Language selection

Government of Canada / Gouvernement du Canada

Search


Review of Information Sharing Across Aspects of CSE’s Mandate

Date of Publishing:

GAC Minister letter to NSIRA To Follow

This report has been modified slightly from the final version which was provided to the Minister. An error in the language of Finding 4, wherein two different versions were presented within the report and the summary, has been corrected for publication. The correct language was always represented in the body of the final report. The incorrect language has been replaced with the correct language for publication.

Executive Summary

(U) This review examined the Communications Security Establishment’s (CSE) legal authority for sharing information obtained in the course of one aspect of its mandate (“aspect”) for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence (FI), and the cybersecurity and information assurance (cybersecurity) aspects of its mandate.

(U) NSIRA examined whether CSE’s internal sharing of information relating to a Canadian or a person in Canada (IRTC) is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution, and the CSE Act, which applies to CSE’s incidental collection and use of IRTC. NSIRA concluded that from the descriptions of the aspects in sections 16 and 17 of the CSE Act, there may be instances where information acquired under one aspect can be used for the same, or a consistent purpose, as another. This would satisfy Privacy Act requirements for sharing information internally. However, this cannot simply be assumed as the purposes of the aspects differ within the CSE Act. CSE must conduct case-by- case compliance analysis that considers the purpose of the collection and sharing.

(U) NSIRA considers it necessary for the Chief of CSE’s application for a Ministerial Authorization to fully inform the Minister of how IRTC might be used and analysed by CSE, including the sharing of IRTC to another aspect, and for what purpose. With one exception, the Chief’s applications for the period of review appropriately informed the Minister of National Defence that retained IRTC might be used to support a different aspect. Moreover, the foreign intelligence applications appropriately informed the Minister how CSE assessed “essentiality” for IRTC collected under the FI aspect.

(U) Under CSE policy, an assessment of IRTC’s relevance, essentiality, or necessity to each aspect is required for sharing information across the aspects. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA found that CSE’s policy framework with regards to the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with the CSE Act.

(U) The information provided by CSE has not been independently verified by NSIRA. Work is underway to establish effective policies and best practices for the independent verification of various kinds of information, in keeping with NSIRA’s commitment to a ‘trust but verify’ approach.

Authorities

(U) This review was conducted under the authority of paragraph 8(1)(a) of the National Security and Intelligence Review Agency Act (NSIRA Act).

Introduction

(U) This review examined the Communications Security Establishment’s (CSE) legal authority for sharing information obtained in the course of one aspect of its mandate (“aspect”) for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence (FI), and the cybersecurity and information assurance (cybersecurity) aspects of its mandate. Broadly, this review also documented activities pertaining to the internal sharing of information relating to a Canadian or a person in Canada between the foreign intelligence and cybersecurity aspects, in order to inform future reviews by NSIRA.

(TS) The Office of the Communications Security Establishment Commissioner (OCSEC) previously studied the sharing of, and access to, cyber threat information between CSE’s SIGINT and IT Security Branches. OCSEC’s review found that CSE’s cyber threat information sharing and accessing activities between CSE’s SIGINT and IT Security were consistent with National Defence Act and Privacy Act authorities, and that information shared between the branches posed a minimal risk to the privacy of Canadians.

(U) With the coming into force of the CSE Act, on August 1, 2019, CSE’s legal authorities for conducting its activities have changed since OCSEC’s review. In light of this change of legal authority for CSE, NSIRA decided to re-assess and evaluate whether CSE’s internal information sharing activities between the FI and cybersecurity aspects are consistent with the CSE Act and the Privacy Act.

(U) NSIRA expects that CSE’s internal sharing of IRTC complies with the CSE Act and the Privacy Act. As such, the focus of this review was to examine the legal authority that allows for CSE to share IRTC between the FI and cybersecurity aspects.

(U) The Communications Security Establishment Act (CSE Act), creates five distinct aspects to CSE’s mandate. The CSE Act distinguishes between each aspect and its associated activities, as listed below: Foreign intelligence (FI) (section 16): to acquire information from the global information infrastructure (GII), and to use, analyse and disseminate the information for the purpose of providing foreign intelligence;

  • Foreign intelligence (FI) (section 16): to acquire information from the global information infrastructure (GII), and to use, analyse and disseminate the information for the purpose of providing foreign intelligence;
  • Cybersecurity and information assurance (cybersecurity) (section 17): to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions or those designated under subsection 21(1) of the CSE Act, and to acquire, use and analyse information to do so;
  • Defensive cyber operations (section 18): to carry out activities on the GII to help protect electronic information and information infrastructures of federal institutions or those designated under subsection 21(1) of the CSE Act;
  • Active cyber operations (section 19): to carry out activities on the GII to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of foreign entities; and
  • Technical and operational assistance (section 20): to provide technical and operational assistance to federal law enforcement, security agencies, the Canadian Armed Forces and the Department of National Defence.

(U) The CSE Act also distinguishes between the aspects by requiring different Ministerial Authorizations (MAs) for CSE’s activities, except for assistance activities (s. 20). Under the CSE Act, and with the exception of assistance activities, CSE’s activities must not be directed at a Canadian or any person in Canada, and must not infringe the Canadian Charter of Rights and Freedoms. Under the FI and cybersecurity aspects, CSE’s activities must not contravene any other Act of Parliament or involve the acquisition of information on or through the GII that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada, unless carried out under a MA.

(U) The Minister of National Defence may issue a MA that permits CSE to conduct activities or classes of activities that may contravene any other Acts of Parliament, and, in the case of FI and cybersecurity, would involve the acquisition of information that would interfere with the reasonable expectation of privacy of a Canadian or a person in Canada. FI and cybersecurity MAs must be approved by the Intelligence Commissioner (IC), who must review whether the conclusions made by the Minister in issuing the authorization are reasonable.

(U) Thus, CSE is permitted to incidentally acquire information relating to a Canadian or a person in Canada in the course of carrying out activities that are authorized by an FI (s. 26(1)), cybersecurity (s. 27(1) or 27(2)), or emergency (s. 40) MA. CSE refers to this information as information relating to a Canadian or a person in Canada (IRTC). In order to issue an authorization, the Minister must be satisfied that CSE will only use, analyse or retain IRTC when it meets the “essentiality” conditions in section 34 of the CSE Act, which are different for the FI and cybersecurity aspects. For FI, “essentiality” means an assessment of whether the information is essential to international affairs, defence or security. For cybersecurity, “essentiality” means an assessment of whether the information is essential to identify, isolate, prevent or mitigate harm to (i) federal institutions’ electronic information or information infrastructures, or (ii) electronic information or information infrastructures designated under subsection 21(1) of the CSE Act.

(U) As the CSE Act distinguishes between the aspects and the corresponding MAs, NSIRA examined CSE’s legal authority for sharing IRTC between the FI and cybersecurity aspects.

(U) Due to operational and access-related challenges, including due to the COVID-19 pandemic, this review was not able to independently assess and verify CSE’s compliance with the law or compliance with the restrictions and authorities in place when internally sharing and using information between aspects. Additionally, NSIRA was not able to independently observe, investigate or validate the systems used when sharing data between aspects (consult Annex F for a description of processes and methods used by CSE to share information between the two aspects). These data sharing systems may be examined in future NSIRA reviews.

(U) NSIRA also intended to review the internal sharing of information with the active (ACO) and defensive (DCO) cyber operations aspects of CSE’s mandate, including compliance with the requirements in subsection 34(4) of the CSE Act on acquiring information while conducting ACO and DCO cyber operations. Among other things, this subsection stipulates that no information may be acquired pursuant to ACO and DCO authorizations unless done in accordance with an FI (CSE Act, s. 26(1)), cybersecurity (CSE Act, ss. 27(1) & 27(2)), or emergency (CSE Act, s. 40(1)) authorization. This facet of the review was instead covered in NSIRA’s review of CSE’s Active Cyber Operations and Defensive Cyber Operations – Governance, and will be further examined in NSIRA’s second review of ACO and DCO activities later in 2021.

(U) Importantly, this review did not examine the disclosure of Canadian identifying information (CII) outside of CSE.

Background

What is IRTC?

(U) While the CSE Act mentions IRTC several times, it is not clearly defined. In practice, IRTC is the information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting FI or cybersecurity activities under the authority of an MA. According to CSE policy, IRTC is any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.

(U) There is a distinction to be made between IRTC and Canadian identifying information (CII). For example, the CSE Act uses both IRTC and CII throughout the Act to describe types of information. Where IRTC is any information recognized as having reference to a Canadian or a person in Canada, CII is information that could be used to identify a Canadian or a person in Canada and that has been used, analyzed or retained under a FI or emergency authorization. CSE describes CII as a subset of IRTC. CII may be disclosed by CSE to designated persons under section 43 of the CSE Act.

Internal Sharing of IRTC at CSE

(TS) In some circumstances, CSE policy allows for IRTC collected under the authority of one aspect to be shared for use under another aspect (see Annex D for a description of the other types of information that is shared between the FI and cybersecurity aspects). CSE policy permits FI to be used internally to fulfill cybersecurity requirements. Information retained under the cybersecurity aspect may be used by CSE personnel operating under the FI aspect, unless the information is subject to any conditions imposed on it by external clients or disclosing entities. According to CSE, sharing information across aspects of the mandate enables CSE to carry out its activities in support of Government of Canada priorities.

(TS) In the cybersecurity context, CSE explained that any IRTC shared internally in support of the FI aspect [redacted description of CSE operations]

(TS//SI) An example that CSE provided [redacted example of CSE operations]. Sharing this information across the aspects of the mandate enabled CSE to help protect GC information and information infrastructures as well as those of Systems of Importance (SOI), by identifying, isolating and mitigating the threat, and provided GC decision- makers with a comprehensive view of the foreign threats targeting Canada.

(TS) After reviewing a random selection of reports, in addition to receiving information by CSE and interviewing analysts familiar with working on both FI and cybersecurity, NSIRA learned that the IRTC shared between the FI and cybersecurity aspects generally included: [redacted list of operational utilized in the system]. CSE policy permits [redacted].

(U) CSE asserts that although IRTC is shared across the aspects, activities will not be directed at Canadians or persons in Canada. As previously mentioned, CSE must not direct its activities at a Canadian or any person in Canada.

Findings and recommendations

Compliance with the CSE Act and the Privacy Act

What Acts Apply to the Internal Sharing of Information?

(S) The relevant statutes that apply to CSE’s internal information sharing are CSE’s enabling statute, the CSE Act, and the Privacy Act. The CSE Act does not provide a clear authority to share IRTC between the aspects. Likewise, the CSE Act disclosure provisions for CII in sections 43–45 do not prima facie contemplate internal sharing of IRTC, as to disclose information under these provisions, the Minister would need to authorize CSE to collect and disclose CII to itself. Additionally, CSE is not a designated entity under section 45 of the CSE Act for the purposes of receiving disclosed information under sections 43 and 44.

(U) IRTC could constitute personal information as defined in section 3 of the Privacy Act, which is information about an identifiable individual that is recorded in any form. For example, Canadian IP addresses, may constitute both IRTC for the purposes of the CSE Act and personal information under the Privacy Act. Pursuant to section 4 of the Privacy Act, the collection of personal information must relate directly to an operating program or activity of the institution, which includes CSE’s mandated activities in the CSE Act.

(U) The Privacy Act also requires that personal information be used and disclosed in manner consistent with sections 7 and 8 of the Privacy Act. For reference, Section 7 of the Privacy Act states:

Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except

  • For the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or
  • For a purpose for which the information may be disclosed to the institution under subsection 8(2).

(U) NSIRA examined whether CSE’s internal sharing of IRTC is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution. NSIRA concluded that in some circumstances, as described later in the report, internal sharing of IRTC that constitutes personal information between the FI and cybersecurity aspects might satisfy Privacy Act requirements. This compliance assessment requires a case-by-case analysis.

(Protected B//Solicitor-Client Privilege) NSIRA examined CSE DLS’s legal analysis, provided by Department of Justice (DOJ) lawyers, [redacted legal opinion or advice].

(Protected B//Solicitor-Client Privilege) In DOJ’s opinion, [redacted legal opinion or advice].

(Protected B//Solicitor-Client Privilege) According to DOJ, [redacted legal opinion or advice].

Compliance with the Privacy Act

(U) NSIRA observes that, in assessing compliance with section 7 of the Privacy Act, CSE emphasizes compliance with paragraphs 34(2)(c) and 34(3)(d) of the CSE Act to support the internal sharing of personal information across the various aspects of the mandate.

(U) As noted, section 7 of the Privacy Act requires that personal information under the control of a government institution shall not be used without the consent of an individual, except for two purposes: (1) the purpose for which it was obtained, or for a use consistent with that purpose; or (2) for a purpose for which the information may be disclosed to the institution under subsection 8(2) of the Act. Importantly, a use of information need not be identical to the purpose for which information was obtained; it must only be consistent with that purpose.

(U) CSE’s reliance on section 34 of the CSE Act poses a challenge for compliance with the Privacy Act because section 34 does not identify the actual purpose of the incidental collection of the IRTC, or provide an authority for internal sharing. Rather, section 34 conditions the Minister’s authority to issue an MA on prerequisites. Paragraphs 34(2)(c) and 34(3)(d) of the CSE Act specify that the Minister must be satisfied that the privacy protection measures in section 24 of the Act will ensure that IRTC will be used, analysed, and retained only if it complies with the respective essentiality requirements for FI and cybersecurity, as the case may be. These conditions establish a required threshold for the use, analysis and retention of IRTC collected under a MA, and not an authority for internal sharing of IRTC.

(U) Depending on the factual circumstances in which the IRTC is shared, CSE’s sharing of IRTC that constitutes personal information between the FI and cybersecurity aspects could be supported by the CSE Act and the Privacy Act when the information is shared for the purpose for which it was obtained, or for a use consistent with that purpose. This would require a case-by- case assessment to ensure that the purpose for which the IRTC is shared internally is for the same purpose for which it was collected, a purpose consistent with that original purpose for collection, or as permitted by section 7(b), that the sharing is permitted for one of the reasons identified by Parliament in subsection 8(2) of the Privacy Act. As mentioned, CSE does not consider internal sharing a disclosure of information. NSIRA notes that the issue of whether internal sharing in this way constitutes a “use” or a “disclosure”, under the Privacy Act is unclear. Regardless, NSIRA observes that in relying solely on the “essentiality” criteria in section 34, CSE is not assuring itself that it has lawful authority for internal sharing.

(U) A justification under section 7(a) or paragraph 8(2)(a) of the Privacy Act requires CSE to identify the purpose of the incidental collection and internal sharing, which is found in the corresponding aspect of CSE’s mandate. CSE’s purpose for collecting, and authority to collect, personal information comes from the CSE Act. Sections 16 and 17 of the Act identify FI and cybersecurity as operating programs and activities of the institution, and provide the authority to collect information for those purposes. As noted, MAs must authorize collection when activities might contravene any other Act of Parliament, or involve the acquisition of information from or through the GII that interferes with a reasonable expectation of privacy of a Canadian or a person in Canada. From the descriptions of the aspects in sections 16 and 17 of the CSE Act, there may be instances where information acquired under one aspect can be used for the same, or a consistent purpose, as exists for another, thus satisfying Privacy Act requirements for sharing information internally. However, this cannot simply be assumed as the purposes of the aspects are described differently within the Act.

(U) Section 16 of the CSE Act authorizes CSE to acquire information from or through the GII, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence in accordance with Government of Canada (GC) priorities. Section 17 of the CSE Act, in turn, authorizes CSE to provide advice, guidance and services to help protect the electronic information or information infrastructures of federal institutions and designated systems of importance, and to acquire, use and analyse information, from the GII or from other sources, in order to provide such advice, guidance and services.

(TS//SI) When sharing FI-acquired IRTC to support CSE’s cybersecurity aspect, there is arguably no shift in purpose if cybersecurity is among the purposes for which the FI is obtained, used, analysed and disseminated. For the period of this review, [redacted related to GC priorities]. Sharing FI information to fulfill CSE’s section 17 cybersecurity objectives of providing advice, guidance and services to help protect federal and designated electronic information and infrastructures could be considered as the same purpose, or consistent with the purpose, for which the IRTC was originally obtained. Where the FI is used in the section 17 aspect to protect federal and designated electronic information and infrastructures, the purpose of collection and the subsequent use of that information could remain the same.

(U) For cybersecurity-acquired IRTC, sharing information to the FI aspect could be permissible if the FI purpose is the same as, or consistent with, the purpose for which the information was initially acquired, i.e., for the purpose of providing advice, guidance and services to help protect federal and designated information infrastructures or electronic information. Thus, sharing cybersecurity IRTC to the FI aspect would be permissible under the Privacy Act if the internal sharing ultimately serves the purpose of helping to protect federal and designated information infrastructures or electronic information.

(U) In sum, if the purpose of CSE’s acquisition of personal information is for the purpose of, or consistent with, delivering on the foreign intelligence and/or cybersecurity aspects, CSE’s internal sharing of IRTC can be consistent with section 7(a) or paragraph 8(2)(a) of the Privacy Act, provided that purpose of the information collection and sharing is identified and justified. CSE must also always satisfy any conditions from the CSE Act and relevant MAs on the collection and use of IRTC. To support internal sharing of personal information between the aspects, further analysis is required based on the factual circumstances of each case.

Finding no. 1: CSE’s internal sharing of information between the FI and cybersecurity aspects of the mandate has not been sufficiently examined for compliance with the Privacy Act.

Recommendation no. 1: CSE should obtain additional legal advice on its internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate, explicitly in relation to compliance with the Privacy Act, which thoroughly addresses the following two issues:

  1. Whether the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is a use or a disclosure of information for the purposes of the Privacy Act; and
  2. Whether uses and disclosures are done in accordance with sections 7 and 8 of the Privacy Act.

The Ministerial Authorizations

(U) The CSE Act does not allow the Minister to authorize internal sharing of IRTC, as MAs may only authorize, in the case of FI, the activities or classes of activities listed in subsection 26(2), or for cybersecurity, access and acquisition of the information referred to in subsections 27(1) and 27(2). Any internal sharing of IRTC that constitutes personal information must be done in accordance with the Privacy Act.

(U) As mentioned, section 24 of the CSE Act requires CSE to have measures in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of IRTC. When issuing a MA, the Minister must conclude that these measures will ensure that any acquired IRTC will only be used, analysed or retained if it meets the essentiality thresholds in paragraphs 34(2)(c) or 34(3)(d). The Minister may issue these authorizations if they are of the view that such activities would be “reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities.” As the Minister considers the reasonableness of the activities proposed against either an FI or cybersecurity purpose, it is conceivable that some activities might be reasonable and proportionate in one context, but not in the other. As activities authorized under subsection 26(2) might acquire a broader range of information than what is contemplated in subsections 27(1) and 27(2), the sharing of FI to cybersecurity might allow for CSE to use more information for a cybersecurity purpose than what is permitted under cybersecurity authorizations alone, and may require different privacy protection measures when using such information.

(U) To issue an MA, the Chief of CSE must set out the facts in an application that would allow the Minister to conclude that there are reasonable grounds to believe that the authorization is necessary, and that the conditions for issuing it are met. NSIRA considers it necessary for the Chief’s application to fully inform the Minister of how IRTC might be used and analysed by CSE, including the sharing of IRTC to another aspect, and for what purpose. This information would also allow for the Minister to make a determination under section 35 whether any other terms, conditions, or restrictions are advisable to protect the privacy of Canadians when issuing a FI or cybersecurity authorization.

(TS//SI) For the authorizations issued during 2020, most of the Chief of CSE’s applications indicated that collected and retained information might be used under a different aspect, while the text of most of the corresponding MAs did not mention use under a different aspect. This situation was reversed in one instance: [redacted example of CSE operations].

(TS//SI) Moreover, the 2020 FI applications and authorizations indicate that in order to meet the essentiality condition for retention of IRTC under subsection 34(2)(c) of the CSE Act, IRTC will be retained if it is assessed as essential to cybersecurity. In these instances, cybersecurity is included under the concept of “essential to security”, thus providing the Minister with additional context as to how the essentiality conditions are assessed and met by CSE. NSIRA considers this information necessary for the Minister to assess whether the conditions listed in section 34 of the CSE Act for issuing the authorization are met.

Finding no. 2: With one exception, the Chief of CSE’s applications for Ministerial Authorizations issued in 2020 informed the Minister of National Defence that retained information might be used to support a different aspect.

Finding no. 3: The applications for foreign intelligence authorizations by the Chief of CSE for the period of review appropriately informed the Minister of National Defence how the essentiality condition in paragraph 34(2)(c) is met for IRTC collected under the FI aspect.

Recommendation no. 2: All foreign intelligence and cybersecurity applications from the Chief of CSE should appropriately inform the Minister of National Defence that retained information might be used to support a different aspect.

Assessment of Essentiality, Necessity, and Relevancy

(U) Under CSE policy, an assessment of IRTC’s relevance, essentiality, or necessity to each aspect is required for sharing information across the aspects (see Annex G for CSE’s policy thresholds and definitions used to assess IRTC when shared between the aspects). These terms come from the CSE Act, but are not defined in the Act. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA did not assess these policy thresholds or definitions for lawfulness, or how these requirements are satisfied by CSE when internally sharing IRTC. This may be examined in future reviews.

(TS) CSE policy also sets forth the criteria by which to authorize the sharing of IRTC across aspects (see Annex E for the approval processes at CSE for sharing information). Before any IRTC may be shared across aspects of the mandate, the information must be assessed for essentiality to the aspect for which it was acquired. If it does not pass this initial essentiality threshold, the information must be deleted.

(Protected B//Solicitor-Client Privilege) According to CSE, [redacted legal opinion or advice]

(U) NSIRA agrees that the CSE Act does not require that internally shared IRTC between the FI and cybersecurity aspects meet both of the essentiality conditions of paragraphs 34(2)(c) and 34(3)(d) of the CSE Act. Subsections 22(3) and 22(4) of the CSE Act require an FI or cybersecurity MA when the activities carried out in furtherance of either aspect involve acquiring information from the GII that may interfere with a reasonable expectation of privacy, or for activities that might contravene an Act of Parliament. MAs may only authorize the activities or classes of activities listed in subsection 26(2) for FI, or to access information infrastructures and acquire the information referred to in subsections 27(1) and 27(2). As mentioned, the “essentiality” thresholds in section 34 condition the Minister’s authority to issue an MA on the prerequisite of the privacy protection measures in section 24. Such a requirement can be understood as applying to use, analysis and retention of IRTC collected by CSE under the authority of a MA and within the confines of a single aspect. Therefore, there is no legal requirement within the CSE Act that CSE observe the essentiality threshold of the aspect of which the IRTC is internally shared. IRTC must only meet the original essentiality condition of either paragraph 34(2)(c) or 34(3)(d) when IRTC is acquired, as required by the MA authorizing its actual incidental collection.

Finding no. 4: CSE’s position that they do not need to assess “essentiality” twice when sharing information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with paragraphs 34(2)(c) and 34(3)(d) of the CSE Act.

Conclusion

(U) As the CSE Act distinguishes between the aspects and the corresponding MAs, NSIRA examined CSE’s legal authority for sharing IRTC between the FI and cybersecurity aspects of its mandate. NSIRA concludes that internal sharing may be consistent with the Privacy Act in some circumstances. However, CSE must give further consideration to the purpose of the collection of the IRTC to justify any internal sharing of IRTC.

(U) This review also established a foundational understanding of some of the processes, systems, and compliance measures applied by CSE when sharing IRTC across aspects. Although NSIRA was not able to independently verify this information, NSIRA intends to build upon this information in future reviews.

Annexes

ANNEX A: Objectives, Scope, and Methodology

(U) Initially, NSIRA intended to examine the internal sharing of IRTC between aspects of CSE’s mandate in a thematic manner that covered several operational areas and several aspects. The review intended to examine the sharing of information between aspects of CSE’s mandate for the period of August 1, 2019 to August 1, 2020, with the objective to independently assess and evaluate:

  • Compliance with legal, ministerial, and policy requirements, including adequate management of compliance risks when conducting information sharing activities between aspects of CSE’s mandate; and,
  • CSE’s policies, procedures and practices on the internal sharing of information between aspects of the mandate.

(U) Due to operational realities, including COVID-19 related disruptions and access challenges, the objectives, scope, and methodology of this review were significantly reduced from the original Terms of Reference (sent to CSE on August 28, 2020), to focus mainly on the legal authority for sharing of information between the FI and cybersecurity aspects.

(U) For this review, NSIRA examined documents and records relevant to the sharing of information between aspects of CSE’s mandate, from the coming into force of the CSE Act on August 1, 2019, until August 1, 2020.

(U) Two interviews were conducted with CSE employees involved with information sharing across CSE’s aspects, and an interview was conducted with a Department of Justice lawyer in CSE’s Directorate of Legal Services familiar with the legal framework of such activities.

(U) NSIRA also completed a foundational description of some of the processes, systems, and compliance measures in place when sharing such information, in order to establish a baseline of knowledge to inform future reviews.

ANNEX B: Meetings and Briefings

Briefing. “Information Sharing: Sharing information for use across aspects of the CSE Mandate”, NSIRA Briefing, February 7, 2020.

NSIRA meeting with counsel from the Department of Justice at CSE DLS, October 13, 2020.

NSIRA meeting with CSE analysts, October 20, 2020.

ANNEX C: Findings and Recommendations

Finding no. 1: CSE’s internal sharing of information between the FI and cybersecurity aspects of the mandate has not been sufficiently examined for compliance with the Privacy Act.

Recommendation no. 1: CSE should obtain additional legal advice on its internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate, explicitly in relation to compliance with the Privacy Act, which thoroughly addresses the following two issues:

  • Whether the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is a use or a disclosure of information for the purposes of the Privacy Act; and
  • Whether uses and disclosures are done in accordance with sections 7 and 8 of the Privacy Act.

Finding no. 2: With one exception, the Chief of CSE’s applications for Ministerial Authorizations issued in 2020 appropriately informed the Minister of National Defence that retained information might be used to support a different aspect.

Finding no. 3: The applications for foreign intelligence authorizations by the Chief of CSE for the period of review appropriately informed the Minister of National Defence how the essentiality condition in paragraph 34(2)(c) is met for IRTC collected under the FI aspect.

Recommendation no. 2: All foreign intelligence and cybersecurity applications from the Chief of CSE should appropriately inform the Minister of National Defence that retained information might be used to support a different aspect.

Finding no. 4: CSE’s position that they do not need to assess “essentiality” twice when sharing information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with paragraphs 34(2)(c) and 34(3)(d) of the CSE Act.

ANNEX D: Partner and client information and publicly available information shared between the fi and cybersecurity aspects

(Protected B) Under the cybersecurity aspect, federal and non-federal clients may disclose cyber threat information to CSE as Canada’s lead agency for cybersecurity, or when seeking CSE services to analyse and mitigate known or suspected cyber incidents. Disclosed information may be used for FI purposes provided that it is done so for the purposes of identifying, isolating, preventing or mitigating harm to federal systems or systems of importance to the GC.

(Protected B) The documentation that governs CSE’s arrangements with GC and non- federal clients specifies that information obtained by CSE from a given client’s network or system that is relevant to the cybersecurity aspect may be shared with partners [redacted CSE operational information] or internal partners for GC clients) involved in cybersecurity for the purposes of identifying, isolating, preventing or mitigating harm to federal systems or systems of importance to the GC. However, this type of documentation does not explicitly mention that clients’ information might be used for FI purposes. For the purposes of obtaining the informed consent of disclosing entities, NSIRA considers it appropriate for CSE to be fully transparent with how clients’ information might be used by CSE.

(Protected B) When client information is shared with [redacted CSE operational information] partners, the information is anonymized and identifiable information is omitted. Any releasable cybersecurity products created from client information must only contain information necessary to mitigate a cyber compromise. Additionally, disclosing entities may also impose specific restrictions on the use and sharing of their data at the time of disclosure.

(TS) As per subsection 21(1) of the CSE Act, CSE is permitted to acquire and use publicly available information without seeking a MA. Currently, [redacted related to legal opinion or advice].

ANNEX E: Approval Process and Sharing Release Approvals

Approval Processes for Sharing IRTC

(TS//SI) The appropriate approval authority for sharing information is outlined in CSE internal policy, where the nature of the information dictates the release authority. CSE policy requires management approval (known as the release authorities) before sharing unsuppressed IRTC between aspects. However, policy does not stipulate the actual process for approval; this is determined by the relevant operational areas in accordance with their business practices. The Mission Policy Suite (MPS) requires all management decisions to be documented and retained in a central repository for transparency and accountability purposes. Those records must be accessible for review purposes. However, for this review, NSIRA was unable to independently verify and assess the approval process for internally shared IRTC.

(TS) Generally, CSE requires management approval for sharing information contained within a report for use across aspects of the mandate, and will elevate the appropriate release authority when the information contains IRTC. The appropriate release authority and conditions for release are outlined in policy (discussed below). The release authority is responsible for the information exchange, and must be informed if any changes are made to the data that result in a change in the type of privacy-related information to be shared.

(TS) Automated sharing techniques [redacted related to GC priorities].

Cybersecurity IRTC to Foreign Intelligence

(U) Retained IRTC under the cybersecurity aspect can be shared to FI as a Releasable Cybersecurity Product (RCP), which must meet the requirements listed below. The release authority is determined by the privacy impact that the release of information may have on an individual or entity, which is in turn determined by the level of sensitivity and privacy impact of the IRTC. Depending on the level of sensitivity of the IRTC, operational managers or supervisors from the Canadian Centre for Cyber Security (CCCS, or Cyber Centre) must approve RCPs containing IRTC.

(U) The requirements for a RCP as per CSE policy include the following:

Requirement When and How the Requirement is Applied
Purpose is to provide advice, guidance, and services At the time of sharing – why am I sharing this information?
Product only contains retained information The decision to use and retain information is made at the time the raw data is assessed for relevance and necessity (and in the case of IRTC, essentiality) to the cybersecurity aspect of the mandate.
Privacy Protection

At the time of sharing, as appropriate (e.g., being shared back with the system owner/administrator who already has access to the information on their own systems; or to a broader audience with strict limits on the use of the information).

No suppression is required if the IRTC is shared for use under the FI aspect of the mandate when the sharing is for the purposes of supporting activities to help protect the electronic information and information infrastructures of the GC or SOI to the GC

Classification and limitations on use and handling

Either at the time of sharing, or applied at a later stage to the onward use and dissemination of the information by FI. Can include pre-approved uses and conditions, as well as limitations placed by the data/system owner if applicable.

Can be applied by report-authoring platforms to End Product Reports (EPRs), restrict the use and dissemination of CSE information.

Auditable At the time of acquisition, applied automatically by CSE systems.
All data entering CSE is automatically tagged with a unique identifier, as well as information regarding origin (e.g., MA vs non-MA, disclosing client if applicable etc.), access restrictions if applicable, aspect of the mandate under which the data was acquired, date and time of acquisition, use and handling requirements.
Approved for release

At the time of sharing.

The approval authority depends on the nature of the information. See table in s. 25.2 in the MPS cybersecurity chapter.

Foreign Intelligence IRTC to Cybersecurity

(TS) IRTC under the FI aspect can be released to CCCS as a Releasable SIGINT Product (RSP). RSPs that contain information with a recognized Canadian privacy interest, or based on material with a Canadian privacy interest, require DC SIGINT approval for release, which can be delegated.

(TS) In order to create a RSP to share information for use under the cybersecurity aspect, the following table summarizes how the criteria required in policy must be met:

Requirement When and How the Requirement is Applied
Information is relevant to FI At the time of assessment. Must be met prior to use.
Privacy protection e.g., suppression of IRTC

At the time of sharing, if necessary.

Suppression is mandatory for IRTC included in an EPR shared outside CSE. CCCS clients that receive these EPRs may request this CII through the regular Action-On process.

Otherwise, no suppression required if IRTC is necessary for cybersecurity purposes, but other measures to protect privacy are used, for example, restricting the audience for the information.

Sanitization Either at the time of sharing, or to be applied if/when cybersecurity use requires the information be sanitized to protect CSE equities.
Serialization

At the time of acquisition, applied automatically by CSE systems.

All data entering CSE is automatically tagged with a unique identifier, as well as information regarding origin [redacted example of CSE operations] access restrictions if applicable, aspect of the mandate under which the data was acquired, date and time of acquisition, use and handling requirements.

Caveats

Either at the time of sharing, or applied at a later stage to the onward use and dissemination of the information by cybersecurity. Can include pre- approved actions-on.

Automatically applied by report-authoring platforms to EPRs, limit the use and dissemination of CSE information.

Approved for release

At the time of sharing.

The approval authority depends on the nature of the information. See table in s. 27.8 of MPS FI chapter.

Internal Reviews of Information Sharing

(TS) Internal sharing of information between the aspects is subject to CSE internal review, for both automated sharing and data-based queries. SIGINT Compliance, the group responsible for internal compliance activities under the FI aspect, reviewed CSE-originated queries for 2019 and 2020, and found that query activity was complaint. The CCCS’ Internal Program for Operational Compliance (IPOC) did not prioritize compliance monitoring reviews for the past two fiscal years in order to monitor other activities that posed a higher-risk to compliance.

(TS) Automated sharing techniques are also subject to review. SIGINT Compliance is required to revalidate all instances of automated sharing between the FI and cybersecurity aspects every 12 months. The most recent review for the period of July 2019 to September 2020 found that the [redacted number] of automated sharing were compliant with policy requirements, except for [redacted number] that CSE was unable to assess.

ANNEX F: Methods and processes of sharing

(TS) This section describes the methods and processes used by CSE to share information between the FI and cybersecurity aspects. There is a multitude of systems, methods, and processes that enable information sharing between these aspects, both suppressed and unsuppressed. Note that the processes described below are not static, and that CSE’s systems, methods, and processes can change anytime.

(TS) Generally, access to information for each aspect is restricted by [redacted related to legal opinion or advice]

(TS//SI) For examples, [redacted description of CSE operations].

(U) As required by section 24 of the CSE Act, CSE must have measures in place to protect the privacy of Canadians and persons in Canada in the use of information related to them acquired in furtherance of the FI or cybersecurity aspects.

(TS) Suppression and minimization of IRTC is not required by CSE policy when sharing information internally; it is a default practice to share IRTC unsuppressed across the FI and cybersecurity aspects. According to CSE, although not mandated by policy, analysts are encouraged to anonymize or remove privacy-related information where it is not essential for the person using the information to understand the context and value. CSE recognizes that suppression and minimization are a best effort practice, and is of the opinion that CSE is not in contravention of the law should suppression, minimization, anonymization not occur when sharing information between the aspects.

Cross-Aspect Access to both SIGINT and Cyber Centre Raw Data

(TS) When accessing data from another aspect that is not within a reporting product (i.e., RSPs or RCPs), analysts are subject to the policy requirements of the data they are accessing.

(TS//SI) Under the FI aspect, [redacted description of CSE operations].

(TS//SI) For examples, [redacted description of CSE].

(TS//SI) While analysing raw FI data, Cyber Centre personnel must follow all applicable foreign intelligence authorities and policy requirements. The use, handling, and retention of this information is further subject to any restrictions applied to the foreign intelligence data.

(TS//SI) SIGINT personnel may access and use Cyber Centre systems if they meet the requirements in section 26.1 of the MPS Cybersecurity. Access to Cyber Centre systems and raw cybersecurity data is similarly restricted [redacted] to individuals with an operational need-to-know and mandatory annual policy and compliance training and knowledge testing. [description of CSE operations].

Reporting – RCPs and RSPs

(U) Retained information is internally shared through formal reporting processes in the form of either RSPs, which includes EPRs, or RCPs.

(TS//SI) Cyber Centre personnel operating under cybersecurity requirements may also be internal clients without access to raw FI data. Foreign intelligence information is shared to some cybersecurity personnel as an RSP, meaning that the information has met the requirements for release in CSE policy, including suppression and approval, and is subject to any restrictions on the intelligence data. For the period of review, there [redacted number] RSPs approved for release from the FI aspect that were made available to personnel operating under the cybersecurity aspect.

(TS//SI) Cybersecurity information can be reported and released to SIGINT personnel for subsequent use under the FI aspect via RCPs. Information released through RCPs must meet the requirements for release within CSE policy, and the use must be consistent with the cybersecurity aspect of CSE’s mandate and used for a subsequent use related to relevant GC priorities. For the period of review, [redacted number] RCPs were disseminated to authorized recipients in SIGINT.

Receiving Suppressed Identifiers from Reporting

(TS) Suppressed IRTC in EPRs disseminated through SLINGSHOT can be requested by internal CSE clients through the existing CII external disclosures process. This is the only mechanism by which suppressed identities can be accessed and released. Supressed IRTC can be requested by submitting a request to the Action-On team (D2A). The requestor must provide the legal authority and operational justification to receive the unsuppressed information. Between August 1, 2019 and August 1, 2020, [redacted description of CSE operations].

(TS) Although the mechanism for releasing this information is the same as the external disclosures process, it is not considered a “disclosure” of information but an internal “use” of information. As such, the disclosure regime requirements of sections 43 to 46 of the CSE Act do not need to be met in order for supressed information to be released to internal CSE clients.

Joint-Reporting

(TS//SI) Information may also be shared between the foreign intelligence and cybersecurity aspects for the purposes of disseminating foreign intelligence under cybersecurity authorities. This foreign intelligence information must first be used for foreign intelligence purposes, and then may be shared to CCCS personnel use under the cybersecurity aspect and only then released under their authorities.

(TS//SI) Approval for sharing of foreign intelligence information under the cybersecurity aspect of the mandate must abide by the appropriate release approval authorities for both aspects.  [redacted description of CSE operations]

Automated Sharing (forms of RSP or RCP)

(TS) Automated sharing is defined in CSE policy as “the use of automated techniques or processes to expedite the dissemination of [redacted releasable reporting products]”.

(TS//SI) There are various automated feeds used at CSE to exchange information between the aspects. [redacted description of CSE operations].

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

Other Methods of Sharing

(TS) More informal methods of information exchange may occur between the two aspects. As CSE teams work closely together, analysts might gain knowledge of information that can be useful for either aspect of the mandate. Analysts may exchange general knowledge without any formal reporting. CSE policy provides for analytic exchanges whereby analysts may engage with partners working under a different aspect to work on common objectives by exchanging information. However, any data exchange must meet the requirements of issuing a RCP or RSP, although the data need not be released through the formal product dissemination systems.

ANNEX G: Policy Thresholds for Internal Sharing

(U) Generally, CSE policy provides that IRTC may be shared internally according to the thresholds outlined below. As mentioned, NSIRA did not assess these thresholds or definitions for lawfulness, but may do so in future reviews. Additionally, NSIRA did not assess how these policy requirements are satisfied in practice.

Foreign Intelligence Aspect to Cybersecurity Aspect

(TS) Under the FI aspect, IRTC must be essential and relevant to the FI aspect prior to sharing, as per the essentiality condition in 34(2)(c) of the CSE Act. According to CSE policy, the information must be considered essential to international affairs, defence or security, including cybersecurity. Essential is not defined in CSE policy, though policy provides criteria by which to assess the IRTC as it relates to protecting the lives or safety of individuals, or to serious criminal activity relating to the security of Canada.

(TS) To share FI IRTC information for use under the cybersecurity aspect of the mandate, the IRTC information must be relevant to the cybersecurity aspect. IRTC must further be assessed for necessity to the cybersecurity aspect, meaning whether the information is necessary to help protect GC systems and designated systems of importance. It is a policy decision to apply the threshold of necessity from subsection 44(1) of the CSE Act.

(TS) CSE policy requires the standard of necessity, [redacted description of CSE operations]. This information is necessary to fulfill the cybersecurity mandate as it enables activities that protect GC systems and designated SOIs (such as by blocking traffic). However, the identifiable individual or entity is not the focus of the activity.104 Therefore, CSE is of the opinion that since there is a lower risk to the reasonable expectation of privacy of the individual in the cybersecurity context, the threshold of necessity is sufficient for sharing FI-acquired IRTC to the cybersecurity aspect.

Cybersecurity Aspect to Foreign Intelligence aspect

(TS//SI) Under the cybersecurity aspect, IRTC acquired under a MA must be both relevant and essential prior to sharing, as per the essentiality condition under paragraph 34(3)(d) of the CSE Act. In CSE policy, IRTC is considered essential when without the information, CSE would be unable to protect federal systems or SOIs and the electronic information on those systems. However, non-MA acquired IRTC, such as client information, must only be necessary.

(TS) The shared IRTC is also assessed for essentiality to the FI aspect (that is, essential to international affairs, defence or security), for both MA and non-MA cybersecurity information. It is a policy decision to further assess cybersecurity-acquired IRTC for essentiality under the FI criteria, [redacted description of CSE operations].

(TS//SI) As explained by CSE, the cybersecurity-acquired IRTC shared internally in support of the FI aspect is for the purposes of protecting federal institutions or SOIs and the electronic information they contain. This IRTC is used to identify foreign threats to Canadian systems, which aligns with the [redacted related to GC priorities].

ANNEX H: Internal Sharing of IRTC at CSE

Figure: Process Diagram of Internal Sharing of IRTC at CSE

Share this page
Date Modified:

Review of Global Affairs Canada’s Global Security Reporting Program

Backgrounder

This review focused on Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP, or the Program). The review was selected given that the GSRP is a key component to GAC’s security and intelligence footprint overseas, with approximately thirty officers posted around the world dedicated and funded to collect overt security-related information.  GSRP clients have reported that the Program is both unique and valuable to the Government of Canada. This review is the first external review of GSRP and NSIRA’s inaugural review of GAC.

Many of the receiving states where GSRP officers work have poor human rights records and/or are environments where surveillance of foreigners and citizens is commonplace. As such, receiving state perceptions of GSRP activities have direct implications on reputational risk to Canada and its allies, to other Canadian departments and agencies (like the Canadian Security Intelligence Service (CSIS), for example), to GSRP officers, and finally, on the local contacts used to help collect the Program’s information.

The review found a number of areas where the Program can improve, including more robust governance and accountability structures, additional oversight and attention to information management best practices.

Date of Publishing:

GAC Minister letter to NSIRA To Follow

Executive Summary

This review focused on Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP, or the Program). The review was selected given that the GSRP is a key component to GAC’s security and intelligence footprint overseas, with approximately thirty officers posted around the world dedicated and funded to collect overt security-related information. GSRP clients have reported that the Program is both unique and valuable to the Government of Canada. This review is the first external review of GSRP and NSIRA’s inaugural review of GAC.

Many of the receiving states where GSRP officers work have poor human rights records and/or are environments where surveillance of foreigners and citizens is commonplace. As such, receiving state perceptions of GSRP activities have direct implications on reputational risk to Canada and its allies, to other Canadian departments and agencies (like the Canadian Security Intelligence Service (CSIS), for example), to GSRP officers, and finally, on the local contacts used to help collect the Program’s information.

The review found a number of areas where the Program can improve, including more robust governance and accountability structures, additional oversight and attention to information management best practices.

More significantly, the review found that although the GSRP operates under the Vienna Convention on Diplomatic Relations (VCDR), it does so without legal guidance assessing the activities of the Program. Likewise, GSRP officers do not receive adequate training regarding their legal obligations. In particular, the activities of certain GSRP officers abroad raised concern that some activities may not be in accordance with the duties and functions under the VCDR.

Although GSRP officers rely on the VCDR as a shield for their actions, some officers did not appear to appreciate the limitations of this immunity nor understand the true scope of their duties and functions. In addition, it was not clear if all officers understood that once they are no longer afforded diplomatic immunity, a receiving state may seek retaliatory measures against them. The review found an absence of risk assessments, security protocols, and legal guidance specific to the increased scrutiny that GSRP officers may attract due to the nature of their reporting priorities.

As government partners overseas, CSIS and GSRP frequently interact with each other, with overlap between these respective mandates. Insufficient deconfliction at Mission and Headquarters between CSIS and GAC exists, which results in inconsistent governance [redacted].

The review also found that the Program does not have appropriate safeguards in place regarding the safety of contacts overseas. Although most interactions between officers and contacts are innocuous, the Program does not appear to appreciate the associated risks of these exchanges. Significantly, the review identified some possible concerns related to how recommended that GAC Canadian identity information is managed, and therefore conduct a privacy impact assessment of the Program.

The creation of a foreign intelligence entity within GAC, or the allowance of mission creep by the GSRP into covert collection would run against the principles of the VCDR. Therefore, NSIRA believes it is important that the Government consider the implications stemming from this review and decide on the most appropriate means of collecting this kind of information. NSIRA acknowledges that this is a topic that goes beyond our remit, and therefore may require consideration by the National Security and Intelligence Committee of Parliamentarians. We intend to share this review with our review counterpart in order to commence such deliberations.

Authorities

This review was conducted under the authority of subsections 8(1)(a) and 8(1)(b) of the National Security and Intelligence Review Agency Act.

Introduction

Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP) collects and disseminates information in support of Canada’s intelligence priorities. As the program has matured during its nearly twenty years of existence, GSRP products have received attention from Government of Canada (GoC) departments and agencies, as well as allied nations.

This was the National Security and Intelligence Review Agency’s (NSIRA) first standalone review of GAC. As such, NSIRA familiarized itself with GAC’s mandate, policies, and legal authorities while simultaneously reviewing the GSRP as a unique and complex program.

NSIRA assessed whether GSRP activities were conducted in accordance with the law, relevant policies and procedures, and whether the activities were reasonable and necessary. Additionally, NSIRA examined whether the Program’s policies and procedures were sufficiently comprehensive to support overseas activities.

The core review period for this study was from January 1, 2017, to December 31, 2019, however, NSIRA reviewed information outside of this period in order to conduct a complete assessment. NSIRA also examined a significant sample of GSRP Missions that provided diverse perspectives on the nature and scope of the Program’s activities.

Given the unique circumstances of NSIRA’s recent establishment and the various logistical and procedural challenges associated with this transition, this review was only possible with the support of GAC staff, especially those within its External Review Liaison Unit. Additionally, NSIRA thanks CSIS and its External Review and Compliance team for its help in facilitating this review. This report was scheduled to be completed in the summer of 2020, but was delayed due to the COVID-19 pandemic that began when the review was in its initial scoping stages.

History of the GSRP

During the Cold War, security reporting was integrated into political reporting by Canadian diplomats abroad. The Canadian security and intelligence (S&l) community largely relied on this foreign security reporting to meet its information needs. Following the end of the Cold War, security reporting was no longer routinely incorporated into political reporting by Canadian diplomats. The change was reflective of:

“an evolving world order, in which different, non-traditional security challenges arose; new and changing national and departmental priorities; the loss of subject matter expertise as diplomats and managers both moved on and retired; and significant public service cuts and budget restraints in the 1990s influenced GAC activities and priorities.”

GSRP was created soon after the events of 9/11. The contemporary Program has a unit of approximately 30 diplomatic personnel dedicated to overt single source* reporting — from a network of primarily “non-traditional” contacts — on issues pertinent to the Canadian security, intelligence, defence, and foreign policy community. GSRP. officers (or officers) operate within and outside of host country capitals and regularly travel to areas less frequented by most diplomats. Since 2009, these reports (which inform both Canadian and allied decision-makers), have been anchored in the GoC intelligence priorities.

GSRP officers report to the Intelligence Assessments and Reporting Division (INA) under the Intelligence Bureau which falls under the ADM of International Security and Political Affairs.” The GSRP adheres to a matrix management structure: at mission, GSRP officers report to the Foreign Policy and Diplomacy Service (FPDS) manager or Head of Mission (HoM), while GSRP Headquarters (HQ) primarily determines officer collection priorities. In addition, GSRP HQ defines the expectations for the Program.

Findings and recommendations

Utility of GSRP

The GSRP is the only Canadian diplomatic program that is dedicated and funded to collect overt security-related information. GSRP functions as a fenced resource wherein the majority of an officer’s time (90%) is devoted to the production of single- source reports. No other GAC program devotes similar resource allocation to “pure collection”.

GSRP’s clients repeatedly stated that the reports provide pertinent information consistent with their department/agency’s collection requirements. Specifically, GSRP reporting provides “on-the-ground” perspectives from a diverse group of individuals, which is unique in comparison to other GoC collection streams. Recipients mentioned the reports provide useful information on broader threats and trends in areas of emerging interest.

Clients reported that one of the greatest assets of the GSRP is the priority placed on language training. This includes, in some cases, over a year of training, including immersive in-country exposure.’ GSRP clients have noted that language fluency is a key value of the Program.

Moreover, clients commended the Program’s ability to rapidly deploy officers to cover a specific area, event, or issue that is of significant value to the GoC. Despite these benefits, review of GSRP documentation indicates the need for improved product feedback mechanisms to help determine whether reports meet client needs”.

Duties and Functions under the Vienna Convention on Diplomatic Relations

The lawful functions of a diplomatic mission and the duties owed by diplomats who enjoy privileges and immunities in a receiving state are articulated in the Vienna Convention on Diplomatic Relations (VCDR). The VCDR is generally accepted as a codification of diplomatic law, rules and practices under customary international law. According to GAC, the GSRP falls within the functions of a diplomatic mission, as listed in Article 3 of the VCDR. As outlined under Article 3(1)(d), it forms part of the function of a diplomatic mission to ascertain, by all lawful means, the conditions and developments in the host state and report on them to the government of the sending state. Article 3(1)(d) specifically requires diplomatic reporting to be “by lawful means.”

Under Article 41(1) of the VCDR, it is the duty of diplomats exercising the functions listed under Article 3 and who enjoy privileges and immunities in the receiving state “to respect the laws and regulations of the receiving state” and “not to interfere in the internal affairs of that state”. Breaches of these duties constitute abuses of privileges and immunities (also referred to as abuses of diplomatic functions).

Remedies for abuse of diplomatic privileges and immunities

Remedy for abuse of diplomatic privileges and immunities, as outlined in the VCDR, includes notifying the sending state that a diplomat in question is declared persona non grata (Article 9 of the VCDR) and, in the most exceptional circumstances, breaking off diplomatic relations, which are established by mutual consent as articulated in Article 2 of the VCDR.

Importantly, these remedies do not require the host state to give reasons for the remedial action. The result is that the perception of abuse can be as likely a cause for expelling a diplomat or even breaking off diplomatic relations as an actual abuse. The International Court of Justice in the Tehran Hostages Case explained the discretion built into this regime as follows:

Article 9 of the [VCDR]… take[s] account of the difficulty that may be experienced in practice of proving such abuses in every case or, indeed, of determining exactly when exercise of the diplomatic function”…”may be considered as involving such acts as “espionage” or “interference in internal affairs”. The way in which Article 9 paragraph 1, takes account of any such difficulty is by providing expressly in its opening sentence that the receiving state may “at any time and without having to explain its decision” notify the sending state that any particular member of its diplomatic mission is “persona non grata” or “not acceptable”… Beyond that remedy for dealing with abuses of the diplomatic function by individual members of a mission, a receiving state has in its hands a more radical remedy if abuses of their functions by members of a mission reach serious proportions. This is the power which every receiving state has, at its own discretion, to break off diplomatic relations with a sending state and to call for the immediate closure of the offending mission. (emphasis NSIRA’S).

The personal immunity enjoyed by diplomats will normally cease when the functions of the diplomat have come to an end and “at the moment when he leaves the country, or on expiry of a reasonable period in which to do so. There are circumstances wherein the receiving state may prosecute a diplomat for those breaches that contravene their domestic law where the personal diplomatic immunity enjoyed by the diplomat has ceased.

Acts performed by a diplomat “in the exercise of his functions as a member of the mission” will continue to be covered by immunity despite the diplomat’s personal immunity having ended. However, acts falling outside of a diplomat’s legitimate functions will not continue to be covered by immunity, and the diplomat may be liable to prosecution for illegal acts they performed during the mission if they later re-enter the receiving state without the protection of diplomatic immunity or where they fail to leave the receiving state within a reasonable time.

There are of course other less severe means at the receiving state’s disposal to respond to a diplomat’s abuse of functions, both legal and political. Aside from the more unlikely risks of expulsion or severing of diplomatic relations, there is a wide spectrum of reputational harm that may result from perceived breaches of the VCDR. NSIRA emphasizes that GSRP officers should be wary of placing a receiving state in the position to seek remedy.

Where the GSRP activities depart from the legal framework for diplomatic functions in international law, attention should also be turned to whether these activities are lawful under Canadian law. Diplomatic relations are conducted under the authority of Crown Prerogative over foreign relations, which is constrained, to some extent, by international law. Prohibitive rules of customary international law, which would include prohibitive rules of diplomatic law, are considered to be incorporated into Canadian common law unless there is legislation to suggest the contrary. Crown Prerogative is likewise part of our common law. Consideration must be given as to how the exercise of Crown Prerogative reconciles with these prohibitive rules.

Perceptions

Diplomatic vs. Intelligence Functions

Existing within GAC’s intelligence bureau, the GSRP’s reporting directions are derived from Canada’s intelligence priorities. Nonetheless, GAC characterized the Program to NSIRA as being consistent with regular diplomatic reporting. Effectively, NSIRA views the Program as existing within a grey zone between these two dichotomies.

GSRP officers are posted to countries to collect information relevant to the GoC’s intelligence priorities. These countries are often characterised by poor human rights records; a high degree of mistrust for outsiders; often take a hard line on internal security matters; and, tend to deploy mass surveillance on foreigners and citizens. This is why the perception of GSRP activities by receiving states is a relevant consideration for the Program.

When NSIRA asked how the Program accounts for disparities between what are legally permitted activities and the laws of the receiving state, GSRP officers were insistent that they operate under the VCDR.”’ Although officers acknowledged that they have a right under diplomatic law to fulfill their duties, they also understood that the receiving state might perceive their role differently. To help mitigate this risk, some officers indicated that they avoid reporting on sensitive topics.

Although the GSRP reports on intelligence priorities and obtains information from human contacts, officers believe they are distinct from intelligence practitioners given that they operate overtly as accredited members of a diplomatic mission, and do not pay or task their contacts. Despite these assertions, whether the actions of the GSRP officer are “overt” or “covert”, and whether or not they task or pay contacts, is not determinative when assessing for an abuse of privileges and immunities under the VCDR. In fact, many cases where interference activities have attracted the attention of receiving states were clearly overt.

Risk

GSRP officers must be alert to any activity that may be perceived by receiving states as falling outside of the functions of a diplomatic mission. This portion of the review briefly outlines some of the attendant risks.

Risk to the Government of Canada and its Allies

NSIRA expected to find a GSRP governance framework that articulates internal policies and provides guidance to GSRP officers on how to perform their diplomatic reporting functions. Such a governance framework does not exist.

When questioned on the absence of a governance framework, GSRP indicated that a policy suite was unnecessary given that officers “are doing what diplomats have always done.” Although GSRP management noted that they are working towards professionalizing the Program, policy is currently:

established by the Head of the GSRP, exercising their judgement and discretion, and drawing on specialized expertise, including support from legal, human resources and finance divisions, and seeking formal or informal approval from senior executives as required and when appropriate.

Policy guidance provided by the Head of GSRP is disseminated to officers via email. There is no central repository to organize this information. In addition to a lack of information management structures, there are information management weaknesses in other areas, including multiple incompatible systems and various security accreditations across missions. Additionally, some information is solely held at mission, limiting HQ’s visibility and oversight of mission developments.

As a result of the absence of a sufficient governance structure, information management challenges and limited oversight of mission developments, there have been instances where the Program has not managed risk appropriately.

For example, the review observed instances in which Canada’s allies misidentified GSRP officers as Canadian intelligence representatives.

Although NSIRA did not observe any instances where GSRP officers intentionally mislead receiving states, in one case, the lack of understanding of the Program’s mandate [redacted].

Some recipients of GSRP reports also indicated that other recipients (particularly those with limited security and intelligence backgrounds) do not fully understand that these products are single-source, unvalidated, or uncorroborated. This is particularly relevant given that GSRP officers have in the past unwittingly reported information that turned out to be misinformation and disinformation. Of note, GSRP produced just over five thousand reports over the review period, with two significant instances of confirmed disinformation in ten reports. Moreover, recipients repeatedly referred to misinformation in GSRP reports, yet NSIRA was unable to independently corroborate all of the Program’s reports over the review period.

As already noted, one of the challenges facing the Program is the absence of sufficient oversight. Four full time employees at HQ are responsible for the management of approximately thirty officers, the vetting of approximately two thousand reports per year, for providing informal policy guidance, and conducting outreach with relevant stakeholders. This deprives HQ of the capacity to perform adequate quality control of officer activities.

Finding no. 1: NSIRA found that GSRP’s governance and accountability structures are insufficiently developed.

Finding no. 2: NSIRA found that GSRP activities have the potential to cause unnecessary reputational and political harm to the Government of Canada.

Finding no. 3: NSIRA found that GSRP does not adequately maintain central repositories or follow information management best practices.

Recommendation no. 1: NSIRA recommends GSRP prioritize the development of a governance framework.

Recommendation no. 2: NSIRA recommends that GAC enforce data retention and information management practices as laid out in already-existing GoC policies.

GAC-CSIS Operational Partnership

CSIS has a framework that outlines host country expectations, both politically and operationally. The CS/S Act specifies, under section 17, how these arrangements are to be governed. In addition, there is Ministerial Direction that further guides CSIS’ conduct abroad. This governance framework structures CSIS’ operations to be consistent with domestic and international law. In most cases, CSIS prefers to be the primary interlocutor with foreign security or intelligence partners, just as GAC prefers to be the primary contact with diplomatic representatives.

In at least one instance, GSRP was a primary contact with a foreign intelligence agency instead of CSIS. In this instance, GAC refused to approve a Section 17 relationship between CSIS and [redacted] due to an ongoing sensitive diplomatic case. However, NSIRA did not observe anything to indicate these same relationship prohibitions were extended to RCMP or GSRP. Regardless of the circumstances, in cases where CSIS is prohibited from engaging a foreign entity due to restrictions on the foreign arrangement, GAC does not have the same restrictions.

Moreover, where CSIS and GAC have identical legal obligations under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA), these obligations risk being applied differently. For example, where CSIS has controls on who they can and cannot liaise with as derived from Ministerial direction (i.e. s.17, CS/S Act), GAC does not have comparable restrictions. Rather, GAC relies on internal mitigation processes when sharing information with foreign entities, which for CSIS, are only relevant if the Minister permits the Service to engage with that entity to start with.

Although GSRP management stated that it is not the role of officers to liaise with foreign security and intelligence agencies, GSRP officers did not consistently articulate this to NSIRA. For instance, some officers interacted with members of local intelligence agencies, while others mentioned that they consider this to be outside their mandate.

In several instances, CSIS was asked by receiving states to clarify what was perceived to be inappropriate activities by GSRP officers. In these cases, CSIS. attempted to reassure these partners that the GSRP was not a covert collection program. NSIRA also observed coordination challenges in regions where CSIS and GSRP activities overlap (e.g. contact pools).

NSIRA heard from multiple GSRP officers that they generally found CSIS partners at missions collegial and forthcoming with security advice.” In one other instance, the GSRP officer reported a hostile relationship with their CSIS counterpart.

NSIRA also observed numerous cases where it did not appear that GSRP officers had adequately productive relationships with CSIS at mission. In these instances, although individuals were cordial, there was minimal interaction, with CSIS officers often keeping to themselves. Although NSIRA understands the legal protections pertaining to CSIS information sharing, there appeared to be a lack of consistent deconfliction and interaction between GSRP and CSIS in the field.

When NSIRA raised the issue of deconfliction overseas, GSRP management maintained that such mechanisms were unnecessary given that CSIS is a client, and not a partner, of the Program Although CSIS is indeed a client of GSRP reporting, the above also clearly indicates that the GSRP and CSIS operate in close proximity to each other overseas, with attendant relationship complexities that must be managed.

CSIS and GAC both participate in a Joint Management Team (JMT), which convenes at the Director General and Deputy Minister levels. NSIRA observed that although there is potential for the JMT to serve as an effective deconfliction mechanism, there was no evidence that key takeaways concerning GSRP and CSIS collaboration were acted upon. Further, the JMT convenes too infrequently to have a lasting or substantive impact.

Finding no. 4: NSIRA found that there is insufficient deconfliction between CSIS and GSRP, which results in inconsistent governance when engaging foreign entities.

Recommendation no. 3: NSIRA recommends the development of clear deconfliction guidelines between CSIS and GSRP and that there must be a consistent approach by CSIS and GSRP when engaging with foreign entities overseas.

Risk to Officers

GAC advised that they have no legal opinions on the legal framework for the GSRP. NSIRA observes that not enough attention has been turned to ascertaining the scope of the functions of a diplomatic mission as described by Article 3(1)(d) and the duties outlined in Article 41(1) of the VCDR, as well as the types of activities that may expose GSRP officers to being declared persona non grata by the receiving state. One area of particular ambiguity is the broad concept of diplomatic interference under Article 41(1) which is not clearly defined under diplomatic law and requires further consideration. The more sensitive a GSRP officer’s conduct, the more likely a receiving state may perceive interference. In addition, thresholds for interference will likely differ between states.

Similarly, where GSRP activity takes on the perceived attributes of espionage, there is increased risk of exceeding the GSRP mandate, violating the receiving state’s domestic law, and exceeding the GSRP officer’s legal diplomatic functions. These risks require further consideration by GAC’s legal and policy team, as outlined further below.

The risks of not creating a legal and policy framework could result in reputational harm to Canada and its diplomatic relations, and presents risks to the individual GSRP officers. NSIRA observed that many GSRP officers routinely relied on the VCDR as a shield for their actions. Indeed, officers did not appear to appreciate that a breach of their obligations under the VCDR amounts to an abuse of their diplomatic privileges and immunities. Article 3(1)(d) of the VCDR recognizes reporting information ascertained through lawful means. Any departure from this requirement would mean that a GSRP officer runs a risk of not being protected by immunity once the GSRP officer’s personal immunity ceases at the end of the individual’s diplomatic posting.

GAC’s Conduct Abroad Code explicitly acknowledges that host country local norms are to be followed by Canadian representatives and that perceptions of Canadian representatives may have a negative effect on Canada’s reputation. Additionally, the activities of GSRP officers are governed by other protocols, which cover the risk of natural disasters, local health concerns, crime, and the physical security of the mission.

In order to collect pertinent information, GSRP officers often travel to dangerous regions not regularly frequented by other diplomats. In addition, GSRP officers also engage with contacts who may hold viewpoints that are considered sensitive by receiving states. Obviously, these contacts would be of little value to the Program if the information/perspective they possess could be collected anywhere. Although all diplomats can attract attention of local authorities, given the nature of the GSRP’s mandate, officers are at particular risk of scrutiny by receiving states.

There also appears to be a disconnect between GSRP HQ and mission management. Namely, there does not appear to be a shared accountability structure. As a result, this undermines the primacy of any one of the managing parties. For example, NSIRA observed multiple instances in which the reporting structure was not clear either for Program partners or for GAC management. For example, the time lag for receiving critical guidance placed one officer at risk of continuing activities which could have been perceived as non-compliant with the VCDR.

GSRP officers do not receive adequate training or briefings on the parameters of diplomatic privileges and immunities. This lack of knowledge may have serious consequences on the GSRP officer’s ability to conduct themselves in accordance with their diplomatic duties. In addition, once a GSRP officer is no longer afforded diplomatic immunity, a receiving state may seek retaliatory measures.

Case Study: Accepting and reporting on classified information

During the course of the review, NSIRA observed many instances where GSRP officers claimed to have a good understanding of their legal boundaries. However, an instance that occurred in [redacted] highlighted the need to ensure that GSRP officers are properly aware of their legal obligations. In this case, a GSRP officer received what appeared to be classified [redacted] from a contact.

Like Canada, [redacted] has laws prohibiting the disclosure of classified information. The GSRP officer’s actions must comply with [redacted]. In addition, Article 41 of the VCDR is clear that diplomats are required to respect the laws and regulations of the receiving state. NSIRA did not see any indication that consultation with legal counsel occurred in this particular case.

In another case, a GSRP officer [redacted] requested and received what was likely classified information from a contact. The information received included [redacted].

In both of the cases examined above, the two GSRP officers appeared to believe that their actions were distinguishable from the activities of an intelligence officer because they did not pay for the information. As noted previously, this is not pertinent when considering compliance with the VCDR; moreover, the aforementioned cases raise concerns related to abuses of diplomatic privileges.

GSRP officers do not have clear guidelines on how to proceed when exposed to information that falls outside the limits of diplomatic collection. NSIRA did observe one instance in which a GSRP officer was given suspected classified information and appropriately returned it to the contact. However, this result was a consequence of the good judgment exhibited by the officer, rather than derived from explicit direction.

Finding no. 5: NSIRA found there was an absence of risk assessments and security protocols specific to the increased scrutiny that GSRP officers may attract because of the nature of their reporting priorities.

Finding no. 6: NSIRA found that although the GSRP operates under the VCDR, it does so without adequate legal guidance assessing the activities of the Program.

Finding no. 7: NSIRA found that GSRP officers do not receive adequate training regarding their legal obligations.

Recommendation no. 4: NSIRA recommends that GSRP develop risk protocols and security guidelines specific to the GSRP.

Recommendation no. 5: NSIRA recommends that GAC complete a thorough legal assessment of GSRP activities. GSRP officers should receive applicable training based on the result of the assessment.

Risk to Contacts

As already explained above, the more sensitive a GSRP officer’s conduct, the more likely a receiving state will perceive interference. This is particularly true with respect to officer interactions with contacts. It is important to underscore that the assumed diplomatic protections granted to the GSRP officer do not apply to contacts. As such, everything depends on a) the degree to which the contact is genuinely free to share such information with a foreign state and b) the degree to which the GSRP officer’s activities do not raise unnecessary suspicion about this interaction.

GSRP officers reported many different experiences regarding risk and security for their contacts, consistent with the diverse environments in which they operate. Most GSRP officers believed that there was little reason to be concerned for contacts, irrespective of the environment, given the overt nature of the collection. In cases where officers acknowledged that certain regions and/or circumstances created a higher risk to the contact, these situations were often mitigated by following the lead of the contact. In other words, given that the contact was most familiar with the environment, the GSRP officer paid close attention to these sensitivities.

In some instances however, GSRP officers mentioned concern for the security of their contacts, which could not be easily mitigated. One GSRP officer noted in an interview that his contact informed him that their interactions would garner unwanted attention by local authorities. Similarly, another GSRP contact was detained by the local authorities and questioned about his interaction with a GSRP officer. In other instances, GSRP officers reported political turmoil or increased security as reasons why contacts suddenly stopped talking to them.’”

Throughout the course of this review, the implications of the differences between overt contacts and clandestine sources were ever-present. In many respects, GSRP. management’s contention that a contact cannot be perceived in the same manner as an intelligence source is accurate. Certainly, most GSRP officers’ interactions with contacts are innocuous. However, given the very nature of the reporting requirements for the Program, there were cases where the contact’s interactions with the officer were high risk. Such examples include GSRP [redacted] speaking with various individuals in [redacted].

These topics and regions are not only widely known as highly sensitive to the receiving states, but also align closely with what a covert source may be tasked to collect information on.

The problem facing the Program from a “contact management” perspective is that anything that takes on the trappings of a “source management” program lends itself to appropriate criticism of being too closely affiliated to non-diplomatic reporting. For example, although the Program would benefit from some of the best practices of HUMINT management, discerning precisely which aspects would be most beneficial, while remaining a diplomatic program, is a key challenge.

In the absence of a “contact management” governance structure, it is therefore left to the best judgment of individual officers on how these interactions are to transpire. This includes the officer determining who to meet, where to meet, and what security protocols are most appropriate in the given circumstances.

In some cases, the officer took it upon themselves to try to enhance security for the contact, including setting up meeting venues minutes before in order to decrease the likelihood of third parties discovering the meeting location. In another example, the officer attempted to obscure mobile device tracking with a faraday bag.

Although these measures were undertaken with the best interest of the contact at hand, intelligence services observing these behaviours could draw an alternative perspective about the intent of such behaviours. Most notably, this could run the risk that GSRP contacts would be perceived by receiving states as assets of a hostile intelligence service.

Irrespective of the environment, or the comfort of the contact, there was also inconsistency in how GSRP officers provided assurances to contacts. For example, while some officers reassured contacts that there is anonymity or confidentiality in GSRP reports, others did not. There was no evidence of a consistent understanding among officers on what assurances could be offered to contacts, or if contacts fully understood what would be done with the information they provided.

Recipients of GSRP reports repeatedly mentioned the ease at which they were able to identify contacts from the descriptions in the reports. Significantly, the majority of officers mentioned that they also report on meetings with Canadian contacts. The anonymization of Canadians is particularly important with regard to ensuring that GAC is meeting its obligations under the Privacy Act and other pertinent legislation. NSIRA will examine the issue of the GSRP meeting their information-sharing obligations with regard to Canadian contacts in the future.

Finding no. 8: NSIRA found that the GSRP does not have appropriate safeguards for interactions with contacts overseas.

Recommendation no. 6: NSIRA recommends that GSRP develop best practices for interactions with contacts based on consultation with GAC legal advisors.

Recommendation no. 7: NSIRA recommends that GAC conduct a Privacy Impact Assessment of the GSRP.

Conclusion

GSRP operates in a distinctly grey zone; GSRP’s vision for the Program includes “greater integration of intelligence community standards and best practices into the GSRP, while maintaining its diplomatic ethos”. Reconciling what this means, in practice, is the most pressing challenge facing the Program.

Reciprocity is an important element of diplomacy. The activities of certain GSRP officers abroad raises concerns that Canada’s diplomats are at times not conducting themselves in accordance with their duties and functions under the VCDR, and of consequence, this may inadvertently influence how these states conduct activities in Canada.

There is a strong appetite for foreign intelligence collected by Canadians. Academics and senior officials from various departments have made clear that Canada’s allies are also eager for Canada to be more involved.

The creation of a foreign intelligence entity within GAC, or the allowance of mission creep by the GSRP into this area of collection, would run against the principles of the VCDR. Therefore, it is important that the GoC consider the implications stemming from this review and decide on the most appropriate means of collecting this kind of information. NSIRA appreciates that issues raised in this review necessarily evoke a renewed conversation on a dedicated Canadian foreign intelligence agency. This is, however, beyond the remit of NSIRA and may require consideration by the NSICoP.

Annex A: Findings and Recommendations

Finding no. 1: NSIRA found that GSRP’s governance and accountability structures are insufficiently developed.

Finding no. 2: NSIRA found that GSRP activities have the potential to cause reputational and political harm to the Government of Canada.

Finding no. 3: NSIRA found that GSRP does not adequately maintain central repositories or follow information management best practices.

Finding no. 4: NSIRA found that there is insufficient deconfliction between CSIS and GSRP which results in inconsistent governance when engaging foreign entities.

Finding no. 5: NSIRA found there was an absence of risk assessments and security protocols specific to the increased scrutiny that GSRP officers may attract because of the nature of their reporting priorities.

Finding no. 6: NSIRA found that although the GSRP operates under the VCDR, it does so without adequate legal guidance assessing the activities of the Program.

Finding no. 7: NSIRA found that GSRP officers do not receive adequate training regarding their legal obligations.

Finding 8: NSIRA found that the GSRP does not have appropriate safeguards for interactions with contacts overseas.

Recommendation no. 1: NSIRA recommends GSRP prioritize the development of a governance framework.

Recommendation no. 2: NSIRA recommends that GAC enforce data retention and information management practices as laid out in already-existing GoC policies.

Recommendation no. 3: NSIRA recommends the development of clear deconfliction guidelines between CSIS and GSRP and that there must be a consistent approach by CSIS and GSRP when engaging with foreign entities overseas.

Recommendation no. 4: NSIRA recommends that GSRP develop risk protocols and security guidelines specific to the GSRP.

Recommendation no. 5: NSIRA recommends that GAC complete a thorough legal assessment of GSRP activities. GSRP officers should receive applicable training based on the result of the assessment.

Recommendation no. 6: NSIRA recommends that GSRP develop best practices for interactions with contacts based on consultation with GAC legal advisors.

Recommendation no. 7: NSIRA recommends that GAC conduct a Privacy Impact Assessment of the GSRP.

Share this page
Date Modified:

Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2022

Annual Reports

Review of Government of Canada Institutions’ Disclosures of Information Under the Security of Canada Information Disclosure Act in 2022


Backgrounder

ISSN: 2817-7525

This report presents findings and recommendations made in NSIRA’s annual review of disclosures of information under the Security of Canada Information Disclosure Act (SCIDA)It was tabled in Parliament by the Minister of Public Safety, as required under subsection 39(2) of the NSIRA Act, on November 1st, 2023.

The SCIDA provides an explicit, stand-alone authority to disclose information between Government of Canada institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.

This report provides an overview of the SCIDA’s use in 2022. In doing so, it:

  • documents the volume and nature of information disclosures made under the SCIDA;
  • assesses compliance with the SCIDA; and
  • highlights patterns in the SCIDA’s use across Government of Canada institutions and over time.

The report contains six recommendations designed to increase standardization across the Government of Canada in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.

Date of Publishing:

List of Acronyms

CBSA Canada Border Services Agency
CFIA Canadian Food Inspection Agency
CNSC Canadian Nuclear Safety Commission
CRA Canada Revenue Agency
CSE Communications Security Establishment
CSIS Canadian Security Intelligence Service
DND/CAF Department of National Defence/Canadian Armed Forces
FINTRAC Financial Transactions and Reports Analysis Centre of Canada
GAC Global Affairs Canada
GC Government of Canada
IRCC Immigration, Refugees and Citizenship Canada
NSIRA National Security and Intelligence Review Agency
PHAC Public Health Agency of Canada
PS Public Safety Canada
RCMP Royal Canadian Mounted Police
SCIDA Security of Canada Information Disclosure Act
TC Transport Canada

Glossary of Terms

Contribution test The first part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)).
Proportionality test The second part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).

Executive summary

This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it documents the volume and nature of information disclosures made under the SCIDA; assesses compliance with the SCIDA; and highlights patterns in the SCIDA’s use across Government of Canada (GC) institutions and over time.

In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions. The National Security and Intelligence Review Agency (NSIRA) found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of these disclosures. Instances of non-compliance related to subsection 9(3), regarding the timeliness of records copied to NSIRA; subsection 5.1(1), regarding the timeliness of destruction or return of personal information; and subsection 5(2), regarding the provision of a statement on accuracy and reliability. The observed non-compliance did not point to any systemic failures in GC institutions’ implementation of the SCIDA.

NSIRA also made findings in relation to practices that, although compliant with the SCIDA, left room for improvement. These findings related to:

  • the use of information sharing arrangements;
  • the format of records prepared by institutions and copied to NSIRA, including the characteristics of effective records;
  • the nature of information provided under paragraph 9(1)(e) and relied upon in the conduct of assessments under subsection 5(1);
  • the provision of statements regarding accuracy and reliability prepared under subsection 5(2); and
  • the timeliness of administrative processes supporting information disclosure.

NSIRA made six recommendations designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.

Overall, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. These improvements include corrective actions taken by reviewees in response to NSIRA’s requests for information in support of this review.

1. Introduction

Authority

This review was conducted pursuant to paragraph 8(1)(b) and subsection 39(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).

Scope of the Review

This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it:

  1. Documents the volume and nature of information disclosures made under the SCIDA;
  2. Assesses Government of Canada (GC) institutions’ compliance with the SCIDA’s requirements for record keeping;
  3. Assesses GC institutions’ compliance with the SCIDA’s requirements for disclosure, including the destruction or return of personal information, as appropriate; and
  4. Highlights patterns in the SCIDA’s use across GC institutions and over time.

The review’s scope was defined by records provided to NSIRA under the SCIDA, subsection 9(3) (see Annex A for a copy of institutions’ section 9 obligations under the Act). As such, the review’s assessment of compliance was limited to the seven GC institutions identified within these records as either disclosers or recipients (Canada Border Services Agency [CBSA], Communications Security Establishment [CSE], Canadian Security Intelligence Service [CSIS], Department of National Defence/Canadian Armed Forces [DND/CAF], Global Affairs Canada [GAC], Immigration, Refugees and Citizenship Canada [IRCC], and the Royal Canadian Mounted Police [RCMP]); and to instances of information disclosure where the SCIDA was identified by these institutions as an authority for disclosure. The review also included Public Safety Canada (PS) in its capacity as manager of the Strategic Coordination Centre on Information Sharing, which provides SCIDA-related policy guidance and training across the GC. 

The review satisfies the NSIRA Act’s section 39 requirement for NSIRA to report to the Minister of Public Safety on disclosures made under the SCIDA during the previous calendar year.

Methodology

The review’s primary source of information was records provided to NSIRA by disclosing and recipient institutions under the SCIDA, subsection 9(3). NSIRA also identified a targeted sample of disclosures for which it requested and assessed all associated documents provided by both the disclosing and recipient institution. This information was supplemented by a document review of institutions’ SCIDA policies and procedures, and related explanations.

NSIRA assessed administrative compliance with the SCIDA’s record-keeping obligations in relation to all disclosures identified in the records provided to NSIRA under subsection 9(3) (N=173). Where these records were incomplete, NSIRA provided an opportunity for institutions to supply the missing records. NSIRA accounted for such late submissions in its assessment of compliance with subsections 9(1) and 9(2).

NSIRA assessed substantive compliance with the SCIDA’s disclosure requirements in relation to the sample of disclosures (n=19). The sample was designed to reflect a non-representative cross-section of the SCIDA’s use, with particular attention to areas at higher risk of non-compliance. Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to defined parameters (see Annex B, Sample of Disclosures).

Review Statements

NSIRA found that, overall, its expectations for responsiveness by CSE, CSIS, DND/CAF, GAC, IRCC, PS, and RCMP during this review were met. Its expectations for responsiveness by CBSA were partially met, as CBSA required repeated follow-up to provide the requested information.

NSIRA was able to verify information for this review in a manner that met NSIRA’s expectations.

2. Backgrounder

The SCIDA provides an explicit, stand-alone authority to disclose information between GC institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.

Section 9 of the SCIDA prescribes record-keeping obligations for all institutions who (1) disclose or (2) receive information under the Act. Each paragraph under subsections 9(1) and 9(2) identifies particular elements that must be set out in the records prepared and kept by each institution (see Annex A). Subsection 9(3) requires that these records be provided to NSIRA within 30 days after the end of each calendar year.

Subsection 5(1) of the SCIDA authorizes GC institutions to disclose information – subject to any prohibitions or restrictions in other legislation or regulations – to designated recipient institutions, if the disclosing institution is satisfied that (a) the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (the “contribution test”); and (b) the information will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (the “proportionality test”).

Subsection 5(2) requires institutions that disclose information under subsection (1) to, at the time of the disclosure, also provide information regarding its accuracy and the reliability of the manner in which it was obtained.

When a GC institution receives information under the Act, subsection 5.1(1) requires that the institution destroy or return any unnecessary personal information as soon as feasible after receiving it.

The Act’s guiding principles underscore the importance of effectiveness and responsibility across disclosure activities. Of note, subsection 4(c) sets out that information sharing arrangements are appropriate in particular circumstances.

3. Findings, Analysis, and recommendations

Volume and Nature of Disclosures

In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions (see Table 1). 79% (n=136) of these disclosures were requested by the recipient institution. The other 21% of disclosures (n=37) were sent proactively by the disclosing institution.

Table 1: Number of SCIDA disclosures made in 2022, by disclosing and recipient institution [all disclosures (proactive disclosures)]

    Designated Recipient Institutions
Disclosing Institution   CBSA CFIA CNSC CRA CSE CSIS DND/CAF Finance FINTRAC GAC Health IRCC PHAC PSC RCMP TC TOTAL (proactive)
CBSA 4
(3)
4
(3)
GAC 39
(18)
2
(2)
12
(12)
53
(32)
IRCC 59
(0)
56
(2)
115
(2)
RCMP 1
(0)
1
(0)
TOTAL (proactive) 59
(0)
95
(20)
2
(2)
1
(0)
16
(15)
173
(37)

The total number of disclosures made under the SCIDA since its implementation reflects a slight downward trend, with a generally constant proportion of requested versus proactive disclosures for the years in which this data was collected (see Figure 1).

Figure 1: Number of SCIDA disclosures over time

In 2022, these disclosures were made and received by institutions that had each disclosed or received information, as the case may be, in at least two prior review years (see Annex C, Overview of SCIDA Disclosures in Prior Years).

Finding 1: NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.

CSE, CSIS, GAC, and IRCC were the most frequent users of the SCIDA in 2022. The number of disclosures between these institutions was comparable to those observed by NSIRA in prior years (see Annex C), indicating the occurrence of regular exchange over time.

NSIRA also observed regular patterns in the purpose and nature of the information exchanged between these institutions in 2022, as described in Table 2. These information exchanges were not governed by up-to-date information sharing arrangements.

Table 2: Nature of disclosures between the SCIDA’s most frequent users

GAC-to-CSIS (N=39) IRCC-to-CSIS (N=56) IRCC-to-CSE (N=59)
  • GAC information holdings relevant to threats to the security of Canada
  • Often (85%) made in direct response, or as a follow-up, to CSIS requests
  • IRCC information holdings relevant to threats to the security of Canada
  • Almost always (96%) made in response to CSIS requests
  • IRCC confirmation of Canadian status of named individuals of interest, required to ensure lawfulness of CSE operational activities
  • All (100%) made in response to CSE requests

NSIRA has previously recommended that information sharing arrangements be updated (for GAC and CSIS) or created (for IRCC and CSE) to govern certain information exchanges made under the SCIDA.

Recommendation 1: NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.

Record Keeping

Copy to NSIRA: Subsection 9(3)

Finding 2: NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.

Requests for information from NSIRA during the course of this review prompted the late production of additional records relating to paragraphs under subsections 9(1) or 9(2) from each of CBSA, DND/CAF, and IRCC (see Table 3).

Table 3: Number [and associated subsection 9(1) or 9(2) paragraph] of late records leading to non-compliance with subsection 9(3), by cause

Administrative Error Delayed Preparation of Records
CBSA 2 [paragraph 9(1)(e)]
DND/CAF 2 [paragraphs 9(2)(e-g)]
IRCC 6 [paragraph 9(1)(e)] 1 [paragraphs 9(2)(e-g)]

CBSA and IRCC were non-compliant with subsection 9(3) due to administrative error; the records they eventually supplied had existed at the time of the reporting deadline, but were not copied to NSIRA as required.

NSIRA expected that all records would be prepared within 30 days after the end of the calendar year, in order to meet the subsection 9(3) requirement to provide a copy of those records to NSIRA within that timeframe.

DND/CAF and IRCC were non-compliant with subsection 9(3) on account of delayed preparation of records; they did not prepare the records referred to in Table 3 within 30 days after the end of the calendar year, and therefore did not provide a copy of them to NSIRA within the legislated timeframe.

NSIRA underscores the importance of administrative precision and timeliness in preparing records and copying them to NSIRA.

Format of Records

Finding 3: NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:

  • a row for each disclosure made or received;
  • columns explicitly tied to each individual paragraph under section 9; and
  • additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.

The SCIDA does not specify a format for records prepared under section 9. Accordingly, in 2022, GC institutions fulfilled their record-keeping obligations in different ways.

Most institutions provided NSIRA with an overview of each disclosure made or received. These overviews were submitted to NSIRA as spreadsheets that generally captured the information required in records under subsections 9(1) and 9(2).

Most institutions also provided NSIRA with a copy of the disclosure itself and a selection of related documents. These documents often included email consultations with legal services, disclosure request letters, and other correspondence between disclosing and recipient institutions. The scope of requests for information in the course of the review was minimized in cases where institutions provided such documents.

DND/CAF and IRCC (for its one disclosure receipt) were the only institutions that originally provided NSIRA with a copy of the raw disclosure, including transmittal details, in the absence of a record overview or other related documents.

NSIRA observed that DND/CAF and IRCC’s choice in records format for these disclosures contributed to their non-compliance with subsection 9(3), described in Table 3. The information elicited under paragraphs 9(2)(e-g) cannot by definition be found within a copy of the disclosure itself, as it relates to action taken by recipient institutions following the disclosure’s receipt. A copy of the disclosure on its own is therefore insufficient to comply with all requirements under subsection 9(2).

Both DND/CAF and IRCC were infrequent recipients of disclosures under the SCIDA in 2022, accounting for only two and one disclosures, respectively. Each of the more frequent recipients of information (CSE, CSIS, and RCMP) included express columns in their record overview spreadsheets to capture whether and, if applicable, when personal information was destroyed or returned, per the requirements of paragraphs 9(2)(e-g).

NSIRA also observed that CBSA and IRCC’s choice in records format contributed to their non-compliance with subsection 9(3) due to administrative error. These institutions did not account for the full scope of information required under paragraph 9(1)(e) in their record overview spreadsheets.

The information relied upon to satisfy the disclosing institution that a disclosure is authorized under the Act is not required to be conveyed within the disclosure itself. Completing an appropriately-specified record overview spreadsheet is therefore an effective way to ensure that the corresponding information is documented and conveyed to NSIRA ahead of the legislated deadline.

The RCMP’s record overview spreadsheet was particularly effective in demonstrating compliance with the Act. The spreadsheet included columns that were explicitly tied to individual paragraphs under section 9, with additional fields limited to RCMP administrative information such as file and database reference numbers.

Spreadsheets designed in this way enable institutions’ efficient self-assessment against the requirements of the Act. They also facilitate the task of review by clearly matching the information provided with its corresponding requirement under the SCIDA, and by organizing disclosures and receipts of information in a manner that supports cross-verification.

Recommendation 2: NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.

Preparing and Keeping Records: Subsections 9(1) and 9(2)

Finding 4: NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.

Finding 5: NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.

Although NSIRA expected an express statement describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA, in this review, NSIRA considered any records that demonstrated the corresponding assessment had been conducted.

IRCC n’a pas fait de déclaration expresse précisant que les communications demandées par le SCRS, qui représentent 57 % (n=54) de l’ensemble de ses communications, lui semblaient satisfaisantes du point de vue du critère de proportionnalité. En revanche, IRCC a fourni des copies des lettres de demande et de l’information communiquée en guise de réponse, ce qui confirme que la communication était manifestement conforme aux besoins précis de la demande (et donc témoigne d’une évaluation de la proportionnalité).

L’ASFC n’a pas fourni de déclaration expresse concernant sa satisfaction au regard du critère de proportionnalité pour 75 % (n=3) de ses communications. Elle a plutôt démontré qu’elle tenait compte du principe de proportionnalité en fournissant divers documents justificatifs, y compris de la correspondance interne.

La feuille de calcul utilisée par AMC pour donner une vue d’ensemble de ses documents a été particulièrement efficace pour répondre aux exigences de l’alinéa 9(1)e). L’analyse détaillée qu’elle a consignée en ce qui concerne les critères de contribution et de proportionnalité lui a permis de remplir ses obligations en matière de conservation des dossiers et de démontrer qu’elle respectait en substance le paragraphe 5(1).

Recommendation 3: NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.

Disclosure of Information

Contribution and Proportionality Tests: Paragraphs 5(1)(a) and 5(1)(b)

Finding 6: NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.

Finding 7: NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.

The threshold for compliance with subsection 5(1) is that the disclosing institution has satisfied itself of the contribution and proportionality tests, and that it has done so prior to having made the disclosure.

In relation to the two disclosures that it made proactively to DND/CAF, GAC provided a rationale for the information’s contribution to DND/CAF’s mandate in respect of national security. Upon receipt of the information, however, DND/CAF did not agree with GAC’s assessment and therefore assessed that the SCIDA was not an appropriate disclosure mechanism in the circumstances.

Informal communication between the two institutions may have allowed DND/CAF and GAC to resolve this issue prior to the disclosure. When such communications occur, it is important that they be limited to the information necessary to confirm that the information contributes to the recipient’s mandate in respect of activities that undermine the security of Canada.

Recommendation 4: NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).

Statement Regarding Accuracy and Reliability: Subsection 5(2)

Finding 8: NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.

Finding 9: NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.

Providing the statement on accuracy and reliability in a cover letter for the disclosure satisfies the Act’s requirement to provide the statement at the time of disclosure. However, separating the statement from the information disclosed increases the risk that the information may be subsequently used without awareness of relevant qualifiers. The location of the statement on accuracy and reliability – and not just its contemporaneous provision to the recipient – is therefore relevant to its value added.

Recommendation 5: NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.

Requirement to Destroy or Return Personal Information: Subsection 5.1(1)

Finding 10: NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”

DND/CAF determined, upon receipt of the two disclosures it received from GAC, that the personal information contained within the disclosures should not be retained. The information, however, was not destroyed until April 2023 – 12 days following a request for information from NSIRA to provide a copy of records that set out whether and when the information had been destroyed or returned. The date of destruction was 299 and 336 days following DND/CAF’s receipt of each disclosure.

Taking into consideration the elapsed time between receipt of the information and its destruction, as well as DND/CAF’s timely conclusion that the information should not be retained, DND/CAF’s ultimate destruction of the information was non-compliant with the requirement to destroy the information “as soon as feasible after receiving it.” Its delay in this respect was also inconsistent with the responsible use and management of the information.

DND/CAF was the only institution to identify any disclosures as containing information that was destroyed or returned under subsection 5.1(1) in 2022. NSIRA did not identify any other disclosures within the sample for which personal information disclosed should have been destroyed or returned.

Purpose and Principles: Effective and responsible disclosure of information

Finding 11: NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.

These 34 disclosures include 29 for which there was a delay between the dates provided by disclosing and recipient institutions in their section 9 records, as well as an additional five for which CSIS reported both the date of administrative receipt within the institution and the subsequent date of receipt by the person designated by the head to receive it (i.e., the relevant operational unit).

NSIRA attributes most of these delays to expected dynamics in classified information sharing: the individual authorizing the disclosure is not always the same individual who administratively sends it to the recipient, and the person who administratively receives the disclosure is not always the same person who is designated by the head to receive it.

In the majority of cases, the observed delays were shorter than one week. In nine cases, however, the delay ranged from 30 to 233 days.

Such delays mean that information is not processed and actioned within the recipient institution until long after it was sent – or intended to be sent – by the individual authorizing the disclosure. While these delays do not amount to non-compliance with the SCIDA, they are inconsistent with the Act’s purpose and guiding principles.

Recommendation 6: NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.

4. Conclusion

The SCIDA’s requirements for disclosure and record keeping apply to both disclosing and recipient institutions in all cases where the SCIDA is invoked as a mechanism for disclosure. This review assessed GC institutions’ compliance with requirements for record keeping in respect of all 173 disclosures that were made and received in 2022. It assessed their compliance with requirements for disclosure in relation to a targeted sample of 19 disclosures.

NSIRA found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of disclosures. GC institutions’ non-compliance with subsection 9(3) was driven by irregularities in the reporting of 11 disclosures. Observed non-compliance with substantive requirements under subsection 5(2) related to three disclosures; and non-compliance with subsection 5.1(1) related to two disclosures. These instances of non-compliance do not point to any systemic failures in GC institutions’ implementation of the SCIDA.

Within this context, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. Of note, NSIRA’s requests for information in support of this review prompted corrective action by CBSA, DND/CAF, and IRCC that would have otherwise amounted to non-compliance with requirements under section 9.

NSIRA also observed several practices that, although compliant with the SCIDA, leave room for improvement. NSIRA’s recommendations in this review are designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.

Annex A. Record Keeping Obligations for Disclosing and Recipient Institutions

Obligation – disclosing institution Obligation — recipient institution 
9 (1) Every Government of Canada institution that discloses information under this Act must prepare and keep records that set out (2) Every Government of Canada institution that receives information under this Act must prepare and keep records that set out
(a) a description of the information; (a) a description of the information;
(b) the name of the individual who authorized its disclosure; (b) the name of the institution that disclosed it;
(c) the name of the recipient Government of Canada institution; (c) the name or position of the head of the recipient institution — or of the person designated by the head — who received the information;
(d) the date on which it was disclosed; (d) the date on which it was received by the recipient institution;
(e) a description of the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under this Act; and (e) whether the information has been destroyed or returned under subsection 5.1(1);
(f) if the information has been destroyed under subsection 5.1(1), the date on which it was destroyed;
(g) if the information was returned under subsection 5.1(1) to the institution that disclosed it, the date on which it was returned; and
(f) any other information specified by the regulations. (h) any other information specified by the regulations.

Copy to National Security and Intelligence Review Agency

Within 30 days after the end of each calendar year, every Government of Canada institution that disclosed information under section 5 during the year and every Government of Canada institution that received such information must provide the National Security and Intelligence Review Agency with a copy of every record it prepared under subsection (1) or (2), as the case may be, with respect to the information.

Annex B. Sample of Disclosures

Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to the following parameters:

  • At least two disclosures per discloser-recipient pair, if available;
  • At least one proactive disclosure per discloser, if available;
  • At least one requested disclosure per recipient, if available;
  • All disclosures identified by recipient institutions as including personal information that was destroyed or returned under the SCIDA, subsection 5.1(1);
  • All disclosures for which there is a high-level discrepancy in the discloser and recipient records (i.e., a record of receipt, but no record of disclosure; a substantive misalignment in the description of the information; greater than seven days’ discrepancy in the date sent and received; date of receipt earlier than the date of sending);
  • All disclosures made by an institution that is not listed in Schedule 3 of the SCIDA; and
  • All disclosures received by institutions added to Schedule 3 in the preceding year.

Annex C. Overview of SCIDA Disclosures in Prior Years

Drawing on information published in previous NSIRA reports, Table 5 summarizes the number and distribution of disclosures made under the SCIDA in prior years.

Table 5: Number of SCIDA disclosures, by disclosing and recipient institution, 2019-2021

    Designated Recipient Institutions
  Disclosing Institution CBSA CFIA CNSC CRA CSE CSIS DND/CAF Finance FINTRAC GAC Health IRCC PHAC PSC RCMP TC TOTAL (proactive)
2021 DND/CAF 2 2
GAC 41 1 2 44
IRCC 68 79 2 149
TOTAL 68 122 2 1 2 195
2020 CBSA 1 3 4
GAC 1 25 1 13 40
IRCC 60 61 37 1 159
RCMP 1 3 5 9
TC 2 2
Other 1 1
TOTAL 61 88 1 3 6 55 1 215
2019 CBSA 1 2 3
GAC 23 3 1 15 42
IRCC 5 17 1 36 59
RCMP 4 1 3 1 9
TC 1 1
TOTAL 4 5 41 1 1 3 4 1 54 114

Annex D. Findings and Recommendations

Findings

NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.

NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.

NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:

  • a row for each disclosure made or received;
  • columns explicitly tied to each individual paragraph under section 9; and
  • additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.

NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.

NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.

NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.

NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.

NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.

NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.

NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”

NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.

Recommendations

  1. NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.
  2. NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
  3. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
  4. NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).
  5. NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
  6. NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.
Share this page
Date Modified:

Annual Report on the Access to Information Act 2022–23

Date of Publishing:

Introduction

The Access to Information Act gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, a right of access to information contained in government records, subject to certain specific and limited exceptions.

Section 94(1) of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament. In addition, section 20 of the Service Fees Act requires institutions to report on all statutory fees processed during the reporting period.

This report to Parliament, which is prepared and tabled in accordance with section 94 of the Access to Information Act and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency (NSIRA) Secretariat in administering these Acts during the period of April 1, 2022 to March 31, 2023.

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Office
National Security and Intelligence Review Agency
P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5
Email: ATIP@nsira-ossnr.gc.ca

Who we are

Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.

The NSIRA Secretariat assists NSIRA in fulfilling its mandate. It is the NSIRA Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Access to Information Act and the Privacy Act.

Mandate

NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities. 

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances;
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
  • reports made under section 19 of the Citizenship Act, and
  • matters referred under section 45 of the Canadian Human Rights Act.

Access to Information and Privacy Office

NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act.

For the reporting period, the NSIRA ATIP office consisted of:

  • 1 Full-time Access to Information Consultant;
  • 1 Part-time Privacy Consultant; and
  • 1 Full-time ATIP Manager who fulfilled the duties that would normally be carried out by an ATIP Coordinator, as well as managed the ATIP Office, in addition to fulfilling normal duties as Manager of Administrative Services for the Secretariat and Agency Members.

NSIRA Secretariat Corporate Legal Counsel and Senior General Counsel supported the ATIP office on an as required basis.

The ATIP Office is responsible for the following:

  • monitoring compliance with ATIP legislation and relevant procedures and policies;
  • processing requests under both the Access to Information Act and the Privacy Act;
  • developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
  • maintaining Personal Information Banks and conducting privacy impact assessments.
  • preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
  • representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.

The NSIRA Secretariat was a party to a service agreement under section 96 of the Access to Information Act during the reporting period, pursuant to which it received administrative services from the Privy Council Office related to the tabling of the Access to Information Act annual report in Parliament. The NSIRA Secretariat was also a party to a service agreement under section 92 of the Act, pursuant to which it received ATIP Online services from the Treasury Board of Canada Secretariat.

The NSIRA Secretariat ensured that the following proactive publication legislative requirements were met during the reporting period with the assistance of its Finance team:

  • Travel expenses;
  • Hospitality expenses;
  • Reports tabled in Parliament; and
  • Contracts over $10,000.

To assist the ATIP Office in meeting its overall legislative obligations, the NSIRA Secretariat relied on a collaborative internal group of subject matter points of contact from all its branches.

Delegation Order

The Executive Director, as the Head of the NSIRA Secretariat, is responsible for the administration of the Access to Information Act within the institution. Pursuant to section 95 of the Access to Information Act, the Executive Director has delegated the ATIP Manager and ATIP Officer – as well as persons acting in these positions – to perform powers, duties, and functions for the administration of the Act. These positions have limited delegation of authority under the Act and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Access to Information Act Delegation Order can be found in Appendix A.

Performance 2022-2023

Performance in Processing Access Requests

During the reporting period, from April 1, 2022 to March 31, 2023, the NSIRA Secretariat received 11 formal requests in addition to 10 requests that were outstanding from previous reporting periods, bringing the total number of requests to 21. Of these, the NSIRA Secretariat closed 15 requests in 2022-23, and 6 were carried over to the next reporting period. Five of the carried-over requests were received during the 2022-23 reporting period, of which two open requests are within the legislated timelines as of March 31, 2023, and four are beyond the legislated timelines, including one request that was received during the 2018-19 reporting period.

Statistical Reports for 2022-2023

The institution’s 2022-2023 Statistical Report on the Access to Information Act and Supplemental ATIP Statistical Report for 2022-2023 are found in Appendices B and C.

Extensions and Completion Time of Closed Requests

During the reporting period, the NSIRA Secretariat invoked extensions in processing 10 requests: 1 extension of 31 to 60 days, 3 extensions of 61 to 120 days, 2 extensions of 121 to 180 days, 2 extensions of 181 to 365 days, and 2 extensions of 365 days or more, all of which included extensions necessary to consult with third parties.

Of the requests completed during the reporting period,

  • 2 requests, or 13.33% of the requests completed, were disclosed in its entirety. 1 request completed within 16 to 30 days, and 1 request completed within 181 to 365 days.
  • 7 requests, or 46.66% of the requests completed, were disclosed in part. 3 requests completed within 61 to 120 days, 2 requests completed within 181 to 365 days, and 2 requests completed more than 365 days.
  • 2 requests, or 13.33% of the requests completed, were all exempted. 1 request completed within 1 to 15 days, and 1 request completed within 31 to 60 days.
  • 1 request, or 6.66% of the requests completed, resulted in no records. This request was completed within 16 to 30 days.
  • 1 request, or 6.66% of the requests completed was abandoned and completed within 1 to 15 days.
  • 2 requests, or 13.33% of the requests completed, were neither confirmed nor denied. 1 request completed within 16 to 30 days, and 1 request completed within 31 to 60 days.

The NSIRA Secretariat’s responses to many requests required intensive review of complex records, including extensive internal and external consultations due to a significant portion of our information holdings consisting of sensitive and classified records created or originally received by other government institutions owing to NSIRA’s mandate. In 2022-23, the NSIRA Secretariat’s on-time response rate decreased extensively to 33% from 80% in the previous reporting year.

Consultations

The NSIRA Secretariat was consulted on 4 requests this fiscal year. All 4 requests were completed within 61 to 120 days. The NSIRA Secretariat closed all consultations and carried over none into 2023-2024.

Requests Treated Informally

In 2022-2023, the NSIRA Secretariat responded to 2 informal requests for records previously released under the Access to Information Act and carried over one into 2023-2024.

Impact of COVID-19 measures

During the reporting period, the NSIRA Secretariat was not affected by measures related to the COVID‑19 pandemic.

Complaints and Investigations of Access Requests

Subsection 30(1) of the Act describes how the Office of the Information Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. The NSIRA Secretariat received three new complaints during the reporting period. One of these complaints was discontinued during the reporting period, while the other two complaints remained active on March 31, 2023.

Moreover, one complaint received in fiscal year 2021-2022 was closed as “well-founded” during this reporting period. This complaint concerned the NSIRA Secretariat’s delay in providing a fulsome response to a large request that was made to NSIRA’s predecessor, the Security Intelligence Review Committee (SIRC), before the established legislative deadline. The delay was largely due to extended external consultations.

Training and Awareness

During the reporting period, access to information training requirements were identified for all NSIRA Secretariat employees, as well as for those with functional or delegated responsibility for the administration of the Access to Information Act, in accordance with the Directive on Access to Information Requests. The Canada School of Public Service course Access to Information and Privacy Fundamentals (COR502) was included as mandatory training in all employees’ training curriculum.

Privacy policies, guidelines, procedures and initiatives

The NSIRA Secretariat updated the Delegation Order during the reporting period. We also engaged with Library and Archives Canada on obtaining institution-specific disposition authorities, as we are currently operating under the former SIRC’s disposition authorities.

Proactive Publication under Part 2 of the ATIA

In accordance with paragraph 81(b) of the Access to Information Act, the NSIRA Secretariat is a government entity subject to the following proactive publication requirements:

  • Briefing materials (section 88)

During the reporting period, NSIRA Secretariat proactive publications were published on open.canada.ca.

Of the total proactive publication requirements that were due during the reporting period, 80% were published within the legislated timelines.

Initiatives and Projects to Improve Access to Information

The NSIRA Secretariat’s IT team began work to develop an ATIP software tool for our classified and unclassified systems. The NSIRA Secretariat also signed a memorandum of understanding with TBS to make full use of ATIP online and implemented the tool during the reporting period.

Summary of Key Issues and Actions Taken on Complaints

The NSIRA Secretariat hired a consultant to help process the large aforementioned access request made to its predecessor; a request that was subsequently the subject of a delay complaint made in FY 2021-2022 and deemed well-founded by the Information Commissioner during the reporting period. The NSIRA Secretariat took concrete action during the reporting period to comply with the Commissioner’s order to provide a fulsome response to the request “forthwith”, including but not limited to streamlining the consultation process with another government institution and disclosing additional records to the requestor.

Access to Information Act Fees for the Purposes of the Service Fees Act

The Service Fees Act requires a responsible authority to report annually to Parliament on the fees collected by the institution.

With respect to fees collected under the Access to Information Act, the information below is reported in accordance with the requirements of section 20 of the Service Fees Act.

  • Enabling authority: Access to Information Act
  • Fee payable: $5.00 application fee is the only fee charged for an ATI request
  • Total revenue: $30
  • $25
  • Cost of operating the program: $294,640

Monitoring Compliance

In order to meet legislative deadlines for access to information requests, deadlines for individual requests are strictly monitored by using MS Outlook reminders. The ATIP Manager organizes ad hoc meetings to discuss request-related activities (such as whether inter-institutional consultations are necessary), determine deadlines and ensure that all team members are informed of the status of files. At bi-weekly team meetings with the Senior General Counsel and Corporate Counsel, the ATIP Manager raises and discusses compliance with legislative and policy obligations. The Executive Director is also briefed on all ATIP compliance issues.

The NSIRA Secretariat has a document setting out the procedures to be followed in carrying out our monthly proactive disclosure, together with the associated expectations and timelines, in order to monitor the accuracy and completeness of the information proactively published under Part 2 of the Act.

During the reporting period, the NSIRA Secretariat also began assessing the feasibility of making information previously released under the Access to Information Act available on its public-facing website.

For contracts issued during the reporting period, the NSIRA Secretariat included a General Condition on Access to Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.

Appendix A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

Appendix B: 2022-2023 Statistical Report on the Access to Information Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2022-04-01 – 2023-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 11
Outstanding from previous reporting period 9
Outstanding from more than one reporting period 1
Total 21
Closed during reporting period 15
Carried over to next reporting period 6
Carried over within legislated timeline 2
Carried over beyond legislated timeline 4
1.2 Sources of requests
Source Number of Requests
Media 0
Academia 0
Business (private sector) 0
Organization 0
Public 10
Decline to Identify 1
Total 11
1.3 Channels of requests
Source Number of Requests
Online 10
E-mail 0
Mail 1
In person 0
Phone 0
Fax 0
Total 11

Section 2: Informal requests

2.1 Number of informal requests
  Number of Requests
Received during reporting period 3
Outstanding from previous reporting periods 0
Outstanding from more than one reporting period 0
Total 3
Closed during reporting period 2
Carried over to next reporting period 1
2.2 Channels of informal requests
Source Number of Requests
Online 0
E-Mail 3
Mail 0
In person 0
Phone 0
Fax 0
Total 3
2.3 Completion time of informal requests
Completion Time
1 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
2 0 0 0 0 0 0 2
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
2 65 0 0 0 0 0 0 0 0
2.5 Pages re-released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
0 0 0 0 0 0 0 0 0 0

Section 3: Applications to the Information Commissioner on Declining to Act on Requests

  Number of Requests
Outstanding from previous reporting period 0
Sent during reporting period 0
Total 0
Approved by the Information Commissioner during reporting period 0
Declined by the Information Commissioner during reporting period 0
Withdrawn during reporting period 0
Carried over to next reporting period 0

Section 4: Requests Closed During the Reporting Period

4.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 1 0 0 0 1 0 2
Disclosed in part 0 0 0 3 0 2 2 7
All exempted 1 0 1 0 0 0 0 2
All excluded 0 0 0 0 0 0 0 0
No records exist 0 1 0 0 0 0 0 1
Request transferred 0 0 0 0 0 0 0 0
Request abandoned 1 0 0 0 0 0 0 1
Neither confirmed nor denied 0 1 1 0 0 0 0 2
Decline to act with the approval of the Information Commisioner 0 0 0 0 0 0 0 0
Total 2 3 2 3 0 3 2 15
4.2 Exemptions
Section Numbers of Requests
13(1)(a) 0
13(1)(b) 0
13(1)(c) 0
13(1)(d) 0
13(1)(e) 0
14 0
14(a) 0
14(b) 0
15(1) – I. A. * 0
15(1) – Def. * 5
15(1) – S.A. * 1
16(1)(a)(i) 3
16(1)(a)(ii) 0
16(1)(a)(iii) 0
16(1)(b) 1
16(1)(c) 4
16(1)(d) 0
16(2) 0
16(2)(a) 0
16(2)(b) 0
16(2)(c) 0
16(3) 0
16.1(1)(a) 0
16.1(1)(b) 0
16.1(1)(c) 0
16.1(1)(d) 0
16.2(1) 0
16.3 0
16.31 0
16.4(1)(a) 0
16.4(1)(b) 0
16.5 0
16.6 0
17 0
18(a) 0
18(b) 0
18(c) 0
18(d) 0
18.1(1)(a) 0
18.1(1)(b) 0
18.1(1)(c) 0
18.1(1)(d) 0
19(1) 2
20(1)(a) 0
20(1)(b) 0
20(1)(b.1) 0
20(1)(c) 0
20(1)(d) 0
20.1 0
20.2 0
20.4 0
21(1)(a) 0
21(1)(b) 0
21(1)(c) 0
21(1)(d) 0
22 0
22.1(1) 0
23 1
23.1 0
24(1) 1
26 0

* I.A.: International Affairs
* Def.: Defence of Canada
* S.A.: Subversive Activities

4.3 Exclusions
Section Numbers of Requests
68(a) 0
68(b) 0
68(c) 0
68.1 0
68.2(a) 0
68.2(b) 0
69(1) 0
69(1)(a) 0
69(1)(b) 0
69(1)(c) 0
69(1)(d) 0
69(1)(e) 0
69(1)(f) 0
69(1)(g) re (a) 0
69(1)(g) re (b) 0
69(1)(g) re (c) 0
69(1)(g) re (d) 0
69(1)(g) re (e) 0
69(1)(g) re (f) 0
69.1(1) 0
4.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
0 9 0 0 0 0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
856 856 14
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 1 7 1 322 0 0 0 0 0 0
Disclosed in part 6 247 1 280 0 0 0 0 0 0
All exempted 2 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 1 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 2 0 0 0 0 0 0 0 0 0
Declined to act with the approval of the information Commissioner 0 0 0 0 0 0 0 0 0 0
Total 12 254 2 602 0 0 0 0 0 0
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.7 Other complexities
Disposition Consultation Required Legal Advice Sought Other Total
All disclosed 0 0 0 0
Disclosed in part 0 0 0 0
All exempted 0 0 0 0
All excluded 0 0 0 0
Request abandoned 0 0 0 0
Neither confirmed nor denied 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0
Total 0 0 0 0
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 5
Percentage of requests closed within legislated timelines (%) 33.33333333
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
10 0 10 0 0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 0 0 0
16 to 30 Days 0 0 0
31 to 60 Days 0 2 2
61 to 120 Days 0 3 3
121 to 180 Days 0 0 0
181 to 365 Days 0 3 3
More than 365 Days 0 2 2
Total 0 10 10
4.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 5: Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation 9(1)(c) Third-Party Notice
Section 69 Other
All disclosed 0 0 2 0
Disclosed in part 0 0 7 0
All exempted 0 0 1 0
All excluded 0 0 0 0
Request abandoned 0 0 0 0
No records exist 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0
Total 0 0 10 0
5.2 Length of extensions
Length of Extensions 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation 9(1)(c) Third-Party Notice
Section 69 Other
30 days or less 0 0 0 0
31 to 60 days 0 0 1 0
61 to 120 days 0 0 3 0
121 to 180 days 0 0 2 0
181 to 365 days 0 0 2 0
365 days or more 0 0 2 0
Total 0 0 10 0

Section 6: Fees

Fee Type Fee Collected Fee Waived Fee Refunded
Number of Requests Amount Number of Requests Amount Number of Requests Amount
Application 0 $30.00 5 $0.00 0 $0.00
Other fees 0 $0.00 0 $0.00 0 $0.00
Total 6 $30.00 5 $0.00 0 $0.00

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 4 189 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 4 189 0 0
Closed during the reporting period 4 189 0 0
Carried over within negotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 4 0 0 0 4
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 4 0 0 0 4
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Investigations and Reports of finding

9.1 Investigations
Section 32 Notice of intention to investigate Subsection 30(5) Ceased to investigate Section 35 Formal Representations
3 0 0
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports Section 37(2) Final Reports
Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner
1 1 1 1 1 1

Section 10: Court Action

10.1 Court actions on complaints
Section 41
Complainant (1) Institution (2) Third Party (3) Privacy Commissioner (4) Total
0 0 0 0 0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
11.1 Allocated Costs
Expenditures Amount
Salaries $100,000
Overtime $0
Goods and Services $194,640
Professional services contracts $194,640
Other $0
Total $294,640
11.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 0.000
Part-time and casual employees 1.000
Regional Staff 0.000
Consultants and agency personnel 1.000
Students 1.000
Total 3.000

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

  Number of weeks
Able to receive requests by mail 52
Able to receive requests by email 52
Able to receive requests through the digital request service 52

Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act

2.1 Number of weeks your institution was able to process paper records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52

Section 3: Open Requests and Complaints Under the Privacy Act

3.1 Number of open requests that are outstanding from previous reporting periods.

Fiscal Year Open Requests Were Received Open Requests that are Within Legislated Timelines as Open Requests that are Beyond Legislated Timelines as of March 31, 2023 Total
Received in 2022-23 2 3 5
Received in 2021-22 0 0 0
Received in 2020-21 0 0 0
Received in 2019-20 0 0 0
Received in 2018-19 0 1 1
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 0 0 0
Received in 2014-15 0 0 0
Received in 2013-14 or earlier 0 0 0

3.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods

Fiscal Year Open Complaints were received by institutions Open Requests that are Within Legislated Timelines as
Received in 2022-23 3
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 0
Received in 2014-15 0
Received in 2013-14 or earlier 0
Total 3
Share this page
Date Modified:

Annual Report on the Privacy Act 2022-23

Date of Publishing:

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the National Security and Intelligence Review Agency Secretariat, subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.

This report to Parliament, which is prepared and tabled in accordance with section 72 of the Privacy Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the Act during the period of April 1, 2022 to March 31, 2023.

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Office
National Security and Intelligence Review Agency
P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5
​Email: ATIP@nsira-ossnr.gc.ca

Who we are

Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.

The NSIRA Secretariat assists NSIRA in fulfilling its mandate. It is the NSIRA Secretariat, headed by an Executive Director, that is the government institution for the purposes of the Privacy Act and the Access to Information Act.

Mandate

The NSIRA Secretariat supports NSIRA in its dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities.

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances;
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
  • reports made under section 19 of the Citizenship Act, and
  • matters referred under section 45 of the Canadian Human Rights Act.

Access to Information and Privacy Office – Organizational Structure

NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act. For the reporting period, the NSIRA ATIP office consisted of:

  • 1 Full-time Access to Information Consultant;
  • 1 Part-time Privacy Consultant; and
  • 1 Full-time ATIP Manager who fulfilled the duties that would normally be carried out by an ATIP Coordinator, as well as managed the ATIP Office in addition to fulfilling normal duties as Manager of Administrative Services for the Secretariat and Agency Members.

NSIRA Secretariat Senior General Counsel and Corporate Counsel supported the ATIP Office on an as required basis.

The ATIP Office is responsible for the following:

  • monitoring compliance with ATIP legislation and relevant procedures and policies;
  • processing requests under both the Access to Information Act and the Privacy Act;
  • developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
  • maintaining Personal Information Banks and conducting privacy impact assessments.
  • preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
  • representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.

The NSIRA Secretariat was a party to a service agreement under section 73.1 of the Privacy Act during the reporting period, pursuant to which it received administrative services from the Privy Council Office related to the tabling of the Privacy Act annual report in Parliament. The NSIRA Secretariat was also a party to a service agreement under section 71.1 of the Act, pursuant to which it received ATIP Online services from the Treasury Board of Canada Secretariat.

To assist the ATIP Office in meeting its overall legislative obligations, the NSIRA Secretariat relied on a collaborative internal group of subject matter points of contact from all its branches.

Delegation Order

The Executive Director, as the Head of the NSIRA Secretariat, is responsible for the administration of the Privacy Act within the institution. Pursuant to section 73 of the Privacy Act, the Executive Director has delegated the ATIP Manager and ATIP Officer – as well as persons acting in these positions – to perform powers, duties, and functions for the administration of the Act. These positions have limited delegation of authority under the Act and the Access to Information Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The Privacy Act Delegation Order can be found in Appendix A.

Performance 2022-2023

Performance in Processing Privacy Requests

During the reporting period, from April 1, 2022 to March 31, 2023, the NSIRA Secretariat received 12 formal requests. All 12 requests were completed during the reporting period. No requests were carried over from the previous reporting period.

Statistical Reports for 2022-2023

The institution’s 2022-2023 Statistical Report on the Privacy Act and Supplemental ATIP Statistical Report for 2022-2023 are found in Appendices B and C.

Extensions and Completion Time of Closed Requests

During the reporting period, the NSIRA Secretariat invoked extensions in processing 5 requests: 3 extensions of 31 to 60 days, and 2 extensions of 61 to 120 days, all of which included extensions necessary to consult with third parties.

Of the requests completed during the reporting period:

  • 1 request, or 8.33% of the requests completed, was disclosed in its entirety. This request was completed within 16 to 30 days.
  • 4 requests, or 33.33% of the requests completed, were disclosed in part. 1 request completed within 16 to 30 days, 2 requests completed within 31 to 60 days, and 1 request completed within 61 to 120 days.
  • 7 requests, or 58.33% of the requests completed, resulted in no records. 1 request completed within 1 to 15 days, 4 requests completed within 16 to 30 days, 1 request completed within 31 to 60 days, and 1 request completed within 61 to 120 days.

The NSIRA Secretariat’s responses to many requests required intensive review of complex records, including extensive internal and external consultations. In 2022-23, the NSIRA Secretariat’s on-time response rate decreased to 58.33% from 71% in the previous reporting year.

Consultations

No consultations were received by the NSIRA Secretariat during the reporting period.

Impact of COVID-19 Measures

During the reporting period, the NSIRA Secretariat was not affected by measures related to the COVID‑19 pandemic.

Complaints and Investigations

During the reporting period, the NSIRA Secretariat received 9 privacy complaints, 2 of which were related to access. All 9 complaints remained active on March 31, 2023.

Moreover, one privacy breach-related investigation initiated by the Privacy Commissioner in fiscal year 2020-2021 continued during the reporting period and remained active on March 31, 2023.

Training and Awareness

During the reporting period, privacy training requirements were identified for all NSIRA Secretariat employees, as well as for those with functional or delegated responsibility for the administration of the Privacy Act, in accordance with the Directive on Personal Information Requests and Correction of Personal Information. The Canada School of Public Service course Access to Information and Privacy Fundamentals (COR502) was included as mandatory training in all employees’ training curriculum.

In addition, an all-staff lunch and learn session was held in August 2022 to provide employees with a debrief of the International Association of Privacy Professionals Privacy Conference.

Policies, Guidelines, and Procedures

The NSIRA Secretariat updated the Delegation Order during the reporting period and also established its internal Directive on Managing Security and Safety Events in March 2023, which provides for coordination with the ATIP Office and Office of Primary Interest when a security event involves a suspected or actual privacy breach.

Initiatives and Projects to Improve Privacy

The NSIRA Secretariat’s IT team began work to develop an ATIP software tool for our classified and unclassified systems. The NSIRA Secretariat also signed a memorandum of understanding with TBS to make full use of ATIP Online and implemented the tool during the reporting period.

Summary of Key Issues and Actions Taken on Complaints

As previously outlined, all 9 complaints received during the reporting period remained active on March 31, 2023. The NSIRA Secretariat meaningfully engaged with the Office of the Privacy Commissioner on all active investigations and disclosed additional records in 1 of the 2 access-related complaints.

Material Privacy Breaches

In the 2022-2023 reporting period, no material privacy breaches occurred.

Privacy Impact Assessments

The NSIRA Secretariat did not complete any PIAs in 2022-2023. During the reporting period, the NSIRA Secretariat received feedback from TBS for its PIA on the creation of NSIRA — which had been submitted to TBS in FY 2021-2022 — and undertook revisions to the PIA. During the reporting period, the NSIRA Secretariat also launched a PIA exercise pertaining to its investigations-related activities.

Public Interest Disclosures

No disclosures were made pursuant to paragraph 8(2)(m) of the Privacy Act during the reporting period.

Monitoring Compliance

In order to meet the legislative deadlines for privacy requests, deadlines for individual requests are strictly monitored by using MS Outlook reminders. The ATIP Manager organizes ad hoc meetings to discuss request-related activities (such as whether inter-institutional consultations are necessary), determine deadlines and ensure that all team members are informed of the status of files. At bi-weekly team meetings with the Senior General Counsel and Corporate Counsel, the ATIP Manager raises and discusses compliance with legislative and policy obligations. The Executive Director is also briefed on all ATIP compliance issues.

For contracts issued during the reporting period, the NSIRA Secretariat included a Standard Procurement Clause on the Handling of Personal Information or a Supplemental General Condition on Personal Information from Public Services and Procurement Canada’s Standard Acquisition Clauses and Conditions Manual.

Appendices

Appendix A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

Appendix B: 2022-2023 Statistical Report on the Privacy Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2022-04-01 – 2023-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 12
Outstanding from previous reporting period 0
Outstanding from more than one reporting period 0
Total 12
Closed during reporting period 12
Carried over to next reporting period 0
Carried over within legislated timeline 0
Carried over beyond legislated timeline 0
1.2 Channels of requests
Source Number of Requests
Online 10
E-mail 2
Mail 0
In person 0
Phone 0
Fax 0
Total 12

Section 2: Informal requests

2.1 Number of informal requests
  Number of Requests
Received during reporting period 0
Outstanding from previous reporting periods 0
Outstanding from more than one reporting period 0
Total 0
Closed during reporting period 0
Carried over to next reporting period 0
2.2 Channels of informal requests
Source Number of Requests
Online 0
E-Mail 0
Mail 0
In person 0
Phone 0
Fax 0
Total 0
2.3 Completion time of informal requests
Completion Time
1 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
0 0 0 0 0 0 0 0
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
0 0 0 0 0 0 0 0 0 0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 1 0 0 0 0 0 1
Disclosed in part 0 1 2 1 0 0 0 4
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 1 4 1 1 0 0 0 7
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 1 6 3 2 0 0 0 12
3.2 Exemptions
Section Numbers of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 1
22(1)(a)(i) 3
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 4
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 0
27 2
27.1 0
28 0
3.3 Exclusions
Section Numbers of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
3.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
0 5 0 0 0 0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
795 795 5
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 1 1 0 0 0 0 0 0 0 0
Disclosed in part 3 150 0 0 1 644 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 4 151 0 0 1 644 0 0 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation Required Assessment of Fees Legal Advice Sought Other Total
All disclosed 0 0 0 0 0
Disclosed in part 0 0 0 0 0
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 0 0 0
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 7
Percentage of requests closed within legislated timelines (%) 58.33333333
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
5 0 3 0 2
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 0 1 1
16 to 30 Days 1 0 1
31 to 60 Days 1 1 2
61 to 120 Days 1 0 1
121 to 180 Days 0 0 0
181 to 365 Days 0 0 0
More than 365 Days 0 0 0
Total 3 2 5
3.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 5: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
3 0 1 0 0 0 2 0 0
6.2 Length of extensions
Length of Extensions 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 to 15 days 0 1 0 0 0 2 0 0
16 to 30 days 0 0 0 0 0 3 0 0
31 days or greater               0
Total 0 1 0 0 0 2 0 0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 0 0 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 0 0 0 0
Closed during the reporting period 0 0 0 0
Carried over within regotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
1 8 0 0 9

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)

10.1 Privacy Impact Assessments
Number of PIA(s) completed Number of PIAs modified
0 0
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 0 0 0 0
Central 0 0 0 0
Total 0 0 0 0

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS Number of material privacy breaches reported to OPC
0 0
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
12.1 Allocated Costs
Expenditures Amount
Salaries $60,000
Overtime $0
Goods and Services $5,000
Professional services contracts $5,000
Other $0
Total $65,000
12.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 0.000
Part-time and casual employees 1.000
Regional Staff 0.000
Consultants and agency personnel 0.500
Students 0.000
Total 1.500

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

  Number of weeks
Able to receive requests by mail 52
Able to receive requests by email 52
Able to receive requests through the digital request service 52

Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act

2.1 Number of weeks your institution was able to process paper records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52

Section 3: Open Requests and Complaints Under the Privacy Act

3.1 Number of open requests that are outstanding from previous reporting periods.

Fiscal Year Open Requests Were Received Open Requests that are Within Legislated Timelines as Open Requests that are Beyond Legislated Timelines as of March 31, 2023 Total
Received in 2022-23 0 0 0
Received in 2021-22 0 0 0
Received in 2020-21 0 0 0
Received in 2019-20 0 0 0
Received in 2018-19 0 0 0
Received in 2017-18 0 0 0
Received in 2016-17 0 0 0
Received in 2015-16 0 0 0
Received in 2014-15 0 0 0
Received in 2013-14 or earlier 0 0 0

3.2 Number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods

Fiscal Year Open Complaints were received by institutions Open Requests that are Within Legislated Timelines as
Received in 2022-23 9
Received in 2021-22 0
Received in 2020-21 0
Received in 2019-20 0
Received in 2018-19 0
Received in 2017-18 0
Received in 2016-17 0
Received in 2015-16 0
Received in 2014-15 0
Received in 2013-14 or earlier 0
Total 9

Section 4: Social Insurance Number

Has your institution begun a new collection or a new consistent use of the SIN in 2022-23?
No

Section 5: Universal Access under the Privacy Act

How many requests were received from confirmed foreign nationals outside of Canada in 2022-2023?
0
Share this page
Date Modified:

Annual Report on the Access to Information Act 2021–22

Date of Publishing:

Introduction

The Access to Information Act gives Canadian citizens and permanent residents, as well as any person or corporation present in Canada, a right of access to information contained in government records, subject to certain specific and limited exceptions.

Section 94(1) of the Act requires the head of each government institution to prepare an annual report on the administration of the Act within the institution and to submit the report to Parliament. In addition, section 20 of the Service Fees Act requires institutions to report on all statutory fees processed during the reporting period.

This report to Parliament, which is prepared and tabled in accordance with Section 94 of the Access to Information Act, and section 20 of the Service Fees Act, describes the activities of the National Security and Intelligence Review Agency Secretariat in administering these Acts during the period April 1, 2021 to March 31, 2022.

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Office
National Security and Intelligence Review Agency
P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5
Email: ATIP@nsira-ossnr.gc.ca

Who we are

Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.

The NSIRA Secretariat assists the Review Agency in fulfilling its mandate.

Mandate

NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities. 

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances;
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
  • reports made under section 19 of the Citizenship Act, and
  • matters referred under section 45 of the Canadian Human Rights Act.

Access to Information and Privacy Office

NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act.

For the reporting period, the NSIRA ATIP office consisted of:

  • 1 full-time ATIP Coordinator
  • 1 part-time ATIP Consultant
  • 1 full-time Senior Director, who managed the ATIP office in addition to fulfilling normal duties as Senior Director of Corporate Services

NSIRA Legal Services supported the ATIP team on an as required basis.

The main activities of the ATIP Coordinator included:

  • monitoring compliance with ATIP legislation and relevant procedures and policies;
  • processing requests under both the Access to Information Act and the Privacy Act;
  • developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
  • maintaining Personal Information Banks and conducting privacy impact assessments.
  • preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
  • representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.

To assist the ATIP Office in meeting its legislative obligations, NSIRA relied on a collaborative internal group of subject matter points of contact from all its branches.

Delegation Order

The Executive Director, as the Head of the National Security and Intelligence Review Agency Secretariat and pursuant to s.95(1) of the ATIA, is responsible for the implementation of the ATIA for NSIRA. Through the most recent NSIRA delegation order, the Executive Director has designated the ATIP Coordinator and ATIP Officer to perform the powers, duties, functions, or administrative tasks pertaining to the ATIA. These functions have limited delegation of authority under the Act and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The recently amended ATIA delegation orders can be found in Appendix A.

Performance and Statistical Overview

Performance in Processing Access Requests

During the reporting period, the number of access requests received by NSIRA increased by 1300% (14) compared to the previous year (1). The Agency also managed one request that was pending from previous years, bringing the total number of cases to 15. Of these, NSIRA closed 5 requests in 2021- 22, and 10 were carried over to the next reporting period.

NSIRA’s responses to many requests required intensive review of complex records, including extensive internal and external consultations. In 2021-22, NSIRA’s on-time response rate decreased to 80% from 100% in the previous reporting year.

Consultations

NSIRA was consulted on 12 requests this fiscal year, compared to 7 in the previous reporting period. NSIRA closed 11 consultations and carried over one into 2022-2023.

Requests Treated Informally

In 2021-2022, NSIRA responded to 7 informal requests for records previously released under the ATIA process. This is an increase from no informal requests in 2020-2021. NSIRA responded to all 7 requests within 30 days of the request.

Complaints and Investigations of Access Requests

Subsection 30(1) of the Act describes how the Office of the Information Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. NSIRA received one new complaint during the reporting period and worked closely with the Office of the Information Commissioner to resolve the complaint. This complaint concerned NSIRA’s delay in providing a response to a request before the established legislative deadline. NSIRA’s delay was largely due to extended external consultations; however, the complaint was closed as “well-founded” in 2022-2023 reporting period.

Access to Information Act fees for the Purposes of the Service Fees Act

In accordance with the Interim Directive on the Administration of the ATIA, issued on May 5, 2016, and the changes to the ATIA that came into force on June 21, 2019, NSIRA waived or refunded all fees prescribed by the Act and Regulations during the reporting period.

Training

In 2021–22, the ATIP office provided orientation sessions to new and current employees. In all, 3 separate sessions on access and privacy legislation were provided to 60 employees.

Privacy policies, guidelines, procedures and initiatives

NSIRA did not revise policies, guidelines, or procedures related to the Access to Information Act—or implement new ones—during the reporting period. 

Monitoring processing time

Request processing times are monitored through the Access Pro software dashboard. The ATIP Coordinator notifies the Executive Director and suggests a course of action should any legislative timelines for responding to an ATIA request appear to be at risk. 

Appendix A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

Appendix B: 2019-2020 Statistical Report on the Access to Information Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2019-04-01 – 2020-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 14
Outstanding from previous reporting period 0
Outstanding from more than one reporting period 1
Total 15
Closed during reporting period 5
Carried over to next reporting period 10
Carried over within legislated timeline 9
Carried over beyond legislated timeline 1
1.2 Sources of requests
Source Number of Requests
Media 4
Academia 0
Business (private sector) 0
Organization 0
Public 10
Decline to Identify 0
Total 14
1.3 Channels of requests
Source Number of Requests
Online 12
E-mail 1
Mail 1
In person 0
Phone 0
Fax 0
Total 14

Section 2: Informal requests

2.1 Number of informal requests
  Number of Requests
Received during reporting period 7
Outstanding from previous reporting periods 0
Outstanding from more than one reporting period 0
Total 7
Closed during reporting period 7
Carried over to next reporting period 0
2.2 Channels of informal requests
Source Number of Requests
Online 7
E-Mail 0
Mail 0
In person 0
Phone 0
Fax 0
Total 7
2.3 Completion time of informal requests
Completion Time
1 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
0 7 0 0 0 0 0 7
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
0 0 0 0 0 0 0 0 0 0
2.5 Pages re-released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
7 121 0 0 0 0 0 0 0 0

Section 3: Applications to the Information Commissioner on Declining to Act on Requests

  Number of Requests
Outstanding from previous reporting period 0
Sent during reporting period 0
Total 0
Approved by the Information Commissioner during reporting period 0
Declined by the Information Commissioner during reporting period 0
Withdrawn during reporting period 0
Carried over to next reporting period 0

Section 4: Requests Closed During the Reporting Period

4.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 2 0 1 0 0 0 0 3
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 0 2 0 0 0 0 0 2
Request transferred 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Decline to act with the approval of the Information Commisioner 0 0 0 0 0 0 0 0
Total 2 2 1 0 0 0 0 5
4.2 Exemptions
Section Numbers of Requests
13(1)(a) 0
13(1)(b) 0
13(1)(c) 0
13(1)(d) 0
13(1)(e) 0
14 0
14(a) 0
14(b) 0
15(1) – I. A. * 0
15(1) – Def. * 2
15(1) – S.A. * 0
16(1)(a)(i) 0
16(1)(a)(ii) 0
16(1)(a)(iii) 0
16(1)(b) 1
16(1)(c) 2
16(1)(d) 0
16(2) 0
16(2)(a) 0
16(2)(b) 0
16(2)(c) 0
16(3) 0
16.1(1)(a) 0
16.1(1)(b) 0
16.1(1)(c) 0
16.1(1)(d) 0
16.2(1) 0
16.3 0
16.31 0
16.4(1)(a) 0
16.4(1)(b) 0
16.5 0
16.6 0
17 0
18(a) 0
18(b) 0
18(c) 0
18(d) 0
18.1(1)(a) 0
18.1(1)(b) 0
18.1(1)(c) 0
18.1(1)(d) 0
19(1) 2
20(1)(a) 0
20(1)(b) 0
20(1)(b.1) 0
20(1)(c) 0
20(1)(d) 0
20.1 0
20.2 0
20.4 0
21(1)(a) 1
21(1)(b) 0
21(1)(c) 0
21(1)(d) 0
22 0
22.1(1) 0
23 2
23.1 0
24(1) 1
26 0

* I.A.: International Affairs
* Def.: Defence of Canada
* S.A.: Subversive Activities

4.3 Exclusions
Section Numbers of Requests
68(a) 0
68(b) 0
68(c) 0
68.1 0
68.2(a) 0
68.2(b) 0
69(1) 0
69(1)(a) 0
69(1)(b) 0
69(1)(c) 0
69(1)(d) 0
69(1)(e) 0
69(1)(f) 0
69(1)(g) re (a) 0
69(1)(g) re (b) 0
69(1)(g) re (c) 0
69(1)(g) re (d) 0
69(1)(g) re (e) 0
69(1)(g) re (f) 0
69.1(1) 0
4.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
2 1 0 0 0 0
4.5 Complexity
4.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
63 63 3
4.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 3 63 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Declined to act with the approval of the information Commissioner 0 0 0 0 0 0 0 0 0 0
Total 3 63 0 0 0 0 0 0 0 0
4.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
4.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
4.5.7 Other complexities
Disposition Consultation Required Legal Advice Sought Other Total
All disclosed 0 0 0 0
Disclosed in part 2 0 0 2
All exempted 0 0 0 0
All excluded 0 0 0 0
Request abandoned 0 0 0 0
Neither confirmed nor denied 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0
Total 2 0 0 2
4.6 Closed requests
4.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 4
Percentage of requests closed within legislated timelines (%) 80
4.7 Deemed refusals
4.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
1 0 0 1 0
4.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 1 0 1
16 to 30 Days 0 0 0
31 to 60 Days 0 1 0
61 to 120 Days 0 0 0
121 to 180 Days 0 0 0
181 to 365 Days 0 0 0
More than 365 Days 0 0 0
Total 1 0 1
4.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 5: Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation
Section 69 Other
All disclosed 0 0 0
Disclosed in part 0 0 0
All exempted 0 0 0
All excluded 0 0 0
Request abandoned      
No records exist 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0
Total 0 0 0
5.2 Length of extensions
Length of Extensions 9(1)(a) Interference With Operations/Workload 9(1)(b) Consultation
Section 69 Other
30 days or less 0 0 0
31 to 60 days 0 0 0
61 to 120 days 0 0 0
121 to 180 days 0 0 0
181 to 365 days 0 0 0
365 days or more 0 0 0
Total 0 0 0

Section 6: Fees

Fee Type Fee Collected Fee Waived Fee Refunded
Number of Requests Amount Number of Requests Amount Number of Requests Amount
Application 0 $0.00 14 $0.00 0 $0.00
Other fees 0 $0.00 0 $0.00 0 $0.00
Total 0 $0.00 14 $0.00 0 $0.00

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 12 143 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 12 143 0 0
Closed during the reporting period 11 123 0 0
Carried over within regotiated timelines 1 20 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Investigations and Reports of finding

9.1 Investigations
Section 32 Notice of intention to investigate Subsection 30(5) Ceased to investigate Section 35 Formal Representations
0 0 1
9.2 Investigations and Reports of finding
Section 37(1) Initial Reports Section 37(2) Final Reports
Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner Received Containing recommendations issued by the Information Commissioner Containing orders issued by the Information Commissioner
0 0 0 0 0 0

Section 10: Court Action

10.1 Court actions on complaints
Section 41
Complainant (1) Institution (2) Third Party (3) Privacy Commissioner (4) Total
0 0 0 0 0
10.2 Court actions on third party notifications under paragraph 28(1)(b)
Section 44 – under paragraph 28(1)(b)
0
11.1 Allocated Costs
Expenditures Amount
Salaries $24,082
Overtime $0
Goods and Services $0
Professional services contracts $0
Other $0
Total $24,082
11.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 0.300
Part-time and casual employees 0.000
Regional Staff 0.000
Consultants and agency personnel 0.000
Students 0.000
Total 0.300

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

  Number of weeks
Able to receive requests by mail 52
Able to receive requests by email 52
Able to receive requests through the digital request service 52

Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act

2.1 Number of weeks your institution was able to process paper records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52
Share this page
Date Modified:

Annual Report on the Privacy Act 2021-22

Date of Publishing:

Introduction

The Privacy Act gives individuals the right to access information about themselves that is held by the National Security and Intelligence Review Agency Secretariat, subject to certain specific and limited exceptions. The Privacy Act also protects the privacy of individuals by giving them substantial control over the collection, use, and disclosure of their personal information and by preventing others from having access to that information.

Section 72 of the act requires the head of each government institution to prepare an annual report on the administration of the act within the institution and to submit the report to Parliament.

This report to Parliament, which is prepared and tabled in accordance with Section 72 of the Privacy Act describes the activities of the National Security and Intelligence Review Agency Secretariat in administering the Act during the period of April 1, 2021 to March 31, 2022.

If you require more information or wish to make a request under the Access to Information Act or the Privacy Act, please direct your inquiries to the following:

Access to Information and Privacy Office
National Security and Intelligence Review Agency
P.O. Box 2430, Station “D” Ottawa, Ontario, K1P 5W5
​Email: ATIP@nsira-ossnr.gc.ca

Who we are

Established in July 2019, NSIRA is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities.

The NSIRA Secretariat assists the Review Agency in fulfilling its mandate.

Mandate

NSIRA has a dual mandate to conduct reviews and investigations in relation to Canada’s national security or intelligence activities. 

Reviews

NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice. Further, NSIRA may review any national security or intelligence matters that a minister of the Crown refers to NSIRA.

NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws, policies, and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.

Investigations

NSIRA is responsible for investigating national security or intelligence-related complaints from members of the public. As outlined in paragraph 8(1)(d) of the NSIRA Act, NSIRA has the mandate to investigate complaints about:

  • any activity of CSIS or of CSE;
  • decisions to deny or revoke certain federal government security clearances;
  • any complaint referred under subsection 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act,
  • reports made under section 19 of the Citizenship Act, and
  • matters referred under section 45 of the Canadian Human Rights Act.

Access to Information and Privacy Office

NSIRA’s ATIP Office is accountable for the development and implementation of effective policies, guidelines, systems, and procedures to ensure that the NSIRA Secretariat meets its responsibilities under the Access to Information Act and the Privacy Act. For the reporting period, the NSIRA ATIP office consisted of:

  • 1 full-time ATIP Coordinator
  • 1 part-time ATIP Consultant
  • 1 full-time Senior Director, who managed the ATIP office in addition to fulfilling normal duties as Senior Director of Corporate Services

NSIRA Legal Services supported the ATIP team on an as required basis.

The main activities of the ATIP Coordinator included:

  • monitoring compliance with ATIP legislation and relevant procedures and policies;
  • processing requests under both the Access to Information Act and the Privacy Act;
  • developing and maintaining policies, procedures, and guidelines to ensure that the NSIRA Secretariat respected the Access to Information Act and the Privacy Act;
  • maintaining Personal Information Banks and conducting privacy impact assessments.
  • preparing annual reports to Parliament and other statutory reports, as well as other material that might be required by central agencies; and
  • representing the NSIRA Secretariat in dealings with the Treasury Board of Canada Secretariat, the information and privacy commissioners, and other government departments and agencies in matters pertaining to the Access to Information Act and the Privacy Act.

To assist the ATIP Office in meeting its legislative obligations, NSIRA relied on a collaborative internal group of subject matter points of contact from all its branches.

Delegation Order

The Executive Director, as the Head of the National Security and Intelligence Review Agency Secretariat and pursuant to s.95(1) of the ATIA, is responsible for the implementation of the ATIA for NSIRA. Through the most recent NSIRA delegation order, the Executive Director has designated the ATIP Coordinator and ATIP Officer to perform the powers, duties, functions, or administrative tasks pertaining to the ATIA. These functions have limited delegation of authority under the Act and the Privacy Act, in accordance with the delegation of authority instrument approved by the Executive Director in August 2022. The recently amended ATIA delegation orders can be found in Appendix A.

Performance and Statistical Overview

Performance in Processing Access Requests

During the reporting period, the number of privacy requests received by NSIRA increased by 75% (7) compared to the previous year (4). All requests were completed in 2021-22, and no requests were carried over the next year.

NSIRA’s responses to most requests required intensive review of complex records, including extensive internal and external consultations. In 2021-22, NSIRA’s on-time response rate decreased to 71% from 75% in the previous reporting year.

Consultations

NSIRA received one new consultation request from another government institution which was responded within 30 days of its receipt.

Corrections and Notations

For this reporting period, NSIRA did not receive any requests for corrections of personal information.

Complaints and Investigations of Privacy Requests

NSIRA did not receive any complaints pursuant to the Privacy Act during this reporting period. However, one investigation was initiated by the Office of the Privacy Commissioner (OPC) concerning the cyber-attack discussed under the “Breaches” section below.

Training

In 2021–22, the ATIP office provided orientation sessions to new and current employees. In all, 3 separate sessions on access and privacy legislation were provided to 60 employees.

Policies, guidelines, procedures and initiatives

During the reporting period, the NSIRA Secretariat:

  • Initiated work on a Privacy Policy, a Privacy Protocol, and on a Privacy Breach Plan and Procedures; and
  • Submitted a request to the Treasury Board Secretariat (TBS) for the approval of changes respecting Personal Information Banks.

Monitoring processing time

Request processing times are monitored through the Access Pro software dashboard. The ATIP Coordinator notifies the Executive Director and suggests a course of action should any legislative timelines for responding to a Privacy Act request appear to be at risk.

Breaches

In March 2021, NSIRA was the victim of a cyber-attack on its public-facing network. As required by the TBS’ Directive on Privacy Practices, NSIRA reported the breach to the OPC and the TBS. Consistent with the Privacy Act, TBS requirements and advice from the OPC, the affected individuals were notified of the breach and how it could affect them.

Privacy Impact Assessments

NSIRA has completed a Privacy Impact Assessment (PIA) of its operations.

NSIRA is in the process of completing a PIA regarding its complaint investigation process.

Disclosure of Personal Information Under Section 8(2)

No disclosures were made pursuant to subsection 8(2) during the reporting period.

Appendices

Appendix A: Delegation Order

Access to Information Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.

Privacy Act Designation Order

The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.

Appendix B: 2021-2022 Statistical Report on the Privacy Act

Name of institution: National Security and Intelligence Review Agency

Reporting period: 2021-04-01 – 2022-03-31

Section 1: Request Under the Access to Information Act

1.1 Number of Requests
  Number of Requests
Received during reporting period 7
Outstanding from previous reporting period 0
Outstanding from more than one reporting period 0
Total 7
Closed during reporting period 7
Carried over to next reporting period 0
Carried over within legislated timeline 0
Carried over beyond legislated timeline 0
1.2 Channels of requests
Source Number of Requests
Online 4
E-mail 3
Mail 0
In person 0
Phone 0
Fax 0
Total 7

Section 2: Informal requests

2.1 Number of informal requests
  Number of Requests
Received during reporting period 0
Outstanding from previous reporting periods 0
Outstanding from more than one reporting period 0
Total 0
Closed during reporting period 0
Carried over to next reporting period 0
2.2 Channels of informal requests
Source Number of Requests
Online 0
E-Mail 0
Mail 0
In person 0
Phone 0
Fax 0
Total 0
2.3 Completion time of informal requests
Completion Time
1 to 15 days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More than 365 Days Total
0 0 0 0 0 0 0 0
2.4 Pages released informally
Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
0 0 0 0 0 0 0 0 0 0

Section 3: Requests Closed During the Reporting Period

3.1 Disposition and completion time
Disposition of Requests Completion Time
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 1 2 0 0 0 3
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
No records exist 2 2 0 0 0 0 0 4
Request abandoned 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 2 2 1 2 0 0 0 7
3.2 Exemptions
Section Numbers of Requests
18(2) 0
19(1)(a) 0
19(1)(b) 0
19(1)(c) 0
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 2
22(1)(a)(i) 0
22(1)(a)(ii) 0
22(1)(a)(iii) 0
22(1)(b) 1
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 2
27 1
27.1 0
28 0
3.3 Exclusions
Section Numbers of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
3.4 Format of information released
Paper Electronic Other
E-record Data set Video Audio
1 2 0 0 0 0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of Pages Processed Number of Pages Disclosed Number of Requests
768 768 3
3.5.2 Relevant pages processed per request disposition for paper and e-record formats by size of requests
Disposition Less Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 0 0 0 0 0 0 0 0 0 0
Disclosed in part 1 71 2 697 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 1 71 2 697 0 0 0 0 0 0
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.4 Relevant minutes processed per request disposition for audio formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Declined to act with the approval of the Information Commissioner 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.5 Relevant minutes processed and disclosed for video formats
Number of Minutes Processed Number of Minutes Disclosed Number of Requests
0 0 0
3.5.6 Relevant minutes processed per request disposition for video formats by size of requests
Disposition Less Than 60 Minutes Processed 60 – 120 Minutes Processed More than 120 Minutes Processed
Number of Requests Minutes Processed Number of Requests Minutes Processed Number of Requests Minutes Processed
All disclosed 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0
All exempted 0 0 0 0 0 0
All excluded 0 0 0 0 0 0
Request abandoned 0 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0
Total 0 0 0 0 0 0
3.5.7 Other complexities
Disposition Consultation Required Assessment of Fees Legal Advice Sought Other Total
All disclosed 0 0 0 0 0
Disclosed in part 2 0 0 0 2
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 2 0 0 0 2
3.6 Closed requests
3.6.1 Requests closed within legislated timelines
  Requests closed within legislated timelines
Number of requests closed within legislated timelines 5
Percentage of requests closed within legislated timelines (%) 71.42857143
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines Principal Reason
Interference with Operations/Workload External Consultation Internal Consultation Other
2 0 2 0 0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines Number of Requests Past Legislated Timeline Where No Extension Was Taken Number of Requests Past Legislated Timeline Where an Extension Was Taken Total
1 to 15 Days 0 0 0
16 to 30 Days 0 2 2
31 to 60 Days 0 0 0
61 to 120 Days 0 0 0
121 to 180 Days 0 0 0
181 to 365 Days 0 0 0
More than 365 Days 0 0 0
Total 0 2 2
3.8 Requests for translation
Translation Requests Accepted Refused Total
English to French 0 0 0
French to English 0 0 0
Total 0 0 0

Section 4: Disclosures Under Subsections 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Section 5: Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Section 6: Extensions

6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
3 0 0 0 0 0 3 0 0
6.2 Length of extensions
Length of Extensions 15(a)(i) Interference with operations 9(1)(b) Consultation 9(1)(b) Consultation
Further review required to determine exemptions Large volume of pages Large volume of requests Documents are difficult to obtain Cabinet Confidence Section (Section 70) External Internal
1 to 15 days 0 0 0 0 0 0 0 0
16 to 30 days 0 0 0 0 0 3 0 0
31 days or greater             0 0
Total 0 0 0 0 0 3 0 0

Section 7: Consultations Received From Other Institutions and Organizations

7.1 Consultations received from other Government of Canada institutions and other organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during reporting period 1 52 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 1 52 0 0
Closed during the reporting period 1 52 0 0
Carried over within regotiated timelines 0 0 0 0
Carried over beyond negotiated timelines 0 0 0 0
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 1 0 0 0 0 0 1
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 1 0 0 0 0 0 1
7.3 Recommendations and completion time for consultations received from other organizations outside the Government of Canada
Recommendation Number of Days Required to Complete Consultation Requests
1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 1 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Section 8: Completion Time of Consultations on Cabinet Confidences

8.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
8.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More Than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Section 9: Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
0 0 0 0 0

Section 10: Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBS)

10.1 Privacy Impact Assessments
Number of PIA(s) completed Number of PIAs modified
1 0
10.2 Institution-specific and Central Personal Information Banks
Personal Information Banks Active Created Terminated Modified
Institution-specific 2 0 0 0
Central 0 0 0 0
Total 2 0 0 0

Section 11: Privacy Breaches

11.1 Material Privacy Breaches reported
Number of material privacy breaches reported to TBS Number of material privacy breaches reported to OPC
1 1
11.2 Non-Material Privacy Breaches
Number of non-material privacy breaches
0
12.1 Allocated Costs
Expenditures Amount
Salaries $24,082
Overtime $0
Goods and Services $0
Professional services contracts $97,006
Other $0
Total $121,088
12.2 Human Resources
Resources Person Years Dedicated to Access to Information Activities
Full-time employees 0.300
Part-time and casual employees 0.000
Regional Staff 0.000
Consultants and agency personnel 0.500
Students 0.000
Total 0.800

Note: Enter values to three decimal places.

Appendix C: Supplemental Statistical Report on the Access to Information Act and Privacy Act

Section 1: Capacity to Receive Requests under the Access to Information Act and the Privacy Act

  Number of weeks
Able to receive requests by mail 52
Able to receive requests by email 52
Able to receive requests through the digital request service 52

Section 2: Capacity to Process Records under the Access to Information Act and the Privacy Act

2.1 Number of weeks your institution was able to process paper records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52
2.2 Number of weeks your institution was able to process electronic records in different classification levels
  No capacity Partial Capacity Full capacity Total
Unclassified Paper Records 0 0 52 52
Protected B Paper Records 0 0 52 52
Secret and Top Secret Paper Records 0 0 52 52
Share this page
Date Modified:

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021

Annual Reports

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021


Backgrounder

This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures. 

The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada,  and will not affect any person’s privacy interest more than reasonably necessary in the circumstances.  The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.

Date of Publishing:

1. Executive Summary

1.This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.

2.The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.

3.NSIRA identified concerns that demonstrate the need for improved training. NSIRA found that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information. Some disclosures were of concern as GAC did not meet the two-part threshold requirements of the SCIDA prior to disclosing the information. Without meeting these requirements, some disclosures of personal information were not compliant with the SCIDA. Two disclosures did not contain accuracy and reliability statements, as required under the SCIDA. With respect to record-keeping, NSIRA recommends that departments contemporaneously document the information relied on to satisfy themselves that disclosures will not affect any person’s privacy interest more than is reasonably necessary in the circumstances.

4.NSIRA is confident that it received all information necessary to conduct the review.

2. Introduction

5.When federal departments fail to share national security information in a timely, coordinated, or responsible manner, serious and tragic consequences can result – as the Arar and Air India Inquiries found. As a mechanism in Canada’s national security accountability framework, NSIRA is mandated to prepare a report respecting disclosures under the Security of Canada Information Disclosure Act (SCIDA) during the previous calendar year. This is the only NSIRA review that must be made public and laid before both the House of Commons and the Senate, reflecting the importance Parliament has placed on independent review and accountability of national security information disclosure.

6.The SCIDA’s designated long title also reflects its stated purpose: An Act to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada.

7.The SCIDA governs how Government of Canada institutions disclose information, including personal information, that is relevant to activities that undermine the security of Canada, to a select group of federal institutions with national security mandates. Disclosures are either made proactively, on the initiative of a Government of Canada institution, or in response to a request by an institution authorized to receive information under the SCIDA.

8.It is important to note that the SCIDA is simply a tool. It is only as useful as its real-time recognition and application. Its success relies on how individuals and institutions interact with and implement its provisions. Those federal government institutions authorized to disclose information under the SCIDA must maintain a certain vigilance for information that may have national security repercussions, including at the most basic operational level. Having recognized information that could involve national security matters, departments must then decide whether they are authorized to disclose that information and to whom, paying close attention to minimizing any impacts on individual privacy rights.

9.Federal departments and agencies with core national security mandates are generally able to rely on their own legal frameworks to share information with other domestic institutions, and do not require the SCIDA to do so. Previous NSIRA reports have found that for many such institutions, disclosures made under the SCIDA comprise only a small portion of their domestic national security information sharing.

10.NSIRA understands the significance of the SCIDA in the overall national security framework, and is concerned with its robust application, in keeping with the provisions of the SCIDA, including its guiding principles, and with respect to the disclosure of personal information. What is more, NSIRA has the ability to review all disclosures across the Government of Canada, and through this broad lens, can identify common themes and trends. This perspective, not available to individual federal departments, enables NSIRA to make findings and recommendations that can strengthen overall information disclosure within the national security framework.

Focus of this Review

11.In determining the focus of this review, NSIRA considered the concerns raised in its review conducted the year prior. In the review of disclosures made under the SCIDA in 2020, which NSIRA undertook jointly with the Office of the Privacy Commissioner (OPC), the review found that the majority of federal department disclosures – approximately 99 per cent – met the threshold requirements that permit information to be disclosed under the SCIDA. In other words, the disclosing institutions sufficiently demonstrated that they had satisfied themselves, prior to providing the disclosures, that the information to be disclosed would contribute to the exercise of the recipient’s jurisdiction or responsibilities respecting activities that undermine the security of Canada, and that it would not affect any person’s privacy interest more than reasonably necessary in the circumstances.

12.The few disclosures that raised concerns, however, were those that had been provided to the recipient institutions on a proactive basis. As such, NSIRA chose to focus on this category for its 2021 review of disclosures under the SCIDA. In 2021, the majority of proactive disclosures came from Global Affairs Canada (GAC). NSIRA therefore chose to focus on GAC’s proactive disclosures in 2021, as a representative sample.

13.In addition to reviewing these disclosures from the perspective of the SCIDA’s prerequisite thresholds, this review also assessed other important requirements under the SCIDA that help to ensure responsible disclosures of national security information. These include the need for disclosures to be accompanied by statements that attest to the accuracy and reliability of the information being disclosed, as well as the obligation on all disclosing institutions to prepare and keep records that set out a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.

14.Although the review sample focused on GAC proactive disclosures, many findings and recommendations are general and illustrative and, in many instances, may be useful to all institutions when disclosing under the SCIDA.

Review Objectives

15.The objectives of this review were to assess proactive disclosures of information under the SCIDA.

16.Specifically, the review assessed whether GAC:

  • a) Satisfied itself, prior to disclosing any information, that the disclosure would contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA;
  • b) Satisfied itself, prior to disclosing any information, that the disclosure would not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA;
  • c) Described, at the time of the disclosure, the accuracy of the information disclosed and the reliability of the manner in which it was obtained, as required under subsection 5(2) of the SCIDA; and
  • d) Kept records that included a description of the information that was relied on to satisfy itself that the disclosure was authorized under the SCIDA, as required under paragraph 9(1)(e) of the SCIDA.

Methodology

17.NSIRA received 195 disclosures of information from federal departments that reported either disclosing or receiving information under the SCIDA between January 1, 2021 and December 31, 2021. NSIRA conducted a preliminary review of all disclosures received.

18.NSIRA focused this year’s review on GAC proactive disclosures only. GAC identified 16 proactive disclosures out of a total of 44 disclosures under the SCIDA in 2021. However, in reviewing the material provided by GAC, NSIRA noted that three of these files were in fact requests for information from another department, and not disclosures of information under the SCIDA. As such, NSIRA removed these three files from the review sample, and only analyzed the remaining 13 disclosures identified by GAC as proactive disclosures.

19.NSIRA sent five follow up requests for information to GAC regarding its disclosures, and assessed all records provided.

3. Analysis

20. In conducting this review, NSIRA observed positive components of disclosures that it endeavours to highlight in this report. Proactive disclosures are an important feature of the SCIDA regime, and the following findings and recommendations aim to enhance compliance with the SCIDA.

Thresholds for disclosing information to federal institutions under the SCIDA

a) Jurisdiction or responsibilities in respect of activities that undermine the security of Canada

21. Paragraph 5(1)(a) of the SCIDA requires departments to satisfy themselves that disclosures “will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada.”

22. The definition of “activity that undermines the security of Canada” is set out at subsection 2(1) of the SCIDA and includes, for example, espionage and terrorism. Certain activities are excluded from this definition, notably advocacy and protest not carried out in conjunction with an activity that undermines the security of Canada.

23. In conducting this review, NSIRA examined each disclosure in the sample and its corresponding documentation to assess whether GAC had satisfied itself, prior to making the disclosure, that the information to be disclosed would contribute to the recipient department’s jurisdiction in respect of activities that undermine the security of Canada, as defined in the SCIDA.

24. In 12 of the 13 disclosures reviewed, GAC sufficiently demonstrated that it had satisfied itself as to these requirements. Furthermore, in all of these 12 disclosures, GAC documented that it had considered not only whether the recipient had the appropriate jurisdiction, but also how the information would contribute to that jurisdiction in respect of an activity that undermines the security of Canada as defined in the SCIDA. For example, see text box 1. The information in the disclosure file supports the text of this statement.

Text box 1: Example of statement in disclosure demonstrating GAC satisfied itself as to the requirements under 5(1)(a) of the SCIDA

GAC’s disclosure will contribute to the carrying out of CSIS’ responsibilities under section 12 of the CSIS Act, which require CSIS to investigate activities that may on reasonable grounds be suspected of constituting threats to the security of Canada. Section 2.a of the CSIS Act defines threats to the security of Canada as encompassing threats or acts of “espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage.” CSIS collects, analyzes and retains information and intelligence on these threats to the extent that it is strictly necessary to do so, and reports to and advises the Government of Canada. In the circumstances, GAC’s disclosure will contribute to CSIS’ responsibility under section 12 of the CSIS Act to investigate and report on threats to the security of Canada as defined in section 2.a of the CSIS Act. Specifically, the disclosure will contribute to an assessment of a potential espionage threat [against Canadian interests abroad].

25.However, NSIRA observed that in one of those twelve disclosures, GAC consulted on more information than necessary to determine whether the disclosure was authorized under the SCIDA. This disclosure is described below.

Disclosure 1

26.A foreign country provided information about an individual with ties to Canada, to GAC headquarters, and requested that GAC forward the information to appropriate authorities. GAC then met with CSIS and showed them the information in their holdings, in order to clarify whether the information contributed to CSIS’s national security mandate. CSIS reviewed the information and confirmed that the information was of value to their investigation. CSIS did not report any of the information in its holdings.

27.Following that consultation, GAC concluded that a number of the documents did not pertain to an activity that undermines the security of Canada, as they contained “significant amounts of personal information unrelated to [the subject of the investigation] and reflecting acts considered lawful in Canada, such as freedom of speech (with no stated intent to engage in acts of violence) and freedom of peaceful assembly.” As such, GAC subsequently formally disclosed to CSIS only a fraction of the previously consulted documents. With respect to this formal disclosure, GAC demonstrated that it satisfied itself as to the requirements under paragraph 5(1)(a) of the SCIDA.

28. GAC indicated to NSIRA that the Public Safety guide on responsible information-sharing (PS Guide) is its primary policy guidance on the SCIDA. NSIRA notes that the PS Guide encourages government institutions to “communicate with the designated recipient institution prior to disclosure to determine not only whether the information is linked to activities that undermine the security of Canada but also how it contributed to that institution’s national security mandate.” This should not be interpreted as providing authorization to consult on more information than necessary, given the possibility that information outside the scope of a SCIDA disclosure may be included.

29. During its consultation with CSIS, GAC consulted on information that it later assessed as not concerning an activity that undermines the security of Canada as defined in the SCIDA and which was later removed from the formal disclosure under the SCIDA. The consultation involved showing GAC’s full information holdings to CSIS, which was more information than necessary to obtain confirmation from CSIS that the information was of value. Information used in consultations should be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to the carrying-out of its mandate and is linked to activities that undermine the security of Canada.

30. Furthermore, despite twelve out of thirteen disclosures meeting the requirements of paragraph 5(1)(a) of the SCIDA, one disclosure did not. NSIRA addresses this disclosure below.

Disclosure 2

31. An individual overseas, on their own initiative, identified themselves as a member of that country’s government and provided information to an official at a Canadian embassy about an alleged threat. GAC disclosed this information along with personal information, including the individual’s contact information, to the Canadian Security Intelligence Service (CSIS), invoking the SCIDA as an authority to make the disclosure. However, GAC did not consider whether this disclosure met the two threshold requirements under paragraphs 5(1)(a) and 5(1)(b) of the SCIDA, prior to disclosing this information in its entirety. During the course of this review, GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and it was authorized under another authority for disclosing information in such circumstances, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances. Nonetheless this example demonstrates a) that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information, and b) that such confusion, in this case, led to the improper use of the SCIDA to disclose.

Finding no. 1: NSIRA finds that, in twelve out of thirteen disclosures, GAC demonstrated that it satisfied itself as to the contribution of the information to the recipient institution’s responsibilities in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA.

Finding no. 2: NSIRA finds that, without first conducting the analysis under paragraph 5(1)(a) of the SCIDA, departments risk disclosing information that does not pertain to the national security mandate of the recipient institution or to activities that undermine the security of Canada.

Finding no. 3: NSIRA finds that, in one of thirteen disclosures, GAC consulted on more information than necessary to obtain confirmation that the disclosure contributed to CSIS’s mandate and was linked to activities that undermine the security of Canada.

Recommendation no. 1: NSIRA recommends that consultations be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to its mandate and is linked to activities that undermine the security of Canada.

b) Privacy interest not impacted more than reasonably necessary in the circumstances

32. Paragraph 5(1)(b) of the SCIDA requires that disclosing institutions be satisfied that the disclosure will not affect any person’s privacy interests more than reasonably necessary in the circumstances.

33. All thirteen proactive disclosures included personal information as defined in the Privacy Act, that is, identifiable information about an individual, such as name, contact information, background information, or suspicions concerning the individual.

34. The PS Guide provides direction on the type of analysis required prior to disclosing personal information. More specifically, the PS Guide states “whether the information impacting a person’s privacy interest is considered ‘reasonably necessary’ will depend upon the particular circumstances of each case. Relevant considerations may include contextual factors, such as the type and nature of the information in question and the particular purpose for the disclosure.”

35. In response to NSIRA requests for further information, GAC explained how it satisfied itself that these proactive disclosures did not affect any person’s privacy interest more than reasonably necessary in the circumstances.

36. For example, GAC explained that in eight of the thirteen disclosures, GAC determined that some of the information it was considering disclosing was not within the scope of the recipient institution’s mandate. In the same disclosures, GAC also stated that it determined that some of the information in its holdings did not contribute to the institution’s investigation or fall within the recipient institution’s original request for information. For example, in one disclosure, only an individual’s travel status abroad was shared with CSIS as this pertained to the latter’s responsibilities in a national security matter. Other information in GAC’s holdings, such as information concerning other individuals, was determined by GAC not to be relevant, and therefore was not included in the disclosure.

37. Similarly, GAC explained that in two of the thirteen disclosures, GAC determined that some information was necessary to report to the recipient department, and therefore included in the disclosure. More detailed information not linked to activities that undermine the safety of Canada was not disclosed. For example, in one of the two disclosures, only information about suspected espionage activity was disclosed to CSIS, while detailed information about certain personal activities and behaviours was withheld.

38. NSIRA observed that of the 13 disclosures in the sample, three disclosures did not meet the requirements under paragraph 5(1)(b) of the SCIDA.

39. In Disclosure 2, described above, GAC disclosed information that was received from an individual who, on their own initiative, provided information to an official at a Canadian embassy overseas. GAC did not conduct any analysis under the SCIDA including whether the disclosure would affect privacy interests more than reasonably necessary in the circumstances, and proceeded with disclosing the entirety of the information to CSIS. GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and was authorized under another authority for disclosing information, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances.

Disclosures 3 and 4

40. A Canadian embassy abroad received screen shots of a private social media group. The screenshots included information about a political movement in a foreign country. They also contained the contact information of all members of the group. While the group shared posters about the movement and information concerning protests in Canada, there were no threats, whether specific or general, in the material. However, based on some information in the screenshots, as well as the broader context of protests, past events, and open source media, GAC determined that the information contributed to the exercise of the Royal Canadian Mounted Police (RCMP)’s and CSIS’s jurisdiction, or the carrying out of their responsibilities, in respect of activities that undermine the security of Canada.

41. GAC disclosed the entirety of the information to both the RCMP and CSIS. The only information redacted was the name and contact information of the individual who provided the information to GAC.

42. GAC explained to NSIRA that it concluded that paragraph 5(1)(b) of the SCIDA was met because it did not identify a reasonable expectation of privacy in the content of the private social media group. NSIRA observes that GAC did not consider all of the relevant factors that would allow it to satisfy itself that the disclosure would not affect any person’s privacy interest more than is reasonably necessary in the circumstances. As such, the disclosure of information did not meet the second threshold requirement under subsection 5(1) of the SCIDA. Therefore, the disclosure of personal information of the group members did not comply with the requirements of the SCIDA.

Finding no. 4: NSIRA finds that, in ten out of thirteen disclosures, GAC satisfied itself that the disclosure will not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA.

Accuracy and Reliability Statements

43. The Arar Report noted that “sharing unreliable or inaccurate information does not provide a sound foundation for identifying and thwarting real and dangerous threats to national security and can cause irreparable harm to individuals.”

44. A core theme in the SCIDA’s guiding principles is that of effective and responsible disclosure of information. Disclosing institutions are required, under subsection 5(2) of SCIDA, to provide information at the time of disclosure regarding the accuracy of the information disclosed and the reliability of the manner in which it was obtained.

45. Given the valuable context that accuracy and reliability statements provide to disclosures, precise and complete statements tailored to the specific circumstances of the disclosure can help avoid false perceptions, and can help ensure that recipient institutions have a clear understanding as to the accuracy and reliability of the information disclosed.

46. GAC relied on the PS Guide as its primary policy guidance document on the SCIDA. The PS Guide sets out that ensuring that the information disclosed is as accurate, complete, and as upto-date as possible is key to responsible and effective information sharing.

47. GAC informed NSIRA that partner agencies can better verify the accuracy of the information and the reliability of its source than GAC. NSIRA agrees that in some instances, GAC has limited capability for verification. Nonetheless, the SCIDA requires accuracy and reliability statements in every disclosure; accuracy and reliability statements must be clear and contextspecific in order to be meaningful.

48. In an example of a well-developed statement, GAC provided the following: The information disclosed by GAC was obtained through interactions between GAC officials with [known and credible source X and another individual]. GAC is not in a position to assess the accuracy and reliability of the above information provided to GAC officials by [these individuals]. GAC assesses that [source X] is highly credible, and is likely providing reliable information. In this case, the statement made a distinction between the accuracy and reliability of the information disclosed, depending on the source of that information. The disclosure sets out which information was provided by which source.

49. Overall, eleven of the thirteen disclosures contained accuracy and reliability statements. Two disclosures did not include the statement as the SCIDA requires. These omissions were not tied to GAC’s inability to verify the accuracy and reliability of the information.

Finding no. 5: NSIRA finds that two out of thirteen disclosures did not contain accuracy and reliability statements as required by subsection 5(2) of the SCIDA.

Recommendation no. 2: NSIRA recommends that in order to provide the most valuable and meaningful context for the recipient institution, accuracy and reliability statements should be clear and specific to the circumstances of the disclosure.

Record-keeping

50. Paragraph 9(1)(e) of the SCIDA requires that disclosing institutions prepare a description of the information that they relied on to satisfy themselves that the disclosure was authorized under the SCIDA, including that the disclosure did not affect privacy interests more than reasonably necessary, as part of their record-keeping obligations under the SCIDA.

51. It is noted that the PS Guide sets out the steps to making a disclosure, which include creating a record describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA. Furthermore, the PS Guide’s Appendix A: Record-keeping Template for Institutions Disclosing Information under the SCIDA, which is intended to help departments meet record-keeping obligations for disclosing institutions under the SCIDA, contains a field for departments to describe that information. It also restates the requirements under paragraphs 5(1)(a) and (b) of the SCIDA that the disclosing institution be satisfied that the disclosure will contribute to the recipient institution’s national security mandate, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances.

52. The SCIDA 2020 Review observed that GAC’s records describing the information it used to satisfy itself that certain responsive disclosures to CSIS, were robust. The basis for this observation was that GAC’s records contained information provided by CSIS to aid in GAC’s assessment, including details of the potential impact on the subject(s) of the request.

53. During the course of this year’s review, NSIRA requested that GAC provide a description of how it satisfied itself that the disclosure was authorized under both threshold requirements under the SCIDA. NSIRA also requested that GAC provide all supporting documents GAC relied on in its assessment. GAC provided explanations in response to NSIRA’s queries in this regard, referencing supporting documents. Based on a review of the records provided, NSIRA observes that GAC’s practices could be improved by contemporaneously and expressly articulating which information it relied on to satisfy itself that the disclosures would not impact any person’s privacy interest more than reasonably necessary in the circumstances.

Recommendation no. 3: NSIRA recommends that all disclosing departments contemporaneously prepare descriptions of the information that was relied on to satisfy themselves that disclosures were authorized under the SCIDA.

Training on the SCIDA

54. GAC used four distinct PowerPoint documents in 2021 to train employees on the SCIDA.

55. A course entitled Governance, Access, Espionage and Technical Security (GATE) was accessible to all employees going on postings as an introductory course focused on the awareness of information security at GAC. This presentation did not include practical examples or scenarios, but explained that any information sharing under the SCIDA must be done through GAC Headquarters.

56. Furthermore, a presentation provided by the Director General of the Intelligence Bureau to the majority of Heads of Mission going on postings, as an introductory course on intelligence support and security, did not provide illustrative examples or scenarios, but set out that information sharing under the SCIDA must be done through Headquarters.

57. Finally, the Department of Justice legal team provided two presentations: one to Global Security Reporting Program Officers going on postings as an introduction to information sharing policies and practices, including several slides on the SCIDA, and the other to groups of employees at Headquarters as an introduction to information sharing policies and practices. NSIRA noted that each presentation included only one or two examples illustrating the considerations in making a disclosure under the SCIDA.

58. Three of the four presentations also included a range of information about record-keeping requirements. However, the information in the presentations was largely limited to reiterating the requirements under the SCIDA, and no practical examples or scenarios were provided. Similarly, while these presentations reiterated requirements under the SCIDA to include accuracy and reliability statements, no practical examples were provided.

Finding no. 6: NSIRA finds that GAC training on the SCIDA lacks sufficient illustrative examples required to provide employees with adequate guidance to fulfill their obligations under the SCIDA.

Recommendation no. 4: NSIRA recommends that additional illustrative examples and scenarios be included in the SCIDA training, including for disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements.

4. Responsiveness and provision of information

59. All departments met the timelines for the provision of information to NSIRA.

60. Subsections 9(1) and 9(2) of the SCIDA contain record-keeping obligations for disclosing and recipient institutions. Subsection 9(3) of the SCIDA requires all departments to provide every record prepared under those subsections to NSIRA, for the purpose of NSIRA’s annual review of disclosures under SCIDA. Not only is thorough record-keeping a legal requirement for disclosing and recipient institutions, it is not possible for NSIRA to fulfill its mandated annual review without all records from all departments.

61. This review focussed on GAC proactive disclosures. NSIRA conducted a cross-comparison of the number of disclosures reported by GAC and those received by recipient institutions and notes that the numbers align. NSIRA did not independently verify the completeness of the records provided by GAC. Nonetheless, the assessment under the SCIDA requires GAC to demonstrate compliance. Additional requests for information over the course of the review led NSIRA to conclude that it received all information necessary to conduct the review. Finally, GAC had the opportunity to review a preliminary draft of this report and provide additional information. For these reasons, NSIRA is confident that it received all information necessary to conduct the review.

5. Conclusion

62. The SCIDA is a legislative tool meant to encourage and facilitate the responsible and effective disclosure of national security-related information between federal government institutions. Of the thirteen disclosures in the review sample, three did not meet one or both disclosure threshold requirements and two did not contain accuracy and reliability statements. Prior to consulting on potential disclosures, departments should consider what information is necessary to include in the consultation. Departments should also contemporaneously document on what basis they were satisfied that disclosures were authorized under the SCIDA. Furthermore, improvements to ongoing training are recommended, to provide more illustrative examples to guide employees in fulfilling their obligations under the SCIDA. NSIRA looks forward to revisiting the implementation of the SCIDA in future years and expects to find improved compliance, recordkeeping, and delivery of training programs.

Share this page
Date Modified: