Date of Publishing:
Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!
In 2021, the National Security and Intelligence Review Agency (NSIRA) launched a comprehensive review of the Royal Canadian Mounted Police’s (RCMP) Human Source Program. This review was part of a broader, three-part series focused on how federal agencies manage and use human sources in national security operations. The other reviews in the series looked at the Canada Border Services Agency and the Department of National Defence/Canadian Armed Forces. While NSIRA had previously assessed aspects of the RCMP’s work, this was the agency’s first in-depth and targeted review of the RCMP’s human source program.
The review examined the legal and policy frameworks guiding the RCMP’s use of human sources — individuals who provide vital information that can be difficult or impossible to obtain through other means. It focused on three key areas:
Human sources, including police agents and confidential informants, play an essential role in national security investigations. Proper management, risk mitigation, and oversight of these programs are critical to ensuring investigations are conducted lawfully, ethically, and effectively.
The review identified areas of concern, particularly regarding the recruitment and use of confidential informants. NSIRA found that:
The review also highlighted shortcomings in how the RCMP handles investigations involving Canadian Fundamental Institutions — including, academia, politics, religion, the media, and trade unions. Despite a 2003 Ministerial Direction requiring “special care” in such sensitive investigations, NSIRA found the RCMP has not consistently demonstrated this level of care. Moreover, there is currently no framework in place to assess the cumulative impact of these investigations on individuals, institutions, or communities.
To address these issues, NSIRA issued six recommendations aimed at improving oversight, strengthening the management and assessment of risk, enhancing the duty of care to confidential informants, and better accounting for the impact of national security investigations involving Canadian Fundamental Institutions.
The Security of Canada Information Disclosure Act (SCIDA) is intended to facilitate information sharing across government for national security purposes. Disclosures under SCIDA tend to include considerable personal information, such as passport information, citizenship status, and information gathered by diplomatic missions.
NSIRA is responsible for annually reviewing disclosures made during the previous calendar year and submits a report with its findings and recommendations to the Minister of Public Safety.
Annual reviews of disclosures by NSIRA are key to ensuring that Government of Canada (GC) institutions use SCIDA in a manner that respects the Canadian Charter of Rights and Freedoms and the privacy rights of the individuals whose information is being disclosed.
This report describes the results of a review by NSIRA of SCIDA disclosures made in 2023. It was tabled in Parliament by the Minister of Public Safety, as required under subsection 39(2) of the NSIRA Act, on June 13 2025.
Since NSIRA began reviewing GC institutions’ compliance with the Act five years ago, it has made recommendations to promote higher levels of compliance among GC institutions. This has resulted in those institutions adjusting their practices and increasingly demonstrating an improved understanding of their obligations.
This year, for the first time in SCIDA’s history, NSIRA has found full compliance with the Act. As such, the report contains seven recommendations aimed at improving the practices of GC institutions to ensure that this high level of compliance is maintained.
Date of Publishing:
| CBSA | Canada Border Services Agency |
| CFIA | Canadian Food Inspection Agency |
| CNSC | Canadian Nuclear Safety Commission |
| CRA | Canada Revenue Agency |
| CSE | Communications Security Establishment |
| CSIS | Canadian Security Intelligence Service |
| DND/CAF | Department of National Defence/Canadian Armed Forces |
| FINTRAC | Financial Transactions and Reports Analysis Centre of Canada |
| GAC | Global Affairs Canada |
| GC | Government of Canada |
| IRCC | Immigration, Refugees and Citizenship Canada |
| NSIRA | National Security and Intelligence Review Agency |
| PHAC | Public Health Agency of Canada |
| PS | Public Safety Canada |
| RCMP | Royal Canadian Mounted Police |
| SCIDA | Security of Canada Information Disclosure Act |
| TC | Transport Canada |
| Contribution test | The first part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)). |
| Proportionality test | The second part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)). |
The objective of this review was to determine whether Government of Canada (GC) institutions complied with the Security of Canada Information Disclosure Act (SCIDA)’s requirements for disclosure and record keeping in 2023. The review assessed GC institutions’ use of information-sharing arrangements, consistent with SCIDA’s guiding principles. The review also documented the volume of SCIDA disclosures and highlighted patterns in the SCIDA’s use across GC institutions and over time.
This is the fifth year that GC institutions have used the SCIDA and that NSIRA has reviewed their compliance with the act. Each year, NSIRA has made recommendations aimed at promoting compliance with the Act. Over the last five years, GC institutions have adjusted their practices and are increasingly demonstrating an improved understanding of their obligations. As a result, for the first time in SCIDA’s history, NSIRA found full compliance with the SCIDA. This allowed NSIRA to focus its review on in-depth analysis of the SCIDA’s contribution and proportionality tests.
For instance, some Immigration, Refugees and Citizenship Canada (IRCC) disclosures, albeit compliant with the SCIDA, presented a heightened risk of non-compliance with these two tests. One disclosure involving protest activity raised concerns regarding how IRCC arrived at the conclusion that the disclosure was related to activity that undermined the security of Canada, and thus complied with paragraph 5(1)(a) of the SCIDA. Three disclosures also raised concerns with regard to the amount of personal information that IRCC disclosed following its proportionality assessment, pursuant to paragraph 5(1)(b).
CSIS request letters, on which IRCC often relies to assess compliance with subsection 5(1), were at times unclear. This hindered IRCC’s effort to satisfy itself that the disclosure was authorised under the SCIDA.
IRCC provided templated statements on accuracy and reliability that were not always relevant or specific to the circumstances of the disclosure. In one case, the Canada Border Services Agency (CBSA) made a verbal disclosure that did not include an explicit statement about accuracy and reliability at time of disclosure. In addition, CBSA’s record of disclosure form contradicts the SCIDA by suggesting that the provision of information on accuracy and reliability is optional.
As encouraged by the SCIDA’s guiding principles, and as recommended by NSIRA previously, IRCC and the Communication Security Establishment signed an informationsharing agreement.
NSIRA made seven recommendations to mitigate risks of non-compliance and enshrine best practices in future years.
This review was conducted pursuant to subsections 8(1)(b) and 39(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).
The review satisfies the NSIRA Act’s section 39 requirement for NSIRA to submit a report to the Minister of Public Safety on disclosures made under the Security of Canada Information Disclosure Act (SCIDA, Act) during the previous calendar year.
The objective of this review was to determine whether Government of Canada (GC) institutions complied with the SCIDA’s requirements for disclosure and record keeping. The review assessed GC institutions’ use of information-sharing arrangements, consistent with SCIDA’s guiding principles. The review also documented the volume of SCIDA disclosures and highlighted patterns in the SCIDA’s use across GC institutions and over time.
The review included all GC institutions that disclosed or received information under the SCIDA in 2023: the Canada Border Services Agency (CBSA), Communications Security Establishment (CSE), Canadian Security Intelligence Service (CSIS), Global Affairs Canada (GAC), Immigration, Refugees and Citizenship Canada (IRCC), and Royal Canadian Mounted Police (RCMP). The review also included Public Safety Canada (PS), which provides SCIDA-related policy guidance and training across the GC.
NSIRA assessed administrative compliance with the SCIDA’s record keeping obligations in respect of all disclosures made in 2023.
NSIRA assessed substantive compliance with the SCIDA’s disclosure requirements for a targeted sample of 27 disclosures, selected according to the parameters described in Annex A.
The NSIRA Act grants NSIRA rights of timely access to any information in the possession or under the control of a department (except for cabinet confidences) and to receive from the department any documents and explanations NSIRA deems necessary. NSIRA monitors cooperation with access requests, including the completeness and accuracy of disclosures, which inform its overall assessment of a department’s responsiveness in each review.
All reviewees met NSIRA’s expectations for responsiveness during this review.
The SCIDA provides an explicit, stand-alone authority to disclose information between GC institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.
Section 9 of the SCIDA prescribes record-keeping obligations for all institutions who disclose or receive information under the Act. Subsection 9(3) requires that these records be provided to NSIRA within 30 days after the end of each calendar year.
Subsection 5(1) of the SCIDA authorizes GC institutions to disclose information –subject to any prohibitions or restrictions in other legislation or regulations – to designated recipient institutions if the disclosing institution is satisfied that (a) the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (the “contribution test”); and (b) the information will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (the “proportionality test”).
Subsection 5(2) requires disclosing institutions to, at the time of the disclosure,also provide information regarding the disclosure’s accuracy and the reliability ofthe manner in which it was obtained.
When a GC institution receives information under the Act, subsection 5.1(1)requires that the institution destroy or return any unnecessary personal informationas soon as feasible after receiving it.
The SCIDA’s guiding principles reinforce the notion that effective and responsible disclosure of information protects Canada and Canadians. Of note, subsection 4(c)suggests that GC institutions enter into an information-sharing arrangement when they regularly disclose information to the same recipient.
In 2023, GC institutions made a total of 269 disclosures under the SCIDA (see Table 1).
| Designated Recipient Institutions | ||||||||||||||||||
| Disclosing Institution | CBSA | CFIA | CNSC | CRA | CSE | CSIS | DND/CAF | Finance | FINTRAC | GAC | Health | IRCC | PHAC | PSC | RCMP | TC | TOTAL (proactive) | |
| CBSA | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 2 (2) |
– | 2 (2) |
|
| GAC | – | – | – | – | 1 (1) |
10 (0) |
– | – | – | – | – | – | 4 (0) |
– | 15 (1) |
– | 53 (32) |
|
| IRCC | – | – | – | – | 58 (0) |
194 (7) |
– | – | – | – | – | – | – | – | – | – | 252 (7) |
|
| TOTAL (proactive) | – | – | – | – | 59 (1) |
204 (7) |
– | – | – | – | – | 1 (0) |
– | – | 6 (2) |
– | 263 (10) |
|
The number of disclosures increased 55% since 2022, reversing the slight downward trend in the number of disclosures observed across prior years. This shift is largely due to a 246% increase in disclosures from IRCC to CSIS. CSIS attributes this increase to a policy shift that led them to use the SCIDA to request information that IRCC previously provided under the Privacy Act.
As in previous years, disclosing institutions made the vast majority of disclosures following a request. Only 4% of disclosures were sent proactively by the disclosing institution.
Finding 1. NSIRA found that every institution that disclosed or received information pursuant to SCIDA in 2023 complied with their record keeping obligations under section 9, but some records were inaccurate or imprecise.
Section 9 of the SCIDA prescribes record-keeping obligations for all disclosing institutions, as well as institutions who receive information pursuant to a disclosure. These requirements include, among others, that records of the disclosure describe the information as well as indicate whether the information was destroyed or retained by the recipient. NSIRA’s cross-reference of records provided by disclosing and recipient institutions revealed some inaccuracies that were clarified through discussion with the institutions following receipt of their records:
- Under paragraph 9(2)(a), CSE mislabelled the number of subjects that the disclosure pertained to in four (of 59) instances;
- Under paragraph 9(2)(e), CSIS records included contradictory information as to whether the information received has been destroyed or retained; and
- Under paragraph 9(1)(a), IRCC records included contradictory descriptions of the information disclosed.
NSIRA was unable to reconcile the information provided in relation to one case where the CBSA made a verbal disclosure to the RCMP. Based on the initial records provided by the RCMP and CBSA, NSIRA could not determine with certainty what personal information was shared, and when. In response to a recommendation from NSIRA’s SCIDA review for 2022, the CBSA developed a record of disclosure form to serve as a record overview. In this instance, the form was incomplete and contradicted the copy of the disclosure that was also provided to NSIRA.
As it did last year, NSIRA underscores the importance of administrative precision in preparing records, and notes that a record overview – when correctly prepared –supports compliance with SCIDA record keeping requirements.
NSIRA identified several instances in which the disclosing institution did not provide an explicit statement, under paragraph 9(1)(e), regarding the information that was relied on to satisfy the disclosing institution of the proportionality test. Three of these disclosures were included in NSIRA’s targeted sample for assessing the contribution and proportionality tests.
Finding 2. NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves under the contribution and proportionality tests in compliance with subsection 5(1) of the SCIDA.
To assess compliance with subsection 5(1), NSIRA first considered the explicit statements prepared by disclosing institutions under paragraph 9(1)(e), describing the information that was relied on to satisfy themselves that the disclosure was authorized under the Act. When an explicit statement was provided, NSIRA analysed and corroborated these statements by reviewing all other documents provided by GC institutions related to a given disclosure. Additional documents provided did not raise any concern with paragraphs 5(1)(a) and 5(1)(b) compliance.
For all 27 disclosures included in the sample, the disclosing institution provided anexplicit statement that demonstrated that they had satisfied themselves that thedisclosure would contribute to the recipient’s jurisdiction or its responsibilities.24.
For 24 of the 27 disclosures, the disclosing institution provided an explicit statement that demonstrated they had satisfied themselves that no one’s privacy would be affected more than reasonably necessary in the circumstances. In the remaining three disclosures, despite having no explicit statement, other documents provided by the disclosing institutions nevertheless demonstrated that they had satisfied themselves of the proportionality test.25.
While NSIRA found that institutions were generally compliant with paragraphs5(1)(a) and 5(1)(b), IRCC’s contribution and proportionality assessments demonstrated some deficiencies. These deficiencies form the basis of findings 3and 4.
Recommendation 1. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
Finding 3. NSIRA found that IRCC did not, in one instance, independently consider whether its disclosure related to activities that fell under the SCIDA exception for advocacy, protest, or dissent. Instead, IRCC satisfied itself of the SCIDA’s contribution test based on assumptions about how CSIS assessed activities that undermine the security of Canada.
The contribution test under paragraph 5(1)(a) requires the disclosing institution to assess whether the disclosure relates to activities that undermine the security of Canada. These activities are defined by the Act and include, for example, espionage, covert foreign-influenced activities, terrorism, and significant or widespread interference with critical infrastructure. In its definition of activities that undermine the security of Canada, subsection 2(2) of the SCIDA includes an exception for advocacy, protest, dissent, or artistic expression. These, in and of themselves, do not constitute activities that undermine the security of Canada. The legislated exception helps to distinguish between legitimate forms of political dissent and national security threats.
In one instance, CSIS requested detailed information from IRCC related to an individual. The request sought current and past passport applications and these contain a great deal of personal information3.CSIS justified its request with anexcerpt from a news article which cited a quote uttered publicly by the individualduring a protest.
IRCC did not request any additional rationale from CSIS. It disclosed the individual’s passport application, including some associate’s information, along with the individual’s passport number, place of issue, and dates of issue and expiry.
In response to a query from NSIRA regarding on what basis it satisfied itself of the contribution test, IRCC explained that it “relies on the partner to accurately describe that the individual is tied to an activity that may undermine the security of Canada.” The IRCC official who authorized the disclosure further explained that IRCC assumed that CSIS had not relied solely on the individual’s statements quoted in the news article given the limits of CSIS’s authority to investigate lawful advocacy, protest or dissent under the CSIS Act.
The CSIS Act includes an exemption preventing CSIS from investigating lawful advocacy, protest or dissent, without the presence of threat related activities itemised in the CSIS Act. However, the SCIDA’s use of “activity that undermines the security of Canada” is a purposeful departure from the CSIS Act’s “threat to the security of Canada”. The distinction reflects legislative intent that the disclosing institution perform its own, fit-for-purpose assessment.
Subsection 5(1) of the SCIDA explicitly places the onus on the disclosing entity to assure itself that the disclosure is authorized. The process by which an institution satisfies itself should be grounded in an independent and factual assessment. In that context, a mere acquiesce of a request would not be sufficient, nor would a de facto reliance on the recipient respecting their enabling legislation. The threshold of satisfaction imports an objective standard that must be based on facts.
PS guidance notes that although the threshold imposed by subsection 5(1) does not hold institutions to perfection, they must make all reasonable efforts to satisfy themselves that the information will contribute to the recipient’s national security mandate. When encountering activities occurring in the context of political dissent or a protest, NSIRA expects institutions with a national security mandate to exercise caution when requesting information relating to an activity protected under the Canadian Charter of Rights and Freedoms (Charter) to further an investigation. At the same time, in this case, IRCC should have obtained more information prior to disclosure, to substantiate what activities were undermining the security of Canada to ensure the exception did not apply.
Recommendation 2. NSIRA recommends that IRCC amend their SCIDA policy to underscore that IRCC must independently assess whether the disclosure is authorized. This assessment should consider whether the activity amounts to one of the exceptions to the SCIDA’s definition of activities that undermine the security of Canada.
Finding 4. NSIRA found that, throughout the course of 2023, IRCC improved the rigour of its proportionality assessments regarding disclosure of passport information. However, NSIRA identified three instances where IRCC disclosed visa information without applying the same rigorous approach, which risked disclosing more personal information than reasonably necessary in the circumstances.
In summer 2023, IRCC adopted a “higher” standard to satisfy itself that no person’s privacy interest would be affected more than reasonably necessary when disclosing passport information to CSIS. According to IRCC, this shift was prompted by a previous NSIRA recommendation that IRCC be explicit in their records that the proportionality test was met. Not only did IRCC adjust their record keeping practices, but they also turned their attention to the substantive issue at hand. Indeed, IRCC closely examined the privacy impact their disclosures may have when responding to CSIS requests.
As a result, when dealing with the absence of additional rationale from CSIS, IRCC became more conservative in the disclosure of information. For example, IRCC began redacting associate’s information in passport applications, limiting the provision of historical applications, and refraining from disclosing applications of minors. They adopted an iterative approach to disclosing passport information, which cultivated a more appropriate weighting of individuals’ privacy interests vis-à-vis the recipient’s investigative needs.
IRCC’s new approach to assessing the proportionality of passport information disclosures was not well-received by CSIS, who characterize their receipt of redacted passport applications as a “massive” hindrance to section 12 investigations. In internal correspondence, a CSIS analyst noted that they would prefer that “IRCC not filter down the info and let them [CSIS] make the assessment based on the knowledge of [national security] threats”.
Still, the discretionary nature of SCIDA disclosures make it such that IRCC may choose what information to disclose, if any. IRCC’s SCIDA Standard Operating Procedure states that requests for disclosure must provide sufficient information to justify the release of associate’s information. Under the SCIDA, it is entirely within IRCC’s purview to seek and obtain such justification prior to disclosing information.
IRCC’s increased attention to privacy interests in the context of passport application disclosures was not imparted to disclosures of information collected from visa applications. It is important to note that this distinction is not a factor that should be considered when assessing proportionality. Under the SCIDA, the privacy interests of citizens and non-citizens must be similarly assessed, and only treated differently in a visa application if no reasonable expectation of privacy is assessed.
Annex B presents the details of three disclosures in relation to which IRCC disclosed visa information to CSIS, concerning over 20 individuals, without having first established facts relevant to the conduct of an informed proportionality assessment. In these cases, either the identities of the subject of the request were unknown or the link between the subject of the disclosure and the threat had yet to be established. NSIRA would have expected IRCC to follow a more iterative approach to disclosing this information, consistent with its approach to passport disclosures in the later part of 2023. Such an iterative approach would have entailed disclosing only basic information until a greater connection to the activity that undermined the security of Canada could be established or the identity of the individual could be confirmed.
Additionally, the cases presented in Annex B are not fully consistent with IRCC policy, which underscores that “disclosing […] more personal information than is necessary could constitute a breach of a person’s reasonable expectation of privacy, a right protected by the Canadian Charter of Rights and Freedoms”. This is an important consideration since the proportionality of a given disclosure may be a factor in determining its Charter reasonableness.
Under the SCIDA regime, and as explained in PS guidance, the proportionality testis conducted to help determine the scope of what can be disclosed, and not necessarily whether the disclosure should occur. Thus, it would have been warranted for IRCC to assess how the sharing of each piece of information would impact the privacy of the individuals in question.
Recommendation 3. NSIRA recommends that IRCC apply an iterative approach to its proportionality assessments, with a view to disclosing only the minimum information reasonably necessary in the circumstances to enable the recipient institution to further their investigation.
Finding 5. NSIRA found that CSIS requests to IRCC used inconsistent terminology and were often unclear about the relationship between the subject of the request and its investigation. At times, this lack of clear communication hindered IRCC’s efforts to satisfy itself that the disclosure was authorised under the SCIDA.
96% of IRCC disclosures to CSIS were in response to a request. IRCC used the information in CSIS’s request letters to assure itself that a disclosure met both the contribution and the proportionality tests. While IRCC is always at liberty to request more information from CSIS to satisfy itself that the disclosure is authorized, in the majority of disclosures requested by CSIS, IRCC based its assessments solely on the information provided by CSIS in the request letter.
NSIRA reviewed all request letters sent by CSIS to IRCC. CSIS used a wide variety of terms to describe the nature of its interest in the subject of a request, such as:
In most cases, CSIS did not define these terms or provide any more information on why the subject was of interest.
Furthermore, CSIS used the same (or similar) words when referring to different levels of interest. For example, “associated with” and “part of a Service Investigation” were used in requests for individuals with no known involvement in threat related activities and for individuals who CSIS has reason to suspect are involved in threat activities. In another instance, CSIS’s request letter stated that the subjects were related to the threat, but the connection between the threat and the individuals had not been established.
As a result of these inconsistencies and lack of clarity, IRCC could not understand key nuances relevant to its proportionality assessments. This issue is compounded by the fact the CSIS tended to request “any and all information” associated with the subject(s) of a request.
The relationship between the information requested and an investigation is an important factor considered by IRCC when assessing proportionality. Indeed, IRCC’s new approach to assessing proportionality takes into consideration the fact that information on associates contained in passport applications may not be material to the investigation. As a result, IRCC has often opted to redact some associate’s information, unless CSIS provided some indication that they are, or could be, implicated in the threat activity. In one of the several instances where CSIS stated that the subject of the request was “very closely associated to a CSIS subject of investigation”, IRCC requested an explanation to clearly link the subject of the request to the investigation. When CSIS did not provide it, IRCC opted to cancel the disclosure as it was not satisfied that the disclosure would meet the proportionality test.
It is essential that CSIS convey information in a clear and consistent manner given that IRCC takes this information into account in conducting its proportionality assessments. This is especially true when IRCC is disclosing associate’s information. When requesting information under the SCIDA, recipient institutions should, as a matter of course, facilitate disclosing institutions’ compliance with SCIDA thresholds by using clear and consistent terminology.
In late 2023, CSIS began centralizing its process for requesting IRCC SCIDA disclosures and developed a standard request form, which should help with consistency. As no requests were made in 2023 using these standard forms, NSIRA could not assess the effect of these changes in practice.
Recommendation 4. NSIRA recommends that CSIS use consistent terminology, and be clear about the nature of the link that has been established between the subject of a request and its investigation, to assist IRCC in satisfying itself of the proportionality test.
Finding 6. NSIRA found that disclosing institutions provided information regarding the accuracy of the information and reliability of the manner in which it was obtained in relation to all disclosures. However, CBSA made one verbal disclosure that did not include an explicit statement on accuracy and reliability.
Under the SCIDA, departments are required to provide information on the accuracy and the reliability of the manner in which the information being disclosed was obtained. They must do so at the time of the disclosure.
All written disclosures made in 2023 contained a statement on accuracy and reliability. However, CBSA made one proactive verbal disclosure of a tip to the RCMP, previously described in paragraph 19, in which it did not provide an explicit statement regarding accuracy and reliability at the time of disclosure.
Although the same information was shared again in writing two weeks later, an explicit, written statement on accuracy and reliability was only shared with the RCMP nearly two months later, when the CBSA disclosed additional information about the subject.
Subsection 5(2) states that “information” regarding accuracy and reliability “must” be provided at time of disclosure. NSIRA assesses in this case that, by its very nature, relaying that the information disclosed was derived from a tip conveyed information regarding accuracy and reliability to the RCMP. That said, an explicit, written statement is considered best practice. While verbal disclosures are not prohibited by the SCIDA, PS guidance notes that “[i]nformal communication cannot be used in lieu of the formal disclosure process or to replace the formal recordkeeping obligations.”
Recommendation 5. NSIRA recommends that institutions avoid making verbal disclosures whenever possible. When they must occur, verbal disclosures should explicitly convey the requisite information on accuracy and reliability.
Finding 7. NSIRA found that CBSA’s record of disclosure form contradicts the SCIDA by allowing officials to opt out of providing information regarding accuracy and reliability.
Although CBSA policy correctly reflects the mandatory nature of providinginformation on accuracy and reliability, its new record of disclosure form does not.The form includes a yes/no checkbox to indicate whether a statement confirmingthe accuracy and reliability was provided to the recipient institution. If the CBSAofficial selects “no”, they are prompted to explain why they elected to not provide astatement. This implies that it is discretionary and leaves the opportunity for CBSAto opt out of the requirement.
Further, the form does not specify that the statement must be provided at the timeof disclosure, as the SCIDA specifically demands.
Recommendation 6. NSIRA recommends that CBSA harmonize its record of disclosure form with the SCIDA to convey the mandatory nature of providing information on accuracy and reliability at the time of the disclosure.
Finding 8. NSIRA found that IRCC used templated language to describe the disclosure’s accuracy and reliability that was not always relevant or specific to the circumstances of the disclosure.
All IRCC disclosures made in 2023 included the same accuracy and reliability statement:
The information in this disclosure was provided by the Subject as part of their various applications to IRCC. The Subject declared that the information they provided as part of their applications was truthful, complete and correct. The information in this disclosure is accurate and reliable in so far as the Subject was truthful in their submissions to our Department. IRCC holds no information that would call into question the accuracy and reliability of the information provided by the Subject.
There are several cases where this statement provided by IRCC did not reflect the specific circumstances of the disclosure. For example, the statement above was included in a disclosure where no immigration or passport records were found and the only information disclosed was the lack of records. The same statement was used in disclosures of child general passport applications, which are actually completed by parents or legal guardians rather than by the subject themselves. When solely disclosing citizenship status to CSE, IRCC still included the same statement, despite the information disclosed not being provided by the subject as part of their application. In one case, the IRCC used the same statement in the disclosure but nevertheless contradicted itself by also stating that there was some reason to believe the information might not be accurate.
All of these cases point to a tendency of copying the accuracy and reliability information without giving sufficient attention to the relevance of the statement.
When instructing on the accuracy and reliability statement, the PS SCIDA guide suggests that “formulaic (templated) language should be avoided, unless the nature and source of information disclosed is derived from a routine process.” IRCC produces a large number of disclosures every year. While some language can be recycled, it is necessary that the statement remain an accurate representation of each disclosure. NSIRA has previously recommended that statements be clear and specific to the circumstances of the disclosure.
Recommendation 7. NSIRA recommends that IRCC tailor its statements on accuracy and reliability as to ensure that each disclosure’s statement is specific to the circumstances of the case.
Finding 9. NSIRA found that disclosures between IRCC and CSE that occurred following the enactment of their new information sharing agreement were compliant with both the SCIDA and their information sharing agreement.
In past SCIDA reviews, NSIRA noted that some departments regularly use the SCIDA in a manner that warrants information sharing arrangements (ISA), as encouraged by subsection 4(c) of SCIDA. In 2022, NSIRA recommended that IRCC and CSE develop an ISA to govern their SCIDA disclosures.
In August 2023, IRCC and CSE signed an ISA. As a whole, the new ISA between IRCC and CSE supports compliance with SCIDA, with all key legislated requirements from SCIDA being included in the ISA. The agreement also adheres to the guidance on preparing ISAs recently developed by PS.
Of the 24 disclosures made after the ISA implementation, all were deemed compliant with the new agreement. NSIRA looked at each disclosure made under the ISA and assessed them against a majority of the requirements outlined in the agreement.
This is the fifth year that GC institutions have used the SCIDA and that NSIRA has reviewed their compliance with the act. Each year, NSIRA has made recommendations aimed at promoting compliance with the Act. Over the last five years, GC institutions have adjusted their practices and are increasingly demonstrating an improved understanding of their obligations. As a result, for the first time in SCIDA’s history, NSIRA found full compliance with the SCIDA.
This review assessed GC institutions’ compliance with requirements for recordkeeping in respect of all 269 disclosures that were made and received in 2023. It assessed their compliance with requirements for disclosure in relation to a targeted sample of 27 disclosures. All were compliant with SCIDA requirements, but NSIRA found that IRCC’s contribution and proportionality assessments demonstrated some deficiencies. An increased understanding of the activities that undermine the security of Canada would support a more thorough proportionality assessment and greater utility of the disclosed information.
NSIRA made recommendations aimed at promoting compliance with SCIDA, particularly with regard to how departments determine whether the contribution and proportionality tests have been met.
Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to the following parameters:
IRCC proactively disclosed to CSIS the visa applications of several individuals who received a work permit in various research fields linked to economic security threat. These applications included personal information such as employment history, travel history, contact information, photos, passport information, and associate’s information. This was part of IRCC’s effort to proactively identify and share with CSIS information about individuals that may engage in activities that pose a threat to Canada’s economic prosperity.
While the national security concern posed by these types of economic security threats is well documented, the role that these individuals played in that space was unknown. IRCC selected the individuals in question based on one threat related criteria, but the other criteria used to narrow the pool individuals from several hundreds to a few individuals were unrelated to the threat the individuals posed. Indeed, IRCC chose these additional arbitrary criteria mainly for practical reasons.
For greater clarity, there was no information indicating that any of the several individuals in question were involved in activities that undermine the security of Canada. Most of these applications were not initially referred to CSIS for security screening by IRCC, meaning that the visa officer was fully satisfied that the applicants posed no threat. In one case, the application was sent for security screening but CSIS returned a favorable recommendation and the individual was granted a visa.
The proactive sharing of complete visa application packages with CSIS risked affecting these individuals’ privacy more than was reasonably necessary in the circumstances.
CSIS requested passport information about any individuals with a valid visa currently working for a specific foreign entity. IRCC did not have any passport applications for the individuals that matched the search criteria, but nevertheless disclosed entire visa applications for some individuals. IRCC also provided information about individuals who had previously worked at the foreign entity, and individuals who did not have a valid visa. This misalignment between what was requested and what was disclosed does not reflect a proper tailoring of information to meet SCIDA’s contribution and proportionality tests.
None of these individuals had been linked to a specific activity that undermined the security of Canada, either at the time of the request nor following the disclosure. CSIS and IRCC’s inability to characterize the nature of the individuals’ relationship to threat activities created a risk that IRCC’s disclosure may have affected their privacy more than was reasonably necessary in the circumstances.
CSIS sent a letter to IRCC requesting the disclosure of information within immigration applications on individuals including a spreadsheet with certain identifying personal information (called “selectors”). While large data-set requests and disclosures are not prohibited by the SCIDA, the requirements imposed by the contribution and proportionality tests must be applied to every discrete piece of information disclosed. As such, this type of information would need to be responsibly assessed prior to disclosure.
While the CSIS request letter provides extensive rationale as to why the threat actor named in the request letter poses a threat to national security, the IRCC officials that authorized the disclosure did not have contemporaneous information on how these selectors, and, by extension the individuals linked to these selectors, are linked to the threat actor.
Nevertheless, IRCC disclosed significant personal details pertaining to several individuals. For example, the disclosure included a foreign state visa refusal, information about military service, a personal picture, and other documents that would have been provided as part of a visa application.
This disclosure included more information than what CSIS requested. Given that the identity of the individuals are unconfirmed, as CSIS’s request clearly stated that the purpose of this request was for identification, this suggests that IRCC risked disclosing more than the least amount of personal information necessary for CSIS to further its investigation.
While the legislative burden to ensure that the disclosure is authorized under SCIDA falls on the disclosing entity, in this case IRCC, it may be very complex fora disclosing entity to discharge its obligation under paragraphs 5(1)(a) and 5(1)(b)with these types of large data-sets requests, particularly when the requester provides very little rationale linking each selector or individual to the activity that undermines the security of Canada.
| Disclosing Institution | Designated Recipient Institutions under the SCIDA, Schedule 3 | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CBSA | GAC | CNSC | CRA | CSE | CSIS | DND/CAF | Finance | FINTRAC | GAC | Health | IRCC | PHAC | PS | RCMP | TC | TOTAL | |
| 2022 | |||||||||||||||||
| CBSA | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 4 | – | 4 |
| GAC | – | 39 | 2 | – | – | – | – | – | – | – | – | – | – | – | 12 | – | 53 |
| IRCC | – | 59 | 56 | – | – | – | – | – | – | – | – | – | – | – | – | – | 115 |
| RCMP | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 1 | – | 1 |
| TOTAL | – | 59 | 95 | 2 | – | – | – | – | – | – | – | – | – | – | 16 | – | 173 |
| 2021 | |||||||||||||||||
| DND/CAF | – | – | – | – | – | – | – | – | – | – | 2 | – | – | – | – | – | 2 |
| GAC | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 2 | – | 44 |
| IRCC | – | 68 | 79 | – | – | – | – | – | – | – | – | 2 | – | 1 | – | – | 149 |
| TOTAL | – | 68 | 122 | – | – | – | 2 | – | – | – | – | 2 | – | 1 | 2 | – | 195 |
| 2020 | |||||||||||||||||
| CBSA | – | – | – | – | – | – | – | – | – | – | 1 | – | – | – | – | – | 4 |
| GAC | – | – | – | – | – | – | – | – | – | – | – | – | 25 | – | – | 13 | 40 |
| IRCC | – | 60 | 61 | – | – | – | – | – | – | – | – | – | 1 | – | 37 | – | 159 |
| RCMP | – | – | 1 | – | – | – | – | – | – | – | – | 1 | – | – | – | – | 3 |
| TC | – | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 2 | 2 |
| Other¹⁰ | – | – | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 1 |
| TOTAL | – | 61 | 88 | 1 | – | – | 3 | – | – | – | – | 6 | – | 55 | 1 | – | 215 |
| 2019 | |||||||||||||||||
| CBSA | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 1 | – | 3 |
| GAC | – | – | – | – | – | – | – | – | – | – | – | – | 23 | – | – | – | 42 |
| IRCC | – | 5 | 17 | – | – | – | – | – | – | – | – | – | 1 | – | 36 | – | 59 |
| RCMP | – | 4 | 1 | – | – | – | – | – | – | – | – | – | – | 3 | – | – | 8 |
| TC | – | – | – | – | – | – | – | – | – | – | – | – | – | – | 1 | – | 2 |
| TOTAL | – | 4 | 5 | – | 41 | – | 1 | – | – | – | 1 | – | – | – | – | – | 114 |
Finding 1. NSIRA found that every institution that disclosed or received information pursuant to SCIDA in 2023 complied with their record keeping obligations under section 9, but some records were inaccurate or imprecise.
Finding 2. NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves under the contribution and proportionality tests in compliance with subsection 5(1) of the SCIDA.
Recommendation 1. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
Finding 3. NSIRA found that IRCC did not, in one instance, independently consider whether its disclosure related to activities that fell under the SCIDA exception for advocacy, protest, or dissent. Instead, IRCC satisfied itself of the SCIDA’s contribution test based on assumptions about how CSIS assessed activities that undermine the security of Canada.
Recommendation 2. NSIRA recommends that IRCC amend their SCIDA policy to underscore that IRCC must independently assess whether the disclosure is authorized. This assessment should consider whether the activity amounts to one of the exceptions to the SCIDA’s definition of activities that undermine the security of Canada.
Finding 4. NSIRA found that, throughout the course of 2023, IRCC improved the rigour of its proportionality assessments regarding disclosure of passport information. However, NSIRA identified three instances where IRCC disclosed visa information without applying the same rigorous approach, which risked disclosing more personal information than reasonably necessary in the circumstances.
Recommendation 3. NSIRA recommends that IRCC apply an iterative approach to its proportionality assessments, with a view to disclosing only the minimum information reasonably necessary in the circumstances to enable the recipient institution to further their investigation.
Finding 5. NSIRA found that CSIS requests to IRCC used inconsistent terminology and were often unclear about the relationship between the subject of the request and its investigation. At times, this lack of clear communication hindered IRCC’s efforts to satisfy itself that the disclosure was authorised under the SCIDA.
Recommendation 4. NSIRA recommends that CSIS use consistent terminology, and be clear about the nature of the link that has been established between the subject of a request and its investigation, to assist IRCC in satisfying itself of the proportionality test.
Finding 6. NSIRA found that disclosing institutions provided information regarding the accuracy of the information and reliability of the manner in which it was obtained in relation to all disclosures. However, CBSA made one verbal disclosure that did not include an explicit statement on accuracy and reliability.
Recommendation 5. NSIRA recommends that institutions avoid making verbal disclosures whenever possible. When they must occur, verbal disclosures should explicitly convey the requisite information on accuracy and reliability.
Finding 7. NSIRA found that CBSA’s record of disclosure form contradicts the SCIDA by allowing officials to opt out of providing information regarding accuracy and reliability.
Recommendation 6. NSIRA recommends that CBSA harmonize its record of disclosure form with the SCIDA, to convey the mandatory nature of providing information on accuracy and reliability at the time of the disclosure.
Finding 8. NSIRA found that IRCC used templated language to describe the disclosure’s accuracy and reliability that was not always relevant or specific to the circumstances of the disclosure.
Recommendation 7. NSIRA recommends that IRCC tailor its statements on accuracy and reliability as to ensure that each disclosure’s statement is specific to the circumstances of the case.
Finding 9. NSIRA found that disclosures between IRCC and CSE that occurred following the enactment of their new information sharing agreement were compliant with both the SCIDA and their information sharing agreement.
Date of Publishing:
Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!
The Government of Canada faces threats from a broad spectrum of malicious cyber actors—from cybercriminals to sophisticated foreign states—making cybersecurity a top national security priority. Protecting federal systems against these threats is a responsibility of the Communications Security Establishment (CSE), Canada’s lead agency for cybersecurity.
Within CSE, the Canadian Centre for Cyber Security leads efforts to prevent, detect, and respond to cyber threats targeting government systems and infrastructure. In 2019, the Communications Security Establishment Act granted CSE broader powers to strengthen Canada’s cybersecurity posture, including enhanced authorities related to cybersecurity and information assurance (CSIA).
Because CSE’s work involves collecting and analyzing large volumes of digital information—which may incidentally involve Canadians or individuals located in Canada—robust review is essential to ensure these activities remain lawful, and reasonable; in particular, respectful of privacy rights.
In this context, NSIRA undertook its first dedicated review of CSE’s CSIA activities. The review closely examined one of CSE’s key cybersecurity solutions, assessed its broader cyber defence operations, and evaluated how these efforts are coordinated with Shared Services Canada (SSC), who manages much of the federal government’s IT infrastructure.
To identify and prevent cyber threats, CSE acquires and analyzes vast amounts of information. These activities can be highly intrusive and engage significant privacy interests of Canadians, including those who interact with the Government of Canada. NSIRA’s review placed particular emphasis on how information that could impact Canadian privacy interests is managed.
The review concluded that CSE makes critical contributions to securing the Government of Canada’s networks and incorporates measures designed to protect the privacy of Canadians and other persons in Canada. However, NSIRA identified two important areas for improvement.
First, the review found that CSE’s reporting to the Minister of National Defence—the minister responsible for overseeing CSE—lacked sufficient clarity and detail. This gap could hinder the Minister’s ability to make fully informed decisions about CSE’s cybersecurity activities.
Second, NSIRA observed that, in limited cases, CSE’s collection of information from external sources may have implicated the privacy rights of Canadians.
To address these issues, NSIRA issued seven recommendations aimed at enhancing transparency in CSE’s communications with the Minister and strengthening procedures for assessing and managing data that may affect privacy interests.
These findings underscore the vital importance of rigorous, independent review in national security matters. As cyber threats continue to evolve in scale and sophistication, Canada must ensure that its digital defences remain not only effective but also accountable and consistent with Canadian values. NSIRA’s review plays a crucial role in maintaining this balance—ensuring that security and privacy go hand in hand.
Date of Publishing:
Dear Minister Blair,
I am writing on behalf of the Members of the National Security and Intelligence Review Agency (NSIRA) to inform you that NSIRA has initiated a review of its Annual Review of Select CSE Activities for 2025.
This review is being conducted pursuant to paragraph 8(1)(a) of the National Security and Intelligence Review Agency Act (NSIRA Act). The NSIRA Act grants NSIRA full and timely access to all information held by reviewed departments and agencies, including classified and privileged information, with the exception of cabinet confidences.
The review will include the assessment of information related to CSE’s compliance with the law and ministerial direction, as well as the reasonableness and necessity of CSE’s exercise of its powers.
NSIRA will engage with your officials regarding this review. As the review progresses, NSIRA’s review team will be in regular contact with them with requests for information. Such requests may involve documents, system access, written explanations, briefings, interviews, surveys, and any other information that NSIRA determines to be of relevance to this review. This review may also include independent inspections of some technical systems. NSIRA’s expectations for responsiveness are available online at https://nsira-ossnr.gc.ca.
I thank you in advance for your cooperation and support to the independent review process, which is key to transparency and democratic accountability.
Sincerely,
The Honourable Marie Deschamps, C.C.
Chair, National Security and Intelligence Review Agency
Date of Online Publishing:
Date of Submission:
March 28, 2024
Dear David,
I am writing on behalf of the Members of the National Security and Intelligence Review Agency (NSIRA) to inform you that NSIRA’s review of CSIS’ Justification Framework (21-14) has been closed.
NSIRA will initiate a new standalone review of the Justification Framework that will commence in 2024. CSIS already received the formal notification of the launch of this review.
NSIRA recognizes the resources CSIS committed to the previous review. Information already provided by CSIS under the authority of 21-14 will not be requested again and will be used to inform the upcoming review. Any new information will be requested through existing channels and processes.
Sincerely,
Charles Fugere
A/Executive Director and Senior General Counsel
NSIRA Secretariat
Date of Publishing:
Dear Minister McGuinty,
I am writing on behalf of the Members of the National Security and Intelligence Review Agency (NSIRA) to inform you that NSIRA has initiated its Annual Review of Select Canadian Security Intelligence Service (CSIS) Activities for 2025.
This review is being conducted pursuant to paragraph 8(1)(a), 8(2) and 8(2.1)(a) of the National Security and Intelligence Review Agency Act (NSIRA Act). The NSIRA Act grants NSIRA full and timely access to all information held by reviewed departments and agencies, including classified and privileged information, with the exception of cabinet confidences.
The review will include information relating to CSIS’ compliance with the law and ministerial directions, as well as the reasonableness and necessity of a selection of CSIS activities.
NSIRA will engage with your officials regarding this review. As the review progresses, NSIRA’s review team will be in regular contact with them with requests for information. Such requests may involve documents, system access, written explanations, briefings, interviews, surveys, and any other information that NSIRA determines to be of relevance to this review. This review may also include independent inspections of some technical systems. NSIRA’s expectations for responsiveness are available online at https://nsira-ossnr.gc.ca.
I thank you in advance for your cooperation and support to the independent review process, which is key to transparency and democratic accountability.
Sincerely,
The Honourable Marie Deschamps, C.C.
Chair, National Security and Intelligence Review Agency
Date of Publishing:
This review is the third annual review of Canadian Security Intelligence Service (CSIS) threat reduction measures (TRMs) completed by the National Security Intelligence Review Agency (NSIRA).
The review had two main objectives. First, to provide an overview of TRMs in 2021, contextualizing the data as appropriate by comparison with data from preceding years and noting any trends or patterns that emerge. Second, to conduct a review of a selection of TRMs implemented in 2021.
NSIRA found that CSIS’s use of its TRM mandate in 2021 was broadly consistent with its use in preceding years. Overall, CSIS implemented El TRMs during the review period, covering a range of threats to the security of Canada (as defined by section 2 of the CSIS Act), including espionage/sabotage, foreign interference, and violence/terrorism. Of note, 2021 marks the first time since the inception of the regime that TRMs involving Ideologically Motivated Violent Extremism (IMVE) threats outnumbered those stemming from Religiously Motivated Violent Extremism (RMVE).
In terms of trends over time, NSIRA observed that the year 2018 was an inflection point for CSIS’s use of the TRM mandate. In that year, CSIS proposed nearly as many TRMs as were proposed in the preceding three years – the first three of the mandate – combined. In the following year, however, the number dropped slightly, before a more significant reduction in 2020. This downward trend plateaued during the review period, even rebounding gently. The number of proposed TRMs in 2021 went up as compared to the previous year, as did both approvals and implementations.
NSIRA selected three TRMs implemented in 2021 for review, assessing the measures for compliance with applicable law, ministerial direction, and policy. At the same time, NSIRA considered the implementation of each measure, including the alignment between what was proposed and what occurred and, relatedly, the role of legal risk assessments for guiding CSIS activity, as well as the documentation of outcomes.
For all the cases reviewed, NSIRA found that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act. In addition to general legal compliance, NSIRA found that CSIS sufficiently established a “rational link” between the proposed measure and the identified threat.
For one of the three cases reviewed, NSIRA found that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
The TRM in question [**redacted**] NSIRA believes that the presence of these factors ought to have factored into the overall risk assessment of the measure. [**redacted**]. In addition, however, are the risks [**redacted**]. These risks are not, and in this instance were not, captured by CSIS’s reputational risk assessment.
Similarly, the legal risk assessment for this TRM did not comply with the ministerial direction that “legal risk is to be assessed in accordance with the Department of Justice risk criteria.” [**redacted**] Under CSIS’s “TRM Modernization” project, implemented in January 2021, [**redacted**]. NSIRA recommended that LRAs be conducted for TRMs [**redacted**] and, further, that CSIS consider and evaluate whether legal risk assessments under TRM Modernization comply with applicable ministerial direction. NSIRA may revisit this issue – and TRM Modernization as a whole – in a future review.
A comparative analysis of the two LRAs provided for the other TRMs under review underscored the practical utility of clear and specific legal direction for CSIS personnel. Clear direction allows investigators to be aware of, and understand, the legal parameters within which they can operate and, subsequently, allows after-action reporting to document how implementation stayed within said bounds.
With respect to documenting outcomes, NSIRA further noted issues with, and made recommendations for, when CSIS produces certain reports following implementation of a TRM. Specifically, NSIRA recommended specifying in policy when the Intended Outcome Report and Strategic Impact Report are required. While cognizant that overly burdensome documentation requirements can unduly inhibit CSIS activities, NSIRA nonetheless believes that the recommendations provided are prudent and reasonable. Relevant information, available in a timely manner, benefits CSIS operations.
NSIRA review is an important part of the TRM regime. The CSIS Act requires CSIS to notify NSIRA after it has implemented a TRM, while the NSIRA Act requires NSIRA to review, each calendar year, at least one aspect of CSIS’s performance in undertaking TRMs. The result is enhanced likelihood that CSIS will use the TRM mandate lawfully and responsibly. In this vein, it bears underscoring the general finding of compliance – with law, ministerial direction, and policy – at the core of this review, noted issues notwithstanding.
NSIRA employees directly and independently accessed the relevant CSIS database to review and verify information. Following an initial analysis, follow up Requests for Information (RFIs) targeted specific documents identified as missing or potentially relevant. NSIRA shared a preliminary draft of the report with CSIS to verify its factual accuracy. NSIRA has high confidence in the information it examined in the course of this review, and consequently in the findings and recommendations emerging therefrom.
Figure 1: Approved TRMs from 2015–2021
Figure 2: Proposed TRMs by Threat Type
Figure 3: Proposed TRMs within the 2c (violence) threat category, by year
Figure 4: Percentage distribution of TRMs targeting 2b (foreign interference) threats, 2015–2021
Figure 5: Proposed, Approved, Implemented totals for 2015–2021 TRMs
Table 1: All TRMs implemented in 2021
This review was conducted under the authority of subsection 8(2) of the National Security and Intelligence Review Agency Act (NSIRA Act).
This review is the third annual review of CSIS threat reduction measures (TRMs) completed by the National Security Intelligence Review Agency (NSIRA). NSIRA’s predecessor, the Security Intelligence Review Committee (SIRC), examined CSIS’s use of threat reduction measures between 2016 and 2019.
NSIRA review is an important part of the TRM regime.2 The CSIS Act requires CSIS to notify NSIRA after it has implemented a TRM, while the NSIRA Act requires NSIRA to review, each calendar year, at least one aspect of CSIS’s performance in undertaking TRMs. In this way, the significant power conferred by the creation of the TRM mandate in 2015 is countervailed by regular and rigorous independent review.
NSIRA’s 2020 Review examined a sample of TRMs to assess their compliance with law, policy, and ministerial direction. The review found that, in a limited number of cases, individuals were included in a TRM without a rational link between the individual and the identified threat. Relatedly, NSIRA cautioned that overly broad rational link criteria could affect a measure’s reasonableness and proportionality. The review also noted that more consideration was needed with respect to the possible existence of an agency relationship between CSIS and third parties receiving information from CSIS.
NSIRA’s 2021 Review focused on the latter dynamic, examining cases involving the disclosure of information from CSIS to external parties with their own levers of control and the extent to which CSIS appropriately identified, documented and considered any plausible adverse impacts such measures could have on individuals. The review made recommendations in these areas, including that CSIS “comply with its record-keeping policies related to documenting the outcomes of TRMs.
This recommendation was further to SIRC’s 2016 Review, which emphasized the importance of documenting TRM outcomes. SIRC commended CSIS for developing guidance with respect to outcome reporting, but urged continued refinement – suggesting, inter alia, “timeframes for reporting on all outcomes” – moving forward. CSIS agreed with the recommendation, and successive versions of CSIS’s governing policy for TRM have included greater specificity in this regard.
A benefit of yearly review is the ability to identify and assess such challenges over time. To this end, each previous NSIRA review, in addition to the particular objectives noted above, tracked and described the overall use of the TRM mandate in the relevant review period. The 2020 review established a dataset of all TRMs since the inception of the mandate in 2015, which in turn helped inform case selection for the 2021 review. Supplemented on an ongoing basis by information provided to NSIRA pursuant to subsection 12.1(3.5) of the CSIS Act, this dataset allows NSIRA to identify trends, patterns, and emerging issues of relevance with respect to CSIS’s use of threat reduction measures, including through the quantification of data. Data from a specific year/review period can be contextualized (e.g., was the mandate used more, less, or in a qualitatively different way as compared to previous years?) and topics for future review identified.
The present review builds on the above work in two ways. First, we compare the use of the TRM regime in the relevant review period to its use in previous years and identify overall trends and patterns since the inception of the regime. Second, we focus on outcomes by selecting cases of implemented (as opposed to simply proposed or approved) TRMs for review. This speaks not only to the challenges associated with the documentation of outcomes, but also the “rational link” requirement that undergirds a given TRM’s reasonableness and proportionality, and globally the alignment of what the measure did with the threat it was intended to reduce. All of these issues have been, to one extent or another, subject to comment, findings, and/or recommendations in previous reviews.
The review period covers 1 January 2021 to 31 December 2021. NSIRA also examined information from outside of this period in order to make a full assessment of relevant TRM activities.
The review had two main objectives:
With respect to this second objective, three TRMs were selected according to criteria designed to maximize the utility of NSIRA’s findings and recommendations to CSIS (see the discussion of case selection strategy in Annex C). These TRMs were subject to two lines of inquiry: a compliance review against applicable law, ministerial direction, and policy; and, a review of implementation, including the alignment between what was proposed and what occurred, the documentation of outcomes, and the crucial role of legal risk assessments for guiding CSIS activity.
NSIRA examined and considered all relevant legislation and documentation pertaining to the objectives of the review, including:
NSIRA employees directly accessed the relevant CSIS databases on 4 March 2022 to collect this information. Subsequent requests (RFIs) for additional documents identified by the review team were issued in March, April and May 2022.
The review also analyzed data compiled under previous TRM reviews as well as provided to NSIRA by CSIS pursuant to subsection 12.1(3.5) of the CSIS Act.
NSIRA has high confidence in the information it examined in the course of this review, and consequently in the findings and recommendations emerging therefrom.
As noted above, NSIRA employees directly and independently accessed the relevant CSIS database to review and verify information. NSIRA’s familiarity with the TRM regime meant that the review team was able to pre-identify relevant TRM documentation and then confirm its existence in CSIS holdings. Following an initial analysis, follow up RFIs targeted specific documents identified as missing or potentially relevant. In some instances, CSIS was able to produce the requested documents; in others, they confirmed that said documents did not exist. This process gave the review team confidence as to the completeness of the documentation necessary to satisfy the objectives of the review. That NSIRA personnel directly retrieved the majority of documents from CSIS databases similarly gives high confidence that the information is valid and accurate. Finally, NSIRA shared a preliminary draft of the report with CSIS to verify its factual accuracy.
The first objective of the review was to document and describe how CSIS used its TRM mandate in 2021, and to contextualize that use by comparison to previous years.
Finding 1: NSIRA finds that CSIS’s use of its TRM mandate in 2021 was broadly consistent with its use in preceding years.
In 2021, CSIS proposed [**redacted**] measures (i.e., TRMs designated [**redacted**] of which [**redacted**] were approved and [**redacted**] implemented. Of the [**redacted**] TRMs which were approved but not implemented in 2021, all remain valid, and implementation rates from previous years suggest that many are likely to be implemented in 2022 (see Figure I).
[**redacted figure**]
In addition, [**redacted**] TRMs that had been proposed in 2020 (designated [**redacted**] were 15(l)(d)(ii) ultimately implemented in 2021. Overall, therefore, CSIS implemented [**redacted**] TRMs a total of [**redacted**] times during the review period (for an overview, see Table 1 in Annex C).
Section 2, paragraphs (a) through (d) of the CSIS Act identifies four basic categories of threats to the security of Canada:
A range of threats were addressed by measures during the review period, including a rough balance between 2a (espionage/sabotage), 2b (foreign interference), and 2c (violence) threats. [**redacted**] 2d (subversion) threats, [**redacted**].
This distribution is in keeping with how CSIS used the mandate in previous years. Figure 2 plots the number of proposed TRMs by threat type since 2015.
[**redacted figure**]
Since 2015,2c (violence) threats have most frequently been the subject of TRMs [**redacted**] followed closely by 2b (foreign interference) threats.
While CSIS’s overall focus on 2c threats has been consistent over the years, the underlying composition of those threats (that is, the specific targets within that broader category) has evolved. From 2015-2017, for example, the overwhelming majority of TRMs aimed at reducing 2c threats involved targets associated with religious extremism (what would now be categorized as Religiously Motivated Violent Extremism, or “RMVE”). More recently, and beginning in 2018, there has been an increase in TRMs aimed at targets in the Ideologically Motivated Violent Extremism (IMVE) milieu. Figure 3 shows the number of TRMs in each of these categories year by year.
[**redacted figure**].
Of note, the present review period marks the first time since the inception of the regime that TRMs involving IMVE threats outnumber those stemming from RMVE. [**redacted**]. This shift in the threat environment is reflected in Figure 3, above, which shows [**redacted**] with respect to RMVE and IMVE overtime.
There are also trends worth noting with respect to 2b (foreign interference) threats, which have been subject to [**redacted**] TRMs since 2015. First, the number of TRMs targeting 2 b threats [**redacted**]. TRMs in this area aim at reducing threats to Canadian security from hostile state actors; such threats can include, among others, cyber attacks/operations, election interference, or the monitoring of dissidents in Canada. [**redacted**] throughout the course of the regime, [**redacted**] (see Figure 4).
[**redacted figure**].
Figure 5 shows overall trends, specifically use of the regime by TRM status – proposed, approved, and implemented – since 2015. The year 2018 was an inflection point. In that year, CSIS proposed nearly as many TRMs as were proposed in the preceding three years – the first three of the mandate – combined [**redacted**]. In the following year, however, the number dropped slightly [**redacted**] before a more significant reduction in 2020 [**redacted**]. The year 2020 was a low ebb across all three categories, with the lowest number of implementations [**redacted**] since the first year of the regime [**redacted**] This downward trend plateaued during the review period, even rebounding gently. The number of proposed TRMs in 2021 went up as compared to the previous year [**redacted**] as did both approvals [**redacted**] and implementations [**redacted**].
[**redacted figure**].
In the course of NSIRA’s 2020 TRM Review, CSIS explained [**redacted**]. The COVID-19 pandemic interrrupted some aspects of that work, such as site visits to regions to explain the program, [**redacted**]. The question of how actively CSIS uses the TRM regime – and whether efforts to bolster its use were or were not successful, or quire more attention – is reasonably deferred at present, given the unique circumstances related to COVID-19. Moving forward, however, NSIRA will be attuned to such considerations. Now over five years since the inception of the mandate, an assessment of CSIS’s use of TRM as a viable tool complementing the organization’s “culture of collection” may warrant explicit consideration.
In this way, NSIRA’s finding that CSIS’s use of TRMs in 2021 is broadly consistent with its use in preceding years is useful as a baseline, or data point, informing future assessments of the regime. Ultimately, each successive year of review will offer additional information and cumulative insight into how CSIS exercises its threat reduction mandate.
NSIRA’s second objective was to conduct a review of a selection of TRMs implemented during the review period. NSIRA assessed the TRMs for compliance with applicable law, ministerial direction, and policy. At the same time, NSIRA considered the implementation of each measure, including the alignment between what was proposed and what occurred and, relatedly, the role of legal risk assessments for guiding CSIS activity, as well as the documentation of outcomes. For a full discussion of NSIRA’s case selection strategy, see Annex C.
The selected cases are as follows:
[**redacted**] CSIS conducted a TRM [**redacted**].
The TRM involved [**redacted**].
The Department of Justice (hereafter, “Justice”) provided CSIS with a Legal Risk Assessment (LRA) of the proposed TRM [**redacted**].
[**redacted**].
Following these implementations, CSIS assessed that the immediate intended outcomes of the TRM [**redacted**].
The TRM’s Strategic impact Report, [**redacted**] ultimately concluded that the TRM’s [**redacted**].
[**redacted**] CSIS conducted a TRM [**redacted**].
The TRM [**redacted**].
Justice delivered an LRA of the proposed TRM to CSIS [**redacted**].
CSIS implemented the TRM [**redacted**].
Following the first implementation, CSIS assessed that the immediate intended outcome of the TRM had been “met”. [**redacted**].
[**redacted**] the TRM’s Strategic Impact Report, [**redacted**].
CSIS conducted a TRM [**redacted**].
The TRM involved [**redacted**].
Justice did not provide a formal LRA in this case. [**redacted**].
CSIS implemented the TRM [**redacted**].
CSIS assessed that [**redacted**].
Finding 2: For all the cases reviewed, NSIRA finds that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act.
As made explicit by subsection 12.1 (3.1) of the CSIS Act, the Charter “is part of the supreme law of Canada and all [TRMs] shall comply with it.” Measures that would limit a right or freedom protected by the Charter may only be undertaken if authorized by a warrant. However, the TRMs under consideration in this review were non-warranted measures. NSIRA’s assessment of Charter compliance considered whether any protected right or freedom was limited as a result of the measure. Examination of outcome reporting and other relevant documentation indicated that no such limitations occurred.
The key requirements of sections 12.1 and 12.2 of the CSIS Act include:
For the measures reviewed, each RFA explicitly addressed the requirements for RGB, reasonableness and proportionality, and consultations with other federal departments. In addition, the two LRAs (for Case 1 and Case 2, respectively) and one legal consultation (for Case 3) addressed [**redacted**]. Similarly, the LRAs for Case 1 and Case 2 determined that the proposed TRMs [**redacted**].
NSIRA broadly concurred with these assessments and conclusions. Further, but for Case 3 (see paragraph 79, below), there was no information in the relevant implementation reports or associated documentation that indicated that the actual implementation of the measures sufficiently deviated from the proposed implementation as to be of concern. Finally, NSIRA determined that none of the implemented measures involved any conduct prohibited by subsection 12.2(1) of the CSIS Act.
In addition to general legal compliance, NSIRA paid particular attention to the “rational link” test that helps CSIS establish the reasonableness and proportionality of a measure. As noted above, NSIRA’s 2020 TRM review cautioned against overly broad rational link criteria while also finding that the rational link had not been met in the selection of certain individuals for inclusion in a TRM. As such, the present review assessed whether a) the proposed rational link was logical and clear; and b) that it was met for each proposed implementation.
Finding 3: For all the cases reviewed, NSIRA finds that CSIS sufficiently established a “rational link” between the proposed measure and the identified threat.
However, NSIRA notes several legal and operational considerations that were not addressed as part of the design and analysis of the proposed TRMs but which may be relevant to the contemplation and evaluation of future, similar, measures.
For Case 1, [**redacted**].
While none of these [**redacted**] undermine NSIRA’s finding of legal compliance, they do underscore the possible challenges and risks associated with TRMs involving [**redacted**].
For Case 2, [**redacted**].
In the certification for the second implementation of the TRM, in which an assessment of, and statement regarding, reasonableness and proportionality is required, [**redacted**]. Again, while it is unlikely that such [**redacted**] had they been considered, would have rendered the second implementation unreasonable and/or disproportional in this case, the lack of consideration is potentially informative for other TRMs [**redacted**] and, even if minimal, may need to be addressed in certifications of the reasonableness and proportionality of each [**redacted**] implementation.
Finally, for the Case 3, [**redacted**] NSIRA’s 2021 TRM review dealt extensively with the question of CSIS’s relationship with third parties. Case 3 underscores several of NSIRA’s findings and recommendations from that review, in particular regarding the need to consider plausible adverse impacts of TRMs involving third parties and to document third party activity following implementation.
Compliance with ministerial direction
Finding 4: For Case 1 and Case 2, NSIRA finds that CSIS met its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
Finding 5: For Case 3, NSIRA finds that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
Case 3 involved: [**redacted**]
A “fundamental principle” of the 2015 MD is that “the greater the risk associated with a particular activity, the higher the authority required for approval.” This principle was reflected in the section 12 targeting authority [**redacted**] which states [**redacted**]. [**redacted**] ultimately means the letter of the fundamental principle regarding the calibration of level of risk and level of approval is(i)(d) was met, NSIRA finds that the spirit of the principle was not honoured in this case. NSIRA believes that [**redacted**].
In response to a preliminary draft of the present report, CSIS noted to NSIRA that the presence the [**redacted**] see footnote 45 above – in the implementation of the TRM reflected CSIS’s recognition as to the sensitivities of this case. CSIS further argued that risks associated with [**redacted**]. NSIA agrees that part [**redacted**]. In addition, however, [**redacted**]. These risks are not, and in the instance of Case 3 were not, captured by CSIS’s reputational risk assessment. [**redacted**]
The 2019 MD addresses this risk assessment process. Annex A of the MD requires CSIS operational activities, including TRMs, to undergo a four-pillar assessment for legal, operational, reputational, and foreign policy risk. According to the MD, “Legal risk is to be assessed in accordance with the Department of Justice risk assessment criteria.” As noted in paragraph 57, above, no formal Legal Risk Assessment (LRA) was produced for Case 3. [**redacted**] (see the below textbox for a discussion of TRM Modernization [**redacted**]).
CSIS’s TRM Modernization Project
CSIS implemented the TRM Modernization Project on 19 January 2021, [**redacted**] The new process reduces the [**redacted**] aligns TRMs with other programs [**redacted**].
As per the new process outlined in the Department of Justice (DOJ) Legal Risk Management Framework (which supports Justice/CSIS engagement on TRM), Justice advice via an LRA would be sought only where [**redacted**] would be encountered by the TRM. (Prior to this, formal LRAs had been provided as part of every TRM proposal.)
[**redacted**]
Setting aside whether or not the TRM did or did not meet any of [**redacted**] (we return to this consideration below), NSIRA does not believe the legal advice fulfilled the requirements for legal risk assessments set out in the 2019 MD. [**redacted**]. However, CSIS’s Overall Risk Assessment (ORA), which evaluates all four pillars of risk identified by the 2019 MD, [**redacted**] an absence ** for an LRA was taken by CSIS to imply [**redacted**] which contributed to the ORA’s overall calculation that the TRM was low risk. Again, determining the legal risk level in this way [**redacted**] rather than a consideration of the actual legal risks themselves) does not comply with the ministerial direction that legal risk be assessed “in accordance with the Department of Justice risk criteria.”
The pre-identification of [**redacted**] if met, would require formal LRAs, is part of CSIS’s TRM Modernization Project, launched in 2021 (see textbox on TRM Modernization, above). An assessment of this new legal risk assessment model is beyond the scope of the present review, though may warrant attention in future years. In the present context, however, NSIRA questions the conclusion that Case 3 did not meet any of the identified [**redacted**] for consultation. Specifically, NSIRA believes the TRM may have met [**redacted**] and did meet [**redacted**].
[**redacted**] a formal consultation (LRA) must be produced for TRMs “where [**redacted**]. NSIRA believes that the cumulative effects [**redacted**] ought to have been explicitly considered as part of the TRM. This would have allowed CSIS to determine whether such risks were sufficient [**redacted**].
To be clear, it is not NSIRA’s position that the cumulative effects were unreasonable in this case, or constituted an abuse of process; rather, the risks that they were, or did, ought to have been considered more explicitly, which could then have [**redacted**] a formal LRA, as per the process established by TRM Modernization.
[**redacted**].
In addition to [**redacted**] under the current governance regime, NSIRA notes that the absence of a comprehensive legal assessment had potential consequences during the implementation of Case 3.
NSIRA observed that there was a discrepancy in terms of how CSIS described the measure proposal [**redacted**].
The RCMP raised the question of timing during consultations with CSIS about the TRM: [**redacted**].
[**redacted**]. More generally, NSIRA highlights the risks created by ambiguity in the implementation of a TRM, particularly absent clear consideration of possible risks as would occur in an LRA.
[**redacted**].
These considerations are illustrative. The fundamental point is that [**redacted**].
Recommendation 1: NSIRA recommends that formal Legal Risk Assessments (LRAs) be conducted for TRMs [**redacted**].
This recommendation reflects the explicit emphasis placed on these categories by the 2015 MD as well as elsewhere in CSIS policy. While NSIRA understands the desire to streamline the TRM process – reflected in the changes made to legal risk assessment under TRM Modernization – the risks associated with TRMs [**redacted**] rather than situational. A standing policy – [**redacted**] is therefore appropriate in these cases.
It was beyond the scope of the present review to consider the TRM Modernization model in its entirety. The above findings and associated recommendation, however, highlight potential discordance between the application of that model and the requirements of ministerial direction, particularly with respect to legal risk assessments in certain cases.
Recommendation 2: NSIRA recommends that CSIS consider and evaluate whether legal risk assessments under TRM Modernization comply with applicable ministerial direction.
Such an evaluation would allow CSIS to close potential compliance gaps and ensure that legal risk assessments – a mandatory component of every TRM – fulfill their intended function.
Legal Risk Assessments (LRAs)
[**redacted**]. These assessments ultimately bear on implementation – should CSIS deviate too widely from what they said they would do, the legal risk assessment they received may no longer fully apply, or additional risks may be created that were not considered.
Finding 6: With respect to Legal Risk Assessments (LRAs), NSIRA finds that greater specificity regarding legal risks, and direction as to how risks could be mitigated and/or avoided, resulted in more detailed outcome reporting vis-a-vis legal compliance.
This finding emerges from a comparative analysis of the [**redacted**] for Case 3; see Recommendation #1).
The fact patterns for Case 1 and Case 2 were very similar. Each TRM involved [**redacted**]. Nonetheless, NSIRA observed slight but relevant differences between the LRAs offered [**redacted**].
[**redacted**].
[**redacted**]. This reflects an understanding of the limits [**redacted**] and the care taken by investigators to stay within them.
[**redacted**].
[**redacted**].
[**redacted**]. For example, in the Implementation Report for [**redacted**]
Recommendation 3: NSIRA recommends that CSIS work with the Department of Justice to ensure that Legal Risk Assessments (LRAs) include clear and specific direction regarding possible legal risks and how they can be avoided/mitigated during implementation of the TRM.
A comparative assessment of [**redacted**] suggests to NSIRA that clarity and specificity regarding legal risks and how they can be mitigated/avoided serves to guide investigators during the implementation phase. The associated recommendation would allow investigators, whether new or experienced, to be aware of, and understand, the parameters within which they can operate without breaching the Charter or the law, as well as the delimitations of the line(s) that, if crossed, would constitute a breach (or create a significant risk thereof) according to Justice.
This may also improve both implementation and associated reporting. Providing clear guidelines would prompt CSIS investigators to specify in their implementation reports how they remained within the delimitations.
Recommendation 4: NSIRA recommends that Implementation Reports specify how the legal risks identified in the LRA were avoided/mitigated during implementation of the TRM.
The significant powers bestowed by the TRM mandate create potential risks to the rights and freedoms of the individuals subject to such measures, or others captured by their scope. Including specific reporting about how identified risks were mitigated or avoided in the implementation of a TRM would allow CSIS to demonstrate that it was legally compliant from start (what they proposed to do) to finish (what they did) in each case, thereby bolstering confidence that the regime is being used responsibly. (See also the discussion of TRM documentation beginning at paragraph 101, below.)
TRM governance includes requirements that specifically address relevant statutory obligations. For example, [**redacted**]. In this way, compliance with policy is crucial for ensuring compliance with the law.
Finding 7: For Case 2 and Case 3, NSIRA finds that CSIS did not meet its obligations with respect to one requirement of its Conduct of Operations, Section 12.1 Threat Reduction Measures, Version CSIS did not meet its internal policy requirements regarding the timelines to submit TRM implementation reports.
Specifically, NSIRA found that:
This non-compliance is minor in nature. However, it should be noted that delay in drafting and submitting implementation reports could conceivably impact their depth, rigour, and accuracy, particularly as the reports involve a detailed description of what occurred during implementation. If submitting implementation reports within five business days is chronically challenging for investigators, CSIS may wish to revisit the policy requirement and adjust it accordingly.
Documentation of outcomes
More generally, the documentation of implementation and outcomes is important, for at least two reasons. First, to ensure that ex ante compliance obtains ex post. The key consideration here is the alignment between what CSIS proposed to do and what they ultimately did. Second, so that CSIS can evaluate what worked and what did not, with an eye toward future TRMs. Were the goals articulated in the RFA achieved? Did the measure reduce the threat? Knowing the answers to these questions is crucial for determining both what to do next (with respect to a particular threat actor) and what to do in the future (vis-a-vis other, broadly comparable threat actors or circumstances).
Finding 8: For Case 3, NSIRA finds that the Intended Outcome Report was not completed in a timely manner.
At the time NSIRA initially collected information for this review [**redacted**] it did not find an Intended Outcome Report for Case 3 in the relevant CSIS database. In a follow-up request for information, dated [**redacted**] NSIRA sought to confirm whether or not an Intended Outcome report for this TRM had been produced. CSIS provided the report to NSIRA on [**redacted**] the completion date for the report was a day earlier, [**redacted**].
CSIS explained that the relevant regional desk was waiting to receive information from an external party, and therefore was not in a position to complete the Intended Outcome Report at an earlier date. Nonetheless, NSIRA notes that the Intended Outcome Report dated [**redacted**] provided relevant and valuable information, even as the information from the external party remained outstanding.
CSIS’s policy on when Intended Outcome (what CSIS formerly called “intermediate outcome”) Reports are required is unclear. Paragraph 6.5 of CSIS’s Conduct of Operations, Section 12.1 Threat Reduction Measures, Version 4 discusses the need for both Intended Outcome and Strategic Impact reports but only specifies when the latter is due (more on this below, see paragraph 109). As such, the above finding is not a compliance issue, but instead relates to the effective use of such reports for informing CSIS operations. Particularly insofar as CSIS contemplates additional TRMs – or additional implementations of the same TRM under a standing authority – against the same threat actor, having intended outcome reports in hand would likely be of use to operational units and approval authorities.
This was specifically true with respect to [**redacted**] for example. [**redacted**]. Particularly when such key decision points arise, information as to the outcome of a TRM is relevant and potentially useful.
As noted in the case description at paragraph 59 above, CSIS ultimately determined that, as of January 2022, [**redacted**]. That the Intended Outcome report was not completed until [**redacted**] suggests that this information was not available (or at least not documented) in a timely manner.
Recommendation 5: NSIRA recommends that CSIS specify in its Conduct of Operations, Section 12.1 Threat Reduction Measures when the Intended Outcome Report is required, as it does for the Strategic Impact Report.
This recommendation would mean that [**redacted**] reporting requirements would be subject to explicit timeframes, adding to those currently in place for Implementation Reports (within five business days) and Strategic Impact Reports (at one of two specified junctures). Determining when the Intended Outcome Report ought to be completed will require careful consideration. NSIRA’s recommendation does not include a specific timeframe, only that CSIS take the steps to determine what is practical and, in light of the considerations above, useful in this regard (e.g., provides relevant information in a timely manner, particularly with respect to key decision points such as renewals of authorities). While NSIRA acknowledges CSIS’s position that outstanding information may present challenges to an explicit timeframe, we also highlight the pertinent information that was ultimately included in the [**redacted**] Intended Outcome Report for Case 3. This example demonstrates the potential value of reporting information in hand as opposed to waiting until all information is received, with the recognition that updates can always be appended as new information becomes available.
The spirit of the recommendation is that more information, sooner, is beneficial for CSIS as it conducts TRMs. As the above analysis of Case 3 makes clear, knowing outcomes is important not only for tracking the success or failure of the TRM itself, but also for understanding how the TRM factors into the ongoing section 12 investigation within which it occurred. This includes the development of possible subsequent TRMs against the same threat actor. [**redacted**].
Current CSIS policy allows the Strategic Impact report to be completed at either:
In practice, because a TRM authority [**redacted**].
Finding 9: NSIRA finds that current policy for the completion of Strategic Impact Reports may inhibit the timely production of important information.
Of note, the above analysis with respect to the Intended Outcome Report for Case 3 is equally applicable to its Strategic Impact Report. The TRM authority for Case 3 [**redacted**].
For Case 1, CSIS completed the Strategic Impact Report [**redacted**] just before the expiry of the TRM authority [**redacted**].
Recommendation 6: NSIRA recommends that CSIS integrate in policy a requirement that the Strategic Impact Report be completed at the expiry of the TRM authority.
This recommendation urges CSIS to produce relevant information sooner rather than later. Given that strategic outcomes may influence or inform decision-making on further TRMs within active investigations, assessing outcomes prior to the closing of those investigations makes sense. If the strategic impact remains unclear at this earlier juncture (as may be the case for TRMs with short validity periods, e.g., 90 days), the relevant report can indicate this, and the issue can be revisited as necessary at the closing of the investigative authority. NSIRA notes that in the three cases under review, CSIS completed the Strategic Impact Report at the earlier of the two junctures (closing of the TRM authority); the above recommendation would simply codify this practice.
Overall, NSIRA found that CSIS’s use of its TRM mandate in 2021 was broadly consistent with its use in preceding years. With respect to the TRMs reviewed, NSIRA found that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act. For one of the measures, however, NSIRA found that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
The review contextualized CSIS’s use of TRMs in 2021 against its historical use of the regime. Of note, the decrease that began after 2018 plateaued in 2021 — NSIRA even observed modest upticks in TRM proposals, approvals, and implementations in the present review period. Moving forward, and out of the COVID-19 pandemic, monitoring and analyzing these numbers will inform future review.
The targeted objective of this year’s review was to conduct a review of a selection of implemented TRMs. In so doing, NSIRA was mindful of observations, findings, and recommendations emerging from previous SIRC and NSIRA reviews, for example the requirement that the “rational link” (between selected subject and threat) be present in each case, and that the documentation of outcomes be clear and complete. The focus on implementation generally raised the question of alignment between what CSIS proposed to do and what ultimately occurred.
Within this line of inquiry, findings and recommendations emerged which underscore NSIRA’s belief that relevant information, available in a timely manner, benefits CSIS operations. While cognizant that overly burdensome documentation requirements can unduly inhibit CSIS activities, NSIRA nonetheless believes that the recommendations provided here are prudent and reasonable, less creating new requirements as much as sharpening and refining existing ones.
[**redacted**] analysis touched both directly and indirectly on the new — as of January 2021 — legal risk assessment model in place pursuant to CSIS’s “TRM Modernization”. While the review did not consider this model in toto, and could not therefore pass comment on its performance, NSIRA recommended closing the gap by [**redacted**] and further recommended that CSIS evaluate the new model against the requirements of ministerial direction, particularly those associated with legal risk assessments. Moving forward, a focused NSIRA review of TRM Modernization may take up these questions with an eye toward compliance more broadly, as well as possible additional recommendations addressing gaps, issues, or risks.
Relatedly, the present review emphasized the importance of the guidance and direction offered in LRAs, both for identifying and mitigating potential legal risks and, crucially, for ensuring that CSIS investigators stay within the bounds of legal compliance during actual implementation of the TRM. Clear advice allays ambiguity and uncertainty, minimizing the potential for inadvertent breaches as CSIS employees implement the measure, while making it easier for employees to document legal compliance in after-action reporting.
The result is enhanced likelihood that CSIS will use the TRM mandate lawfully and responsibly. In this vein, it bears underscoring the general finding of compliance — with law, ministerial direction, and policy — at the core of this review, noted issues notwithstanding.
Finding 1: NSIRA finds that CSIS’s use of its TRM mandate in 2021 was broadly consistent with its use in preceding years.
Finding 2: For all the cases reviewed, NSIRA finds that CSIS met its obligations under the law, specifically the Canadian Charter of Rights and Freedoms and sections 12.1 and 12.2 of the CSIS Act.
Finding 3: For all the cases reviewed, NSIRA finds that CSIS sufficiently established a “rational link” between the proposed measure and the identified threat.
Finding 4: For Case 1 and Case 2, NSIRA finds that CSIS met its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
Finding 5: For Case 3, NSIRA finds that CSIS did not meet its obligations under the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety.
Finding 6: With respect to Legal Risk Assessments (LRAs), NSIRA finds that greater specificity regarding legal risks, and direction as to how said risks could be mitigated and/or avoided, resulted in more detailed outcome reporting vis-à-vis legal compliance.
Finding 7: For Case 2 and Case 3, NSIRA finds that CSIS did not meet its obligations with respect to one requirement of its Conduct of Operations, Section 12.1 Threat Reduction Measures, Version 4. CSIS did not meet its internal policy requirements regarding the timelines to submit TRM implementation reports.
Finding 8: For Case 3, NSIRA finds that the Intended Outcome Report was not completed in a timely manner.
Finding 9: NSIRA finds that current policy for the completion of Strategic Impact Reports may inhibit the timely production of important information.
Recommendation 1: NSIRA recommends that formal Legal Risk Assessments (LRAs) be [**redacted**] for TRMs.
Recommendation 2: NSIRA recommends that CSIS consider and evaluate whether legal risk assessments under TRM Modernization comply with applicable ministerial direction.
Recommendation 3: NSIRA recommends that CSIS work with the Department of Justice to ensure that Legal Risk Assessments (LRAs) include clear and specific direction regarding possible legal risks and how they can be avoided/mitigated during implementation of the TRM.
Recommendation 4: NSIRA recommends that Implementation Reports specify how the legal risks identified in the LRA were avoided/mitigated during implementation of the TRM.
Recommendation 5: NSIRA recommends that CSIS specify in its Conduct of Operations, Section 12.1 Threat Reduction Measures when the Intended Outcome Report is required, as it does for the Strategic Impact Report.
Recommendation 6: NSIRA recommends that CSIS integrate in policy a requirement that the Strategic Impact Report be completed at the expiry of the TRM authority.
In June 2015, Parliament enacted the Anti-terrorism Act, 2015, which authorized CSIS, in the new section 12.1 of the CSIS Act, to take measures to reduce threats to the security of Canada, within or outside Canada. The new measures represented an unprecedented departure from CSIS’s traditional intelligence collection role.
In July 2019, the National Security Act, 2017, introduced amendments to CSIS’s TRM mandate that sought to clarify and further define this power. In particular, the amendments stressed the importance of compliance with the Canadian Charter of Rights and Freedoms (Charter), provided an expanded list of prohibited conduct under the TRM regime, and introduced a requirement that CSIS notify NSIRA after undertaking a TRM.
The CSIS Act does not provide a precise definition of “measures to reduce the threat.” As such, CSIS has developed its own, defining a TRM as “[a]n operational measure undertaken by [CSIS], pursuant to section 12.1 of the CSIS Act, whose principal purpose is to reduce a threat to the security of Canada as defined in s. 2 of the CSIS Act.”
These measures are subject to specific stipulations. Section 12.1 of the CSIS Act states that CSIS may only undertake a TRM if there are reasonable grounds to believe (RGB) that the identified conduct is a threat to the security of Canada. TRMs must be reasonable and proportional in the circumstances, having regard to the nature of the threat, the nature of the measures, the reasonable availability of other means to reduce the threat, and the reasonably foreseeable effects on third parties, including on their right to privacy. CSIS must also consult with other federal departments, where appropriate, with respect to whether they may be in a position to reduce the threat. Finally, CSIS must seek a warrant from a judge where a proposed TRM would limit a right or freedom guaranteed by the Charter or would otherwise be contrary to Canadian law.
In addition to these statutory requirements, the 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability require all TRMs to undergo a four-pillar risk assessment that examines the operational, reputational, foreign policy, and legal risks of proposed actions on a scale of low, medium or high. Moreover, they require that, when assessing the appropriate means of reducing a threat, CSIS consider the range of other possible national security tools available to the broader community, and consult with departments and agencies of the Government of Canada with mandates or authorities closely related to the proposed TRM. It is also important to note that both MDs operate concurrently: the 2015 MD section regarding Operations remains in effect, whilst the section concerning Accountability in the 2015 MD is superseded by the 2019 MD.
NSIRA’s population for case selection were the [**redacted**] TRMs — all those implemented in the calendar year 2021 — laid out in Table 1 [**redacted**].
[**redacted table**]
Of these 21 cases, three were TRMs first implemented in 2020, with subsequent implementations during the review period. [**redacted**]. As such, and given the desire to examine the full lifecycle of the TRM within the specified review period, NSIRA dropped [**redacted**].
[**redacted**].
[**redacted**] the prevalence and importance of measures aimed at reducing threats defined under subsection 2c of the CSIS Act. These threats include, but are not limited to, those stemming from RMVE and IMVE. As noted in paragraph 34 of the report, since 2015, 2c threats have been the most frequently subject to TRMs (as compared to other threats described by the Act), and will likely continue to be a focus in the years to come. As such, NSIRA judged that any findings and/or recommendations emerging from the review of TRMs aimed at 2c threats would be useful to CSIS going forward, as similar TRMs are contemplated, designed, proposed and implemented.
[**redacted**]. NSIRA reviewed documentation associated [**redacted**].
For these reasons, [**redacted**] was dropped from the sample, leaving three TRMs for review (n=3).
