Language selection

Government of Canada / Gouvernement du Canada

Search

Category: GAC

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019: Report

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019

Report

Date of Publishing:

Executive Summary

The Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, September 4, 2019, to the end of the previous calendar year, December 31, 2019. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Act.

While this was the inaugural annual review under the NSIRA Act, it builds upon previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on information sharing with Foreign Entities is an example. The results from this previous review were sent to applicable departments in July 2020. NSIRA is building upon this previous review and strongly supports the findings and recommendations within it. As of the date of this report, departmental responses have not been received regarding the recommendations provided in NSIRA’s July 2020 Ministerial Direction review.

(U) It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period.

To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Act and the directions. The responses and associated information captured departmental activities related to the Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. NSIRA believes that having a robust framework is an essential part of an effective implementation of the directions departments have received.

Beyond the specific requirements of implementation, the information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken since the review period to build and formalize their frameworks. This information and knowledge will help set up the foundation for future reviews and assist efforts on creating consistent implementation across departments. While many of the issues discussed in this report go beyond the specific requirements of the directions, their consideration is critical to the overall improvement of the implementation process and how departments ultimately support the Act. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions and look closely at specific cases and departmental legal opinions to guide review findings.

While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments are employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach. And while departments will always require unique aspects in their sharing frameworks to address the unique characteristics of their mandates and activities, to improve the implementation process, a goal all involved likely have, the identification and sharing of best practices is critical.

For example, determining the best means for having a unified approach when engaging with foreign entities of concern or ensuring that an information sharing activity is consistently evaluated for risk by all departments. The recommendations provided on these issues in this review capture what NSIRA believes to be important concerns and considerations for supporting and improving departmental implementation.

Additionally, as the directives received under the Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the community to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, but also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Act across the community.

Authorities

This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity Act.

Introduction

Focus of the Act

In the same spirit as the Ministerial Direction (MD) that preceded it, the Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department and a foreign entity. The Act also aims to limit the use of information received from a foreign entity that may have been obtained through the mistreatment of an individual. While the previous MD guided the activities of a selection of Canada’s security and intelligence departments, the Act broadened this scope to capture all departments whose interactions with foreign entities included information exchanges where such a concern may apply.

The focus of the Act is to ensure departments take the necessary steps during their information sharing activities to avoid contributing in any way to the mistreatment of an individual. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. There is an expectation that each department will satisfy these requirements by leveraging departmentally established mechanisms and procedures, or frameworks that will allow each department to confidently demonstrate how it has responded to its responsibilities under the Act.

During the first year that the Act was in force, written directions using nearly identical language were sent to the Deputy Heads of 12 departments. In regard to disclosure, the directions read as follows:
“If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

With respect to requesting information, the directions state:
“If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

Lastly, as it relates to the use of information, the directions indicate:
“The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department

  • (a) in any way that creates a substantial risk of further mistreatment;
  • (b) as evidence in any judicial, administrative or other proceeding; or
    (c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.”

At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. This determination is done on a case-by-case basis. Each department is responsible for making these determinations as it applies to its activities. Following the outcome of a department’s determination of these important questions, cases may be approved, denied, or elevated to the Deputy Head for consideration. For the latter cases, this then results in additional reporting requirements for the Deputy Head. Throughout this process, there is also a requirement to ensure the accuracy, reliability, and limitations of use of all information being handled.

Review Objectives

After the Avoiding Complicity Act came into force in July 2019, the Governor in Council’s written directions were sent to each applicable department in September 2019. The period for this year’s review is September 4, 2019 to December 31, 2019. The short timeframe (approximately 4 months) associated with this year’s review means that departments are being assessed, in large part, on what they would already have had in place to address risks of mistreatment associated with information sharing, or what they were able to implement in a four-month window. NSIRA is cognizant that for the departments that were not previously subject to the 2017 MD on Avoiding Complicity in Mistreatment by Foreign Entities, the timeframe to implement the written directions was somewhat limited, as it would have been challenging to create and operationalize new procedures such that they would be reflected in the department’s activities during the period being reviewed.

While it was essential to ensure that both NSIRA and the departments being reviewed met their obligations, these challenges were kept in mind when evaluating the objectives for this first review. Given these considerations, the objectives of this year’s review were to determine whether:

  • departments had fully implemented the directions received under the Act in conformity with the obligations set out therein;
  • departments had established and operationalized frameworks that sufficiently enabled them to meet the obligations set out in the Act and directions; and,
  • there was consistency in implementation across applicable departments.

Methodology and assessment focus

To capture a complete view of the departmental implementation of the Act, NSIRA constructed a series of questions related directly to every department’s obligations under the Act and the directions. The responses and associated information captured what specific activities took place during the review period and what departmental frameworks were leveraged to adequately support these activities.

The information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken to build and formalize their frameworks to meet their obligations under the Act and directions. The information provided and the knowledge gained will help set up the foundation for future reviews and help create consistent implementation across departments.

The method used to gather information during a global pandemic was designed for this first and unique review period. We believe it allowed departments to quickly and efficiently indicate both whether the directions had been implemented, and what frameworks, processes, and policies had been leveraged or put in place.

Responses to many of the RFI questions were simply yes/no answers. Often, answers were dependent on what information handling activities took place with foreign entities by the department during the review period. As such, a number of questions could be returned with ‘not applicable’, and this was an acceptable response. Many of the questions were related to specific and easily defined requirements under the Act and its associated directions, e.g. ‘was a report submitted to the Minister?’ or ‘Did the Deputy Minister inform the applicable bodies of all their decision made under the act?’.

Other questions were designed to capture the details of the underlying processes that supported a department’s implementation, i.e. a department may indicate that they ensured no substantial risk of mistreatment was present in any of their information sharing activities, but how did they support this claim? Likewise, for an assertion that a possible substantial risk of mistreatment had been mitigated, what was in place that allowed a department to make this assertion? Therefore, this series of questions required sufficiently detailed responses to fully capture what a department had in place that allowed it to confidently state that it has met its implementation obligations under the Act and the issued directions.

Finally, a portion of the questions was intended to capture the level of uniformity in implementation across departments. This includes such things as country/entity assessments, triage practices, and record keeping. Much of this information will also help with recommendations going forward. This multi-faceted approach resulted in three main areas being evaluated to assess implementation for this review period and help set the groundwork for future reviews.

  • Departments have clear and comprehensive frameworks, policies, and guidelines such that they can demonstrate how they have fully implemented the directions under the Act.
  • All reporting requirements associated with both the Act and its applicable directions have been met.
  • Differences or gaps associate with areas such as country/entities assessments, record keeping, case triage, etc., such that consistent implementation across departments would be challenging.

Summary of the results table

The table in Annex A captures a summary of both the departmental responses to the implementation questions and NSIRA’s assessment regarding these responses. The assessment was based on the associated details provided by departments in the context of the specific information requested. As explained above, many of the responses were returned as not applicable (n/a). Since many implementation requirements are connected to specific activities, the absence of such activities would mean that the requirement does not come into play. The best example of this for the current review is the absence of any Deputy Minister level determinations. All 12 departments indicated that they did not have any cases referred to the Deputy Minister level for determination. All additional reporting requirements associated with this level of decision were not applicable and thus considered satisfied.

If a specific requirement was not met, it was flagged. The relatively few instances of this were connected with departments not meeting certain reporting obligations under the Act. In all cases, the department involved pre-identified these missing requirements and indicated that efforts were underway to address them.

The concerns and findings captured in the table (and others) are discussed subsequently. A concern was flagged in two situations: where there was an uncertainty associated with a department’s ability to support their implementation requirements; and cross-cutting issues related to general aspects of all of the frameworks described, both of which led to the findings and recommendations proposed.

Findings and Recommendations

Realities of Implementation for 2019

A challenge for departments for this first review was associated with one of the assessment items listed above, i.e. whether they had established frameworks to demonstrate how they supported the implementation of the directions they received.

With the Avoiding Complicity Act coming into force in July 2019, it was not feasible that departments would create and stand-up new frameworks for information exchanges in time for the period being reviewed. Although the Act did specify several Deputy Heads that were to receive directions, it only included those who received the previous 2017 MD. The remaining new departments received their directions in September 2019. Regardless of this two-month difference, each department would have been required to rely on, to some extent, existing procedures when handling information sharing with foreign entities during the review period.

This put the departments that had previously formalized policies and processes at an advantage when implementing the directions. For those departments who were not subject to the previous 2017 MD on information sharing, NSIRA considered how they leveraged and adjusted what was already in place to respond to their new responsibilities under the Act. What we then expected to see, for all departments, was what subsequent steps were taken during the review period and afterwards, to either adjust or create frameworks to better meet implementation requirements going forward. NSIRA noted that in response to questions on frameworks for handling information and mitigating risk, several of the departments new to the considerations of the Act provided extensive detail on their efforts and progress on building out their frameworks to support the directives. References to having these frameworks formalized over the subsequent year were also encouraging.

Finding no. 1: NSIRA found that several departments, new to the considerations of the Act, described considerable progress being made during the review period and afterwards to build out formalized frameworks to support implementation.

Importance of establishing operational framework

As discussed, having fully established operational frameworks in place for this review period may not have been feasible for the departments that did not previously have processes to support their activities. This, however, did not exempt a department from the requirements of implementation. Each department was still expected to leverage what it currently had in place to properly address the concerns associated with the Avoiding Complicity Act. Furthermore, there was a logical follow-on expectation that departments would take subsequent steps to build out formal frameworks to address any perceived gaps to support the implementation of the Act going forward if necessary.

After reviewing the responses received, NSIRA is concerned that departments with minimal information sharing activities taking place during their operations have yet to address the necessity of having a robust framework in place, regardless of how often that framework is leveraged. For example, although PS and TC may primarily act as facilitators or coordinators for information exchanges on specific programs, they are still interacting with foreign entities, and therefore are required to fully assess their interactions with a foreign entity in this regard.

If a department without a formal framework assesses that it has few or no cases associated with the Act, then it may believe it is adequately positioned to address any sharing concerns should they arise. This, however, is not the case. Even single instances of information exchange in which the concerns of the Act may apply require a framework to support it properly. In many cases, it will be the framework itself that properly identifies whether a sharing activity raises concerns under the Act. If there is no formal process in place, then this identification becomes problematic. Simply saying that there are no cases or activities associated with the Act is not sufficient. That determination can only be made after a sharing activity is scrutinized through the lens of a robust framework. Going forward, all departments who receive directions should demonstrate a formal framework that ensures all information sharing activities are adequately evaluated against the considerations of the Act.

Finding no. 2: NSIRA found that departments conducting minimal information exchanges with foreign entities have not yet fully addressed the importance of having an official information sharing framework in place.

Recommendation no. 1: NSIRA recommends that all departments in receipt of directions under the Act have an official framework that ensures they can fully support their implementation of the directions.

Community coordination and best practices

While departmental coordination and the sharing of best practices are not a requirement of the Avoiding Complicity Act or the directions, NSIRA considered such an approach’s value. What became clear during this first review was that every department employs a very different framework to guide their information sharing activities with foreign entities. This is to be expected to some extent, given the different mandates, sharing requirements, and areas of focus associated with each department. However, these differences are also a reflection of the independent, internal development that has taken place for the different frameworks being used. While the departments receiving directions under the Act do interact on this subject to some extent, to date, based on the responses provided, it appears that the majority of the work done by the departments to build supporting frameworks to address their responsibilities associated with the Act have been done so independently. There was little to no overlap with how departments described the various aspects of their frameworks, even amongst the departments subject to the earlier MD on this issue.

There would be value in departments collectively identifying the key aspects common or required in all information exchanges with foreign entities and then working together to craft best practices, irrespective of what a department currently has in place. This process should draw on all available resources to make this determination. Each department can then turn to their existing frameworks to consider where and how they can be adjusted to match this community-agreed upon ideal. This is not to say that aspects of what a department already has in place in their framework will not ultimately be seen as the best practice. Several departments do have robust sharing frameworks in place, and these will contribute significantly to this exercise. However, arriving at this determination independently will provide an additional level of confidence.

Department-specific challenges, of course, cannot be ignored. In fact, they will weigh in strongly on such a conversation. Departments share information under their mandates for various reasons, and this will mean that coordination on certain aspects of a sharing framework may not be possible. However, this needs to be evaluated. It is important that what already exists, or what is hard change, does not unduly influence what may be best. This approach will create uniformity (where possible) across the community and provide a starting point for ‘must haves’ for each department to evaluate their existing processes against.

The Public Safety Information Sharing Coordination Group (ISCG) was established to support departments on information sharing. As such, it is in an ideal position to help mitigate issues arising from the lack of coordination. Leading such efforts would build on the work already being done by this group. During recent discussions with NSIRA, the ISCG indicated that the tracking of lessons learned and the sharing of best practices was not yet routine. Going forward, there would be value in a more coordinated effort when departments are updating/changing their framework. Ensuring that this coordination takes place will require support and leadership by senior-level officials. This will help in sharing best practices once identified, and establish more consistent approaches across departments.

Finding no. 3: NSIRA found that the differences and variability in departmental frameworks demonstrate a previous lack of coordination across the community and a need to identify best practices.

Recommendation no. 2: NSIRA recommends that departments coordinate to identify best practices for all essential components of information sharing frameworks and that the ISCG is leveraged to ensure these practices are shared where possible across the community to support the implementation of the Act.

Framework application inconsistency

A series of questions in this review was related to aspects of consistency in how departments apply their frameworks. From this series, a comparison was made on how many times an information sharing/use event triggered an evaluation of any kind against the considerations of the Avoiding Complicity Act, versus how many of these triaged cases were elevated or referred up for decision. The results helped gauge two important aspects of a framework: One, the threshold requirements, i.e. how often a sharing activity triggers an evaluation of any kind; and two, the decision making power given to the operators who are initially handling these activities.

The feedback and the responses received demonstrate potential inconsistencies in both aspects across departments. For example, several departments indicated zero cases as being triaged/evaluated under the concerns of the Act during the review period, yet also specified that they are involved in regular information sharing or, specified that no information received from foreign entities was derived from mistreatment. These responses appear to be inconsistent as it would be problematic to participate in information sharing or to make such mistreatment determinations without the activity being evaluated on some level.

Other departments indicated a larger number of cases as initial triaged/evaluated, but also indicated that none of them were elevated in their decision making process for higher-level decisions. This would seem to suggest that all determinations were being made at the operational level. Such a result puts significant weight on the operator and the initial assessment tools they are leveraging if they are making all determinations independently. This reinforces the importance of a robust framework to help make these determinations, as previously indicated in Finding no. 2. As a result of these differences, potential challenges arise on accurately assessing the volume of cases being handled by departments, the tracking of those cases deemed to present a substantial risk, those which can be mitigated for, and those where the risk was not found to be substantial or even present.

These responses may result from how each department defines a ‘case’ or how it records a case, or they may be a result of differences in how a department’s decision-making process is leveraged. NSIRA’s concern is that these differences may indicate an inconsistency in application thresholds at different departments. As such, the following results were viewed as a potential issue based on the responses received:

  • if a department was involved in any kind for information exchange with a foreign entity during the review period, but did not indicate that any cases were formally triaged/evaluated; or
  • if there was a significant number of cases triaged, but none were elevated to a higher level for determination.

Such results do not necessarily indicate a problem as aspects of a framework may be able to account for this, however, looking further into how and why the department’s framework produced these outcomes is important. Future reviews will be able to do this. Consistent initial steps for information sharing activities, including triage/evaluation thresholds and documentation, are critical to the effective application of a framework, and ultimately to identifying best practices.

Finding no. 4: NSIRA found that there are inconsistencies in the application of existing sharing frameworks between departments, specifically concerning information evaluation thresholds, and decisions being elevated for senior level determinations,

Recommendation no. 3: NSIRA recommends that departments establish consistent thresholds for triggers in their information sharing frameworks, including initial evaluations against the concerns of the Act, when a case is to be elevated in the decision process, and how this is documented.

Country and entity assessments

A key recommendation of NSIRA’s previous review on information sharing related to the country/entity assessments being used by departments to inform their decision making process when sharing or using information with a foreign entity. While the use of country/entity assessments is not a required aspect of implementing the directions under the Act, NSIRA continues to support this tool as an important aspect of any sharing framework. In its previous review, NSIRA determined that having a firm grasp on the human rights situation, as well as any other pertinent information associated with a country/entity, was essential to making an informed decision on whether there should be concerns, caveats, or limitations when handling information with that country/entity. Moreover, having such information captured to ensure all departments consistently approach these countries/entities is critical. At the time of the previous review, the following recommendation was made:

  • a unified set of assessments of the human rights situations in foreign countries including as standardized ‘risk of mistreatment’ classification level for each country; and
  • to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

It is important to note that there has been no formal response from departments on this previous recommendation as of the date of this report. Furthermore, during this report, two departments continue to raise concerns with NSIRA’s stance on this issue during the consultation process. While NSIRA continues to support this recommendation, as explained below, further discussions with departments on how to approach this matter may be warranted, specifically on the distinction between how this recommendation may apply to a foreign country/entity vs a specific foreign partner a department may be dealing with.

Based on the responses provided on this topic for the current review period, there is still inconsistency in this area. While almost all departments indicated that country/entity assessments were a standard part of their framework, the responses also indicate differences in which country assessments are used, how they are leveraged, and who is responsible for updating them. For example, several departments rely on their own in-house created assessments, while others leverage the assessments created by Global Affairs Canada and others. While departments who indicated that they are leveraging country/entity assessment tools in their process also indicated that these assessments captured human rights concerns, this has yet to be independently evaluated. NSIRA is concerned that these differences could result in different approaches/stances being taken by departments when dealing with the same foreign entity. While the country/entity assessments tools themselves are not necessarily in question, the fact that every department is not leveraging or does not have access to all useful or applicable information is.

NSIRA remains of the view that having a consistent stance on all countries and entities when implementing the requirements of the Act is important. Issues such as mistreatment and human rights should not be decided at a departmental level, but on a whole-of-government level. While mindful of classification levels, ensuring all departments have access to the same relevant information associated with a foreign country/entity is critical to making an informed decision. Due to the nature of their work, departments may be privy to unique information on a country/entity, some or all of which can be shared. This would lead to fully informed assessments that allow for a consistent approach when dealing with any country/entity. In addition to improving duplication of effort in this area by departments, NSIRA continues to see standardized country and entity assessments, which can be accessed and contributed to by all departments, as key to moving toward a more consistent and effective implementation of the Act across the community

Finding no. 5: NSIRA found a lack of unification and standardization in the country and entity assessments being leveraged by departments, resulting in inconsistencies in approach/stance by the community when interacting with Foreign Entities of concern related to the Act.

Recommendation no. 4: NSIRA recommends that departments identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach by departments when interacting with Foreign Entities of concern under the Act.

Conclusion

While aspects of implementation can be easily quantified and evaluated e.g. reporting requirements to a Minister, others, which support implementation are more difficult to measure, e.g.:

  • What does a sufficiently robust framework for assessing and mitigating risk when sharing with a foreign entity look like?
  • Does this depend on the specific requirements and activities of the department; or,
  • Are there steps that should always be involved when vetting a foreign entity under the considerations of the Act?

Measuring and weighing the answers to such questions is challenging. They are more nuanced, and can’t be as easily quantified. Regardless, they must be considered and addressed. Drawing on the considerations and concerns identified in this review will help departments to ask the questions that will improve their underlying frameworks with the following goals in mind:

  • To identify the essential/key elements that need to be a part of any framework for it to address the concerns associated with the Avoiding Complicity Act sufficiently; and,
  • To have all identified best practices implemented as consistently as possible across departments.

Future reviews will push towards these goals by seeking answers to those questions above. By looking more closely at specific case studies, departmental legal opinions, items of inconsistency, and the departmental frameworks that are already demonstrating best practices that should be shared. Ultimately the results of such efforts will contribute to improving the implementation of the Act across the community.

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019: Backgrounder

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019

Backgrounder

Backgrounder

In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The framework aimed to establish a coherent and consistent approach across government when sharing and receiving information with Foreign Entities. Following this, Ministerial Direction was issued to applicable departments in 2011 on Information Sharing with Foreign Entities, and then again in 2017 on Avoiding Complicity in Mistreatment by Foreign Entities.

On July 13, 2019, the Avoiding Complicity Act came into force. This Act codifies and enshrines Canada’s commitments in respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment.

On September 4, 2019, pursuant to section 3 of the Act, the Governor in Council (GiC) issued written directions to the Deputy Heads of the following 12 departments and agencies: Canada Border Services Agency (CBSA), Canada Revenue Agency (CRA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment (CSE), Department of Fisheries and Oceans Canada (DFO), Department of National Defence and Canadian Armed Forces (DND/CAF), Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Global Affairs Canada (GAC), Immigration, Refugees, and Citizenship Canada (IRCC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP) and Transport Canada (TC).

The GiC issued directions focused on three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.

Pursuant to section 7 of the Act, every Deputy Head having received direction must, before March 1 of each year, submit to the appropriate Minister a report regarding the implementation of those directions during the previous calendar year. Following this, every Deputy Head must, as soon as feasible after submitting the report, make a version of it available to the public.

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019

Last Updated:

Status:

Published

Review Number:

20-03

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2019

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2019

Last Updated:

Status:

Published

Review Number:

20-04

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified:

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2019: Report

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2019

Report

Date of Publishing:

Abstract

Parliament enacted the Security of Canada Information Disclosure Act (SCIDA) in 2019 to improve the sharing of intelligence and national security information. SCIDA provisions aim to enhance accountability by clarifying roles and responsibilities in the disclosure process and amending the specific authority under which federal institutions may disclose this information. The National Security and Intelligence Review Agency (NSIRA) is responsible for reviewing and reporting annually on these disclosures. SCIDA has been used 114 times to disclose information during the reporting period of June 21 to December 31, 2019. The initial impression is that departments and agencies are making good progress to institutionalize this new legislative authority. The Royal Canadian Mounted Police and the Canadian Security Intelligence Service were the main recipients of SCIDA disclosures; Immigration, Refugees and Citizenship Canada and Global Affairs Canada were the main disclosers of information. The content of these disclosures varied, but generally involved personal information: names, age, physical characteristics, location and residential information. Departments and agencies varied significantly in how they applied certain SCIDA requirements. For example, the level of detail varied in statements disclosing institutions made to recipients concerning the accuracy, reliability and origin of information. In determining whether to disclose information, departments and agencies were also inconsistent in how they applied the contribution test, that is, determining whether disclosure would contribute to the exercise of the recipient’s jurisdiction, or the carrying out of its responsibilities in respect of activities that undermine the security of Canada. In addition, NSIRA identified some requests for information that were broad in nature, raising a risk that extraneous personal information could have been inadvertently shared. Finally, NSIRA observed two instances of departments or agencies destroying or returning information that either exceeded initial requests or was not necessary for the institution to exercise its jurisdiction. NSIRA also observed that the disclosures contained caveats.

Executive Summary

The Security of Canada Information Disclosure Act (SCIDA) promotes the disclosure of certain information between institutions of the Government of Canada in order to protect Canada against activities that undermine the nation’s security. SCIDA is an updated statute intended to improve the sharing of intelligence and national security information, as well as to enhance accountability by clarifying roles and responsibilities in the disclosure process and amending the specific authority under which federal institutions may disclose this information.

Our agency, the National Security and Intelligence Review Agency (NSIRA), is required under its governing legislation to submit an annual report to the Minister of Public Safety and Emergency Preparedness on disclosures made under SCIDA. We have prepared this report to fulfil that obligation. This report is also intended to provide an overview of SCIDA and the obligations that it has created for federal departments and agencies.

Because SCIDA came into force only in June 2019, this report is based on a period of just six months; going forward, the reporting period will be a full calendar year. In addition, given the unprecedented nature of the COVID-19 pandemic, and its impact on our work, we could not complete our review of the disclosures made under SCIDA in 2019 in time for this publication. We are continuing our analysis of the disclosures, however, and intend to publish our findings in next year’s report.

In the last six months of 2019, departments and agencies made 114 disclosures under SCIDA. Immigration, Refugees and Citizenship Canada made almost half of these disclosures, primarily to the Canadian Security Intelligence Service and the Royal Canadian Mounted Police. The content of these disclosures varied, but was generally concerned with personal information: names, age, physical characteristics, location and residential information.

Public Safety Canada has primary responsibility for coordinating the implementation of SCIDA. While we will return to this theme next year, our initial impression is that good progress is being made to institutionalize this new legislative authority.

Finally, we are also pleased to report that we have laid a foundation for working collaboratively with the Office of the Privacy Commissioner of Canada (OPC) on next year’s annual review of SCIDA. The National Security and Intelligence Review Agency Act specifically allows for us to coordinate with the OPC; this will enable us to undertake a more comprehensive analysis of disclosures of information under SCIDA. Our goal is to produce a joint NSIRA-OPC report on SCIDA disclosures in 2021.

Sharing information in a timely and effective manner is critical to assessing and mitigating threats, which can be complex and global in scope, and often evolve rapidly. Generally, departments and agencies share information with one another under the authority of, and consistent with, legal frameworks specific to their mandates. Disclosures must also be compliant with the Privacy Act. That legislation sets out that, except in specific limited circumstances, personal information under the control of a government institution shall not be disclosed without the consent of the individual. One exception is that information maybe shared without consent when the purpose for disclosure is consistent with the original purpose for which the information was obtained or compiled. This exception, under section 8 of the Privacy Act, is known as “consistent use.”

Problems with respect to information sharing date back to at least the 1980s.They were apparent in the work of Justice Major’s Commission of Inquiry into the Investigation of the Bombing of Air India Flight 182, which addressed information sharing in relation to the bombing. The 2010 inquiry concluded that the failure of domestic agencies to share information effectively contributed to the downing of the Air India flight, and that information sharing lacked coordination, was unstructured and was inconsistent.

In 2010, the government released its “Action Plan – The Government of Canada Response to the Commission of Inquiry into the Investigation of the Bombing of Air India Flight 182.” This action plan led to the Security of Canada Information Sharing Act (SCISA), which came into force in 2015. SCISA’s goal was to facilitate information sharing for national security purposes. In 2019, the legislation was amended and renamed the Security of Canada Information Disclosure Act (SCIDA) in response to concerns expressed by various stakeholders and the general public.

SCIDA provides an independent authority for federal government institutions to disclose information to protect against activities that undermine the security of Canada. It is meant to improve the effectiveness and accountability of national security and intelligence information sharing by clarifying roles and responsibilities in the disclosure process, and by amending the specific legislative authority under which federal institutions are able to disclose this information.

Information sharing that takes place under SCIDA remains a small fraction of the information that is shared for national security purposes. Most information sharing continues to take place under the authority of the specific legal frameworks of the relevant departments, and under the authority of the Privacy Act, particularly its consistent use provision.

This Report

The National Security and Intelligence Review Agency (NSIRA) is required under its governing legislation to submit to the Minister of Public Safety and Emergency Preparedness a yearly report on disclosures made under SCIDA. This report fulfils NSIRA’s statutory obligation and is an essential component of the accountability measures in SCIDA. This report and NSIRA’s annual public report are important vehicles through which NSIRA hopes to contribute to transparency with respect to the national security and intelligence activities of federal departments and agencies.

Given the unprecedented circumstances created by the COVID-19 pandemic and how it has affected NSIRA’s work, the agency regrets that it was unable to complete in time for publication its assessment of the extent to which the 2019 SCIDA disclosures were legally compliant, as well as the extent to which these disclosures were reasonable and necessary. NSIRA is continuing to analyze these disclosures, however, and intends to publish its findings in next year’s SCIDA report. Instead, this year’s SCIDA report will provide parliamentarians and Canadians with information about SCIDA and how it fits alongside other legal mechanisms for the sharing of information, as well as provide baseline information on the disclosures for this reporting period. It also sets out NSIRA’s expectations and intentions for the future, and explains why information sharing is a critical issue for NSIRA.

In this regard, NSIRA is pleased to report that it has taken important steps to lay the foundation for working jointly with the Office of the Privacy Commissioner of Canada (OPC) on next year’s annual review of SCIDA. Coordinating with the OPC, pursuant to both the National Security and Intelligence Review Agency Act and the Privacy Act, will allow for a more comprehensive report in respect of disclosures of information under SCIDA. In addition to avoiding duplication, working collaboratively will ensure that NSIRA’s expertise in national security is complemented by the OPC’s privacy expertise, whose mandate is to oversee compliance with the Privacy Act. The goal is to produce a joint NSIRA-OPC report on SCIDA disclosures in 2021.

Initial Concerns with SCIDA’s Predecessor, the Security of Canada Information Sharing Act (SCISA)

As noted, SCIDA was shaped by the government’s consultations on national security matters in 2016, as well as by Parliament’s scrutiny of the bill. These efforts highlighted concerns among stakeholders and the general public that the legislation would permit too much sharing of personal information, and without appropriate mechanisms for accountability. Many commentators urged the government to enhance the legal threshold for disclosing information; they argued that the term “relevance” was too low. Several stakeholders also urged that the receipt of information be governed by a standard of necessity and proportionality and that a precise definition of “threats to the security of Canada,” one modelled on the Canadian Security Intelligence Service Act (CSIS Act), be incorporated into the bill.

In 2017, the review body for CSIS at the time, the Security Intelligence Review Committee (SIRC), published a review of SCISA to examine how it affected information sharing between CSIS and its domestic partners. That same year, the OPC published a report on SCISA intended to determine, among other things, whether departments and agencies had engaged in appropriate risk management activities to identify and minimize the privacy impacts of sharing. Both SIRC and the OPC noted general deficiencies in tracking and record keeping; they expressed concerns about SCISA’s lack of clear requirements in that regard, which were thought to be key to maintaining strict controls over information sharing.

In response to these concerns, the preamble in the proposed Act was amended to include a statement that disclosure of information must respect the Privacy Act and other privacy legislation, as well as the Canadian Charter of Rights and Freedoms (the Charter). Other legislative amendments to SCISA included a change to the previous threshold of relevance, and a new requirement that both the disclosing agency and the receiving agency perform assessments throughout the disclosure process. In addition, the legislation now contains retention, reporting and record-keeping requirements. NSIRA’s analysis of the 2019 disclosures — still under way — focuses on these concerns in assessing whether the disclosures met all statutory obligations.

The SCIDA preamble now declares that one of the Act’s objectives is to create an explicit authority to facilitate the effective and responsible disclosure of information to protect the security of Canada. SCIDA also stipulates that it cannot authorize a disclosure prohibited under another federal statute. It further stipulates that SCIDA does not constitute a lawful authority for a department or agency to collect information.

Under SCIDA, a disclosing department or agency must verify that the recipient is one of the 17 departments and agencies listed in schedule 3 authorized to receive disclosures. It must also be satisfied that the disclosure will “contribute to the exercise of the recipient’s jurisdiction, or the carrying out of its responsibilities in respect of activities that undermine the security of Canada” (paragraph 5(1)(a)). Importantly, information relating to lawful advocacy, protest, dissent and artistic expression cannot be disclosed unless conducted in conjunction with an activity that undermines the security of Canada. The disclosure must not “affect any person’s privacy interest more than is reasonably necessary in the circumstances” (paragraph 5(1)(b)). Additionally, the disclosing department or agency “must provide information regarding its accuracy and the reliability of the manner in which it was obtained” (subsection 5(2)).

At the same time, the receiving department or agency is subject to specific requirements under the Act. In particular, it must assess the “personal information” received in order to ensure that all information that is not necessary for the department or agency to exercise its jurisdiction, or to carry out its responsibilities in respect of activities that undermine the security of Canada, is promptly destroyed or returned. An exception to this requirement is if retention is otherwise required by law. For example, the requirement to destroy or return personal information does not apply to certain law enforcement bodies, including the RCMP, if they are subject to criminal law disclosure obligations. Additionally, pursuant to subsection 5.1(3), the requirement to return or destroy personal information obtained pursuant to SCIDA does not apply to CSIS in respect of any information that relates to the performance of its duties and functions under section 12 of the CSIS Act to collect information and intelligence on threats to the security of Canada.

SCIDA Information Sharing Scheme

BEFORE DISCLOSURE DISCLOSURE TEST OTHER REQUIREMENTS

GC institution requests information from another GC institution. The recipient institution must be listed in schedule 3 of the Act.

GC institution, on its own initiative, decides to disclose to a GC institution listed in schedule 3 of the Act.

The information that the GC institution is expected to share is in respect of activities that undermine the security of Canada as defined in s.2 of the Act.

The disclosing institution must be satisfied that:

a) the disclosure will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority; and

b) the disclosure will not affect any person’s privacy interest more than it is reasonably necessary in the circumstances.

(paragraphs 5(1)(a) and 5(1)(b)).

Copy to NSIRA
In relation to the record-keeping requirement, a copy of every record of disclosure shared or received must be provided every year to NSIRA. (subsec. 9(3))

Destroy or return
The receiver must, as soon as feasible after receiving disclosure, destroy or return any personal information that is not necessary for the institution to exercise its jurisdiction, or to carry out its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada. (subsec. 5.1 (1))

Accuracy and reliability
GC institution that discloses information under subsection (1) must, at the time of the disclosure, also provide information regarding its accuracy and the reliability of the manner in which it was obtained. (subsec. 5(2))

Recordkeeping
GC institution must, as soon as feasible after receiving it under section 5, destroy or return any personal information, as defined in section 3 of the Privacy Act, that is not necessary for the institution to exercise its jurisdiction, or to carry out its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada (subsec. 5.1(1)) unless otherwise required by law. (subsec. 5.1(2))

CSIS – Exception
Recordkeeping requirement does not apply to CSIS in respect of any information that relates to the performance of its duties and functions under s. 12 of the CSIS Act. (subsec. 5.1(3))

SCIDA in Context

Currently, the information sharing that takes place under SCIDA represents a small fraction of the information that is shared for national security purposes among federal government departments and agencies. All sharing of personal information by the federal government must be done in conformity with the Charter. Of note, section 8 of the Charter protects against “unreasonable search or seizure” and applies wherever a person might have a reasonable expectation of privacy. An authority to share information does not guarantee that the sharing meets the standards derived from section 8 of the Charter, and this issue must be assessed on a case-by-case basis. The Privacy Act governs all handling of personal information by federal government departments and agencies. SCIDA, however, is specific, and relates to the disclosure of national security information. Both Acts work hand-in-glove.

Additionally, there are specific statutes under which information sharing may occur. For example, subsection 19(2) of the CSIS Act authorizes the disclosure of information obtained by CSIS, and sections 43, 44 and 46 of the Communications Security Establishment Act (CSE Act) authorize the disclosure of information obtained by the Communications Security Establishment (CSE), with both pieces of legislation specifying that the information had to be obtained in the performance of each agency’s own duties in certain circumstances. Other examples of specific statutes permitting such information sharing include the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Immigration and Refugee Protection Act (IRPA), the Customs Act, and the Secure Air Travel Act. In addition to these statutory authorities, section 8 of SCIDA provides that information can also be shared under the Crown prerogative or common law authorities. Much information sharing in the national security context, however, is done pursuant to the various exemptions of the Privacy Act. The RCMP, for example, may rely on the Privacy Act to disclose personal information in various contexts, including programs that coordinate the sharing of personal information, such as the Criminal Intelligence Service and the Canadian Police Information Centre, which are administered pursuant to the RCMP’s law enforcement mandate.

Disclosures to NSIRA

Proper record keeping is a key aspect of accountability, as a failure to document and track disclosures and receipts of information undermines the review function, whether external or internal.

Under subsection 9(1) of SCIDA, records must be kept by departments and agencies that disclose and receive such information. The records must include, among other baseline information, the information that disclosing departments and agencies relied on to satisfy themselves that they had the authority to disclose the information. Recipient departments and agencies must indicate whether the information has been destroyed or returned. Under subsection 9(3) of SCIDA, a copy of those records must be provided to NSIRA within 30 days after the end of each calendar year.

Statutory Requirement to Report Disclosures to NSIRA

NSIRA received records from all agencies that disclosed or received information on a timely basis. However, some discrepancies were detected such that the number of disclosures of information reported did not, in a minority of cases, match the reported receipts of information. NSIRA asked for, and was provided, explanations for these discrepancies and is satisfied that the root causes can be attributed to the newness of the regime and that there was no attempt to obscure the fact of information having been disclosed or received. NSIRA is aware of the community’s ongoing efforts to address this, led by Public Safety Canada. NSIRA expects that, next year, there will be fewer or no discrepancies in the numbers reported. NSIRA also requested and received access to the disclosures themselves, from all departments and agencies that either disclosed or received information. The necessity to provide complete copies of all disclosures and receipts, in addition to a “record” of each disclosure as set out in SCIDA, is required to allow NSIRA to fully assess whether the departments and agencies met their statutory obligations.

Frequency of Disclosures

During the last six months of 2019, departments and agencies reported havingused SCIDA 114 times to disclose information. In comparison, during the firstsix months after its predecessor SCISA was enacted in 2015, departmentsand agencies reported using that legislation to disclose information 58 times.

2019 SCIDA Disclosures

A total of 114 disclosures were sent and received by Government of Canada departments in 2019. The below table identifies by whom and to whom disclosures were sent and received, and the volume of 2019 disclosures under the SCIDA.

Disclosing Institution Number of Disclosures Receiving Institution
Canada Border Services Agency 2 Royal Canadian Mounted Police
Canada Border Services Agency 1 Canadian Security Intelligence Service
Global Affairs Canada 23 Canadian Security Intelligence Service
Global Affairs Canada 3 Immigration, Refugees and Citizenship Canada
Global Affairs Canada 1 Public Safety Canada
Global Affairs Canada 15 Royal Canadian Mounted Police
Immigration, Refugees and Citizenship Canada 17 Canadian Security Intelligence Service
Immigration, Refugees and Citizenship Canada 5 Communications Security Establishment
Immigration, Refugees and Citizenship Canada 1 Department of National Defence and Canadian Armed Forces
Immigration, Refugees and Citizenship Canada 36 Royal Canadian Mounted Police
Royal Canadian Mounted Police 4 Canada Revenue Agency
Royal Canadian Mounted Police 1 Financial Transactions and Reports Analysis Centre of Canada
Royal Canadian Mounted Police 1 Immigration, Refugees and Citizenship Canada
Royal Canadian Mounted Police 3 Global Affairs Canada
Transport Canada 1 Royal Canadian Mounted Police

Not surprisingly, the main recipients of SCIDA disclosures were the RCMP and CSIS, both of which have the authority under their respective mandates to collect and retain information in the conduct of investigations in the national security context. SCIDA, by contrast, does not constitute an authority to collect information.

Information disclosed under SCIDA may be disclosed either proactively or in response to a specific request. In many cases, the RCMP and CSIS requested of their government partners to obtain information of relevance to their active investigations. Information was then disclosed responsively under the authority of SCIDA.

Immigration, Refugees and Citizenship Canada (IRCC) was responsible for approximately half of the disclosures made under SCIDA in 2019. This, too, is not surprising, considering IRCC’s mandate to collect personal information about Canadians, permanent residents and foreign nationals under the IRPA, the Citizenship Act and the Canadian Passport Order. In general, records gathered during the course of applications for immigration to Canada were often the subject of disclosure. IRCC also supplied information about the status of individuals in Canada. In NSIRA’s view, a great deal of the information disclosed by IRCC would be considered “personal information” as defined in the Privacy Act and incorporated in the SCIDA.

Global Affairs Canada (GAC) was responsible for slightly over a third of all disclosures. The information was obtained in the course of providing consular assistance to Canadians, or through engagement with host-country authorities in regards to consular cases. In a majority of cases, GAC proactively disclosed the information at issue.

The content of disclosures varied, but was generally concerned with personal information: names, age, physical characteristics, location and residential information. As noted, some of the disclosures merely involved advising whether an individual had status in Canada. Other disclosures included familial and relationship information. A few disclosures contained personal information on individuals connected to an investigation.

Anonymized Scenario Examples of SCIDA Disclosures

RCMP request for disclosure from IRCC: The RCMP initiated a criminal investigation of an individual who applied for citizenship with personal finances potentially linked to terrorist investments. The RCMP requested descriptors, biographical information, employment history and other known selectors from IRCC that would assist in this investigation.

RCMP request for disclosure from IRCC: The RCMP initiated a criminal investigation of individuals believed to be facilitators of a terrorism organization. The RCMP sought identification information (e.g., full names, citizenship, marital status, photographs) for these individuals, in addition to contact and locational data, as well as marital status and known family members to assist in this investigation.

CSE request for disclosure from IRCC: CSE’s request for disclosure sought to confirm whether a given individual held Canadian citizenship or other status in Canada. This information assists CSE as it is prohibited from targeting Canadians. IRCC disclosed the information as requested, with caveats to protect the individual’s privacy rights when communicating back to third parties.

RCMP disclosure to the Canada Revenue Agency (CRA): The RCMP discloses information related to registered charities and individuals linked to them, in certain cases. This includes confirming whether organizations or individuals are or have been the subject of an investigation. The CRA is responsible for protecting the integrity of Canada’s registration system for charities. This information supports them in their efforts to detect and address risk as it relates to terrorist abuse of Canada’s charitable sector.

A very small number of disclosures targeted more than a single individual. These appeared to represent an efficiency because the grounds for requesting or disclosing were the same. Nevertheless, NSIRA will be attentive to these types of disclosures in future reviews, given the potential risks associated with disclosures of this nature.

Other Observations

The disclosures contained caveats related to the use and disclosure of information; NSIRA observed no refusals of caveats by requesters. The degree to which disclosures included statements concerning the accuracy, reliability and origin of information, however, varied. Simply put, the level of detail varied from disclosure to disclosure. Given the O’Connor Commission’s finding that inaccurate information related to Maher Arar was shared with foreign partners, this is an important observation. Next year’s review will look for a consistently high standard across departments and agencies in this regard.

In addition, there were instances in which, based on the broad nature of the request, NSIRA assessed that extraneous personal information could have been inadvertently shared. Responsible use of SCIDA depends on departments and agencies demonstrating caution and attention to detail throughout the process to ensure that the disclosure will not affect anyone’s privacy interest more than is reasonably necessary in the circumstances. This becomes a challenge when requests are not precise, or are expansive in scope. In this context, it is worth noting that NSIRA observed two instances of departments or agencies destroying or returning information that either exceeded initial requests or was not necessary for the institution to exercise its jurisdiction. NSIRA will pay particular attention to this issue in future reviews.

Finally, SCIDA specifies that a disclosing department or agency must be satisfied that the disclosure will “contribute to the exercise of the recipient’s jurisdiction, or the carrying out of its responsibilities, in respect of activities that undermine the security of Canada.” This is known as the “contribution test.”

NSIRA noted some variation in the application of this test from disclosure to disclosure. Some departments and agencies applied it to each disclosure on a case-by-case basis. Others applied blanket or generic statements for several different requests. It is the responsibility of the disclosing department or agency to satisfy itself, among other things, that the information disclosed will contribute to the mandate of the recipient institution. Requests for information should provide a rationale that is sufficiently detailed and nuanced so that the disclosing department or agency would be able to be satisfied that the information would contribute to the mandate of the recipient department or agency. This will be an area that NSIRA will closely scrutinize in the future.

Systems and Training

Public Safety Canada has assumed a lead role in promoting interagency cooperation with respect to SCIDA. The department established the Strategic Coordination Centre on Information Sharing. This centre is dedicated to providing support to federal departments and agencies in operationalizing SCIDA, advancing governmental knowledge related to information sharing, and better educating the public on issues of national security information sharing. The department also formed a working group comprising SCIDA’s schedule 3 departments and agencies.

In late 2019, Public Safety Canada produced a 92-page explanatory guide, “A Step-by-Step Guide to Responsible Information Sharing.” This guide provides contextual information to promote better understanding of the purpose of SCIDA. It provides supporting material to assist with practical implementation of the Act in an effort to achieve consistency across departments and agencies in the disclosure process and in record keeping. For example, the guide outlines the required actions to be taken to disclose and receive information under SCIDA, and includes checklists and record-keeping and disclosure templates. It also clearly describes the mandates of all 17 departments and agencies listed in SCIDA as an aid to disclosing departments and agencies, since they must understand these mandates before disclosing information. Overall, the guide demonstrates a serious effort to educate the government on SCIDA and to encourage its use. Departments and agencies using SCIDA are encouraged by NSIRA to make its use of the materials, including the templates, developed by Public Safety Canada.

Since July 2019, Public Safety Canada has also held SCIDA training and information sessions. Between July 2019 and February 2020, 14 sessions attracted some 245 participants. These sessions traced the history of SCIDA, provided guidance as to its use, and engaged participants with case scenarios. Participant feedback indicates these sessions were well-received. Due to the COVID-19 pandemic, training is now being held virtually.

All departments and agencies listed in SCIDA as potential recipients received the guidance materials from Public Safety Canada and all departments and agencies that actively disclosed material participated in the training. Training materials were also distributed to the members of the working group. These efforts promote consistency across government departments and agencies, which supports NSIRA’s review responsibilities. Training for other departments and agencies that are more likely to receive information under SCIDA was scheduled for spring 2020, but was postponed because of the pandemic.

Public Safety Canada also encourages departments and agencies to develop their own internal guidance materials to communicate SCIDA requirements in the context of their specific information holdings, and with regard to their specific responsibilities for handling that information. Some departments and agencies have already developed internal guidance materials to further support the use of SCIDA as an authority to disclose information and to complement the materials provided by Public Safety Canada. For example, IRCC has developed guidance material to support the responsible implementation of SCIDA, as has CSE. In future reviews, NSIRA will examine how departments and agencies have supported and educated staff internally.

Conclusion: The Way Forward

Next year, NSIRA’s review will respond to the two key concerns expressed during the public debate about this legislation, namely, that it would permit the disclosure of too much personal information, and that the information would be shared without appropriate mechanisms for accountability. Specifically, the report will feature a detailed examination of SCIDA disclosures to verify that the requirements and limitations of the Act are being respected when information is disclosed. As noted, this review will be coordinated with the OPC and will include, pursuant to the OPC’s mandate, a review of government departments and agencies’ compliance with the Privacy Act with respect to disclosures made under SCIDA.

In formulating an assessment, NSIRA will expect departments and agencies to have complied with the thresholds and requirements identified in SCIDA and the Privacy Act, as well as other applicable laws related to both disclosures and receipt of information. This will include an assessment of whether, for example:

  • the disclosures contributed to the exercise of the recipient department or agency’s jurisdiction, or the discharge of its responsibilities;
  • the disclosure affects any person’s privacy interest more than was reasonably necessary in the circumstances;
  • any personal information that was not necessary for the department or agency to exercise its jurisdiction, or to carry out its responsibilities, was returned or destroyed; and
  • statements on the accuracy and reliability of the information were provided.

NSIRA will be attentive to the limitation on disclosing information related to lawful advocacy, protest, dissent and artistic expression.

NSIRA will also expect the departments and agencies to continue to respect the record-keeping and reporting requirements of SCIDA; to have taken reasonable steps to put in place required policies, training or guidance, and procedures to ensure compliance with SCIDA; and, finally, that established policies and procedures have been followed in all cases. NSIRA’s analysis will be informed and guided by the initial observations made in relation to the 2019 SCIDA disclosures, as described above.

Share this page

No endorsement of any products or services is expressed or implied.

Share this page
Date Modified: