the Canadian Human Rights Commission.

Reviews

2.1 Canadian Security Intelligence Service reviews

Overview

NSIRA has a mandate to review any Canadian Security Intelligence Service (CSIS) activity. The NSIRA Act requires NSIRA to submit a classified annual report to the Minister of Public Safety and Emergency Preparedness on CSIS activities each year, including information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.

In 2021, NSIRA completed four reviews of CSIS, summarized below. NSIRA also began two more reviews: one of CSIS’s Justification Framework and the other of CSIS’s Dataset Regime. Several other ongoing NSIRA reviews contain a CSIS component.

In a 2020 decision (2020 FC 616), the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.” Based on that recommendation, the Minister of Public Safety and Minister of Justice referred the review to NSIRA pursuant to paragraph 8(1)(c) of the NSIRA Act. Acting on this reference and relying on its own jurisdiction, NSIRA therefore reviewed the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information.

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that enables them to meet their legal obligations, including to the Federal Court. NSIRA also found a failure at CSIS to fully and sustainably professionalize the warrant application process as a specialized trade requiring training, experience and investment. This review also demonstrated the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA members Marie Deschamps and Craig Forcese. One or both members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. This included dozens of confidential interviews with Department of Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings.

In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic and cultural issues that contribute to inefficiencies threatening the ability of CSIS and the Department of Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that these problems put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges urgently is in the public interest. Though CSIS and the Department of Justice have made improvements, difficulties are still evident.

NSIRA grouped its findings and recommendations into three overarching areas:

  • the Department of Justice’s provision of legal advice;
  • CSIS’s and the Department of Justice’s management of the warrant acquisition process; and investment in people.

CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. The Department of Justice provides CSIS with legal advice on national security matters via the National Security Litigation and Advisory Group (NSLAG). This review highlighted factors that prevent NSLAG from providing CSIS with the legal advice it needs.

The Department of Justice has employed a centralized “one voice” model for delivering its legal services. The one voice model reflects a desire for uniform and consistent legal advice delivered on behalf of the Attorney General of Canada. Although the premise for the one voice approach is sound, NSIRA found that NSLAG struggled to provide timely, responsive and useful legal advice in the CSIS context. The way the Department of Justice provides advice has often not been responsive to CSIS operations. For example, NSLAG presents its advice as a legal risk assessment using the Department of Justice-wide Legal Risk Management grid. This grid uses a colour-coded risk rating that can be compared to a “traffic light” system: a green risk rating represents a low legal risk to CSIS, a red risk rating represents a high legal risk, and, more ambiguously, a yellow risk rating represents an intermediate legal risk. Yellow light responses are reportedly the most common and the most frustrating for CSIS, especially when unaccompanied by discussions on how to mitigate the risk, the inclusion of which NSIRA heard is not currently common practice.

Therefore, some at CSIS perceive the Department of Justice as presenting a roadblock because of its bureaucracy, its perceived operational illiteracy and its unhelpful approach to communicating legal advice.

However, the problems with timely, responsive and useful legal advice do not stem from the Department of Justice alone. NSIRA heard that CSIS has not always shared all relevant information with the Department of Justice, prompting a degree of mistrust. The internal process for requesting legal advice at CSIS also contributes to delays and lack of relevance. The advice that sometimes comes back to operational investigators at CSIS filtered through bureaucratic hierarchies may be of limited relevance.

NSIRA heard that the laborious advice-seeking and -receiving process has sometimes caused [discussion of detrimental effects on and risks to operations].

CSIS and the Department of Justice often operate in a situation of legal doubt because of lack of clarity in the law. Clarifying legal standards often requires judicial case law. However, an unwieldy warrant process, discussed below, makes that prospect more difficult.

The Department of Justice is aware of the need for change. Broad, recent initiatives include the Vision Project, which promises client-centric strategic partnerships. New procedures have been implemented at NSLAG to address internal silos between advisory and litigation counsel, and to improve training, improve access to legal advice and facilitate consistent legal opinions. NSLAG also appears to recognize the desire for a different approach to providing legal advice, including moving toward legal advice that promotes collaborative and iterative engagement with CSIS in order to achieve its operational goals, within the bounds of the law. However, as of fall 2021, it did not appear that CSIS and the Department of Justice had systematically put this model into effect.

To facilitate proper advice-giving, CSIS needs to provide NSLAG with all the facts, and to engage NSLAG early on, at the operational level. Earlier and ongoing involvement throughout the stages of an investigation or operation would enable counsel to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. A more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

Management of the warrant process

CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. A number of legal concepts and expectations enter into the warrant process, including the “duty of candour” owed to the Court.

The Federal Court duty of candour concerns fit into two categories: disclosure of information material to the credibility of the sources who supply information used in the application; and disclosure of information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Despite past attempts at reforms, the current warrant process adopted by CSIS and supported by the Department of Justice has repeatedly failed to meet these candour obligations. Many reforms appear to have contributed to the bureaucratic complexity of the warrant process, without addressing candour issues.

CSIS has especially struggled to ensure that all information material to the credibility of sources is properly included in warrant applications. NSIRA heard repeatedly that CSIS officers involved in the early stages of preparing warrant applications do not clearly understand the legal expectations surrounding the duty of candour. Deficient information management systems related to human sources at CSIS have also resulted in important omissions, violating duty of candour obligations. These challenges produce what NSIRA calls the “recurring omissions” problem.

In 2019, CSIS sought to professionalize affiant work by creating an Affiant Unit. CSIS’s establishment of the Affiant Unit is a critical development and, properly resourced and staffed, it would be well positioned to respond to long-standing problems with the duty of candour. However, when created, the Affiant Unit was placed [Name of Branch]. [Name] has a broad mandate that does not align with the Affiant Unit’s functions in preparing legally robust warrant applications. This governance anomaly may explain the Affiant Unit’s present administrative and human resource challenges. The Affiant Unit’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as being in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission.

Warrants counsel at NSLAG have several key roles in the warrant application process and are intimately implicated in ensuring adherence to the duty of candour. Fostering a strong, collaborative and productive relationship with CSIS is key. Morale among NSLAG warrants counsel may have suffered in light of the recent Federal Court decision that prompted this review. With recent staffing increases, it appears that NSLAG currently has the requisite complement to manage the number of annual warrant applications expected from CSIS, but recruitment challenges remain an ongoing issue. NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the lack of availability of warrants counsel.

The warrant application process is meant to be strengthened through a review of the near- final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the Department of Justice’s National Security Group. The role was originally envisioned as performing a rigorous challenge of the warrant application. However, the primary role of the IC appears to be more clerical than substantive, designed to cite check rather than assertively perform a devil’s advocate function.

NSIRA believes that the presence of a rigorous challenge function performed by a knowledgeable, adequately supported lawyer distant from the warrant application is valuable and necessary. However, NSIRA proposes that the current IC model be abandoned in favour of a challenge function performed at Public Safety Canada, whose precise role is that of oversight of the CSIS warrant application process.

Working with the Public Safety Canada unit charged with warrant review, an experienced and specialized warrant counsel could perform a genuine challenge role to the warrant, analogous to the role a defence lawyer would play were warrants subject to an adversarial process. NSIRA believes that a testing review of this sort will help forestall duty of candour shortcomings stemming from a failure to disclose fully information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the warrant. However, the CSIS regional warrant coordinators have not received sufficient training to enable the contents of warrants to be translated into advice on proper execution.

Investment in people

Concern about inadequate training at CSIS was a recurring theme in this review. This concern was noted in internal CSIS documents. CSIS acknowledges that it is currently not a learning organization and does not have a learning culture. There are too few training opportunities required to sustain a modern professional intelligence service operating in a complex environment.

Conclusions

This report concluded with observations on cross-cutting cultural and governance challenges that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and performing the mission.

Low morale at CSIS was a common theme throughout this review. The systemic problems in the warrant application process are likely one cause of this problem: morale is affected when a warrant acquisition system repeatedly prevents CSIS officers from performing their mandated duties and is the source of regular reputational crises stemming from failures to meet the duty of candour.

Meanwhile, a failure to correct problems with the warrant process impairs CSIS’s and the Department of Justice’s abilities to fulfil their mandates. The Department of Justice must go from being perceived as a roadblock to a frank and forthright advisor fully attuned to operational objectives.

Within CSIS, the warrant application process was sometimes likened to winning a lottery — not because the Federal Court declines to issue warrants, but because of the resources required to prepare and complete the application. The current, laborious warrant application process is preventing some collection activities from moving forward.

In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated cultural and governance patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process.

Cherry-picked or paper-based reforms that mask without addressing the overarching systemic, cultural, and governance challenges will suffer the fate of prior reforms: the problems will continue.

NSIRA intends to launch a follow-up review within two years that will measure progress at CSIS, the Department of Justice and Public Safety Canada in resolving the systemic problem with the warrant process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court. NSIRA’s full redacted report can be read on its website.4

Response to NSIRA’s recommendations

NSIRA’s recommendations, the management response of CSIS, Public Safety Canada and the Department of Justice, and other details about this review are found in Annex D of this report.

Study of CSIS Technical Capabilities

Canada’s national security threat landscape is constantly evolving and changes in technology present CSIS with a variety of new investigative opportunities. Consequently, CSIS must develop and acquire new technical capabilities, as well as adapt (repurpose) existing tools to support its mandated collection activities. This process presents potential compliance risk, as CSIS’s existing governance and legal frameworks may not capture the new deployment or adaptation of these technical capabilities. Furthermore, certain personnel and supporting legal counsel may not fully understand how these tools are used operationally, impacting their ability to advise whether or not CSIS has the legal and policy framework required to support use of the technology. These risks require NSIRA to maintain up-to-date knowledge of CSIS’s technical capabilities and related warrant powers.

NSIRA’s survey of CSIS technical capabilities offers a first step in this endeavour by surveying CSIS’s suite of capabilities, along with its associated governance structure, and identifying areas of interest or concern to which NSIRA may return in future reviews.

Reality of the risks

NSIRA’s review of CSIS’s use of a geolocation tool found that the lack of “developed policies and procedures around the assessment of new and emerging collection technologies” directly contributed to the risk that CSIS had breached section 8 of the Canadian Charter of Rights and Freedoms while testing the tool.

– NSIRA Study 2018-05

The full range of technical capabilities CSIS currently employs in support of its intelligence collection operations was examined. NSIRA reviewed relevant policy and legal frameworks as communicated by CSIS but did not conduct an independent verification or audit of the claims or activities themselves. NSIRA also examined the tripartite information/knowledge sharing and support nexus that exists between CSIS’s operational branches, technological branches and CSIS’s Department of Justice counsel with regard to the deployment of capabilities in support of operations.

In addition to the foundational knowledge NSIRA gained of CSIS’s technical capabilities, NSIRA made several observations identifying areas of interest for possible future reviews. For example, NSIRA noted, and CSIS agreed, that the main policy suite related to the use of technical capabilities is outdated and under revision, though the timeline for completing this task is unclear.

In the interim, the policy suite is buttressed as required by directives from senior leadership and other relevant policies and practices. The lack of up-to-date policies and procedures may result in heightened compliance risks, an issue of interest to future NSIRA reviews.

In addition, CSIS is currently reworking the framework it uses to assess compliance and risk in this area. CSIS indicated that greater efficiencies in addressing stakeholder needs and compliance gaps could be achieved through new initiatives such as the creation of the Operational Technology Review Committee, which was created in May 2021. This committee’s objective is to review all new technologies used to collect intelligence and existing technologies that will be used in a new or different manner. The creation of the Operational Technology Review Committee suggests a positive step toward mitigating the risk of compliance breaches related to the deployment of technologies in support of operations. Most obviously, it presents a forum in which potential risks can be proactively identified and mitigated. The evolving nature of how compliance is monitored in relation to technical capabilities will be of interest to NSIRA moving forward.

Further questions exist regarding how CSIS monitors the operational value of technical capabilities. CSIS needs to strengthen its performance metrics program with regard to its deployment of technologies in support of operations. A performance measurement regime, currently under development, will become an important feature of the governance framework, with attendant compliance implications for possible future NSIRA reviews.

Overall, it will be important for NSIRA to remain up to date with respect to the technical aspects of CSIS intelligence collection operations, particularly given the speed with which technology and associated technical capabilities evolve.

As part of this effort, it may be possible to leverage existing reporting requirements already undertaken by CSIS. For example, Section 3 of the Ministerial Direction to the Canadian Security Intelligence Service: Accountability (September 10, 2019) requires CSIS to inform the Minister of Public Safety of operational activities in which “a novel authority, technique or technology is used.” These notifications could provide NSIRA with ongoing and up-to-date knowledge of CSIS’s capability suite and how/when technologies are deployed operationally. Furthermore, sharing the notifications would bolster CSIS’s efforts toward proactive transparency, which are in line with commitments to provide explanatory briefings to the Federal Court on new technologies used in warranted operations.

NSIRA has recommended that the full, unredacted, version of this technical survey be shared with the designated judges of the Federal Court.

Review of CSIS Threat Reduction Activities: A Focus on Information Disclosure to External Parties

Under the Anti-terrorism Act, 2015, CSIS was granted the authority to undertake threat reduction measures (TRMs). NSIRA is required to review, annually, at least one aspect of CSIS’s performance in the use of its threat reduction powers. NSIRA recognizes that CSIS’s threat reduction powers can be an effective tool to diminish a national security threat; however, these powers also command heightened responsibility, given their nature and ability to profoundly impact, not only the subject of a given TRM, but others potentially captured by its scope.

This year, NSIRA produced its second annual review of CSIS’s TRMs. This review sought to expand on findings from the previous review by examining a larger number of TRMs, wherein CSIS disclosed information to external parties, and in doing so, provided the external party the opportunity to take action, at their discretion and pursuant to their authorities, to reduce identified threats. This review studied the characteristics of these particular TRMs but focused its examination on the extent to which CSIS appropriately identified, documented and considered any plausible adverse impacts that these measures could have on affected individuals.

NSIRA observed that several different kinds of external parties were involved in the TRMs. These external parties had varied levers of control through which they could take action to reduce a threat.

NSIRA found that CSIS’s documentation of the information disclosed to external parties as part of TRMs was inconsistent and, at times, lacked clarity and specificity. NSIRA also found that CSIS did not systematically identify or document the authorities or abilities of external parties to take action, or the plausible adverse impacts of the TRM. NSIRA also found that CSIS did not always document the outcomes of a specific TRM, or the actions taken by external parties to reduce a threat.

Without robust documentation, CSIS is neither capable of assessing the efficacy of its measures nor appreciating the full impact of its actions related to these measures.

NSIRA recommended that when a TRM involves the disclosure of information to external parties, CSIS should clearly identify and document the scope and breadth of information that will be disclosed as part of the proposed measure. NSIRA recommended that CSIS should also fully identify, document and consider the authority and ability of the external party to take specific action to reduce a threat, as well as the plausible adverse impacts of the measure. Beyond recommending that CSIS comply with its record-keeping policies, NSIRA recommended that CSIS amend its TRM policy to include a requirement to systematically document the outcomes of TRMs, including actions taken by external parties. This practice should inform post-action assessments and future decision-making.

In addition, NSIRA found that the current assessment framework employed as part of the TRM approval process is overly narrow and does not sufficiently consider the full impact of CSIS TRMs. NSIRA recommended that CSIS consider plausible adverse impacts resulting not only from CSIS disclosures of information, but also from the actions of external parties as part of TRMs.

The variety of impacts observed in this year’s review, combined with the gaps identified in CSIS’s understanding and assessment of these impacts, highlights the salience of a number of NSIRA’s recommendations made in 2020. NSIRA reiterated its 2020 recommendation that CSIS consider more comprehensively the plausible adverse impacts of these types of measures on the affected individuals, even when they are carried out by the external party and not CSIS. These impacts should be considered not only when assessing the reasonableness and proportionality of a proposed measure, but also when determining whether a warrant is required.

The Canadian Security Intelligence Service Act (CSIS Act) is clear that when a proposed TRM would limit a right or freedom protected in the Canadian Charter of Rights and Freedoms, or would otherwise be contrary to Canadian law, CSIS must seek a judicial warrant. NSIRA fundamentally disagrees with CSIS’s understanding of and approach to the legal analysis of determining whether a warrant is required for proposed TRMs. In 2020, CSIS responded to this recommendation by stating, “the Department of Justice will consider this recommendation and factor it into its work related to TRMs under the CSIS Act.”

Going forward, NSIRA recommended that CSIS seeks a warrant when a proposed TRM could infringe on an individual’s Charter rights, or where it would otherwise be contrary to Canadian law, regardless of whether the activity would be conducted by CSIS directly, or via an external party to whom CSIS discloses information.

NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and pursue necessary additional inquiries. For that reason, NSIRA has a high level of confidence in the information used to complete this review. NSIRA would also like to recognize CSIS’s timeliness in responding to NSIRA’s requests for information throughout the course of this review.

Response to NSIRA’s recommendations

NSIRA’s recommendations, the management response of CSIS and other details about this review are found in Annex D of this report.

NSIRA’s annual review of CSIS activities

In accordance with the CSIS Act, CSIS is required to provide information to NSIRA on specific activities. In response, NSIRA has developed a process to examine this information throughout the year and highlight any significant observations as part of NSIRA’s annual reporting obligations to the Minister of Public Safety. This process aims to keep NSIRA informed of key CSIS activities so that it can identify emerging issues and compliance gaps in a timely manner, and plan reviews and annual reporting obligations. Furthermore, this process facilitates additional scrutiny of these activities, as necessary, to assess for compliance, reasonableness and necessity.

In 2021, NSIRA formalized this process and initiated an annual review pursuant to its review mandate (paragraph 8(1)(a) of the NSIRA Act). To enhance transparency, NSIRA requested additional categories of information from CSIS, including approved warrant applications, compliance reports, internal audits and evaluations, and communications between CSIS and the Federal Court and CSIS and the Minister of Public Safety. These additional categories sought to ensure that NSIRA has the benefit of specific policy and governance information beyond that which CSIS is legislatively required to provide.

NSIRA found that CSIS met its legislated reporting requirements; however, these requirements do not always translate into information that can be used for assessments by NSIRA. Notably, CSIS did not provide information on the additional categories of activities requested by NSIRA. Conversations to address these gaps will continue in 2022.

In 2022, NSIRA will continue its review of CSIS activities with the support of the information from CSIS as required under the CSIS Act and the NSIRA Act.

Statistics

NSIRA requested that CSIS provide for publication statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.

Warrant applications

Section 21 of the CSIS Act authorizes CSIS to make an application to a judge for a warrant if CSIS believes, on reasonable grounds, that more intrusive powers are required to investigate a particular threat to the security of Canada. Warrants may be used by CSIS, for example, to intercept communications, enter a location, and/or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.

NSIRA is aware that difficulties with the warrant acquisition process within CSIS persist. NSIRA’s Review on Rebuilding Trust: Reforming the CSIS Warrant and Justice Legal Advisory Process found that the current warrant process continues to be overly burdensome, despite attempts at reform. The review found a failure at CSIS to professionalize the warrant application process fully and sustainably. The lack of clear accountability and clear communication combined with excessive complexity have contributed to the problems facing this process. The review made a number of findings and recommendations related to systemic problems with CSIS’s warrant process.

Section 21 warrant applications made by CSIS, 2018 to 2021

2018201920202021
Approved warrants Total24231531
New warrant109213
Replacements1112814
Supplemental3254
Denied total0100
Threat reduction measures (TRMs)

Section 12.1 of the CSIS Act authorizes CSIS to take measures to reduce threats to the security of Canada, within or outside Canada. CSIS is authorized to seek a judicial warrant if it believes that certain intrusive measures (outlined in subsection 21 (1.1) of the CSIS Act) are required to reduce the threat. To date, CSIS has sought no judicial authorizations to undertake warranted TRMs.

NSIRA’s first two reviews of CSIS’s use of threat reduction measures found that CSIS did not sufficiently consider the full impact of the measure as part of the approval process for these activities. More specifically, these impacts were not explicitly considered when determining whether a warrant may be required. As already noted, NSIRA expects that when CSIS is proposing a TRM where an individual’s Charter rights would be limited or the TRM would otherwise be contrary to Canadian law, whether CSIS is undertaking the TRM directly or whether it will be executed by an external party, CSIS will seek a warrant to authorize the TRM.

Threat reduction measures approved, executed by CSIS and warranted, 2015 to 2021

2015201620172018201920202021
Approved TRMs1081523241123
Executed108131719817
Warranted TRMs0000000
CSIS targets

CSIS is mandated to investigate threats to the security of Canada, including espionage; foreign-influenced activities; political, religious or ideologically motivated violence; and subversion. Section 12 of the CSIS Act sets out criteria permitting CSIS to investigate an individual, group or entity for matters related to these threats. Sub jects of a CSIS investigation, whether they be individuals or groups, are called “targets.”

CSIS targets, 2018 to 2021

2018201920202021
Number of targets430467360352
Datasets

Data analytics is a key investigative tool for CSIS, providing it with the capacity to make connections and identify trends that are not possible through traditional methods of investigations. The National Security Act, 2017, which was passed by Parliament in June 2019, gave CSIS a suite of new powers including a legal framework for the collection, retention and use of datasets. The framework authorizes CSIS to collect datasets (sub- divided into Canadian, foreign and publicly available datasets) that have the ability to assist CSIS in the performance of its duties and functions. It also establishes safeguards for the protection of Canadian rights and freedoms, including privacy rights. These protections include enhanced requirements for ministerial accountability. Depending on the type of dataset, CSIS must meet different requirements before it is able to use the dataset.

The CSIS Act also requires CSIS to keep NSIRA apprised of certain dataset-related activities. Reports prepared following the handling of datasets are to be provided to NSIRA, under certain conditions and within reasonable timeframes. While CSIS is not required to advise NSIRA of judicial authorizations or ministerial approvals for the collection of Canadian and foreign datasets, CSIS has been proactively keeping NSIRA apprised of these activities.

While this new framework has provided opportunities to execute CSIS’s mandate to investigate threats, CSIS noted in its 2020 Public Annual Report that the current legislative framework is not without its challenges. NISRA is currently reviewing CSIS’s implementation of its dataset regime. The results of this review will inform Parliament’s review of the National Security Act, 2017.

Datasets evaluated by CSIS, approved or denied by the Federal Court or Intelligence Commissioner, and retained by CSIS, 2019 to 2021

201920202021
Publicly available datasets
Evaluated8114
Retained811215
Canadian datasets
Evaluated1002
Retained by CSIS00016
Denied by the Federal Court000
Foreign datasets
Evaluated800
Retained by CSIS01117
Denied by Minister000
Denied by IntelligenceCommissioner000
Justification Framework

The National Security Act, 2017, also created a legal justification framework for CSIS’s intelligence collection operations. The framework establishes a limited justification for CSIS employees, and persons acting at their direction, to carry out activities that would otherwise constitute offences under Canadian law. CSIS’s Justification Framework is modelled on those already in place for Canadian law enforcement. The Justification Framework provides needed clarity to CSIS, and to Canadians, as to what CSIS may lawfully do in the course of its activities. It recognizes that it is in the public interest to ensure that CSIS employees can effectively carry out its intelligence collection duties and functions, including by engaging in otherwise unlawful acts or omissions, in the public interest and in accordance with the rule of law. The types of otherwise unlawful acts and omissions that are authorized by the Justification Framework are determined by the Minister and approved by the Intelligence Commissioner. There remain limitations to what activities can be undertaken, and nothing in the Justification Framework permits the commission of an act or omission that would infringe a right or freedom guaranteed by the Charter.

According to subsection 20.1 (2) of the CSIS Act, employees must be designated by the Minister of Public Safety in order to be covered under the Justification Framework while committing or directing an otherwise unlawful act or omission. Designated employees are CSIS employees who require the Justification Framework as a part of their duties and functions. Designated employees are justified in committing an act or omission themselves (commissions by employees) and they may direct another person to commit an act or omission (directions to commit) as a part of their duties and functions. NSIRA is currently reviewing CSIS’s implementation of the Justification Framework. The results of this review will inform Parliament’s review of the National Security Act, 2017.

Authorizations, commissions and directions under the Justification Framework, 2019 to 2021

201920202021
Authorizations83147178
Commissions by employees173951
Directions to commit3284116
Emergency designations000
Compliance

CSIS’s internal operational compliance program leads and manages overall compliance within CSIS. The objective of this unit is to promote a “culture of compliance” within CSIS by investing in information technology (IT) to support the process around warrants, designing an approach for reporting and assessing potential non-compliance incidents, embedding experts in operational branches to provide timely advice and guidance, and producing internal policies and procedures for employees. This program is the centre for processing all instances of potential non-compliance related to operational activities.

NSIRA’s knowledge of CSIS operational non-compliance and associated violations of the Charter is limited to what is contained in the CSIS Director’s Annual Report on Operations to the Minister of Public Safety. NSIRA notes with interest that CSIS reports Charter violations as operational non-compliance. NSIRA will continue to monitor closely instances of non- compliance that relate to Canadian law and the Charter, and to work with CSIS to improve transparency around these activities.

Non-compliance incidents processed by CSIS, 2019 to 2021

201920202021
Processed compliance incidents19539985
Administrative5364
Operational40201921
Canadian law1
Canadian Charter of Rights and Freedoms6
Warrant conditions6
CSIS governance     8   

CSIS review plan

In 2022, NSIRA is commencing or conducting five reviews exclusively focused on CSIS, one review focused on CSIS and CSE operational collaboration (See 2022 CSE review plan, below), one focused on threat management by CSIS and the RCMP of ideologically motivated violent extremism, and a number of interagency reviews that contain a CSIS component.

In addition to NSIRA’s three legally mandated reviews of the Security of Canada Information Disclosure Act, the Avoiding Complicity in Mistreatment by Foreign Entities Act and CSIS’s TRMs, NSIRA has initiated or is planning the following CSIS reviews:

Justification Framework
This review will assess the implementation of CSIS’s new Justification Framework for activities that would otherwise be unlawful, authorized under the National Security Act, 2017.
Datasets
This review will examine the implementation of CSIS’s dataset regime following the coming into force of the National Security Act, 2017.
CSIS Cover Program
This review would be the first review of CSIS Cover Operations. It will survey the full range of CSIS cover activities and concentrate on building foundational knowledge to allow NSIRA to select specific activities for detailed review in future years.
Ideologically Motivated Violent Extremism
This is a joint CSIS-RCMP review of their respective and joint threat management of ideologically motivated violent extremism. The core of the review will be the interplay between CSIS and the RCMP in the context of ideologically motivatedviolent extremism, and an assessment of whether activities complied with the law, applicable ministerial directions, operational policies, and whether activitieswere necessary and reasonable.

Beyond 2022, NSIRA intends to explore reviews of CSIS on topics including, but not limited to:

  • the lifecycle of warranted information;
  • CSIS’s section 16 mandate;
  • “Strictly Necessary” retention policies; and
  • CSIS’s Internal Compliance Framework.

Access to CSIS information

Throughout 2021, NSIRA faced differing levels of access and responsiveness in relation to CSIS. COVID-19 related restrictions resulted in considerable delays with receiving requested information and briefings and impeded direct access to NSIRA’s dedicated office space within CSIS Headquarters.

In response to NSIRA’s requests for information, CSIS was transparent in its ability to respond and communicate anticipated delays. When access and staffing levels were no longer restricted, CSIS responses to formal and informal requests related to the Study of Technical Capabilities and the TRM review were timely and complete, and briefings were well administered and provided the requested information.

As mentioned above, throughout 2021, NSIRA did not have consistent access to its dedicated office space within CSIS Headquarters, which is used by NSIRA review, legal and investigation staff. As a result, NSIRA’s direct access to CSIS’s information systems was notably limited. NSIRA was provided various temporary accommodations within CSIS headquarters during this time.

CSIS was able to continue to provide NSIRA members access to its regional offices across Canada throughout 2021, however. This access supported NSIRA members not based in the National Capital Region, whose work often requires secure facilities where they can safely and securely access information relevant to reviews and investigations. NSIRA greatly appreciates the willingness and efforts of CSIS and its regional colleagues in this regard.

2.2 Communications Security Establishment reviews

Overview

NSIRA has the mandate to review any activity conducted by CSE. NSIRA must also submit a classified annual report to the Minister of National Defence on CSE activities, including information related to CSE’s compliance with the law and applicable ministerial directions, and NSIRA’s assessment of the reasonableness and necessity of the exercise of CSE’s powers.

In 2021, NSIRA completed two reviews of CSE, and directed CSE to conduct one departmental study, all of which are summarized below. NSIRA also began five new reviews focused on CSE’s activities that are scheduled for completion in 2022 (see 2022 CSE Review Plan, below). Furthermore, CSE is implicated in other NSIRA multi-departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act (SCIDA) and the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA), the results of which are described below (see Multi-departmental Reviews).

Although the pandemic and other priorities precluded NSIRA from advancing its previous commitments to redacting, translating and publishing reviews of the former Office of the CSE Commissioner, NSIRA remains committed to releasing this material, resources permitting.

Review of CSE’s Governance of Active and Defensive Cyber Operations

The Communications Security Establishment Act (CSE Act) provides CSE with the authority to conduct active cyber operations (ACOs) and defensive cyber operations (DCOs). As defined by the CSE Act, an ACO is designed to “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” A DCO helps protect Canadian federal government systems, or systems deemed by the Minister of National Defence to be important to Canada against foreign cyber threats. ACOs and DCOs are authorized by ministerial authorizations and, due to the potential impact on Canadian foreign policy, require the Minister of Foreign Affairs to consent to an ACO ministerial authorization or be consulted on a DCO ministerial authorization.

In this review, NSIRA assessed the governance framework that guides the conduct of ACOs and DCOs, and whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations. NSIRA analyzed policies and procedures, governance and operational documentation, and correspondence within and between CSE and GAC. The review scope included the earliest available materials pertaining to ACOs and DCOs and ended concurrently with the validity period of the first ACO and DCO ministerial authorizations (2019–2020).

NSIRA incorporated GAC into this review, given the role of the Minister of Foreign Affairs in the ACO and DCO governance structure. As a result, NSIRA gained an understanding of the governance and accountability structures in place for these activities by obtaining unique perspectives from the two departments on their respective roles and responsibilities.

The novelty of these powers required CSE to develop new mechanisms and processes while also considering new legal authorities and boundaries. NSIRA found that both CSE and GAC made considerable efforts in building the ACO and DCO governance structure. In this context, NSIRA has found that some aspects of the governance of ACOs and DCOs could be improved by making them more transparent and clearer.

Specifically, NSIRA found that CSE could improve the level of detail provided to all parties involved in the decision-making and governance of ACOs and DCOs, within documents such as the ministerial authorizations authorizing these activities and the operational plans that are in place to govern their execution. Additionally, NSIRA also identified several gaps that CSE and GAC need to address, and recommended improvements relating to:

  • engaging other departments to ensure an operation’s alignment with broader
  • Government of Canada priorities;
  • demarcating an ACO from a pre-emptive DCO;
  • assessing each operation’s compliance with international law; and
  • communicating with each other any newly acquired information that is relevant to the risk level of an operation.

The gaps observed by NSIRA, if left unaddressed, could carry risks. For instance, the broad and generalized nature of the classes of activities, techniques and targets comprising ACOs and DCOs could capture unintended higher-risk activities and targets. Additionally, given the difference in the required engagement of GAC in ACOs and DCOs, misclassifying what is truly an ACO as a pre-emptive DCO could result in a heightened risk to Canada’s international relations through the insufficient engagement of GAC.

While this review focused on the governance structures at play in relation to ACOs and DCOs, of even greater importance is how these structures are implemented and followed in practice. NSIRA made several observations about the information contained within the governance documents developed to date and will subsequently assess how they are put into practice as part of NSIRA’s forthcoming review focused on the operations themselves.

Response to NSIRA’s recommendations

NSIRA’s recommendations and other details about this review are found in Annex D of this report.

Review of Information Sharing across Aspects of CSE’s Mandate

This review examined CSE’s legal authority for sharing information obtained in the course of one aspect of its mandate for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance (cybersecurity) aspect of CSE’s mandate.

NSIRA examined whether CSE’s internal sharing of information relating to a Canadian or a person in Canada (IRTC) is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution, and the CSE Actwhich applies to CSE’s incidental collection and use of IRTCNSIRA concluded that from the descriptions of the aspects in sections 16 and 17 of the CSE Actsometimes information acquired under one aspect can be used for the same, or a consistent purpose, as another. This would satisfy Privacy Act requirements for sharing information internally. However, this principle cannot simply be assumed to apply as the purposes of the aspects differ within the CSE Act. CSE must conduct case-by-case compliance analysis that considers the purpose of the collection and sharing.

NSIRA considers it necessary for the Chief of CSE’s application for a ministerial authorization to fully inform the Minister of National Defence of how IRTC might be used and analyzed by CSE, including the sharing of IRTC to another aspect, and for what purpose. With one exception, the Chief’s applications for the period of review appropriately informed the Minister that retained IRTC might be used to support a different aspect. Moreover, the foreign intelligence applications appropriately informed the Minister how CSE assessed “essentiality” for IRTC collected under the foreign intelligence aspect.

Under CSE policy, an assessment of IRTC’s relevance, essentiality or necessity to each aspect is required for sharing information across the aspects. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA found that CSE’s policy framework with regards to the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with the CSE Act.

Response to NSIRA’s recommendations

NSIRA’s recommendations, CSE’s management response and other details about this review are found in Annex D of this report.

CSE Departmental Study on Disclosures of Canadian Identifying Information

Following a 2020 review of CSE’s disclosures of Canadian identifying information (CII),21 NSIRA concluded that CSE’s implementation of its disclosure regime under the National Defence Act may not have been in compliance with the Privacy Act. On November 25, 2020, following the release of the review, NSIRA submitted a compliance report to the Minister of National Defence. NSIRA was of the opinion that CSE, as the custodian of incidentally collected CII, has the responsibility to assure itself and to document that both a collection and disclosure authority exist before sharing it with third-party recipients. NSIRA then directed CSE to conduct a departmental study of its disclosure of CII from August 1, 2019, to March 1, 2021.

The purpose of the departmental study was to ensure that disclosures of CII conducted by CSE were conducted in a manner that complies with the CSE Actand that all disclosures of CII were essential to international affairs, defence, security or cybersecurity.

CSE provided the completed departmental study to the Minister of National Defence on October 8, 2021, with a copy to NSIRA, on November 1, 2021. NSIRA is satisfied that CSE provided a complete accounting of its disclosure regime for the requested period of review and provided a report that meets the objectives detailed in NSIRA’s terms of reference. In doing so, CSE defined its process for assessing and disclosing CII requests to Government of Canada and foreign clients under the CSE Act while also providing an update on relevant changes that have been made to its disclosure regime based on NSIRA’s recommendations from the last CII review.

The production of the departmental study also provided an opportunity for CSE to review the CII disclosure regime from CSE’s own perspective. This process provides NSIRA with a clearer understanding of how CSE manages its program and evaluates its relevant legal authorities. In addition to contributing to NSIRA’s current understanding of CSE’s disclosure regime, the study will also assist in identifying avenues of inquiry for the planned follow-up review of CII scheduled for 2023.

Statistics

To achieve greater public accountability, NSIRA recommends that CSE publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSE operations, as well as display the evolution of activities from year to year.

Ministerial authorizations and ministerial orders

Ministerial authorizations are issued by the Minister of National Defence and authorize specific activities conducted by CSE pursuant to one of the aspects of the CSE mandate. The following table lists the ministerial authorizations issued between 2019 and 2021.

CSE ministerial authorizations, 2021

Type of ministerial authorizationEnabling section of the CSE ActNumber issued in 2019Number issued in 2020Number issued in 2021
Foreign intelligence26(1)333
Cybersecurity — federal and non- federal27(1) and27(2)212
Defensive cyber operations29(1)111
Active cyber operations30(1)112

Note: This table refers to ministerial authorizations that were issued in the given calendar years and may not necessarily reflect ministerial authorizations that were in effect at a given time. For example, if a ministerial authorization was issued in late 2020 and remained in effect in parts of 2021, it is counted above solely as a 2020 ministerial authorization.

Ministerial orders are issued by the Minister of National Defence and designate people or organizations with whom CSE can work and share information. For instance, a ministerial order designating non-federal information infrastructures as being of importance to the Government of Canada is required for CSE to carry out certain aspects of its cybersecurity and defensive cyber operations mandate. A ministerial order is also required to designate recipients of CII. The following table lists the three ministerial orders in effect in 2021.

CSE ministerial orders, 2021


Nameof ministerial order
In effect in 2021Enabling section of the CSE Act
Designating electronic information and information infrastructures of importance to the Government of Canada121(1)
Designating recipients of information relating to a Canadian or person in Canada acquired, used or analyzedunder the cybersecurity and information assurance aspects of the CSE mandate144(1) and45
Designating recipients of Canadian identifying information used, analyzed or retained under a foreign intelligence authorization pursuant to section45 of the CSE Act143 and 45
Foreign intelligence reporting

Pursuant to section 16 of the CSE Act, CSE is mandated to acquire information from or through the global information infrastructure, and to use, analyze and disseminate the information for the purpose of providing foreign intelligence in accordance with the Government of Canada’s intelligence priorities.

According to CSE, it released 3,050 foreign intelligence end-product reports to 1,627 clients across 28 departments or agencies of the Government of Canada in 2021.

Information relating to a Canadian or a person in Canada

As discussed in NSIRA’s Review of Information Sharing Across Aspects of CSE’s Mandate, IRTC includes information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting foreign intelligence or cybersecurity activities under the authority of a ministerial authorization. According to CSE policy, IRTC is any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.

CSE was asked to release statistics or data about the regularity with which IRTC or “Canadian-collected information” is included in CSE’s end-product reporting. CSE responded that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”

Canadian identifying information

CSE is prohibited from directing its activities at Canadians or persons in Canada. However, given the nature of the global information infrastructure and CSE’s collection methodologies, such information may be incidentally acquired by CSE. When used in CSE foreign intelligence reporting, incidentally collected information potentially identifying a Canadian or a person in Canada is suppressed in order to protect the privacy of the individual(s) in question. CSE may release unsuppressed CII to designated recipients when the recipients have the legal authority and operational justification to receive it and when it is essential to international affairs, defence or security (including cybersecurity).

The following table shows the number of requests CSE received for disclosure of CII in 2021.

Number of requests for disclosure of Canadian identifying information, 2021.

Type of requestNumber
Government of Canada requests741
Five Eyes27 requests90
Non-Five Eyes requests0
Total831

CSE was also asked to release the number of instances where CII is suppressed in CSE foreign intelligence or cybersecurity reporting. CSE indicated that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”

Privacy incidents and procedural errors

A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. CSE tracks such incidents via its Privacy Incidents File, Second-party Privacy Incidents File and Minor Procedural Errors File.

The following table show the number of privacy incidents and procedural errors CSE tracked in 2021.

CSE privacy incidents and procedural errors, 2021

Type of incidentNumber
Privacy incidents96
Second-party privacy incidents33
Minor procedural errors18
Cybersecurity and information assurance

Pursuant to section 17 of the CSE Act, CSE is mandated to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions, as well as non-federal entities which are designated by the Minister as being of importance to the Government of Canada.

CSE was asked to release statistics or data characterizing CSE’s activities related to the cybersecurity and information assurance aspect of its mandate. CSE responded that:

  • Generally, the Canadian Centre for Cyber Security does not comment on specific cyber security incidents, nor do we confirm businesses or critical infrastructure partners that we work with or provide statistics on the number of reported incidents. Statistics on cyber incidents, including cybercrime, are predicated upon victims coming forward, which is not an accurate reflection of the Canadian environment.
  • CSE and its Canadian Centre for Cyber Security work every day to defend Government of Canada systems from cyber attacks. On any given day, CSE’s dynamic defence capabilities block up to seven billion reconnaissance scans on these systems.
Defensive and active cyber operations

Pursuant to section 18 of the CSE Act, CSE is mandated to conduct DCOs to help protect electronic information and information infrastructures of federal institutions, as well as non- federal entities that are designated by the Minister of Defence as being of importance to the Government of Canada from hostile cyber attacks.

Pursuant to section 19 of the CSE Act, CSE is mandated to conduct ACOs against foreign individuals, states, organizations or terrorist groups as they relate to international affairs, defence or security.

CSE was asked to release the number of DCOs and ACOs approved during 2021. CSE responded that it is “not in a position to provide this information for publication by NSIRA, as doing so would be injurious to Canada’s international relations, national defence and national security.”

Technical and operational assistance

As part of the assistance aspect of CSE’s mandate, CSE receives Requests for Assistance from Canadian law enforcement and security agencies, as well as from the DND/CAF.

The following table shows the number of requests for assistance CSE received and acted on in 2020 and 2021.

CSE requests for assistance received and acted on, 2020 and 2021

Requests for assistance20202021
Number received2435
Number acted on2332

2022 CSE review plan

In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, both of which implicate CSE, NSIRA has initiated or is planning the following five reviews of CSE:

Review of CSE’s Internal Security Program (Safeguarding)
This review will examine how CSE safeguards its employees, information and assets. It will explore the ways in which CSE mitigates internal security risks through inquiries and investigations, and in particular, the use of the polygraph as a tool in the security screening process. This review will alsoassess CSE’s compliance with Treasury Board security policies and directives, as well as the adequacy of, adherence to and effectiveness of CSE’s internal processes used to address potential or actual security incidents, violations and breaches of security.
Review of Cybersecurity — Network-Based Solutions
This will be NSIRA’s first review focused on the cybersecurity and information assurance aspect of CSE’s mandate. It will explore the use of a specific tool: Network Based Solutions as outlined within the cybersecurity ministerial authorization.
Review of Active and Defensive Cyber Operations — Part 2 (Operations)
This review is the continuation of NSIRA’s examination of CSE’s active and defensive cyber operations conducted prior to July 30, 2021. The first review focused on the internal policies and procedures governing CSE’s use of active and defensive cyber operations. This review builds on NSIRA’s previous work and will focus on the implementation of these governance structures in actual operations.
Review of a Program under the Foreign Intelligence Mandate
This is a review of a classified program under the foreign intelligence aspect of CSE’s mandate. Thisprogram is authorized by a ministerial authorization, which also sets out its parameters.
Review of CSE-CSIS Operational Collaboration
This review will examine operational collaboration between CSE and CSIS, both under the assistance aspect of CSE’s mandate, but also as it relates to joint operational activities coordinated between them under each agency’s respective mandates.

Beyond 2022, NSIRA intends to review topics including, but not limited to:

  • an annual compliance review of CSE;
  • CSE’s signals intelligence(SIGINT) retention practices;
  • a CSE collection program conducted under a ministerial authorization; and
  • CSE’s Equities Management Framework.

Access to CSE information

In its 2020 Public Annual Report, NSIRA noted that it was seeking to formalize CSE’s provision of specific categories of information on a regular basis, such as ministerial authorizations, orders and directives, which would be used to ensure compliance of activities and to inform the conclusions NSIRA provides in the annual classified report to the Minister of National Defence. NSIRA will commence this review, called the annual compliance review of CSE, in 2022. NSIRA is pleased to report that CSE has already begun the process of providing the requested information.

NSIRA also previously reported that a lack of comprehensive and independently verifiable access to CSE’s information repositories posed a significant challenge to NSIRA’s ability to review CSE’s activities. In 2021, this challenge persisted.

In 2021, NSIRA sought to develop direct access to CSE information repositories, further to NSIRA’s “trust but verify” review model. With the exception of dedicated office space, which NSIRA continues to utilize at CSE’s Headquarters, NSIRA and CSE have been unable to achieve a workable trust-but-verify model for any reviews of CSE to date, despite several proposals for test cases brought forward by NSIRA throughout the year. NSIRA remains committed to developing a greater degree of verifiable access to CSE information so as to ensure the robustness of its findings and recommendations and, in turn, provide greater transparency of CSE activities to Parliament and the Canadian public.

In lieu of direct access to CSE information repositories, NSIRA has to rely on CSE External Review staff to collect relevant information held by CSE on its behalf. CSE External Review organizes briefings by subject matter experts, solicits responses to specific questions, and coordinates searches by CSE staff through information repositories for documents and other materials relevant to reviews. NSIRA recognizes the work of CSE External Review staff and thanks them for their contribution to the work of review.

However, reliance on CSE to locate, collate and curate information for NSIRA is not a proper long-term alternative to direct access. Currently, and on receipt of a request for information, CSE conducts a lengthy process to locate and collect information, followed by an internal review of this information to determine relevance prior to releasing materials to NSIRA. CSE’s predetermination of relevance of information undercuts NSIRA’s authority to decide whether information relates to its reviews and contributes to significant delays in the provision of information to NSIRA. Furthermore, this process creates a burden on CSE staff to coordinate responses to NSIRA’s information requirements. This workload could be substantially reduced by allowing NSIRA to conduct its own searches in CSE’s information repositories. Concurrently, it would serve as an element of verification that could strengthen NSIRA’s confidence in the completeness of information reviewed.

Beyond the issues related to limitations on NSIRA’s ability to trust but verify are ongoing concerns related to CSE’s responsiveness. As mentioned above, significant delays in the provision of information continued to pose a disruptive challenge to all NSIRA reviews of CSE activities in 2021. Although the COVID-19 pandemic interrupted life everywhere, it alone could not account for the extent of delays experienced during 2021. The timely provision of information required for a review not only facilitates the work of NSIRA, but is a legal requirement to which NSIRA expects CSE to adhere.

The sole exception to NSIRA’s right of access to information under the control of CSE is a confidence of the Queen’s Privy Council for Canada, otherwise known as a Cabinet confidence. Information subject to the Privacy Act, or any other act of Parliament, for that matter, as well as highly classified or Exceptionally Controlled Information (ECI) must be made available to NSIRA in a timely manner, when it relates to a review. This was not always the case in 2021.

In light of the ongoing challenges to NSIRA reviews of CSE activities, NSIRA continues to be of the opinion that the only mechanism to ensure a high degree of confidence, reliability and independence in its work is to have direct access to information relevant to its reviews. One important way by which CSE can continue to increase the level of transparency for its activities is to facilitate greater direct access for external review. For NSIRA to be able to conduct its work with a high degree of confidence, it must be able to verify the accuracy and completeness of the information on which it bases its findings and recommendations. NSIRA will continue to work with CSE to identify ways it can begin to implement additional elements of NSIRA’s trust but verify methodology in a more comprehensive and meaningful manner.

2.3 Other government departments

Overview

Beyond CSIS and CSE, NSIRA initiated reviews of the following departments and agencies in 2021:

  • the Department of National Defence / Canadian Armed Forces (DND/CAF);
  • the Royal Canadian Mounted Police (RCMP);
  • Immigration, Refugees and Citizenship Canada (IRCC);
  • the Canada Border Services Agency (CBSA); and
  • Transport Canada.

As well, through the annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has engaged with all departments and agencies that make up the Canadian national security and intelligence community.

The following sections outline reviews completed or initiated in 2021, by department or agency, as well as some planned future reviews.

Department of National Defence and the Canadian Armed Forces

Study of the Defence Intelligence Enterprise of the Department of National Defence and the Canadian Armed Forces

The purpose of this study was threefold. The primary objective focused on understanding the concept of the Defence Intelligence Enterprise (DIE), the umbrella under which DND/CAF conducts its intelligence activities. The second objective focused on developing an understanding of the compliance and oversight functions within the DIE, as well as the reporting of instances of non-compliance. Finally, the information gathered through the two primary objectives of this review provided NSIRA with prerequisite knowledge to help design future reviews.

Although comprising only a small percentage of the work of DND/CAF, the intelligence function is growing both in how DND/CAF perceives its importance, as well as in resource allocation. All of DND/CAF’s intelligence activities and structures fall within the DIE and without an understanding of this enterprise, NSIRA’s review plan would lack focus and organization. The DIE represents a large and complex structure with widely varied activities and functions. Successive reviews will build on NSIRA’s knowledge and experience, as well as developing the required expertise to proactively identify areas of future review. In addition, having a more complete understanding of the DIE will help NSIRA better situate DND/CAF in the broader security and intelligence community, so it can identify more opportunities for horizontal review activities.

This study also helped to highlight and identify some of the challenges NSIRA may face in reviewing DND/CAF moving forward. Notably, DND/CAF represents a large and complex structure with widely varied activities and functions. Reporting structures are complex. For example, DND senior management structures report directly to the Deputy Minister, CAF Commands report directly to the Chief of the Defence Staff, and some accountability structures require reporting to both. NSIRA also observed that information collection and storage procedures vary across the organization and that it has over 180 independent electronic repositories. The combination of these elements emphasizes the importance of maintaining strong working relationships with DND/CAF to help navigate access to timely information and assets. NSIRA is working closely with DND/CAF on how to overcome these challenges, including the possibility of providing detailed search strings and follow-up briefings to attest to the reliability, completeness and specificity of the provided documentation.

Review of the Canadian Forces National Counter-Intelligence Unit — Operational Collection and Privacy Practices

This review was a follow up to last year’s review of the Canadian Forces National Counter- Intelligence Unit (CFNCIU). This year’s review focused on how IT searches were used to support counter-intelligence investigations. NSIRA assessed whether IT searches and the collection of information in support of counter-intelligence investigations interfered with individuals’ reasonable expectation of privacy in the circumstances.

Over the course of the review, NSIRA identified three areas of concern tied to the requests for, and conduct of, counter-intelligence internal IT network searches. These are arranged under the following categories: (1) CFNCIU’s search of a subject’s email, internet and removable device activity; (2) the CFNCIU checklist used to identify and restrict search parameters, and how applicable stakeholders define search parameters; and (3) the use acquired information to expand supplementary searches.

NSIRA believes that DND employees and CAF members have a reasonable expectation of privacy when using work computers for personal use. CFNCIU requires the assistance of police or security agencies to obtain search warrants or technical intercept services, under Level II and Level III investigations. NSIRA found that CFNCIU may be inappropriately relying on DND/CAF policies as lawful authority to interfere with a subject’s reasonable expectation of privacy.

NSIRA observed that information obtained by CFNCIU via the checklist has the potential to capture intimate and personal information that touches on a subject’s biographical core. NSIRA found that the checklist risks capturing information that is protected by section 8 of the Charter. NSIRA also found that DND/CAF is applying a definition of metadata that captures information that could be subject to a reasonable expectation of privacy.

NSIRA observed that CFNCIU IT inquiries used broad search parameters, which may include information not relevant to the investigation. These parameters were applied as broad approvals with no specific internal controls or oversight at both the operational and working levels. Collection techniques, due in part to the limitations of IT audit tools and broad search parameters, resulted in a wide net being cast. NSIRA found that the investigative IT system practices observed in the context of CFNCIU’s counter-intelligence investigations have insufficient legal oversight to ensure that they are as minimally invasive as possible.

As a result of these findings, NSIRA recommended that DND/CAF suspend investigative IT system practices in the context of CFNCIU counter-intelligence investigations until a reasonable legal authority has been established. Once a reasonable legal authority has been established, DND/CAF should create a new policy framework that is reflective of the noted findings.

Response to NSIRA’s recommendations

NSIRA’s recommendations, DND/CAF’s management response and other details about this review are found in Annex D of this report.

Reviews planned or in progress

NSIRA has several reviews planned for DND/CAF and will conduct further work on two in 2022. The first one in progress is NSIRA’s review of DND/CAF’s human intelligence (HUMINT) program. This review will examine the entirety of the human source handling program used by DND/CAF.

Second, NSIRA is currently examining the domestic open-source collection activities of DND/CAF. More specifically, this review will take a closer look at legal authorities and the policy framework, program support and training, information and technology management systems, collection activities, intelligence production and dissemination, and oversight and accountability mechanisms.

Access to DND/CAF information

DND/CAF is the largest federal government department, both in terms of personnel (127,000 including regular and reserve forces) and number of physical locations occupied (42 in the National Capital Region alone). Given its domestic and international breadth, information collection and storage varies across the organization, with 180+ independent electronic repositories. NSIRA primarily accesses information through DND/CAF’s liaison body, the National Security and Intelligence Review and Oversight Coordination Secretariat (NSIROCS).

To help ensure that NSIRA receives timely and complete access to requested information, DND/CAF has formalized processes for responding to requests for information that includes a Level 1 (assistant deputy minister or equivalent) approval and attestation. Therefore, when NSIROCS receives a request for information, it coordinates with internal stakeholders to provide the requested information and submit it for Level 1 approval, after which the assistant deputy minister (or equivalent) provides a managerial attestation verifying the completeness and accuracy of the information provided.

NSIRA has also established direct access to specific DND/CAF IT systems for an ongoing review, and is working on a “proxy access” model for future reviews. Ultimately, the nature and scope of the review will dictate the access and verification model to be applied. NSIRA remains committed to working with NSIROCS to ensure that access and verification processes meet review requirements.

Royal Canadian Mounted Police

Reviews in progress or planned

NSIRA is currently working on three reviews focused exclusively on the RCMP. One of these reviews assesses the RCMP’s use of human sources in national security criminal investigations. Another review examines how the RCMP bypasses encryption when it intercepts private communications in national security criminal investigations. Lastly, NSIRA’S review of the Operational Research Unit of the RCMP will be examining the unit’s access to and use of security intelligence. The RCMP is also implicated in one multi- departmental review that is discussed below.

Access to RCMP information

NSIRA began reviewing the RCMP in 2020 and does not yet have direct access to the RCMP’s IT systems. The decentralized nature of the RCMP’s information holdings, COVID-19- related restrictions, and limitations resulting from other emergencies have resulted in delays in the RCMP providing NSIRA with requested information. NSIRA is committed to working with the RCMP’s National Security External Reviews and Compliance (NSERC) team to establish approaches for the timely provision of information.

In lieu of direct access to RCMP IT systems, NSIRA currently relies on the RCMP’s NSERC team to collect relevant information. NSIRA thanks the NSERC team for its contribution to the work of review but looks forward to working toward direct access to RCMP IT systems or alternate independent verification processes that provides NSIRA with independent confidence in the reliability and completeness of the information it has access to.

Canada Border Services Agency

In 2021, NSIRA completed its review of the Government of Canada’s use of biometrics in the border continuum that, while also examining IRCC and Transport Canada, had a strong CBSA component. The summary of this review can be found in the multi-departmental review section below.

NSIRA also made considerable progress on two CBSA -focused reviews. The first review is of air passenger targeting and examines the CBSA’s use of predictive analysis to identify inbound air travellers for further scrutiny in relation to national security threats. The second review assesses the CBSA’s use of confidential human sources, building on prior work in this area by National Security and Intelligence Committee of Parliamentarians.

Financial Transactions and Reports Analysis Centre of Canada

NSIRA is currently working on its first review of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). NSIRA will examine FINTRAC’s existing regime for sharing information with its domestic and international partners by looking at queries and disclosures to foreign financial intelligence units.

2.4 Multi-departmental reviews

Study of the Government of Canada’s Use of Biometrics in the Border Continuum

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this review, NSIRA examined activities conducted by the CBSA, IRCC and Transport Canada. The review also extended to the RCMP, which plays a supporting role in one of the major IRCC-led programs using biometrics.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country — and consequently determining whether they have a right to enter, or what risks they might pose — serves a national security function. In this way, the use of biometrics requires an assessment of the balance between security and privacy.

The immediate objective of this review was to map the nature and scope of biometric activities occurring in this space. This included examining the collection, retention, use and disclosure of biometric information, as well as the legal authorities under which these activities occur. This review also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics.

This review identified a set of observations linked to nine overarching themes:

  • Biometrics and national security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
  • The steady-state activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
  • Expanding use of biometrics over time. The use of biometrics in the border continuum has significantly expanded over the last three decades and is likely to continue expanding in the future. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
  • Pilot projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented without sufficient legal analysis or policy development. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
  • Evolving legal and societal norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable — but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
  • The dual use of biometrics. NSIRA observed several instances of possible dual use of biometric information in the activities examined in this report. Even where new uses of biometrics offer demonstrable benefits, new uses must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against dual use in the context of biometric activities.
  • Technical systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of the systems is complex, though not necessarily problematic.
  • Visibility into algorithms. Departments and agencies have limited ability to see how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
  • Preventing bias and discrimination. IRCC and the CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2020

In November 2021, NSIRA and the Office of the Privacy Commissioner of Canada (OPC) completed a joint review of the 215 disclosures made under the Security of Canada Information Disclosure Act (SCIDA) in 2020 — NSIRA’s first joint review with another review body.

SCIDA encourages and facilitates the sharing, or disclosure, of information within the federal government to protect against activities that undermine or threaten national security, subject to certain conditions. SCIDA permits disclosures of information where the disclosing federal institution satisfies itself that the information will contribute to the exercise of the recipient federal institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than is reasonably necessary. This is called the disclosure test.

The review found that 212 of the 215 disclosures (approximately 99%) appeared to meet both parts of the disclosure test. In the remaining three disclosures, the information appeared speculative, with no clear connection to activities that undermine the security of Canada. All three of the disclosures of concern were proactive disclosures by the RCMP. Of particular interest was the RCMP’s disclosure of the identities and biometric information about approximately 2,900 individuals to the CAF. NSI RA and the OPC recommended that the RCMP update its policies and practices to support compliance with the disclosure test, that the institution that received the disclosure of concern from the RCMP delete or return the information unless they can demonstrate a valid reason not to,and that any institution disclosing personal information about a large number of individuals (bulk disclosure) exercise heightened due diligence.

The records reviewed also highlighted one case of a verbal disclosure made to CSIS months prior to a formal SCIDA disclosure and without an apparent source of legal authority. NSIRA and the OPC recommended that institutions with national security expertise ensure that when they request personal information for national security purposes from other federal institutions, they make it clear that their request, in and of itself, does not constitute or confer authority on the other institution to disclose personal information.

Based on CSE’s and IRCC’s information-sharing patterns under SCIDA, NSIRA and the OPC recommended that these two institutions enter into an information-sharing arrangement, and that GAC and CSIS update their information-sharing arrangement to incorporate SCIDA’s guiding principles.

Finally, the review examined the federal government’s SCIDA policies. The review found that Public Safety Canada developed a SCIDA guide for federal institutions, led an interdepartmental working group, and provided training that included all 17 of the federal institutions listed in SCIDA. The review also found that 16 of the 17 federal institutions listed in SCIDA — the exception being the Canadian Food Inspection Agency — have policies to support compliance with SCIDA. NSIRA and the OPC recommended that the Canadian Food Inspection Agency develop a similar framework to implement a SCIDA policy.

Response to NSIRA’s recommendations

NSIRA’s recommendations, the management response of reviewees and other details about this review are found in Annex D of this report.

Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020

The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA) and directions issued according to the ACA seek to prevent the mistreatment of any individual as a result of information exchanged between a department of the Government of Canada and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the ACA and the directions lay out a series of requirements that need to be met or implemented when handling information.

This review covered the implementation of the directions sent to 12 departments and agencies from January 1, 2020, to the end of the calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the ACA.

This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the COVID-19 pandemic impacted their information-sharing activities, such as the number of cases requiring further review as per the ACA. As such, NSIRA found that from January 1, 2020, to December 31, 2020, no cases under the ACA were issued to deputy heads in any department.

While NSIRA was pleased with the considerable efforts made by many departments new to the ACA in building their frameworks, the CBSA and Public Safety Canada had not finalized their policy frameworks in support of the directions received under the ACA within the review period.

Mitigation measures used by departments were also reviewed this time, since they are an integral part in the information-sharing process for departments.

NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and directions, irrespective of whether a department reported any cases to its deputy head. Finally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.

Reviews planned or in progress

In the future, NSIRA intends to continue to take advantage of its mandate to “review any activity carried out by a department that relates to national security or intelligence” by pursuing more multi-departmental reviews and avoiding examinations in siloes. In addition to the mandated annual SCIDA and ACA reviews, NSIRA plans to work on two more reviews involving multiple departments. The first one is a review of how CSIS and the RCMP manage threats posed by ideologically motivated violent extremism. The second review will study the relationship between CSE and CSIS on operational activities.

2.5 Technology in review

Integration of technology in review

Traditionally associated with the systems and software responsible for the administrative support of an organization, IT plays an increasingly large role in the operational activities of Canada’s national security and intelligence community. By taking advantage of rapid advances in cutting-edge technologies, Canada’s security and intelligence community is operationalizing advancements in technology to a degree greater than ever before. Modern national security and intelligence agencies must not only use new technologies to enhance their respective mandates, but they also do so to keep abreast of new opportunities, as well as new threats.

These advancements happen quickly, are complex and are often unique to each institution. Furthermore, emerging technologies, while ostensibly developed for one purpose, often have unforeseen implications on civil liberties and privacy, especially when used in an intelligence or security capacity. It is essential for an accountability body like NSIRA to keep pace with the use of developing technologies in Canada’s national security and intelligence community to ensure that the organizations it is responsible to review are discharging their mandates lawfully, reasonably and appropriately.

The vision for NSIRA’s Technology Directorate is to enhance the review landscape to incorporate an appropriate focus on the use and implementation of technology by security and intelligence agencies in Canada. By extending its reach into the practical applications of technology, and by entrusting this new focus to an in-house team of engineers, computer scientists and experienced review professionals, NSIRA will be well placed to ensure that the departments and agencies are held accountable for the decisions they make in leveraging the various aspects of emerging technology.

The development of this capacity at NSIRA will also provide a unique opportunity to build a review model that will put us on equal footing within the Five Eyes and the international review community. Without dedicated in-house technology expertise, NSIRA’s work will not stay current with contemporary national security legal and compliance risks or issues.

To that effect, NSIRA’s Technology Directorate will:

  • lead the review of IT systems and cutting-edge technical advancements;
  • conduct independent technical investigations;
  • support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP requiring technological expertise to assess the evidence;
  • produce reports explaining and interpreting sophisticated technical subjects;
  • assess the risk of a reviewed entity’s IT compliance with applicable laws and policy;
  • recommend IT system and data safeguards to minimize the risk of legal non- compliance;
  • lead the integration of technology themes into yearly NSIRA review plans; and leverage external expertise in the understanding and assessment of IT risks.

Future of technology in review

In 2022, NSIRA will continue to increase the number of employees working in the Technology Directorate as it takes an increasingly active and significant role. It will also lead the first technology-focused reviews of the lifecycle of CSIS information collected by technical capabilities pursuant to a Federal Court warrant. NSIRA is also scheduled to review CSE’s SIGINT retention practices in 2023.

In terms of important considerations for ongoing reviews, NSIRA Technology Directorate has identified the following three technology-related topics as priorities for consideration:

  • dual-use technologies;
  • data warehousing, bulk data and data analytics; and
  • automated decision-making.

As Canada’s security and intelligence community continues to grow its technical collection and analytic capacity, NSIRA must develop its own expertise in technical review in tandem. Over the next year, NSIRA intends to establish domestic and international partnerships and develop working relationships with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches. NSIRA’s Technology Directorate will also support the NSIRA complaint investigations team to understand where and when technology advancements could be applied to NSIRA investigations.

2.6 Review policies and processes

Method for assessing timeliness

Guidelines for assessing timeliness in reviews​​​​​​​

To ensure greater accountability and predictability, NSIRA will be using the following guidelines to assess the timeliness of reviewee responses to requests for information (RFIs) during the review process, and will comment both privately and publicly on the outcomes. Notably, NSIRA’s annual report will track timeliness each year. These guidelines provide clear, standardized expectations on this important aspect of the review process.

Standard request for information (RFI) timelines

Much of the information requested by NSIRA falls into two categories: “off-the-shelf,” readily available material, and material requiring additional work to compile. Off-the-shelf material may include items such as policy documents, ministerial directives, operational policies, legal opinions and standard operating procedures. Information that requires additional work to compile may include things such as material that requires data manipulation or explanations and material in certain specialized databases and emails. RFIs will clearly state which type of material they pertain to, and standard timelines of 15 or 30 days, respectively, will be provided for responses.

Non-standard RFI timelines

NSIRA may deem it necessary to provide longer response times for information requests, for example, when the review covers new subject matter, the request is expected to return a large amount of information or documentation, or the reviewee has other ongoing reviews or other operational considerations. Non-standard timelines are at NSIRA’s discretion and will be applied based on the judgment of the review team.

NSIRA recognizes that extraordinary factors and extenuating circumstances may affect responses to requests for information and documentation. To accommodate this, reviewees may present, with significant justification, an alternative RFI timeline to the one originally provided. This should be done on receipt and review of the request, if possible. The decision to grant an extension is made by the NSIRA review team, and other arrangements, such as providing the requested information in tranches, can be considered. Regardless, RFI’s will always have an associated response timeline attached to them. This timeline will determine whether subsequent remedial steps are required.

Remedial steps

NSIRA will implement a three-stage approach to engage reviewees when no response is received to an RFI within the associated timeline. When a deadline is missed with no satisfactory response, NSIRA will escalate its concerns progressively by sending a series of letters to the assistant deputy minister, deputy minister and, finally, the responsible minister.

The letters will be attached as an annex to the related review and will inform an overall assessment of timeliness of the reviewee in NSIRA’s public annual report. The above guidelines will also be reviewed annually and may be updated based on the outcome of their ongoing implementation to ensure they meet their objectives.

Implementation of recommendations

The key outcomes of the work flowing from NSIRA’s review mandate are typically captured and distilled in the recommendations NSIRA provides based on its findings. In most NSIRA reviews completed since its inception, NSIRA has issued recommendations to the departments and agencies under review. In turn, reviewees have provided responses to these recommendations, which may include a plan for implementation. With a little over two years since recommendations for the first NSIRA reviews were issued, NSIRA believes enough time has elapsed to begin seeing the results of the implementation of these recommendations reflected in reviewees’ activities and policies. Therefore, NSIRA will begin considering the most appropriate means to track and evaluate the implementation of the recommendations issued in past reviews.

NSIRA will discuss with agencies and departments that were reviewed how to evaluate the implementation of past recommendations. For example, if issues and challenges remain unaddressed, NSIRA may initiate follow-up reviews. NSIRA’s public annual report may also raise issues in the implementation of recommendations as needed.

Verification

As noted above, verification is a fundamental component of credible and professional independent review. NSIRA must be able to test the completeness or accuracy of information it may receive as a matter of course during every review. This component is key to NSIRA’s ability to assure its stakeholders that it has confidence in the information it receives during a review, and thereby in the findings and conclusions of the review.

During a review, NSIRA is entitled to receive all information it deems relevant, except for Cabinet confidences. This feature of the NSIRA Act is critical for the success of NSIRA’s mandate. For NSIRA to assure Parliament and Canadians that it has a high level of confidence in the information it receives, departments and agencies under review are expected to support processes that satisfy NSIRA’s requirement to independently verify the completeness and accuracy of information provided by the department or agency. For example:

  • provide NSIRA, in support of each review, an index of documents provided, and an indication as to whether any information has been altered or removed and why; and
  • include a record of how searches of information are conducted, including which search terms were used, and which databases were queried.

Reviewees should always expect an element of verification as a regular part of each review. In keeping with its commitment to transparency and methodological rigour, NSIRA reviews now contain a “confidence statement.” This statement reflects NSIRA’s ability to verify information during a review. The confidence statement also provides important additional context to the review, apprising readers of the extent to which NSIRA has been able to verify necessary or relevant information during the review, and whether its confidence was impacted as a result of this exercise. 

Complaints investigations

3.1 Overview

In the course of the year, NSIRA continued to adapt in conducting its complaints investigations by using innovative approaches. This included the use of videoconference technology for its hearings and investigative interviews, as well as finding procedural efficiencies such as proceeding with some investigations in writing. In part due to challenges inherent to the COVID-19 pandemic, NSIRA experienced delays in its investigations stemming from reduced responsiveness in accessing information and evidence. Annex E contains statistics for NSIRA’s complaints investigations in 2021.

Advancing the investigations and obtaining evidence presented issues for both NSIRA and the federal government parties to investigations that were obligated to provide information to NSIRA. In several ongoing matters, NSIRA granted adjournments and extensions of deadlines for procedural steps, including the filing of submissions and evidentiary material. In addition to pandemic-related delays, NSIRA notes that federal government parties to investigations cited other reasons for their requests for extensions of deadlines to file material, such as issues related to availability of witnesses and shortage of resources. Furthermore, NSIRA had to ask for additional information in response to incomplete initial disclosures in more than one investigation, which also created delays.

As to NSIRA’s investigation caseload in 2021, NSIRA dealt with a continued substantial increase in its inventory of cases. This increase resulted from 58 complaints referred in April 2021 to NSIRA for investigation by the Canadian Human Rights Commission, pursuant to subsection 45(2) of the Canadian Human Rights Act. This high-volume caseload has impacted NSIRA’s overall management of its cases.

NSIRA has also been focusing on strengthening its program delivery by working on strategies for the collection, analysis and use of race-based and demographic data in the context of the complaints investigation process. Working closely with its partner, the Civilian Review and Complaints Commission for the RCMP, NSIRA has been developing strategies of common interest in improving procedures to take into account considerations of diversity and inclusion. The specific objective is to improve access to justice by improving awareness and understanding of the investigation process. The intent is also to document the different racial groups among civilian complainants and determine:

  • whether there are significant racial disparities;
  • whether there are racial differences with respect to the types of complaints made against national security organization members based on different groups;
  • the frequency of complaints that include allegations of racial or other forms of bias; and
  • whether complaint investigation outcomes vary by racial group.

Looking to the year ahead, NSIRA will analyze procedural data with respect to the timelines of its investigations in order to inform the establishment of new service standards, continuing its efforts to ensure efficiency and transparency in the process. NSIRA is mindful that service standards are based on time commitments in normal circumstances. As the public health situation with respect to the COVID-19 pandemic continues to improve, NSIRA looks forward to the cooperation of federal government parties in increasing their responsiveness to advance investigations. In light of NSIRA’s objective of developing service standards, it will be adopting a measured approach to requests for adjournments and extensions of deadlines, which will be permitted in exceptional circumstances. Also for the year ahead, NSIRA will continue to improve its website to promote accessibility to and relevance of processes in the investigation of complaints.

3.2 Status of complaints investigation process reform

In 2021, NSIRA completed its investigation process reform initiative after a complex consultation with multiple stakeholders. In July 2021, NSIRA launched its new process that included the implementation of its new rules of procedure, aiming to provide greater accessibility as well as greater efficiency in NSIRA’s investigation mandate. Investigations under this new model show early signs of efficiency in that NSIRA has set timelier dates for the conduct of investigative interviews.

3.3 Investigations

Final report summaries

Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-516)

Background​​​​​​​

The Complainant filed a complaint against the Canadian Security Intelligence Service (CSIS) regarding its involvement in different incidents with airport authorities while the Complainant was travelling.

In addition, the Complainant alleged harassment, possible interference with employment opportunities, interference with a passport application, intercepting and reviewing mail, and disrupting personal relationships.

Investigation

During the investigation, the Complainant raised several separate incidents that led to the filing of their complaint. NSIRA reviewed the evidence before it to determine whether CSIS’s actions were reasonable and proportionate in the circumstances; whether CSIS’s actions constituted harassment; and whether it had acted lawfully.

NSIRA considered the evidence given by witnesses, the documentation submitted by the parties, as well as other relevant material made available during the course of the investigation of the complaint. NSIRA also heard evidence provided by the Complainant.

With respect to one specific incident in dealing with airport authorities while travelling, NSIRA heard evidence by witnesses regarding section 8 of the Canadian Charter of Rights and Freedoms (Charter). Section 8 of the Charter provides that everyone has the right to be secure against unreasonable search and seizure.

Conclusion

With respect to all allegations, NSIRA determined that the complaint is unsupported. However, concerning events related to CSIS participating in a Canada Border Services Agency search of the Complainant’s cell phone at an airport on one occasion, NSIRA found that CSIS breached section 8 of the Charter.

NSIRA concluded that CSIS did not take the Complainant’s privacy interests casually and did not deliberately disregard privacy considerations in relation to the search. The breach of section 8 of the Charter was not egregious and constituted an error in judgment.

Reopened Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-471)

Background

NSIRA issued a supplemental final report resulting from a reopened investigation that was concluded by its predecessor, the Security Intelligence Review Committee (SIRC).

The Complainant alleged that CSIS had violated his constitutional rights due to his race and religion as well as his refusal to work as a human source. He further alleged that CSIS agents were harassing him by stopping him in airports and following him. Lastly, the Complainant alleged that CSIS had disclosed false information to a foreign entity, which resulted in him being held for eight hours without food in a foreign country’s airport.

In SIRC’s final report, SIRC concluded that the Complainant’s allegations of discrimination and harassment were unsupported. SIRC also concluded that the actions of CSIS officials had violated section 12 of the CSIS Actministerial directions, policies and operational procedures, and that these actions resulted in adverse consequences for the Complainant.

NSIRA’s reopened investigation was strictly limited to two questions of law: (1) whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings; and (2) whether CSIS was required to obtain an individual targeting authority against the Complainant.

Investigation

The investigation of the reopening was deemed to be continued before NSIRA pursuant to subsection 11(1) of the National Security Act. NSIRA considered the documentation submitted by the parties, including classified submissions and documents filed by CSIS. NSIRA also considered the submissions filed by the Complainant as well as any other relevant material made available during the course of the investigation of this reopening.

With respect to whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings, CSIS conceded during the investigation that it requires reasonable grounds to suspect that activities constitute a threat to the security of Canada, as described in section 2 of the CSIS Act, to conduct such initial inquiries of its operational holdings.

On the facts of this case, NSIRA determined that SIRC had correctly found that CSIS did not possess objective facts about activities that met the requisite reasonable grounds to suspect standard.

With regard to whether CSIS was required to obtain an individual targeting authority against the Complainant, NSIRA concluded that SIRC’s findings of fact regarding the extent and manner in which CSIS investigated the Complainant would not be revisited by NSIRA. NSIRA found that SIRC’s conclusion that there is a point in the CSIS investigation where CSIS agents were specifically investigating the activities of the Complainant was unequivocal, and, therefore, it was clear that CSIS should have obtained an individual targeting authority against him, yet failed to do so.

Conclusion

NSIRA determined that SIRC’s report and the findings were affirmed.

Conclusion

In 2021, NSIRA delivered on its mandate by completing reviews on a wide array of federal departments and agencies involved in national security and intelligence activities. Similarly, despite the challenges of the COVID-19 pandemic for complaints investigation proceedings and a large increase in its workload, NSIRA adapted its methods and continued its efforts to improve its program delivery.

NSIRA aims to increase its capacity to review technology and its practical use in national security and intelligence activities. The ongoing growth in NSIRA’s staff complement will also help the organization review a greater variety of national security and intelligence activities and continue to progress in its investigation of a large number of complaints.

NSIRA remains committed to engage with non-government stakeholders. NSIRA took note of feedback on its prior annual report and will continue to aim to improve its usefulness.

Once again, NSIRA members are very grateful for the excellent work of the Secretariat staff and their dedication to the organization’s mission of promoting greater accountability in the Canadian security and intelligence community and improving the confidence of Canadians in their oversight institutions.

Share this page
Date Modified:

Quarterly Report: For the quarter ended June 30, 2022

Date of Publishing:

Introduction

This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2022–23 Main Estimates.

This quarterly report has not been subject to an external audit or review.

Mandate

The National Security and Intelligence Review Agency (NSIRA) is an independent external review body that reports to Parliament. Established in July 2019, NSIRA is responsible for conducting reviews of the Government of Canada’s national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and their activities.

A summary description NSIRA’s program activities can be found in Part II of the Main Estimates. Information on NSIRA’s mandate can be found on its website.

Basis of presentation

This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the agency’s spending authorities granted by Parliament and those used by the agency, consistent with the 2022–23 Main Estimates. This quarterly report has been prepared using a special-purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.

The authority of Parliament is required before money can be spent by the government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authorities for specific purposes.

Highlights of the fiscal quarter and fiscal year-to-date results

This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended June 30, 2022.

NSIRA spent approximately 12% of its authorities by the end of the first quarter, compared with 9% in the same quarter of 2021–22 (see graph 1).

Graph 1: Comparison of total authorities and total net budgetary expenditures, Q1 2022–23 and Q1 2021–22

Graph: Variance in authorities as at June 30, 2022 - Text version follows
Comparison of total authorities and total net budgetary expenditures, Q1 2022–23 and Q1 2021–22
  2022-23 2021-22
Total Authorities $28.3 $30.2
Q1 Expenditures $3.3 $2.8

Significant changes to authorities

As at June 30, 2022, Parliament had approved $28.3 million in total authorities for use by NSIRA for 2022–23 compared with $30.2 million as of June 30th, 2021, for a net decrease of $1.9 million or 6.3% (see graph 2).

Graph 2: Variance in authorities as at June 30, 2022

Graph: Variance in authorities as at June 30, 2022 - Text version follows
Variance in authorities as at June 30, 2022 (in millions)
  Fiscal year 2021-22 total available for use for the year ended March 31, 2022 Fiscal year 2022-23 total available for use for the year ended March 31, 2023
Vote 1 – Operating 28.5 26.5
Statutory 1.7 1.7
Total budgetary authorities 30.2 28.3

*Details may not sum to totals due to rounding*

The decrease of $1.9 million in authorities is mostly explained by a gradual reduction in NSIRA’s ongoing operating funding.

Significant changes to quarter expenditures

The first quarter expenditures totaled $3.3 million for an increase of $0.5 million when compared with $2.8 million spent during the same period in 2021–22. Table 1 presents budgetary expenditures by standard object.

Table 1

Variances in expenditures by standard object(in thousands of dollars) Fiscal year 2022–23: expended during the quarter ended June 30, 2022 Fiscal year 2021–22: expended during the quarter ended June 30, 2021     Variance $ Variance %
Personnel 2,345 2,312 33 1%
Transportation and communications 44 13 31 23*
Information 5 2 3 150%
Professional and special services 846 196 650 332%
Rentals 10 0 10
Repair and maintenance 31 8 23 288%
Utilities, materials and supplies 16 3 13 433%
Acquisition of machinery and equipment 9 216 (207) (96%)
Other subsidies and payment (2) 12 (14) (117%)
Total gross budgetary expenditures 3,304 2,762 541 20%

Transportation and communications

The increase of $31,000 relates to increased travel, as travel restrictions due to COVID-19 are no longer in place in Canada.

Professional and special services

The increase of $650,000 is explained by a change in the timing of invoicing for the maintenance and services in support of our classified IT network infrastructure.

Rentals

The increase of $10,000 is explained by rent for temporary office space and software support licenses.

Repair and maintenance

The increase of $23,000 is explained by office accommodation fit-up costs.

Utilities, materials and supplies

The increase of $13,000 is explained by the acquisition office supplies.

Acquisition of machinery and equipment

The decrease of $207,000 is explained by a one-time bulk purchase of monitors and other computer equipment made in the first quarter of 2021-22.

Other subsidies and payments

The decrease of $14,000 is explained by a reduction in emergency salary advances and payroll system overpayments. NSIRA is showing a negative balance here because of the acquisition card rebates.

Risks and uncertainties

The ability of NSIRA to access the information it needs to conduct its reviews and complaints investigations is closely tied to the capacity of the reviewed or investigated departments and agencies to respond to NSIRA’s demands. While most pandemic constraints have subsided, there continues to be recruitment challenges in a tight labour market. To address this challenge, NSIRA is experimenting with hybrid workplace approaches, launching internal career development programs and focusing on onboarding practices to attract and retain talent.

NSIRA is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls.

Mitigation measures for the risks outlined above have been identified and are factored into NSIRA’s approach and timelines for the execution of its mandated activities.

Significant changes in relation to operations, personnel and programs

There have been two new Governor-in-Council appointments during the first quarter, Dr. Foluke Laosebikan and Mr. Matthew Cassar. Existing member, Mr. Craig Forcese, has been named Vice Chair of NSIRA.

There have been no changes to the NSIRA Program.

Approved by senior officials:

John Davies
Deputy Head

Pierre Souligny
Chief Financial Officer

Appendix

Statement of authorities (Unaudited)

(in thousands of dollars)

  Fiscal year 2022–23 Fiscal year 2021–22
  Total available for use for the year ending March 31, 2023 (note 1) Used during the quarter ended June 30, 2022 Year to date used at quarter-end Total available for use for the year ending March 31, 2022 (note 1) Used during the quarter ended June 30, 2021 Year to date used at quarter-end
Vote 1 – Net operating expenditures 26,523 2,872 2,872 28,490 2,3 5,647
Budgetary statutory authorities
Contributions to employee benefit plans 1,728 432 432 1,705 426 426
Total budgetary authorities (note 2) 28,251 3,304 3,304 30,195 2,762 2,762

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Departmental budgetary expenditures by standard object (unaudited)

(in thousands of dollars)

  Fiscal year 2022–23 Fiscal year 2021–22
  Planned expenditures for the year ending March 31, 2023 (note 1) Expended during the quarter ended June 30, 2022 Year to date used at quarter-end Planned expenditures for the year ending March 31, 2022 Expended during the quarter ended June 30, 2021 Year to date used at quarter-end
Expenditures
Personnel 13,245 2,345 2,345 13,222 2,312 2,312
Transportation and communications 597 44 44 673 13 13
Information 372 5 5 375 2 2
Professional and special services 3,506 846 846 5,904 196 196
Rentals 271 10 10 188 0 0
Repair and maintenance 9,722 31 31 8,737 8 8
Utilities, materials and supplies 173 16 16 103 3 3
Acquisition of machinery and equipment 232 9 9 991 216 216
Other subsidies and payments 133 (2) (2) 0 12 12
Total gross budgetary expenditures
(note 2)
28,251 3,304 3,304 30,195 2,762 2,762

Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.

Note 2: Details may not sum to totals due to rounding.

Share this page
Date Modified:

Study of the Government of Canada’s use of Biometrics in the Border Continuum

Review Backgrounder

The Government of Canada (GoC) uses biometrics to identify individuals with a level of confidence beyond what is possible absent such techniques.

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this study, the National Security and Intelligence Review Agency (NSIRA) examined activities conducted by the Canadian Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in this area.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country – and consequently determining whether they have a right to enter, or what risks they might pose – serves a national security function. In this way, the use of biometrics requires an assessment of the balance between privacy and security.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the GoC’s biometric activities in the border continuum.

Date of Publishing:

1. Executive Summary

The Government of Canada (GoC) uses biometrics to identify individuals with a level of confidence beyond what is possible absent such techniques.

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this study, the National Security and Intelligence Review Agency (NSIRA) examined activities conducted by the Canadian Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in this area.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country – and consequently determining whether they have a right to enter, or what risks they might pose – serves a national security function. In this way, the use of biometrics requires an assessment of the balance between privacy and security.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the GoC’s biometric activities in the border continuum.

The study identified a set of observations linked to nine overarching themes:

  1. Biometrics and National Security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
  2. The Steady-State Activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
  3. Expanding Use of Biometrics over Time. The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. This trajectory is driven partly by advancing technological capabilities, partly by evolving challenges in identity management. It is reflected in other jurisdictions around the world. Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
  4. Pilot Projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
  5. Evolving Legal and Societal Norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable – but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
  6. The Dual-Use of Biometrics. NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report. Even where they pose demonstrable benefits, new uses of biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.
  7. Technical Systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.
  8. Visibility into Algorithms. Departments and agencies have limited visibility into how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
  9. Preventing Bias and Discrimination. IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

These observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

List of Acronyms

Glossary of Terms

2. Authorities

The National Security Review Agency (NSIRA) conducted this study under section 8(1)(b) of the National Security and Intelligence Review Agency Act.

3. Introduction

Background

Biometrics enhance the government’s ability to know who you are. The measurement and analysis of unique biological characteristics – including, inter alia, fingerprints, iris patterns, and facial features – facilitates the identification of individuals to a level of confidence beyond what is possible absent the use of such techniques. Biometrics can be layered with traditional identifiers – such as name, date of birth, place of birth, gender etc. – to enhance the government’s identification process.

Knowing who you are – including verifying that you are who you claim to be – has benefits for national security. At the border, in particular, questions about identity are paramount: who has the right to enter the country, who does not, and who might pose a threat to the security of Canada and Canadians?

At the same time, the identification of persons by virtue of their biological characteristics raises acute privacy and human rights concerns. Biometrics are intrinsically personal information, and are largely immutable (i.e., they cannot be easily changed, as can passwords or other identifiers). There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. As biometric technology is increasingly integrated into public spaces, it will be important for government and for Canadians to consider the associated calibration of security, privacy, and human rights.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the Government of Canada (GoC)’s biometric activities in the border continuum, with a focus on activities relating to the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air.  The immediate objective of the study was to map the biometric activities occurring in this space. This includes examining the collection, retention, use, and disclosure of biometric information, as well as the legal authorities under which said activities occur. The baseline for an informed public discussion is accurate information about which activities are being pursued by the GoC and whether/how they are authorized in law.

The study also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics, including the possibility of discrimination on the basis of identity factors like race and gender; the proportionality of their collection, retention, use and disclosure; and the transparency with which the GoC discusses its use of biometrics and their contribution to national security.

NSIRA’s ability to look across departments and agencies and to make both specific and general observations – to examine the forest as well as the trees – was particularly valuable in assessing a wide and growing biometric landscape.

In addition to informing an important public conversation, the report’s broad treatment of biometric activities in the border continuum advances NSIRA’s work in two ways. First, it identifies several more narrow areas of interest or concern, to which NSIRA may return in future targeted reviews. Second, it defines a set of criteria against which NSIRA may review the GoC’s use of biometrics in national security and intelligence activities – both within and beyond the border continuum.

The Study

Scope

The border is distinct from other public settings. There are security imperatives that arise when individuals cross sovereign boundaries, such that the state is justified in taking measures not permissible in other contexts. While privacy rights and civil liberties do not disappear, expectations of privacy and of free movement are significantly lower. In considering the GoC’s biometric activities, therefore, it was practical to separate the border continuum from other settings; what might be overly intrusive in the latter may be justified in the former. Further, the border can serve as a testing ground for new biometric techniques and technologies, which then spread to other areas. If there are public concerns about biometric technology more generally, the border may serve as a harbinger of things to come and ought to be scrutinized accordingly.

In this study, we examine the collection, retention, use, and disclosure of biometric information and evaluate, where applicable, said activities against the criteria outlined below. We reviewed relevant policy and legal frameworks as communicated by departments and agencies, to inform our assessment of reasonableness and necessity, and to establish foundational knowledge that will inform future compliance assessments in the biometrics space. Our assessment of reasonableness and necessity was conducted at a high-level, reflecting on the themes, trends and issues manifest in considering the GoC’s biometric activities in the border continuum as a whole. We did not conduct independent verification or audit of the claims or activities themselves.

In the course of this study, NSIRA examined activities conducted by the Canada Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in the border continuum.

NSIRA also surveyed the history, and possible future, of biometric activities in the border continuum. The biometric landscape is not static, nor are practices in traveler facilitation and border security. Much of the public concern regarding biometrics (in particular over something like facial recognition technology) has to do with what lays just over the horizon, rather than simply any activity currently taking place. To this end, discussion of past activities, programs, and pilot projects illustrate the expansion of biometrics that has culminated in the present moment. Similarly, several pilot projects and initiatives known to be in development serve as examples of what may be to come. This wider lens contextualizes present activities and thus helps fulfill the broader objectives of the study.

Criteria

A set of basic criteria guided NSIRA’s assessment of the GoC’s present biometric activities in the border continuum:

  • Compliance. NSIRA examined the legislative and policy framework governing departments’ and agencies’ collection and use of biometrics. It examined the enabling legislation’s compliance with the Canadian Charter of Rights and Freedoms and Privacy Act; considered the safeguards and features of the departments’ or agencies’ enabling statutes and regulations as applies to their biometric programs; and reviewed applicable departmental and Treasury Board policies.
  • Proportionality. Proportionality, in this context, weighs the government’s objectives in using biometrics against any impacts on individuals’ privacy or human rights. Generally speaking, NSIRA expects that any intrusions on the rights and freedoms of individuals be readily justifiable and offer important benefits to pressing and substantial objectives.
  • Accuracy. Because biometrics are fundamentally designed to identify individuals, it is important that they do so accurately, such that they can effectively contribute to the government’s objectives in a given activity/program. Biometric analysis (including the use of algorithms) is subject to error rates and false-matches that can have significant consequences for individuals. Relatedly, algorithms used for biometric analysis are susceptible to demographic performance variables which could give rise to bias or discrimination.
  • Transparency. In light of the GoC’s National Security Transparency Commitment of 2017, this criterion generally assessed the public transparency of biometric activities in the border continuum. It emphasized the availability of information regarding the type of biometrics collected and the connection of biometrics to GoC priorities, including national security.
  • Data Security. Given the sensitive nature of biometric information, protection of said data throughout the so-called “privacy lifecycle” (collection, storage, transmission, and destruction) is particularly important. As such, NSIRA assessed the policy frameworks of the activities under review for data security protections, such as encryption, access limitations, and privacy-by-design principles.

Collectively, these criteria informed NSIRA’s assessment of the lawfulness, reasonableness and necessity of the departments’ exercise of their powers as concerns the use of biometrics in Canada’s border continuum. Our observations highlight potential issues and areas of concern, which may serve as a basis for subsequent in-depth review of particular activities.

Methodology and Information Requirements

NSIRA received information from departments and agencies in the form of briefings, written responses, and documents. The latter included policies, procedures, project reports, technical studies, operational bulletins, manuals, correspondence, websites, and relevant legal opinions.

In addition to information obtained from departments and agencies, the nature of the study – dealing with a broad category of information widely used and heavily scrutinized across the globe – meant that a significant volume of open-source research was pertinent. As such, NSIRA examined media reports (both domestic and international), industry reports, academic research, think tank reports, government reports/documents from other jurisdictions, and intergovernmental and non-governmental organization research on biometrics and related technology. What emerged was a sense of the common standards, themes, risks, and even lexicon associated with biometrics, all of which helped inform NSIRA’s observations regarding the GoC’s biometric activities in the border continuum.

The Report

The body of the report is organized into three descriptive sections, presented in chronological order:

  • Biometrics Past: a discussion of the history and evolution of the use of biometrics in the border continuum, including relevant pilot projects and key expansions along the way;
  • Biometrics Present: a description of current, steady-state biometric activities; and,
  • Biometrics Future: a discussion of the role biometrics are likely to play in the border continuum moving forward, based on present trajectories.

The concluding section unpacks overarching themes and observations pertinent to the study objectives outlined above. While some of these observations are specific to a particular program or activity, others apply horizontally across various aspects of the study. The mélange reflects both the nature of a foundational study and the unique, crosscutting mandate that NSIRA enjoys. Our observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

4. Biometrics Past

IRCC began collecting fingerprints from asylum claimants and deportees in 1993, partly as a consequence of the rise in global migration volumes following the end of the Cold War. Canada received 37,000 refugee protection claims in 1992, up from just a few thousand annually for the balance of the 1980s. The resulting pressure on the system led, in part, to the introduction of Bill C-86 in June 1992, which included several provisions designed to enhance the efficiency and integrity of Canada’s immigration and refugee system, among them the fingerprinting of asylum claimants and deportees. This provision generated public criticism, with the government eventually amending it to include the deletion of fingerprints if/when an individual became a Canadian citizen. Ultimately, the purpose of the collection was to introduce processing efficiency into the system and to enhance both fraud detection and fraud deterrence through rigorous identity management.

Over the subsequent years, the collection and use of biometrics in the border continuum has steadily expanded, such that nearly everyone entering Canada by air – whether a foreign national or Canadian citizen – now has their biometric information collected and/or analyzed in some way. How did we get from there to here? The present section addresses this question by describing the evolution of the GoC’s activities over time, highlighting key moments, programs, and projects that animate it along the way.

9/11

The terrorist attacks of September 11, 2001, dramatically altered Canada’s national security landscape. The 2001 budget reflected the new priorities of the day, with $7.7 billion over five years allocated to security measures, including $1 billion to immigration screening and enforcement and $1.2 billion to border security initiatives.

These outlays came on the heels of explicit recommendations from a parliamentary committee to, among other things, “modernize border management to accommodate future security and trade needs” and “test and implement […] advanced technologies in […] border processing operations.” The latter recommendation included the suggestion that “biometric technology in the form of fingerprint or retina scanners could […] be considered to identify individuals […] crossing the border.” The report also called for the reactivation and full implementation of the NEXUS program, which had been a cross-border travel pilot project between the US and Canada launched in November 2000 but suspended in the wake of the attacks.

The central plank of post-9/11 US-Canada border security cooperation, however, was the Smart Border Declaration, signed on December 12, 2001. Accompanied by a 30-point Action Plan, the declaration guided US and Canadian efforts to enhance border security. The very first item on the Action Plan was the introduction of “biometric identifiers”, calling for the two countries to “develop on an urgent basis common biometric identifiers in documentation such as permanent resident cards, NEXUS, and other travel documents to ensure greater security.” Also of note were the provisions to expand information sharing in the visa and refugee/asylum context.

The two countries explicitly framed the Smart Border Action Plan as an effort to “develop a zone of confidence against terrorist activity”. In the US, the Final Report of the National Commission on Terrorist Attacks Upon the United States (more widely known as the “9/11 Commission Report”) expressed this logic, calling for a “biometric screening system” that would encompass the entire border continuum, from passport and immigration application to arrival at ports of entry, along with information sharing between jurisdictions. Canada’s 2004 National Security Policy (NSP) similarly foregrounded biometrics in its chapter on border security. The NSP noted that Canada would “work toward a broader use of biometrics” and “examine how to use biometrics in [its] border and immigration systems to enhance the design and issuance processes of travel and proof-of-status documents and to validate the identity of travellers at [Canada’s] ports of entry.” For both countries, biometrics were seen as a means of identifying possible terrorists crossing the border. 9/11 had fused border security to national security, turning identity management – hitherto primarily associated with efficiencies and fraud – into a national security priority.

In Canada, the NSP set the basic outline of the GoC’s current steady-state biometric activities: facial recognition in the issuance and use of travel documents (Passport Program) and fingerprints and the validation of identity at ports of entry (Immigration Program). We return to these in Section 5.

In the balance of this section, we briefly describe the key biometric activities and programs adopted in the years following 9/11.

ePassport

Though standard in the document for decades, passport photographs were not considered “biometrics” until passports became machine-readable. The 2003 International Civil Aviation Organization (ICAO) guidelines on ePassports, also commonly referred to as “biometric passports,” therefore mark the introduction of biometric identifiers to the document on the international stage. Canada committed to the ePassport in 2004, though actual implementation unfolded in stages over subsequent years, with the full rollout occurring in 2013. Hundreds of other jurisdictions adopted the ePassport during this period, gradually establishing it as an international recommended practice for official travel documents. Canada’s current iteration of the ePassport is discussed in paragraphs 95-112, below.

In addition to the “smart chip” embedded in the ePassport and containing the facial photograph, the government also pursued facial recognition in the passport application/issuance process. The first Privacy Impact Assessment (PIA) for what was then known as the “Facial Recognition Project” was crafted in 2003, though full implementation under the guise of the “Facial Recognition Solution” (FRS) did not occur until 2010. The system used facial recognition to help assess entitlement to a Canadian passport or other official Canadian travel document. The specific objectives of the program were: to detect fraud, support the authentication of identity, and prevent passport issuance to ineligible applicants. We discuss the current iteration of the FRS, which is a key component of the steady-state Passport Program, in paragraphs 95-112, below.

Temporary Resident Biometrics Program (TRBP) (2009-2018)

The “Temporary Resident Biometrics Program” (TRBP) – initiated in 2009 and operational by 2013 – marked a significant expansion of the collection of biometrics in the immigration context. Under the TRBP, biometrics (fingerprints and a digital photograph) were collected by IRCC (then-Citizenship and Immigration Canada [CIC]) as part of temporary resident applications from 30 nationalities. The fingerprints were screened “against fingerprint records of known criminals, past refugee claimants, persons previously deported, and previous immigration applicants” held by the GoC. Once the application was approved and the applicant arrived in Canada, the CBSA verified the biometrics ensuring that the person presenting was the same individual that had applied. In 2014, biometrics collection was expanded beyond temporary resident applications to include overseas refugee and resettlement applications.

According to the GoC, biometrics were adopted as a means to access more complete and accurate information, so as to inform admissibility decisions made under the Immigration and Refugees Protection Act (IRPA) regarding temporary resident applicants. The TRBP’s use of biometrics therefore supported identity management goals, with national security – the identification of individuals who might pose a security threat – constituting a supporting feature of the larger program.

Beyond the Border (2011) and Immigration Information Sharing (IIS) (2013-2016)

In 2011, Canada and the US issued the joint declaration Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness and its accompanying “Beyond the Border Action Plan”. The plan made a commitment to increase information sharing between the two countries. Canada and the US had shared immigration information on a case-by-case, ad hoc basis since 2003, but the process was labour intensive and consequently limited in volume.

The resulting program was the Immigration Information Sharing (IIS) initiative, which made it possible for Canadian and American authorities to systematically exchange immigration information on the basis of a biometric match between their respective immigration databases – a capability that became fully operational in August 2015. For example, all biometric-required applicants to Canada had their fingerprints systematically checked against US fingerprint holdings at the time of enrolment. In the event of a match, the US returned relevant immigration information (e.g. biographical information to confirm identity, the outcome of any previous immigration applications, etc.) to IRCC, to help inform decisions about admissibility. The arrangement was reciprocal, meaning the US similarly queried Canadian immigration fingerprint holdings, with Canada returning immigration information in the event of a match. As characterized by a 2015 implementation report, this capability helped to “counter identity fraud, strengthen identity management and provide valuable information to inform respective admissibility determinations.”

The IIS was, in many ways, the natural extension of TRBP. Whereas TRBP made it possible to screen an applicant’s biometrics against domestic databases, IIS extended this capability to US databases, thereby increasing the range of information obtainable through biometric querying.

Information-Sharing Pilot between CBSA and IRCC/CIC (2013-2016)

Beginning in 2013, a two-phase pilot project between CBSA and IRCC/CIC explored the benefits of leveraging facial recognition through information sharing. The impetus for the project was the experimental querying of 72 photographs of individuals wanted by the CBSA against IRCC/CIC’s passport database. The querying was intended to verify whether any passports had been issued to individuals subject to CBSA warrants for arrest under the IRPA (under genuine or false identities), thus helping protect the integrity of the passport system, while also facilitating enforcement of the IRPA. The CBSA and IRCC rely on sections 7, 8(2)(a) and 8(2)(e) of the Privacy Act for the use and disclosure of this information.

Using facial recognition, the one-to-many identification of these 72 individuals identified three individuals who had fraudulently acquired travel documents. On the strength of these results, the organizations drafted a Memorandum of Understanding (MOU) in December 2013 to share photographs of 1,000 individuals wanted on active CBSA warrants and ran a one-to-many identification against the passport database using facial recognition. This time, 15 individuals were found to have submitted fraudulent passport applications.

In 2015, another round of the project was initiated under a subsequent MOU, raising the number of queries to 3,000 individuals. Also expanded was the scope of information that could be returned as a result of a positive match. Whereas the 2013 MOU only authorized the sharing of information related to document fraud, the 2015 MOU authorized the sharing of any derogatory information relevant to the enforcement of the IRPA. Appendix III of the Information Sharing Annex to the 2017 IRCC-CBSA MOU established this information sharing on a permanent basis.

Research into Facial Recognition

In addition to the expansion, refinement, and leveraging of biometric activities associated with passports and immigration, the GoC explored additional uses of biometrics, including facial recognition, through research into emerging technologies and pilot initiatives, testing possible applications in the border continuum.

Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video (PROVE-IT: FRiV) (2011-2013)

In 2011, CBSA led the “Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video” (PROVE-IT: FRiV) project. PROVE-IT: FRiV examined, in a lab setting, the possible use of live-capture facial recognition in a controlled environment, such as an airport. Researchers evaluated commercial products and tools available for this purpose, and determined that “face-based surveillance” was ready for live use in “in semi-constrained environments.”

Faces on the Move (FOTM) (2014-2017)

Building on the findings and results of PROVE-IT: FRiV, CBSA launched the “Faces on the Move” (FOTM) pilot project in 2014. FOTM involved the live video capture of the facial images of travellers as they passed through Toronto Pearson International Airport Terminal 3 for a six-month period between June 2016 and November 2016.

Project-specific video cameras were installed to capture facial images in the immigration arrivals area, primary inspection, and toward the exit following primary processing. Facial images were checked in real time using facial recognition against two image databases: a “control” watchlist comprised of 65 CBSA volunteers, and an “operational” watchlist of 4,860 previously deported individuals, generated by CBSA. The CBSA volunteers conducted over 1,200 test walkthroughs over the course of the six-month demonstration. At the same time, approximately 15,000 to 20,000 travellers per day were screened against the operational watchlist, of which forty-seven were correctly detected by the system. All records of personal information were to be destroyed at the end of the project, save those that served an administrative purpose, which would be retained for two years following the date of their last use in keeping with section 6(1) of the Privacy Act and section 4(1)(a) of the Privacy Regulations.

The immediate purpose of FOTM was to raise the technology readiness level of facial recognition to the point of being ready for live, real-time implementation in a controlled environment. Further objectives included the establishment of privacy and security protocols governing the deployment of facial recognition and the development of Canadian industry offerings in the facial recognition space through partnership with CBSA and access to the CBSA’s operational environment (i.e. the border). Longer-term strategic goals included promoting the “efficient flow of people across Canada’s borders” and addressing “evolving threats to public safety at or before the border…while respecting Canadian values including the right to privacy.” Ultimately, FOTM was couched as a building block toward future applications of facial recognition in the border continuum and “similar security scenarios (transportation facilities, shopping malls, stadiums, mass public events).” The lessons from FOTM were to inform a “roadmap” for the use of “science and technology […] for face surveillance, specifically at the border.”

According to the project’s final report, FOTM experienced several policy challenges, “including concept of operation, deployment constraints, public notification, data security, data retention/purging rules, and legality of enforcement based on face recognition and privacy issues.” These and other challenges were likely to “influence face surveillance future deployments and/or technology road maps.” Nonetheless, it recognized that the combination of advancing capabilities and relaxing public resistance to facial recognition technology “will drive the need for continual investment in both the science and the application of face recognition based surveillance.”

Prior to the demonstration period, a PIA conducted for FOTM in consultation with the OPC had brought additional issues to light. This resulted in certain changes to the project, including dropping plans to use watchlist photographs from multiple government agencies and foregoing plans to advise enforcement agencies of a previously deported person’s presence if the individual was not intercepted by the CBSA before leaving the port of entry. The consultants’ final report for the project “recognized that should facial recognition be deployed for long-term, operational use, the PIA would have to be redone and updated to identify potential ongoing risks that did not affect the short-term FOTM project.” Furthermore, CBSA recognized that, were FOTM to become a permanent program, the use of facial recognition would require an update to its Policy on the Overt Use of Audio-Video Monitoring and Recording Technology, and to the description of the related CBSA Personal Information Bank57 (PIB), PPU 1104, which did not include “biometric information.”

Indeed, public signage and notice about the cameras was limited during the demonstration period. Signage at Terminal 3 of Toronto Pearson’s International airport stated that “[t]his area is under video surveillance,” but made no mention of facial recognition. Similarly, the November 19, 2012, version of the CBSA’s Privacy Notice on Video Monitoring and Recording, referred to in the PIA for FOTM, discloses that “[c]ameras may […] monitor the movement of travelers and goods from one point of CBSA operation to another, for example, from primary to secondary,” but does not provide notice of a facial recognition capability. These lacunae in the notice provisions appear to have been acknowledged in the final report on FOTM, however, which notes that the machine learning component “may require an extension to the current [privacy and security] protocols.”

To date, FOTM or similar use of facial recognition has not been adopted as an ongoing activity. Other operational priorities, including the deployment of Primary Inspection Kiosks (PIKs) at select airports, took precedence at the time the project was completed, and CBSA has not indicated plans to revive FOTM. The technology for FOTM was removed from the airport at the end of the pilot.

The CBSA relied on its powers of examination under sections 15-18 of IRPA to authorize the FOTM project, explaining that “[t]hese sections require all persons seeking entry to Canada to submit to an examination of their persons and documents” and “allow for the presentation of photographic evidence of an applicant’s identity.” Indeed, section 15(3) of IRPA authorizes “an officer [to] … examine any person carried by [a means of transportation bringing persons to Canada],” and to examine “any record or document respecting that person.” Section 16 of IRPA further specifies that “[a] person who makes an application must answer truthfully all questions put to them for the purpose of the examination and must produce [at this examination] a visa and all relevant evidence and documents that the officer reasonably requires.” In the case of a foreign national, this evidence includes “photographic and fingerprint evidence.” The CBSA did not request legal assessment from the Department of Justice (DOJ) as to whether these authorities would support the FOTM pilot program.

The CBSA’s reliance on these general powers of examination to conduct facial recognition on travelers as they make their way to the point of processing is of concern to NSIRA. The legislative authorities relied on by the CBSA presume an overt interaction between the traveler and CBSA officials, and the knowing presentation by travelers of their individual documents, fingerprints and photographs during their examination. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. NSIRA is of the opinion that further legal advice would be required in order to ensure that the use of facial recognition in Canadian airports (or elsewhere at the border) is well-founded in the CBSA’s legislative authorities.

Moreover, with respect to the pilot’s compliance with section 8 of the Charter, the CBSA explained that a legal opinion from the Department of Justice (DOJ) was not required because “no information [was] being collected above and beyond the CBSA’s current use of CCTV technology.” The pilot used “the existing surveillance infrastructure” and “did not introduce any additional (audio or video) at ports of entry.” As such, the CBSA was of the opinion that FOTM did not engage privacy or other concerns that would necessitate legal consultation.

As described in paragraph 39, however, project documents indicate that new cameras were installed for the demonstration period. Moreover, these arguments under-value the effects of facial recognition technology on individuals’ privacy. The important fact is not the installation or absence of new cameras, but rather their ability to conduct facial recognition. This new aspect of what is being collected arguably changes the subject-matter of the search. As the OPC has recommended, PIAs (and, in NSIRA’s view, assessments of lawful authority) should be renewed when new technologies are used, in order to ensure that the subject-matter of the search – and its privacy implications – are well-understood. Notices should also be updated to ensure that the use of facial recognition is clearly made known to the public, unless operational imperatives justify a lower degree of transparency.

The deployment of such technology, whether on a short-term or long-term basis, must be carefully studied and be fully supported by legal authority and a sound policy framework. The FOTM demonstrated genuine benefits for the execution of the CBSA’s duties at the border, specifically the identification of individuals of concern. Individuals previously deported for inadmissibility are known to attempt re-entry into Canada under assumed or false identities. The 47 “real hits” during the six-month demonstration window of FOTM attest to this fact. As noted in other contexts, of course, national security is one among many interests supported through better identity management. Further, findings of inadmissibility on security grounds (s. 34 of the IRPA) constitute a comparatively small portion of overall inadmissibility decisions. At the same time, rare events can have extreme consequences. National security cases are, by their nature, infrequent but serious.

FASTER-PrivBio Project (2015-2017)

FASTER-PrivBio was a ‘proof of concept’ project that developed a prototype mobile application that facilitated the application and approval of electronic travel authorizations (eTAs). It was led by IRCC in conjunction with CBSA and other partners (including the University of Ottawa and Ryerson University). The application captured a digital photograph (selfie), extracted the digital photograph contained in the ePassport chip, compared the two using facial recognition (one-to-one comparison), and validated the authenticity of the travel document. Upon successful enrolment, the application would then create a ‘client token’ facilitating movement through the travel continuum for low-risk travellers. The project incorporated a ‘Privacy-by-Design’ framework, with a specific emphasis on addressing the privacy concerns raised by the use of biometrics.

Two basic security benefits were envisioned: first, the facilitation of low-risk travellers would allow resources and attention to be applied elsewhere, including toward higher-risk travellers in manual processing. Second, the application would automatically check enrolled travellers against CBSA, IRCC and other applicable (e.g. International Criminal Police Organization [INTERPOL]) biographic watchlists, thereby identifying individuals of concern. This latter function, however, would largely replicate existing screening in the eTA process.

The project closed in 2017 having successfully demonstrated its intended deliverables. Its key takeaways included the viability of mobile (smartphone-based) biometric credentials (including adequate data security protections, according to project participants), compatibility with ePassports and related IRCC systems and infrastructure, and the robust identity verifications possible through such a system. The next phase of the project was to work toward live implementation, set to occur under the “Chain-of-Trust” (CoT) initiative. CoT development continues at present and is covered in Section 6, paragraphs 151-155, below.

Biometrics Expansion Project (2015-2020)

Initiated in 2015, the Biometrics Expansion Project (BEP), as its name suggests, marked another significant increase in the collection of biometrics in the immigration stream. Building on the TRBP, the BEP expanded the collection of biometrics to all persons (unless exempted) making a claim, application or request under the IRPA. The BEP incorporated the IIS initiative and extended automated immigration information sharing, including through biometric querying, to other international partners in the Migration 5 (M5) group, which comprises the immigration agencies of the United States, Australia, New Zealand, and the United Kingdom. The BEP also broadened the capacity for fingerprint verification at Canadian ports of entry (POE) through the introduction of automated Systematic Fingerprint Verification (SFV) at eight international airports (see paragraph 73) and the addition of discretionary fingerprint verification at secondary inspection at an additional 11 airports and 40 land POE.

The BEP closed in 2020 and the biometric activities it established were transferred to steady-state operations. As such, the activities described here are addressed in Section 5, paragraphs 63-94, below.

Assessing Biometrics Past

This section surveyed the development of biometric activities in the border continuum over the past several decades, highlighting key moments, programs, and pilots along the way. Taken collectively, several themes emerge.

First, the GoC’s collection and use of biometrics has steadily expanded. In the immigration context, for example, what began with deportees and asylum claimants in 1993 culminated in 2018 with all persons (unless exempted) making a claim, application or request under IRPA.

Second, the commitments and priorities established in the wake of the 9/11 attacks spurred the adoption of biometrics in the early part of the millennium, setting the foundation for the basic architecture of biometric activities in the border continuum today. In this context, the rationale for biometric adoption was national security. Identifying individuals meant possibly identifying terrorists.

Third, identifying individuals is also (and increasingly) about broader identity management. For CBSA and IRCC, biometrics contribute to overall organizational goals, not just national security objectives. As the immediacy of 9/11 receded, broader identity management became a relatively larger part of the rationale for collecting and using biometrics. This shift reflected a more balanced logic for biometric adoption, embracing their overall utility rather than emphasizing the smaller – though important – national security subset.

Fourth, as biometric activities have expanded, so too has the overlap and/or shared responsibility between organizations in their design and implementation: between government departments/agencies (e.g. IRCC and CBSA); between jurisdictions (e.g. Canada and the US, and Canada and other international partners); and between the public and private sector (as the GoC engages industry partners). Such closer cooperation may have implications for individuals’ privacy rights, for possible future uses of biometrics, and also underscores the importance of sound data security across these various institutions.

Fifth, traveller facilitation has emerged as another force behind biometric adoption, to improve efficiency at the border and to reflect evolving societal norms about the use of technology. As the FASTER-PrivBIO project suggests, the development of new biometric activities takes for granted traveller familiarity with digital devices. At the same time, individuals are likely to be more comfortable adopting relatively intrusive technologies when they do so voluntarily and consensually. This tension – between expectations of convenience and expectations of privacy – is likely to shape public dialogue over biometrics moving forward.

Sixth, and related to the above, the expansion of biometrics has coincided with a growing emphasis on privacy and privacy protections. Many of the pilots and projects described in this section explicitly addressed such concerns, including by adopting so-called “Privacy-by-Design” principles, which are intended to proactively protect personal information. This dynamic reflects the development, over time, of the wider understanding (whether on the part of government, industry, the legal community, or academia) as to the particular risks associated with the collection and use of biometrics. Some applications of biometric analysis – for example the facial recognition used in the FOTM project – carry more risks than others, and ought to be scrutinized accordingly.

5. Biometrics Present

This section focuses on the GoC’s steady-state biometric activities in the border continuum. The balance of the section examines the role of biometrics in the immigration and Passport programs, respectively. For each, we examine how biometrics serve program objectives (noting, as relevant, their collection, use, retention, and disclosure) and consider the criteria outlined in Section 3. The end of the section examines the process of “arriving into Canada”, which includes the analysis of traveller and NEXUS member biometrics by automated kiosks at Canadian airports. Throughout, we highlight the relevant national security considerations.

Immigration Program

IRCC is responsible for screening the admissibility of potential permanent and temporary residents coming to Canada. As part of this process (hereafter the “Immigration Program”), IRCC employs biometrics, in cooperation with CBSA and the RCMP. As IRCC characterized it to NSIRA, for biometrics in the Immigration Program: “IRCC collects, the RCMP stores, and the CBSA verifies.”

IRCC collects (all ten) fingerprints and a digital photograph in support of applications for temporary resident visas or status, work permits, study permits, temporary resident permits, and permanent residency, and in support of refugee and asylum claims. The collected biometrics are stored in two databases: photographs are stored in the IRCC’s Global Case Management System (GCMS) and fingerprints are stored in the RCMP’s Automated Fingerprint Identification System (AFIS). The digital photograph, while ICAO compliant, is not used for facial recognition and may not be of sufficient quality for that type of analysis. As such, we focus primarily on fingerprints in our description and analysis of activities.

Biometrics are collected and enrolled at multiple service points, both in Canada and abroad, with the vast majority (approximately 90%) occurring at Visa Application Centres (VACs). VACs are commercial service suppliers, managed by private companies, contracted by IRCC to deliver biometric enrolment overseas.

The collection phase is a sensitive juncture given the personal nature of biometric information. The primary concerns here relate to privacy and the security of biometric data. Media reports have highlighted concerns about VACs, questioning whether adequate privacy protection can be maintained given the central role of private contractors based outside of Canada. Possible links between the subcontractor administering Canada’s VAC in Beijing and Chinese security forces have also been scrutinized. Foreign governments have an interest in knowing who is applying to come to Canada – the information can be leveraged to monitor, suppress, harass, coerce, threaten or otherwise harm an individual. The possible interception or theft of biometric data is especially concerning, given its possible use in monitoring, surveillance, and identification.

IRCC has taken steps to ensure the flow of biometric information (including collection and transmission) at VACs is controlled. Contracts with VAC providers stipulate that they must abide by Canadian privacy laws. IRCC further states that oversight of VAC contractors occurs through audits and site reviews, conducted by Canadian officials, at VAC locations. All biometric information collected outside of Canada is said to be encrypted before being transmitted back to IRCC servers located in Canada (photographs in GCMS) and to the RCMP (fingerprints in the AFIS). Once successfully transmitted, IRCC states that the information is deleted from the point of collection.

Given the nature of operating in certain foreign jurisdictions, however, there remain challenges to securing the information provided by applicants at VACs. Some VACs are located in countries with national interests inimical to those of Canada – the national security consequences of security breaches at these VACs may therefore be particularly acute. While the scope of the present study precluded in-depth examination of the security arrangements at VACs, NSIRA may wish to revisit the issue at a later date.

In the border continuum, Canada leverages (or uses) the collected biometrics in three ways: for screening at enrolment (with any returned information informing decisions about an application), for verification upon arrival at a Canadian POE, and for ongoing assessment of admissibility (or immigration status) once an individual is present in Canada.

Screening at enrolment is automatic, and includes both domestic (Canadian) and foreign databases. For enrolment, IRCC or CBSA submits the collected fingerprints to the RCMP. Fingerprints and biographic information are then compared against the RCMP’s criminal and immigration fingerprint repositories (the latter includes fingerprints collected as part of previous applications). Fingerprints are also queried against the immigration databases of Canada’s M5 partners.

Information returned from domestic and foreign screening informs decisions on admissibility – including possible inadmissibility on IRPA s. 34 security grounds. Biometric immigration information sharing with the M5 partners includes sharing of derogatory alert codes. Information that indicates a potential national security concern may be referred to the Public Safety portfolio (including CSIS and CBSA) for additional security screening. While foreign screening also occurs using biographical information, biometrics confer the additional advantage of identifying matches to previous applications associated with different names and/or with discrepant biographical information.

Following the screening process, biometrics are used by the CBSA to verify the identity of enrolled foreign nationals arriving at a Canadian POE. This ensures – to a level of confidence beyond what is generally possible absent the use of biometric information – that the individual granted a visa or permit is the same individual entering Canada.

The mode of verification varies between POE. At eight international airports, Systematic Fingerprint Verification (SFV) occurs through Primary Inspection Kiosks (PIKs). PIKs are automated kiosks used to process travellers through customs and immigration at major Canadian airports (for more on the PIK see paragraphs 125-137, below). The PIK captures fingerprints and transmits biometrics to the RCMP for one-to-one matching against the traveller’s reference fingerprint in the RCMP database. Where SFV is not available, Border Services Officers (BSOs) verify identity by comparing the traveller’s enrolled photograph with the individual presenting in front of them, while fingerprint verification occurs on a discretionary basis at secondary inspection using CBSA’s LiveScan device.

Biometrics are also used to assess ongoing admissibility. That is, they serve as a means to connect individuals to information that could affect their immigration status and/or future immigration applications (for example interaction with law enforcement that might indicate inadmissibility).

The retention period for biometrics collected is partially contingent on the application’s outcome. For both temporary resident and permanent resident applications refused on the grounds of what the IRCC considers “serious inadmissibility” (sections 34-37 of the IRPA), biometrics are retained until the individual’s 100th birthday.

This extended retention period provides security benefits as biometrics can help identify an individual should they submit a subsequent application at any (realistic) point in the future, even if submitted under a different name. Extended retention also makes such identification possible for domestic and/or foreign partners with querying access to the immigration database. Should the individual receive a record suspension, criminal rehabilitation, or ministerial relief, the retention period reverts to the typical 15 years from the date of biometric enrolment. This caveat is important, as it realigns the retention of an individual’s biometrics beyond the resolution of the underlying circumstances which warranted the extended retention.

At the end of the retention period, biometric information is disposed of by IRCC according to disposition authorizations issued by Library and Archives Canada. With respect to fingerprints held by the RCMP, an automated electronic purge transaction request is transmitted by IRCC and a confirmation of the purge returned.

In 2021, IRCC discovered a privacy breach related to the retention of immigration fingerprints and photographs beyond their prescribed retention period. The information belonged to individuals who attained Canadian citizenship meaning that, according to IRCC biometric retention policy, fingerprints and photographs associated with their immigration file should have been deleted. IRCC notified the OPC in February 2021 about the issue, and notified affected clients, by email, in March 2021. A public notification was placed on the IRCC website.

The disclosure of biometric information raises privacy considerations and calls for attentive consideration of their subsequent use. Given that biometrics are personal information, the current legal framework requires that the GoC only use them for the purposes for which they were obtained (namely, determining an individual’s admissibility to enter, or remain in, Canada); for a use consistent with that purpose; or as otherwise authorized by law.

The automated querying that occurs between Canada and its M5 partners involves an anonymous biometric (fingerprint) search, with no identifying biographic information included; if a match is detected, relevant immigration information is returned; if there is no match, the receiving country sends a nil result. In either case, the receiving country is required to purge and not retain the fingerprint. The system is designed, ultimately, with the intention that no biographic and/or immigration information is exchanged unless both parties already possess the biometric in their databases – an important privacy protection measure. Further, the automated agreements specify that any information exchanged will pertain to third-party nationals only; that is, Canada will not send or receive information on Canadian citizens or, with the exception of asylum claims, permanent residents.

Less frequent case-by-case (or ad hoc) exchanges may result in the actual exchange of underlying biometric information (whether photographs or fingerprints) if the information is deemed, by the requesting party, relevant to enforcing that party’s immigration and citizenship laws. Such exchanges are subject to caveats regarding use, onward disclosure, and retention, which apply to any information disclosed (not just biometrics), but which are not legally binding on the participants. IRCC further indicated that ad hoc exchanges of biometric information may also occur with international partners beyond the M5, “with either the consent of the individual to whom the information pertains, or pursuant to section 8(2)(a) [i.e. the consistent use provision] of the Privacy Act.”

The primary sources of authority for the collection, use, and disclosure of biometric information in the Immigration Program are the IRPA and the Immigration and Refugee Protection Regulations (IRPR). Specifically, s.10.01 of the IRPA authorizes the collection of biometrics for the purposes of enrollment and verification pursuant to an application under the Act. Under s. 10.02 of IRPA, the Minister may issue regulations respecting the implementation of these processes, through the IRPR. The Regulations specify to whom the biometrics requirements apply, the type of biometrics at issue, and guide their collection, processing and verification. Section 16(1) of the IRPA requires that individuals making an application under the Act submit truthfully to examination and produce “relevant evidence and documents” while 16(2), which applies only to foreign nationals, specifies that such evidence includes “photographic and fingerprint evidence”. IRCC also cites s. 4 of the Privacy Act as authorizing their collection of biometrics, given that the information relates “directly to the administration of [IRCC’s] immigration programs.” They note further that, consistent with s. 7 of the Privacy Act, biometrics “will only be used for the purposes for which it was collected, or for a use consistent with that purpose.”

In terms of the IRCC’s disclosure of biometrics to international allies, s. 7 of the IRPA authorizes the Minister, with the approval of the Governor in Council, to enter into an agreement(s) with the government of a foreign state(s), for the purposes of the IRPA. Multiple such agreements are part of the IRPR, which cover Canada’s information sharing activities with each M5 partner including: the ‘Agreement between the Government of Canada and the Government of the United States of America for the Sharing of Visa and Immigration Information’; the ‘Annex Regarding the Sharing of Information on Asylum and Refugee Status Claims to the Statement of Mutual Understanding’; and the bilateral automated exchange arrangements with the Governments of Australia, New Zealand and the United Kingdom. These agreements provide for the disclosure of biographic and biometric data between the parties to the extent “necessary, relevant and proportionate to achieve [the administration and enforcement of the parties’ citizenship and immigration laws].” Provisions in each agreement also govern the destruction of the information, the correction of previously disclosed information, and grant the Minister a discretion to refuse to disclose information detrimental to Canada’s national interests.

Such disclosures would also be consistent with s. 8(2)(f) of the Privacy Act, which allows for the disclosure of personal information under an agreement or arrangement between the Government of Canada and a foreign state, for the purpose of administering or enforcing its laws. Ad hoc exchanges with partners beyond the M5 are conducted pursuant to the consistent use provisions of s. 8(2)(a) of the Privacy Act.

Canadian law enforcement may also access fingerprints collected by IRCC during the immigration application process for law enforcement purposes. Section 13.11 of the IRPR allows the RCMP to use – or disclose to other law enforcement agencies in Canada – any biometric information and specified, related personal information for the purpose of establishing or verifying a person’s identity in order to prevent, investigate or prosecute an offence. This information may also be used to establish or verify the identity of a person whose identity cannot reasonably be otherwise established or verified because of a physical or mental condition or because of their death. In other words, when law enforcement agencies submit fingerprints collected in the course of its duties to the RCMP — or the RCMP itself verifies a fingerprint — both criminal and immigration repositories, containing the fingerprints of foreign nationals and permanent residents, are included in the search. Section 13.11(2) of the IRPR allows the following personal information to be used or disclosed: the individual’s fingerprints and the date on which they were taken; their surname and first name; their other names and aliases, if any, their date of birth, their gender, and any file number associated with the biometric information or related personal information.

Assessing the Immigration Program

Biometrics facilitate identity management in the Immigration Program. First, the enrolment of biometrics ties an application to an individual. Second, biometric querying screens applicants against domestic and foreign databases, with the information returned as part of these queries informing decision-making regarding their admissibility into Canada. Third, biometrics are verified upon arrival at a Canadian POE to ensure that the individual presenting is the one to whom a visa or permit has been granted. Finally, biometrics are retained for a specified period (varying between application streams) so as to both assess continuing admissibility (status) under the IRPA and allow foreign nationals to submit subsequent applications without having to re-enrol their biometrics.

National security benefits are a consequence of robust identity management. National security is a component of, rather than the sole impetus behind, the use of biometrics. Enrolling biometrics at the application stage serves as a potential deterrent to individuals who might otherwise apply for mala fide purposes. Biometric screening of domestic and foreign databases helps identify individuals who are inadmissible (including, potentially, for reasons of national security). Verifying biometrics upon arrival ensures that the individual authorized to enter and not an individual posing as that person is the individual who does enter. The retention of biometrics which includes the retention of biometrics tied to applications denied for reasons of national security allows for the ongoing assessment of admissibility under the IRPA (including s. 34) and facilitates the reciprocal querying of foreign databases. Without biometrics, such exchanges would rely on biographical information, which is more susceptible to fraud and/or error.

Unique to each individual and easily captured by digital technology, fingerprints are generally regarded as accurate and reliable means of identification. However, both CBSA and IRCC noted potential concerns in relation to Gender Based Analysis Plus (GBA+), which is an analytical process designed to assess how diverse groups of people may experience policies, programs and initiatives. Specifically, some groups have more difficulty than others having their fingerprints captured, including individuals working in certain trades (which may indicate lower socio-economic status) and women (due to a biological difference in finger ridges). Mitigation strategies at the collection stage included training for operators, and operational guidelines as well as a regulatory provision (R12.8 of the IRPR) that allow the application process to continue if fingerprint capture is not possible.

Similarly, research has shown that fingerprint-matching algorithms – such as those used during SFV – may be less accurate for certain ethnic, gender, age, and socio-economic groups. Examples include individuals of East Asian origin, women, those working in certain trades, and older individuals. These groups may be subject to higher error rates when their fingerprints are verified (e.g. compared to an existing fingerprint holding). Mitigation strategies identified by CBSA included hardware and software adjustments that would improve the ability of PIKs (the kiosks used for SFV) to capture and analyze fingerprints.

In terms of transparency, there is significant material available to the public regarding biometrics and the immigration application process. Much of this content is practical in nature, intended to guide prospective applicants in the provision of their biometric information. IRCC also explains the program benefits of using biometrics, including that they help facilitate entry into Canada, ensure that the person seeking entry is the same as the one who was granted a visa, permit, or permanent residence, and to help prevent the use of stolen, borrowed, or altered visas and/or permits to enter Canada. While national security justifications are provided, the emphasis is on service delivery and the broader imperatives of identity management.

Overall, fingerprints appear to be a reasonable, appropriate choice of biometric to use in the immigration system. They can be collected relatively easily, with little intrusion, and while they are reliable identifiers, they offer comparatively little extrinsic evidence about individuals’ lifestyles or personal choices. Moreover, they offer a vital inter-operability across domestic immigration and law enforcement systems, as well as with those of nearly all foreign jurisdictions. The privacy costs of relying on biometrics for immigration screening therefore appear to be reasonable and proportionate to the benefits they convey to the state and the integrity of its immigration system.

Once collected, the use of biometrics for screening and verification are proportionate to the objective of identity management. From a national security perspective, decisions about admissibility – who may and who may not enter the country – are fundamental. So, too, is the desire to prevent fraudulent entry. At the screening stage, biometrics are particularly helpful in linking information across databases – e.g. in connecting information about an individual held in domestic or foreign repositories. The ability to make such linkages even in the face of multiple names or biographical profiles – perhaps cultivated for mala fide purposes – is largely unique to biometrics as a class of information. Likewise, verification – confirming that an individual is who they say they are when presenting at the border – is significantly enhanced through biometric analysis.

The activities are not without risks, however. The availability of immigration biometrics to Canadian law enforcement, for example, has the potential to stigmatize the immigrant population by associating them with criminality. In 2015, the European Union’s EURODAC (European Asylum Dactyloscopy Database) was heavily criticized by civil rights groups for “criminalizing” asylum seekers by making their fingerprints available to European law enforcement agencies. While held in different repositories, immigration and criminal fingerprints exist within the same RCMP system, and both are searchable by law enforcement, including when attempting to identify latent fingerprints taken from crime scenes.

There are benefits to making immigration fingerprints available to law enforcement, most immediately in assisting police with the enforcement of Canadian criminal law and, consequently, in returning information to IRCC and CBSA which may be relevant for enforcing the IRPA. At the same time, if the fingerprints of all Canadian citizens were in the possession of the government and searchable by Canadian law enforcement, that too would benefit the enforcement of Canadian law, though few – if any – would consider such an arrangement proportionate or desirable. It is therefore legitimate to question whether the availability of immigration fingerprints – collected in the course of applying to come to Canada – to law enforcement is proportional in all circumstances, or whether it should be limited to certain serious offences.

Passport Program

The Passport Program, led by IRCC, is responsible for “issuing, refusing to issue, revoking, withholding, cancelling, recovering and providing instructions on the use of Canadian passports and other travel documents.” The program’s ultimate purpose is to enable the travel of eligible Canadian citizens, permanent residents, and refugees. Preventing individuals who are ineligible or not entitled to a passport from obtaining and travelling under official documents is the obverse of this goal. A subset of applicants will be ineligible for reasons related to national security. Established pursuant to the royal prerogative on passports, the Canadian Passport Order (CPO) constitutes the main legal framework for the issuance of regular and temporary passports by the Passport Program. It provides the authority for IRCC to collect and use personal information, including biometrics, for the processing of applications and determining an individual’s entitlement to a passport. IRCC maintains that this collection is consistent with s. 4 of the Privacy Act, given that collection relates directly to the administration of a lawfully authorized program.

Specifically with respect to biometrics, s. 8.1(1) of the CPO allows IRCC to convert an applicant’s photograph into a digital format and insert it on the electronic chip in the ePassport. Section 8.1(2) facilitates the use of the FRS by authorizing the conversion of the photograph into a biometric template “for the purpose of verifying the applicant’s identity, including nationality, and entitlement to obtain or remain in possession of a passport.” This provision similarly authorizes the use of the System Lookout-Facial Recognition System (SL-FRS) described below.

As with the Immigration Program, the full range of benefits associated with biometrics extend beyond national security outcomes. According to IRCC, the “use of biometrics in the Passport Program does not per se constitute a security and intelligence activity.” Rather, as in the immigration context, biometrics serve identity management, with potential national security benefits downstream of that broader ambit.

Two identical, printed facial photographs, meeting certain International Civil Aviation Organization (ICAO) standards, must be submitted as part of applications for all Canadian travel documents. According to IRCC, all application information is transmitted via secure systems, and all facial recognition data traffic is secured through encryption.

The collected photograph is used for two purposes. First, it is screened using facial recognition to help establish identity and inform an assessment of the applicant’s eligibility and entitlement to Canadian travel document services. Second, it is embedded in the document and used by border officials to validate the identity of the holder when crossing an international border.

The applicant’s digitized photograph is transferred to the Facial Recognition Solution (FRS) application. The FRS then converts the image into a biometric template using a proprietary algorithm and stores it in an accompanying database. If the application is linked to a previous application, such as renewals or the replacement of lost or stolen passports, one-to-one facial verification is performed against the applicants’ previous template(s). For both renewals and new applications, one-to-many facial identification is performed against existing templates (approximately 55 million, from previous applications) in the FRS database from adult (age 16+) applicants and photographs supplied as part of the Passport System Lookout (SL). The SL-FRS , as it is called, is effectively a watchlist comprised of individuals who are considered high-risk for identity fraud, including those known to have a history of using false identities or multiple aliases, or who have otherwise been identified by security partners – including CSIS and the RCMP – as high-risk for such behaviour. The precise criteria or circumstances for inclusion on the list are not clear, and appear to be highly discretionary. IRCC caveats, however, that “only a small number of IRCC Passport Program officers have the ability to add entries to the list.” The list has been in operation since February 2018, and currently includes fewer than 100 individuals.

According to IRCC, the use of the FRS protects the integrity of the Canadian passport. IRCC cites 2016 ICAO guidelines on security in the issuance of travel documents noting that the issuance phase – or the “beginning of the chain” – is becoming the primary target for fraud given “the rapid development of new technologies and new security techniques” which make forgery increasingly difficult, including, for example, the security features associated with the ePassport.

The authority to refuse passport applications for national security reasons lies with the Minister of Public Safety, as per the CPO. Biometric screening through FRS may inform that decision-making process by detecting identity fraud or flagging individuals from the SL-FRS. No such decisions are automatic; individuals on the SL-FRS may still be entitled to a passport or travel document following review.

Preventing fraud (whether through deterrence or detection) in the issuance of official travel documents offers clear national security benefits. The movement of mala fide actors across borders threatens both international and Canadian security. While identity fraud is committed for a host of reasons – including criminal, financial, or personal – the possibility that terrorism, espionage, or other national-security threats may involve the misuse of passports is well documented. Again, rare events can have significant consequences.

The second fundamental usage of the collected biometric is by way of the ePassport itself during the course of international travel. When the passport is issued, the facial photograph is both printed on the biographical page and embedded as a digital image on an electronic chip within the document.

The embedded digital photograph enables three-way verification between the image on the passport, the image on the chip, and the person presenting the passport. Certain countries – including Canada (see the discussion of the PIK in paragraphs 125-137, below) – leverage facial recognition technology for this purpose. The result is greater confidence in a) the integrity and authenticity of the document, and b) that the individual presenting the document is the individual to whom it was issued. The chip is digitally signed using Public Key Infrastructure (PKI) techniques allowing for the verification of the document against the issuing country and to ensure that the data contained within has not been modified.

Photographs submitted as part of passport applications, as well as the biometric templates derived therefrom, are retained until an applicant has reached 100 years of age. IRCC assesses that this retention period is consistent with the practices of international partners (e.g., the United Kingdom and Australia), and balances, in their estimation, the need to issue secure, trusted travel documents with the requirements of the Privacy Act to retain personal information only for as long as necessary. Hard paper copies of the passport applications, including photographs, are retained for six weeks following conversion to digital format, and subsequently shredded.

The length of the retention period facilitates identity management as individuals renew their passports over the course of their lifetime. Each returning adult applicant (e.g. renewal, replacement, etc.) can be verified through the FRS against previous applications from the same individual. Similarly, one-to-many FRS screening includes templates from most adult applicants, maximizing the scope of detecting possible identity fraud.

IRCC discloses photographs and related biographic information collected by the Passport Program to other government departments (OGDs). Unlike in the Immigration Program, these disclosures are not systematic. Rather, they come in response to ad hoc requests from OGDs with criminal, national security, and intelligence mandates. The OGDs make the requests pursuant to their own legislation, and their scope is circumscribed by s. 4 of the Privacy Act. According to IRCC, the context of many of these requests is often the need for information regarding Canadians travelling abroad to engage in foreign conflicts or unlawful acts.

Such requests can involve confirmation or validation of biometric information provided by the OGD against passport records, or identifying individuals of security concern by processing a photograph provided by the OGD through the FRS. For example, the RCMP may identify a person of national security concern, but have only a photograph of the person (e.g. from their social media presence); CSIS may provide IRCC with a photograph of an individual they are investigating but cannot identify. Alternatively, the RCMP and CSIS may share photographs of known individuals with the IRCC. The purpose of these checks is to ensure the person has not obtained a passport under another identity. The IRCC states that, for the RCMP, the scenarios described herein may require the RCMP to obtain a Production Order, depending on the particular circumstances of the request.

In both cases, the IRCC converts the photograph provided by CSIS/RCMP into a biometric template and runs it through FRS. In the first instance, in the event of a possible match, the IRCC would return limited biographic and/or biometric information to the RCMP or CSIS to assist in confirming the person’s identity. In the second instance, the IRCC may validate the person’s previously known identity and confirm whether the person’s photograph is associated to any other identities logged by the Passport Program. The scope of information disclosed by the IRCC, in both cases, depends on the nature of the investigation and its authorities to disclose.

The IRCC discloses this information pursuant to s. 5 of the Security of Canada Information Disclosure Act (SCIDA), if applicable, or may rely on s. 8(2)(e) of the Privacy Act in the case of specific requests. Section 5 of SCIDA allows the IRCC to disclose information to the RCMP, CSIS and other specified institutions where it is satisfied that the disclosure will contribute to the exercise of the recipient institution’s jurisdiction in respect of activities that undermine the security of Canada. To disclose under SCIDA, the IRCC must also be satisfied that the disclosure will not affect a person’s privacy interest more than is reasonably necessary in the circumstances. In contemplating such disclosures, the IRCC affirms that it first obtains sufficient details to ensure these conditions are met. In other instances, such as when the disclosure is to assist a law enforcement investigation, the IRCC may rely on s. 8(2)(e) of the Privacy Act to provide specific investigative bodies with information they have requested in writing, for the purpose of enforcing Canadian law or carrying out a lawful investigation. Where a production order or warrant supports the OGD requests, section 8(2)(c) of the Privacy Act authorizes the disclosure of information for the purpose of complying with the warrant.

In addition to these disclosures to assist national security or law enforcement investigations, the IRCC may disclose information to the Department of Public Safety, where necessary to assist the Minister of Public Safety in rendering a decision under the CPO. Sections 10.1 and 11.1(2) of the CPO authorize the Minister of Public Safety to decide that a passport should not be issued, or that a current passport should be revoked or cancelled, when such action is necessary to prevent the commission of a terrorist act or protect the national security of Canada or a foreign state. By virtue of this authority, the IRCC may collect information on an ongoing basis to verify an individual’s continued entitlement to possess the document. The IRCC also relies on the CPO to disclose, to the Minister of Public Safety, information necessary to support his decision on such matters. In practical terms, this includes IRCC’s disclosure of the relevant passport application, including the digitized photo, to Public Safety. Section 5 of SCIDA and section 8(2)(a) of the Privacy Act (on consistent use) further support these disclosures.

Assessing the Passport Program

A significant source of public concern regarding the use of facial recognition is the possibility that the technology will be inaccurate. In the passport context, false positive identification could lead to inconvenience and/or additional investigative attention for individuals. False negatives, by contrast, worry operators, as they potentially undermine the security benefits of the system.

The FRS has certain natural advantages with respect to accuracy. First, it predominately uses high-quality probe images (templates extracted from passport photographs taken according to ICAO specifications) and searches them against the same (a gallery populated by templates extracted from passport photographs). Exceptions are the images on the SL-FRS and images supplied by OGDs for checking against FRS, which may be of lesser quality. Second, the matching process is not time sensitive (as would be the case in a live environment such as a POE). Adjudication – triage, analysis, and investigation – of possible matches (one-to-many) or non-matches (one-to-one) can be conducted thoroughly before any decisions are made which affect individuals.

A related concern is that certain groups will be disproportionately affected by system inaccuracies. Extant research has demonstrated that age, gender, and ethnicity, among other factors, may influence the ability of a facial recognition system to accurately identify individuals, leading to possible bias and discrimination.

IRCC employs several mitigation measures. First, enrolled templates are stored in one of six separate galleries according to age (adults 16+ and children under the age of 16) and self-identified gender (male, female, or other). Age and gender are known to be confounding factors in facial recognition; separating the database into galleries according to these characteristics allows thresholds to be adjusted as necessary to improve the performance of the system.

In January 2021, IRCC completed an evaluation of a next generation algorithm for possible use in FRS. The results were favourable in terms of the accuracy observed in testing, and implementation of the new algorithm is set for 2021-22. Specifically, the new algorithm demonstrated superior performance in terms of age and gender disparity as compared to the algorithm currently in use. The new algorithm demonstrated improvement in matching photographs taken at lengthy time intervals (e.g. 15 years), which is directly relevant to passport renewals. The testing did not evaluate, however, the algorithm’s performance with respect to race and ethnicity.

IRCC provides public information regarding the use of facial recognition in the passport application process. The photograph guidelines posted on the IRCC website state that “The [ICAO] recommends that passport photos be taken with a neutral expression. This lets us use facial recognition systems to help prevent fraud.” Similarly, a Privacy Notice Statement is included on passport application forms, describing the collection, use, disclosure and retention of personal information, including biometrics.

The biometric embedded on the electronic chip in the ePassport does not constitute a significant risk or expansion beyond what was included in analog passports prior to the ePassport’s implementation. What is on the chip – the facial image and biographical information – is also on page 2 (the biographical page) of the physical document itself.

By contrast, the issuance process – including the use of FRS – directly implicates both biometric information and national security considerations. Preventing mala fide actors – including those posing a threat to national or international security – from obtaining bona fide travel documents warrants stringent processes and security measures during the issuance phase. At the same time, information collected and used in the context of the issuance process will impact all individuals – millions of Canadians and individuals living in Canada – who apply for a passport or other official travel document.

The key consideration is whether the privacy impact of the FRS is commensurate with the benefit to national security associated with its collection, use, retention, and disclosure of biometric information.

The OPC’s recent investigation into the RCMP’s use of facial recognition services supplied by the private firm Clearview-AI is worth considering in this context. In that case, the OPC found that the RCMP’s leveraging of biometric information collected by Clearview-AI from social media and other internet sources violated the Privacy Act because Clearview-AI’s collection of that information had been unlawful. More relevant for the present discussion, however, is the OPC’s characterization of the practical effect of law enforcement’s use of Clearview AI, which meant that “billions of people essentially found themselves in a ‘24/7’ police line-up.” That is, the existence of their biometric information in a database available to law enforcement meant they were subject to identification by law enforcement at any time.

In national security investigations, there may be different policy justifications, security benefits, and disclosure limitations that render use of the IRCC’s passport database proportionate. The disclosure of this information by the IRCC to the RCMP is also supported by law (see paragraph 111). The connection between passport biometrics and the investigations and activities of the RCMP, CSIS and CBSA remains a striking example, however, of the connections made possible by biometrics. Moving forward, NSIRA may wish to review these arrangements, to assess their reasonableness and necessity in terms of balancing individual interests (privacy, liberty, etc.) and the state’s security goals.

Arriving into Canada

The Passport and Immigration programs are the major programs governing Canada’s border continuum. Together, they help manage the processes by which individuals enter the country, largely by providing the documentation that makes international travel possible. Related to these larger programs is the actual process of arriving at a POE and going through Canadian customs and immigration. While the above discussions of both Immigration and Passport touched on these processes, this section discusses two additional activities that involve the analysis of biometric information to verify the identity of individuals arriving into Canada.

Primary Inspection Kiosks (PIKs)

Primary Inspection Kiosks (PIKs) are automated, self-serve kiosks present at ten major Canadian airports. The kiosks facilitate the immigration and customs process for international arrivals into Canada.

As discussed in relation to the Immigration Program, biometrically-enrolled foreign nationals are subject to biometric verification upon arrival into Canada. At airports equipped with Systematic Fingerprint Verification (SFV), this occurs through PIKs. Additionally, PIKs validate ePassports and help verify the identity of ePassport holders (including Canadians) using facial recognition (one-to-one matching) technology.

In 2019, PIKs processed 21,853,422 individuals, an average of 59,872 travellers per day. This means that most individuals – whether Canadian or foreign – arriving in Canada by air have their biometrics analyzed in some way (either as biometrically-enrolled foreign nationals, ePassport holders, or both). CBSA derives its authority to collect information from individuals as they arrive in Canada from s. 11 of the Customs Act and ss. 15 and 18(1) of the IRPA.

The PIK facilitates risk assessment by sending passport and biographical information to CBSA for processing in real time. CBSA uses the information to check the traveller against existing traveller processing systems. This includes the Interdiction and Border Alert System and the Integrated Customs Enforcement System.

According to CBSA, all information passes between the PIK and CBSA through an encrypted tunnel and is purged prior to the next traveller using the device.

The use of the facial photograph embedded on the ePassport’s electronic chip is for identity verification at the kiosk and during primary inspection. Facial recognition – or facial “matching” as it is called by CBSA in this context – occurs on a one-to-one basis by extracting the digital photograph from the chip and comparing it to a live photograph of the traveller captured by the kiosk. A match score is generated, based on the vendor’s proprietary algorithm, and the score is sent to the CBSA to determine whether it is above or below a pre-determined threshold. The result is printed on the PIK receipt. The CBSA itself defines the match/no-match threshold; it is not determined by, nor shared with, either the vendor or Airport Authorities.

The PIK receipt also includes the facial photograph taken by the kiosk. The traveller presents the receipt to a Border Services Officer (BSO); in the event of a no-match, the BSO may correct obvious non-technical errors (for example, one individual was photographed twice as part of a group of two travellers) through visual verification, ask additional questions, and/or refer the individual to secondary inspection on a discretionary basis.

The inclusion of the photograph on the receipt was a significant issue in the 2012 PIA conducted for the PIK project. CBSA justified the practice on the basis of efficiency (quicker processing by the BSO collecting receipts) and security (preventing receipt swapping prior to egress at primary inspection). The PIK receipt – including the printed photograph – is retained by CBSA for seven years. The OPC expressed concerns regarding this retention period given the presence of the traveller’s photograph. In essence, the retention of these photographs constitutes a database of (nearly) all travellers who enter Canada. While CBSA asserted that the photographs are not searchable nor used for facial recognition purposes, OPC noted the sensitivity of retaining biometric information in centralized databases and has urged CBSA to consider mitigation strategies.

The CBSA details the necessary specifications and requirements for PIKs, but relies on Airport Authorities to procure both the hardware and software (including the algorithm used for facial matching). This means that different versions exist at different airports across Canada. The accuracy of the facial matching process consequently varies between locations. The algorithms are proprietary, meaning CBSA does not have visibility into precisely how they operate, though it does have access to data on accuracy and performance through the US Department of Commerce’s National Institute of Standards and Technology (NIST) as well as from in-house performance testing.

In 2020, CBSA evaluated the performance of the four face-matching algorithms integrated in the three kiosk designs currently in use, and determined that opportunities existed to improve performance in certain airports by adjusting facial matching thresholds. The testing similarly examined issues of possible demographic bias. The results suggested that small discrepancies along the lines of gender (lower matching rates for females) and age (lower matching rates for younger and older) did exist in airports using a particular algorithm. Recommendations for mitigation included shifting vendors and/or setting gender-specific match thresholds, though the latter option was considered potentially problematic in terms of inviting higher false positive match rates.

Public reporting has expressed concern that higher facial matching error rates for certain ethnicities might result in more frequent referrals from PIKs to secondary inspection. It has been observed, for example, that rates of referral are higher for nationals from Iran and Jamaica, as compared to countries such as Iceland and Denmark. The CBSA indicated to NSIRA that no referrals to secondary inspection occur as a result of the facial matching process (i.e. there are no referral codes associated with facial matching leading from the PIK to secondary inspection). In practice, however, a failed match will lead to greater scrutiny as a BSO at primary inspection assesses the reason for the failed match. It is possible that discretionary referrals to secondary occur as a result; the CBSA does not track statistics associated with this scenario.

CBSA is aware of concern regarding possible bias associated with higher facial match error rates for certain ethnicities, and points to improvements in the overall accuracy of algorithms that will help close any gaps in performance across demographic categories. Further, CBSA notes that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” Given the significance of the public interest and concern associated with possible bias, NSIRA encourages CBSA to continue its work in this area. In addition to technical solutions aimed at further closing identified gaps, an examination of the implications of facial matching errors on travellers might suggest policy solutions to mitigate any possible disparate impacts.

The PIK will continue to play an integral role in future applications of biometric technology at Canada’s international airports. As noted in the CBSA’s 2021-22 Departmental Plan, the agency is set to integrate the PIK into new applications of mobile technology with the aim of further streamlining the customs and immigrations arrival process.

NEXUS

NEXUS is a voluntary trusted traveller program intended to expedite border crossing between the US and Canada for preapproved, low-risk travelers (“NEXUS”). Section 11.1(1) of the Customs Act authorizes the Minister to administer such programs, by allowing him to authorize persons to present themselves at the border “in an alternative manner.” The program is jointly managed by CBSA and US Customs and Border Protection (CBP). As mentioned in Section 4, although NEXUS began as a pilot initiative prior to 9/11, it was expanded and implemented following the attacks with an eye toward robust identity verification and traveller facilitation in the context of enhanced border security.

In 2019, NEXUS underwent a “modernization” process, which saw the adoption of the PIK facialmatching model into NEXUS-dedicated kiosks for air arrivals, replacing iris scans with facial matching as the biometric modality for identity verification. In order to facilitate facial matching, CBSA collects the biometric from electronic passports, stores it in the NEXUS database, and uses the photograph to verify identity during travel. The process is similar to how the PIK operates in other traveller streams and produces roughly similar outcomes. The main difference here is that the photograph taken at the kiosk is matched against the traveller’s image in the NEXUS database. NEXUS’ purpose in using the passport photograph is the same as in the regular PIK process: to verify the individual’s identity prior to allowing them admission into Canada. NEXUS’ use of the passport photograph was preferred because the image provides better facial recognition matching (given that it was taken according to ICAO specifications) as compared to the membership photograph (taken by border services officers under varying conditions – light, background, distance, etc.). NEXUS participants are informed of the extraction of their passport photograph for facial matching purposes.

NEXUS’ voluntary nature, and the consistent purpose of using the passport photograph within NEXUS to facilitate identity verification and travel, renders this second use of the ePassport photograph reasonable in NSIRA’s view. The consistency of purpose between the programs also respects the norms and the requirements of sections 7 and 8 of the Privacy Act.

The use of the passport photograph for facial matching within NEXUS is nevertheless noteworthy as an example of when it has been beneficial to use an existing biometric in an additional program. The dual-use of biometrics in this case is relatively benign, but the dynamic which produced it – that is, the convenience, availability, and possible value-added (accuracy in identification) of existing biometric information – is likely to be common to scenarios which may be of more concern, as discussed below (see paragraphs 191-201, below).

6. Biometrics Future

We expect the landscape detailed in the preceding sections of this report to change significantly in the short-, medium-, and long-term. In this section, we highlight select projects and initiatives to illustrate how biometrics in the border continuum are likely to evolve, and to mark key points of consideration for Canadians – and NSIRA – as we move into this unfolding technological future.

The GoC has publicly committed to continued research, development, and deployment of biometric technologies in the border continuum. For instance, Budget 2021 allocates $656.1 million over five years (beginning in 2021-22) and $123.8 ongoing to the CBSA for the “modernization” of Canadian borders. CBSA “proposes to utilize new technologies, such as facial recognition and fingerprint verification” as part of such efforts.

The agency has announced the creation of an Office of Biometrics and Identity Management (OBIM) under a newly formed Biometrics Transformation Directorate (BTD) within the Chief Transformation Officer Branch (CTOB). CBSA indicated to NSIRA that the purpose of the BTD is to coordinate biometric initiatives (including design, implementation, and operation) across the agency. In addition to its coordination role, OBIM will act as a Centre of Expertise and focal point within CBSA for guidance on the appropriate use of biometrics. This will include developing and managing CBSA’s biometrics governance, risk and compliance framework. A June 2021 Notice of Proposed Procurement (NPP) solicited proposals from contractors for aid in establishing the OBIM and “to work with the [CBSA] in researching, planning for and rapidly developing a strategy and roadmap related to the use of Digital [sic] solutions enabled by supporting technologies in biometrics, in response to the COVID 19 situation and other operational priorities.” The proposal further specified that the successful contractor would aid in “the development of a comprehensive approach and plan to manage, evolve and adapt in using biometrics” to fulfill CBSA’s mandate and objectives. As part of this coordinating function, the OBIM will review current steady-state biometric activities and make recommendations where necessary for aligning them with overarching CBSA standards and objectives.

With respect to immigration, CBSA’s Departmental Plan 2021-22 commits to “explor[ing] measures to standardize the collection of biometric information on potentially inadmissible travellers to strengthen compliance verification at the border.” In July 2021, IRCC released a tender notice soliciting industry information regarding the procurement of a next generation Canadian Immigration Biometric Identification System (CIBIDS). The new system will “take advantage of the latest technologies […] to modernize [IRCC’s] biometric technology solution” and may include the “design and development of a new IRCC custom Biometric Collection Solution.”

“Next generation” development is occurring in the Passport Program as well, with “a new passport booklet, incorporating advancements in technology to enhance the document’s durability and security features” aimed, in part, at “alignment with documents issued by our Five Nations Passport Group partners.” Phased rollout of the new ePassport will occur between 2023 and 2024.

Passport issuance, similarly, is undergoing “modernization”, as part of an ongoing process initiated in 2013 to facilitate the transition of the Passport Program from the Department of Foreign Affairs, Trade and Development to CIC (now IRCC). The Passport Program Modernization Initiative (PPMI) is a multi-year project that is scheduled to be completed in 2023. PPMI intends to streamline “all aspects of Passport Program operations” and “keep pace with evolving international passport issuance and identity management best practices.” The initiative also aims to systematize passport services across intake locations, and lay “the foundation for online passport services and automation to improve the service experience.”

In June 2020, IRCC issued an NPP for a “Passport Digital Services Project” that “will allow Canadians to apply online for passports, using a computer, tablet or mobile device, as a convenient alternative to mail-in or in-person service options.” The procured platform will transmit passport applications – including digital photographs – from individuals to IRCC. Media reporting in early 2021 indicated that IBM was selected as the successful bidder. The proposed system has generated privacy concerns, particularly with respect to transmitting biometric information (digital photographs) over a private platform. We can expect the tension illustrated here, between convenience and privacy, to be a key theme in public conversations surrounding new biometric activities in the coming years.

In this vein, CBSA’s Department Plan 2021-22 highlights several experimentation and innovation initiatives involving mobile technology (e.g. smartphones), including “explor[ing] digital identity concepts and opportunities to pilot digital identity in the travel continuum from a border management perspective.” Digital Identity refers to paper-less identification, whereby trusted and secure digital proof of one’s identity replaces traditional, physical documentation (e.g. passports, driver’s licenses, etc.).

A Digital Identity is typically linked to an individual through biometrics. ICAO’s first iteration (Type 1) Digital Travel Credential (DTC), for example, “binds” a traveller to their Digital Identity by way of the biometric embedded in the ePassport, limiting the need to produce the physical document during travel. The DTC is an international project that, while coordinated by ICAO, includes input from jurisdictions around the world and encompasses several future iterations (Types 2 and 3). IRCC and CBSA are currently members of ICAO’s New Technology Working Group (NTWG) and the NTWG’s Digital Travel Credentials (DTC) sub-group. Ultimately, the long-term vision of the DTC project is to replace physical passports with Digital Identity “tokens” (which would include the facial photograph from the ePassport) stored on mobile devices.

As discussed in Section 4, IRCC and CBSA’s FASTER-PrivBIO Project (2015-2017) also explored the use of identity “tokens,” stored in a mobile application, in the context of Electronic Travel Authorizations (ETAs). FASTER-PrivBIO closed in 2017, and “Phase II” of the project became the Chain-of-Trust (CoT) initiative, led by CBSA in collaboration with IRCC, Defence Research and Development Canada (DRDC), the University of Ottawa, and industry partners.

CoT further explored the adoption of mobile technology in the eTA process, while also expanding to include other steps in the travel continuum. As described in CBSA’s Blueprint 2020 Report (published in December 2018):

[t]he Chain of Trust process would require travellers to download an app to their smartphone and create an account including a unique identifier built from their biometrics. At every stage of the trip – from flight reservation, to obtaining a boarding pass, to disembarking the plane – the traveller’s data would be collected and used to speed up the traveller’s passage. Just before landing, the traveller would create an e-declaration and digitally sign it using biometric facial verification. Upon arrival, cameras would match the biometric face to the traveller’s unique identifier.

The purpose of the process, ultimately, is to enhance risk assessment. Linking traveller information to traveller identity throughout the travel continuum (including by using facial recognition as an individual moves through the airport) facilitates the flow of low-risk travellers (including by minimizing touch-points with border control, a feature that will take on additional significance in the context of post-COVID 19 travel), while enhancing the detection of possible high-risk travellers.

In 2018, a simulated prototype demonstrated the basic features and process flow of the CoT to Canadian government officials. While the prototype project closed in 2019, the overarching CoT initiative continues, as per CBSA’s 2021-22 Departmental Plans, through the deployment of “small-scale minimum viable products to assess feasibility in a live environment and obtain user experience feedback.” The stated goal of CoT remains the streamlining of “traveller identification through the use of digital travel credentials and biometrics.” Notably, CoT is explicitly aligned with other international initiatives and projects, including ICAO’s DTC, reflecting the extent to which coordination exists in the broader ecosystem of biometric experimentation.

To be clear, the features of CoT described above do not reflect current practice at the border, nor do they represent commitments from CBSA (or any other GoC entity) regarding what the traveller experience will look like in the future. By the time the CoT, some version of it, or a new project operating in similar terrain, is implemented, the specifics of how biometrics verify identity or travellers move through the airport may have significantly changed. Nonetheless, the trend lines are apparent, as Digital Identity, mobile technology, and biometric verification converge on the traveller experience.

An additional example is the Known Traveller Digital Identity (KTDI) pilot project, led by Transport Canada (TC) in collaboration with the World Economic Forum (WEF), the government of the Netherlands, and commercial partners. In 2018, Canada announced its participation in the WEF’s broader KTDI vision and, in 2019, committed to a proof of concept pilot project which would operate between Canadian (Toronto-Pearson and Montreal-Trudeau) and Dutch (Amsterdam-Schiphol) airports on Air Canada and KLM Royal Dutch Airlines flights.237 This project may access required funding under Budget 2021, which proposes $105.3 million over five years to develop an approach to digital identity for air travellers.

KTDI will combine blockchain technology and facial recognition to “provide a seamless and secure air travel experience facilitated via a mobile application.” Travellers will have their facial photograph captured for one-to-one matching against their ePassport photograph at different touch points in the travel continuum (e.g. boarding and customs). They will be able to “push” their information (including their facial biometric) to relevant partners (e.g. airlines or Dutch or Canadian customs) at their own discretion, or revert to conventional identity verification (e.g. ePassport) at any time. While TC will interface with CBSA to conduct checks on ePassports at enrolment (to verify authenticity and ensure that the document is not lost or stolen) no passenger risk assessments will be conducted.

At the time of writing, the pilot is not yet live. The COVID-19 pandemic has impacted both the project’s timelines and its operational context. Originally, part of the rationale for KTDI was to accommodate increasing traveller volumes; although the pandemic has led to a decrease in travel volumes, it has also amplified the need for low-contact, ‘touchless’ travel. Indeed, the budget commitment noted in paragraph 156 was linked to the GoC’s investment in “safe air travel […] that limits transmission of COVID-19 and protects travellers.” For present purposes, the KTDI is important for what it suggests about the general trajectory of biometrics in the air travel and border continuum.

The Canadian KDTI pilot traces its origins to the broader KDTI vision articulated by the WEF. In the WEF’s KTDI concept, passports would effectively be replaced with digital credentials stored on mobile devices, while facial recognition-enabled gates (often referred to as smart gates or egates) would allow passengers to transit through airports from arrival to boarding to customs and exit with little to no interruptions. Other elements of the travel experience – for example hotel and car rentals, or shopping at duty free – would also be incorporated. Over time, travellers would compile a trail of interactions – or “attestations” – from various entities (border control, commercial entities) that cumulatively built trust in that individual. Risk profiles, supplemented by security screening, would help determine the level of scrutiny applied to a traveller by relevant authorities. Further, the Digital Identity “wallet” (encrypted mobile application) would include more than just passport information and biometrics, storing bank information, health records (including proof of vaccinations), educational degrees, credit scores, etc.

This broader vision is ambitious. The Canadian KTDI pilot – even as it evolves to reflect post-COVID priorities – is decidedly more circumspect in its aims. TC was clear in communications with NSIRA that the pilot (while including the WEF as a partner) is distinct from, and not beholden to, the broader WEF vision. Yet the sheer ambition of the latter indicates a probable trend in the future of international travel. As this report has demonstrated, the use of biometrics tends toward expansion over time. Concomitant advances in mobile technology – including the development of secure Digital Identity platforms, predicated on biometrics – find natural application in the border continuum, where identification is key and, increasingly, so is convenience.

However, enhanced convenience continues to rub up against privacy concerns, particularly with respect to facial recognition technology. A robust public debate is emerging regarding the legal authority for the use of facial recognition in public spaces. Jurisdictions around the world are grappling with how to manage the proliferation of facial recognition technology, in some cases issuing moratoriums or outright bans on new applications of the technique until its implications are properly considered and new legal and/or regulatory frameworks governing its use are established. The OPC’s recent investigations into the use of Clearview-AI by the RCMP reflect the Canadian salient of this broader conversation.

The basic contours of the debate are whether existing frameworks for the handling of personal information (in some cases drafted decades ago, before the advent of facial recognition and other biometric technology) are adequate or whether specific legislation is required, designed explicitly for facial recognition. Greater specificity in legislation would enable standards to be set as to when the use of facial recognition is appropriate and proportional. It would also enhance the transparency of the norms set by Parliament and provide public information about the circumstances in which Parliament considers facial recognition to be lawful and reasonable in promoting security and convenience in Canadian society.

The OPC is currently drafting new privacy guidance on biometrics, for both the public and private sector, intended to shape how the technology is applied moving forward. While the border context is distinct from other public settings when it comes to privacy, applications of biometric technology at the border cannot be exempt from emerging legal and societal norms. The development of new activities must be aware of such challenges, and account for shifts in the legal and regulatory landscape.

Public concern is likely to be most acute with respect to live capture facial recognition, in the vein of the FOTM pilot discussed in Section 4. Static, one-to-one verification of identity at mobile kiosks – for example as currently takes place at PIKs – is well-established, and allows travellers to know when facial recognition is being used. Roving, one-to-many identification – in which biometrics are captured at a distance – are the source of more anxiety. Consider, for example, the legal challenge to the use of this type of facial recognition in the UK and the multiple calls for moratoriums with respect to the use of facial recognition in public places.

Given the developments described above, NSIRA expects that biometric information will be systematically incorporated into the traveller experience across the border continuum moving forward. Security considerations and general identity management will remain important, but so too will traveller convenience and, in the wake of COVID-19, ‘touchless’ or decongested travel. The use of mobile technology and Digital Identities reflect broader societal trends that are particularly well-suited for application in the border continuum. Informed consent, and/or specific, transparent legal authorities are important considerations for ensuring that such applications occur lawfully and with sound public understanding surrounding when biometrics are collected, how they are used, and how they are protected when in the possession of the government.

7. Observations

This report has documented and described the GoC’s use of biometrics in the border continuum. The scope of these activities is large and growing. For government, biometric information offers a firm foundation for identity management. At the same time, civil society groups, academics, and other concerned Canadians worry about the privacy implications of the government collecting, using, retaining, and disclosing information about immutable physical characteristics. The fundamental purpose of the present study was to inform this ongoing conversation, to both demystify present government activities and evaluate them from NSIRA’s unique, crosscutting perspective. In this final section, we leverage that perspective to articulate our observations according to nine general themes.

1. Biometrics and National Security

Biometrics enhance identity management; identity management at the border in turn serves national security. As outlined in Section 4, the impetus for the expanded collection and use of biometrics, particularly post-9/11, was their purported national security benefits.

Nonetheless, the centrality of national security as a justification for biometric activities has waned over time relative to other objectives.

First, there were the broader benefits associated with identity management, including assessing admissibility and entitlement, preventing fraud, and introducing efficiencies into service delivery. Of note, the CBSA and IRCC do not currently characterize their steady-state biometric activities primarily in national security terms. The Passport Program’s purpose is to enable the travel of eligible Canadians, while the Immigration Program’s purpose is to manage the flow of foreign nationals into Canada, the vast majority of whom arrive for legitimate reasons. Biometrics are information about individuals that facilitate these functions. The benefits to national security, in each instance, are a consequence of the robust identity management to which biometrics contribute. More recently, traveller facilitation has risen to the fore, with programs and pilots incorporating biometrics and mobile technology in pursuit of “seamless” and “touchless” travel (the latter of particular interest given COVID-19).

Although biometrics extend beyond the national security domain, the national security outcomes they support are undeniable. Part of identity management is identifying mala fide actors, including possible terrorists, Canadian extremist travellers, and other national and international security threats. Biometric screening for both immigration and passport applications, for example, includes querying databases (domestic and foreign) that may return information pertinent to national security (e.g. presence on a watchlist, suspected terrorist activity, previous national security convictions, multiple identities, etc.).

The assessment of these programs’ proportionality must therefore be done in light of the full panoply of benefits that biometrics contribute to Canada’s activities at its border. This includes their benefits for identity management in admissibility and passport decisions, traveller screening, and also national security.

As pertains to areas for future NSIRA review, the present study’s overview of the border continuum highlighted several possibilities:

The collection of biometrics at Visa Application Centres (VACs). Here the national security concern stems from personal information – including biometrics – passing through VACs operating in high-risk jurisdictions and run by private contractors and sub-contractors. A review of VACs would include the risks associated with the collection and transmission of biometric information, but also cover the broader security arrangements and national security implications pertaining to the overall operation of such locations.

Instances where biometrics link information across databases for national security purposes. For example, when automated querying occurs with M5 partners in the immigration context, what are the statistics and other metrics associated with national security outcomes (e.g. information that leads to a decision of inadmissibility on IRPA s. 34 grounds)? What about case-by-case exchanges with M5 and other partners that occur because of national security concerns? Finally, what role, if any, has biometric information played in cases where the Minister of Public Safety has denied, revoked, or cancelled a Canadian passport for reasons of national security? These examples illustrate the potential for review of national security activities made possible by biometrics. In such instances, the balance between privacy and security – between protecting sensitive personal information and the security objectives of the state – suggests a clear role for NSIRA in terms of reviewing lawfulness, reasonableness, and necessity.

Other situations where biometrics collected for one purpose are subsequently used for any other program or purpose (see the discussion of dual-use in paragraphs 191-201, below).

2. The Steady-State Activities

Overall, the GoC’s steady-state biometric activities in the border continuum are well-supported by current legal authorities and are consistent with international practice.

The IRCC and CBSA’s use of biometrics in their steady-state programs is well-established and supported by detailed, statutory authority. Canada’s collection and verification of fingerprints and facial photographs in the immigration context is also consistent with that of other M5 members. By design, the use of fingerprints facilitates information sharing with the M5, who similarly collect fingerprints in support of their own immigration programs and to enforce domestic immigration law.

The Canadian ePassport, similarly, adheres to standards established by the International Civil Aviation Authority (ICAO), which mandates the use of facial photographs as a biometric measurement. Globally, more than 140 countries currently use ePassports based on ICAO specifications, making the system interoperable and facilitating international travel for Canadian passport holders. The use of facial recognition in the passport application process is consistent with ICAO guidelines and best practices on the issuance of travel documents.

The legislative framework for the steady-state activities provides a solid basis for the collection, use, retention and disclosure of biometrics as part of the GoC’s immigration and passport programs. Nonetheless, there may be more targeted areas of concern, as articulated below.

3. Expanding Use of Biometrics over Time

The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. The trend is driven, in part, by advancing technological capabilities and evolving challenges in identity management.

Beginning with asylum claimants and deportees in 1993, the collection of biometrics now covers all non-exempt foreign nationals entering Canada and, through the passport program, all Canadian citizens who apply for a passport as well as permanent residents who apply for a Certificate of Identity and refugees who apply for a Refugee Travel Document. The Biometric Expansion Project was initiated with the expressed aim of widening the scope – collection, sharing, and use – of biometrics. The M5 partners meet regularly in working groups to refine and enhance (frequently, to extend) the immigration information that is shared between them. Pilot and research projects conducted within the last several years have examined the use of facial recognition technology in airports, while others have explored the integration of mobile technology into biometric identity management in the travel continuum.

Undoubtedly, developments in technology drive some of this momentum. We can do more, so we do. Leveraging new capabilities to enhance program delivery is a legitimate objective. At the same time, however, such technological determinism cannot justify the collection of sensitive information in its own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for intended objectives.

Also at play is the impetus to keep pace with other jurisdictions. As countries around the world expand their biometric activities, it is natural for Canada to do the same; doing so facilitates global travel for Canadians, makes it easier for non-Canadians to travel to and through Canada, and helps Canadian officials identify possible security risks (as in M5 information-sharing). Yet keeping up with others, even Canada’s close international partners, is not on its own a valid justification for the expanded collection and use of sensitive personal information. Again, each new activity must be assessed, and justified, independently.

Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.

4. Pilot Projects

Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA.

Pilots are vehicles of expansion: a forum for new techniques and technologies that may strain the proportional balance between the government’s goals and intrusions on personal privacy. Furthermore, there tends to be less public information available to Canadians about pilot activities. In this report, we describe several such projects, though it was beyond the scope of our emphasis on current activities to determine whether any single pilot was proportionate in terms of its collection and use of biometrics.

Nonetheless, an illustration of the challenges and possible concerns associated with pilots is provided by the Faces-on-the-Move (FOTM) project. The pilot relied on legislative authority under sections 15-18 of the IRPA; yet, these provisions were drafted before facial recognition technology was contemplated. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. In the future, legal advice should be sought to ensure that any similar activities are well-founded in the CBSA’s legislative authorities and consistent with the requirements of s.8 of the Charter. Attention must also be paid to the policy framework governing pilot activities to ensure the proper characterization of the affected personal information. Privacy notice statements and public signage should also ensure an appropriate degree of public transparency about the deployment of new technologies and the purposes for which they will be used.

Pilot projects that entail the collection of private or personal information must receive commensurate legal and policy attention. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place to conduct the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.

The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required.

This debate is growing, especially as relates to facial recognition technology. Biometrics are personal information, but they have particular features that may set them apart: they capture immutable personal characteristics, they allow for reliable identification at a distance, and they act as unique identifiers that can be used to discover and connect information about individuals across multiple datasets. The question is whether it is appropriate to treat biometrics as being commensurate with other personal information collected by the government in the course of its programs and activities. Are specific legal regimes necessary to create standards that appropriately reflect the potential intrusiveness and sensitivity of certain biometric data, and ought there be specific use limitations beyond those currently applicable by virtue of the Privacy Act?

The Office of the Privacy Commissioner (OPC) commented on this issue in the context of its recent investigation into the RCMP’s use of facial recognition via the private firm Clearview AI. “Canada’s privacy laws were designed to be technology neutral”, wrote the OPC, “which is positive, given the pace of technological change compared to that of legislative modernization. However, the risks of [facial recognition] technology are such that […] specific rules may be warranted.” The report further noted that many jurisdictions around the world have developed privacy laws which specifically regulate biometric activities. Quebec is presently the only Canadian jurisdiction to have enacted a law that specifically addressed biometrics. Other jurisdictions are calling for, or implementing, outright bans on facial recognition technologies. The European Data Protection Supervisor, for example, has called for a ban on facial recognition in public spaces, arguing that such applications constitute a “deep and non-democratic intrusion into individuals’ private lives.”

Civil liberty organizations have been vocal in raising concerns about biometric activities, as have academia and the media. Governments, meanwhile, can benefit from new capabilities and innovation in pursuit of program objectives, but must do so in a way that respects fundamental human rights. The tension at the core of this debate – how to achieve government objectives efficiently and effectively, while safeguarding individuals’ privacy – is familiar. It is the tension manifest in national security activities more generally, as society balances individual rights against collective protection. In the present context, this evergreen dilemma is catalyzed by advancements in technology, which widen the government’s toolkit while also widening the scope of possible intrusion on individual privacy, specifically the collection and use of sensitive personal data. Moving forward, the question of how biometric activities are designed, implemented, and regulated will be determined, in part, by shifting societal norms, established legal principles (including Charter considerations), and long-standing Canadian values associated with democracy and individual rights.

While the border is, comparatively, a space in which greater intrusiveness is considered reasonable, the boundaries of those justifications are not limitless, and will require careful calibration. For NSIRA, as for other review bodies, evolving legal and societal norms will shape how considerations such as compliance and reasonableness ought to be applied.

6. The Dual-Use of Biometrics

Dual-use refers to when biometrics collected for one purpose are subsequently used for any other program or purpose. The logic is appreciable. Biometrics constitute robust identifying information about individuals; if they are useful in one context, they are likely to be useful in another. However, this dynamic constitutes one of the main privacy concerns associated with biometrics.

NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report.

First, photographs collected under the Passport Program are also used for facial matching purposes in NEXUS.

Second, fingerprints collected from foreign nationals as part of immigration applications become searchable by law enforcement in the course of criminal investigations. While the RCMP maintains separate repositories for immigration fingerprints and criminal fingerprints, both are searched when law enforcement submit fingerprints for identification purposes.

Third, CSIS, RCMP and CBSA can submit photographs to IRCC to have them checked against passport and travel document application photographs using facial recognition. This can occur in the context of national security or law enforcement investigations in an attempt to identify an unknown individual, to determine if a known individual has multiple identities, and/or to assist in the execution of a warrant.

Dual-use does not always present a compliance issue. Indeed, many such uses are well-supported in law given the “consistent use” standard in s. 8(2)(a) of the Privacy Act, the ability for certain institutions to request personal information under s. 8(2)(e) of the Privacy Act, and other sector-specific legislative provisions (see, for example, paragraphs 85, 109, and 112, which outline the authorities that govern the law enforcement uses discussed above). With respect to NEXUS, in particular, the use of passport photographs is a clear consistent use (see paragraph 140). Privacy concerns are further muted given the program’s voluntary nature and individuals’ prior consent.

However, even where they pose demonstrable benefits, new uses of previously collected biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law.

Though authorized by law, the situations in which biometrics collected in the border continuum are leveraged for purposes outside of that continuum (such as when investigative agencies use biometric information initially compiled for immigration or passport purposes) may be worthy of particular scrutiny. NSIRA may return to these cases as it contemplates future review of biometric activities.

Additionally, the principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.

Purpose limitation involves explicitly stipulating the specific purpose for which the collected biometrics will be used, with a commitment to not use them for any additional purposes in the future. It is well established in UK and European jurisprudence and is more restrictive than “consistent use.” While the “consistent use” principle reflects the GoC’s standing commitment to limit the repurposing of personal information, the standard ought to be read as narrowly as possible for biometric information. Again, biometrics are unique compared to other personal identifiers because they are essentially permanent and immutable. This means that once they are collected, if they are not subject to clear retention/deletion policies and purpose limitations, the government has a ready repository of information for identifying individuals in the future – perhaps in activities that are less benign than the activities under which the biometrics were originally collected.

It is premature for NSIRA to make a finding on whether the possible instances of dual-use identified above are reasonable or proportionate. Future review, whether by NSIRA or another review body, may consider the question in greater depth.

7. Technical Systems

NSIRA reviewed high-level technical information about the activities documented in this study. This included information pertaining to the various systems and databases used in the course of the GoC’s biometric activities.

There is significant overlap between the technical systems and databases used across the steady-state biometric activities.

Both the Passport Program and Immigration Program use the Global Case Management System (GCMS), and IRCC, CBSA and RCMP have access to GCMS. In the immigration context, facial photographs are stored in GCMS, while fingerprints are sent to the RCMP and stored in one (immigration) of several repositories of the Automated Fingerprint Identification System (AFIS). The immigration repository is then searchable by domestic law enforcement and can be queried by Canada’s M5 partners for immigration purposes.

The passport and travel document applications in the Passport Program, meanwhile, are stored in both GCMS and in IRCC’s Central Index (see Annex A), though IRCC has communicated that a full transition to GCMS is planned moving forward. The digitized photograph from the application is sent to IRCC’s FRS, converted into a biometric template, sent for evaluation in the FRS database, and stored in the CI. In both the Immigration Program and Passport Program, the intake of applications – and biometrics – employ a range of systems at different intake locations around the world, all of which connect back to IRCC servers in Canada.

The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.

In keeping with the foundational nature of the study, NSIRA makes these observations as a first step in mapping the relevant systems architecture. This mapping, summarized in Annex A, will support NSIRA should it choose to review in detail the various technical systems used for biometrics in the course of border activities, including how they overlap and what privacy or security issues, if any, might arise from the present structure.

8. Visibility into Algorithms

In addition to the public concern about governmental surveillance noted above, there is related apprehension about automated decision-making and about decision-making aided by automation, particularly when it occurs in conjunction with biometric identification. The general concern with respect to algorithms and automation is that the decision-making process is opaque, even to the human operators who rely on the algorithms or systems to do their work.

In the Immigration Program, Passport Program, and at PIK kiosks, IRCC, CBSA, and the RCMP have limited visibility into how the algorithms used operate.

The algorithms are procured from private vendors, and the details of how they work are proprietary. They are, in this sense, essentially a ‘black box’. NSIRA supports greater transparency in how algorithms work when analyzing personal information. Such transparency is necessary for third-party verification of the algorithms’ accuracy and reliability and would enhance public confidence in both the algorithms’ ability to function fairly and without discrimination and in the departments’ ability to mitigate any shortcomings in that respect.

Each department and agency did, however, demonstrate that performance metrics (e.g. error rates) are known and tested, and that customizations (such as adjusting match thresholds) are applied when appropriate.

Moreover, for IRCC’s FRS, and for the RCMP’s AFIS, human intervention occurs to either verify system results or complete matches if necessary. Facial matching at PIKs, by contrast, occurs without human adjudication, though any obvious errors may subsequently be corrected by BSOs through visual verification.

9. Preventing Bias and Discrimination

Related to the opacity of algorithms is the possibility that automated biometric analysis – e.g. facial recognition and fingerprint matching – may be subject to bias. It is well documented in the academic literature, for example, that many facial recognition algorithms are less reliable in identifying women, the very young and very old, and individuals with darker skin tones. Similarly, fingerprint capture and matching may be more difficult and/or less accurate for females, particular ethnic groups, and individuals working in certain trades (which may reflect socio-economic status). Given that important decisions in the border continuum – including the issuance of official travel documents, the granting of visas, asylum, and/or residency status, and possible referral for additional questioning/inspection during the immigration and customs process – are informed by automated analysis, the possibility of systematic bias is of concern.

IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent.

For example, CBSA’s GBA+ for the PIK, completed in May 2016, suggested that the agency apply gender-specific thresholds for facial matching; an October 2020 analysis on possible gender bias at PIKs made a similar recommendation. For facial recognition in both FRS (IRCC) and PIK (CBSA), recent performance testing explicitly addressed the possibility of demographic bias. This analysis noted minor imbalances in terms of gender accuracy, but emphasized that advancements over time (updated algorithms) have steadily reduced, though not eliminated, the gap.

In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts.

The work to comprehensively address these issues – beyond noting that small discrepancies do exist – remains to be done. CBSA noted, for example, that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” This includes GBA+ on facial recognition technologies, work on the visibility of bias in data, and the development of possible policy mitigations. Similarly, IRCC stated that “further demographic bias assessments will […] be conducted” following the implementation of a new algorithm in the FRS.

This is not to suggest that efforts to mitigate possible bias have been insufficient to this point; rather, both IRCC and CBSA have demonstrated that they are aware of possible issues and committed to future work in this area. However, such efforts should not be confined to accuracy testing, and relying on improving algorithms. Solutions at the policy level should also be explored, including the implementation of previously identified mitigation strategies and the analysis of the possible consequences of biometric errors for the experience of affected individuals.

A commitment to continuing to minimize discrepancies in the algorithms’ function for diverse groups, and to ensure such differences are taken into account by the human decision-making that follows biometrics screening, will continue to be important in ensuring the reasonable use of these algorithms in the future.

More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies examined in this study have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

8. Conclusion

Biometrics play a fundamental role in the border continuum. The Government of Canada uses biometrics to verify and establish identity. The question of who is coming into the country – and whether they have a right to – is more confidently answered as a result. In the immigration context, this involves the screening, verification (at arrival), and ongoing assessment of admissibility of foreign nationals coming to Canada as temporary or permanent residents. Applicants for Canadian passports (and other official travel documents) are screened to confirm eligibility to passport services and entitlement to a passport, and subsequently use their biometric, embedded in the ePassport, during the course of international travel. These two streams converge at Canadian airports, where CBSA verifies the identity of travellers using facial recognition at automated kiosks.

The purpose of this study was to examine and contextualize these activities. We looked back, tracing the evolution of the GoC’s biometric activities in the border continuum, noting a shift from strict national security objectives to broader goals of identity management. We looked forward, to possible future biometric applications, including the adoption of Digital Identities, and even greater systematization of biometrics into the overall traveller experience.

Our observations are meant to inform both the Canadian public as it contemplates the government’s collection and use of biometric information, and NSIRA as it plans future review of the same. We noted that the steady-state activities are well-supported by current legal authorities, and are consistent with international practice. At the same time, certain areas raise potential concern. These include pilot projects, which are vehicles for experimentation and require careful legal consideration; the ongoing possibility of systemic inequalities across diverse groups of people resulting from algorithmic biometric analysis; and the possible dual-use of biometric information, including the availability of biometric information to investigative agencies.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

Share this page
Date Modified:

NSIRA Review arising from Federal Court’s Judgment in 2020 FC 616

Review Backgrounder

This is a report about the manner in which the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and prepares and executes the warrants it needs to collect information. This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.”

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to meet easily their legal obligations, including to the Federal Court.

NSIRA also found a failure at CSIS to professionalize fully and sustainably the warrant application process as a specialized trade that requires training, experience, and investment. This report also demonstrates the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA Members Marie Deschamps and Craig Forcese. One or both Members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. To conduct this review, NSIRA conducted dozens of confidential interviews with Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings. In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal-advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic, and cultural issues that contribute to inefficiencies threatening the ability of CSIS and Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that the problems stemming from governance, systemic, and cultural challenges put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges is in the urgent public interest. Though CSIS and Justice have made improvements, difficulties are still evident.

NSIRA groups its findings and recommendations into three overarching areas:

  1. Justice’s Provision of Legal Advice
  2. CSIS’s and Justice’s Management of the Warrant Acquisition Process
  3. Investment in People

In its conclusion, this report also makes comments and recommendations about the broader cultural and governance context.

Date of Publishing:

1. Executive Summary

This is a report about the manner in which the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and prepares and executes the warrants it needs to collect information. This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.”

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to meet easily their legal obligations, including to the Federal Court.

NSIRA also found a failure at CSIS to professionalize fully and sustainably the warrant application process as a specialized trade that requires training, experience, and investment. This report also demonstrates the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA Members Marie Deschamps and Craig Forcese. One or both Members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. To conduct this review, NSIRA conducted dozens of confidential interviews with Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings. In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal-advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic, and cultural issues that contribute to inefficiencies threatening the ability of CSIS and Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that the problems stemming from governance, systemic, and cultural challenges put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges is in the urgent public interest. Though CSIS and Justice have made improvements, difficulties are still evident.

NSIRA groups its findings and recommendations into three overarching areas:

  • Justice’s Provision of Legal Advice
  • CSIS’s and Justice’s Management of the Warrant Acquisition Process
  • Investment in People

In its conclusion, this report also makes comments and recommendations about the broader cultural and governance context.

CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. This review highlighted factors that prevent the National Security Litigation and Advisory Group (NSLAG) of Justice from providing CSIS with the operational advice it needs.

Justice has employed a centralized “one voice” model for delivering its legal services. The “one voice” model reflects a desire for uniform and consistent legal advice delivered on behalf of the Attorney General of Canada. Although the premise for the “one voice” approach is sound, NSIRA found that NSLAG struggled to provide timely, responsive, and useful legal advice in the CSIS context. The way Justice provides advice has often not been responsive to CSIS operations. For example, NSLAG presents its advice as a legal risk assessment using the Justice-wide Legal Risk Management grid. This grid uses a colour-coded risk rating that can be compared to a “traffic light” system: a green risk rating represents a low legal risk to CSIS, a red risk rating represents a high legal risk, and, more ambiguously, a yellow risk rating represents an intermediate legal risk. Yellow light responses are reportedly the most common and the most frustrating for CSIS, especially when unaccompanied by discussions on how to mitigate the risk, the inclusion of which NSIRA heard is not currently common practice.

In consequence, some at CSIS perceive Justice as presenting a road-block because of its bureaucracy, its perceived operational illiteracy, and its unhelpful approach to communicating legal advice.

However, the problems with timely, responsive, and useful legal advice do not stem from Justice alone. NSIRA heard that CSIS has not always shared all relevant information with Justice, prompting a degree of mistrust. The internal process for requesting legal advice at CSIS also contributes to delays and lack of relevance. The advice that sometimes comes back to operational investigators at CSIS filtered through bureaucratic hierarchies may be of limited or little relevance.

NSIRA heard that the laborious advice-seeking and -receiving process has sometimes caused [discussion of the detrimental effects on and risks to operations] CSIS and Justice often operate in a situation of legal doubt, because of lack of clarity in the law. Clarifying legal standards often requires judicial case law. However, an unwieldy warrant process, discussed below, makes that prospect more difficult.

Finding no. 1: NSIRA finds that the legal advice-seeking and giving process, and resource constraints at NSLAG contribute to considerable delays, [description of timeline]

Finding no. 2: NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.

Finding no. 3: NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and further that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.

Finding no. 4: NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to [discussion of the detrimental effects on and risks to operations] that may require legal advice. In consequence, the manner in which Justice has provided legal advice to CSIS does not always meet the needs of CSIS operations.

Finding no. 5: NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.

Justice is aware of the need for change. Broad, recent initiatives include the Vision Project, which promises client-centric strategic partnerships. New procedures have been implemented at NSLAG to address internal silos between advisory and litigation counsel, and to improve training, access to legal advice and facilitate consistent legal opinions. NSLAG also appears to recognize the desire for a different approach to providing legal advice, including moving toward legal advice that promotes collaborative and iterative engagement with CSIS to achieve its operational goals, within the bounds of the law (a “road map”-style form of advice-giving). However, it does not appear that CSIS and Justice have thus far systematically put this model into effect.

To facilitate proper advice-giving, especially in a “road map”-style model, CSIS needs to provide NSLAG with all the facts, and to engage NSLAG early on, at the operational level. Earlier and ongoing involvement throughout the stages of an investigation or operation would enable counsel to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. A more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

Finding no. 6: NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.

Finding no. 7: NSIRA finds that Justice has committed to improve its advice-giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.

Finding no. 8: NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.

In view of these findings, NSIRA recommends that:

Recommendation no. 1: Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road map”-style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:

  • Whether through an expanded “office hours” and liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
  • NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
  • To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case-manage an iterative legal guidance process.

Recommendation no. 2: NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.

Recommendation no. 3: CSIS and Justice include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.

Recommendation no. 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.

Recommendation no. 5: Justice’s advice-giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.

Management of the Warrant Process

CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. A number of legal concepts and expectations enter into the warrant process, including the “duty of candour” owed to the Court.

The Federal Court duty of candour concerns now fit into two categories: disclosure of information material to the credibility of the sources who supply information used in the application; and disclosure of information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Despite past attempts at reforms the current warrant process adopted by CSIS and supported by Justice, the warrant process has repeatedly failed to meet these candour obligations. Many reforms appear to have contributed to the bureaucratic complexity of the warrant process, without addressing candour issues.

Finding no. 9: NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.

Finding no. 10: NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.

Finding no. 11: NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.

Finding no.12: NSIRA finds that the actors involved in the warrant process do not have a common understanding of the rationale for each of the [multiple] of steps in the overarching warrant application scheme and are not always sure what role each approval step plays.

Finding no. 13: NSIRA finds that the proliferation of process in seeking warrants has created a system of diluted accountability widely regarded as slow and unwieldy, with delays caused by multiple levels of approval.

Finding no. 14: NSIRA finds that there is no regular feedback process in which explanations for warrant-related decisions made at one level filter back to other levels. The absence of feedback is especially acute for the regional investigators.

Finding no. 15: NSIRA finds that often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications. In consequence, an unwieldy warrant process makes resolution of legal doubt more difficult.

CSIS has struggled especially to ensure that all information material to the credibility of sources is properly included in warrant applications. NSIRA heard repeatedly that CSIS officers involved in the early stages of preparing warrant applications do not clearly understand the legal expectations surrounding the duty of candour. Deficient information management systems related to human sources at CSIS have also resulted in important omissions, violating duty of candour obligations. These challenges produce what NSIRA calls the “recurring omissions” problem.

Finding no. 16: NSIRA finds that CSIS has struggled to ensure that all information material to the credibility of sources is properly contained in warrant applications. This “recurring omissions” problem stems from a misunderstanding of the Federal Court’s role in assessing the credibility of sources and from the presence of multiple, siloed information management systems. NSIRA acknowledges that CSIS has undertaken reforms, but work remains to implement successfully long term sustainable solutions.

In view of these findings, NSIRA recommends that:

Recommendation no. 6: CSIS adopt, and share internally, clear criteria for the warrant prioritization process.

Recommendation no. 7: CSIS establish a new warrant process eliminating steps that do not make a significant contribution to a more accurate application. The process should assign clear lines of responsibility for the production of accurate applications. The reformed system should ensure that delays associated with managerial approvals are minimized, and that time is reallocated to those steps contributing to the preparation of the accurate applications.

Recommendation no. 8: CSIS integrate the regional stakeholders (including the implicated investigators) at every key milestone of the warrants process.

Recommendation no. 9: CSIS adopt policies and procedures governing the reformed warrant process that clearly outlines the roles and responsibilities of each participant and the objective of each step in the warrant process and that these policies be kept current as the process evolves.

Recommendation no. 10: To address the seeming inevitability of “recurring omissions”, NSIRA recommends that CSIS prioritize the development of [an improved] system for human source information management. CSIS should also continue initiatives meant to ensure that source handlers are assiduous in documenting and then reporting in source precis information going to credibility. Even with these reforms, the Affiant Unit should adopt procedures for verifying the information prepared by the regions.

In 2019, CSIS sought to professionalize affiant work by creating an Affiant Unit (AU). CSIS’s establishment of the AU is a critical development and, properly resourced and staffed, it would be well positioned to respond to long-standing problems with the duty of candour. However, when created, the AU was placed under the [Name of Branch]. [Name] has a broad mandate that does not align with the AU’s functions in preparing legally robust warrant applications. This governance anomaly may explain the AU’s present administrative and human resource challenges. The AU’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission.

Finding no. 17: NSIRA finds that the Affiant Unit (AU) constitutes a vital and laudable reform within CSIS. However, the AU is currently at risk of collapse. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. The benefits of the AU are currently in jeopardy because of governance, human resource, and training deficiencies.

Finding no. 18: NSIRA finds that the AU’s placement in the [Name] branch is not commensurate with its functions and importance. This governance anomaly most likely contributes to administrative hurdles and resource challenges faced by the AU.

Finding no. 19: NSIRA finds that without a functional AU able to produce timely and accurate warrant applications, CSIS puts at risk access to warrants and the information collected under them.

In view of these findings, NSIRA recommends that:

Recommendation no. 11: CSIS recognize the importance of the Affiant Unit by assigning affiants and analysts an employment classification congruent with their responsibilities.

Recommendation no. 12: CSIS create an Affiant Branch reporting directly to the CSIS Director.

Recommendation no. 13: CSIS urgently resource the Affiant Unit to meet its responsibilities and ensure its sustainability. In deciding the size of the AU, CSIS should assess how many warrants an affiant team might reasonably complete every year.

Recommendation no. 14: CSIS, in consultation with Justice, develop a comprehensive training course for all affiants and analysts, codifying best practices and methods for members of the AU.

Warrants counsel at NSLAG have several key roles in the warrant application process, and are intimately implicated in ensuring adherence to the duty of candour. Fostering a strong, collaborative, and productive relationship with CSIS is key. Morale among NSLAG warrants counsel may have suffered in light of the recent Federal Court decision that prompted this review. With recent staffing increases, it appears that NSLAG currently has the requisite complement to manage the number of annual warrant applications expected from CSIS, but recruitment challenges remain an ongoing issue. NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the lack of availability of warrants counsel.

Recommendation no. 15: NSIRA recommends that NSLAG be staffed by a complement of counsel and support personnel sufficient to ensure that CSIS operations are not impeded by resource limitations at NSLAG.

The warrant application process is meant to be strengthened through a review of the near-final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the National Security Group (NSG) of the Department of Justice. The role was originally envisioned as performing a rigorous challenge of the warrant application. However, the primary role of the IC appears to be more clerical than substantive, designed to cite check rather than assertively perform a “devil’s advocate” function.

NSIRA believes that the presence of a rigorous challenge function performed by a knowledgeable, adequately-supported lawyer distant from the warrant application is valuable and necessary. However, NSIRA proposes that the current IC model be abandoned in favour of a challenge function performed at Public Safety Canada, whose precise role is that of oversight of the CSIS warrant application process.

Working with the Public Safety unit charged with warrant review, an experienced and specialized warrant counsel could perform a genuine challenge role to the warrant, analogous to the role a defence lawyer would play were warrants subject to an adversarial process. NSIRA believes that a testing review of this sort will help forestall duty of candour shortcomings stemming from a failure to disclose fully information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Finding no. 20: NSIRA finds that the “Independent Counsel” (IC) role as performed by NSG counsel falls short of creating a rigorous challenge function.

In view of this finding, NSIRA recommends that:

Recommendation no. 16: the function of the Independent Counsel as performed by NSG counsel at the Department of Justice be eliminated, in favour of a new challenge function, analogous to the role a defence lawyer would play were warrants subject to an adversarial process, situated at Public Safety and supported by the Public Safety vetting team, and performed by a knowledgeable lawyer from the Public Prosecution Service of Canada, the private sector, or elsewhere, who is independent from Justice management and not otherwise involved in CSIS warrant applications.

Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the warrant. However, the CSIS regional warrants coordinators have not received sufficient training to enable the contents of warrants to be translated into advice on proper execution.

Finding no. 21: NSIRA finds that the CSIS regional warrants coordinators have not received sufficient training enabling them to translate the contents of the warrants into advice on proper warrant execution.

In view of this finding, NSIRA recommends that:

 Recommendation no. 17: CSIS regional warrants coordinator positions receive adequate training, and that CSIS professionalize the position and enable warrant coordinators to more effectively translate the content of warrants into advice on warrant execution.

Investment in People

Concern about inadequate training at CSIS was a recurring theme in this review. This concern was noted in internal CSIS documents. CSIS acknowledges that it is currently not a learning organization and does not have a learning culture. There are too few training opportunities required to sustain a modern professional intelligence service operating in a complex environment.

Finding no. 22: NSIRA finds that CSIS lacks long-term training programs for Intelligence Officers.

Finding no. 23: NSIRA finds that CSIS has failed to provide systematic training programs for “non-Intelligence Officers”.

Finding no. 24: NSIRA finds that the CSIS’s Learning and Development Branch has not been sufficiently resourced to develop and administer comprehensive training programs, especially in specialized areas not covered by the training offered for Intelligence Officers early in their career.

In view of these findings, NSIRA recommends that:

Recommendation no. 18: CSIS adequately resource and regularly deliver evergreen scenario-based training programs for all CSIS employees, including;

  • annual, comprehensive, warrant training for all operational employees;
  • specialized onboarding training for all employees not part of the Intelligence Officer program; and
  • continued long-term training for all specialized personnel.

Conclusions

This report concludes with observations on cross-cutting cultural and governance challenges that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and, performing the mission.

Low morale at CSIS was a common theme throughout this review. The systemic problems in the warrant application process are likely one cause of this problem: morale is affected when a warrant acquisition system repeatedly prevents CSIS officers from performing their mandated duties, and is the source of regular reputational crises stemming from failures to meet the duty of candour.

Meanwhile, a failure to correct problems with the warrant process impairs CSIS and Justice’s abilities to fulfill their mandates. Justice must go from being perceived as a roadblock, to a frank and forthright advisor fully attuned to operational objectives.

Within CSIS, the warrant application process was sometimes likened to winning a lottery – not because the Federal Court declines to issue warrants, but because of the resources required to prepare and complete the application. The current, laborious warrant application process is preventing some collection activities from moving forward.

In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated cultural and governance patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process.

Cherry-picked or paper-based reforms that mask without addressing the overarching systemic, cultural, and governance challenges will suffer the fate of prior reforms: the problems will continue.

Finding no. 25: NSIRA finds that CSIS and Justice are at risk of not being able to fulfill their respective mandates. No one reform is likely to succeed unless each is pursued as part of a coherent package. No package will succeed unless backed by prioritization at senior levels, and the stable provision of resources, including people with the means and institutional knowledge to see reforms through, and no reform initiative will succeed unless accompanied by clear performance indicators, measured and analyzed regularly to track progress.

In view of NSIRA’s findings above, and of prior unsuccessful reforms, NSIRA recommends that:

Recommendation no. 19: The recommendations within this review be treated as a coherent package and that progress and outcomes in implementing these recommendations be tracked, allowing management, the Ministers of Public Safety and of Justice, and NSIRA, to assess the efficacy of reforms and course-correct if necessary.

NSIRA intends to launch a follow-up review within two years that will measure progress at CSIS, Justice and Public Safety in resolving the systemic problem with the warrants process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court.

In recognition of the fact that this report was initiated following a recommendation of the Federal Court, NSIRA in turn recommends that:                                                             

(U) Recommendation no. 20: The full classified version of this report be shared with the designated judges of the Federal Court.

2. Authorities

(U) This review was conducted under the authority of paragraphs 8(1)(a), (b) and (c) of the NSIRA Act.

3. Introduction

(U) This review deals with how the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and obtains and executes warrants it needs to collect intelligence. In their current forms, these processes suffer from severe flaws due to systemic, governance and cultural issues. In this review, NSIRA found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to easily meet their legal obligations – towards the Federal Court in particular. NSIRA also found a failure to professionalize fully and sustainably the warrant process as a specialized trade that requires training, experience, and investment.

(U) This is not the first report on issues related to the warrant process. Since CSIS’s creation in the 1980s, there have been several independent and internal reviews of various aspects of this topic, which are described in Annex A. Many of the findings made in this review echo those made in earlier assessments. In response to these reviews, CSIS has planned many reforms, initiated some, but persisted with only a subset. Though CSIS (and Justice) have made improvements, difficulties are still obvious. The failure to effect sustainable solutions following the multiplicity of reviews and duty of candour breaches is indicative of organizational struggles with deep rooted cultural issues that risk the execution of their With each incomplete reform, CSIS faces change fatigue that makes future course corrections more difficult. Yet the stakes are considerable.

(U) This report demonstrates the need to transform the relationship between CSIS and its legal counsel. It also points to the urgency of CSIS succeeding in fully professionalizing the warrant process, a prospect that appears to be in jeopardy. When implemented, the changes that are recommended will help to reestablish the Federal Court’s trust in the warrant process. At the same time, legal support is not – and should not – be limited to the warrant process. As such, the review could not be restricted to the warrant process. It recommends reforms in the manner in which Justice gives legal advice to CSIS.

(U) The Federal Court’s “judicial control” in overseeing the issuance of warrants is a key accountability safeguard in a country governed by the rule of law and attentive to rights and liberties. The warrants the Court issues, meanwhile, are the lifeblood of CSIS’s functions as an intelligence agency – especially in an era where face to face interaction increasingly tends to be replaced by electronic communication.

(U) NSIRA heard repeated concerns from interviewees that the systemic problems rooted in governance and cultural issues risk creating an intelligence service incapable of meeting its intelligence mandate. These problems could also afflict other CSIS mandates potentially subject to judicial control, such as certain threat reduction measures. Urgently addressing challenges is therefore in the public interest. This review aims to recognize and encourage recent progress, while in some areas recommending new, essential reforms.

(U) This report first sets out the background to this review; the methodology NSIRA adopted for it; and the institutional and legal environment in which CSIS and Justice operate. The report then describes issues arising from Justice’s provision of legal advice to CSIS and the manner in which CSIS and Justice construct a warrant application, ultimately presented to the Federal Court, and if granted, executed by CSIS. It also examines the question of training and skills- development, a recurring issue in this review. In each area, this report notes shortcomings, while recommending reforms. The report ends with an examination of cross-cutting cultural and governance issues that are reflected in the warrant process, and which make change difficult.

(U) As the recommendations address the systemic, governance and cultural issues that are interrelated, a selective approach to their implementation will likely lead to the same outcome previous reviews have: repetition of the same problems, change fatigue and morale issues. The time has come for CSIS and Justice to face the harsh reality of potential failure to fulfill their mandates if they do not succeed with concrete governance, cultural and process change.

A. Review Background

(U) This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.” As a matter of law, before issuing such a warrant, the judge must believe on reasonable grounds that statutory pre-requisites are met and that the court should allow the invasive CSIS, assisted by Department of Justice lawyers, must fully apprise the judge of all information material to this decision. Thus, the state must disclose to the judge, not just information supporting its application, but also information that weakens its case. The duty reflects the fact that a warrant proceeding is by necessity conducted in the absence of the proposed subject of the warrant, known as the “target”, and closed to the public so the target is not alerted to the state’s activities. The “duty of candour” in such proceedings aims to compensate for the absence of a party opposed to the state, by obliging the state to be especially frank and forthcoming about the merits of its application.

(U) At issue in 2020 FC 616 was whether CSIS should have told the Court about issues regarding the legality of CSIS human source activities that yielded information used in support of warrant applications. Some of these human source activities may have constituted terrorism offences in Canadian This was not the first instance of duty of candour problems – indeed, such problems have been a recurring feature of CSIS’s warrant practice. Because CSIS has repeatedly struggled with the duty of candour in its warrant applications, the Federal Court in 2020 FC 616 recommended an external review of both Justice and CSIS.

(U) In response, on June 23, 2020, the Minister of Justice and the Minister of Public Safety and Emergency Preparedness jointly referred the matter to NSIRA under paragraph 8(1)(c) of the NSIRA Act. NSIRA also chose to exercise its own independent jurisdiction under paragraph 8(1)(a)(b) to initiate this review.

(U) While the Federal Court of Appeal subsequently allowed the government’s appeal of the decision in 2020 FC 616, its holdings did not disturb – and indeed, reaffirmed — the lower court’s core preoccupation with the duty of candour.

B. Methodology

(U) NSIRA conducted this review during a pandemic that frequently impaired access to its facilities housing classified This reality presented challenges and inevitable delays for both NSIRA and the reviewed departments.

(U) NSIRA made this a “Member-led review”. Specifically, one or both of the two assigned NSIRA members (Marie Deschamps and Craig Forcese) managed the review process, reviewed the documents, participated in most of the CSIS and Justice briefings (and reviewed the transcripts of others), conducted most of the confidential interviews, and led the writing of this report. A specialized team at NSIRA participated in every aspect of the work.

(U) NSIRA drafted broad Terms of Reference to govern this review, with a heavy focus on the CSIS warrant application process and the manner by which Justice conveys legal advice to CSIS. As the review evolved, it became clear that the problems with the CSIS warrant process are more properly a symptom of broader systemic, governance and cultural issues at both CSIS and Justice, including Justice’s specialized legal services unit supporting CSIS, the National Security Litigation and Advisory Group (NSLAG). NSIRA therefore examined not only the operational provision of legal advice and the warrant process, but also information management, the use of technology, and related training programs. While the Terms of Reference indicate that the review covers the period of January 1, 2015 to September 30, 2020, NSIRA took into consideration information outside this period in order to fully understand the issues at play.

(U) This report does not revisit the specific circumstances of 2020 FC 616, nor does it conduct a forensic accounting of the events leading to it. From time to time, the report makes observations related to that case in order to contextualize findings. However, this review was intentionally forward-looking, reflecting the fact that CSIS and Justice have introduced (or proposed) reforms since the 2020 decision.

U) In conducting this review, NSIRA relied on both its regular process and confidential interviews. Under its regular protocols, it issued a number of requests for information, reviewed the documents provided, and received briefings from CSIS and Justice. In the case of CSIS, NSIRA also used its direct access to CSIS systems to retrieve information independently. Among other things, NSIRA examined the complete record of a recently filed complex warrant application. Most briefings involved CSIS and Justice managers describing their policies, governance structures, and practices. NSIRA heard about a number of initiatives – some that are planned, others underway or partially implemented, and still others abandoned.

(U) To supplement these briefings, NSIRA adopted an innovative approach to this review by also conducting dozens of confidential interviews with former and current management and staff at all levels from CSIS and Justice. These interviews were conducted in the absence of CSIS or Justice supervisors and without their knowledge. NSIRA conducted these interviews under a strict guarantee that it would protect the identities of those who participated. At the outset, the NSIRA Members leading the review met with both the Director of CSIS and the Deputy Minister of Justice. Following the meeting, both officials encouraged members of their management and staff to participate in confidential, in-person interviews with NSIRA. NSIRA thanks both leaders for their explicit support, including through their internal communications with their employees. NSIRA especially thanks all the individual employees who then participated in these confidential interviews and trusted NSIRA’s promise of anonymity.

(U) In some instances, NSIRA selected individuals to ensure it had full coverage of the warrant process and invited them to participate in a confidential Other interviewees contacted NSIRA and offered to participate. Some interviewees occupied operational positions at CSIS, while others worked on legal and policy matters. Some interviewees had daily exposure to the warrant process, while others had had more episodic exposure to the process. Since NSIRA conducted these interviews with the understanding it would protect the identities of interviewees, NSIRA has drafted this report carefully to honour this undertaking and has not identified interviewees by name or by position revealing their identity.

(U) The individuals who participated in confidential interviews with NSIRA were frank, professional, insightful about their experiences, and open. Interviewees did not come to voice personal grievances, nor were they inclined to defend past practices as ideal. Rather, the interviewees displayed a genuine commitment to their organizations’ mandates and a sincere desire to see positive, lasting change. Where they expressed dissatisfaction, it stemmed from earnestly (and often deeply held) concerns that their organization was falling short of meeting its mandate, and that the warrant process reflected certain organizational shortcomings. These interviews were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal They also raised issues and perspectives that would otherwise have been unavailable to NSIRA.

(U) NSIRA also consulted external experts on national security, organizational development, and human resources. These conversations contributed to NSIRA’s understanding of the systemic, governance, and cultural issues that often develop in organizations. NSIRA conducted a small number of discussions with foreign counterparts who have dealt with similar issues in the past. In addition, NSIRA consulted with experts who had been, in the past, involved in reviewing similar issues relating to NSIRA is grateful to these experts for their generosity in contributing to this review. All of NSIRA’s discussions with stakeholders external to the Canadian government took place at the unclassified level.

(U) Finally, as part of its standard protocol, NSIRA presented the draft report to both CSIS and Justice for factual accuracy verification. This part of the process provides reviewees with the opportunity to signal factual omissions or errors, if any. At the end of the factual accuracy verification period, the members met with the Deputy Minister of Public Safety and again with the Director of CSIS and the Deputy Minister of Justice. NSIRA thanks them for their time and

When examining the insights of its interviewees and throughout the finalization of this report, NSIRA was alive to the particular challenge of disaggregating legacy issues from contemporary concerns. During briefings and in comments received on the draft report, the departments noted projects, initiatives and reforms either being planned, scheduled for execution, or underway. NSIRA acknowledges the initiatives upon which it was briefed. However, this report focused on ascertaining the existing challenges with the provision of legal advice and the warrants process. NSIRA did not discount existing issues and challenges simply on account of promised (but not yet fully achieved) administrative reforms. NSIRA is confident that the issues described in this report persist as of the second half of 2021. As described at the end of this report, NSIRA intends to undertake a further review in two years’ time to assess progress in implementing the report’s recommendations. At that time, NSIRA will have an opportunity to assess whether any reform initiatives have been successful.

(U) Confidence Caveat: Some of the documents provided by the reviewed institutions have not been independently verified by NSIRA. However, to a large extent, NSIRA was able to verify much of the information relied upon in this review through NSIRA’s own confidential interviews. In addition to this direct access to staff, NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and to pursue necessary additional For that reason, NSIRA has a high level of confidence in the information on which it relied to complete this review.

C. Institutional Environment

1. Systemic, Governance and Cultural Issues

(U) In this review, NSIRA makes recommendations on systemic, governance, and cultural issues that contribute to inefficiencies and may threaten the ability of CSIS and Justice to fulfil their mandates.

(U) NSIRA defines “systemic” issues as ones affecting an organization as a whole, in the sense that they are not the consequence of a specific individual or isolated factor. “Governance” refers to the rules, practices and processes by which managers direct and control an organization. Governance addresses three key questions: how are decisions made; who makes the decisions; and who is accountable. Organizational “culture” is the way in which, over time, the members of an organization learn to work in a particular setting by developing a set of shared understandings. These understandings may be based not only on formal policies but also on assumptions and practices that members develop in response to the implicit rules and influences governing their organization.

(U) These three concepts operate together and are interconnected. For example, inadequate governance may be the source of deficiencies in training programs that may prompt increased requests for legal support, which in turn create resource management issues, delays in providing advice, and operational hurdles. These operational challenges may give rise to systemic issues, while imperfect workarounds to these problems may eventually become embedded as cultural practices.

(U) Systemic issues tied to governance and cultural issues may impede CSIS and Justice from fulfilling their mandates, while also meeting their obligation to adhere to the rule of law. In this last respect, Canada is a “rule of law” country. Among other things, the “rule of law” means that the state is subject to, and not above, the law. It only has the powers conferred upon it by law, and any exercise of state power must be traced to a law. Indeed, as discussed next, both CSIS and Justice operate in a highly legalized environment.

(U) The next section will briefly describe the basic legislative and operational framework of both CSIS and Justice.

a) CSIS

(U) The CSIS Act is the statute of Parliament that created CSIS, and confers upon CSIS certain powers to discharge its mandates. The key mandates implicated in this review are security intelligence (or “section 12 investigations”) and foreign intelligence (or “section 16 investigations”). Both of these types of investigations have their own distinct pre-requisites – not least, the conditions that CSIS must meet before it undertakes an investigation and then applies for a warrant under section 21.

(U) CSIS is one of several security organizations found within the portfolio of the Minister of Public Safety and Emergency Preparedness (Minister of Public Safety). CSIS is accountable to this minister, and this minister is in turn responsible to Parliament for CSIS.

(U) The manner in which CSIS discharges its mandates is governed by the CSIS Act and Ministerial Directions issued by the Minister of Public Safety. For instance, in 2015 and 2019, the Minister issued Ministerial Directions addressing issues of accountability. The 2015 Ministerial Direction (2015 MD) for Operations and Accountability states the fundamental principles that guide all of CSIS’s The 2015 MD is premised on the expectation that “the service will perform its duties and functions with due regard for the rule of law…”

(U) Other laws are pertinent to CSIS. Especially relevant for this review are Part VI of the Criminal Code of Canada, which governs the interception of private communications, and section 8 of the Canadian Charter of Rights and Freedoms, which protects the reasonable expectation of privacy against state searches and seizures. CSIS must acquire judicial warrants from the Federal Court before it embarks on investigative techniques that would otherwise violate these laws.

(U) Under the CSIS Act, CSIS is led by a Director who holds the status of deputy head of the organization. The Director performs the leadership function assisted by a team of executives responsible for specific business lines within CSIS, including the Deputy Director Operations (DDO). The DDO is responsible for CSIS’s operations across all active investigations. The CSIS management structure also includes an Assistant Director Legal (ADL), a position occupied by the NSLAG’ Executive Director (discussed below).

(U) CSIS converts legal requirements into administrative processes through Critically, it has struggled to do so. The CSIS operational policy suite has been incomplete and out-of- date for a number of years, a finding noted repeatedly by both NSIRA’s predecessor, SIRC, and by NSIRA. This issue was again pervasive in the course of this review, making it difficult to precisely describe the formal operational policy environment applicable to the warrant acquisition process throughout the period covered by this review. The consequences of this shortcoming are considerable. Policies are the building blocks of any organization. They guidethe conduct of its members from the bottom up to the senior leadership. Without clear policies, employees are likely to devise their own interpretations of how to act and of the limits of their powers, causing confusion and making legal compliance difficult.

b) Justice and NSLAG

(U) The Department of Justice provides legal services to departments and agencies on a broad range of issues across the federal Its mandate is to support the dual roles of the Minister of Justice and the Attorney General of Canada (AG).

(U) The Minister of Justice, as the official legal advisor to Cabinet, is responsible for the general management and direction of the department, and for ensuring that the administration of public affairs is in accordance with the The Minister is responsible for matters related to the federal administration of justice. The Minister exercises political judgment, except when providing legal advice, which must be independent and non-partisan.

(U) The Minister is also ex officio the AG, also referred to as the Chief Law Officer of Canada. The role of the AG is to provide legal advice and legislative services to government departments and agencies, and to conduct litigation on behalf of the government. Importantly, the AG represents the Crown and not individual departments or agencies, and therefore seeks to protect whole-of-government interests. Although departments generally act as the instructing clients, it is the Attorney General’s responsibility to facilitate, with these departments, adherence to the rule of law.

(U) The Deputy Minister (DM) of Justice, who is also the Deputy Attorney General of Canada, manages the work and operations of the department as its most senior public servant. The DM is supported by an Associate Deputy Minister who is entrusted to lead some of Justice’s specialized portfolios. This includes the Public Safety, Defence and Immigration (PSDI) Portfolio which is led by an Assistant Deputy Minister reporting directly to the Associate Deputy Minister.

(U) Justice delivers legal services to federal departments and agencies through a mix of three models, all of which apply to CSIS: (1) specialized centers of expertise, within the department; (2) a network of regional offices located across the country; and (3) dedicated legal service units (LSUs) that are physically located with the departments they advise.

(U) LSU counsel provide day-to-day advice on all issues. LSU counsel may consult or collaborate with counsel from the specialized branches, or at other LSUs as needed. Although co-located with client departments, LSU counsel are Justice employees, and in keeping with the status of the Attorney General, must remain independent from the client.

(U) The National Security Litigation and Advisory Group (NSLAG) is the LSU that supports and advises CSIS. It is located at CSIS headquarters and is part of the PSDI Portfolio. With approximately 50 counsel positions, NSLAG is led by an Executive Director and Senior General Counsel who reports directly to the Assistant DM of PSDI. The two meet every two weeks to discuss NSLAG’s work. The ADM, in turn, must report any matters of concern to the Associate DM.

(U) As mentioned previously, NSLAG’s Executive Director also occupies the position of ADL within the CSIS executive structure, reporting to the Director. Justice described this reporting relationship as functional only. In the ADL role, the head of NSLAG has confidential, bilateral meetings with the CSIS Director, to provide briefings on legal files and discuss issues that arise. This functional reporting relationship to the client co-exists with the formal reporting relationship within While at first glance this functional reporting role might seem to pose a challenge in terms of maintaining full independence from the client, Justice asserts that this structure is not unique to CSIS and does not create concerns regarding client capture.

(U) NSLAG provides both advisory and litigation services to CSIS on its security and intelligence Its advisory work involves matters related to the duties and functions of CSIS, including questions of legal authority, and advice related to the Charter, threat reduction measures, and the application of other legislation to CSIS operations. NSLAG’s litigation work consists mainly of representing CSIS in applications for warrants before the Federal Court and related matters, and representing both CSIS and other government departments and agencies in complaints investigations before NSIRA.

(U) CSIS also receives legal services from the National Security Group (NSG), a specialized legal branch located at Justice’s headquarters. As part of the AG’s National Litigation Sector, NSG leads the litigation of claims related to national security privilege under section 38 of the Canada Evidence Act. Its counsel are security cleared at the Top Secret level. NSG counsel also play a role in the CSIS warrant application process – namely, to conduct an “independent challenge” exercise as part of the internal approval process for warrant NSG’s role as Independent Counsel (IC) in the CSIS warrant application process is discussed in section 4e below.

(U) While the basic legislative and operational framework may seem simple, a closer analysis sheds light on many ongoing issues.

4. Analysis

(U) This review revealed governance and cultural challenges in both CSIS and Justice that contribute to systemic issues in the warrant process, including with respect to the duty of candour. NSIRA’s findings fall within three overarching areas:

  • Justice’s provision of legal advice;
  • CSIS and Justice’s management of the warrant acquisition process; and
  • Investment in people in terms of training.

The report concludes with comments on systemic, governance and cultural issues.

(U) In order to meet its obligations with regard to the rule of law, CSIS must know what the law is. An unwieldy, tardy or indefinite means of ascertaining the lawfulness of activities jeopardizes CSIS’s ability to fulfill its mandate while adhering to the rule of law. This review considered, therefore, the fashion in which Justice (and specifically, NSLAG) provides legal advice to CSIS in performing its mandated activities, and how it has organized itself to do so. NSIRA noted three specific issues: the bureaucratic manner of obtaining advice; its timeliness; and the usefulness of this advice to CSIS in meeting its mandate.

1. Giving Advice to CSIS

(U) CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. To meet these objectives, Justice has adopted “operating principles”, including a centralized “one-voice” model for delivering legal In this model, Justice counsel are described as speaking “with one voice”, reflecting a desire for uniform and consistent legal advice delivered on behalf of the AG. To this end, Justice seeks consistency in the legal advice provided and the legal positions taken across Justice, to ensure a “whole-of-government” approach. Its advice does not simply reflect the opinion of the assigned legal counsel. Rather, the advice provided has “all of Justice behind [it]”.

(U) The one voice approach responds to a prior era in which many federal government departments hired their own lawyers to provide them with legal These lawyers were not part of Justice. When difficult, cross-governmental legal issues arose, counsel representing the various ministries did not always agree, which would then place the AG in a difficult position in Cabinet. A decision was made to bring all such departmental lawyers together in a common legal service operating under the Justice umbrella.

(U) In support of its one voice approach, Justice now employs a number of tools, including:

  • establishing centers of expertise within Justice to provide consistent, “government-wide” advice, primarily to Legal Services Units, in key areas of public law, such as constitutional law, human rights law, and information and privacy law;
  • maintaining a legal knowledge portal called “Justipedia” to serve as a single, national, searchable repository for all legal opinions from Justice’s services;
  • fostering discussion of legal issues at various committees, such as the national and regional litigation committees and other ad hoc committees;
  • convening working groups to determine legal positions;
  • creating practice groups to exchange and share relevant knowledge; and,
  • applying a common legal risk management (LRM) framework when providing advice to client departments and agencies.

(U) While the premise for the one voice approach is sound, this review has noted some disadvantages in the current implementation of the model in the CSIS context. Importantly, because of the bureaucratic process required to complete a legal opinion, obtaining legal advice can be burdensome, inefficient, and a source of undue delay. Hierarchies in both CSIS and Justice have impeded fluid collaboration between Justice counsel and their CSIS client by limiting counsel’s ability to deliver advice rapidly. The pace of legal advice-receiving from Justice is slower than a CSIS intelligence operation, which leads to the advice not being delivered in a timely manner and in CSIS being [discussion of how collection activities are affected]

(U) In addition to the challenges of timeliness associated with bureaucratic hierarchies, there are also communication challenges associated with the different knowledge base involved in legal analysis versus operational expertise. NSIRA noted several critiques. Interviewees urged that Justice counsel would benefit from a greater understanding of CSIS’s operations. It was suggested that new or junior lawyers could participate in key operational training sessions to gain a better understanding of the CSIS Some discussed current initiatives to cultivate greater understanding between Justice and CSIS, voicing skepticism about their success. For instance, Justice was said to pitch its “lunch and learn” sessions with CSIS at the wrong level, and is too esoteric and theoretical when discussing, for example, section 8 of the Charter. Legal training of CSIS employees conducted by inexperienced counsel was also identified as a problem.

(S/C) These complaints are consistent with a 2018 client feedback survey on CSIS legal advisory That survey measured four dimensions of its service in comparison to those of the overall PSDI Portfolio. The survey found the overall quality of legal advisory services fell slightly below the departmental target, landing in the “moderate” category, with similar ratings from CSIS on the overall accessibility and responsiveness, as well as usefulness of its legal services. The survey results demonstrated satisfaction with legal risk management, which met the target standard. On the issue of timeliness, however, Justice scored poorly. Justice concluded that the survey indicated that CSIS users were, by and large, somewhat unsatisfied with the services provided and that there was room for improvement. Some comments from CSIS consistent with those frequently echoed in the interviews conducted by NSIRA included:

  • “I don’t get the impression that DOJ lawyers working within my organization actually comprehend what we do.”
  • “Responses take too long. Has impact on our operational abilities.”[discussion of how collected activities are affected]
  • “Justice staff were adept at pointing out…legal risks associated with initiatives, but were not adept at providing practical advice to mitigate risk (other than recommending cessation of the initiative)”
  • “There seems to be a lack of coordination.”

(U) The following sections describe more detailed and pointed CSIS preoccupations with the manner by which its officials seek advice from Justice and about the nature of the resulting advice.

a) Obtaining Advice

(U) Barriers to accessing legal advice were a common theme of interviews. CSIS must formally frame its questions as clearly as possible, to avoid “half-baked” inquiries. However, rather than a collaborative process between counsel and CSIS, the conventional advice- seeking system is a formalized, bureaucratic process. Formal advice requests generally appear to be funneled from CSIS investigators and related personnel in the regional offices through their hierarchies, sometimes (but not usually) up to headquarters, and then from there to Justice counsel.

(U) This process, and resource constraints at Justice, contribute to considerable delays, [description on timeline]. Apart from prioritized, urgent requests for legal advice, it can take [timeline] to receive legal advice. In situations involving novel or complex issues, advice may take [timeline].

(U) Once prepared, advice then filters back through the same hierarchy, sometimes never reaching the investigators in its full form. Some interviewees reported concerns about “broken telephones” in which advice requests morphed in their travels through the hierarchy without an iterative process between counsel and the investigators seeking the advice, resulting in legal advice of limited relevance.

(U) Since this conventional process implicates both CSIS and Justice, it can be difficult to ascertain how much of this reported delay stems from Justice’s advice-giving mechanics and how much from CSIS’s own internal bureaucracy. Moreover, statements by interviewees estimating delay in receiving advice are hard to corroborate since NSLAG does not track the time it takes to provide its advice. The absence of such data at Justice raises a separate issue of whether it is in a position to measure progress and improvements stemming from any reform initiative.

 (U) Regardless of precise cause, the lack of clear timely advice has reportedly had considerable impact on CSIS operations. With an increase in electronic communication and information, the need for timely, clear advice on investigative methods has become pivotal. The operational impact is notable: interviewees repeatedly described an [discussion of detrimental effects on operations] that may require legal advice. Managers have reportedly sometimes advised staff to seek alternative solutions where a matter may require legal advice [discussion of detrimental effects on operations]

(U) Clearly, the conventional legal advice process does not adequately support CSIS operations, both in terms of timeliness and relevance.

 (U) In addition to timeliness and relevance, NSIRA heard regular and often related concerns about the nature of the legal advice supplied by NSLAG to CSIS. NSIRA interviewees repeatedly described legal opinions pitched at an esoteric and legalistic level, without sufficient attention to the audience that needs to understand and act on them.

 (U) NSLAG has typically presented its advice as a legal risk assessment, in which NSLAG opines on the risk associated with a specific activity, in accordance with the Justice Legal Risk Management (LRM) Framework, described further below. The style of the resulting advice can be compared to a “traffic light” system, where an activity represents a low legal risk to CSIS (green light); a high legal risk (red light); or, more ambiguously, an intermediate legal risk (yellow light). Yellow light-style responses were reportedly the most common and the most frustrating to consumers of the advice, especially when unaccompanied with discussions of how risk could be mitigated.

(U) In this last respect, CSIS interviewees often described NSLAG opinions as not making efforts to propose alternative and legally sustainable means of arriving at the intended objective. That is, NSLAG reportedly does not always understand CSIS’s objectives, and then provide advice designed to guide CSIS on how it might lawfully meet that objective (if possible). Several CSIS interviewees emphasized the potential value of having Justice assist them by providing advice in the form of a “road map” to how an operation might reach its objective lawfully. They stressed, however, that this road map-style form of advice was not a regular part of the NSLAG advice-giving approach or practice culture. That said, NSIRA also heard that there may now be the beginnings of a shift from the conventional advice-giving approach, as discussed below. Because of the importance NSIRA places on it, this report returns repeatedly to the concept of road map-style advice.

(S) NSIRA heard that in instances where CSIS managers received advice indicating a medium level of risk (yellow light), they often [description within CSIS of an unwillingness to accept risk]. In other instances, managers expressed discomfort with assuming the risk and reportedly forwarded the decision up the hierarchy to diffuse responsibility. Operationally, such delays in decision-making often have detrimental effects on investigations.

(U) As a result, some at CSIS perceive Justice as presenting a road-block. This is not because Justice provides principled and clear positions reflecting the primacy of the rule of law over ill-advised operations, but rather as a result of the bureaucracy at Justice, its perceived operational illiteracy, and its unhelpful approach to communicating legal advice.

(U) There is, however, another dimension to these issues. Justice, and NSLAG especially, face challenges in giving advice to CSIS. Justice is not directly analogous to a private sector law It must perform a public law function tied to the roles of the Minister of Justice and the AG. In giving its legal advice, Justice must be especially attentive to the rule of law and the AG’s role in defending it.

(U) When interacting with its clients, Justice acts merely as an advisor and sees it as its client’s responsibility to make the ultimate decision, informed by the advice given. A factor that may explain Justice’s resistance to go beyond pure legal analysis is that Justice is necessarily wary of a reported tendency by CSIS to recast legal questions in an effort to get different answers. CSIS, it was said, sometimes resists the law as it is, hoping that the law will be what it wants it to be.

(U) Additionally, NSIRA heard that CSIS has not always shared all relevant information with Justice, prompting a degree of mistrust. NSIRA heard of instances in which CSIS provided Justice with partial information, but did not convey the full NSLAG has informed CSIS that to provide the most meaningful legal advice and to better support its operations, counsel need to have “all the facts”, and to be engaged “sooner and deeper”. NSLAG conveyed that earlier and ongoing involvement throughout the stages of an investigation or operation, with participation in CSIS meetings and discussions along the way, would enable counsel to gather facts more naturally, and permit a more nuanced understanding. If there is uncertainty as to the client’s true goals and current situation, it is understandable that Justice lawyers are sometimes reluctant to provide a road map.

(U) The provision of advice on highly classified matters also presents logistical challenges. NSLAG lawyers operate in an environment that may impede easy interaction with other components of Justice, including in the specialized practice groups, where top secret security clearance holders are few and information management systems are not approved for classified information storage. Further, Justice is not well structured to address the range of matters arising in national security, and other units may produce advice that is too late, or unhelpful. Specialized units struggle where they are excluded from relevant classified information, and have sometimes been consulted by NSLAG too late in the advice process. The process by which differences of opinion between these specialized groups and NSLAG are reconciled would appear not to be fully formalized. There are some joint committees, and strong disagreement on a high profile matter could be advanced to the deputy minister. It is unclear how much these processes are leveraged to overcome the identified challenges.

(U) Internal silos at NSLAG between the advisory and litigation wings also play a role. These internal silos were reportedly a contributing factor in the confusion and uncertainty surrounding the omission of information in the warrants in 2020 FC 616. Many of the unlawful activities at issue in that case involved sources and operations for which legal advice had been previously discussed within NSLAG in the advisory branch, where relevant opinions on matters such as crown immunity had been produced. However, warrants counsel reportedly were not always aware of this The breakdown of internal silos is thus essential for the avoidance of such sequences of events in the future.

 (U) Moreover, CSIS’s activities are sufficiently unique and unusual to impose a steep learning curve on counsel. This learning curve manifests itself in several ways. First, NSLAG lawyers must become familiar with the unique and classified CSIS operational environment, something that some interviewees on the CSIS side suggested counsel needed to better understand. Second, novel questions may require careful and collective consideration, ensuring that Justice “speaks with one voice” but also slowing the process of delivering advice.

(U) Finally, Justice cannot easily overcome the inherent uncertainty of some legal issues, and Justice lawyers may often be obliged to voice legal doubt; that is, the unhelpful “yellow light” concept. Legal doubt is anathema in a rule of law system – it is difficult to ask an organization to comply with a law when that law is unknown. The law in national security can be especially unsettled. The sometimes imprecise statutory law applicable to CSIS is rarely subject to judicial interpretation, creating considerable uncertainties. Meanwhile, case law on section 8 of the Charter mostly arises in the criminal law context, and Justice counsel are left to extrapolate from these decisions to the related, but still distinct world of CSIS operations. Often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications.

(U) In sum, national security law is a highly specialized and constantly developing area. Nonetheless, CSIS needs efficient advice, a need that goes to the heart of both CSIS and Justice’s mandates.

2.    Reform Initiatives

This section addresses recent reform initiatives in the delivery of legal services at Justice.

a) NSLAG’s Recent Internal Protocols

(U) Justice told NSIRA that it is aware of the need for change in the organizational culture at NSLAG.A new NSLAG Executive Director took office in January 2020 and, since then, has reportedly participated in senior-level discussions with CSIS on cultural change management. NSLAG noted some resistance to change management within its organization, but reported a generally healthy appetite for change, including with an aim of addressing concerns about information silos.

(U) NSLAG has implemented several new internal procedures addressing internal silos by facilitating awareness among litigation counsel on emerging legal issues on the advisory side (and presumably vice versa). NSLAG has developed its own classified version of Justipedia to assist with knowledge management, with the aim of ensuring consistent legal opinions. NSLAG holds weekly practice group meetings in which participants provide “roundtable” updates on their work. If a practice group is unable to sort out a legal issue, the matter may escalate through several levels of management within NSLAG, to the Executive Director. While these reforms may assist in bridging internal silos, they may not be sufficient. NSLAG must develop a process whereby there is a method to communicate with, or brief warrant counsel where advice has been provided for an operation that subsequently becomes prioritized for a warrant.

(U) Justice sometimes issues practice directions to provide guidance to counsel on certain aspects of their practice. In 2019, Justice issued two practice directions related to the duty of candour in warrant applications. The first specified that warrant applications will not rely on information derived from unlawful activity, and where unlawful activity occurs, it must be brought to the Court’s attention. The second provided guidance on information that must be disclosed to the Court, including whether the human source has engaged in illegal activities, as well as issues that inform the credibility and reliability of a source.

(S/C) On September 22, 2020, Justice issued a practice note to NSLAG counsel [Description of contents of note]

(S) Not all interviewees thought these changes would suffice to address NSLAG’s internal silos, and worried that dots would not be connected between legal advisory opinions and operational legal One suggestion was to ensure that relevant advisory opinions are [IM solution suggested]

(U) Moreover, NSLAG’s range of expertise may not suffice to identify every latent legal issue. In addition, those components of Justice with that capacity may not appreciate the nature of CSIS’s mandate and operations. Some interviewees urged NSLAG’s litigation role needs to be supplemented by working more closely with Justice’s general litigation lawyers in their counsel role,80 requiring that information silos be overcome. NSIRA notes Justice recently implemented tools specific to its national security role. These include a number of DM-level committees that address broad policy and operational matters in national security and which involve other LSUs.

(U) NSIRA observes that Justice’s capacity to anticipate new issues depends on an alert client. Interviewees described an effort to be more proactive, and to raise to the CSIS Director legal issues requiring proactive resolution.  At a minimum, it will be important for the Director to work with Justice and Public Safety Canada to anticipate emerging legal issues, and organize effective means of resolving them.

b) Renewed NSLAG and CSIS Relations

(U) NSLAG acknowledged the need “to do a better job ensuring that the client understands the legal landscape”. It recognized client frustration with the law in some circumstances, since court cases may provide direction that is sometimes confusing in real world situations, including with respect to Charter issues and a person’s reasonable expectation of privacy. Although it does conduct some training for CSIS, NSLAG says it could be doing more outreach and engagement. As part of CSIS’s Project  [Name], discussed further below, NSLAG has indicated the need for more outreach training in both directions, including CSIS providing training for NSLAG.

(U) NSLAG also appears to recognize the desire for a different approach to giving advice, including moving toward road map-style legal advice that works collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law. NSIRA heard that NSLAG regards this approach as a best practice and is committed to it, although it was not clear at the time of the review how far Justice had moved toward a generalized, road map-style form of advice-giving.

(U) It was clear, however, that Justice generally does not support a solution of “embedded” legal counsel at CSIS regional offices. Justice interviewees regarded embedding as raising risks of client capture and posing challenges for internal staffing and consistency of advice. Instead, Justice and CSIS have recently launched a pilot project in which specific counsel were designated to support CSIS throughout a specific operational ‘mission’.

 (U) Moreover, NSLAG has piloted an “office hours” practice, relying on headquarters-based counsel serving as liaison counsel for the regions. Those regional liaison counsel who currently provide support make themselves available to the regions to receive informal queries. The office hours initiative was conceived as a means of permitting CSIS personnel to put forth “trial balloons” regarding operational possibilities before possibly formulating a request for formal legal advice, which would then be put through the conventional advice request process.

(U) NSIRA also heard that a revamped approach to the giving of advice would require cultural adjustments at both CSIS and Justice. The Justice practice of vetting advice through a hierarchy may be difficult to reconcile with more timely legal involvement. Novel questions may require careful and collective consideration, ensuring that Justice “speaks with one voice” but they will need to be mindful that delay may jeopardize operation or reach a point of uselessness. As noted, short of converting CSIS officers into legal experts, regular and timely access to legal advice is essential to meeting the standards of the rule of law without stymying operations. NSIRA would also note that even formal legal advice will need be geared to the consumer, and thus should avoid legalistic discussions largely meaningless to non-lawyers.

(U) In moving toward such a system, NSLAG will need to avoid client capture in order to meet the Attorney General’s obligation to honour and advance adherence to the rule of law, while also facilitating CSIS’s operational imperatives. A dominant theme of the interviews was the challenge of reconciling the Attorney General’s obligation to maintain the rule of law with client-centered service delivery models giving clear and consistent legal advice to CSIS in the execution of its lawful mandate. Lawyers do not easily reconcile these objectives, and interviewees were of the view that clearer instruction on the role of the AG and codified standards for giving advice were advisable. Thus, NSIRA heard support for the idea that NSLAG should have advisory service standards. Such standards are especially important if, as NSIRA heard, at the more senior levels in Justice, the border between legal advice and policy advice may begin to blur. Some interviewees indicated that at this level, there can be a strong cultural desire to give the client room to maneuver.

(U) For its part, CSIS will need to become more comfortable working closely with legal advisors, and in disclosing the full range of sensitive details needed for Justice counsel to provide useful advice. Generally, CSIS interviewees seemed to welcome the office hours approach, though some noted its usefulness will be dependent on the personality and experience of the counsel, and in any case, it is not a panacea. This reaction highlighted the reservations of some CSIS officers based on past unsatisfactory interactions involving inexperienced counsel.

c) Additional Steps at NSLAG

(U) Justice faces, therefore, the ongoing challenge of giving fearless, timely, consistent and clear legal advice while at the same time developing client-centered service models, in an area (national security) that is a niche, often highly-specialized concern for the department and fraught with legal uncertainties.

(U) In assessing current initiatives in future reviews, NSIRA will be especially concerned with how Justice embraces a road map-style of advice-giving. Based on the information collected for this review, NSIRA believes that useful advice must be offered during operational planning and execution, a prospect that NSIRA expects the pilot project involving an operational mission will explore. Advice should continue as the operation is evolving in response to unforeseen legal matters requiring immediate guidance. Based on its interviews, NSIRA believes the success of this system will depend on a number of features. First, the optimal delivery of legal services must rely on Justice counsel who are sufficiently experienced and attuned to the unique CSIS operating environment. While not embedded in the regions, it seems these counsel will need to be entrusted with the ability to interact directly with CSIS operational clients at all levels, including during live operations, and give advice on routine matters without delay. These counsel will also need to be familiar with Justice’s position on recurring issues so as not to jeopardize the one voice model. To this end, NSLAG would likely benefit from developing a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.

(U) Not every legal issue will be routine. Yet, counsel participating in operational planning should be well positioned to anticipate and articulate more difficult legal issues, and then be responsible for resolving these legal questions in keeping with Justice’s one voice approach. Counsel involved in operational planning should serve as the entry to Justice for matters requiring additional internal consultation at Justice with either their NSLAG colleagues or those in centres of expertise. A counsel fully apprised of operational realities who is able to “case- manage” the provision of advice in this manner may avoid the problems of “broken telephone” and non-responsive legal advice associated with the conventional advice-giving model.

(U) Legal involvement in CSIS activities, as they are being planned and organized, should also allow Justice to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. Closer legal involvement during the early phases will minimize the need for legal opinions on operations that are late in the development cycle or that are already underway. Put another way, a more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

(U) Critically, meeting these objectives requires CSIS to invite Justice counsel to sit at the table at all stages of the lifecycle of an operation, and for Justice counsel to be fully and frankly briefed on operational objectives, intent, and details.

d) Broader Department of Justice

(U) Justice has embarked on a “transformational change” initiative, in consultation with clients, to improve how it conducts its work and supports its clients. Launched in 2018, the VISION comprises four pillars: meaningful risk assessments; client-centric strategic partnerships; recognizing and building expertise; and, simplifying the funding model. One of the key priorities includes an overhaul of the existing Legal Risk Management Framework, which Justice has recognized for some time does not effectively communicate risk.

(U) Interviewees made clear that Justice’s manner of characterizing legal risk in the Legal Risk Management (LRM) Framework is not understood in the same way by its lawyers and its clients and is not always regarded as useful even by the lawyers applying it. For instance, something that is “high legal risk” is very likely unlawful under the LRM Framework, but this was not always understood by clients. Justice did not provide NSIRA with the full draft revised LRM Framework as modified in the context of VISION, as it is still under development. Justice did however provide and brief NSIRA on some working LRM documents. On the basis of these materials and briefings, NSIRA believes that two [aspects relating to the LRM Framework] need to be addressed.

(U) First, there will be instances in giving advice where Justice should describe activity not as “high risk”, but simply as unlawful. Certain legal questions can be answered unequivocally, even accounting for the cautious nature of lawyerly advice. In a system based on the rule of law, and given the role of the Attorney General, such questions should be answered in as definitive a manner as possible. That there may be some hypothetical possibility that the activity might not be unlawful does not mean that Justice should fall back only on the language of “high risk”, since this phrase may give a client the impression such activities, while “risky”, are still a viable option for risk-embracing officials. Justice should avoid such situations. Where an activity is very likely unlawful, Justice should tell the client exactly that and describe the consequences of proceeding, rather than simply couch its conclusions in a probabilistic formula.

(S/C) Some interviewees underscored this view in discussions with NSIRA. Further, NSIRA notes that Justice has proposed [discussion of Justice initative]

(S/C) [Discussion of operational aspects and purpose of Justice initative]

(U) In contrast [discussion of an NSIRA perceived gap in Justice initative]. In NSIRA’s view, this approach is [Discussion of NSIRA’s recommended approach to address the identified gap]

(U) Second, NSIRA notes that many of the [description of certain aspects of Justice’s tools] NSIRA regards these considerations as inappropriate,

(U) Justice believes that the draft [discussion of aspects of Justice initative]

(U) Still, without careful mitigation, NSIRA believes that there remains a risk [discussion of a concern relating to Justice initative]

(U) In sum, based on the role of the AG in advancing the rule of law, [discussion of a standard to address the identified concern in the Justice initative] In future reviews implicating Justice’s legal advice, NSIRA will be attentive to whether advice meets this standard.

Finding no. 1: NSIRA finds that the legal advice-seeking and giving process, and resource constraints at NSLAG, contribute to considerable delays, [description of timeline]

Finding no. 2: NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.

Finding no. 3: NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.

Finding no. 4: NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to the [discussion of the detrimental effects on and risks to operations] that may require legal advice. In consequence, the manner in which Justice has provided legal advice to CSIS does not always meet the needs of CSIS operations.

Finding 5: NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.

Finding no. 6: NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.

Finding no. 7: NSIRA finds that Justice has committed to improve its advice giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.

Finding no. 8: NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.

In view of these findings, NSIRA recommends that:

(U) Recommendation no. 1: Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road- map” style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:

  • Whether through an expanded office hours or liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
  • NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
  • To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case manage an iterative legal guidance process.

(U) Recommendation no. 2: NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.

(U) Recommendation no. 3: CSIS and Justice include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.

(U) Recommendation no. 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, that CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.

(U) Recommendation no. 5: Justice’s advice giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.

B. Warrant Process

(U) While the preceding section dealt with issues related to the provision of legal advice in the course of all of CSIS operations, the current warrant process is fraught with its own problems, as illustrated by numerous Federal Court decisions.

(U) Warrants are critical to CSIS’s success as an intelligence service. [Discussion of prior internal review]“The information obtained through their execution is the Service’s lifeblood”. At the same time, another, more recent review concluded that for many within CSIS, the warrant process is regarded as a “necessary evil” on account of its onerousness. This section examines the “warrants life cycle”, from prioritization to execution, in order to identify and assess the underlying factors that have made CSIS’s warrant process cumbersome.

(U) Section 21 of the CSIS Act provides the basic rules for warrant applications. If CSIS believes on reasonable grounds that a warrant is required to enable it to investigate a threat to the security of Canada (or collect foreign intelligence for section.16 purposes), it may, with the approval of the Minister, make an application to the Federal Court for a warrant. The affidavit supporting the application must provide the supporting facts demonstrating the reasonable grounds to believe that a warrant is needed to investigate the threat.

(U) In practice, CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. In order to understand fully the warrant process, NSIRA has broken it down into several stages of a larger “warrant lifecycle”, each of which are discussed below.

(U) A number of legal concepts and expectations enter into the warrant process, including, in particular, the “duty of candour” owed to the Court. As noted, warrant proceedings are conducted in the absence of the target and are closed to the public in order to protect the covert nature of a search. To compensate, however, for the one-sided nature of such proceedings, courts (and the law societies that regulate the legal profession) impose elevated obligations of candour on the lawyers and party appearing before the court, also known as a duty of utmost good faith. The evidence presented by the party “must be complete and thorough and no relevant information adverse to the interest of the party must be withheld.” In consequence, the party must “conduct a thorough review of the information in its possession and make representations based on all of the information including that which is unfavourable to their case.”

(U) The concept of “materiality” guides which facts must be disclosed to the court. Thus, in CSIS warrant applications, CSIS “must present all material facts, favourable or otherwise”. “Materiality” simply means a fact relevant to an issue in the case. For CSIS warrants, “information is material if it is relevant to the determination a judge must make in deciding whether or not to issue a warrant, and if so, on what terms.” For instance, a material fact is one that is relevant to “the belief, on reasonable grounds, that a warrant… is required to enable” CSIS to investigate a threat to the security of Canada.

(U) The Federal Court has held, however, that materiality extends beyond facts relevant to the factors expressly listed in section 21 of the CSIS Act. For instance, materiality reaches “information about the broader framework in which applications for the issuance of CSIS Act warrants are brought”. This means the duty of candour includes information that is “material to the judicial exercise of discretion” to issue a warrant. It includes the flagging of “legal issues that could be of concern to the Court”. Legal issues do not, however, exhaust this broader category of materiality, as it also reaches disclosure of CSIS’s precise conduct under a warrant that may influence the Court’s exercise of discretion.

(U) This broader category of “material to the exercise of discretion” relates to the especially important role of the Federal Court as the primary source of independent control over CSIS activities conducted under warrant. Unlike a police warrant, which may be retrospectively scrutinized by a second judge in adversarial proceedings if a police investigation culminates in a prosecution, the Federal Court judge is often the only judge who ever examines a CSIS warrant. The target of the warrant or the broader public will usually never know the CSIS activities conducted under the authority of that warrant. In this context, the Federal Court has signaled a redoubled urgency to meeting a broad duty of candour.

(U) It is clear, however, from our interviews, that the broad conception of materiality has led to doubt and confusion within NSLAG and thus within CSIS. Those interviewees who addressed the issue appeared to agree that Federal Court candour concerns now fit into (at minimum) two categories, which we define as “material to credibility”, and “material to matters of potential concern”. NSIRA defines these categories as follows:

  • Material to Credibility: Facts relevant to an express statutory threshold that the court is asked to assess, most notably the statutory standards judges consider in issuing warrants. This category includes, especially, information that goes to the credibility of the sources whose information supports the warrant application.
  • Material to Matters of Potential Concern: Facts or legal issues concerning those aspects of the CSIS activity that might be unusual (or unanticipated) and that a judge will wish to know in exercising their discretion to issue a warrant and in imposing associated conditions. This category includes, for example, a failure to disclose tradecraft conducted to gather information supporting the warrant that may constitute illegal activity, the failure to disclose conduct under a warrant that might result in information sharing with other agencies, potentially imperiling the target, or circumstances in which the warrant will be implemented and that may not be obvious in the application.

(U) The first category of materiality should be well understood by CSIS and its lawyers. The contours of the second category are not as easily determined and require careful consideration by Justice counsel, assisted by a professional cadre of affiants who reach out to regions to determine how warrants will be executed.

2. Historical Initiatives

(U) As outlined in Annex A, incidents concerning CSIS’s observance of its duty of candour are almost as old as CSIS. Following each failure, CSIS Directors promised reforms. CSIS introduced new policies, but problems recurred. In other words, repeatedly, progress has been made on paper, but without genuinely correcting the underlying problems. CSIS appears to have a long history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. Some interviewees described reforms as typically focused on the minutiae of process rather than on achieving measurable outcomes. CSIS does not track or measure the success of past reforms. In the eyes of some, CSIS reforms often represented “band-aid” solutions rather than attempts to get to the core of issues, and often resulted in the creation of new bureaucracy. In NSIRA’s view, CSIS’s chief challenge is to break this cycle.

Finding no. 9: NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.

3. Description of the Warrant Process

(U) NSIRA notes that even determining how the warrants process works presents Internally, warrant requirements are not adequately codified in applicable policy. CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The gap in policy was evident when examining the warrants policies, which were last updated in 2018 prior to the warrant process undergoing substantial changes, including the implementation of the Affiant Unit (AU) in 2019. Given these issues, a basic question that arises is whether those CSIS officers conducting investigations are sufficiently attuned to when the law requires a warrant.

(U) NSIRA heard that there is a clear threshold for when a warrant process must typically be initiated for well-established collection techniques. However, absent clear policy, there was more legal doubt when at issue was the use of novel technologies with uncertain legal ramifications and requirements.

a) Prioritization of Investigations for Warrants

(U) Once a region or desk has identified the need for a warrant, the first step in the process is the internal prioritization at CSIS of a target case file or investigation for a warrant application. In practice, this prioritization amounts to a system of triage, assigning limited warrant application resources to specific files. However, it was evident to NSIRA that CSIS employees involved in the warrants process had little to no common understanding regarding the process or basis on which a warrant is prioritized. Even senior officials in the CSIS hierarchy regarded the prioritization process as a mystery.

(U) NSIRA heard that headquarters prioritization standards remain a work in progress, and sometimes a struggle among competing interests. The DDO meets weekly with a number of CSIS executives to discuss the investigations requesting a warrant and the possible operational, legal or process developments that could affect priorities for decision-making on warrants prioritization.  While NSIRA was informed that there is a record of decision produced after each prioritization meeting, it remains unclear what criteria are used to prioritize a warrant. Some information suggested prioritization has focused on security-related issues. Others speculated that prioritization also considered the perceived amount of work, availability of lawyers and affiants, and how long it would be until current warrant powers expired and needed renewal. Frequent shifts in this process of prioritization have reportedly produced situations where a warrant process starts and stops several times, wasting precious time and adding to operational uncertainty.

(U) Given the complexity and lack of clarity of the prioritization process, it has been very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions. NSIRA heard about activities that [discussion of detrimental effects on operations] over unresolved questions of law that could have been addressed by the Court. There appeared to be agreement among our interviewees that more matters should be taken to court – and whenever in doubt, seek a warrant.

(U) Given the current situation, however, NSIRA’s impression is that for CSIS to take a legal issue to Court likely requires the combination of a high priority investigation and the existence of just the right real-world scenario to illustrate the legal issue. Of course, any attempt to resolve legal uncertainty runs the risk of obtaining a legal ruling that constrains rather than empowers investigations. NSIRA heard from some interviewees that there may be a reluctance to take issues to court as there is always a risk of obtaining the “wrong answer”.

Finding no. 10: NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.

Finding no. 11: NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.

Recommendation no. 6: NSIRA recommends that CSIS adopt, and share internally, clear criteria for the warrant prioritization process.

b) The Complexity of the Warrant Acquisition Process

(S/C) Once CSIS decides to prioritize a warrant application for an investigation/case, CSIS begins the warrant acquisition process. This process has always been lengthy and bureaucratic. In 1992, the Honourable George Addy reviewed the CSIS warrant process and reported [number] steps spanning a total of [number] and involving from [number] people. Approximately [number] people knew the identity of the target before the warrant was issued, seemingly undercutting the “need to know” principle. George Addy commented adversely on the length of the warrant process. He wrote: “[w]hatever procedures might finally be decided upon, it is of paramount importance that, from the moment the decision to initiate the process is taken, the time required to obtain a warrant should never exceed [timeline], as an absolute maximum.”

(S/C) Yet, [discussion of prior internal review]

(S) At present, according to the documents provided to NSIRA, the process involves [Number] administrative steps in a security intelligence warrant request, [Number] which are internal to CSIS and Justice prior to the application’s filing at the Federal Court. For a foreign intelligence warrant, there [Number] steps. The timetable for the renewal of a security intelligence warrant anticipates a process of [Number] working days, or [timeline] (Annex B). The process involves  committees or units within CSIS (and possibly more if the warrant implicates more than one region), NSLAG, and Public Safety Canada. At least [Number] CSIS managers are named in the process, as are [Number] Justice employees and the Minister and Deputy Minister of Public Safety.

(U) NSIRA was unable to find any one person who could describe precisely the rationale of each of these [multiple] of steps in the overarching scheme; even those close to the process were not always sure what role each approval step played. Few of the steps are mandated by law, but rather they appear to have accrued over time despite repeated efforts at streamlining. Some steps appear to reflect older reform efforts triggered by concerns over compliance, not least with the duty of candour. And yet, as noted at the outset of this review, the candour issues at CSIS persist.

(U) In sum, the warrant process appears to be caught in a vicious cycle whereby duty of candour failures (or the fear of prospective failures) cause CSIS to add more bureaucratic fixes, which complicate an already lengthy and inefficient process without actually resolving the underlying issues that led to the duty of candour failures in the first place. Indeed, as discussed below, the complexity of the warrant process appears itself to contribute to CSIS’s candour issues. CSIS and Justice must break this cycle. A description of how best to do this will first require further discussion of the warrant process itself.

c) The Key Steps in the Process

(U) CSIS maintains five categories of warrant applications, the most common of which are new warrants, replacement of existing warrants159, and supplemental warrants. Each category has its initiating procedures.160 In all applications, the relevant desk at headquarters and the implicated CSIS operational region conducting the investigation prepare a [content of document]. Together, the [number] documents detail the threat, the targets, and set out the investigative powers CSIS proposes to use. Once approved, CSIS sends the [document] to NSLAG for a “threshold” determination; i.e., an assessment of whether there are reasonable grounds to believe that a warrant is required to investigate the threat. If NSLAG concludes that the proposed targets meet the threshold, then development of the rest of the warrant application begins. The key contributors to this process are the Affiant Unit, NSLAG and the Warrant Administration Unit.

(U) The Affiant Unit (with the advice and legal support of NSLAG) is responsible for preparing the affidavit used in support of the warrant application. The affidavit is the affiant’s sworn written testimony and includes a range of information required pursuant to section 21 of the CSIS Act. The affidavit is often laid out as follows.

  • Part 1 – Introduction: this section outlines the affiant’s work experience and introduces the sources of information and the exhibits used in the application.
  • Part 2 – The threat: this section provides information regarding the broader threat and how it relates to CSIS’s investigation and the specific list of target(s).
  • Part 3 – The subjects of the investigation: this section includes a thorough explanation of the threat posed by each target, based on information from human sources and other operational reporting.
  • Part 4 – Powers sought: this section describes the non-warranted (that is pre- or without the need for a warrant) investigative techniques used in the investigation thus far, as well as the powers requested in the application.
  • Part 5 – Other matters: this section includes the duration for which the warrant is sought as well as the required consultation with the Deputy Minister and Minister as per subsections 7(2) and 21(1) of the CSIS Act.

(S) The affidavit will also include a number of exhibits, the most important of which are the human source précis and the foreign agency précis. The human source précis is a summary of information from CSIS’s files that allows the court to assess the reliability and credibility of the human source without revealing the source’s identity. It comprises information pertaining to the source’s relationship with CSIS, [description of information] and motivation. The précis will also include a corroboration table used to support the source information contained in the affidavit. Where the application relies on information supplied by a foreign agency, the foreign agency précis includes background information regarding the mandate of that agency, the agency’s history with CSIS, and whether the information relied upon in the application may have been obtained as a result of mistreatment.

(U) Once approved and reviewed in keeping with several additional steps, including the Independent Counsel vetting discussed below, the application goes before the Warrant Review Committee (WRC) for approval. The committee comprises senior members of CSIS and the department of Public Safety Canada as well as observers from other government agencies such as CSE and the RCMP. At the WRC, the affiant provides a brief overview of the investigation, the application is discussed, and a decision is made regarding whether to proceed with the application, and if so, what changes are required. The application is then submitted to Public Safety Canada, where it is reviewed and passed to the Minister accompanied by a summary and advice as to whether the Minister should approve the application. Once approved, Justice files the warrant application package in court on behalf of CSIS.