Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities 2017 MD: Backgrounder
Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities 2017 MD
Backgrounder
Review Backgrounder
In 2019-2020, NSIRA conducted its first interdepartmental review on the implementation of the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities (2017 MD). The review set out to build NSIRA’s knowledge of the information sharing process adopted by the six departments that received the 2017 MD.
NSIRA conducted a case study for each department that had operationalized the 2017 MD. NSIRA noted significant differences in the six departments’ implementation and operationalization of information sharing processes. NSIRA found that CSE, CSIS and the RCMP had implemented the 2017 MD; DND/CAF was implementing the final elements of the 2017 MD; GAC had not yet fully implemented the 2017 MD; and, the CBSA had not yet operationalized the 2017 MD.
NSIRA examined and found differences in how high-risk decision-making is removed from operational personnel who may have a vested interest in the sharing. CSE and the RCMP had the most independent processes; GAC removed high-risk decision-making from front line personnel, while CSIS and DND/CAF decision makers had a direct operational interest in sharing information. NSIRA recommended that Departments ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
NSIRA also found a lack of standardization in information sharing risk assessments for both foreign countries and foreign entities. This issue has been noted in other NSIRA information sharing reviews.
In 2019, parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act, which in conjunction with the subsequent issued Orders in Council (OIC’s) codified many of the provisions of the 2017 MD and left the essential prohibitions and limits unchanged. Noteworthy, the six departments examined in this review are also the same departments for which there is an obligation to issue OICs pursuant to the Act. This review set out the foundation that has assisted and facilitated NSIRA’s subsequent mandated information sharing reviews.
Publishing this review aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work.
1.This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
2.The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
3.NSIRA identified concerns that demonstrate the need for improved training. NSIRA found that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information. Some disclosures were of concern as GAC did not meet the two-part threshold requirements of the SCIDA prior to disclosing the information. Without meeting these requirements, some disclosures of personal information were not compliant with the SCIDA. Two disclosures did not contain accuracy and reliability statements, as required under the SCIDA. With respect to record-keeping, NSIRA recommends that departments contemporaneously document the information relied on to satisfy themselves that disclosures will not affect any person’s privacy interest more than is reasonably necessary in the circumstances.
4.NSIRA is confident that it received all information necessary to conduct the review.
2. Introduction
5.When federal departments fail to share national security information in a timely, coordinated, or responsible manner, serious and tragic consequences can result – as the Arar and Air India Inquiries found. As a mechanism in Canada’s national security accountability framework, NSIRA is mandated to prepare a report respecting disclosures under the Security of Canada Information Disclosure Act (SCIDA) during the previous calendar year. This is the only NSIRA review that must be made public and laid before both the House of Commons and the Senate, reflecting the importance Parliament has placed on independent review and accountability of national security information disclosure.
6.The SCIDA’s designated long title also reflects its stated purpose: An Act to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada.
7.The SCIDA governs how Government of Canada institutions disclose information, including personal information, that is relevant to activities that undermine the security of Canada, to a select group of federal institutions with national security mandates. Disclosures are either made proactively, on the initiative of a Government of Canada institution, or in response to a request by an institution authorized to receive information under the SCIDA.
8.It is important to note that the SCIDA is simply a tool. It is only as useful as its real-time recognition and application. Its success relies on how individuals and institutions interact with and implement its provisions. Those federal government institutions authorized to disclose information under the SCIDA must maintain a certain vigilance for information that may have national security repercussions, including at the most basic operational level. Having recognized information that could involve national security matters, departments must then decide whether they are authorized to disclose that information and to whom, paying close attention to minimizing any impacts on individual privacy rights.
9.Federal departments and agencies with core national security mandates are generally able to rely on their own legal frameworks to share information with other domestic institutions, and do not require the SCIDA to do so. Previous NSIRA reports have found that for many such institutions, disclosures made under the SCIDA comprise only a small portion of their domestic national security information sharing.
10.NSIRA understands the significance of the SCIDA in the overall national security framework, and is concerned with its robust application, in keeping with the provisions of the SCIDA, including its guiding principles, and with respect to the disclosure of personal information. What is more, NSIRA has the ability to review all disclosures across the Government of Canada, and through this broad lens, can identify common themes and trends. This perspective, not available to individual federal departments, enables NSIRA to make findings and recommendations that can strengthen overall information disclosure within the national security framework.
Focus of this Review
11.In determining the focus of this review, NSIRA considered the concerns raised in its review conducted the year prior. In the review of disclosures made under the SCIDA in 2020, which NSIRA undertook jointly with the Office of the Privacy Commissioner (OPC), the review found that the majority of federal department disclosures – approximately 99 per cent – met the threshold requirements that permit information to be disclosed under the SCIDA. In other words, the disclosing institutions sufficiently demonstrated that they had satisfied themselves, prior to providing the disclosures, that the information to be disclosed would contribute to the exercise of the recipient’s jurisdiction or responsibilities respecting activities that undermine the security of Canada, and that it would not affect any person’s privacy interest more than reasonably necessary in the circumstances.
12.The few disclosures that raised concerns, however, were those that had been provided to the recipient institutions on a proactive basis. As such, NSIRA chose to focus on this category for its 2021 review of disclosures under the SCIDA. In 2021, the majority of proactive disclosures came from Global Affairs Canada (GAC). NSIRA therefore chose to focus on GAC’s proactive disclosures in 2021, as a representative sample.
13.In addition to reviewing these disclosures from the perspective of the SCIDA’s prerequisite thresholds, this review also assessed other important requirements under the SCIDA that help to ensure responsible disclosures of national security information. These include the need for disclosures to be accompanied by statements that attest to the accuracy and reliability of the information being disclosed, as well as the obligation on all disclosing institutions to prepare and keep records that set out a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.
14.Although the review sample focused on GAC proactive disclosures, many findings and recommendations are general and illustrative and, in many instances, may be useful to all institutions when disclosing under the SCIDA.
Review Objectives
15.The objectives of this review were to assess proactive disclosures of information under the SCIDA.
16.Specifically, the review assessed whether GAC:
a) Satisfied itself, prior to disclosing any information, that the disclosure would contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA;
b) Satisfied itself, prior to disclosing any information, that the disclosure would not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA;
c) Described, at the time of the disclosure, the accuracy of the information disclosed and the reliability of the manner in which it was obtained, as required under subsection 5(2) of the SCIDA; and
d) Kept records that included a description of the information that was relied on to satisfy itself that the disclosure was authorized under the SCIDA, as required under paragraph 9(1)(e) of the SCIDA.
Methodology
17.NSIRA received 195 disclosures of information from federal departments that reported either disclosing or receiving information under the SCIDA between January 1, 2021 and December 31, 2021. NSIRA conducted a preliminary review of all disclosures received.
18.NSIRA focused this year’s review on GAC proactive disclosures only. GAC identified 16 proactive disclosures out of a total of 44 disclosures under the SCIDA in 2021. However, in reviewing the material provided by GAC, NSIRA noted that three of these files were in fact requests for information from another department, and not disclosures of information under the SCIDA. As such, NSIRA removed these three files from the review sample, and only analyzed the remaining 13 disclosures identified by GAC as proactive disclosures.
19.NSIRA sent five follow up requests for information to GAC regarding its disclosures, and assessed all records provided.
3. Analysis
20. In conducting this review, NSIRA observed positive components of disclosures that it endeavours to highlight in this report. Proactive disclosures are an important feature of the SCIDA regime, and the following findings and recommendations aim to enhance compliance with the SCIDA.
Thresholds for disclosing information to federal institutions under the SCIDA
a) Jurisdiction or responsibilities in respect of activities that undermine the security of Canada
21. Paragraph 5(1)(a) of the SCIDA requires departments to satisfy themselves that disclosures “will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada.”
22. The definition of “activity that undermines the security of Canada” is set out at subsection 2(1) of the SCIDA and includes, for example, espionage and terrorism. Certain activities are excluded from this definition, notably advocacy and protest not carried out in conjunction with an activity that undermines the security of Canada.
23. In conducting this review, NSIRA examined each disclosure in the sample and its corresponding documentation to assess whether GAC had satisfied itself, prior to making the disclosure, that the information to be disclosed would contribute to the recipient department’s jurisdiction in respect of activities that undermine the security of Canada, as defined in the SCIDA.
24. In 12 of the 13 disclosures reviewed, GAC sufficiently demonstrated that it had satisfied itself as to these requirements. Furthermore, in all of these 12 disclosures, GAC documented that it had considered not only whether the recipient had the appropriate jurisdiction, but also how the information would contribute to that jurisdiction in respect of an activity that undermines the security of Canada as defined in the SCIDA. For example, see text box 1. The information in the disclosure file supports the text of this statement.
Text box 1: Example of statement in disclosure demonstrating GAC satisfied itself as to the requirements under 5(1)(a) of the SCIDA
GAC’s disclosure will contribute to the carrying out of CSIS’ responsibilities under section 12 of the CSIS Act, which require CSIS to investigate activities that may on reasonable grounds be suspected of constituting threats to the security of Canada. Section 2.a of the CSIS Act defines threats to the security of Canada as encompassing threats or acts of “espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage.” CSIS collects, analyzes and retains information and intelligence on these threats to the extent that it is strictly necessary to do so, and reports to and advises the Government of Canada. In the circumstances, GAC’s disclosure will contribute to CSIS’ responsibility under section 12 of the CSIS Act to investigate and report on threats to the security of Canada as defined in section 2.a of the CSIS Act. Specifically, the disclosure will contribute to an assessment of a potential espionage threat [against Canadian interests abroad].
25.However, NSIRA observed that in one of those twelve disclosures, GAC consulted on more information than necessary to determine whether the disclosure was authorized under the SCIDA. This disclosure is described below.
Disclosure 1
26.A foreign country provided information about an individual with ties to Canada, to GAC headquarters, and requested that GAC forward the information to appropriate authorities. GAC then met with CSIS and showed them the information in their holdings, in order to clarify whether the information contributed to CSIS’s national security mandate. CSIS reviewed the information and confirmed that the information was of value to their investigation. CSIS did not report any of the information in its holdings.
27.Following that consultation, GAC concluded that a number of the documents did not pertain to an activity that undermines the security of Canada, as they contained “significant amounts of personal information unrelated to [the subject of the investigation] and reflecting acts considered lawful in Canada, such as freedom of speech (with no stated intent to engage in acts of violence) and freedom of peaceful assembly.” As such, GAC subsequently formally disclosed to CSIS only a fraction of the previously consulted documents. With respect to this formal disclosure, GAC demonstrated that it satisfied itself as to the requirements under paragraph 5(1)(a) of the SCIDA.
28. GAC indicated to NSIRA that the Public Safety guide on responsible information-sharing (PS Guide) is its primary policy guidance on the SCIDA. NSIRA notes that the PS Guide encourages government institutions to “communicate with the designated recipient institution prior to disclosure to determine not only whether the information is linked to activities that undermine the security of Canada but also how it contributed to that institution’s national security mandate.” This should not be interpreted as providing authorization to consult on more information than necessary, given the possibility that information outside the scope of a SCIDA disclosure may be included.
29. During its consultation with CSIS, GAC consulted on information that it later assessed as not concerning an activity that undermines the security of Canada as defined in the SCIDA and which was later removed from the formal disclosure under the SCIDA. The consultation involved showing GAC’s full information holdings to CSIS, which was more information than necessary to obtain confirmation from CSIS that the information was of value. Information used in consultations should be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to the carrying-out of its mandate and is linked to activities that undermine the security of Canada.
30. Furthermore, despite twelve out of thirteen disclosures meeting the requirements of paragraph 5(1)(a) of the SCIDA, one disclosure did not. NSIRA addresses this disclosure below.
Disclosure 2
31. An individual overseas, on their own initiative, identified themselves as a member of that country’s government and provided information to an official at a Canadian embassy about an alleged threat. GAC disclosed this information along with personal information, including the individual’s contact information, to the Canadian Security Intelligence Service (CSIS), invoking the SCIDA as an authority to make the disclosure. However, GAC did not consider whether this disclosure met the two threshold requirements under paragraphs 5(1)(a) and 5(1)(b) of the SCIDA, prior to disclosing this information in its entirety. During the course of this review, GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and it was authorized under another authority for disclosing information in such circumstances, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances. Nonetheless this example demonstrates a) that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information, and b) that such confusion, in this case, led to the improper use of the SCIDA to disclose.
Finding no. 1: NSIRA finds that, in twelve out of thirteen disclosures, GAC demonstrated that it satisfied itself as to the contribution of the information to the recipient institution’s responsibilities in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA.
Finding no. 2: NSIRA finds that, without first conducting the analysis under paragraph 5(1)(a) of the SCIDA, departments risk disclosing information that does not pertain to the national security mandate of the recipient institution or to activities that undermine the security of Canada.
Finding no. 3: NSIRA finds that, in one of thirteen disclosures, GAC consulted on more information than necessary to obtain confirmation that the disclosure contributed to CSIS’s mandate and was linked to activities that undermine the security of Canada.
Recommendation no. 1: NSIRA recommends that consultations be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to its mandate and is linked to activities that undermine the security of Canada.
b) Privacy interest not impacted more than reasonably necessary in the circumstances
32. Paragraph 5(1)(b) of the SCIDA requires that disclosing institutions be satisfied that the disclosure will not affect any person’s privacy interests more than reasonably necessary in the circumstances.
33. All thirteen proactive disclosures included personal information as defined in the Privacy Act, that is, identifiable information about an individual, such as name, contact information, background information, or suspicions concerning the individual.
34. The PS Guide provides direction on the type of analysis required prior to disclosing personal information. More specifically, the PS Guide states “whether the information impacting a person’s privacy interest is considered ‘reasonably necessary’ will depend upon the particular circumstances of each case. Relevant considerations may include contextual factors, such as the type and nature of the information in question and the particular purpose for the disclosure.”
35. In response to NSIRA requests for further information, GAC explained how it satisfied itself that these proactive disclosures did not affect any person’s privacy interest more than reasonably necessary in the circumstances.
36. For example, GAC explained that in eight of the thirteen disclosures, GAC determined that some of the information it was considering disclosing was not within the scope of the recipient institution’s mandate. In the same disclosures, GAC also stated that it determined that some of the information in its holdings did not contribute to the institution’s investigation or fall within the recipient institution’s original request for information. For example, in one disclosure, only an individual’s travel status abroad was shared with CSIS as this pertained to the latter’s responsibilities in a national security matter. Other information in GAC’s holdings, such as information concerning other individuals, was determined by GAC not to be relevant, and therefore was not included in the disclosure.
37. Similarly, GAC explained that in two of the thirteen disclosures, GAC determined that some information was necessary to report to the recipient department, and therefore included in the disclosure. More detailed information not linked to activities that undermine the safety of Canada was not disclosed. For example, in one of the two disclosures, only information about suspected espionage activity was disclosed to CSIS, while detailed information about certain personal activities and behaviours was withheld.
38. NSIRA observed that of the 13 disclosures in the sample, three disclosures did not meet the requirements under paragraph 5(1)(b) of the SCIDA.
39. In Disclosure 2, described above, GAC disclosed information that was received from an individual who, on their own initiative, provided information to an official at a Canadian embassy overseas. GAC did not conduct any analysis under the SCIDA including whether the disclosure would affect privacy interests more than reasonably necessary in the circumstances, and proceeded with disclosing the entirety of the information to CSIS. GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and was authorized under another authority for disclosing information, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances.
Disclosures 3 and 4
40. A Canadian embassy abroad received screen shots of a private social media group. The screenshots included information about a political movement in a foreign country. They also contained the contact information of all members of the group. While the group shared posters about the movement and information concerning protests in Canada, there were no threats, whether specific or general, in the material. However, based on some information in the screenshots, as well as the broader context of protests, past events, and open source media, GAC determined that the information contributed to the exercise of the Royal Canadian Mounted Police (RCMP)’s and CSIS’s jurisdiction, or the carrying out of their responsibilities, in respect of activities that undermine the security of Canada.
41. GAC disclosed the entirety of the information to both the RCMP and CSIS. The only information redacted was the name and contact information of the individual who provided the information to GAC.
42. GAC explained to NSIRA that it concluded that paragraph 5(1)(b) of the SCIDA was met because it did not identify a reasonable expectation of privacy in the content of the private social media group. NSIRA observes that GAC did not consider all of the relevant factors that would allow it to satisfy itself that the disclosure would not affect any person’s privacy interest more than is reasonably necessary in the circumstances. As such, the disclosure of information did not meet the second threshold requirement under subsection 5(1) of the SCIDA. Therefore, the disclosure of personal information of the group members did not comply with the requirements of the SCIDA.
Finding no. 4: NSIRA finds that, in ten out of thirteen disclosures, GAC satisfied itself that the disclosure will not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA.
Accuracy and Reliability Statements
43. The Arar Report noted that “sharing unreliable or inaccurate information does not provide a sound foundation for identifying and thwarting real and dangerous threats to national security and can cause irreparable harm to individuals.”
44. A core theme in the SCIDA’s guiding principles is that of effective and responsible disclosure of information. Disclosing institutions are required, under subsection 5(2) of SCIDA, to provide information at the time of disclosure regarding the accuracy of the information disclosed and the reliability of the manner in which it was obtained.
45. Given the valuable context that accuracy and reliability statements provide to disclosures, precise and complete statements tailored to the specific circumstances of the disclosure can help avoid false perceptions, and can help ensure that recipient institutions have a clear understanding as to the accuracy and reliability of the information disclosed.
46. GAC relied on the PS Guide as its primary policy guidance document on the SCIDA. The PS Guide sets out that ensuring that the information disclosed is as accurate, complete, and as upto-date as possible is key to responsible and effective information sharing.
47. GAC informed NSIRA that partner agencies can better verify the accuracy of the information and the reliability of its source than GAC. NSIRA agrees that in some instances, GAC has limited capability for verification. Nonetheless, the SCIDA requires accuracy and reliability statements in every disclosure; accuracy and reliability statements must be clear and contextspecific in order to be meaningful.
48. In an example of a well-developed statement, GAC provided the following: The information disclosed by GAC was obtained through interactions between GAC officials with [known and credible source X and another individual]. GAC is not in a position to assess the accuracy and reliability of the above information provided to GAC officials by [these individuals]. GAC assesses that [source X] is highly credible, and is likely providing reliable information. In this case, the statement made a distinction between the accuracy and reliability of the information disclosed, depending on the source of that information. The disclosure sets out which information was provided by which source.
49. Overall, eleven of the thirteen disclosures contained accuracy and reliability statements. Two disclosures did not include the statement as the SCIDA requires. These omissions were not tied to GAC’s inability to verify the accuracy and reliability of the information.
Finding no. 5: NSIRA finds that two out of thirteen disclosures did not contain accuracy and reliability statements as required by subsection 5(2) of the SCIDA.
Recommendation no. 2: NSIRA recommends that in order to provide the most valuable and meaningful context for the recipient institution, accuracy and reliability statements should be clear and specific to the circumstances of the disclosure.
Record-keeping
50. Paragraph 9(1)(e) of the SCIDA requires that disclosing institutions prepare a description of the information that they relied on to satisfy themselves that the disclosure was authorized under the SCIDA, including that the disclosure did not affect privacy interests more than reasonably necessary, as part of their record-keeping obligations under the SCIDA.
51. It is noted that the PS Guide sets out the steps to making a disclosure, which include creating a record describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA. Furthermore, the PS Guide’s Appendix A: Record-keeping Template for Institutions Disclosing Information under the SCIDA, which is intended to help departments meet record-keeping obligations for disclosing institutions under the SCIDA, contains a field for departments to describe that information. It also restates the requirements under paragraphs 5(1)(a) and (b) of the SCIDA that the disclosing institution be satisfied that the disclosure will contribute to the recipient institution’s national security mandate, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances.
52. The SCIDA 2020 Review observed that GAC’s records describing the information it used to satisfy itself that certain responsive disclosures to CSIS, were robust. The basis for this observation was that GAC’s records contained information provided by CSIS to aid in GAC’s assessment, including details of the potential impact on the subject(s) of the request.
53. During the course of this year’s review, NSIRA requested that GAC provide a description of how it satisfied itself that the disclosure was authorized under both threshold requirements under the SCIDA. NSIRA also requested that GAC provide all supporting documents GAC relied on in its assessment. GAC provided explanations in response to NSIRA’s queries in this regard, referencing supporting documents. Based on a review of the records provided, NSIRA observes that GAC’s practices could be improved by contemporaneously and expressly articulating which information it relied on to satisfy itself that the disclosures would not impact any person’s privacy interest more than reasonably necessary in the circumstances.
Recommendation no. 3: NSIRA recommends that all disclosing departments contemporaneously prepare descriptions of the information that was relied on to satisfy themselves that disclosures were authorized under the SCIDA.
Training on the SCIDA
54. GAC used four distinct PowerPoint documents in 2021 to train employees on the SCIDA.
55. A course entitled Governance, Access, Espionage and Technical Security (GATE) was accessible to all employees going on postings as an introductory course focused on the awareness of information security at GAC. This presentation did not include practical examples or scenarios, but explained that any information sharing under the SCIDA must be done through GAC Headquarters.
56. Furthermore, a presentation provided by the Director General of the Intelligence Bureau to the majority of Heads of Mission going on postings, as an introductory course on intelligence support and security, did not provide illustrative examples or scenarios, but set out that information sharing under the SCIDA must be done through Headquarters.
57. Finally, the Department of Justice legal team provided two presentations: one to Global Security Reporting Program Officers going on postings as an introduction to information sharing policies and practices, including several slides on the SCIDA, and the other to groups of employees at Headquarters as an introduction to information sharing policies and practices. NSIRA noted that each presentation included only one or two examples illustrating the considerations in making a disclosure under the SCIDA.
58. Three of the four presentations also included a range of information about record-keeping requirements. However, the information in the presentations was largely limited to reiterating the requirements under the SCIDA, and no practical examples or scenarios were provided. Similarly, while these presentations reiterated requirements under the SCIDA to include accuracy and reliability statements, no practical examples were provided.
Finding no. 6: NSIRA finds that GAC training on the SCIDA lacks sufficient illustrative examples required to provide employees with adequate guidance to fulfill their obligations under the SCIDA.
Recommendation no. 4: NSIRA recommends that additional illustrative examples and scenarios be included in the SCIDA training, including for disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements.
4. Responsiveness and provision of information
59. All departments met the timelines for the provision of information to NSIRA.
60. Subsections 9(1) and 9(2) of the SCIDA contain record-keeping obligations for disclosing and recipient institutions. Subsection 9(3) of the SCIDA requires all departments to provide every record prepared under those subsections to NSIRA, for the purpose of NSIRA’s annual review of disclosures under SCIDA. Not only is thorough record-keeping a legal requirement for disclosing and recipient institutions, it is not possible for NSIRA to fulfill its mandated annual review without all records from all departments.
61. This review focussed on GAC proactive disclosures. NSIRA conducted a cross-comparison of the number of disclosures reported by GAC and those received by recipient institutions and notes that the numbers align. NSIRA did not independently verify the completeness of the records provided by GAC. Nonetheless, the assessment under the SCIDA requires GAC to demonstrate compliance. Additional requests for information over the course of the review led NSIRA to conclude that it received all information necessary to conduct the review. Finally, GAC had the opportunity to review a preliminary draft of this report and provide additional information. For these reasons, NSIRA is confident that it received all information necessary to conduct the review.
5. Conclusion
62. The SCIDA is a legislative tool meant to encourage and facilitate the responsible and effective disclosure of national security-related information between federal government institutions. Of the thirteen disclosures in the review sample, three did not meet one or both disclosure threshold requirements and two did not contain accuracy and reliability statements. Prior to consulting on potential disclosures, departments should consider what information is necessary to include in the consultation. Departments should also contemporaneously document on what basis they were satisfied that disclosures were authorized under the SCIDA. Furthermore, improvements to ongoing training are recommended, to provide more illustrative examples to guide employees in fulfilling their obligations under the SCIDA. NSIRA looks forward to revisiting the implementation of the SCIDA in future years and expects to find improved compliance, recordkeeping, and delivery of training programs.
Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021: Backgrounder
Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021
Backgrounder
Backgrounder
This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
Review of Canadian Security Intelligence Service’s threat reduction activities: Backgrounder
Review of Canadian Security Intelligence Service’s threat reduction activities
Backgrounder
Review Backgrounder
On February 15, 2021, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of CSIS threat reduction activities. This was NSIRA’s first review of CSIS’s threat reduction mandate. The report contains a detailed compliance review of a sample of TRMs from 2019.
NSIRA’s review found that all of the measures reviewed met the obligations under Ministerial Direction. For the most part, the measures taken by CSIS also satisfied the requirements of the CSIS Act. NSIRA also noted, however, that in a limited number of cases, CSIS selected individuals for inclusion in the TRM without a rational link between the selection of the individual and the threat. As a result, these measures were not “reasonable and proportional” as required under the CSIS Act.
For one type of TRM reviewed, NSIRA is of the view that more consideration needs to be given to the way in which CSIS engages third parties. This would require CSIS to consider fully the Canadian Charter of Rights and Freedoms(Charter) implications of its measures, and could require CSIS to obtain warrants before taking certain measures.
As 2020 marked five years since CSIS obtained threat reductions powers as part of the Anti-terrorism Act, 2015, NSIRA conducted high-level analysis of all TRM activities over the past five years to identify trends and to inform NSIRA’s choice of future review topics. Overall, NSIRA noted that while CSIS’s use of TRM powers has not been extensive, CSIS has been applying TRM powers to the full spectrum of national security threats mandated under the CSIS Act.
Publishing this summary aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work. Going forward, NSIRA will continue to examine CSIS’s threat reduction activities annually as required by section 8(2) of the NSIRA Act.
Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!
Review of the Canadian Security Intelligence Service-Royal Canadian Mounted Police relationship in a region of Canada through the lens of an ongoing investigation: Report
Review of the Canadian Security Intelligence Service-Royal Canadian Mounted Police relationship in a region of Canada through the lens of an ongoing investigation
Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!
Review of the Canadian Security Intelligence Service-Royal Canadian Mounted Police relationship in a region of Canada through the lens of an ongoing investigation: Backgrounder
Review of the Canadian Security Intelligence Service-Royal Canadian Mounted Police relationship in a region of Canada through the lens of an ongoing investigation
Backgrounder
Backgrounder
On February 10, 2021, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of the CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation.
NSIRA’s review found that in the specific region, the agencies have developed a strong relationship that has fostered effective tactical de-confliction of operational activities. Nonetheless, technological constraints are making CSIS-RCMP de-confliction excessively burdensome and time-consuming. Furthermore, NSIRA observed a general reluctance on the part of both agencies to connect CSIS information to an RCMP investigation.
NSIRA found that the current framework guiding the CSIS-RCMP relationship sets out principals and guidelines to manage the risks of interaction and information sharing between the two agencies; however, it left fundamental issues related to the “intelligence-to-evidence” problem unresolved.
On the whole, NSIRA found that CSIS and the RCMP have made little progress in addressing the threat under investigation. Moreover, CSIS and the RCMP do not have a shared vision or complementary strategy to address the threat.
Publishing this summary aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work. Going forward, NSIRA will review CSIS and the RCMP’s implementation of the Operational Improvement Review which set out ambitious recommendations to improve the way in which CSIS and the RCMP jointly manage threats.
Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!
Review of the Canadian Security Intelligence Service’s (CSIS) Internal Security Branch: Backgrounder
Review of the Canadian Security Intelligence Service’s (CSIS) Internal Security Branch
Backgrounder
Review Backgrounder
On August 14, 2019, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of the Canadian Security Intelligence Service’s (CSIS) Internal Security Branch. This review is a follow-up to the 2013 study conducted by NSIRA’s predecessor, the Security Intelligence Review Committee (SIRC) of CSIS’s Internal Security (IS) Branch. SIRC found a number of serious shortcomings related to CSIS’s handling of sensitive case files, access lists and their practices and management of internal investigations.
NSIRA’s latest review found that while significant improvements have been made with respect to internal security at CSIS since the 2013 review (The “Insider Threat” and Its Effect on Information Management — Section 54 Report (TOP SECRET) (PDF of Review) (SIRC 2013-06)), further improvements to internal security policies could strengthen the consistency of decision-making on personnel security files and investigations. It could also improve the procedural fairness of these processes writ large.
NSIRA’s review also examined the use of the polygraph, and sought justification for its use and the extent to which such determinations are reasonable and necessary. Several key observations were derived from this analysis. It also raised a much broader consideration: namely, the extent to which the government’s overarching policy document, the Standard on Security Screening, provides adequate guidance for departments and agencies when they implement this safeguarding measure.
Going forward, NSIRA will continue to examine the Government’s use of the polygraph as a security screening tool.
This review began under the authority of the Security Intelligence Review Committee (SIRC) articulated in subsection 38(1 ) of the Canadian Security Intelligence Service’s (CSIS Act), which provided SIRC the mandate to review CSIS’s operations in the performance of its duties and functions.
During the course of the review. Bill C-59 -An Act Respecting National Security Matters received Royal Assent on June 21, 2019. Part 1 of Bill C-59 enacted the National Security and Intelligence Review Agency Act (NSIRA Act), which came into force by order of the Governor in Council on July 12, 2019. The NSIRA Act repeals the provisions of the CSIS Act that established and governed SIRC and establishes in its place the National Security and Intelligence Review Agency (NSIRA). The NSIRA Act sets out the composition, mandate and powers of NSIRA and amends the CSIS Act, and other Acts, in order to transfer certain powers, duties and functions to NSIRA.
This review continued under the authority described in subsections 8(1 )(a) and 8(3) of the NSIRA Act to review any activity carried out by CSIS and to make any finding and recommendation that NSIRA considers appropriate.
2. Introduction
In its review function, NSIRA expects CSIS’s activities to be lawful and comply with ministerial direction. This review focused on CSIS’ s non-warranted collection of geolocation information and is part of NSIRA’s ongoing interest in CSIS’s collection and exploitation of both warranted and unwarranted data. Past reviews have assessed CSIS’s warranted collection and retention of metadata and CSIS’s unwarranted collection and exploitation of bulk personal datasets. This is NSIRA’s first dedicated look at CSIS’s collection of geolocation data.
The review takes place in the context of Federal Court decisions, most particularly the IMSI decision of September 27. 2017, that impact on CSIS’s collection, use and retention of data, including geolocation data. The IMSI decision found that, though CSIS’s authority under section 12 does authorize it to obtain geolocation information for which there is a low expectation of privacy, anything beyond that, such as geolocating an individual, would require a warrant.
It is worth noting that the scope of the review was broader at the outset and was intended to include a more comprehensive examination of the collection of different types of geolocation information, both warranted and unwarranted. Although the scope was reduced in the course of the review, NSIRA will be mindful of this for future reviews.
3. Objectives
The objective of this review is to assess whether CSIS’s collection of unwarranted geolocation information used by CSIS in support of its operations is compliant with applicable sources of law, including the Canadian Charter of Rights and Freedoms (Charter) and the CSIS Act, as well as ministerial direction and operational policy. A related objective is to determine whether CSIS has sufficient safeguards in the form of formal procedures and policies to ensure that it is able to comply with its legal obligations amid a period of rapid change in technology and a correspondingly fluid legal environment.
4. Scope and Methodology
The scope and direction of the review was identified through a preliminary investigation of available documentation and a briefing with the ████████████████████████████████████████████████████████ Further, NSIRA requested that CSIS identify all activities undertaken by the █████ that may result in geographic information collected against non-warranted targets within the review period. This information was used as a foundation to request specific documents from CSIS.
NSIRA examined all documents provided by CSIS and sought, retrieved and reviewed documents through CSIS’s various computer and email systems to ensure a clear record of activity. Documents reviewed included: ██████████████ taskings from the regions, responses to these taskings, briefing notes, planning documents, legal assessments and internal correspondence.
To conduct a compliance assessment of CSIS’ s use of geolocation information, NSIRA chose to conduct an in-depth case study of ██████████████████████████████████████████ geolocation information. NSIRA reviewed all instances when ██████████ was used by CSIS during the period under review. As this review consists of a single case study. NSIRA is mindful of generalizing the findings and conclusions to other types of geolocation data.
The core review period for this study was from January 1, 2017 to June 30, 2018, although NSIRA examined documentation that fell outside this period in order to provide a complete assessment of relevant issues.
5. Criteria
Legal and Ministerial Requirements
NSIRA expects CSIS to conduct its activities in accordance with relevant sources of law. including the CSIS Act. the Charter. the Privacy Act. and case law. NSIRA also expects CSIS to conduct its activities in accordance with ministerial direction. Most relevant in this review given the subject matter was an analysis of the Charter, which, in section 8, provides everyone with the right to be secure against unreasonable search and seizure. In this case, at issue was whether the use of ███████ to collect information about an individual’s location information constitutes a search for the purposes of section 8 such that a warrant would be required.
Policies and Procedures
NSIRA’s expectation was that there would be policies and procedures in place to guide the collection, use and retention of data from ███████ despite its uniqueness, and that those policies and procedures would support compliance with CSIS’s legal obligations, including the Charter, as well as its obligations stemming from ministerial direction.
For reference, the relevant policies that pertain to the collection of information ███████
███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ In principle, this allows collection of this nature on a very broad cross-section of individuals;
The collection of █████████ policies, including the DDO Memorandum of 2015 that request the establishment of █████████ as the National Policy Centre for █████████. Additionally there is the procedure on █████████ that allows █████ to conduct █████████ defined as a non-warranted collection tool or technique, against a ██████████████████████████████████████████████████████████████.
6. Background
The Investigative Technique – █████████
████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ from users across the world.
█████████ contains three months of data. The information is not available in real-time; however, there is a delay of only 24-48 hours between the collection of the ████ and it becoming available in ████████.
█████ echoed those same governance-related issues; specifically, it questioned whether there were legal issues associated with █████ that needed to be addressed prior to the trial period. █████ asked for “the rules of engagement so that we can plan accordingly and get the most of this evaluation.”█████ further noted that, although the data seemed “wonderful….there must be some legal/governance rules that apply to this when in the hands of a government agency. These questions were raised in an email to both █████ and the ██████████
███████████████████████████████████████████████████████████████████████████████████████████████████████████████████ Nevertheless, by September 2017 █████ was anticipating an evaluation of █████ that would involve using █████ for a trial period of two months with a limited ██████████.
█████convened a meeting in October with █████████████████████████████████████████████████████████████████████████████████████████████████████████ The objective of the meeting was to prepare for a █████ evaluation and, for that purpose, “to make decisions on a few details to ensure compliance with legal and policy.
The questions to be covered in the agenda were:
1 ) Does existing █████ policy cover the use of █████ or does the policy need to be adapted?
2) Is the information contained in ███████ subject to a reasonable expectation of privacy?
3) Is there anything else that needs to be considered before CSIS can use █████? For example, additional █████ procedures or tests?
According to a written summary of discussions circulated by █████ following the meeting, it was agreed that ███████ would be compliant with collection under the ████████████ which allows ████ to “research and use open information” in support of investigations, it was further decided that the use of ██████ would align with ████ policies as it would constitute threat related queries ██████████████ and would be used only with the ██████████ authorities in place. Finally, it was assessed that the ██████ data invested would meet the “strictly necessary” threshold for collection and retention as set out in the CSIS Act as it would be based on a specific threat.
Following the meeting, approval was granted for the trial use of ██████ by Deputy Chief █████████. Documentation of the approval consists of an email from the Deputy Chief to ███ and ███ with the understanding that, ██████████████████████████████████████████████████████████████████.
b. CSIS’s trial period – March 2018 – July 2018
CSIS began its pilot of ████ on January 14. 2018. It was initially to be for two months; but because of technical issues at the beginning that delayed its full use, and due to ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
During that time, ████████ was tasked a total of approximately ████ times, resulting in ████ operational messages. As noted, efforts were made by ███ to ensure that its use of ████████ was compliant with CSIS’s ████ policies on collection ████████████████████ as well as the CSIS Act provision that collection and retention be done only to the extent that is “strictly necessary.”
████ completed its evaluation of ████ by the end of April 2018. ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████.
The first version of a briefing note to gain approval for the ████████████ was drafted jointly by ████ and ███ in April 2018. The briefing note stated that the pilot for ████ was “conducted operational policies.” The briefing note also ████████████████████ one was a restricted amount of information that would meet the strictly necessary threshold; and the other was a situation in which ████████████████████ in which case it would be ████████████████████████████.
A subsequent version of the briefing note was prepared, also jointly by ████████████. This one was dated May 15, 2018 and was sent to the Director General of ████. In contrast to the first version of the briefing note, this one was the dual purpose of obtaining a legal opinion and ████████████████. This version was ultimately sent to the DG ████████ and also included that ████████ had been assessed as compliant with ████ authorities, following discussion with CSIS’s External Review and Compliance (ERC). ████ as well as informally with a representatives of the DLS. The briefing note stated that ████████████████████████ fall within existing authorities and directives” and, further that “although ████ has assessed that ████████████████ a formal legal opinion has not yet been conducted and suggest this briefing note be used as a mechanism to obtain one.”
NSIRA inquired as to the substance of the ERC and DLS discussion, as well as documentation of those meetings. NSIRA was advised that the ERC compliance officer embedded within ████ was aware of ████ which was presented at a town hall, but that it was not discussed with her beyond that. NSIRA asked for documentation to substantiate the DLS discussions but non was provided.
c. Legal advice: July 2018 – February 2019
Following the May briefing note, on July 20th, the DG ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
By July 31, preliminary legal advice was received:
A formal legal opinion was provided on December 7, 2018, that called into question CSIS’s use of ████████ without a warrant except in very narrow circumstances, ████████████████████████████████████████████████████████████████████.
A further legal opinion was requested by CSIS to determine whether ████████████████████████████████████████. The resulting legal opinion, dated February 19 2019, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████. Accordingly, section 8 of the CHarter would not be engaed in this narrow circumstance.
based in part on the February 2019 legal opinion, CSIS subsequently took the decision to ████████████████████████████████████████████████████████████████████████████████████████████████████████. It is NSIRA’s understanding that, presently, ████████████ being used only in very specific circumstances and according to the guidelines set out in the legal opinions.
7. Findings
Finding no. 1 Compliance with the CSIS Act and the Charter NSIRA finds that there was a risk that CSIS breached section 8 of the Charter during the trial period in which it used █████ without a warrant.
DLS was asked to provide a legal opinion to CSIS on this investigative technique; in particular, to address the question of the “legal risk of using ██████████ (i) with respect to Canadians or persons in Canada; and (ii) human sources and employees, with their informed consent”. CSIS was advised in a Legal Memorandum dated December 7,2018 that:
NSIRA’s own review of the file, which is meant to provide the Committee with independent legal advice, supports DLS’s opinion in that regard. In particular, NSIRA believes that the use of ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████. NSIRA observes that it is very unlikely that a court would find that section 12 of CSIS Act was sufficient legal authority to render warrantless use of ██████ reasonable” for the purposes of section 8 of the Charter. Accordingly, CSIS would be required to obtain a warrant pursuant to section 21 of the CSIS Act for such searches. Of note, NSIRA’s legal analysis was based on the same set of facts as DLS used for its opinion.
In reaching this conclusion. NSIRA interprets section 12 of the CSIS Act as only providing authority for collection activities of minimal intrusiveness. In that regard, NSIRA concurs with the DLS opinion that, ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
At the time of writing, CSIS is pursuing options for how █████████ may be used under the authority of a warrant in the future.
NSIRA recommends that CSIS review its use of █████████ to date and make a determination as to which of the operational reports generated through the use of ███████ were in breach of section 8 of the Charter. These operational reports and/or any documents related to those results should be purged from its systems.
Findings no. 2 Governance related to piloting █████████
NSIRA finds that there was no policy centre clearly responsible for the use of the data contained in ████████.
NSIRA asked about the policies and procedures that guided the decision to authorize the trial period, as well as which unit within the ██████████████████ branch would have been responsible for assessing and authorizing the use of ███████ As described above, the record suggests there were three discrete units involved in the ████████████████████████ for the trial period.
█████████████ was involved in the ██████████████████ As the policy centre with respect to the ███████████████████████████████ the role and mandate of ████ is to coordinate, manage and █████████████████████████████████. In this capacity, ████ would have been responsible for assessing ████████ for privacy impacts, among other things, had ████████ been assessed as a ████████. However, ████████ was not ████████████████ but rather, as ████████████████████████████████████████████████████████████████. Therefore, █████ did not officially assess ███████████████████████████████████████. That said, the briefing note of May 15 2018, clearly indicates that ██████ assessed that the use of ████████████ fall within existing authorities and directives.” Given the lack of a formal record, NSIRA was unable to assess the content of, or the rationale for, this assessment.
██████ is the unit responsible for providing operational support for ████████████████████████ intelligence through the use of covert ████████████████████████████████████████████████████████████████████████████████████ and it was to ████ that the first demonstration of ██████ was given, ███ authorities were eventually identified as those under which ██████ would operate. However ██████ was not the primary user of ██████. Neither did it participate in the formal evaluation of the data contained in ████████████.
Responsibility for developing a means of formally evaluating ██████ fell to the ██████ given its expertise in geolocation information. However, ████ does not generally collect data, but is merely the user of data provided to it. As such, █████ thorough preliminary evaluation to determine whether there were legal or other issues that needed to be addressed, even at the pilot stage. Nevertheless, ████ prepared, on its own initiative, a formal document to guide its evaluation of ██████ during the trial period. NSIRA also notes that ████ followed existing policy in using ███████ only in instances when a valid targeting authority was in place.
NSIRA was not provided any formal documentation on the decision to authorize the pilot period. The record of decision to pilot ██████ consisted of an email, which contained the following:
I don’t see any reason not to start an evaluation – ████████████████████████████████████████████████ In addition, ████████████████████████ are not provided until after we can determine that they are “strictly necessary” and of relevance to the investigation -just until we find something of relevance.
Ultimately, NSIRA was unable to identify which of the three policy areas within ██████ should have had, according to existing policies and procedures, responsibility for the assessment of ████████████████████████████████████████████████████████████████████████████████████.
Finding no. 3 Record of decision
NSIRA finds that the record of approval to pilot ██████ consisted of an email and that this email was not “put-away” as part of the official record, as it should have been.
As noted, the closest thing to a record of decision to pilot ██████ was an email from a Deputy Chief of ██████ the full text of which is cited above.
NSIRA notes that this email was not “put-away” as is should have been given that it represents, de facto, the approval for acquiring ██████ for the purposes of evaluation and is required for robust records management and for accountability purposes. Instead, it was saved on a “personal” drive and only produced as part of the review process.
Findings no. 4-5 Assessment of risk in the case of ██████
NSIRA finds that there are no developed policies or procedures around the assessment and handling of new and emerging collection technologies, such that a formal evaluation of the legal risks of using ██████ would have been required.
NSIRA finds that CSIS overlooked multiple indicators that using ██████ might raise legal issues.
Ministerial Direction requires that the risk of operational activities be assessed across four pillars (operational, political, foreign policy and legal ). In particular, the Direction states that CSIS should “consider its ow n level of experience and novelty of the operational activity in assessing risk”.
NSIRA was told that there is no formal process for the evaluation of risk in cases like ████████████ given that it was assessed as ████████████████████████. This is consistent with NSIRA’s reading of the relevant policies, cited earlier, pertaining to ██████████████████████████████████████████ of which require an assessment of legal risk prior to the use of ████████████ for collection purposes.
It was suggested to NSIRA that it would not have been possible to conduct a thorough assessment of ████████ before the pilot based on the reasoning that a risk assessment is only possible with full ████████. NSIRA accepts in principle that there are situations when it would be difficult to appreciate the legal risks until such time ████████████████ and fully evaluated. Notwithstanding the difficulties, it is the responsibility of CSIS to mitigate these risks to the extent possible.
In this case, moreover. NSIRA notes that there were indications of a need for caution with respect to the ████████ in the period before the trial was even begun, including the IMSI decision of the Federal Court, which found that geolocating an individual would require a warrant.
Internally, there were multiple indications to the effect that there may be reason for particular attention, including:
two emails sent prior to the pilot, one by █████ on June 28. 2017. and the other by █████ September 27. 2017, both containing legal and governance questions;
the meeting convened by █████ for the purpose of discussing whether there existed a reasonable expectation of privacy in the █████ data;
the examples provided by ███████████████████████████████████████████████████████████████████████████████████████████████ and the evaluation of █████ in April 2018. which indicated that there were privacy concerns with this tool given its ability to generate ███████████████ and to ██████████████████████████████████████████████████████████████████████
There were other indications of a need for caution, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
Despite these signs, no formal action was taken to assess the question of legal risk until the briefing note in May 2018 requested a formal legal opinion.
NSIRA recommends that policy be developed or amended as appropriate that would require a documented risk assessment, including legal risks, in situations like ██████████ when information collected through new and emerging technologies may contain information in respect of which there may be a reasonable expectation of privacy. If not █████ NSIRA further recommends that a policy centre for this type of █████ collection be clearlv identified.
Conclusion
At the outset █████ was characterized as making use of ██████████. This is made clear from the approval email, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ would consider, it is not clear that the data exploited through ██████████ represents genuinely ██████████ at least as defined in plain language, as was asserted.
Assessing █████ in this way was not without its consequences in that it appears to have justified the lack of a more thorough legal assessment. This assumption proved to be problematic; the consequence was that CSIS placed itself at risk of having violated the Charter. Throughout this review. NSIRA has been mindful of the length of time it took for CSIS to obtain the final legal opinion, which was requested in July but finalized only in December, a full five months later.
NSIRA is aware that there have been discussions within ██████████ on the need to have ongoing legal support. In particular █████ has requested the establishment of a policy and legal operating envelope to ensure that policy and legal questions related to data exploitation are properly covered, including a resource from DLS who would provide ongoing, even weekly, legal assistance. NSIRA understands that this request was made in part due to the difficulties associated with obtaining legal advice on an as needed basis. NSIRA has been advised that █████ request to have weekly legal support has not yet been actioned.
The combination of an expanding scope in the type, volume and sources of data collected by CSIS and a fluid legal situation makes this an area of persistent high legal risk. CSIS has publicly affirmed that the concept of a reasonable expectation of privacy is evolving over time and committed to ensuring that CSIS’s approach to a reasonable expectation of privacy “is kept consistent”.
NSIRA is of the view that, in this environment, legal support to █████ is essential to operate at an acceptable level of risk. NSIRA expects CSIS and the Department of Justice ( DOJ) to demonstrate institutional leadership that would allow responsible decision-making in an environment of uncertainty by making available legal support to █████ as required on a priority basis.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
