Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities 2017 MD: Backgrounder
Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities 2017 MD
Backgrounder
Review Backgrounder
In 2019-2020, NSIRA conducted its first interdepartmental review on the implementation of the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities (2017 MD). The review set out to build NSIRA’s knowledge of the information sharing process adopted by the six departments that received the 2017 MD.
NSIRA conducted a case study for each department that had operationalized the 2017 MD. NSIRA noted significant differences in the six departments’ implementation and operationalization of information sharing processes. NSIRA found that CSE, CSIS and the RCMP had implemented the 2017 MD; DND/CAF was implementing the final elements of the 2017 MD; GAC had not yet fully implemented the 2017 MD; and, the CBSA had not yet operationalized the 2017 MD.
NSIRA examined and found differences in how high-risk decision-making is removed from operational personnel who may have a vested interest in the sharing. CSE and the RCMP had the most independent processes; GAC removed high-risk decision-making from front line personnel, while CSIS and DND/CAF decision makers had a direct operational interest in sharing information. NSIRA recommended that Departments ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
NSIRA also found a lack of standardization in information sharing risk assessments for both foreign countries and foreign entities. This issue has been noted in other NSIRA information sharing reviews.
In 2019, parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act, which in conjunction with the subsequent issued Orders in Council (OIC’s) codified many of the provisions of the 2017 MD and left the essential prohibitions and limits unchanged. Noteworthy, the six departments examined in this review are also the same departments for which there is an obligation to issue OICs pursuant to the Act. This review set out the foundation that has assisted and facilitated NSIRA’s subsequent mandated information sharing reviews.
Publishing this review aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work.
In 2011 and again in 2017, ministers issued direction (hereafter Ministerial Direction or MD) to a number of departments setting out how to manage the risks of mistreatment posed by the sharing of information with foreign entities. Most recently, Parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA). In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.
This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a foundation that will expedite and facilitate NSIRA’s future information sharing reviews.
The review focused on the six departments that had received the 2017 MD: the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CSBA), Global Affairs Canada (GAC), and the Department of National Defence and the Canadian Armed Forces (DND/CAF).
Observations and Recommendations
Degrees of implementation vary across departments
NSIRA noted significant differences between the six departments with regard to the level of implementation of information sharing processes. In summary:
CSE, CSIS and the RCMP have implemented the 2017 MD.
DND/CAF is in the process of implementing final elements of the 2017 MD.
GAC has not yet fully implemented the 2017 MD.
In practice, CBSA has not yet operationalized the 2017 MD.
The concept of “substantial risk” of mistreatment is not defined
Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a “substantial risk” of mistreatment. Neither the ACMFEA nor its direction include a definition of substantial risk, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in future.
Recommendation: The definition of “substantial risk” should be codified in law or public direction.
Departments vary with respect to the independence of their decision-making
CSE and the RCMP have the most independent processes.
The information sharing processes implemented by GAC to date remove high- risk decision-making from “front line” personnel.
At CSIS and DND/CAF, decision-makers typically have a direct operational interest in the sharing of information.
CBSA has not yet operationalized its information sharing processes.
Recommendation: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
Lack of standardized information sharing risk assessments
Under the 2017 MD, GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. It may also yield inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing.
Recommendation: Departments should develop: (a) a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and (b) to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
Benefits of internal information sharing process reviews
Finally, NSIRA noted that periodic internal reviews of information sharing policies and processes supported their successful functioning in the long term.
Recommendation: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.
2. Authorities
This review was conducted under the authority of the National Security and Intelligence Review Agency Act (NSIRA Act), specifically paragraphs 8(1)(a) and 8(1)(b) as well as sections 9 and 11.
3. Introduction
Many departments and agencies in the Government of Canada routinely share information with foreign entities. Given that information sharing with entities in certain countries can result in a risk of mistreatment for individuals, it is incumbent upon the Government of Canada to evaluate and mitigate the risks that such sharing creates. This is particularly the case for information sharing related to national security and intelligence, where the information often relates to alleged participation in terrorism or other criminal activity.
Canada has made a number of binding commitments under the International Covenant on Civil and Political Rights (ICCPR), the Convention Against Torture and Other Cruel, Inhumane, or Degrading treatment or Punishment (CAT), and other international agreements. The prohibitions on mistreatment – including complicity in mistreatment – set out in these agreements are also considered to be customary international law. Some of Canada’s obligations have been incorporated into domestic law under section 269.1 of the Criminal Code.
In 2011 and again in 2017, ministers issued direction to a number of departments setting out how to manage the risks in information sharing with foreign entities. Most recently, Parliament passed Bill C-59, which included the ACMFEA. In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.
Subsection 8(2.2) of the NSIRA Act requires NSIRA to review annually every department’s implementation of the directions of the GiC issued under the ACMFEA. In 2020, the NSIRA will undertake its first such review. The purpose of the present review, however, was to build NSIRA’s knowledge and understanding of departments’ implementation of the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a valuable foundation that will expedite and facilitate NSIRA’s future information sharing reviews.
The review focused on the six departments that received the 2017 MD: CSIS, CSE, the RCMP, CBSA, GAC, and DND/CAF. NSIRA examined departments’ policies and processes as well as documents related to foreign arrangements. Where possible, NSIRA examined a single case study for each department in order to illustrate how information sharing works in practice. Given the high-level approach taken in this review, NSIRA opted to make a series of broad observations about the strengths and weaknesses of departments’ framework for information sharing with foreign entities, in the place of formal findings. Where NSIRA made recommendations, they were interdepartmental in scope.
This review focused on departmental policies and procedures for the disclosure and requesting of information involving a risk of mistreatment. It did not examine the use of information that may have been derived from mistreatment; NSIRA may review this topic in future.
4. Background
In 2011, the Government of Canada approved a general framework for “Addressing Risks of Mistreatment in Sharing Information with Foreign Entities”. The framework was the first multi-departmental set of instructions issued regarding information sharing and mistreatment. Its main aim was to establish a coherent and consistent approach across government when sharing information with foreign entities.
Later in 2011, a number of departments whose mandate related to national security and/or intelligence received Ministerial Direction on Information Sharing with Foreign Entities (the 2011 MD). Specifically, the 2011 MD was issued to CSIS, CSE, CBSA, and the RCMP. The 2011 MD, which was eventually released under the Access to Information Act, was subject to extensive criticism from non-governmental organizations, civil liberties groups, and others including the Canadian Bar Association. The main critique was that the 2011 MD did not clearly prohibit the disclosure or requesting of information entailing a “substantial risk” of mistreatment, but rather permitted departments to weigh the value of the information against the risk of mistreatment.
In 2017, the 2011 MD was replaced by a new Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities (the 2017 MD). The 2017 MD was received by CSIS, CSE, CBSA, and the RCMP – the departments that had received the 2011 MD – as well as by DND/CAF and GAC. The 2017 MD included numerous changes, but the most significant were clear prohibitions on the disclosure and requesting of information that would result in a substantial risk of mistreatment, as well as new limits on the use of information likely derived from mistreatment by a foreign entity. In addition, the new MD required departments to maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities.
The 2017 MD further directed departments to cooperate in making assessments regarding foreign countries and entities. In response, Public Safety Canada (PS) established the Information Sharing Coordination Group (ISCG) comprised of PS and the six departments that had received the 2017 MD. The objective was to encourage interdepartmental discussions in support of a coordinated approach to the implementation of the MD.
On July 13, 2019, the ACMFEA came into force. The ACMFEA requires the GiC to issue direction to the six departments that had received the 2017 MD, and gives the GiC discretion to issue direction to other departments as well. On September 4, 2019, the GiC issued direction under the ACMFEA to twelve departments. In addition to the six mandatory departments, direction was issued to PS; the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC); Transport Canada; Immigration, Refugees and Citizenship Canada (IRCC); the Canada Revenue Agency (CRA); and Fisheries and Oceans Canada (DFO). These six new departments have now also joined the PS-led ISCG.
In practice, the information sharing regime set out by the ACMFEA and the subsequent GiC direction closely resembles the 2017 MD. The fundamental limits on Canadian departments’ scope to share information remain unchanged. Notably, however, the new regime omits certain aspects of the 2017 MD. The ACMFEA and its associated direction lack the 2017 MD’s requirement that departments maintain policies and procedures for assessing the risks associated with foreign information sharing arrangements, in collaboration with other departments. More importantly, the new system omits a definition of the threshold of “substantial risk”. The ramifications of this are discussed below.
5. Observations and Recommendations
Reporting
One of the new obligations placed on departments in the 2017 MD was a requirement that they provide an annual report to their minister that included:
All of the departments that were issued the 2017 MD fulfilled their obligation to report to their respective ministers by producing a report in late 2018 or early 2019 discussing the first year of activity under the MD. At the time of writing, however, not all of the departments have issued a public report. As this was a foundational review, NSIRA did not critically evaluate the reports.
Department
Report to Minister
Public report
Cases approved
Cases denied
CBSA
Provided
Published
0
0
CSIS12
Provided
Published
1
1
RCMP13
Provided
Published
25
4
CSE14
Provided
Published
1
0
DND/CAF
Provided
Not Published
0
0
GAC
Provided
Not Published
0
0
Implementation of the 2017 Ministerial Direction
When the 2017 MD was issued, departments that had already built information sharing policies and procedures under the 2011 MD found themselves at a significant advantage. CSIS, CSE, and the RCMP in particular were able to quickly adapt their existing systems to the 2017 MD. Accordingly, for departments that had not received the 2011 MD – or had not implemented it – the arrival of the 2017 MD proved more challenging.
CSE: NSIRA observes that CSE has fully implemented all of the elements of the 2017 MD. The MD’s requirements have been integrated directly into CSE’s operational policies and processes. A detailed overview of CSE’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex D.
RCMP: In response to the 2017 MD, the RCMP overhauled their information sharing framework and stood up a new Law Enforcement Assessment Group (LEAG) that, amongst other things, assesses country human rights records and maintains a system for streaming information sharing requests according to risk. The RCMP is currently working to integrate these processes into their comprehensive operational manual. A detailed overview of the RCMP’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex E.
CSIS: Following the issuance of the 2017 MD, CSIS quickly updated their policies and procedures. In 2018, CSIS also created a new system to implement the MD’s requirement to restrict information sharing with foreign entities that engage in mistreatment, with three levels of restriction depending on the seriousness of the problem. CSIS has informed NSIRA that it is overhauling its current policies and procedures. A detailed overview of CSIS’s current information sharing framework and the results of the case study examined by NSIRA can be found at Annex F.
DND/CAF: Although DND/CAF did not receive the 2011 MD, DND/CAF has had internal directives in place governing information sharing with foreign entities since 2010. The DND/CAF policy and process suite for information sharing was updated following the issuance of the 2017 MD to bring it into compliance with the new requirements. While DND/CAF vets partner forces, it does not yet have a fully developed system for assessing and managing the risks of sharing information with foreign entities. DND/CAF is, however, currently developing more extensive country risk profiles and a standardized assessment process that will be used to assess the risks of information sharing prior to establishing information sharing arrangements. A detailed overview of DND/CAF’s information sharing framework can be found at Annex G.
GAC: Following receipt of the 2017 MD, GAC established a new Ministerial Direction Compliance Committee (MDCC) in December 2018. The MDCC’s objective is to review requests for information sharing that may engage the MD. This is the extent of GAC’s policies and processes pursuant to the MD, however. GAC lacks any policies or procedures setting out how employees are to assess instances of possible information sharing to ensure that all appropriate cases reach the MDCC. It is insufficient to merely inform employees that they are responsible for assessing a complex legal threshold – the concept of a “substantial risk” of mistreatment at the core of the 2011 and 2017 MD as well as the ACMFEA – without guidance as to how they should proceed. As such, NSIRA observes that GAC has not yet fully implemented the 2017 MD.
GAC (cont.): Of note, GAC produces human rights reports on countries that are widely used within government to assist in assessing the risks of sharing with foreign entities. Following the 2017 MD, GAC added a subsection specific to mistreatment to these reports. A detailed overview of GAC’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex H.
CBSA: In October 2018, CBSA issued a revised high-level policy document in response to the 2017 MD. The document did not include concrete processes for identifying and handling instances of information sharing involving a risk of mistreatment, however. CBSA employees thus lack effective guidance with which to discharge their responsibilities under the MD. CBSA also has no process for assessing the risks associated with specific foreign countries and entities, as required by the MD. CBSA has since drafted processes and additional policies, but they have not yet been finalized or invoked. Given these significant gaps, NSIRA observes that CBSA has not yet operationalized the 2017 MD. CBSA has informed NSIRA, however, that it intends to introduce significant improvements over the coming year. A detailed overview of CBSA’s information sharing framework can be found at Annex I.
Additional observations are included in the department-specific annexes referenced above. It should also be noted that NSIRA examined departmental policies and processes at a high level, and as such future reviews may make additional findings and recommendations regarding policies and processes. Moreover, a number of departments are in the process of revamping their information sharing practices, including in particular CSIS and DND/CAF.
In its survey of departments, NSIRA noted varying levels of rigour and consistency with regard to record keeping. Accurate and detailed records of deliberations and reasoning in support of decision-making related to information sharing with foreign entities are necessary to support accountability, particularly in light of the Supreme Court’s recent decision in Vavilov. NSIRA may return to this subject in future years.
In June 2019, the RCMP conducted an internal review of the framework and policies in place for its information sharing policies and procedures. The review identified certain shortcomings with regard to policies, processes, training, and resourcing. Based on the draft provided, NSIRA observes that the review was candid and thorough. The review is currently being used to guide improvements. Periodic internal reviews – such as the one conducted by the RCMP – should be considered a best practice.
Recommendation no. 1: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.
Independent Decision-Making
The concept of risk mitigation is key to the information sharing frameworks of departments. When information sharing would result in a substantial risk that an individual would be mistreated, the information can only be shared if the department takes measures to mitigate the risk of mistreatment such that the residual risk is no longer substantial. Much therefore depends on who, within departments, is authorized to make decisions regarding whether:
an instance of proposed information sharing would result in a substantial risk of mistreatment; and
the proposed mitigation measures are sufficient.
In looking at the various decision-making processes adopted by departments, NSIRA noted varying levels of independence from operational personnel. Of particular interest were processes where the individual making decisions has a direct operational interest in the sharing of the information, creating the potential for conflict between operational imperatives and departmental obligations to respect the MD.
At CSE, the complete Mistreatment Risk Assessment process is conducted by non-operational units. The centralization of information sharing decision-making in a single branch minimizes direct operational pressure while facilitating informed and objective decisions.
The RCMP process uses other mechanisms to ensure independent decision- making. Individual investigators, when they wish to share information, must consult a list of countries and types of information sharing that the RCMP has pre-determined as representing sufficient risk of mistreatment. If the proposed sharing matches the list, then the case is automatically referred to the Foreign Information Risk Advisory Committee (FIRAC). FIRAC comprises a range of senior officials from RCMP headquarters who are a step removed from the operational front-line. The RCMP’s system of referral to FIRAC based on clear criteria removes discretion from officers with a vested interest in the sharing of the information. These officers may not have a full understanding of the geopolitical context of the proposed information sharing and thus are not best-placed to assess whether a substantial risk of mistreatment would result.
GAC requests that Directors General and Heads of Mission refer all cases where proposed information sharing “presents the potential for substantial risk of mistreatment” to the MDCC. The decision as to whether the substantial risk can be mitigated is made centrally by the MDCC, which comprises senior officials from across the department as well as a legal representative. As noted above, however, GAC currently does not provide officials with guidance on how to determine whether the threshold for referral to the MDCC has been met.
Compared to CSE, GAC, and the RCMP, decision-making at CSIS and DND/CAF is much closer to operations. CSIS provides high-level guidance to desks on how to identify information sharing that may result in a substantial risk of mistreatment, but leaves final decision-making regarding whether the situation does in fact create a substantial risk, and whether the risk can be mitigated, to the Deputy Director General or the Director General of each branch. Only if CSIS has heavily restricted information sharing with the foreign entity in question – or else the branch is unsure whether the substantial risk can be mitigated – then the branch must refer the case to the Information Sharing Evaluation Committee (ISEC) for determination. As a result, most of CSIS’s information sharing decisions – even those involving a substantial risk of mistreatment – are made by officials with a direct operational stake in the outcome of the proposed information sharing.
Within DND/CAF, decisions regarding the sharing of information rest with officers within the military chain of command. NSIRA was informed that while routine information sharing is approved by designated lower-level officers in theatre, cases involving unusual circumstances, or where there is uncertainty as to whether a substantial risk of mistreatment exists or can be mitigated, are elevated to senior levels. Once passed up the chain of command, senior officers receive advice from a range of officials at headquarters.
CBSA, at the present time, does not have processes to assess substantial risk or to make decisions regarding whether such risks can be mitigated. In practice, therefore, the onus currently rests on CBSA officers, acting without guidance, to identify cases that invoke the 2017 MD and to manage the associated risks. CBSA has drafted a procedure for cases where there is uncertainty as to whether a substantial risk of mistreatment can be mitigated, but it has not yet been implemented.
Recommendation no. 2: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
Country Assessments
As noted above, a significant addition to the 2017 MD was the requirement that departments maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities. Notably, the MD required departments to assess the human rights records of foreign countries generally and not just of specific foreign entities (i.e., police or intelligence services) within those countries. While the MD did not prohibit information sharing with foreign entities in countries with troubling human rights records, it implied that Canada’s relationships with such foreign entities could not be considered in isolation from the broader human rights environment in which these entities functioned.
In several instances, NSIRA noticed departments citing an absence of direct Government of Canada intelligence of mistreatment by a specific foreign entity in support of a proposed sharing of information, or else in support of a less restrictive information sharing policy towards the entity in question – despite ample reporting of systemic human rights abuses in the public domain. NSIRA observes that a lack of internal Government of Canada reporting of mistreatment by a specific foreign entity is not evidence that the entity does not engage in mistreatment. Departments must consider the full range of sources in assessing risk, including open sources such as the media and non-governmental organizations.
GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. and It may also yield significant inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing. With the issuance of direction under the ACMFEA to twelve departments, this issue will likely grow. See Annex F for additional discussion of this point.
The ISCG seeks to guide departments in developing their human rights assessment processes by providing a forum to discuss best practices. PS informed NSIRA that the ISCG had not discussed plans to standardize these assessments.
Recommendation no. 3: Departments should develop:
a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and
to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
The recommendation above does not preclude department-specific approaches to mitigating the risks of mistreatment. For instance, a department may be able to draw upon aspects of its relationship with a foreign entity to reduce the risk of mistreatment not available to other departments. These differences should not affect the initial determination of the underlying risk of mistreatment posed by information sharing with a foreign entity, however.
In India v. Badesha (2017), the Supreme Court of Canada recently provided guidance on contextual factors to be considered when assessing the reliability of assurances sought from foreign entities regarding mistreatment. Though not exhaustive, the decision provides departments with some guidance regarding the adequacy of assurances received.
Duty of Care
In reviewing GAC, NSIRA noted a tension between adherence to the 2017 MD and GAC’s duty of care with regard to the safety and security of mission staff abroad. Indeed, both cases of information sharing referred to the MDCC in 2019 involved threats to mission In one of the cases, information was shared with a foreign entity before the MDCC had had the chance to assess the risk of mistreatment. In this instance, the GAC official cited the need to protect the safety of mission staff (see Annex H).
NSIRA acknowledges the importance of mission security and the seriousness of the conundrums that can arise when the needs of mission security and GAC’s obligations with respect to information sharing collide. Yet the charged atmosphere of a mission under threat may not be the best venue for quick decision-making involving risks of mistreatment.
Substantial Risk
Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a substantial risk of mistreatment. Neither the ACMFEA nor its direction include a definition of “substantial risk”, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in the future.
In consultation with other departments, PS is developing a policy document that includes the same definition of substantial risk that was found in the 2011 and 2017 MD. The document also contains guidance on other requirements contained in the 2017 MD but that were omitted from the ACMFEA and its direction. When asked by NSIRA, the six departments that had been subject to the 2017 MD all stated that they intended to continue abiding by the established definition of substantial risk. This is reassuring, and should limit the potential for inconsistency between departments. Nonetheless, such a crucial definition should not be left up to individual departments to determine.
Recommendation no. 4: The definition of “substantial risk” should be codified in law or public direction.
The definition of substantial risk in the 2017 MD requires that mistreatment be “foreseeable”. As described in Annex G, DND/CAF’s assessment of foreseeability encompasses a number of factors, but a key component is that the risk of mistreatment be a “causal consequence” of DND/CAF information sharing. NSIRA observes that DND/CAF’s interpretation of foreseeability runs the risk of narrowing the definition of substantial risk and therefore the application of the 2017 MD. Given the importance of a clear and consistent understanding of “substantial risk” across departments, in future years NSIRA may review the application of the “substantial risk” threshold by DND/CAF – and other departments – to information sharing with foreign entities.
A substantial risk of mistreatment is defined as existing in cases where mistreatment is more likely than not. The definition includes a qualifier, however, that the threshold may be met at lower level of probability “where the risk is of severe harm”. This reflects a larger point that the assessment of substantial risk is not intended to be a narrowly mechanistic process of balancing probabilities. The 2017 MD notes that the Government of Canada “has no interest in actions associated with the use of torture or other cruel, inhumane or degrading treatment or punishment. Knowingly associating the Government of Canada with any of these actions would damage the credibility and effectiveness of any department or agency associated with them”. When interpreting the threshold of substantial risk, departments should always bear in mind the larger purpose of Canada’s framework for sharing information with foreign entities.
In order to give life to this framework, it is incumbent on departments, first, to ensure that their employees are trained to the point where they fully understand their legal obligations, and second, to establish clear and well-developed processes that foster and facilitate compliance in the broadest sense.
6. Conclusion
This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. NSIRA noted significant differences between the six departments reviewed with respect to the level of implementation of information sharing processes. Processes also varied widely in terms of the level of independence of decision-making.
Although departmental information sharing frameworks will continue to evolve over time, this review will provide a baseline of comparison for future developments under the ACMFEA. The review also served to identify areas of potential concern that NSIRA may revisit in future years.
1.This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
2.The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
3.NSIRA identified concerns that demonstrate the need for improved training. NSIRA found that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information. Some disclosures were of concern as GAC did not meet the two-part threshold requirements of the SCIDA prior to disclosing the information. Without meeting these requirements, some disclosures of personal information were not compliant with the SCIDA. Two disclosures did not contain accuracy and reliability statements, as required under the SCIDA. With respect to record-keeping, NSIRA recommends that departments contemporaneously document the information relied on to satisfy themselves that disclosures will not affect any person’s privacy interest more than is reasonably necessary in the circumstances.
4.NSIRA is confident that it received all information necessary to conduct the review.
2. Introduction
5.When federal departments fail to share national security information in a timely, coordinated, or responsible manner, serious and tragic consequences can result – as the Arar and Air India Inquiries found. As a mechanism in Canada’s national security accountability framework, NSIRA is mandated to prepare a report respecting disclosures under the Security of Canada Information Disclosure Act (SCIDA) during the previous calendar year. This is the only NSIRA review that must be made public and laid before both the House of Commons and the Senate, reflecting the importance Parliament has placed on independent review and accountability of national security information disclosure.
6.The SCIDA’s designated long title also reflects its stated purpose: An Act to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada.
7.The SCIDA governs how Government of Canada institutions disclose information, including personal information, that is relevant to activities that undermine the security of Canada, to a select group of federal institutions with national security mandates. Disclosures are either made proactively, on the initiative of a Government of Canada institution, or in response to a request by an institution authorized to receive information under the SCIDA.
8.It is important to note that the SCIDA is simply a tool. It is only as useful as its real-time recognition and application. Its success relies on how individuals and institutions interact with and implement its provisions. Those federal government institutions authorized to disclose information under the SCIDA must maintain a certain vigilance for information that may have national security repercussions, including at the most basic operational level. Having recognized information that could involve national security matters, departments must then decide whether they are authorized to disclose that information and to whom, paying close attention to minimizing any impacts on individual privacy rights.
9.Federal departments and agencies with core national security mandates are generally able to rely on their own legal frameworks to share information with other domestic institutions, and do not require the SCIDA to do so. Previous NSIRA reports have found that for many such institutions, disclosures made under the SCIDA comprise only a small portion of their domestic national security information sharing.
10.NSIRA understands the significance of the SCIDA in the overall national security framework, and is concerned with its robust application, in keeping with the provisions of the SCIDA, including its guiding principles, and with respect to the disclosure of personal information. What is more, NSIRA has the ability to review all disclosures across the Government of Canada, and through this broad lens, can identify common themes and trends. This perspective, not available to individual federal departments, enables NSIRA to make findings and recommendations that can strengthen overall information disclosure within the national security framework.
Focus of this Review
11.In determining the focus of this review, NSIRA considered the concerns raised in its review conducted the year prior. In the review of disclosures made under the SCIDA in 2020, which NSIRA undertook jointly with the Office of the Privacy Commissioner (OPC), the review found that the majority of federal department disclosures – approximately 99 per cent – met the threshold requirements that permit information to be disclosed under the SCIDA. In other words, the disclosing institutions sufficiently demonstrated that they had satisfied themselves, prior to providing the disclosures, that the information to be disclosed would contribute to the exercise of the recipient’s jurisdiction or responsibilities respecting activities that undermine the security of Canada, and that it would not affect any person’s privacy interest more than reasonably necessary in the circumstances.
12.The few disclosures that raised concerns, however, were those that had been provided to the recipient institutions on a proactive basis. As such, NSIRA chose to focus on this category for its 2021 review of disclosures under the SCIDA. In 2021, the majority of proactive disclosures came from Global Affairs Canada (GAC). NSIRA therefore chose to focus on GAC’s proactive disclosures in 2021, as a representative sample.
13.In addition to reviewing these disclosures from the perspective of the SCIDA’s prerequisite thresholds, this review also assessed other important requirements under the SCIDA that help to ensure responsible disclosures of national security information. These include the need for disclosures to be accompanied by statements that attest to the accuracy and reliability of the information being disclosed, as well as the obligation on all disclosing institutions to prepare and keep records that set out a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.
14.Although the review sample focused on GAC proactive disclosures, many findings and recommendations are general and illustrative and, in many instances, may be useful to all institutions when disclosing under the SCIDA.
Review Objectives
15.The objectives of this review were to assess proactive disclosures of information under the SCIDA.
16.Specifically, the review assessed whether GAC:
a) Satisfied itself, prior to disclosing any information, that the disclosure would contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA;
b) Satisfied itself, prior to disclosing any information, that the disclosure would not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA;
c) Described, at the time of the disclosure, the accuracy of the information disclosed and the reliability of the manner in which it was obtained, as required under subsection 5(2) of the SCIDA; and
d) Kept records that included a description of the information that was relied on to satisfy itself that the disclosure was authorized under the SCIDA, as required under paragraph 9(1)(e) of the SCIDA.
Methodology
17.NSIRA received 195 disclosures of information from federal departments that reported either disclosing or receiving information under the SCIDA between January 1, 2021 and December 31, 2021. NSIRA conducted a preliminary review of all disclosures received.
18.NSIRA focused this year’s review on GAC proactive disclosures only. GAC identified 16 proactive disclosures out of a total of 44 disclosures under the SCIDA in 2021. However, in reviewing the material provided by GAC, NSIRA noted that three of these files were in fact requests for information from another department, and not disclosures of information under the SCIDA. As such, NSIRA removed these three files from the review sample, and only analyzed the remaining 13 disclosures identified by GAC as proactive disclosures.
19.NSIRA sent five follow up requests for information to GAC regarding its disclosures, and assessed all records provided.
3. Analysis
20. In conducting this review, NSIRA observed positive components of disclosures that it endeavours to highlight in this report. Proactive disclosures are an important feature of the SCIDA regime, and the following findings and recommendations aim to enhance compliance with the SCIDA.
Thresholds for disclosing information to federal institutions under the SCIDA
a) Jurisdiction or responsibilities in respect of activities that undermine the security of Canada
21. Paragraph 5(1)(a) of the SCIDA requires departments to satisfy themselves that disclosures “will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada.”
22. The definition of “activity that undermines the security of Canada” is set out at subsection 2(1) of the SCIDA and includes, for example, espionage and terrorism. Certain activities are excluded from this definition, notably advocacy and protest not carried out in conjunction with an activity that undermines the security of Canada.
23. In conducting this review, NSIRA examined each disclosure in the sample and its corresponding documentation to assess whether GAC had satisfied itself, prior to making the disclosure, that the information to be disclosed would contribute to the recipient department’s jurisdiction in respect of activities that undermine the security of Canada, as defined in the SCIDA.
24. In 12 of the 13 disclosures reviewed, GAC sufficiently demonstrated that it had satisfied itself as to these requirements. Furthermore, in all of these 12 disclosures, GAC documented that it had considered not only whether the recipient had the appropriate jurisdiction, but also how the information would contribute to that jurisdiction in respect of an activity that undermines the security of Canada as defined in the SCIDA. For example, see text box 1. The information in the disclosure file supports the text of this statement.
Text box 1: Example of statement in disclosure demonstrating GAC satisfied itself as to the requirements under 5(1)(a) of the SCIDA
GAC’s disclosure will contribute to the carrying out of CSIS’ responsibilities under section 12 of the CSIS Act, which require CSIS to investigate activities that may on reasonable grounds be suspected of constituting threats to the security of Canada. Section 2.a of the CSIS Act defines threats to the security of Canada as encompassing threats or acts of “espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage.” CSIS collects, analyzes and retains information and intelligence on these threats to the extent that it is strictly necessary to do so, and reports to and advises the Government of Canada. In the circumstances, GAC’s disclosure will contribute to CSIS’ responsibility under section 12 of the CSIS Act to investigate and report on threats to the security of Canada as defined in section 2.a of the CSIS Act. Specifically, the disclosure will contribute to an assessment of a potential espionage threat [against Canadian interests abroad].
25.However, NSIRA observed that in one of those twelve disclosures, GAC consulted on more information than necessary to determine whether the disclosure was authorized under the SCIDA. This disclosure is described below.
Disclosure 1
26.A foreign country provided information about an individual with ties to Canada, to GAC headquarters, and requested that GAC forward the information to appropriate authorities. GAC then met with CSIS and showed them the information in their holdings, in order to clarify whether the information contributed to CSIS’s national security mandate. CSIS reviewed the information and confirmed that the information was of value to their investigation. CSIS did not report any of the information in its holdings.
27.Following that consultation, GAC concluded that a number of the documents did not pertain to an activity that undermines the security of Canada, as they contained “significant amounts of personal information unrelated to [the subject of the investigation] and reflecting acts considered lawful in Canada, such as freedom of speech (with no stated intent to engage in acts of violence) and freedom of peaceful assembly.” As such, GAC subsequently formally disclosed to CSIS only a fraction of the previously consulted documents. With respect to this formal disclosure, GAC demonstrated that it satisfied itself as to the requirements under paragraph 5(1)(a) of the SCIDA.
28. GAC indicated to NSIRA that the Public Safety guide on responsible information-sharing (PS Guide) is its primary policy guidance on the SCIDA. NSIRA notes that the PS Guide encourages government institutions to “communicate with the designated recipient institution prior to disclosure to determine not only whether the information is linked to activities that undermine the security of Canada but also how it contributed to that institution’s national security mandate.” This should not be interpreted as providing authorization to consult on more information than necessary, given the possibility that information outside the scope of a SCIDA disclosure may be included.
29. During its consultation with CSIS, GAC consulted on information that it later assessed as not concerning an activity that undermines the security of Canada as defined in the SCIDA and which was later removed from the formal disclosure under the SCIDA. The consultation involved showing GAC’s full information holdings to CSIS, which was more information than necessary to obtain confirmation from CSIS that the information was of value. Information used in consultations should be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to the carrying-out of its mandate and is linked to activities that undermine the security of Canada.
30. Furthermore, despite twelve out of thirteen disclosures meeting the requirements of paragraph 5(1)(a) of the SCIDA, one disclosure did not. NSIRA addresses this disclosure below.
Disclosure 2
31. An individual overseas, on their own initiative, identified themselves as a member of that country’s government and provided information to an official at a Canadian embassy about an alleged threat. GAC disclosed this information along with personal information, including the individual’s contact information, to the Canadian Security Intelligence Service (CSIS), invoking the SCIDA as an authority to make the disclosure. However, GAC did not consider whether this disclosure met the two threshold requirements under paragraphs 5(1)(a) and 5(1)(b) of the SCIDA, prior to disclosing this information in its entirety. During the course of this review, GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and it was authorized under another authority for disclosing information in such circumstances, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances. Nonetheless this example demonstrates a) that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information, and b) that such confusion, in this case, led to the improper use of the SCIDA to disclose.
Finding no. 1: NSIRA finds that, in twelve out of thirteen disclosures, GAC demonstrated that it satisfied itself as to the contribution of the information to the recipient institution’s responsibilities in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA.
Finding no. 2: NSIRA finds that, without first conducting the analysis under paragraph 5(1)(a) of the SCIDA, departments risk disclosing information that does not pertain to the national security mandate of the recipient institution or to activities that undermine the security of Canada.
Finding no. 3: NSIRA finds that, in one of thirteen disclosures, GAC consulted on more information than necessary to obtain confirmation that the disclosure contributed to CSIS’s mandate and was linked to activities that undermine the security of Canada.
Recommendation no. 1: NSIRA recommends that consultations be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to its mandate and is linked to activities that undermine the security of Canada.
b) Privacy interest not impacted more than reasonably necessary in the circumstances
32. Paragraph 5(1)(b) of the SCIDA requires that disclosing institutions be satisfied that the disclosure will not affect any person’s privacy interests more than reasonably necessary in the circumstances.
33. All thirteen proactive disclosures included personal information as defined in the Privacy Act, that is, identifiable information about an individual, such as name, contact information, background information, or suspicions concerning the individual.
34. The PS Guide provides direction on the type of analysis required prior to disclosing personal information. More specifically, the PS Guide states “whether the information impacting a person’s privacy interest is considered ‘reasonably necessary’ will depend upon the particular circumstances of each case. Relevant considerations may include contextual factors, such as the type and nature of the information in question and the particular purpose for the disclosure.”
35. In response to NSIRA requests for further information, GAC explained how it satisfied itself that these proactive disclosures did not affect any person’s privacy interest more than reasonably necessary in the circumstances.
36. For example, GAC explained that in eight of the thirteen disclosures, GAC determined that some of the information it was considering disclosing was not within the scope of the recipient institution’s mandate. In the same disclosures, GAC also stated that it determined that some of the information in its holdings did not contribute to the institution’s investigation or fall within the recipient institution’s original request for information. For example, in one disclosure, only an individual’s travel status abroad was shared with CSIS as this pertained to the latter’s responsibilities in a national security matter. Other information in GAC’s holdings, such as information concerning other individuals, was determined by GAC not to be relevant, and therefore was not included in the disclosure.
37. Similarly, GAC explained that in two of the thirteen disclosures, GAC determined that some information was necessary to report to the recipient department, and therefore included in the disclosure. More detailed information not linked to activities that undermine the safety of Canada was not disclosed. For example, in one of the two disclosures, only information about suspected espionage activity was disclosed to CSIS, while detailed information about certain personal activities and behaviours was withheld.
38. NSIRA observed that of the 13 disclosures in the sample, three disclosures did not meet the requirements under paragraph 5(1)(b) of the SCIDA.
39. In Disclosure 2, described above, GAC disclosed information that was received from an individual who, on their own initiative, provided information to an official at a Canadian embassy overseas. GAC did not conduct any analysis under the SCIDA including whether the disclosure would affect privacy interests more than reasonably necessary in the circumstances, and proceeded with disclosing the entirety of the information to CSIS. GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and was authorized under another authority for disclosing information, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances.
Disclosures 3 and 4
40. A Canadian embassy abroad received screen shots of a private social media group. The screenshots included information about a political movement in a foreign country. They also contained the contact information of all members of the group. While the group shared posters about the movement and information concerning protests in Canada, there were no threats, whether specific or general, in the material. However, based on some information in the screenshots, as well as the broader context of protests, past events, and open source media, GAC determined that the information contributed to the exercise of the Royal Canadian Mounted Police (RCMP)’s and CSIS’s jurisdiction, or the carrying out of their responsibilities, in respect of activities that undermine the security of Canada.
41. GAC disclosed the entirety of the information to both the RCMP and CSIS. The only information redacted was the name and contact information of the individual who provided the information to GAC.
42. GAC explained to NSIRA that it concluded that paragraph 5(1)(b) of the SCIDA was met because it did not identify a reasonable expectation of privacy in the content of the private social media group. NSIRA observes that GAC did not consider all of the relevant factors that would allow it to satisfy itself that the disclosure would not affect any person’s privacy interest more than is reasonably necessary in the circumstances. As such, the disclosure of information did not meet the second threshold requirement under subsection 5(1) of the SCIDA. Therefore, the disclosure of personal information of the group members did not comply with the requirements of the SCIDA.
Finding no. 4: NSIRA finds that, in ten out of thirteen disclosures, GAC satisfied itself that the disclosure will not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA.
Accuracy and Reliability Statements
43. The Arar Report noted that “sharing unreliable or inaccurate information does not provide a sound foundation for identifying and thwarting real and dangerous threats to national security and can cause irreparable harm to individuals.”
44. A core theme in the SCIDA’s guiding principles is that of effective and responsible disclosure of information. Disclosing institutions are required, under subsection 5(2) of SCIDA, to provide information at the time of disclosure regarding the accuracy of the information disclosed and the reliability of the manner in which it was obtained.
45. Given the valuable context that accuracy and reliability statements provide to disclosures, precise and complete statements tailored to the specific circumstances of the disclosure can help avoid false perceptions, and can help ensure that recipient institutions have a clear understanding as to the accuracy and reliability of the information disclosed.
46. GAC relied on the PS Guide as its primary policy guidance document on the SCIDA. The PS Guide sets out that ensuring that the information disclosed is as accurate, complete, and as upto-date as possible is key to responsible and effective information sharing.
47. GAC informed NSIRA that partner agencies can better verify the accuracy of the information and the reliability of its source than GAC. NSIRA agrees that in some instances, GAC has limited capability for verification. Nonetheless, the SCIDA requires accuracy and reliability statements in every disclosure; accuracy and reliability statements must be clear and contextspecific in order to be meaningful.
48. In an example of a well-developed statement, GAC provided the following: The information disclosed by GAC was obtained through interactions between GAC officials with [known and credible source X and another individual]. GAC is not in a position to assess the accuracy and reliability of the above information provided to GAC officials by [these individuals]. GAC assesses that [source X] is highly credible, and is likely providing reliable information. In this case, the statement made a distinction between the accuracy and reliability of the information disclosed, depending on the source of that information. The disclosure sets out which information was provided by which source.
49. Overall, eleven of the thirteen disclosures contained accuracy and reliability statements. Two disclosures did not include the statement as the SCIDA requires. These omissions were not tied to GAC’s inability to verify the accuracy and reliability of the information.
Finding no. 5: NSIRA finds that two out of thirteen disclosures did not contain accuracy and reliability statements as required by subsection 5(2) of the SCIDA.
Recommendation no. 2: NSIRA recommends that in order to provide the most valuable and meaningful context for the recipient institution, accuracy and reliability statements should be clear and specific to the circumstances of the disclosure.
Record-keeping
50. Paragraph 9(1)(e) of the SCIDA requires that disclosing institutions prepare a description of the information that they relied on to satisfy themselves that the disclosure was authorized under the SCIDA, including that the disclosure did not affect privacy interests more than reasonably necessary, as part of their record-keeping obligations under the SCIDA.
51. It is noted that the PS Guide sets out the steps to making a disclosure, which include creating a record describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA. Furthermore, the PS Guide’s Appendix A: Record-keeping Template for Institutions Disclosing Information under the SCIDA, which is intended to help departments meet record-keeping obligations for disclosing institutions under the SCIDA, contains a field for departments to describe that information. It also restates the requirements under paragraphs 5(1)(a) and (b) of the SCIDA that the disclosing institution be satisfied that the disclosure will contribute to the recipient institution’s national security mandate, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances.
52. The SCIDA 2020 Review observed that GAC’s records describing the information it used to satisfy itself that certain responsive disclosures to CSIS, were robust. The basis for this observation was that GAC’s records contained information provided by CSIS to aid in GAC’s assessment, including details of the potential impact on the subject(s) of the request.
53. During the course of this year’s review, NSIRA requested that GAC provide a description of how it satisfied itself that the disclosure was authorized under both threshold requirements under the SCIDA. NSIRA also requested that GAC provide all supporting documents GAC relied on in its assessment. GAC provided explanations in response to NSIRA’s queries in this regard, referencing supporting documents. Based on a review of the records provided, NSIRA observes that GAC’s practices could be improved by contemporaneously and expressly articulating which information it relied on to satisfy itself that the disclosures would not impact any person’s privacy interest more than reasonably necessary in the circumstances.
Recommendation no. 3: NSIRA recommends that all disclosing departments contemporaneously prepare descriptions of the information that was relied on to satisfy themselves that disclosures were authorized under the SCIDA.
Training on the SCIDA
54. GAC used four distinct PowerPoint documents in 2021 to train employees on the SCIDA.
55. A course entitled Governance, Access, Espionage and Technical Security (GATE) was accessible to all employees going on postings as an introductory course focused on the awareness of information security at GAC. This presentation did not include practical examples or scenarios, but explained that any information sharing under the SCIDA must be done through GAC Headquarters.
56. Furthermore, a presentation provided by the Director General of the Intelligence Bureau to the majority of Heads of Mission going on postings, as an introductory course on intelligence support and security, did not provide illustrative examples or scenarios, but set out that information sharing under the SCIDA must be done through Headquarters.
57. Finally, the Department of Justice legal team provided two presentations: one to Global Security Reporting Program Officers going on postings as an introduction to information sharing policies and practices, including several slides on the SCIDA, and the other to groups of employees at Headquarters as an introduction to information sharing policies and practices. NSIRA noted that each presentation included only one or two examples illustrating the considerations in making a disclosure under the SCIDA.
58. Three of the four presentations also included a range of information about record-keeping requirements. However, the information in the presentations was largely limited to reiterating the requirements under the SCIDA, and no practical examples or scenarios were provided. Similarly, while these presentations reiterated requirements under the SCIDA to include accuracy and reliability statements, no practical examples were provided.
Finding no. 6: NSIRA finds that GAC training on the SCIDA lacks sufficient illustrative examples required to provide employees with adequate guidance to fulfill their obligations under the SCIDA.
Recommendation no. 4: NSIRA recommends that additional illustrative examples and scenarios be included in the SCIDA training, including for disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements.
4. Responsiveness and provision of information
59. All departments met the timelines for the provision of information to NSIRA.
60. Subsections 9(1) and 9(2) of the SCIDA contain record-keeping obligations for disclosing and recipient institutions. Subsection 9(3) of the SCIDA requires all departments to provide every record prepared under those subsections to NSIRA, for the purpose of NSIRA’s annual review of disclosures under SCIDA. Not only is thorough record-keeping a legal requirement for disclosing and recipient institutions, it is not possible for NSIRA to fulfill its mandated annual review without all records from all departments.
61. This review focussed on GAC proactive disclosures. NSIRA conducted a cross-comparison of the number of disclosures reported by GAC and those received by recipient institutions and notes that the numbers align. NSIRA did not independently verify the completeness of the records provided by GAC. Nonetheless, the assessment under the SCIDA requires GAC to demonstrate compliance. Additional requests for information over the course of the review led NSIRA to conclude that it received all information necessary to conduct the review. Finally, GAC had the opportunity to review a preliminary draft of this report and provide additional information. For these reasons, NSIRA is confident that it received all information necessary to conduct the review.
5. Conclusion
62. The SCIDA is a legislative tool meant to encourage and facilitate the responsible and effective disclosure of national security-related information between federal government institutions. Of the thirteen disclosures in the review sample, three did not meet one or both disclosure threshold requirements and two did not contain accuracy and reliability statements. Prior to consulting on potential disclosures, departments should consider what information is necessary to include in the consultation. Departments should also contemporaneously document on what basis they were satisfied that disclosures were authorized under the SCIDA. Furthermore, improvements to ongoing training are recommended, to provide more illustrative examples to guide employees in fulfilling their obligations under the SCIDA. NSIRA looks forward to revisiting the implementation of the SCIDA in future years and expects to find improved compliance, recordkeeping, and delivery of training programs.
Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021: Backgrounder
Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021
Backgrounder
Backgrounder
This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
I am pleased to present the National Security and Intelligence Review Agency (NSIRA) 2022–23 Departmental Plan. This report outlines our planned activities, priorities and targeted outcomes for the 2022–23 fiscal year.
Over the past two years, NSIRA has focused on ensuring a successful and efficient transition to a much larger organization with a much broader mandate, while working on standardization and modernizing the processes that underpin our work. The agency has also increased its size and strengthened its technical and subject matter expertise.
In 2022–23, we will be implementing NSIRA’s renewed three-year review plan, which continues to emphasize reviews of increasing scale and complexity as we become familiar with the operations of departments and agencies that have only recently become subject to review. This includes reviewing activities taken under authorities granted by the National Security Act, 2017, and those that are technology- and data-collection–centric.
In the upcoming year, we will continue implementing our new process launched in 2021 for taking in and investigating complaints from members of the public. NSIRA consulted multiple key stakeholders in shaping this new process, which aims to provide greater accessibility and greater timeliness to our complaints investigation function.
As we continue to scale up our operations in 2022–2023, our priority will remain the health and safety of our staff. Some of our planned initiatives include expanding to a second site, recruiting staff across all business lines, and supporting staff and NSIRA members. Moreover, while building on our successes and pursuing ambitious organizational goals, we will maintain our focus on diversity and inclusion in the workplace, including developing an employment equity strategy.
I would like to thank the staff and members of NSIRA. They are dedicated, resilient and committed to excellence. I look forward to continuing to work with them to develop and grow the NSIRA of the future.
John Davies Executive Director
Plans at a glance
Over the coming year, NSIRA will continue its ambitious review agenda. This will include:
mandatory reviews related to the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Security of Canada Information Disclosure Act and Governor in Council directions under the Avoiding Complicity in Mistreatment by Foreign Entities Act;
reviews of activities undertaken under the new authorities granted to government institutions under the National Security Act, 2017; and
reviews of activities where technology and the collection of data are central features.
NSIRA will also continue to expand its knowledge of departments and agencies not previously subject to expert review, including through the conduct of interagency reviews.
After an extensive consultation exercise with key stakeholders and the development of new rules of procedures in 2021, NSIRA will also focus on implementing its new model for investigating complaints. Our goal is to enhance access to justice for complainants and to ensure that NSIRA investigates complaints in a timely manner.
Employee health and well-being are key to the agency’s success. In that regard, NSIRA will continue to take steps to protect the physical and mental health of its employees and help address stresses caused by the pandemic. NSIRA will focus on the implementation of initiatives aimed at improving workplace and employee well-being as well as meeting federal public service objectives for employment equity, diversity and inclusion.
For more information on NSIRA’s plans, see the “Core responsibilities: planned results and resources, and key risks” section of this plan.
Core responsibilities: planned results and resources, and key risks
This section contains information on the department’s planned results and resources for each of its core responsibilities. It also contains information on key risks related to achieving those results.
National Security and Intelligence Reviews and Complaints Investigations
Description
NSIRA reviews Government of Canada national security and intelligence activities to assess whether they are lawful, reasonable and necessary. It investigates complaints from members of the public regarding activities of CSIS, CSE or the national security activities of the Royal Canadian Mounted Police (RCMP), as well as certain other national security-related complaints. This independent scrutiny contributes to the strengthening of the framework of accountability for national security and intelligence activities undertaken by Government of Canada institutions and supports public confidence in this regard.
Planning highlights
Reviews
In support of this outcome, NSIRA will continue to implement an ambitious review agenda in 2022–23. It will review the activities of CSIS and CSE to provide responsible ministers and the Canadian public with an informed assessment of these activities, including their lawfulness, reasonableness and necessity. NSIRA will also build on the knowledge it has acquired of departments and agencies, such as the RCMP, the Canada Border Services Agency, Immigration, Refugees and Citizenship Canada, and the Department of National Defence and Canadian Armed Forces. Using that knowledge, NSIRA will ensure these organizations’ national security or intelligence activities are independently reviewed. NSIRA is committed to transcending the silos that have characterized national security review , and will “follow the thread” of an activity between agencies to ensure its assessments reflect the complex and interwoven approach Canada takes to national security.
NSIRA is committed to ensuring its review agenda remains responsive and topical. In 2022–23, in order to inform the upcoming review of the National Security Act, 2017, NSIRA will focus on the review of activities performed under authorities that were granted by virtue of this legislation. For CSIS, these include the collection and use of datasets, and the implementation of a framework for justifying activities that contravene the law that are carried out by designated employees under specific circumstances in the context of their duties and functions. For CSE, this will include the conduct of active and defensive cyber operations. Other NSIRA reviews that will contribute information in this regard are the annual reviews of the Security of Canada Information Disclosure Act, of the Governor in Council directions under the Avoiding Complicity in Mistreatment by Foreign Entities Act, and of the use of measures by CSIS to reduce threats to the security of Canada.
NSIRA will continue to expand its knowledge of national security institutions by undertaking reviews in the areas of terrorist financing, foreign interference and cybersecurity. The agency will fully utilize its authorities to follow the thread of information across multiple organizations by undertaking reviews on CSIS-CSE collaboration, the efforts of both CSIS and the RCMP to address threats posed by ideologically motivated violent extremists, and the use of human sources by various departments and agencies.
Finally, NSIRA will focus on select reviews where the review of technology and data flows are central, including the collection and use of open-source intelligence at the Department of National Defence, the lifecycle of information collected under warrant by CSIS, and the retention practices of signals intelligence by CSE. NSIRA will be leveraging both internal and external technology expertise in conducting these reviews.
Outreach and collaboration
NSIRA will continue to engage with community stakeholders to understand their concerns surrounding national security and intelligence activities. NSIRA will also continue to proactively publish unclassified versions of its reports throughout the year, as well as information on its plans and processes. The annual report will continue to summarize NSIRA’s review findings and recommendations in context, situating these elements within a broader discussion of key trends and challenges NSIRA has observed over the year. NSIRA will finish a full update of its review process and procedures, and work with reviewed entities in applying them to all reviews that are starting or in early stages.
In 2022–23, NSIRA will continue to draw on the close relationships it has established with the National Security and Intelligence Committee of Parliamentarians and the Office of the Privacy Commissioner. The agency will coordinate its activities to ensure review is efficient and comprehensive, and avoids unnecessary duplication of effort.
NSIRA is also developing close ties to its international equivalents. It will continue its participation in the Five Eyes Intelligence Oversight and Review Council (FIORC) that brings together review agency representatives from Canada, the United States, Australia, New Zealand and the United Kingdom. NSIRA will participate in the FIORC annual conference in the fall of 2022. In addition, NSIRA will participate in FIORC working groups, which aim to meet regularly at the working level to discuss topics of common interest, such as the impacts of new technology, the investigation of complaints from the public and access to information in the possession of reviewed departments. NSIRA also intends to renew its efforts to foster new collaborative relationships with other international review bodies.
Complaints investigations
In 2022–23, NSIRA will also strengthen institutions’ accountability and enhance public confidence by ensuring consistency, quality and timeliness in investigating national security–related complaints. The independent investigation of complaints plays a critical role in maintaining public confidence in Canada’s national security institutions. In 2022–23, NSIRA will continue to offer an informal resolution process to complement the investigative process to respond to complaints. NSIRA will apply its new rules of procedure to promote accessibility, timeliness and efficiency in the investigation of complaints. Finally, NSIRA will establish new service standards for the investigation of complaints.
Gender-based analysis plus
In 2022–23, NSIRA’s Diversity, Inclusion and Employment Equity Advisory Committee will examine and provide advice on its internal policies, programs and procedures, as well as its external service delivery model through the lens of inclusion, diversity and equity.
From a program delivery perspective, NSIRA is working closely with its partner, the Civilian Review and Complaints Commission for the RCMP, to develop strategies for the collection, analysis and use of race-based and demographic data in the context of the complaints process. The objectives of this initiative are to improve access to justice by improving awareness and understanding of the investigation process. The intent is also to document the different racial groups among civilian complainants and determine:
whether there are significant racial disparities;
whether there are racial differences with respect to the types of complaints made against national security agency members based on different groups;
the frequency of complaints that include allegations of racial or other forms of bias;
whether complaint investigation outcomes vary by racial group; and
whether civilian satisfaction with NSIRA’s investigation process also varies by racial group.
NSIRA’s program of planned and ongoing reviews also takes into account the potential for national security and intelligence activities to result in disparate outcomes for minority groups. Ongoing reviews of the Canada Border Services Agency’s targeting practices, as well as the use of biometrics in a national security and intelligence context, include specific considerations of the impacts of these activities on diverse communities.
From a corporate perspective, the Diversity, Inclusion and Employment Equity Advisory Committee will also continue to engage with NSIRA’s personnel on issues related to systemic discrimination and racism through seminars and learning events. The intent is to continue to create an environment in which all employees feel comfortable and will not shy away from participating in discussions on issues related to anti-racism, diversity and inclusion.
As well, NSIRA is developing a self-identification process for its employees that will allow it to shape its staffing and employment equity strategies to increase representation and to ensure it reflects the diversity of the Canadian public, which it serves.
Experimentation
Given the functions and responsibilities of NSIRA, the organization does not engage in experimentation activities.
Key risks
NSIRA’s ability to access the information it needs to do its work and speak to the relevant stakeholders to understand policies, operations and ongoing issues is closely tied to the capacity of the organizations being reviewed to respond to NSIRA’s demands. The resource constraints of those organizations might continue to be compounded next year by disruptions stemming from the COVID-19 pandemic. This presents a risk of hindering NSIRA’s ability to deliver on its mandate in a timely way. NSIRA is mitigating this risk by ensuring clear communication about information requests and by setting review priorities.
The physical distancing precautions established by the COVID-19 pandemic will likely continue to be needed in 2022–23. While NSIRA invested in technology and adapted and expanded its office space to accommodate these requirements, the pandemic may still affect NSIRA’s ability to deliver on its mandate in a timely way and limit the frequency and type of outreach NSIRA can accomplish. The agency will continue to innovate and adapt to conduct its operations and, as necessary, engage virtually with stakeholders, departments and agencies.
Planned results for National Security and Intelligence Activity Reviews and Complaints Investigations
The following table shows, for National Security and Intelligence Activity Reviews and Complaints Investigations, the planned results, the result indicators, the targets and the target dates for 2022–23, and the actual results for the three most recent fiscal years for which actual results are available.
Departmental results
Departmental result indicator
Target
Date to achieve target
2018–19 actual result
2019–20 actual result
2020–21 actual result
Note: Because NSIRA was created on July 12, 2019, there is no comparative information to provide for 2018–19. Actual results for 2019–20 are not available as the new Departmental Results Framework in the changeover from the Security Intelligence Review Committee to NSIRA was being developed. This new framework is for measuring and reporting on results achieved starting in 2021–22, thus no actual results can be reported for 2020–21 either.
Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable and necessary
All mandatory reviews are completed on an annual basis
100% completion of mandatory reviews
December 2022
Not applicable (N/A)
N/A
N/A
Reviews of national security or intelligence activities of at least five departments or agencies are conducted each year
At least one national security or intelligence activity is reviewed in at least five departments or agencies annually
December 2022
N/A
N/A
N/A
All Member-approved high priority national security or intelligence activities are reviewed over a three- year period
100% completion over three years; at least 33% completed each year
December 2022
N/A
N/A
N/A
National security-related complaints are independently investigated in a timely manner
Percentage of investigations completed within NSIRA service standards
90%
March 2023
N/A
N/A
N/A
Financial, human resources and performance information for NSIRA’s program inventory is available in the GC InfoBase.
Planned budgetary financial resources for assisting the National Security and Intelligence Review Agency
2022–23 budgetary spending (as indicated in Main Estimates)
2022–23 planned spending
2023–24 planned spending
2024–25 planned spending
10,756,818
10,756,818
10,757,687
10,757,687
Financial, human resources and performance information for NSIRA’s program inventory is available in the GC InfoBase.
Planned human resources for assisting the National Security and Intelligence Review Agency
2022–23 planned full-time equivalents
2023–24 planned full-time equivalents
2024–25 planned full-time equivalents
69.0
69.0
69.0
Financial, human resources and performance information for NSIRA’s program inventory is available in the GC InfoBase.
Internal Services: planned results
Description
Internal services are the services that are provided within a department so that it can meet its corporate obligations and deliver its programs. There are 10 categories of internal services:
Management and Oversight Services
Communications Services
Legal Services
Human Resources Management Services
Financial Management Services
Information Management Services
Information Technology Services
Real Property Management Services
Materiel Management Services
Acquisition Management Services
Planning highlights
As it enters a third full year of operation, NSIRA will continue to take steps to ensure resources are deployed in the most effective and efficient manner possible and that its operational and administrative structures, tools and processes will continue to focus on supporting the delivery of its priorities.
NSIRA’s employees are the backbone of its operations. Because their health and well-being are key to the agency’s success, several initiatives geared toward improving workplace health and employee well-being will be an ongoing priority.
In an effort to attract and retain talent, NSIRA will further initiatives aimed at articulating NSIRA’s vision, values, culture and brand. The agency will work with employees to establish a hybrid workplace framework and talent/career management programs.
NSIRA has identified and publicly shared an action plan aimed at supporting the federal public service objectives for employment equity, diversity and inclusion. In 2022–23, the agency will accelerate its efforts on this front.
If not further delayed by the pandemic, NSIRA aims to complete its accommodation, infrastructure and systems investments in 2022–23 and initiate self-assessments of its compliance with central agencies’ policies and directives.
Planned budgetary financial resources for Internal Services
2022–23 budgetary spending (as indicated in Main Estimates)
2022–23 planned spending
2023–24 planned spending
2024–25 planned spending
17,493,858
17,493,858
7,701,336
7,701,042
Planned human resources for Internal Services
2022–23 planned full-time equivalents
2023–24 planned full-time equivalents
2024–25 planned full-time equivalents
31.0
31.0
31.0
Planned spending and human resources
This section provides an overview of the department’s planned spending and human resources for the next three fiscal years and compares planned spending for 2022–23 with actual spending for the current year and the previous year.
Planned spending
Departmental spending 2019–20 to 2024–24
The following graph presents planned (voted and statutory) spending over time.
Text version of Figure 1
Departmental spending trend graph
2019–20
2020–21
2021–22
2022–23
2023–24
2024–25
Statutory
371,057
962,186
1,295,290
1,727,668
1,727,668
1,727,668
Voted
5,254,250
11,289,189
19,137,337
26,523,008
16,731,355
16,731,061
Total
5,625,250
12,251,375
20,432,627
28,250,676
18,435,987
18,458,729
Fiscal years 2019–20 and 2020–21 show actual expenditures as reported in the Public Accounts, while 2021–2022 presents the forecast for the current fiscal year. Fiscal years 2022–23 to 2024–25 present planned spending.
The 2020–21 spending of $12.2 million increased by $6.6 million (118%), compared to 2019–20. The increase is due to the fact that NSIRA was created in July 2019, which resulted in the actual expenditures for fiscal year 2019–20 reflecting only a partial year of spending. Forecast spending in 2021–22 is higher than 2020–21 spending by $8.2 million (67%), primarily due to growth in personnel and limited investments in accommodation, infrastructure and systems.
Spending is expected to increase by $7.8 million (38%) in 2022–23 compared to 2021–22. This planned increase is mainly due to a re-profile of funding to align to the conduct of projects delayed by the pandemic. Spending is expected to decrease by $9.8 million (35%) in 2023–24, mainly due to the expected completion of the office expansion project in 2022–23. Spending is expected to remain relatively unchanged in 2024–25 from 2023–4.
Budgetary planning summary for core responsibilities and Internal Services (dollars)
The following table shows information on spending for each of NSIRA’s core responsibilities and for its internal services for 2022–23 and other relevant fiscal years.
Core responsibilities and Internal Services
2019–20 actual expenditures
2020–21 actual expenditures
2021–22 forecast spending
2022–23 budgetary spending (as indicated in Main Estimates)
2022–23 planned spending
2023–24 planned spending
2024–25 planned spending
National Security and Intelligence Reviews and Complaints Investigations
3,009,066
5,607,796
8,074,229
10,756,818
10,756,818
10,757,687
10,757,687
Subtotal
3,009,066
5,607,796
8,074,229
10,756,818
10,756,818
10,757,687
10,757,687
Internal Services
2,616,241
6,643,579
12,358,398
17,493,858
17,493,858
7,701,336
7,701,042
Total
5,625,307
12,251,375
20,432,627
28,250,676
28,250,676
18,459,023
18,458,729
As NSIRA was created on July 12, 2019, the numbers for 2019–20 are for the reporting period of July 12, 2019, to March 31, 2020.
Planned human resources
The following table shows information on human resources, in full-time equivalents, for each of NSIRA’s core responsibilities and for its internal services for 2022–23 and the other relevant years.
Human resources planning summary for core responsibilities and Internal Services
Core responsibilities and Internal Services
2019–20 Actual full-time equivalents
2020–21 Actual full-time equivalents
2021–22 Forecast full-time equivalents
2022–23 Planned full-time equivalents
2023–24 Planned full-time equivalents
2024–25 Planned full-time equivalents
National Security and Intelligence Reviews and Complaints Investigations
17.5
37.8
53.3
69.0
69.0
69.0
Subtotal
17.5
37.8
53.3
69.0
69.0
69.0
Internal Services
11.2
21.7
25.9
31.0
31.0
31.0
Total
28.7
59.5
79.2
100.0
100.0
100.0
Over the course of 2019–20, funding for an additional 26 FTEs was received to account for NSIRA’s expanded mandate. It is expected that NSIRA will be at full capacity by the close of 2021–22 to fulfil its new mandate.
Estimates by vote
Information on NSIRA’s organizational appropriations is available in the 2022–23 Main Estimates.
Condensed future-oriented statement of operations
The future-oriented condensed statement of operations provides an overview of NSIRA’s operations for 2021–22 to 2022–23.
The forecast and planned amounts in this statement of operations were prepared on an accrual basis. The forecast and planned amounts presented in other sections of the Departmental Plan were prepared on an expenditure basis. Amounts may therefore differ.
A more detailed future-oriented statement of operations and associated notes, including a reconciliation of the net cost of operations with the requested authorities, are available on NSIRA’s website.
Future-oriented Condensed statement of operations for the year ending March 31, 2022 (dollars)
Financial information
2021–22 Forecast results
2022–23 Planned results
Difference (2022–23 planned results minus 2021–22 Forecast results)
Total expenses
21,850,048
28,625,397
6,775,349
Total revenues
–
–
–
Net cost of operations before government funding and transfers
21,850,048
28,625,397
6,775,349
The difference between the 2022–23 planned results and 2021–22 forecast results is mostly explained by planned accommodation, infrastructure and systems project costs.
Corporate Information
Organizational profile
Appropriate minister: The Right Honourable Justin Trudeau, Prime Minister of Canada Institutional head: John Davies, Executive Director Ministerial portfolio: Privy Council Office Enabling instrument:National Security and Intelligence Review Agency Act Year of incorporation / commencement: 2019
Raison d’être, mandate and role: who we are and what we do
“Raison d’être, mandate and role: who we are and what we do” is available on NSIRA‘s website.
Operating context
Information on the operating context is available on NSIRA’s website.
Reporting framework
NSIRA’s Departmental Results Framework, with accompanying results and indicators, is under development. Additional information on key performance measures will be included in the 2021- 22 Departmental Plan.
Text version of Figure 2
Core Responsibility: National Security and Intelligence Reviews and Complaints Investigations
Departmental Results Framework
Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable and necessary
Indicator: All mandatory reviews are completed on an annual basis
Internal Services
Indicator: Reviews of national security or intelligence activities of at least five departments or agencies are conducted each year
Indicator: All Member-approved high priority national security or intelligence activities are reviewed over a three-year period
National security-related complaints are independently investigated in a timely manner
Indicator: Percentage of investigations completed within NSIRA service standards
Program Inventory
Program: National security and intelligence activity reviews and complaints investigations
The changeover of the Security Intelligence Review Committee (SIRC) to NSIRA required significant changes to the Departmental Results Framework, expected results and indicators. With NSIRA’s broader mandate, these changes now provide a framework for measuring and reporting on results achieved starting in 2021–22 and beyond.
Changes to the approved reporting framework since 2020-21
Structure
2020-21
2021-22
Change
Reason for change
Total expenses
Investigations of Canadian Security Intelligence Service’s (CSIS’s) operational activities
National Security and Intelligence Reviews and Complaints Investigations
New Core responsibility
New Departmental Results Framework
Programs
Review of CSIS’s operations
National security and intelligence activity reviews and complaints investigations
New Program
New Departmental Results Framework
Investigation of complaints against CSIS
Supporting information on the program inventory
Supporting information on planned expenditures, human resources, and results related to NSIRA’s program inventory is available in the GC InfoBase.
Supplementary information tables
The following supplementary information tables are available on NSIRA‘s website.
Gender-based analysis plus
Federal tax expenditures
NSIRA’s Departmental Plan does not include information on tax expenditures.
Tax expenditures are the responsibility of the Minister of Finance. The Department of Finance Canada publishes cost estimates and projections for government‑wide tax expenditures each year in the Report on Federal Tax Expenditures. This report provides detailed information on tax expenditures, including objectives, historical background and references to related federal spending programs, as well as evaluations, research papers and gender-based analysis plus.
Organizational contact information
National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario K1P 5W5
Any authority of Parliament to pay money out of the Consolidated Revenue Fund.
budgetary expenditures(dépenses budgétaires)
Operating and capital expenditures; transfer payments to other levels of government, organizations or individuals; and payments to Crown corporations.
core responsibility(responsabilité essentielle)
An enduring function or role performed by a department. The intentions of the department with respect to a core responsibility are reflected in one or more related departmental results that the department seeks to contribute to or influence.
Departmental Plan(plan ministériel)
A report on the plans and expected performance of an appropriated department over a 3‑year period. Departmental Plans are usually tabled in Parliament each spring.
departmental priority(priorité)
A plan or project that a department has chosen to focus and report on during the planning period. Priorities represent the things that are most important or what must be done first to support the achievement of the desired departmental results.
departmental result(résultat ministériel)
A consequence or outcome that a department seeks to achieve. A departmental result is often outside departments’ immediate control, but it should be influenced by program-level outcomes.
departmental result indicator (indicateur de résultat ministériel)
A quantitative measure of progress on a departmental result.
departmental results framework(cadre ministériel des résultats)
A framework that connects the department’s core responsibilities to its departmental results and departmental result indicators.
Departmental Results Report(rapport sur les résultats ministériels)
A report on a department’s actual accomplishments against the plans, priorities and expected results set out in the corresponding Departmental Plan.
experimentation(expérimentation)
The conducting of activities that seek to first explore, then test and compare the effects and impacts of policies and interventions in order to inform evidence-based decision-making, and improve outcomes for Canadians, by learning what works, for whom and in what circumstances. Experimentation is related to, but distinct from innovation (the trying of new things), because it involves a rigorous comparison of results. For example, using a new website to communicate with Canadians can be an innovation; systematically testing the new website against existing outreach tools or an old website to see which one leads to more engagement, is experimentation.
full‑time equivalent(équivalent temps plein)
A measure of the extent to which an employee represents a full person‑year charge against a departmental budget. For a particular position, the full‑time equivalent figure is the ratio of number of hours the person actually works divided by the standard number of hours set out in the person’s collective agreement.
gender-based analysis plus (GBA Plus)(analyse comparative entre les sexes plus [ACS Plus])
An analytical process used to assess how diverse groups of women, men and gender-diverse people experience policies, programs and services based on multiple factors including race ethnicity, religion, age, and mental or physical disability.
For the purpose of the 2020–21 Departmental Results Report, those high-level themes outlining the government’s agenda in the 2019 Speech from the Throne, namely: Fighting climate change; Strengthening the Middle Class; Walking the road of reconciliation; Keeping Canadians safe and healthy; and Positioning Canada for success in an uncertain world.
horizontal initiative(initiative horizontale)
An initiative where two or more federal organizations are given funding to pursue a shared outcome, often linked to a government priority.
non‑budgetary expenditures(dépenses non budgétaires)
Net outlays and receipts related to loans, investments and advances, which change the composition of the financial assets of the Government of Canada.
performance (rendement)
What an organization did with its resources to achieve its results, how well those results compare to what the organization intended to achieve, and how well lessons learned have been identified.
performance indicator(indicateur de rendement)
A qualitative or quantitative means of measuring an output or outcome, with the intention of gauging the performance of an organization, program, policy or initiative respecting expected results.
performance reporting(production de rapports sur le rendement)
The process of communicating evidence‑based performance information. Performance reporting supports decision making, accountability and transparency.
plan(plan)
The articulation of strategic choices, which provides information on how an organization intends to achieve its priorities and associated results. Generally, a plan will explain the logic behind the strategies chosen and tend to focus on actions that lead to the expected result.
planned spending(dépenses prévues)
For Departmental Plans and Departmental Results Reports, planned spending refers to those amounts presented in Main Estimates.
A department is expected to be aware of the authorities that it has sought and received. The determination of planned spending is a departmental responsibility, and departments must be able to defend the expenditure and accrual numbers presented in their Departmental Plans and Departmental Results Reports.
program(programme)
Individual or groups of services, activities or combinations thereof that are managed together within the department and focus on a specific set of outputs, outcomes or service levels.
program inventory(répertoire des programmes)
Identifies all the department’s programs and describes how resources are organized to contribute to the department’s core responsibilities and results.
result(résultat)
A consequence attributed, in part, to an organization, policy, program or initiative. Results are not within the control of a single organization, policy, program or initiative; instead they are within the area of the organization’s influence.
statutory expenditures(dépenses législatives)
Expenditures that Parliament has approved through legislation other than appropriation acts. The legislation sets out the purpose of the expenditures and the terms and conditions under which they may be made.
target (cible)
A measurable performance or success level that an organization, program or initiative plans to achieve within a specified time period. Targets can be either quantitative or qualitative.
voted expenditures(dépenses votées)
Expenditures that Parliament approves annually through an appropriation act. The vote wording becomes the governing conditions under which these expenditures may be made.
Statement of Management Responsibility Including Internal Control over Financial Reporting
Responsibility for the integrity and objectivity of the accompanying financial statements for the year ended March 31, 2021, and all information contained in these financial statements rests with the management of the National Security and Intelligence Review Agency (NSIRA). These financial statements have been prepared by management using the Government of Canada’s accounting policies, which are based on Canadian public sector accounting standards.
Management is responsible for the integrity and objectivity of the information in these financial statements. Some of the information in the financial statements is based on management’s best estimates and judgment, and gives due consideration to materiality. To fulfill its accounting and reporting responsibilities, management maintains a set of accounts that provides a centralized record of NSIRA’s financial transactions. Financial information submitted in the preparation of the Public Accounts of Canada, and included in NSIRA’s Departmental Results Report, is consistent with these financial statements.
Management is also responsible for maintaining an effective system of internal control over financial reporting (ICFR) designed to provide reasonable assurance that financial information is reliable, that assets are safeguarded and that transactions are properly authorized and recorded in accordance with the Financial Administration Act and other applicable legislation, regulations, authorities and policies.
Management seeks to ensure the objectivity and integrity of data in its financial statements through careful selection, training and development of qualified staff; through organizational arrangements that provide appropriate divisions of responsibility; through communication programs aimed at ensuring that regulations, policies, standards, and managerial authorities are understood throughout the NSIRA and through conducting an annual risk-based assessment of the effectiveness of the system of ICFR.
The system of ICFR is designed to mitigate risks to a reasonable level based on an ongoing process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.
A risk-based assessment of the system of ICFR for the year ended March 31, 2021 was completed in accordance with the Treasury Board Policy on Financial Management and the results and action plans are summarized in the Annex.
The financial statements of the National Security Intelligence Review Agency have not been audited.
John Davies Deputy Head
Pierre Souligny Chief Financial Officer
Ottawa, Canada December 10, 2021
Statement of Financial Position (Unaudited)
As of March 31(in thousands of dollars)
2021
For the Period July 12, 2019 through March 31, 2020
Statement of Change in Departmental Net Debt (Unaudited)
For the Year Ended March 31(in thousands of dollars)
2021
For the period July 12, 2019 through March 31, 2020
Net cost of operations after government funding and transfers
(1,096)
(673)
Change due to tangible capital assets
Acquisition of tangible capital assets
1,353
14
Amortization of tangible capital assets
(171)
–
Transfer of tangible capital asset to/from other government department
–
953
Total change due to tangible capital assets
1,182
967
Change due to prepaid expenses
(17)
109
Net increase (decrease) in departmental net debt
69
403
Departmental net debt – Beginning of year
403
–
Departmental net debt – End of year
472
403
The accompanying notes form an integral part of these financial statements.
Statement of Cash Flows (Unaudited)
For the Year Ended March 31 (in thousands of dollars)
2021
For the Period July 12, 2019 through March 31, 2020
Operating activities
Net cost of operations before government funding and transfers
11,662
6,330
Non-cash items:
Amortization of tangible capital assets
(171)
–
Transfer of tangible capital assets to/from other government department
–
953
Services provided without charge by other government departments (Note 9a)
(1,007)
(611)
Transfer of overpayments
60
–
Variations in Statement of Financial Position:
Increase (decrease) in accounts receivable and advances
542
90
Increase (decrease) in prepaid expenses
(17)
109
Decrease (increase) in accounts payable and accrued liabilities
41
(1,560)
Decrease (increase) in vacation pay and compensatory leave
108
(323)
Decrease (increase) in future employee benefits
(170)
(146)
Transfer of liabilities to other government departments
–
(937)
Cash used in operating activities
11,048
3,905
Capital ingesting activities
Acquisitions of tangible capital assets (Note 8)
1,353
14
Cash used in capital investing activities
1,353
14
Net cash provided by Government of Canada
12,401
3,919
The accompanying notes form an integral part of these financial statements.
Notes to the Financial Statements (Unaudited)
1. Authority and objectives
On July 12, 2019 Bill C-59 enacted the National Security and Intelligence Review Agency Act (NSIRA Act), and repealed the provisions of the Canadian Security Intelligence Service Act (CSIS Act) which governed the activities of Security Intelligence Review Committee (SIRC). The National Security Intelligence Review Agency (NSIRA) has a statutory mandate to review the activities of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies. To fulfill its review mandate, NSIRA has unfettered access to classified information other than Cabinet confidences. In addition, NSIRA inherited the complaints investigation functions of the SIRC, which was responsible for hearing complaints from members of the public regarding the actions of CSIS, as well as those related to the revocation or denial of security clearances. Going forward, it will also hear complaints regarding the CSE, as well as national security-related complaints regarding the Royal Canadian Mounted Police (RCMP).
To achieve its strategic outcome and deliver results for Canadians, NSIRA articulates its plans and priorities based on the core responsibility and program inventory included below:
Assist the NSIRA
Support the Conduct of Reviews and Investigations, and the Development of Reports
The secretariat will assist NSIRA members in fulfilling the agency’s mandate. The Secretariat will conduct a range of activities to support the agency, including accessing relevant information and providing strategic and expert advice in the conduct of reviews, quasi-judicial investigation of complaints and the development of reports. It will also provide administrative support in arranging for briefings, hearings and consultations with stakeholders and international counterparts, and support to ensure compliance with security requirements.
Internal Services
Internal support services are groups of related activities and resources that are administered to support the needs of programs and other corporate obligations of an organization. These groups are: Management and Oversight Services; Communications Services; Legal Services; Human Resources Management Services; Financial Management Services; Information Management Services; Information Technology Services; Real Property Services; Materiel Services; Acquisition Services; and Other Administrative Services. Internal Services include only those activities and resources that apply across an organization and not to those provided specifically to a program.
2. Comparative Information
The comparative information (2019-20) included in these financial statements represent the partial year results of operations for the period July 12, 2019 through March 31, 2021, and the financial position of the NSIRA as at March 31, 2020, including all transferred assets and liabilities.
3. Summary of significant accounting policies
These financial statements are prepared using NSIRA’s accounting policies stated below, which are based on Canadian public sector accounting standards. The presentation and results using the stated accounting policies do not result in any significant differences from Canadian public sector accounting standards.
Significant accounting policies are as follows:
(a) Parliamentary authorities
NSIRA is financed by the Government of Canada through Parliamentary authorities. Financial reporting of authorities provided to NSIRA do not parallel financial reporting according to generally accepted accounting principles since authorities are primarily based on cash flow requirements. Consequently, items recognized in the Statement of Operations and Departmental Net Financial Position and in the Statement of Financial Position are not necessarily the same as those provided through authorities from Parliament. Note 4 provides a reconciliation between the bases of reporting. The planned results amounts in the ”Expenses” and ”Revenues” sections of the Statement of Operations and Departmental Net Financial Position are the amounts reported in the Future-Oriented Statement of Operations included in the 2020-2021 Departmental Plan. The planned results amounts in the “Government funding and transfers” section of the Statement of Operations and Departmental Net Financial Position and in the Statement of Change in Departmental Net Debt were prepared for internal management purposes and have not been previously published.
(b) Net cash provided by Government of Canada
NSIRA operates within the Consolidated Revenue Fund (CRF), which is administered by the Receiver General for Canada. All cash received by NSIRA is deposited to the CRF, and all cash disbursements made by NSIRA are paid from the CRF. The net cash provided by Government is the difference between all cash receipts and all cash disbursements, including transactions between departments of the Government.
(c) Amounts due from or to the CRF
Amounts due from or to the CRF are the result of timing differences at year-end between when a transaction affects authorities and when it is processed through the CRF. Amounts due from the CRF represent the net amount of cash that NSIRA is entitled to draw from the CRF without further authorities to discharge its liabilities.
(d) Expenses
Vacation pay and compensatory leave are accrued as the benefits are earned by employees under their respective terms of employment.
Services provided without charge by other government departments for accommodation, employer contributions to the health and dental insurance plans and workers’ compensation are recorded as operating expenses at their carrying value.
(e) Employee future benefits
Pension benefits: Eligible employees participate in the Public Service Pension Plan, a pension plan administered by the Government. NSIRA’s contributions to the Plan are charged to expenses in the year incurred and represent the total departmental obligation to the Plan. NSIRA’s responsibility with regard to the Plan is limited to its contributions. Actuarial surpluses or deficiencies are recognized in the financial statements of the Government of Canada, as the Plan’s sponsor.
Severance benefits: The accumulation of severance benefits for voluntary departures ceased for applicable employee groups. The remaining obligation for employees who did not withdraw benefits is calculated using information derived from the results of the actuarially determined liability for employee severance benefits for the Government as a whole.
(f) Accounts receivable
Accounts receivable are initially recorded at cost and when necessary, an allowance for valuation is recorded to reduce the carrying value of accounts receivable to amounts that approximate their net recoverable value.
(g) Non-financial assets
All tangible capital assets having an initial cost of $5,000 or more are recorded at their acquisition cost. Tangible capital assets do not include immovable assets located on reserves as defined in the Indian Act, works of art, museum collection and Crown land to which no acquisition cost is attributable; and intangible assets.
Inventories are valued at cost and are comprised of spare parts and supplies held for future program delivery and are not primarily intended for resale. Inventories that no longer have service potential are valued at the lower of cost or net realizable value.
(h) Measurement uncertainty
The preparation of these financial statements requires management to make estimates and assumptions that affect the reported and disclosed amounts of assets, liabilities, revenues and expenses reported in the financial statements and accompanying notes at March 31. The estimates are based on facts and circumstances, historical experience, general economic conditions and reflect the Government’s best estimate of the related amount at the end of the reporting period. The most significant items where estimates are used are contingent liabilities, the liability for employee future benefits and the useful life of tangible capital assets. Actual results could significantly differ from those estimated. Management’s estimates are reviewed periodically and, as adjustments become necessary, they are recorded in the financial statements in the year they become known.
4. Parliamentary authorities
NSIRA receives most of its funding through annual Parliamentary authorities. Items recognized in the Statement of Operations and Departmental Net Financial Position and the Statement of Financial Position in one year may be funded through Parliamentary authorities in prior, current or future years. Accordingly, NSIRA has different net results of operations for the year on a government funding basis than on an accrual accounting basis. The differences are reconciled in the following tables:
(a) Reconciliation of net cost of operations to current year authorities used
(in thousands of dollars)
2021
For the Period July 12, 2019 to March 31, 2020
Net cost of operations before government funding and transfers
11,662
6,330
Adjustments for items affecting net cost of operations but not affecting authorities:
Amortization of tangible capital assets
(171)
–
Services provided without charge by other government departments
(1,007)
(611)
Increase / (decrease) in vacation pay and compensatory leave
(108)
(76)
Increase / (decrease) in employee future benefits
(170)
(72)
Refund of prior years’ expenditures
481
(1)
Total items affecting net cost of operations but not affecting authorities
(759)
(760)
Adjustments for items not affecting net cost of operations but affecting authorities
Acquisition of tangible capital assets
1,353
14
Amortization of tangible capital assets
(17)
28
Accounts receivable and advances
12
13
Total items not affecting net cost of operations but affecting authorities
1,348
55
Current year authorities used
12,251
5,625
(b) Authorities provided and used
(in thousands of dollars)
2021
For the Period July 12, 2019 to March 31, 2020
Authorities provided:
Vote 1 – Operating expenditures
22,592
22,468
Statutory amounts
962
371
Less:
Lapsed: Operating
(11,303)
(17,214)
Current year authorities used
12,251
5,625
5. Accounts payable and accrued liabilities
The following table presents details of NSIRA’s accounts payable and accrued liabilities.
2021
For the Period July 12, 2019 to March 31, 2020
Authorities provided:
Accounts payable – Other government departments and agencies
444
306
Accounts payable – External parties
1,075
(8)
Accounts payable and accrued liabilities transferred in from other government department
–
1,262
Total accounts payable
1,519
1,560
Total accounts payable and accrued liabilities
1,519
1,560
6. Employee future benefits
(a) Pension benefits
NSIRA’s employees participate in the Public Service Pension Plan (the ”Plan”), which is sponsored and administered by the Government of Canada. Pension benefits accrue up to a maximum period of 35 years at a rate of two percent per year of pensionable service, times the average of the best five consecutive years of earnings. The benefits are integrated with Canada/Québec Pension Plan benefits and they are indexed to inflation.
Both the employees and the Agency contribute to the cost of the Plan. Due to the amendment of the Public Service Superannuation Act following the implementation of provisions related to Economic Action Plan 2012, employee contributors have been divided into two groups – Group 1 related to existing plan members as of December 31, 2012 and Group 2 relates to members joining the Plan as of January 1, 2013. Each group has a distinct contribution rate.
The 2020-21 expense amounts to $877,610 ($325,594 in 2019-20). For Group 1 members, the expense represents approximately 1.01 times (1.01 times in 2019-20) the employee contributions and, for Group 2 members, approximately 1.00 times (1.00 times in 2019-20) the employee contributions.
NSIRA’s responsibility with regard to the Plan is limited to its contributions. Actuarial surpluses or deficiencies are recognized in the Consolidated Financial Statements of the Government of Canada, as the Plan’s sponsor.
(b) Severance benefits
Severance benefits provided to NSIRA’s employees were previously based on an employee’s eligibility, years of service and salary at termination of employment. However, since 2011 the accumulation of severance benefits for voluntary departures progressively ceased for substantially all employees. Employees subject to these changes were given the option to be paid the full or partial value of benefits earned to date or collect the full or remaining value of benefits upon departure from the public service. By March 31, 2018, substantially all settlements for immediate cash out were completed. Severance benefits are unfunded and, consequently, the outstanding obligation will be paid from future authorities.
The changes in the obligations during the year were as follows:
(in thousands of dollars)
2021
For the Period July 12, 2019 to March 31, 2020
Accrued benefit obligation – Beginning of year
146
–
Accrued benefit obligation transferred in from other government department
–
74
Expense for the year
170
72
Accrued benefit obligation – End of year
316
146
7. Accounts receivable and advances
The following table presents details of NSIRA’s accounts receivable and advances balances:
2021
For the Period July 12, 2019 to March 31, 2020
Receivables – Other government departments and agencies
581
(21)
Receivables – External parties
51
11
Employee advances
–
2
Accounts receivable and advances transferred in from other government department
–
98
Net accounts receivable
632
90
8. Tangible capital assets
Amortization of tangible capital assets is done on a straight-line basis over the estimated useful life of the asset as follows:
Asset Class
Amortization Period
Informatics hardware
3 to 10 years
Other equipment
3 to 30 years
(in thousands of dollars)
Cost
Accumulated Amortization
Net Book Value
Capital Asset Class
Opening Balance
Acquisitions
Adjustments (1)
Disposal and Write- Offs
Closing Balance
Opening Balance
Amortization
Adjustments (1)
Disposals and Write- Offs
Closing Balance
2021
For the period July 12, 2019 to March 31, 2020
Informatics hardware
279
–
–
–
279
120
69
–
–
189
90
159
Other equipment
1,012
84
–
–
1,096
205
102
–
–
307
789
808
Assets under construction
–
1,269
1
–
1,270
–
–
–
–
–
1,270
–
Total
1,291
1,353
1
–
2,645
325
171
–
–
496
2,149
967
9. Contractual obligations
The nature of NSIRA’s activities may result in some large multi-year contracts and obligations whereby NSIRA will be obligated to make future payments in order to carry out its programs or when the services/goods are received. Significant contractual obligations that can be reasonably estimated are summarized as follows:
2022
2023
2024
2025
2026
2027 and subsequent
Total
Professional and special services
1,019
462
–
–
–
–
1,481
Information
88
–
–
–
–
–
88
Repair and maintenance
6,195
–
–
–
–
–
6,195
Rental
117
–
–
–
–
–
117
Transportation and communications
111
–
–
–
–
–
111
Aquisition of machinery and equipment
376
–
–
–
–
–
376
Total
7,906
462
–
–
–
–
8,368
10. Related party transactions
NSIRA is related as a result of common ownership to all government departments, agencies, and Crown Corporations. Related parties also include individuals who are members of key management personnel or close family members of those individuals, and entities controlled by, or under shared control of, a member of key management personnel or a close family member of that individual. NSIRA enters into transactions with these entities in the normal course of business and on normal trade terms.
During the year, NSIRA received common services which were obtained without charge from other government departments as disclosed below.
(a) Common services provided without charge by other government departments
During the year, NSIRA received services without charge from certain common service organizations, related to accommodation, the employer’s contribution to the health and dental insurance plans and workers’ compensation coverage. These services provided without charge have been recorded at the carrying value in NSIRA’s Statement of Operations and Departmental Net Financial Position as follows:
(in thousands of dollars)
2021
For the Period July 12, 2019 t0 March 31, 2020
Accommodation
451
316
Employer’s contribution to the health and dental insurance plans
556
295
Total
1,007
611
The Government has centralized some of its administrative activities for efficiency, cost-effectiveness purposes and economic delivery of programs to the public. As a result, the Government uses central agencies and common service organizations so that one department performs services for all other departments and agencies without charge. The costs of these services, such as the payroll and cheque issuance services provided by Public Services and Procurement Canada are not included in NSIRA’s Statement of Operations and Departmental Net Financial Position. The costs of information technology infrastructure services provided by Shared Services Canada, following the transfer of responsibilities in November 2011 are also not included in NSIRA’s Statement of Operations and Departmental Net Financial Position.
(b) Other transactions with other government departments and agencies
2021
For the Period July 12, 2019 to March 31, 2020
Expenses
5,595
2,325
11. Segmented information
Presentation by segment is based on NSIRA’s Departmental Results Framework. The presentation by segment is based on the same accounting policies as described in the Summary of significant accounting policies in note 3. The following table presents the expenses incurred and revenues generated for the main program alignments, by major object of expense and by major type of revenue. The segment results for the period are as follows:
Assist the NSIRA
Internal Services
2021
For the period July 12, 2019 to March 31, 2020
Expenses
Salaries and employee benefits
5,380
2,614
7,994
3,996
Professional and special services
302
1,543
1,845
1,361
Accommodation
–
451
451
316
Transportation and communications
15
73
88
225
Information
109
82
192
78
Acquisition of machinery and equipment
–
694
694
73
Repair and maintenance
(49)
1,307
1,258
115
Amortization of tangible capital assets
–
171
171
–
Rental
–
152
152
51
Utilities, materials and supplies
2
6
8
40
Other
10
(1,201)
(1,191)
75
Total expenses
5,769
5,893
11,662
6,330
Net cost from continuing operations
5,769
5,893
11,662
6,330
Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting for Fiscal Year 2021-22 (unaudited)
1. Introduction
This document provides summary information on measures taken by the National Security Intelligence Review Agency (NSIRA) to maintain an effective system of internal control over financial reporting (ICFR) including information on internal control management, assessment results and related action plans.
2. Departmental system of internal control over financial reporting
2.1 Internal Control Management
NSIRA recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective financial systems of ICFR and are well equipped to exercise these responsibilities effectively. NSIRA’s financial transactions can be processed within the financial system by both NSIRA and the Privy Council Office (PCO), in accordance with a Memorandum of Understanding (MOU), and are subject to the same control framework and monitoring activities undertaken at PCO.
NSIRA relies on PCO control measures to a large extent, but also recognizes the importance of ensuring that it implements its own complementary measures. To this end, NSIRA ensures that all managers with financial delegation have completed the appropriate training course prior to exercising their delegation. NSIRA has implemented a rigourous governance and accountability structure to support the oversight of its system of internal control, which includes:
Values and ethics framework;
Organizational accountability structures as they relate to internal control management to support sound financial management including roles and responsibilities for senior managers in their areas of responsibility;
Evidence of effective planning and reporting activities which includes multiple financial reviews and regular financial reporting to all managers including senior management;
Integrated risk management and on-going quality assurance and monitoring activities;
On-going communication and training on statutory requirements, policies, and procedures for sound financial management and control; and
Monitoring and regular updates as needed on internal control management plus assessment results and action.
2.2 Service Arrangements relevant to financial statements
NSIRA relies on other organizations for the processing of certain transactions that are recorded in its financial statements, and relies on these service providers to ensure an adequate system of ICFR is maintained over services provided to NSIRA.
Common Arrangements:
Public Services and Procurement Canada, which administers the payment of salaries and the procurement of goods and services, and provides accommodation services
Shared Services Canada, which provides IT infrastructure services
Treasury Board of Canada Secretariat, which provides information on public service insurance and centrally administers payment of the employer’s share of contributions toward statutory employee benefit plans
Specific Arrangements:
As aforementioned, NSIRA’s financial transactions are processed within the financial system by both NSIRA and the Privy Council Office (PCO), in accordance with a Memorandum of Understanding (MOU), and are subject to the same control framework and monitoring activities undertaken at PCO.
3. Departmental assessments results during fiscal year 2021-22
Progress during the 2021-22 fiscal year
NSIRA’s management team has maintained a financial system and an internal control mechanism that ensures that financial information is understandable, relevant, reliable and comparable in concert with the Privy Council Office’s support as per our MOU. Progress is disclosed in the Annex of PCO’s Statement of Management Responsibility.
New or significantly amended key controls
NSIRA relies on the system of internal control implemented at PCO for the above noted business processes. New or significantly modified internal controls are disclosed in the Annex of PCO’s statement of management responsibility.
On-going monitoring program
NSIRA’s monitoring program for the above noted business processes leverages PCO’s rotational on-going monitoring plan disclosed in the Annex of PCO’s statement of management responsibility.
4. Departmental action plan
4.1 Progress during fiscal year 2020-21
We understand our responsibility in terms of appropriate financial comptrollership and communication with the public, and we will continue to ensure that financial controls and a rigorous reporting process continue to be in place going forward. Action plans are disclosed in the Annex of PCO’s Statement of Management Responsibility.
The National Security and Intelligence Review Agency (NSIRA) is pleased to submit to Parliament its annual report on the administration of the Access to Information Act (ATIA) for the fiscal year commencing April 1, 2020, and ending March 31, 2021. This annual report is presented in accordance with section 94 of the ATIA, whose purpose is to provide the right of access to records under the control of government institutions.
NSIRA is an independent and external review body that reports to Parliament on its operations under the National Security and Intelligence Review Agency Act (NSIRA Act). NSIRA reviews all Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also investigates public complaints regarding key national security agencies and activities.
Review mandate
NSIRA has a statutory mandate to review activities of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies. This includes, but is not limited to, the national security and intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency, the Department of National Defence, Global Affairs Canada and the federal Department of Justice.
To fulfil its mandate, NSIRA has unfettered access to classified information. This includes any and all information held by, or under the control of, departments and agencies, including information subject to legal privilege. NSIRA independently determines which information is relevant to the conduct of its reviews. The sole exception to NSIRA’s right to access is information considered a Cabinet confidence.
In carrying out reviews, NSIRA may make any findings and recommendations it considers appropriate. In accordance with the NSIRA Act, however, it will pay particular attention to whether government activities are lawful and comply with ministerial direction and whether the activities are reasonable and necessary.
Complaints mandate
Some of the activities under NSIRA’s complaints mandate are the complaints investigation functions inherited from the Security Intelligence Review Committee (SIRC). SIRC was responsible for hearing public complaints regarding the actions of CSIS. SIRC was also responsible for complaints related to the Government of Canada security clearance process, as well as specific matters and reports referred to under the Citizenship Act and the Canadian Human Rights Act.
In addition to these SIRC-related activities, NSIRA investigates complaints against CSE, as well as complaints against the RCMP that are referred by the Civilian Review and Complaints Commission (CRCC). The CRCC will continue to review all other activities of the RCMP.
Organizational structure
The responsibility for the administration of the ATIA is delegated to NSIRA’s Executive Director and further subdelegated to the Access to Information and Privacy (ATIP) Coordinator, as set out in the ATIA Designation Order in Appendix A.
The person holding the position or acting in the position of Executive Director has full delegation to exercise or perform any of the powers, duties and functions under the ATIA.
The ATIP Coordinator operates under a restricted delegation. The ATIP Coordinator works with the Executive Director’s Office, Legal Services and the Review Directorate to meet requirements of the ATIP program.
The ATIP Coordinator is a member of the Corporate Services Directorate and trained in ATIP legislation and review.
Delegation Order
Pursuant to subsection 95(1) of the ATIA, the Executive Director of NSIRA has the duty to exercise full authorities under the ATIA legislation and regulations.
The Executive Director also designated the person holding the position or acting in the position of the ATIP Coordinator with delegation of specific sections and subsections (see Appendix A).
Highlights of the 2020-21 statistical report
This report is an accounting of NSIRA’s activities related to the administration of the ATIA in the 2020–21 fiscal year. NSIRA’s 2020-21 statistical report on the ATIA, from which the data in this report is derived, is provided in Appendix B.
Access to information requests
NSIRA received one new request under the ATIA during this reporting period; it was abandoned within 30 days. One request was carried over from the previous year; it was not closed during this reporting period because NSIRA needed to conduct external consultations.
Consultation requests
NSIRA received seven consultation requests in addition to three carried over from the previous reporting period. All 10 consultations were closed during the reporting period for a total of 373 pages reviewed. No consultations were carried over to the next reporting period.
As shown in the graphic below, 80% of the NSIRA’s consultations were closed within four months, with the remaining 20% closed within six months. Whenever NSIRA receives a consultation request, it often has to make its own consultation requests to the departments and agencies it reviews prior to delivering a decision on disclosing the information
Pandemic impacts
In March 2020, NSIRA implemented exceptional workplace measures to curb the spread of COVID-19 and to protect federal employees and the public. These measures have limited NSIRA’s access to a secure office space, as well as access to the facilities and information of the departments and agencies it reviews.
Training and awareness
During the reporting period, one employee participated in a specialized training session concerning responsibilities relating to access to information and privacy. Guidance to employees and managers on access to information matters was provided on an ad hoc basis (e.g., in person, by email and through NSIRA’s electronic newsletter).
Access to information policies, guidelines, procedures and initiatives
During the reporting period, NSIRA did not implement any new institution-specific policies, guidelines, procedures or initiatives related to access to information. However, management is committed to implementing the procedures and guidelines to ensure employees are aware of their responsibilities with respect to ATI requests and to support NSIRA’s compliance with the requirements of the ATIA.
Complaints and investigations
Over the period covered by this report, the Information Commissioner of Canada did not receive any complaints against NSIRA under the ATIA, nor did the Information Commissioner undertake any ATIA-related audit or investigation of NSIRA.
Monitoring processing time
Request processing times are monitored through the Access Pro software dashboard. The ATIP Coordinator notifies the Executive Director and suggests a course of action should any legislative timelines for responding to an ATIA request appear to be at risk.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2020–21 Statistical Report on the Access to Information Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2019-04-01 – 2020-03-31
Section 1: Request Under the Access to Information Act
1.1 Number of Requests
Number of Requests
Received during reporting period
1
Outstanding from previous reporting period
1
Total
2
Closed during reporting period
1
Carried over to next reporting period
1
1.2 Sources of requests
Source
Number of Requests
Media
0
Academia
0
Business (private sector)
0
Organization
0
Public
1
Decline to Identify
0
Total
1
1.3 Informal requests
Completion Time
1 to 15 days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More than 365 Days
Total
0
0
0
0
0
0
0
0
Section 2: Decline to act vexatious, made in bad faith or abuse of right requests
Number of Requests
Outstanding from previous reporting period
0
Sent during reporting period
0
Total
0
Approved by the Information Commissioner during reporting period
0
Declined by the Information Commissioner during reporting period
0
Carried over to next reporting period
0
Section 3: Requests Closed During the Reporting Period
3.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
0
0
0
0
0
0
0
0
Request transferred
0
0
0
0
0
0
0
0
Request abandoned
0
1
0
0
0
0
0
1
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Decline to act with the approval of the Information Commisioner
0
0
0
0
0
0
0
0
Total
0
1
0
0
0
0
0
1
3.2 Exemptions
Section
Numbers of Requests
13(1)(a)
0
13(1)(b)
0
13(1)(c)
0
13(1)(d)
0
13(1)(e)
0
14
0
14(a)
0
14(b)
0
15(1) – I. A. *
0
15(1) – Def. *
0
15(1) – S.A. *
0
16(1)(a)(i)
0
16(1)(a)(ii)
0
16(1)(a)(iii)
0
16(1)(b)
0
16(1)(c)
0
16(1)(d)
0
16(2)
0
16(2)(a)
0
16(2)(b)
0
16(2)(c)
0
16(3)
0
16.1(1)(a)
0
16.1(1)(b)
0
16.1(1)(c)
0
16.1(1)(d)
0
16.2(1)
0
16.3
0
16.31
0
16.4(1)(a)
0
16.4(1)(b)
0
16.5
0
16.6
0
17
0
18(a)
0
18(b)
0
18(c)
0
18(d)
0
18.1(1)(a)
0
18.1(1)(b)
0
18.1(1)(c)
0
18.1(1)(d)
0
19(1)
0
20(1)(a)
0
20(1)(b)
0
20(1)(b.1)
0
20(1)(c)
0
20(1)(d)
0
20.1
0
20.2
0
20.4
0
21(1)(a)
0
21(1)(b)
0
21(1)(c)
0
21(1)(d)
0
22
0
22.1(1)
0
23
0
23.1
0
24(1)
0
26
0
* I.A.: International Affairs * Def.: Defence of Canada * S.A.: Subversive Activities
3.3 Exclusions
Section
Numbers of Requests
68(a)
0
68(b)
0
68(c)
0
68.1
0
68.2(a)
0
68.2(b)
0
69(1)
0
69(1)(a)
0
69(1)(b)
0
69(1)(c)
0
69(1)(d)
0
69(1)(e)
0
69(1)(f)
0
69(1)(g) re (a)
0
69(1)(g) re (b)
0
69(1)(g) re (c)
0
69(1)(g) re (d)
0
69(1)(g) re (e)
0
69(1)(g) re (f)
0
69.1(1)
0
3.4 Format of information released
Paper
Electronic
Other
0
0
0
3.5 Complexity
3.5.1 Relevant pages processed and disclosed
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
0
0
0
3.5.2 Relevant pages processed per request disposition by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
0
0
0
0
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
1
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Declined to act with the approval of the information Commissioner
0
0
0
0
0
0
0
0
0
0
Total
1
0
0
0
0
0
0
0
0
0
3.5.3 Other complexities
Disposition
Consultation Required
Assessment of Fees
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
0
Disclosed in part
0
0
0
0
0
All exempted
0
0
0
0
0
All excluded
0
0
0
0
0
Request abandoned
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
0
Total
0
0
0
0
0
3.6 Closed requests
3.6.1 Number of requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
1
Percentage of requests closed within legislated timelines (%)
100
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
0
0
0
0
0
3.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
0
0
16 to 30 Days
0
0
0
31 to 60 Days
0
0
0
61 to 120 Days
0
0
0
121 to 180 Days
0
0
0
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
0
0
0
3.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 4: Extensions
4.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
All disclosed
0
0
0
0
Disclosed in part
0
0
0
0
All exempted
0
0
0
0
All excluded
0
0
0
0
No records exist
0
0
0
0
Request abandoned
0
0
0
0
Declined to act with the approval of the Information Commissioner
0
0
0
0
Total
0
0
0
0
4.2 Length of extensions
Length of Extensions
9(1)(a) Interference With Operations/Workload
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
30 days or less
0
0
0
0
31 to 60 days
0
0
0
0
61 to 120 days
0
0
0
0
121 to 180 days
0
0
0
0
181 to 365 days
0
0
0
0
365 days or more
0
0
0
0
Total
0
0
0
0
Section 5: Fees
Fee Type
Fee Collected
Fee Waived or Refunded
Requests
Amount
Requests
Amount
Application
0
$0.00
1
$5.00
Other fees
0
$0.00
0
$0.00
Total
0
$0.00
1
$5.00
Section 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions and other organizations
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
7
129
0
0
Outstanding from the previous reporting period
3
244
0
0
Total
10
373
0
0
Closed during the reporting period
10
373
0
0
Carried over to next reporting period
0
0
0
0
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
1
1
1
0
1
0
0
4
Disclose in part
0
3
0
1
1
0
0
5
Exempt entirely
0
1
0
0
0
0
0
1
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
1
5
1
1
2
0
0
10
6.3 Recommendations and completion time for consultations received from other organizations
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
Disclose entirely
0
0
0
0
0
0
0
0
Disclose in part
0
0
0
0
0
0
0
0
Exempt entirely
0
0
0
0
0
0
0
0
Exclude entirely
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
7.2 Requests with Privy Council Office
Number of Days
Fewer Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
More than 365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 8: Complaints and investigations
Section 32 Notice of intention to investigate
Subsection 30(5) Ceased to investigate
Section 35 Formal Representations
Section 37 Reports of finding received
Section 37 Reports of finding containing recommendations issued by the Information Commissioner
Section 37 Reports of finding containing orders issued by the Information Commissioner
0
0
0
0
0
0
Section 9: Court Action
9.1 Court actions on complaints received before June 21, 2019 and on-going
Section 41 (before June 21, 2019)
Section 42
Section 44
0
0
0
9.2 Court actions on complaints received after June 21, 2019
Section 41 (after June 21, 2019)
Complainant (1)
Institution (2)
Third Party (3)
Privacy Commissioner (4)
Total
0
0
0
0
0
Section 10: Resources Related to the Access to Information Act
10.1 Costs
Expenditures
Amount
Salaries
$56,192
Overtime
$0
Goods and Services
$0
Professional services contracts
$0
Other
$0
Total
$56,192
10.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
The National Security and Intelligence Review Agency (NSIRA) is pleased to submit to Parliament its annual report on the administration of the Privacy Act for the fiscal year commencing April 1, 2020, and ending March 31, 2021. This annual report is presented in accordance with section 72 of the Privacy Act, whose purpose is to protect the privacy of individuals with respect to the personal information held by a government institution and to provide a right of access to that information.
NSIRA is an independent and external review body that reports to Parliament on its operations under the National Security and Intelligence Review Agency Act (NSIRA Act). NSIRA reviews all Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also investigates public complaints regarding key national security agencies and activities.
Review mandate
NSIRA has a statutory mandate to review activities of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies. This includes, but is not limited to, the national security and intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency, the Department of National Defence, Global Affairs Canada, and the federal Department of Justice.
To fulfil its mandate, NSIRA has unfettered access to classified information. This includes any and all information held by, or under the control of, departments and agencies, including information subject to legal privilege. NSIRA independently determines which information is relevant to the conduct of its reviews. The sole exception to NSIRA’s right to access information is when the information is considered a Cabinet confidence.
In carrying out reviews, NSIRA may make any findings and recommendations it considers appropriate. In accordance with the NSIRA Act, however, it will pay particular attention to whether government activities are lawful and comply with ministerial direction, and to whether the activities are reasonable and necessary.
Complaints mandate
Some of the activities under NSIRA’s complaints mandate are the complaints investigation functions inherited from the Security Intelligence Review Committee (SIRC). SIRC was responsible for hearing public complaints regarding the actions of CSIS. SIRC was also responsible for complaints related to the Government of Canada security clearance process, as well as specific matters and reports referred to under the Citizenship Act and the Canadian Human Rights Act.
In addition to these SIRC-related activities, NSIRA investigates complaints against CSE, as well as complaints against the RCMP that are referred by the Civilian Review and Complaints Commission (CRCC). The CRCC will continue to review all other activities of the RCMP.
Organization Structure
The responsibility for the administration of the Privacy Act is delegated to NSIRA’s Executive Director and further subdelegated to the Access to Information and Privacy (ATIP) Coordinator, as set out in the Privacy Act Designation Order in Appendix A.
The person holding the position or acting in the position of Executive Director has full delegation to exercise or perform any of the powers, duties and functions under the Privacy Act. The ATIP Coordinator operates under a restricted delegation.
The ATIP Coordinator works with the Executive Director’s Office, Legal Services and the Review Directorate to meet requirements of the ATIP program.
The ATIP Coordinator is a member of the Corporate Services Directorate and trained in ATIP legislation and review.
Delegation Order
Pursuant to subsection 73 of the Privacy Act, the Executive Director of NSIRA has the duty to exercise full authorities under the Privacy Act legislation and regulations.
The Executive Director also designated the person holding the position or acting in the position of the ATIP Coordinator with delegation of specific sections and subsections (see Appendix A).
Highlights of the 2020-21 statistical report
This report is an accounting of NSIRA’s activities related to the administration of the Privacy Act in the 2020–21 fiscal year. NSIRA’s 2020-21 statistical report on the Privacy Act, from which the data in this report is derived, is provided in Appendix B.
Privacy Act requests
NSIRA received four new requests under the Privacy Act during the reporting period. Of those requests, three were closed within 30 days and one was closed between 61 and 120 days, representing 75% closed within legislated timelines. The request that needed an extension required NSIRA to consult with another Government of Canada department.
The following table shows that 100% of requests under the Privacy Act, where records existed, were disclosed in part.
Consultation requests
NSIRA did not received any requests for consultation under the Privacy Act during the reporting period.
Pandemic impacts
In March 2020, NSIRA implemented exceptional workplace measures to curb the spread of COVID-19 and to protect federal employees and the public. These measures have limited NSIRA’s access to a secure office space, as well as access to the facilities and information of the departments and agencies it reviews, delaying the completion of one Privacy Act request.
Training and awareness
During the reporting period, one employee participated in a specialized training session concerning responsibilities relating to access to information and privacy. Guidance to employees and managers on access to information matters was provided on an ad hoc basis (e.g., in person, by email and through NSIRA’s electronic newsletter).
Privacy policies, guidelines, procedures and initiatives
During the reporting period, NSIRA did not implement any new institution-specific policies, guidelines, procedures or initiatives related to the Privacy Act requirements. However, management is committed to implementing a policy, procedures and guidelines to support NSIRA and its employees in meeting their Privacy obligations.
Complaints and investigations
Over the period covered by this report, the Privacy Commissioner of Canada did not receive any complaints against NSIRA under the Privacy Act, nor did the Privacy Commissioner undertake any audit or investigation of NSIRA.
Monitoring processing time
Request processing time is monitored through the Access Pro software dashboard. The ATIP Coordinator notifies the Executive Director and suggests a course of action should any legislative timelines for responding to a Privacy Act request appear to be at risk.
Material Privacy Breaches
In March 2021, NSIRA was the victim of a cyber attack on its public-facing network. The resulting network breach was reported to the Office of the Privacy Commissioner (OPC) and the Treasury Board Secretariat (TBS). Consistent with the Privacy Act, TBS requirements and advice from the OPC, the affected individuals were notified of the breach and how it could affect them.
Privacy Impact Assessments
Over the fiscal year, NSIRA continued to work toward completing a privacy impact assessment (PIA) of its activities. Due to COVID-19 restrictions, the PIA was not completed by March 31, 2021, as previously communicated. NSIRA has since hired a consultant to complete the PIA and begun to implement preliminary recommendations.
NSIRA also intends to conduct a PIA with respect to material revisions made to its complaints investigation service line.
Public Interest Disclosures
No disclosures were made under paragraph 8(2)(m) of the Privacy Act during this reporting period.
Appendices
Appendix A: Delegation Order
Access to Information Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 95 of the Access to Information Act, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Access to Information Act set out in the schedule opposite each position.
Privacy Act Designation Order
The Executive Director of the National Security and Intelligence Review Agency, pursuant to section 73 of the Privacy Act*, hereby designates the persons holding the positions or acting in these positions, set out in the schedule hereto to exercise the powers and perform the duties and functions of the Executive Director of the National Security and Intelligence Review Agency as the head of a government institution under the section of the Privacy Act set out in the schedule opposite each position.
Appendix B: 2020–21 Statistical Report on the Privacy Act
Name of institution: National Security and Intelligence Review Agency
Reporting period: 2019-04-01 – 2020-03-31
Section 1: Request Under the Privacy Act
1.1 Number of Requests
Number of Requests
Received during reporting period
4
Outstanding from previous reporting period
0
Total
4
Closed during reporting period
0
Carried over to next reporting period
0
Section 2: Requests Closed During the Reporting Period
2.1 Disposition and completion time
Disposition of Requests
Completion Time
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
0
0
0
Disclosed in part
0
1
0
1
0
0
0
2
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
No records exist
0
2
0
0
0
0
0
2
Request transferred
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
Decline to act with the approval of the Information Commisioner
0
0
0
0
0
0
0
0
Total
0
3
0
1
0
0
0
4
2.2 Exemption
Section
Numbers of Requests
18(2)
0
19(1)(a)
0
19(1)(b)
0
19(1)(c)
0
19(1)(d)
0
19(1)(e)
0
19(1)(f)
0
20
0
21
1
22(1)(a)(i)
0
22(1)(a)(ii)
0
22(1)(a)(iii)
0
22(1)(b)
1
22(1)(c)
0
22(2)
0
22.1
0
22.2
0
22.3
0
22.4
0
23(a)
0
23(b)
0
24(a)
0
24(b)
0
25
1
26
1
27
1
27.1
0
28
0
2.3 Exclusions
Section
Numbers of Requests
69(1)(a)
0
69(1)(b)
0
69.1
0
70(1)
0
70(1)(a)
0
70(1)(b)
0
70(1)(c)
0
70(1)(d)
0
70(1)(e)
0
70(1)(f)
0
70.1
0
2.4 Format of information released
Paper
Electronic
Other
1
1
0
2.5 Complexity
3.5.1 Relevant pages processed and disclosed
Number of Pages Processed
Number of Pages Disclosed
Number of Requests
146
135
2
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
All disclosed
0
0
0
0
0
0
0
0
0
0
Disclosed in part
1
1
1
134
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
0
0
Request abandoned
0
0
0
0
0
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
0
0
0
0
0
Total
1
1
1
134
0
0
0
0
0
0
2.5.3 Other complexities
Disposition
Consultation Required
Assessment of Fees
Legal Advice Sought
Other
Total
All disclosed
0
0
0
0
0
Disclosed in part
1
0
0
0
1
All exempted
0
0
0
0
0
All excluded
0
0
0
0
0
Request abandoned
0
0
0
0
0
Neither confirmed nor denied
0
0
0
0
0
Total
1
0
0
0
1
2.6 Closed Requests
2.6.1 Number of requests closed within legislated timelines
Requests closed within legislated timelines
Number of requests closed within legislated timelines
3
Percentage of requests closed within legislated timelines (%)
75
2.7 Deemed refusals
2.7.1 Reasons for not meeting legislated timelines
Number of Requests Closed Past the Legislated Timelines
Principal Reason
Interference with Operations/Workload
External Consultation
Internal Consultation
Other
1
0
1
0
0
2.7.2 Requests closed beyond legislated timelines (including any extension taken)
Number of Days Past Legislated Timelines
Number of Requests Past Legislated Timeline Where No Extension Was Taken
Number of Requests Past Legislated Timeline Where an Extension Was Taken
Total
1 to 15 Days
0
0
0
16 to 30 Days
0
0
0
31 to 60 Days
0
1
1
61 to 120 Days
0
0
0
121 to 180 Days
0
0
0
181 to 365 Days
0
0
0
More than 365 Days
0
0
0
Total
0
1
1
2.8 Requests for translation
Translation Requests
Accepted
Refused
Total
English to French
0
0
0
French to English
0
0
0
Total
0
0
0
Section 3: Disclosures Under Subsections 8(2) and 8(5)
Paragraph 8(2)(e)
Paragraph 8(2)(m)
Subsection 8(5)
Total
0
0
0
0
Section 4: Requests for Correction of Personal Information and Notations
Disposition for Correction Requests Received
Number
Notations attached
0
Requests for correction accepted
0
Total
0
Section 5: Extensions
5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was taken
9(1)(a) Interference With Operations
9(1)(b) Consultation
9(1)(c) Third-Party Notice
Section 69
Other
All disclosed
0
0
0
0
Disclosed in part
0
0
0
0
All exempted
0
0
0
0
All excluded
0
0
0
0
No records exist
0
0
0
0
Request abandoned
0
0
0
0
Total
0
0
0
0
5.2 Length of extensions
Number of requests where an extension was taken
15(a)(i) Interference with operations
15(a)(iii) Consultations
15(b) Translation purposes or conversion
Further review required to determine exemptions
Large volume of pages
Large volume of requests
Documents are difficult to obtain
Cabinet Confidence Section (Section 70)
External
Internal
1 to 15 days
0
0
0
0
0
0
0
0
16 to 30 days
0
0
0
0
0
1
0
0
31 days or greater
0
Total
0
0
0
0
0
1
0
0
Section 6: Consultations Received From Other Institutions and Organizations
6.1 Consultations received from other Government of Canada institutions
Consultations
Other Government of Canada Institutions
Number of Pages to Review
Other Organizations
Number of Pages to Review
Received during reporting period
0
0
0
0
Outstanding from the previous reporting period
0
0
0
0
Total
0
0
0
0
Closed during the reporting period
0
0
0
0
Carried over to next reporting period
0
0
0
0
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
6.3 Recommendations and completion time for consultations received from other organizations
Recommendation
Number of Days Required to Complete Consultation Requests
1 to 15 Days
16 to 30 Days
31 to 60 Days
61 to 120 Days
121 to 180 Days
181 to 365 Days
More Than 365 Days
Total
All disclosed
0
0
0
0
0
0
0
0
Disclosed in part
0
0
0
0
0
0
0
0
All exempted
0
0
0
0
0
0
0
0
All excluded
0
0
0
0
0
0
0
0
Consult other institution
0
0
0
0
0
0
0
0
Other
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
Section 7: Completion Time of Consultations on Cabinet Confidences
7.1 Requests with Legal Services
Number of Days
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
7.2 Requests with Privy Council Office
Number of Days
Less Than 100 Pages Processed
101-500 Pages Processed
501-1000 Pages Processed
1001-5000 Pages Processed
More Than 5000 Pages Processed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
Number of Requests
Pages Disclosed
1 to 15
0
0
0
0
0
0
0
0
0
0
16 to 30
0
0
0
0
0
0
0
0
0
0
31 to 60
0
0
0
0
0
0
0
0
0
0
61 to 120
0
0
0
0
0
0
0
0
0
0
121 to 180
0
0
0
0
0
0
0
0
0
0
181 to 365
0
0
0
0
0
0
0
0
0
0
365
0
0
0
0
0
0
0
0
0
0
Total
0
0
0
0
0
0
0
0
0
0
Section 8: Complaints and investigations
Section 31
Section 33
Section 35
Court action
Total
0
0
0
0
0
Section 9: Privacy Impact Assessments (PIA) and Personal Information Banks (PIB)
9.1 Privacy Impact Assessments
Number of PIA(s) completed
0
9.2 Personal Information Banks
Personal Information Banks
Active
Created
Terminated
Modified
0
0
0
0
Section 10: Material Privacy Breaches
Number of material privacy breaches reported to TBS
Number of material privacy breaches reported to OPC
0
0
Section 11: Resources Related to the Privacy Act
11.1 Costs
Expenditures
Amount
Salaries
$24,082
Overtime
$0
Goods and Services
$0
Professional services contracts
$0
Other
$0
Total
$24,082
11.2 Human Resources
Resources
Person Years Dedicated to Access to Information Activities
