NSIRA’s 2020 Annual Report focuses on review and investigation work carried out during our first full year of operation. In 2020, NSIRA completed reviews covering the national security and intelligence activities of departments and agencies across Canada’s federal government.
This report highlights key findings and recommendations, as well as our efforts to standardize and modernize our review processes. The report also discusses our new approach to information verification in reviews (our “trust but verify” approach) as well as NSIRA’s review plan for the coming years. Review highlights include:
NSIRA’s mandate includes the investigation of complaints related to national security made by members of the public. In 2020, we completed one investigation and modernized our complaints investigation model to ensure efficiency and transparency. Two priorities guided the modernization of the process, namely, access to justice for self-represented complainants and the creation of streamlined and less formal procedural steps. This was achieved through the creation of new Rules of Procedure as well as the implementation of our new declassified, de-personalized policy on final investigations reports.
NSIRA’s 2020 Annual Report also discusses our organization’s underlying goals and values, and highlights how the organization grew in size and capacity throughout 2020, as it continued efforts to enhance its technical and subject matter expertise.
Dear Prime Minister,
On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our second annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2020, as well as our findings and recommendations.
In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with the deputy heads concerned in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, national defence or international relations, or is information that is subject to solicitor-client privilege, the professional secrecy of advocates and notaries or to litigation privilege.
Yours sincerely,
The Honourable Marie Deschamps, C.C.
Chair // National Security and Intelligence Review Agency
The National Security and Intelligence Review Agency (NSIRA) began operating in 2019 as a new independent accountability mechanism in Canada. Our broad review and investigations mandate covers the national security and intelligence activities of departments and agencies across the federal government. In our first annual report, released in 2020, we discussed our initial activities from our inception in July 2019 to December 2019.
We are pleased to now present our second annual report, covering our activities in our first full year of operation. In 2020, we completed numerous reviews and investigations, engaged with stakeholders in the national security and intelligence community, including our international counterparts, launched an ambitious review plan for the coming years, initiated a comprehensive reform of our complaints investigation process, developed a uniform approach to information verification in reviews (our “trust but verify” approach), began standardizing our review processes, and made strides in formalizing efforts to coordinate and collaborate with various partner organizations. NSIRA’s Secretariat also continued to grow steadily in size, expertise, and administrative, technical, and substantive capacity. We achieved all of this within the considerable constraints presented by the COVID-19 pandemic.
We are committed to transparency and public engagement, striving to keep Canadians informed about national security and intelligence activities, and ensure our plans reflect the priorities of all Canadians. Our annual report is one way among many of achieving this. We also aim to achieve this through regularly engaging with stakeholders, members of diverse communities, and parallel review bodies internationally, including those that comprise the Five Eyes Intelligence Oversight and Review Council (FIORC). We are likewise committed to, and have begun, releasing public versions of our reports as they are completed (our “write for release” initiative), and to providing timely updates via our website and social media platforms.
After the release of our inaugural annual report, we sought and received feedback from academic and community stakeholders. As a result of these consultations, we have reorganized how we present some of the material in our 2020 annual report. In particular, we have grouped our review summaries, including any findings and recommendations, according to the institutions to which they pertain. We also discuss the outcomes and themes of interagency reviews. As well, this report sets out a framework for more robust statistical reporting on certain aspects of the activities of the Canadian Security Intelligence Service and the Communications Security Establishment, to enable year-to-year comparisons.
The pandemic delayed our plans and progress on reviews, investigations, and corporate initiatives in 2020, as was the case for many industries and sectors around the world. As of writing, our staff has begun to have more regular access to our offices and to the classified material critical to our work. More frequent and sustained access will help us conduct our work in a more timely and efficient manner. We look forward to carrying out an ambitious agenda in the year ahead.
We wish to extend our sincere thanks to our NSIRA staff for their dedication and diligence over the past challenging year, and for their continued efforts to build a strong organization.
Marie Deschamps
Craig Forcese
Ian Holloway
Faisal Mirza
Marie-Lucie Morin
The National Security and Intelligence Review Agency (NSIRA) marked its first full year in operation in 2020. With the agency’s broad jurisdiction under the National Security and Intelligence Review Agency Act (NSIRA Act), it reviewed and investigated national security and intelligence matters relating to not only the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also several federal departments and agencies, including:
The agency also focused on standardizing and modernizing the processes that govern the two main functions under NSIRA’s mandate—reviews and investigations—to ensure that our processes are robust, clear, and transparent.
The year 2020 also saw the organization grow in size and capacity, as it continues efforts to enhance its technical and subject-matter expertise.
Over the course of 2020, NSIRA completed two reviews that strengthened its knowledge of important areas of CSIS activity:
NSIRA completed three reviews of CSE activities in 2020, including of:
In 2020, NSIRA completed a review of DND/CAF, which examined how the Canadian Forces National Counter-Intelligence Unit (CFNCIU) conducted its counter-intelligence gathering activities—focusing particularly on how the unit’s activities corresponded with legal and governance frameworks.
In 2020, NSIRA completed its first dedicated review of Global Affairs Canada (GAC) focusing on one of its programs.
NSIRA also began reviews regarding a specialized RCMP intelligence unit, to better understand the national security role and responsibilities of Immigration, Refugees and Citizenship Canada, and a review of air passenger targeting at the Canada Border Services Agency.
NSIRA conducted two mandated cross-departmental reviews in 2020:
NSIRA also began another cross-departmental review in 2020:
In 2020, NSIRA reformed and modernized its complaints process to promote efficiency and transparency. Two priorities guided this process of modernization, namely, promoting access to justice for self-represented complainants, and putting in place more streamlined and less formal procedural steps.
As part of this reform process, NSIRA created new Rules of Procedure, completing an extensive consultation exercise with stakeholders in the public and private sectors to ensure the most effective and considered final product. The new rules came into force on July 19, 2021.
NSIRA also developed a new policy statement in 2020 that commits to publishing redacted and de-personalized investigation reports to promote and enhance transparency in its investigations.
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament. Prior to NSIRA’s creation, several gaps existed in Canada’s national security accountability framework. Notably, NSIRA’s predecessor review bodies did not have the ability to collaborate or share their classified information, but were each limited to conducting reviews for a specified department or agency.
By contrast, NSIRA has the authority to review all Government of Canada national security and intelligence activities in an integrated manner. As noted in the 2019 annual report, with NSIRA’s expanded role, Canada now has one of the world’s most extensive systems for independent review of national security.
NSIRA has a dual mandate to conduct reviews and investigations on Canada’s national security and intelligence activities. Annex B contains a financial and administrative overview of NSIRA.
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).2 This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency, the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada, and the Department of Justice. Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA. Annex C describes NSIRA’s review framework.
NSIRA’s reviews assess whether Canada’s national security and intelligence activities comply with relevant laws and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Reviews of CSIS and CSE will always remain a core part of NSIRA’s efforts, since the entire focus of these organizations is to address national security and intelligence matters. Unlike its predecessor review bodies, however, NSIRA has an all-encompassing review mandate. NSIRA will also continue to prioritize and examine how other departments engaging in national security and intelligence activities meet their obligations. NSIRA’s reviews help keep Parliament and Canadians informed about the lawfulness and reasonableness of Canada’s national security and intelligence activities.
In addition to its review mandate, NSIRA is responsible for investigating national security- or intelligence-related complaints. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:
This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism)3 and the Canadian Human Rights Commission.
Each calendar year, NSIRA has a statutory obligation to submit to the Prime Minister a report on its activities in the preceding year, along with its findings and recommendations.
NSIRA’s first annual report (2019 Annual Report) covered the six-month period from July 2019 when NSIRA was established, through to the end of 2019. In that report, the agency discussed the reviews and investigations that it had either completed or launched in 2019, with the accompanying findings and recommendations. It also published the results of reviews that had not yet been made public by its predecessor organizations, the Security Intelligence Review Committee (SIRC) and the Office of the Communications Security Establishment Commissioner (OCSEC).
The 2019 Annual Report also presented NSIRA’s review findings through a novel framework called the “information continuum.” Given the agency’s comprehensive, overarching review mandate, this framework offers a lens for understanding key national security- and intelligence-related themes, trends and challenges that are common to departments and agencies across the federal government. This lens allows for discussing shared concerns in Canada’s overall security and intelligence architecture, and informs future review priorities and the recommendations for addressing them. The information continuum is discussed further in section 2.1 below.
In response to feedback received from stakeholders, NSIRA’s second annual report groups the review summaries according to government department, including for CSIS and CSE. Nevertheless, NSIRA continues to be committed to presenting broader themes and observations on national security and intelligence accountability across Canada.
In the 2020 Annual Report, NSIRA therefore presents:
NSIRA is committed to:
As part of a commitment to methodological excellence, NSIRA developed its “trust but verify” approach (highlighted below) to provide an important measure of confidence in the completeness of information received from departments and agencies.
In 2020 the NSIRA Secretariat also began work to develop a Code of Conduct for all employees, which was finalized in June 2021. The Code sets out the organizational values that guide the workforce’s activities and functions and the expected standards that must be observed during and after a person’s employment with the NSIRA Secretariat.8
Additional details on NSIRA’s values and goals related to transparency, anticipation of risk, objectivity and independence, methodological excellence, stakeholder and community engagement, and forward- and innovative-thinking can be found in Annex G.
The NSIRA Act grants the agency extensive access rights to information: with the exception of Cabinet confidences, NSIRA is entitled to have access in a timely manner to any information in the possession or under the control of any department. In conducting reviews and investigations, it requires timely access to a wide range of information, people, and assets. This, in turn, requires regular support from expert liaison units that can provide documentation, arrange briefings, answer questions, and generally guide and implement NSIRA’s access requirements. NSIRA’s ability to fulfil its mandate can be challenged when it faces delays in receiving information.
As a review agency, NSIRA must be able to assure Parliament — and through it, Canadians — that it has a high level of confidence in the completeness of the information received from departments and agencies, and hence, in the robustness of its findings. The “trust but verify” approach is a critical tool for reaching this objective.
NSIRA recognizes, on the one hand, that the principle of trust requires each party to understand and appreciate the mandate, and feel confident in the integrity, of the other. Of course, in a review relationship there will necessarily be healthy tensions stemming from differences in perspective.
On the other hand, verification is a fundamental prerequisite of any credible review. NSIRA must be able to independently test the completeness of the information it receives.
Moving forward, NSIRA will implement a “tailored access” process for conducting verification. Tailored access involves identifying its information access needs in response to the specific review or investigation and collaborating with departments and agencies in determining the various types of access that will constitute the best manner in which to obtain that information. The tailored access process may include targeted access of computer networks and information, proxy access, dedicated office space, and access to training materials.
The tailored access processes can place logistical and resource strains on departments and agencies having to implement them, and may require a shift in culture. Overall, however, tailored access provides mutual benefits. Tailored access processes can increase transparency and accountability on all sides, allow information to be accessed in a more secure and timely manner, foster positive professional interactions, improve overall expertise, and strengthen evidence-based findings and recommendations. Moreover, NSIRA believes that tailored access will, over time, result in a reduced workload for liaison staff at departments and agencies under review.
The trust but verify approach is not new. Both NSIRA and its predecessor, SIRC, have already had long-standing tailored access arrangements with CSIS that include targeted (direct) access to CSIS’s computer networks and sensitive information.
The trust but verify principle is a key aspect of maintaining the integrity and credibility of NSIRA’s reviews. In keeping with the commitment to transparency and methodological rigour, its reviews will contain a “confidence statement” to report NSIRA’s confidence level in the completeness of the information on which the findings rely, given the agency’s ability to verify. The confidence statement is an important tool for apprising ministers, Parliament, and members of the public on the extent to which NSIRA has been able to access all relevant information.
As previously mentioned, NSIRA’s review mandate extends throughout the federal government. NSIRA’s broader jurisdiction allows it not only to examine the national security and intelligence activities of a specific organization, but also to identify common themes that emerge across government.
In the 2019 Annual Report, NSIRA introduced a framework to assist in discussing and analyzing such trends. The “information continuum” identifies four main stages in the lifecycle of national security and intelligence information where problems can arise, including in information collection, safeguarding, sharing, and use in real-world actions.
In an environment that is constantly changing, including the rapid development of new technologies, each stage presents potential challenges for departments and agencies engaging in national security and intelligence activities. Despite the challenges, all national security and intelligence activities must comply with the law and applicable ministerial directions, and meet the tests of reasonableness and necessity.
The 2019 Annual Report also identified a number of future priorities that would benefit from analysis through the lens of the information continuum. To achieve these goals, NSIRA promised to invest in building in-house technological expertise, collaborate with allied accountability bodies through the Five Eyes Intelligence Oversight and Review Council, and seek to stay current with new and emerging technologies such as artificial intelligence, machine learning, quantum computing, and “big data.”
NSIRA also pledged to continue to work with the Office of the Privacy Commissioner (OPC) and the National Security and Intelligence Committee of Parliamentarians (NSICOP) on matters of joint concern to ensure the broadest range of perspectives are addressed.
NSIRA continues to examine national security and intelligence activities through the lens of the information continuum, and plans on presenting work on its website using the continuum approach to help situate horizontal themes for national security review. For 2020, however, this report builds on some feedback NSIRA received on last year’s annual report and uses a more institutional approach as a narrative device.10
As noted in the 2019 Annual Report, NSIRA staff continued to work remotely in 2020, which meant limited office access and, therefore, minimal access to the classified physical and electronic documents that must be protected in a secure environment, and that are critical to NSIRA’s work. Just as all organizations have had to adapt to the realities of the pandemic, so has NSIRA. It revised its review plans, and implemented strict rotating schedules to enable limited office access for classified work to safely continue to fulfill its statutory obligations and uphold its commitments to Canadians.
The omnibus National Security Act, 2017, which established NSIRA and made major changes to Canada’s national security framework, contains provisions mandating a review by Parliament during NSIRA’s fourth year of operation, which will be in 2022.
This comprehensive review will require Parliament to assess the effects of the National Security Act, 2017, on the operations of the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP) and the Communications Security Establishment (CSE) that relate to national security, information sharing, and the interaction of those organizations with NSIRA, the Office of the Intelligence Commissioner and NSICOP.11
NSIRA has structured and sequenced its review plan in order to inform Parliament’s examination of new powers granted to security agencies through the National Security Act, 2017. Reviews of these new powers will take place over the course of 2021 and into early 2022, to determine whether they were exercised in compliance with the law and ministerial direction, and whether they were reasonable and necessary.
Under the NSIRA Act, NSIRA has a mandate to review any CSIS activity. The Act requires NSIRA to submit an annual report to the Minister of Public Safety and Emergency Preparedness on CSIS activities each year, including information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.12
In 2020, NSIRA completed two CSIS reviews, summarized below. NSIRA also began two more reviews: a review of CSIS’s technology programs and intelligence collection techniques, and a review of the duty of candour owed by both CSIS and the Department of Justice in warrant proceedings before the Federal Court. Other NSIRA ongoing reviews, including multiple agency reviews, have a CSIS component.
Under the Anti-terrorism Act, 2015, CSIS was granted the authority to undertake threat reduction measures (TRMs). NSIRA is required to review, annually, at least one aspect of CSIS’s performance in using its threat reduction powers.13
This was NSIRA’s first review of CSIS’s threat reduction mandate. It included a detailed compliance review of a sample of TRMs from 2019. The review also included a high-level analysis of CSIS’s use of TRMs over the past five years to identify trends and to inform NSIRA’s choice of future review topics.
The sample reviewed by NSIRA consisted of TRMs that were employed to disrupt threats to Canadian democratic institutions in relation to the 2019 federal election. NSIRA assessed the measures against legislative and policy requirements, as well as ministerial direction.
For all the measures reviewed, NSIRA found that CSIS met its obligations under ministerial direction, namely that CSIS consulted with its government partners and completed an assessment of the operational, political, foreign relations and legal risks of each TRM.
For most of the measures taken by CSIS, NSIRA noted that the measures satisfied the requirements of the Canadian Security Intelligence Service Act (CSIS Act). NSIRA also noted, however, that in a limited number of cases, CSIS selected individuals for inclusion in the TRM without a rational link between the selection of the individual and the threat. As a result, these measures were not “reasonable and proportional” as required under the CSIS Act.14
For one type of TRM reviewed by NSIRA, CSIS deemed that a warrant was not required. NSIRA identified concerns about factors which would require CSIS to consider fully the implications of the Canadian Charter of Rights and Freedoms for its measures, and could require CSIS to obtain warrants before taking certain measures.
Finally, NSIRA noted some inconsistencies in the type of information provided to CSIS decision-makers in its internal requests for approval. NSIRA also found gaps and inconsistencies in CSIS’s documentation, which had the effect of hindering NSIRA’s compliance review. As a result, NSIRA recommended that formalized and documented processes be developed for the management of all TRM-related information. In addition, NSIRA recommended that all pertinent facts relating to the TRM be formally provided to the National Security Litigation and Advisory Group (NSLAG), which is part of the Department of Justice, to ensure that the NSLAG has the information necessary to provide considered legal advice.
The legal issues and questions raised in this review, as well as the analysis of trends across the last five years, point the way to further reviews by NSIRA. In particular, NSIRA was struck by the potential for a class of TRMs to affect rights and freedoms protected under the Charter. In future, NSIRA will pay particular attention to this class of TRMs and the associated legal risks. NSIRA also notes that CSIS has yet to undertake a TRM under the authority of a court warrant. If and when CSIS obtains a TRM warrant, NSIRA will prioritize it for review.
Response to NSIRA’s recommendations
NSIRA’s recommendations, CSIS’ management responses, and other details about this review, are found in Annex E of this report.
CSIS and the RCMP must work together and share intelligence to effectively counter national security threats.15 NSIRA examined the state of the relationship between CSIS and the RCMP through the lens of an ongoing investigation in a specific region of Canada. NSIRA undertook an in-depth study of both agencies’ operations, with particular attention to how the two agencies collaborated on this investigation in recent years, both in this region and at headquarters. Although the findings of this review are specific to the given investigation, NSIRA has no reason to believe that the investigation in question is atypical, and thus this review provides insight into the more general state of the two agencies’ relationship.
With respect to CSIS’s investigation specifically, NSIRA found that CSIS was reliant on a narrow set of information and was thus vulnerable; NSIRA observed how external factors arose that sharply limited CSIS’s ability to collect intelligence on the threat in question, resulting in collection gaps.
NSIRA found that in the specific region in question, CSIS and the RCMP had developed a strong relationship that has fostered effective tactical de-confliction of operational activities. Nonetheless, technological constraints made CSIS-RCMP de-confliction in the region excessively burdensome and time-consuming.
The RCMP’s use of CSIS information in support of criminal prosecutions has long been limited by perceived risks of involving CSIS or CSIS information in a prosecution. As an element of this, NSIRA observed a general reluctance on the parts of both CSIS and the RCMP to connect CSIS information to an RCMP investigation. In the case of the regional investigation in question, CSIS intelligence had not been shared or used in a way that significantly advanced the RCMP’s investigations.
On the whole, NSIRA found that CSIS and the RCMP had made little progress in addressing the threat under investigation. Moreover, CSIS and the RCMP did not have a complementary strategy to address the threat.
NSIRA has the legal authority to assess CSIS-RCMP activities from the perspective of both parties, and is not limited to the standpoint of CSIS, as was the case for the Security Intelligence Review Committee (SIRC). This regional review exposed an important, yet unresolved, issue in Canada’s national security framework: the limitations on the use of CSIS intelligence to support RCMP criminal investigations, often termed the “intelligence-to-evidence” dilemma. Given the centrality of the CSIS-RCMP relationship to Canada’s national security architecture, NSIRA will return to this topic in future years.
Response to NSIRA’s recommendations
NSIRA’s recommendations, CSIS’ management responses, and other details about this review, are found in Annex E of this report.
To achieve greater public accountability, NSIRA is requesting that CSIS publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.
The number of section 21 warrant applications (a) approved, and (b) denied; each further broken down as either new or replacement/supplemental.
The number of section 21.1 warrant applications (a) approved, and (b) denied; each further broken down as either new or replacement/supplemental.
The number of CSIS targets
The number of publicly available datasets (a) evaluated, and (b) retained.
*Note that one had been collected in late 2019 but was evaluated in 2020.
The number of Canadian datasets (a) evaluated, and (b) retained after authorization by the Court, and the number of such requests denied.
The number of foreign datasets (a) evaluated, and (b) retained after approval by the Minister and Intelligence Commissioner, and the number of such requests denied (by either the Minister or Intelligence Commissioner).
The number of TRMs (a) approved, and (b) executed.
The number of Justification Framework (a) approvals, and (b) invocations.
The number of internal CSIS compliance incidents.
In 2020, External Review and Compliance processed 50 compliance incidents. Of these, 29 were considered to be administrative, 14 related to warrant terms and conditions, and 7 related to internal policies, procedures or directives.
As legal and operational environments have evolved over the years, the suite of internal policies and procedures governing CSIS operations has drifted out of date. These operational policies and procedures translate the limits imposed by law and ministerial directions into everyday practice for CSIS activities.
NSIRA, and previously SIRC, noted concerns with out-of-date policies and procedures in reports and reviews over the years. CSIS also recognizes these concerns, but has struggled to adequately resource and prioritize the renewal of its operational policy suite. The result is a confusing collection of old and new policies, and ad hoc directives that have not yet been incorporated into policy. Over the past two years, CSIS has reported that more than 150 of its operational policy related documents need to be developed, updated, or significantly revised.
Written policies and procedures that do not reflect current operational realities and legal requirements—or are simply not internally consistent—elevate the risk that CSIS will not comply with the law and ministerial directions. CSIS employees should always have a clear, consistent and up-to-date suite of policies and procedures that makes compliance easy.
NSIRA is aware of CSIS’ ongoing efforts to overhaul and organize its full range of operational policies and procedures. Since the backlog has persisted for years, it remains unclear whether the latest efforts at renewal are sufficiently well-resourced to truly remedy the situation in a timely manner.
Internal compliance and proactive disclosure to NSIRA
In 2020, CSIS proactively disclosed to NSIRA a compliance issue related to certain operational activities. After CSIS employees raised concerns about an operational program, CSIS conducted an internal compliance review. The initial review focused on compliance with CSIS policies and procedures, but as the issue was explored CSIS opted to conduct a legal assessment as well. CSIS has since taken a number of steps to address the shortcomings it identified, including improved operational governance and management accountability. NSIRA received a comprehensive briefing on the matter in early 2021; CSIS is also providing, and has committed to continue to provide, NSIRA with the full range of relevant internal documents. NSIRA is examining this material with interest and will follow up with CSIS as appropriate.
This incident illustrates how departmental compliance mechanisms and NSIRA’s external review mandate can complement each other. NSIRA encourages CSIS to continue to engage the agency when internal compliance issues of note are uncovered.
In 2021, NSIRA is commencing or conducting three reviews exclusively focused on CSIS, one review focused on CSIS and the Department of Justice and a number of interagency reviews with a CSIS component. The reviews are summarized below.
In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has initiated or is planning the following CSIS reviews, for completion in 2021:
Survey of new technology programs and intelligence collection techniques
This review, initiated in 2020, involves a broad survey of CSIS’s technology programs and intelligence collection techniques, with a particular focus on those that require authorization by court warrant. The review will help to identify specific technologies or investigative techniques that merit future review due to their novelty, potential intrusiveness, or potential for posing risks to compliance. Once identified, these technologies or techniques will be reviewed over subsequent years to ensure legal compliance.
Review arising from the Federal Court’s judgment in 2020 FC 616
This review arises from the Federal Court’s judgment in 2020 FC 616. To fully identify systemic, governance and cultural shortcomings and failures that may have led to the breach noted by the Court, NSIRA has undertaken an extensive program of document review and briefings involving both CSIS and the Department of Justice. NSIRA is also conducting confidential interviews with CSIS and Department of Justice employees, at various levels, to better understand the dynamics shaping decision-making in both departments and the interactions between the departments. In addition, NSIRA has consulted with external experts where possible. This review is distinct from other reviews NSIRA has conducted, as it is led by two NSIRA members: Marie Deschamps and Craig Forcese. The final report is expected to be completed in late 2021 or early 2022.
Beyond 2021, NSIRA intends to explore CSIS reviews of topics including, but not limited to:
The range of information that CSIS must proactively inform NSIRA about has expanded under amendments to the CSIS Act. NSIRA must be informed about matters that include CSIS’s use of datasets, threat reduction measures, disclosures of information, and the new justification framework for otherwise unlawful activities. Since these requirements are embedded in the CSIS Act, it is NSIRA’s understanding that Parliament intended that NSIRA keep itself continuously apprised of these activities. To this end, NSIRA will systematically monitor the information received from CSIS for its compliance with the law, and the reasonableness and necessity of those activities.
However, NSIRA considers it vital that CSIS also keep NSIRA informed of those activities beyond those that CSIS is explicitly required to bring to NSIRA’s attention. NSIRA is working with CSIS to establish a process that builds on NSIRA’s existing direct access to CSIS’s main databases. This process will enable NSIRA to obtain additional information that complements the information that CSIS is required to report to NSIRA.
This endeavour will not only strengthen the content of NSIRA’s public annual reporting, but will also better inform the annual classified report on CSIS that NSIRA must provide to the Minister of Public Safety and Emergency Preparedness.
CSIS has been subject to independent review since its creation in 1984. To manage its relationship with external review bodies, CSIS has long maintained a dedicated review secretariat, which is currently housed within its External Review and Compliance branch. CSIS’s review secretariat has enhanced its ability to meet its statutory obligations to provide NSIRA with timely access to the information NSIRA deems relevant. In 2020, NSIRA was generally satisfied with its access to CSIS.
During this reporting period, CSIS personnel have remained supportive and available to the extent possible, and in several instances in 2020, went to exceptional lengths to assist NSIRA in completing reviews whose timelines had themselves been disrupted by COVID-19. Although CSIS and NSIRA may disagree on specific issues — as is to be expected with regard to an external accountability body — NSIRA is of the view that the continued cooperation of CSIS personnel under difficult circumstances reflects an underlying understanding of and respect for the role of independent review at CSIS.
As set out in the NSIRA Act, NSIRA has a mandate to review any CSE activity. Under the NSIRA Act, NSIRA must also submit an annual report to the Minister of National Defence on CSE activities each year, including information related to CSE’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSE’s powers.
In 2020, NSIRA completed three CSE reviews. This annual report also presents results from a 2019 review that NSIRA was unable to share in the 2019 Annual Report. NSIRA also initiated three reviews, as discussed below.
In meetings with representatives from Canadian civil society and academia, some stakeholders expressed an interest in receiving follow-up information pertaining to reviews conducted under the former Office of the CSE Commissioner (OCSEC). NSIRA remains committed to redacting, translating, and publishing OCSEC historical reviews as resources permit. However, many of OCSEC’s reviews are no longer relevant in light of the legislative amendments introduced in 2019 by the National Security Act, 2017. Many of OCSEC’s recommendations have also been implemented, since they called for changes to the law that were subsequently captured in the National Security Act, 2017. As well, any ministerial directions and other instruments issued under the previous legal framework for CSE (National Defence Act) are now obsolete, having been reissued under the new authorities.
On June 18, 2021, NSIRA released a public summary of its review of CSE’s disclosures of Canadian Identifying Information (CII). When CSE conducts foreign signals intelligence (SIGINT) collection, it suppresses any incidentally collected CII in its intelligence reporting to protect the privacy of Canadians and persons in Canada. Nevertheless, the Government of Canada and foreign recipients of these intelligence reports can request the details of this information—including names, email addresses, and IP addresses—if they have the legal authority and operational justification to receive it.
In 2020, NSIRA reviewed the lawfulness and appropriateness of CSE’s disclosure of CII, focusing on CSE’s disclosure of CII to other Government of Canada departments.
This review examined a sample of CSE’s CII disclosures from July 1, 2015 to July 31, 2019 containing 2,351 Canadian identifiers, including in the context of assisting CSIS’s foreign intelligence collection under section 16 of the CSIS Act.
NSIRA found that although CSE approved 99% of requests for CII disclosure from its domestic partners, 28% of all requests were not sufficiently justified to warrant the release of CII. As a result, NSIRA concluded that CSE’s implementation of the CII disclosure regime lacked rigour, and may not have complied with its responsibilities under the Privacy Act. This report therefore constituted a compliance report pursuant to section 35 of the NSIRA Act, and was presented to the Minister of National Defence on November 25, 2020.
NSIRA also found that CSE’s releases of CII collected under section 16 of the CSIS Act were conducted in a manner that was unlikely to have been communicated to the Federal Court by CSIS. CSIS had provided the Federal Court with testimony about its treatment of information about Canadians collected through section 16 of the CSIS Act. Yet, when NSIRA compared this testimony with how CSE handled information about Canadians collected when assisting CSIS in relation to section 16, NSIRA found notable discrepancies in the standards communicated to the Federal Court. CSIS was not involved in assessing or releasing the disclosures about which NSIRA had concerns; these disclosures were handled solely by CSE.
Response to NSIRA’s recommendations:
As detailed in Annex E of this report, CSE accepted all 11 of NSIRA’s recommendations. CSE initiated a privacy impact assessment of its CII disclosure regime, and has informed NSIRA that it is in the final stages of implementing an updated version of its CII request software, which is intended to ensure that all necessary information related to operational justification and legal authority is captured prior to a disclosure taking place. CSE has also ceased releasing CII collected under section 16 of the CSIS Act until the Federal Court is fully informed about CSE’s sharing of information derived from collection under section 16 warrants.
After the CSE Act came into force in 2019, CSE received a new set of ministerial authorizations (MAs). These documents, issued by the Minister of National Defence, authorize CSE to engage in activity that risks contravening an “Act of Parliament or interfering with a reasonable expectation of privacy of a Canadian or person in Canada.” For example, such activities might include the incidental interception of private communications during CSE’s foreign SIGINT collection activities.
The CSE Act also created the legislative authority for the Minister to “designate electronic information or information infrastructures or classes of electronic information or information infrastructures as being of importance to the Government of Canada” through a ministerial order (MO). Designating infrastructures as being of importance to the Government of Canada enables CSE to share certain kinds of information, and provide direct assistance.
In 2019, the Minister of National Defence issued seven MAs and three MOs under the CSE Act. NSIRA received comprehensive briefings on the activities authorized by each MA and MO. Based on the records that CSE provided, NSIRA believes that CSE employed considerable rigour in the MA application process. NSIRA found that CSE’s MA application requests contained sufficient information, and provided more information than previous applications under CSE’s pre-CSE Act governing legislation, the National Defence Act, thereby allowing for greater transparency of CSE’s activities.
NSIRA found, however, that CSE has not fully assessed the legal implications of certain activities enabled since the CSE Act, which have not yet occurred, but which are permissible under a specific type of MA. NSIRA also found that CSE was unable to provide an assessment of its obligations under international law regarding the conduct of active cyber operations.
CSE’s briefings on these matters have informed NSIRA’s three-year review plan. In particular, this review highlighted the immediate need for NSIRA to focus on CSE’s active cyber operations (ACOs) and defensive cyber operations (DCOs), given that the Intelligence Commissioner does not provide approval for these activities and that CSE has no statutory obligation to notify NSIRA when it undertakes these activities. Active and defensive cyber operations represent a new aspect of CSE’s mandate, and NSIRA will closely examine both the governance policies and procedures for these activities, as well as the operations themselves.
Response to NSIRA’s recommendations
As detailed in Annex E, CSE generally accepted NSIRA’s recommendations in relation to this review. CSE agrees that its operations should be assessed with respect to compliance with international law, but continues to dispute NSIRA’s assertion that it was unable to provide an assessment of its obligations under international law.
Inspired by a similar review by the U.S. Inspector General for the National Security Agency, NSIRA completed a review of CSE’s SIGINT data retention policies and procedures in December 2020. The purpose of the review was to understand the SIGINT data lifecycle management process and learn about compliance with legal data retention limits, and with government and internal policy. Non-compliance with these limits could potentially adversely affect civil liberties and privacy protections. NSIRA completed its review and will use the information learned as a foundation for a future review.
On March 4, 2021, NSIRA publicly released its first review of CSE, which was a 2019 review of CSE’s Privacy Incidents File (PIF). A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. NSIRA’s 2019 PIF review, including findings and recommendations, was discussed in Annex A of the 2019 Annual Report. NSIRA was unable to publish CSE’s responses to NSIRA’s recommendations in time for that report, and so these responses are now included in Annex E to the present annual report.
Response to NSIRA’s recommendations
CSE accepted all five of NSIRA’s recommendations regarding the 2019 PIF review. CSE is pursuing a standardized mechanism for identifying and reporting on incidents with privacy interests, and is investigating ways to reach more streamlined and uniform reporting between operational compliance teams. CSE committed to standardizing its policy on how to assess whether a privacy incident constitutes a material privacy breach, and re-examining its assessment methods to ensure they are effective and reasonable. In November 2019, CSE also abolished a specific practice that NSIRA had raised concerns about.
To achieve greater public accountability, NSIRA is requesting that CSE publish more statistics and data about public interest and compliance-related aspects of its activities. This section presents some of this CSE data.
NSIRA intends to provide data on an annual basis to provide benchmarks and enable comparison. It cautions, however, that some CSE data are difficult to interpret without significant analysis and full context, and may not necessarily indicate particular practices or developments.
In 2020, CSE provided foreign intelligence reports to more than 2100 clients in over 25 departments and agencies within the Government of Canada in response to a range of priorities related to international affairs, defence, and security. As examples, CSE believes that its own intelligence reporting helped thwart or respond to foreign cyber threats, supported Canada’s military operations, protected deployed forces, identified hostile state activities, and provided insight into global events and crises to help inform Government of Canada policies and decision making.
In calendar year 2020, CSE received 24 requests for assistance from CSIS, the RCMP, and the Department of National Defence, and actioned 23 of these requests.
Also in 2020, CSE recorded a total of 81 incidents in its PIF, second party privacy incidents file (SPIF), and minor procedural errors file.
In calendar year 2020, CSE was issued six MAs. The table below provides a breakdown of these MAs, as well as of MAs from calendar year 2019, which NSIRA was unable to publish in its 2019 annual report. NSIRA will continue to benchmark and compare these, and other statistics, each year.
* Note that the above tables refer to ministerial authorizations (MAs) that were issued in the given calendar years, and may not necessarily reflect MAs that were in effect. For example, if an MA was issued in late 2019 and remained in effect in parts of 2020, it is counted above solely as a 2019 MA.
In June 2021, in CSE’s 2020-2021 public annual report, CSE confirmed that it has conducted foreign cyber operations. CSE informed NSIRA that it is not prepared to release specific information related to foreign cyber operations, as it would constitute special operational information that, if disclosed, could be injurious to Canada’s international relations, national defence or national security.
In addition to NSIRA’s independent expert review, CSE’s functions are also subject to its own internal compliance programs. For this annual report, NSIRA asked CSE to provide information on some of its internal compliance programs. CSE’s Internal Program for Operation Compliance is responsible for activities of the Canadian Centre for Cyber Security (Cyber Centre), while compliance of SIGINT activities is overseen by the SIGINT Compliance section.
Unlike some of its international counterparts, NSIRA does not currently assess the effectiveness of department and agency internal compliance programs. However, NSIRA recognizes that assessing such programs would be an important component of its review mandate, and it intends to build capacity in this area. In the interim, there is nevertheless value in publishing the information available on internal compliance, to provide a greater understanding of CSE’s policies in this regard. The information provided in this section should not be considered an independent assessment or evaluation.
The Internal Program for Operation Compliance (IPOC) is responsible for providing mission management support and operationalizing the Cyber Centre’s Internal Compliance Program, which encompasses three fundamental accountability pillars:
According to CSE, the Cyber Centre’s ability to demonstrate compliance with legal, ministerial, and policy obligations while conducting cybersecurity activities is “a key component of its ‘licence to operate’.” CSE considers these accountability and transparency values to be at the core of Cyber Centre operations; they are seen as constituting the foundation for maintaining Canadians’ trust and confidence in the Cyber Centre’s activities.
CSE also stated that, in addition to conducting annual compliance monitoring of cybersecurity and information assurance activities, IPOC works with Cyber Centre operational areas to promote “compliance by design,” whereby control mechanisms and privacy protection measures are intended to be proactively built into systems, tools, and operational business processes.
Ensuring compliance of activities is, according to CSE, “of utmost importance to SIGINT, as it is critical to CSE’s continued lawfulness.” The SIGINT Compliance section works with employees to clarify their roles in compliance, for example through employee engagement, incident handling, annual compliance accreditation training, and compliance advice on new and established SIGINT initiatives. The section works to build and maintain a compliance review framework based on the CSE Act and other appropriate legislation, as well as CSE’s internal policy instruments.
According to CSE, this compliance review framework dictates internal compliance reviews that the group must complete annually over a three-year cycle. Moreover, the SIGINT Compliance group is meant to review SIGINT activities across the entire lifecycle of intelligence production, from data acquisition to processing, analysis and end-product dissemination. When necessary, these reviews contain required actions that employees in certain activity areas must complete to maintain or improve compliance. These required actions must be tracked and updated regularly by both the compliance group and senior management.
NSIRA understands that transparency related to compliance is not achieved overnight, and that CSE’s transparency efforts are, as CSE told NSIRA, “still a work in progress.” NSIRA can assist CSE in such efforts, for example by providing information to the Canadian public about CSE’s lawfulness, compliance, and its functions more broadly.
Internal compliance errors reported to NSIRA
CSE states that it promotes a culture of compliance and encourages the self-reporting of potential compliance incidents. In 2019-20, CSE had concerns that it may have received information outside of a valid MA period, in relation to cybersecurity activities on a certain type of infrastructure.
CSE ultimately notified the infrastructure owner, purged the inadvertently received information from its systems in accordance with standard privacy safeguards, and launched a review of the incident for the purpose of identifying and implementing additional privacy protection measures. CSE also proactively engaged the Minister of National Defence and NSIRA for transparency and accountability purposes.
NSIRA appreciates that CSE brought this incident to its attention. NSIRA did not consider the incident to be of major concern, but views CSE’s proactive and voluntary notification of the incident as a key success in the NSIRA-CSE relationship. NSIRA feels that CSE’s response to this incident bodes well for effective and honest communication and collaboration moving forward.
In general, NSIRA prioritizes its reviews of CSE based on legislative requirements, as well as risk. In the case of risk, NSIRA seeks to identify those activities that may potentially pose higher risks of legal non-compliance, often because these activities are new and untested, or operate under the updated authorities of the CSE Act. NSIRA also engages with various stakeholders, both internal and external to the Government of Canada, to consider CSE-related concerns that should be reviewed.
Over the coming years, NSIRA will focus on newer aspects of CSE’s mandate, as well as on CSE’s use of certain emerging technologies, including artificial intelligence. In particular, NSIRA has heard various concerns from Canadian stakeholders about CSE’s novel foreign cyber operations mandate. NSIRA is closely examining CSE’s foreign cyber operations, including in two ongoing reviews, and NSIRA will continue to review these kinds of operations in future. NSIRA will also continue to review discrete CSE activities in cybersecurity and SIGINT based on their associated risks.
In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act (SCIDA) and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has initiated or is planning the following CSE reviews, for completion in 2021:
Review of information use and sharing between aspects of CSE’s mandates
This review examines how CSE ensures compliance with its lawful authorities and restrictions when exchanging information between aspects of its mandates. An exchange of information between aspects occurs, for example, if CSE collects information under the foreign intelligence aspect and then shares this information with those operating under the cybersecurity aspect. The review examines how CSE uses such cross-aspect information, in order to ensure compliance with the CSE Act. This review was initiated in January 2020, but has been delayed.
Review of CSE’s active cyber operations and defensive cyber operations, Part 1: Governance
This review examines CSE’s new active cyber operation / defensive cyber operation powers under the CSE Act to ensure legal compliance. It looks at the policy and legal framework for conducting these activities for the 2019-20 MAs. This review was initiated in August 2020, but has been delayed.
Review of an activity conducted under CSE’s foreign intelligence Ministerial Authorizations
This review studies an activity conducted under CSE’s Foreign Intelligence Ministerial Authorizations to examine CSE’s policies and procedures. This activity has not been subject to any external or internal assessment, audit, or compliance review, and as such presents an opportunity for NSIRA to conduct the first-ever review of this CSE activity. CSE provided a preliminary briefing to NSIRA on this topic in early 2021, but this review has been delayed.
Departmental study under section 31 of the NSIRA Act
Under section 31 of the NSIRA Act, NSIRA can direct CSE to conduct a study of its activities that relate to national security and intelligence, to ensure that these activities are carried out in compliance with the law and any applicable ministerial directions, and that they are reasonable and necessary. On completion of the study, CSE must provide a copy of the report to the Minister of National Defence and to NSIRA. Following NSIRA’s review of CSE’s CII disclosures, NSIRA concluded that CSE’s implementation of its disclosure regime under the National Defence Act may not have complied with requirements under the Privacy Act. Given the change in CSE’s governing legislation in 2019, NSIRA has directed CSE to review its disclosures to Government of Canada partners as well as foreign partners to ensure that these disclosures comply with section 43 of the CSE Act.
Beyond 2021, NSIRA intends to explore CSE reviews of topics including, but not limited to:
NSIRA’s mandate allows it to conduct inter-departmental reviews (also known as ‘follow-the-thread’ reviews), and it intends to do so for several ongoing and planned CSE reviews. In engaging with a range of federal departments and agencies, NSIRA’s CII review was its first follow-the-thread review.
In 2020, NSIRA’s CSE Review Team established office space in CSE’s headquarters. This office space, which began partial operations in 2020, includes nine workstations and provides NSIRA with greater access to its CSE counterparts. Access to NSIRA’s CSE office is restricted, and appropriate safeguards are in place to ensure NSIRA’s independence.
A significant challenge to NSIRA’s CSE review is the lack of comprehensive and independently verifiable access to CSE’s information repository. As one component of addressing challenges, NSIRA is exploring options to have CSE proactively disclose specific categories of information on a regular basis, which would be used to both ensure compliance of activities and inform the conclusions NSIRA provides in the annual classified report to the Minister.
As another component of addressing access challenges, NSIRA is also exploring some options with CSE to implement the “tailored access” approach described under section 1.5 of this Report. Implementing tailored access will result in trust being maintained between the two organizations, while ensuring that NSIRA has the ability to independently verify the information received in the context of its review. It should also be noted that the speed at which NSIRA receives information before the verification stage remains important, as any delays in receiving information have the potential to impede NSIRA’s ability to fulfill its mandate.
To encourage greater accountability in the year ahead, NSIRA intends to establish more formal guidelines for the provision of information by departments and agencies, including targets for the timeliness of responses to requests for information, and a framework for reporting publicly on the above.
As a new organization, NSIRA continued to staff its CSE Review Team in 2020, in addition to improving its overall understanding of CSE’s remit. NSIRA acknowledges the need to continue consolidating its familiarity and expertise with CSE and various aspects related to CSE’s functions. Similarly, CSE—which built a close relationship with OCSEC over some 23 years of review — is in the process of building its own familiarity with NSIRA and its mandate. NSIRA also acknowledges that reviews of CSE’s functions can be particularly sensitive, for example, because of the high volume of highly classified special information content.
NSIRA thanks CSE for timely assistance in providing publicly-releasable information for this annual report, much of which has not previously been made public. NSIRA feels that this reflects steps by CSE toward increased transparency to Canadians. Further, NSIRA is grateful for regular support from CSE’s Information Technology services in helping with secure communications.
One key reason for creating NSIRA was to ensure scrutiny of Canadian national security and intelligence departments and agencies that did not already have dedicated review bodies. To this end, the NSIRA Act provides the legal foundation to “review any activity carried out by a department that relates to national security or intelligence.” As would be expected, selecting which departments and agencies outside of CSIS and CSE require examination is complex and must be continuously updated in tandem with the ever-changing national security landscape.
In addition to selecting specific departments for review, NSIRA is developing an integrated review framework that addresses broad-based national security and intelligence issues both horizontally and vertically across departments and agencies. This is in addition to the yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, which when considered cumulatively, provide the opportunity to cover the entire community.
As previously mentioned in section 1 of this report, NSIRA is working with departments and agencies across government to design a process where the information provided for a review is corroborated and verified for completeness. NSIRA calls this the trust but verify principle: NSIRA trusts departments to provide access to information, people and assets in a timely manner, while having mechanisms in place to allow the agency to independently verify the completeness of the access.
It is also important to note that NSIRA works closely with the NSICOP and the OPC to share review plans and de-conflict when reviews touch on similar subjects.
Beyond CSIS and CSE, NSIRA initiated reviews with the following departments and agencies in 2020:
As well, through the yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has engaged with all departments and agencies that make up the Canadian national security and intelligence community.
The following sections outline reviews completed or initiated in 2020, by department or agency, as well as some planned future reviews.
The Canadian Forces National Counter-Intelligence Unit (CFNCIU) falls under the Canadian Forces Intelligence Group within Canadian Forces Intelligence Command and is organized along Regional Detachments. CFNCIU’s activities involve investigating and reporting counter-intelligence threats that pose a security risk to DND/CAF, supporting CAF operations to enhance force posture and operational security, coordinating exchanges of threat information with security partners, and providing early warning. CFNCIU’s primary responsibility is the collection of security intelligence for integration into national or local threat assessments.
The investigative framework for CFNCIU is unique insofar as it covers a broad range of security intelligence concerns similar to those of CSIS, yet is limited in investigative scope to DND/CAF information, people and assets (i.e. nexus to DND/CAF). Unlike CSIS, CFNCIU does not collect expansively on threats given the need for a nexus; and unlike a Departmental Security Officer, CFNCIU does not conduct investigations on issues regarding policy compliance, or security issues involving inappropriate behavior by employees that do not point to an obvious threat. Furthermore, CFNCIU does not have responsibility for security screening or criminal investigations. The investigative scope of CFNCIU is therefore best understood as occupying a very narrow space above those related to discipline and security screening, yet falling below criminal thresholds.
This review examined CFNCIU’s domestic efforts at investigating counter-intelligence threats posed to DND/CAF, the rationale used by CFNCIU for justifying investigations, and the associated investigative activities that follow. In this context, the review specifically sought to provide an initial understanding of the DND/CAF governance framework, as well as how CFNCIU views threats, collects intelligence, engages in cooperation and applies analysis. Particular attention was paid to CFNCIU’s legal foundations, processes and procedures, and how they contribute to safeguarding against insider-threat scenarios. NSIRA also reviewed how intelligence derived from investigations was conveyed to DND/CAF decision-makers. The full review is currently being redacted and should be released on NSIRA’s website soon.
NSIRA found that CFNCIU and other DND/CAF security components have been organized into narrowly focused vertical silos that do not work in an integrated manner. While CFNCIU adhered to internal policies used to initiate investigations, it did not have a formalized process to help guide investigation prioritization based on relevant criteria. It was also evident that CFNCIU required clarity on its legal authorities, to ensure the proper sharing of information in support of administrative and criminal processes.
NSIRA further identified the need for DND/CAF to empower CFNCIU to make full use of its investigative capabilities to reduce investigative durations, an issue that NSIRA found runs contrary to the sound safeguarding practices of DND/CAF information, people, and assets.
Moreover, NSIRA’s review found that CFNCIU did not adequately consider the cumulative effect of its counter-intelligence activities in relation to an investigation subject’s privacy, raising questions about the adequacy of CFNCIU’s efforts to ensure procedural fairness and prompting NSIRA to recommend that CFNCIU seek advice from the OPC. NSIRA also observed that CFNCIU’s information sharing regime was not compliant with Government of Canada policies for safeguarding information, people, and assets.
The presence of white supremacy within the Canadian military has been well documented. White supremacist groups actively seek individuals with prior military training and experience, or conversely, encourage individuals to enlist in order to gain access to specialized training, tactics and equipment. Although NSIRA acknowledges that the responsibility for addressing this threat cannot fall uniquely on the shoulders of CFNCIU, the review’s multiple findings lead to concern that CFNCIU may not be fully utilized to proactively identify white supremacists across DND/CAF. After examination of case studies and interviews with CFNCIU investigators, the review found that white supremacy poses an active counter-intelligence threat to DND/CAF, and that the CFNCIU’s mandate to proactively identify this threat is limited.
Finally, following some concerns identified in the later stages of this review, NSIRA will carry out a case study of CFNCIU computer searches and interview processes in 2021 to assess whether these activities were Charter-compliant.
DND/CAF agreed with NSIRA’s recommendations, and stated that they welcome the review report. DND/CAF agreed that action will be taken at the appropriate levels in conjunction with required expertise and offices, noting that work in this regard has commenced, and that some of NSIRA’s recommendations are already being addressed. For example, DND/CAF are working to complete a Privacy Impact Assessment of Defence Intelligence activities, and will engage the OPC for further input once this assessment is completed.
NSIRA launched a review of the Defence Intelligence Enterprise to map intelligence collection, and obtain information on the governance frameworks, authorities and structures of defence intelligence with a view towards assisting future review planning. This information was further supplemented by a corollary review of Intelligence Oversight, Review and Compliance within DND/CAF’s defence intelligence system. Although there are no findings or recommendations stemming from these inquiries, NSIRA members will receive a briefing note and presentation from NSIRA staff on key observations gained through this process. The expected completion is fall of 2021.
NSIRA has also begun to follow up on issues identified during last year’s CFNCIU review. NSIRA’s Counter-Intelligence Operational Collection and Privacy Review will further examine CFNCIU’s practices concerning subject interview and database access to information management/information technology systems; this latter assessment will require access by NSIRA staff to DND/CAF computer networks to validate how these systems are used when conducting counter-intelligence inquiries.
NSIRA has also initiated an examination of DND/CAF’s human intelligence (HUMINT) capabilities, primarily through review of the governance of this specialized collection activity. The review will cover the evolution of HUMINT within DND/CAF, including consideration of recent internal initiatives aimed at improving governance and guidance for HUMINT. In the fall of 2021 NSIRA staff will travel to DND/CAF’s HUMINT training centre, and will conduct wide-ranging interviews of HUMINT senior leadership, trainers, and practitioners. The review will lay the foundation for a full operational review of HUMINT sources in various theatres of operation.
As a result of recent disclosures from DND/CAF through the Scoping Review of the Defence Intelligence Enterprise, NSIRA will also examine DND/CAF’s Open Source Intelligence and Medical Intelligence collection activities beginning at the end of 2021. This review will assess the governance and compliance of these activities.
COVID-19 has affected timelines and scheduling significantly, resulting in delays of up to six months. While COVID presented challenges affecting timelines and impacting review work, both DND/CAF and the National Security and Intelligence Review and Oversight Coordination Secretariat were attentive to NSIRA requests, providing access to information, people and assets when required.
NSIRA completed its first dedicated review of a Global Affairs Canada program. The review period was January 1, 2017 to December 31, 2019, although information from outside this period was used to conduct a full assessment of specific aspects of this program. Challenges related to COVID-19 resulted in methodological adjustments such as the use of secure video-teleconferencing in place of in-person interviews for some of the employees.
While clients of the program find it both unique and valuable to the Government of Canada, the review identified several areas of improvement. NSIRA made a number of recommendations aimed at improving this program. Global Affairs Canada has agreed to “positively address all of the recommendations” and has committed to responding to NSIRA in the near future. Due to the highly sensitive nature of this review, NSIRA will not be publishing anything further at this time.
In 2021, NSIRA will finish a review of a specialized RCMP intelligence unit, and it will launch a review of the RCMP’s National Security Program’s human source activities. Going forward, NSIRA plans to increase the number of reviews involving the RCMP. For example, the agency will review how the RCMP and CSIS have responded to the threat posed by ideologically motivated violent extremism.
NSIRA is currently conducting a scoping review of Immigration, Refugees and Citizenship Canada in order to delineate its national security role and responsibilities. While the department has no intelligence collection programs, Immigration, Refugees and Citizenship Canada has an intricate mandate with shared legal authorities and operational responsibilities for ensuring the integrity of the immigration system and mitigating threats to national security from abroad.
NSIRA has initiated its plan to conduct in-depth reviews of the most sensitive security and intelligence activities of the Canada Border Services Agency (CBSA), as identified by NSICOP: scenario-based targeting, surveillance, confidential human sources, lookouts and joint force operations. A review of air passenger targeting is currently underway, focusing on how the CBSA uses predictive analyses, including what is termed “scenario-based targeting,” to identify inbound air travellers for further scrutiny in relation to national security threats. Reviews of the CBSA’s use of confidential human sources and surveillance activities are slated for completion in 2022.
On September 4, 2019, the Governor in Council issued written directions to the Deputy Heads of 12 departments and agencies under the new Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act). The Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Avoiding Complicity Act and the directions lay out a series of requirements that need to be met or implemented by departments when handling information. Under subsection 8(2.2) of the NSIRA Act, NSIRA is required to annually review implementation of all directions sent to departments and agencies.
While this was the inaugural annual review under the NSIRA Act, it builds on previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on Information Sharing with Foreign Entities is an example. NSIRA is building on this previous review and strongly supports that review’s findings and recommendations. It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period. The full 2019 review of the Avoiding Complicity Act has been redacted and released on its website.
To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Avoiding Complicity Act and the directions. The responses and associated information captured departmental activities related to the Avoiding Complicity Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions, and look closely at specific cases and departmental legal opinions to guide review findings.
While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments were employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related to the Avoiding Complicity Act is not a requirement for implementation; however, NSIRA believes that there is value in such an approach.
Additionally, as the directives received under the Avoiding Complicity Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the departments and agencies to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, and also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Avoiding Complicity Act across the community.
Enacted in 2019, the purpose of the Security of Canada Information Disclosure Act (SCIDA) is to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada. NSIRA has a statutory requirement to conduct an annual review of disclosures made under the SCIDA.
In 2020, NSIRA completed the 2019 Annual Report on the Disclosure of Information under the Security of Canada Information Disclosure Act. The report covers the period from when SCIDA came into force on June 21, 2019 to December 31 of that year. During the reporting period, federal institutions made 114 disclosures of information under SCIDA. The report notes that institutions made good progress in institutionalizing this new legislation. The report provides historical and contextual information on SCIDA and how it fits alongside other legal mechanisms for the sharing of information. The report also includes anonymized scenario examples of SCIDA disclosures, and criteria for future assessment. NSIRA intends to work closely with the OPC for future iterations of this report. Outcomes of NSIRA’s subsequent review of disclosures under SCIDA will be discussed in the 2020 report on the disclosure of information under SCIDA.
NSIRA has advanced its commitment made last year to map the collection and use of biometrics across the government in relation to its security and intelligence activities. A horizontal review of biometrics in the border continuum is currently underway, focusing on activities conducted by the CBSA, Immigration, Refugees and Citizenship Canada and Transport Canada. The activities under review include the issuance and verification of travel documents — with an emphasis on air travel — and the screening of foreign nationals seeking admission to Canada. A subsequent review will examine the use of biometrics in security intelligence and national security related policing activities.
Given the ongoing pandemic and lessons emerging from current reviews, in some instances NSIRA has modified the plan put forward in NSIRA’s 2019 Annual Report. Its work on economic security, for example, benefited from a scoping exercise involving several departments to help it better understand the authorities in this area, and to help it determine whether to pursue further work on this issue. Similarly, following a scoping exercise, a decision on whether to review public health intelligence awaited considerations of the conclusions of an independent report commissioned by the Minister of Health in this area that has now been released.
Over the next year, NSIRA will continue to engage with departments and agencies through focused reviews. Some of these will be organized around broad horizontal themes that may include multiple departments, requiring a coordinated approach. NSIRA is committed to working collaboratively with departments, particularly on the establishment of an access regime that supports independent verification and accountability.
The pandemic has had an adverse impact on the timely conduct of NSIRA’s investigations. As of March 2020, inevitable delays resulted from the provincial stay-at-home orders and public health guidelines that were issued. Just as NSIRA was affected by limited access to classified documents as a result, so too were the federal government parties to investigations that are obliged to provide information to NSIRA. Consequently, in several ongoing matters, NSIRA granted adjournments and extensions of deadlines for procedural steps, including the filing of submissions and evidentiary material. While this was regrettable, NSIRA adapted to the challenging circumstances of the pandemic as best as possible and advanced investigative procedures in an innovative manner whenever possible, such as conducting some proceedings in writing and holding case management conferences and meetings virtually.
Despite the procedural setbacks in 2020, NSIRA was able to complete one complaint investigation and issue a final report. NSIRA also issued formal decisions to close three other files. In addition, it succeeded in completing a complex process reform initiative that will see the modernization and streamlining of the investigative process.
While the pandemic affected complaints investigations, NSIRA made considerable progress on reforming the processes governing such investigations. In the course of the year, NSIRA undertook a process reform initiative to modernize the complaints investigation model to meet its goal of ensuring efficiency and transparency. Two priorities guided the modernization of the process, namely, access to justice for self-represented complainants and the creation of streamlined and less formal procedural steps.
NSIRA created new Rules of Procedure to reflect this new model and completed an extensive consultation exercise with stakeholders in the public and private sectors to achieve the most effective and considered final product. These new Rules of Procedure have been in effect since July 2021.
NSIRA also implemented a new policy statement that provides a commitment to the public to increase transparency in its investigations by publishing redacted and de-personalized complaints investigation reports.
In the year ahead, NSIRA will update its website to include improved procedural guidance to inform members of the public on how to make complaints and navigate the investigative process. Part of the update to NSIRA’s website will involve implementing a secure portal for the online filing of complaints and for protected communications to assist in effectively managing NSIRA’s complaints case load.
In the future, NSIRA also plans on conducting a trend analysis for complaints, which will involve a broad initiative to appropriately collect race-based and other demographic information. The objectives of this initiative are to improve access to justice by improving awareness and understanding of the investigation process. The overall aim is to document the different groups among civilian complainants and identify the frequency of complaints that include allegations of racial or other forms of bias, and to determine whether there are disparities; whether there are differences with respect to the types of complaints made against national security and intelligence organizations based on different groups; whether complaints investigation outcomes vary by group; and whether civilian satisfaction with NSIRA’s investigation process varies by group.
On concluding efforts to case manage NSIRA’s ongoing investigations in the context of the challenges presented by the pandemic in 2020, NSIRA will look ahead to the coming year with a reformed investigation process that will assist in implementing modern and fair procedures to advance these cases, complemented by an improved website that will promote access and transparency in the investigations process.
NSIRA will also see a substantial increase in its caseload in 2021 as a result of close to 60 new investigations added to its existing inventory. These complaints were referred to NSIRA in April 2021 by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act. This high-volume caseload will significantly challenge NSIRA’s case management. NSIRA will be implementing procedural efficiencies as much as possible while meeting procedural fairness requirements.
Background
The Complainant filed a complaint against CSIS requesting an investigation of CSIS’s role or involvement in the cancellation and/or denial of site access screening requests for employment with a private company at a government building.
Allegation
The Complainant alleged CSIS improperly used information collected and made an improper inference of a security threat which led to the denial of a site access clearance.
Investigation
NSIRA considered the evidence given by summoned witnesses, the documentation submitted by the parties as well as other relevant material made available during the course of the investigation of the complaint, including classified documents disclosed to NSIRA by CSIS. NSIRA also heard evidence provided by the Complainant.
Sections 13 and 15 of the CSIS Act give CSIS the authority to provide security assessments to departments of the Government of Canada and to conduct investigations as required. CSIS receives applications from government departments for persons seeking a security clearance or site access clearance, and its role is defined in section 2 of the CSIS Act. CSIS presented evidence on the steps that are followed in CSIS’s process, the Treasury Board Secretariat’s Standard on Security Screening, and the fact that the client department decides whether to grant a clearance. As such, CSIS only provides background information and an assessment from a national security perspective so that government departments have the information they need to make an informed decision.
NSIRA also heard evidence from CSIS with respect to some information shared with the client department that requested the site access clearance and how it pertained to both reliability and loyalty. CSIS acknowledged that some information shared with the client department took place in an informal setting and that it should not have occurred in such a way. It was noted that after open source information was shared, the client department cancelled its request and CSIS closed its file.
The Complainant expressed a belief that CSIS was responsible for denying his application for a site access clearance.
NSIRA acknowledged the Complainant’s perception that CSIS denied his request for a site access clearance, but the evidence demonstrated that CSIS did not make the decision. The decision was made by the government department and CSIS had no further involvement in the matter.
Findings
NSIRA found that:
Conclusion
NSIRA determined that the complaint is unsupported.
The Complainant filed a complaint against CSIS about the sharing of information with foreign authorities that led to having difficulty with border crossings. NSIRA commenced its investigation and had an informal case management conference with the parties for the purposes of resolving the complaint. As a result of this resolution meeting, the Complainant undertook to take steps to resolve any ongoing issues. NSIRA attempted to communicate with the Complainant on several occasions to determine whether the ongoing issues were resolved. NSIRA determined that reasonable attempts had been made to communicate with the Complainant and issued reasons deeming the complaint abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.
The Complainant filed a complaint against CSIS alleging that it caused a significant delay in submitting the security assessment for a permanent residency application. During the investigation, NSIRA attempted to communicate with the Complainant on several occasions regarding the possibility of engaging in informal resolution discussions with CSIS. NSIRA determined that reasonable attempts had been made to communicate with the Complainant and issued reasons deeming that the complaint had been abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.
This complaint was referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP, pursuant to subsection 45.53(4.1) of the RCMP Act. The complaint alleged that members of the Royal Canadian Mounted Police (RCMP) failed to inform the Complainant of the Complainant’s rights and obligations during an interaction that occurred the day before an arrest for a terrorism hoax and public mischief, use of excessive force and other allegations. During the course of launching its investigation, NSIRA attempted to establish contact with the Complainant on several occasions. NSIRA found that reasonable attempts had been made to communicate with the Complainant and had exhausted all options. Accordingly, NSIRA issued reasons deeming the complaint had been abandoned as per NSIRA’s Rules of Procedure. The complaint investigation file was closed.
In 2020, NSIRA’s teams worked under exigent conditions and yet were able to outperform. NSIRA is grateful to them for having conducted the reviews in an efficient manner. As mentioned in this annual report, NSIRA has ambitious plans for ongoing and future work, all while continuing to grow its own capacity and to strengthen its relationships with the departments and agencies under its review. In 2020, NSIRA’s staff complement grew from 30 to 58 individuals, its CSE Review Team began operations in offices on site at CSE, and NSIRA neared completion of a new facility for staff, all while carefully and responsibly adapting to the challenges of the pandemic.
In the spirit of coordinating and complementing other review and oversight entities, NSIRA continued to strengthen its relationships with various counterparts, including the Five Eyes Intelligence Oversight and Review Council, the National Security and Intelligence Committee of Parliamentarians, and the Office of the Privacy Commissioner of Canada. NSIRA also remains dedicated to robust and mutually beneficial engagement with non-governmental stakeholders. NSIRA hopes both to raise awareness of its mandate amongst various communities — including students — as well as to receive input to help further its work and refine its agenda. NSIRA strongly encourages feedback and input and hopes you found this report useful and helpful. No matter your background, please reach out to us and share your thoughts about this report, as well as NSIRA’s review and complaints work.
NSIRA is very grateful for the perseverance, diligence, and passion of its staff for continuing to produce meaningful work and achieve important results despite the challenges of the pandemic in 2020. As NSIRA grows as an organization, including in staff numbers, it looks forward to continuing to promote accountability in the Canadian security and intelligence community.
On February 10, 2021, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of the CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation.
NSIRA’s review found that in the specific region, the agencies have developed a strong relationship that has fostered effective tactical de-confliction of operational activities. Nonetheless, technological constraints are making CSIS-RCMP de-confliction excessively burdensome and time-consuming. Furthermore, NSIRA observed a general reluctance on the part of both agencies to connect CSIS information to an RCMP investigation.
NSIRA found that the current framework guiding the CSIS-RCMP relationship sets out principles and guidelines to manage the risks of interaction and information sharing between the two agencies; however, it left fundamental issues related to the “intelligence-to-evidence” problem unresolved.
On the whole, NSIRA found that CSIS and the RCMP have made little progress in addressing the threat under investigation. Moreover, CSIS and the RCMP do not have a shared vision or complementary strategy to address the threat.
Publishing this summary aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work. Going forward, NSIRA will review CSIS and the RCMP’s implementation of the Operational Improvement Review which set out ambitious recommendations to improve the way in which CSIS and the RCMP jointly manage threats.
Status: Published
Review Number: 19-04
This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2021-22 Main Estimates.
A summary description of the National Security and Intelligence Review Agency Secretariat (NSIRA) program activities can be found in Part II of the Main Estimates. For information on the mandate of NSIRA, please visit its website at https://nsira-ossnr.gc.ca.
This quarterly report has not been subject to an external audit or review.
The NSIRA is an independent external review body, which reports to Parliament. NSIRA was established in July of 2019 and is responsible for conducting reviews of the Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and activities. NSIRA replaces the Security Intelligence Review Committee (SIRC), which reviewed CSIS (Canadian Security Intelligence Service) activities as well as those related to the revocation or denial of security clearances. It also hears complaints regarding the Communications Security Establishment (CSE), as well as national security-related complaints regarding the RCMP.
This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the department’s spending authorities granted by Parliament and those used by the department, consistent with the 2021-22 Main Estimates. This quarterly report has been prepared using a special purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.
The authority of Parliament is required before moneys can be spent by the Government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authority for specific purposes.
This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended June 30, 2021.
NSIRA spent approximately 9% of its authorities by the end of the first quarter, compared to 5% in the same quarter of 2020-21 (see graph 1 below).

| (in millions of dollars) | 2021-22 | 2020-21 |
|---|---|---|
| Total Authorities | $30.2 | $24.3 |
| Q1 Expenditures | $2.8 | $1.2 |
As per graph 2 below as at June 30, 2021, NSIRA had authorities available for use of $30.2 million in 2021-22 compared to $24.3 million as of June 30, 2020, for a net increase of $5.9 million or 24.3%.

| (in millions of dollars) | Fiscal year 2020-21 total available for use for the year ended March 31, 2021 | Fiscal year 2021-22 total available for use for the year ended March 31, 2022 |
|---|---|---|
| Vote 1 – Operating | $22.8 | $28.5 |
| Statutory | $1.5 | $1.7 |
| Total budgetary authorities | $24.3 | $30.2 |
The authorities’ increase of $5.9 million is mostly explained by the ramp-up of approved funding for the mandate of NSIRA and the approval of a funding reprofile into fiscal year 2021-22 for accommodation and infrastructure projects.
The first quarter expenditures totaled $2.7M for an increase of $1.5M when compared to $1.2M spent during the same period in 2020-21. Table 1 below presents budgetary expenditures by standard object.
(in thousands of dollars)
| Material Variances to Expenditures by Standard Object | YTD Expenditures as of June 30, 2021 | YTD Expenditures as of June 30, 2020 | Variance $ | Variance % |
|---|---|---|---|---|
| Personnel | 2,312 | 1,111 | 1,201 | 108% |
| Transportation and communications | 13 | 7 | 6 | 86% |
| Information | 2 | 50 | (48) | (96%) |
| Professional and special services | 196 | 68 | 128 | 188% |
| Repair and maintenance | 8 | 0 | 8 | 100% |
| Utilities, materials and supplies | 3 | 9 | (6) | (67%) |
| Acquisition of machinery and equipment | 216 | 0 | 216 | 100% |
| Other subsidies and payment | 12 | 0 | 12 | 100% |
| Total gross budgetary expenditures | 2,762 | 1,246 | 1,516 | 122% |
The increase of $1.2M relates to additional staffing to support NSIRA’s departmental mandate as well as higher statutory expenditures in 2021-22.
The increase of $6K is mainly explained by the relocation of an employee.
The decrease of $48K is explained by lower expenditures for electronic subscriptions.
The increase of $128K is mainly due to contracts in management consulting, including procurement and business advisory services.
The increase of $8K is explained by office accommodation fit-up costs.
The decrease of $6K is mainly explained by lower expenditures for cleaning supplies and personal protective equipment for the pandemic over the previous year.
The increase of $216K is mainly explained by the acquisitions of informatics equipment and related cyber security products.
The increase of $12K is due to multiple payroll system overpayments processed in the first quarter of 2021-22.
The COVID-19 pandemic had a significant impact on the ability of NSIRA to grow its organization in a way that is commensurate with its new mandate. The physical distancing requirements decreased the ability of staff to concurrently work with departments and agencies subject to reviews. In light of that, NSIRA revised its Review Plan and has advanced the introduction of a new approach to the review of complaints.
The ability to hire a sufficient number of qualified personnel within relevant timelines remains a short- and medium-term risk for NSIRA, particularly given the specialized knowledge and skillset required for many positions. This is further compounded by the requirement for candidates to obtain a Top Secret security clearance, which can incur significant delays, especially during the pandemic.
While NSIRA has been able to secure temporary space to address its immediate space requirements, significant delays have been incurred for the fit-up of this space due to the pandemic. NSIRA is working closely with Public Services and Procurement Canada and Shared Services Canada to expedite the office expansion plans.
The ability of NSIRA to access the information it needs to do its work and speak to the relevant stakeholders to understand policies, operations and ongoing issues is closely tied to the reviewed departments’ and agencies’ capacity to respond to the demands of NSIRA. The pandemic impacts including the ability to conduct classified work at the workplace combined with existing resource constraints of the reviewed departments and agencies continue to delay the conduct of reviews.
NSIRA is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls, which were implemented in 2016.
Mitigation measures for the risks outlined above have been identified and are factored into NSIRA’s approach to the conduct of its mandate.
The pandemic forced changes in the way NSIRA conducts operations. The requirement for physical distancing and the existing challenge with respect to the high security zone accommodation has led NSIRA to authorize staff to work with non-sensitive files from home.
In late March 2021, NSIRA was the victim of a cyber attack on its public network. The attack did not affect its classified networks. That attack has led NSIRA to change its Information Technology (IT) operating model, and NSIRA has since been using the Privy Council Office IT infrastructure for the conduct of its unclassified and up to Protected B activities.
The Honourable Marie Deschamps has also recently been named interim Chair for NSIRA.
There have been no changes to the NSIRA Program.
John Davies
Deputy Head
Pierre Souligny
Senior Director, Corporate Services, Chief Financial Officer
(in thousands of dollars)
| | Fiscal year 2021–22: Total available for use for the year ending March 31, 2022 (note 1) | Fiscal year 2021–22: Used during the quarter ended June 30, 2021 | Fiscal year 2021–22: Year to date used at quarter-end | Fiscal year 2020–21: Total available for use for the year ending March 31, 2021 (note 1) | Fiscal year 2020–21: Used during the quarter ended June 30, 2020 | Fiscal year 2020–21: Year to date used at quarter-end |
|---|---|---|---|---|---|---|
| Vote 1 – Net operating expenditures | 28,490 | 2,336 | 2,336 | 22,801 | 875 | 875 |
| Budgetary statutory authorities | | | | | | |
| Contributions to employee benefit plans | 1,705 | 426 | 426 | 1,484 | 371 | 371 |
| Total budgetary authorities (note 2) | 30,195 | 2,762 | 2,762 | 24,285 | 1,246 | 1,246 |
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
(in thousands of dollars)
| | Fiscal year 2021–22: Planned expenditures for the year ending March 31, 2022 (note 1) | Fiscal year 2021–22: Expended during the quarter ended June 30, 2021 | Fiscal year 2021–22: Year to date used at quarter-end | Fiscal year 2020–21: Planned expenditures for the year ending March 31, 2021 | Fiscal year 2020–21: Expended during the quarter ended June 30, 2020 | Fiscal year 2020–21: Year to date used at quarter-end |
|---|---|---|---|---|---|---|
| Expenditures | | | | | | |
| Personnel | 13,222 | 2,312 | 2,312 | 11,510 | 1,111 | 1,111 |
| Transportation and communications | 673 | 13 | 13 | 1,162 | 7 | 7 |
| Information | 375 | 2 | 2 | 364 | 50 | 50 |
| Professional and special services | 5,904 | 196 | 196 | 3,250 | 68 | 68 |
| Rentals | 188 | 0 | 0 | 237 | 0 | 0 |
| Repair and maintenance | 8,737 | 8 | 8 | 7,134 | 0 | 0 |
| Utilities, materials and supplies | 103 | 3 | 3 | 173 | 9 | 9 |
| Acquisition of machinery and equipment | 991 | 216 | 216 | 393 | 0 | 0 |
| Other subsidies and payments | 0 | 12 | 12 | 63 | 0 | 0 |
| Total gross budgetary expenditures (note 2) | 30,195 | 2,762 | 2,762 | 24,285 | 1,246 | 1,246 |
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2020-21 Main Estimates.
A summary description of the National Security and Intelligence Review Agency Secretariat (NSIRA) program activities can be found in Part II of the Main Estimates. For information on the mandate of NSIRA, please visit its website at http://www.nsira-ossnr.gc.ca.
NSIRA is an independent external review body, which reports to Parliament. NSIRA was established in July of 2019 and is responsible for conducting reviews of Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and activities.
NSIRA replaces the Security Intelligence Review Committee (SIRC), which reviewed CSIS (Canadian Security Intelligence Service) activities as well as those related to the revocation or denial of security clearances. It also hears complaints regarding the Communications Security Establishment (CSE), as well as national security-related complaints regarding the RCMP.
This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the department’s spending authorities granted by Parliament and those used by the department, consistent with the 2020-21 Main Estimates. This quarterly report has been prepared using a special purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.
The authority of Parliament is required before moneys can be spent by the Government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authority for specific purposes.
This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended December 31, 2020.
NSIRA spent approximately 28% of its authorities by the end of the third quarter, compared to 15% in the same quarter of 2019-20 (see graph 1 below).

| (in millions of dollars) | 2020-21 | 2019-20 |
|---|---|---|
| Total Authorities | $24.0 | $24.8 |
| Q3 Expenditures | $2.7 | $2.0 |
| Year-to-Date Expenditures | $6.6 | $3.8 |
As shown in graph 2 below, as at December 31, 2020, NSIRA had authorities available for use of $24.0 million in 2020-21 compared to $24.8 million as of December 31, 2019, for a net decrease of $0.8 million or 3.2%.

| (in millions of dollars) | Fiscal year 2019-20 total available for use for the year ended March 31, 2020 | Fiscal year 2020-21 total available for use for the year ended March 31, 2021 |
|---|---|---|
| Vote 1 – Operating | $23.6 | $22.6 |
| Statutory | $1.2 | $1.4 |
| Total budgetary authorities | $24.8 | $24.0 |
The authorities’ decrease of $0.8 million is mostly explained by a transfer of funding to CSE for the fit-up and maintenance of office space.
The third quarter expenditures totaled $2.7M for an increase of $0.7M when compared to $2.0M spent during the same period in 2019-20. Table 1 below presents budgetary expenditures by standard object.
| Material Variances to Expenditures by Standard Object | Fiscal year 2020-21: expended during the quarter ended December 31, 2020 | Fiscal year 2019-20: expended during the quarter ended December 31, 2019 | Variance $ | Variance % |
|---|---|---|---|---|
| Personnel | 1,732 | 1,504 | 228 | 15% |
| Transportation and communications | 19 | 99 | (80) | (81%) |
| Information | 37 | 3 | 34 | 1133% |
| Professional and special services | 389 | 377 | 12 | 3% |
| Rentals | 41 | 4 | 37 | 925% |
| Repair and maintenance | 189 | 47 | 142 | 302% |
| Utilities, materials and supplies | 21 | 14 | 7 | 50% |
| Acquisition of machinery and equipment | 257 | 6 | 251 | 4183% |
| Other subsidies and payment | (13) | (68) | 55 | (81%) |
| Total gross budgetary expenditures | 2,671 | 1,985 | 686 | 35% |
* Details may not sum to totals due to rounding
The increase of $0.2M relates to additional staffing to support NSIRA’s new departmental mandate as well as higher statutory expenditures in 2020-21.
The decrease of $80K is mainly explained by the absence of travel due to the COVID-19 pandemic.
The increase of $34K is explained by a contract for communication services.
The increase of $37K is mostly due to new fees paid for the maintenance of NSIRA’s Finance and HR systems.
The increase of $142K is explained by office accommodation fit-up costs.
The increase of $7K is mainly explained by higher expenditures for cleaning supplies and personal protective equipment due to the pandemic.
The increase of $251K is mainly explained by furniture acquisitions and office redesign to accommodate more employees and to equip NSIRA personnel to work from home.
The increase of $55K is explained by fewer salary overpayment recoveries processed in the third quarter of 2020-21 compared to 2019-20.
Year-to-date expenditures recorded to the end of the third quarter totaled $6.7M for an increase of $2.8M when compared to the same year-to-date expenditures in 2019-20. Table 2 below presents budgetary expenditures by standard object.
| Material Variances to Expenditures by Standard Object | YTD Expenditures as of 31 December, 2020 | YTD Expenditures as of 31 December 2019 | Variance $ | Variance % |
|---|---|---|---|---|
| Personnel | 5,072 | 2,814 | 2,258 | 80% |
| Transportation and communications | 37 | 184 | (147) | (80%) |
| Information | 78 | 7 | 71 | 1014% |
| Professional and special services | 731 | 555 | 176 | 32% |
| Rentals | 104 | 43 | 61 | 142% |
| Repair and maintenance | 247 | 53 | 194 | 366% |
| Utilities, materials and supplies | 28 | 20 | 8 | 40% |
| Acquisition of machinery and equipment | 300 | 35 | 265 | 757% |
| Other subsidies and payment | 28 | 76 | (48) | (63%) |
| Total gross budgetary expenditures | 6,626 | 3,786 | 2,840 | 75% |
Details may not sum to totals due to rounding
The increase of $2.3M is mainly explained by additional staffing to support NSIRA’s new departmental mandate as well as higher statutory payments.
The decrease of $147K is mainly explained by the absence of travel due to the COVID-19 pandemic.
The increase of $71K is explained by higher expenditures for electronic subscriptions and communication consultants.
The increase of $176K is mainly due to additional management consulting contracts.
The increase of $61K is mostly explained by new fees paid for the maintenance of NSIRA’s corporate information technology systems.
The increase of $194K is mainly due to office accommodation fit-up costs.
The increase of $8K is mainly explained by higher expenditures of cleaning supplies and personal protective equipment due to the pandemic.
The increase of $265K is mainly explained by furniture acquisitions and office redesign to accommodate more employees and to support home offices.
The decrease of $48K is due to multiple salary overpayments processed in the first three quarters of 2019-20.
The COVID-19 pandemic had a significant impact on the ability of NSIRA to grow its organization in a way that is commensurate with its new mandate. The physical distancing requirements decreased the ability of staff to concurrently work with departments and agencies subject to reviews. In light of that, NSIRA revised its Review Plan and has advanced the introduction of a new approach to the review of complaints.
The ability to hire a sufficient number of qualified personnel within relevant timelines remains a short- and medium-term risk for NSIRA, particularly given the specialized knowledge and skillset required for many positions. This is further compounded by the requirement for candidates to obtain a Top Secret security clearance, which can incur significant delays, especially during the pandemic.
While NSIRA has been able to secure temporary space to address its immediate space requirements, significant delays have been incurred for the fit-up of this space due to the pandemic. The timing at which staff will be able to operate within this high security zone has yet to be determined. NSIRA is working closely with Public Services and Procurement Canada and Shared Services Canada to expedite the office expansion plans.
The ability of NSIRA to access the information it needs to do its work and speak to the relevant stakeholders to understand policies, operations and ongoing issues is closely tied to the reviewed departments’ and agencies’ capacity to respond to the demands of NSIRA. The pandemic impacts including the ability to conduct classified work at the workplace combined with existing resource constraints of the reviewed departments and agencies could delay NSIRA’s ability to deliver on its mandate in a timely way.
NSIRA is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls, which were implemented in 2016.
Mitigation measures for the risks outlined above have been identified and are factored into NSIRA’s approach to the conduct of its mandate.
The pandemic forced changes in the way NSIRA conducts operations. The requirement for physical distancing and the existing challenge with respect to the high security zone accommodation has led NSIRA to authorize staff to work with non-sensitive files from home.
In September 2020, Murray Rankin stepped down as Chair of NSIRA. The Honourable L. Yves Fortier was named acting Chair until the end of his term. Since then, the Honourable Dr. Ian Holloway acted as Chair, and now the Honourable Marie-Lucie Morin has been reappointed as acting Chair.
In addition, Faisal Mirza has been appointed as a new member of NSIRA.
John Davies
Deputy Head
Pierre Souligny
Senior Director, Corporate Services, Chief Financial Officer
(in thousands of dollars)
| | Fiscal year 2020–21: Total available for use for the year ending March 31, 2021 (note 1) | Fiscal year 2020–21: Used during the quarter ended December 31, 2020 | Fiscal year 2020–21: Year to date used at quarter-end | Fiscal year 2019–20: Total available for use for the year ending March 31, 2020 (note 1) | Fiscal year 2019–20: Used during the quarter ended December 31, 2019 | Fiscal year 2019–20: Year to date used at quarter-end |
|---|---|---|---|---|---|---|
| Vote 1 – Net operating expenditures | 22,565 | 2,300 | 5,513 | 23,618 | 1,854 | 3,392 |
| Budgetary statutory authorities | | | | | | |
| Contributions to employee benefit plans | 1,484 | 371 | 1,113 | 1,240 | 131 | 394 |
| Total budgetary authorities | 24,049 | 2,671 | 6,626 | 24,858 | 1,985 | 3,786 |
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
(in thousands of dollars)
| | Fiscal year 2020–21: Planned expenditures for the year ending March 31, 2021 (note 1) | Fiscal year 2020–21: Expended during the quarter ended December 31, 2020 | Fiscal year 2020–21: Year to date used at quarter-end | Fiscal year 2019–20: Planned expenditures for the year ending March 31, 2020 | Fiscal year 2019–20: Expended during the quarter ended December 30, 2019 | Fiscal year 2019–20: Year to date used at quarter-end |
|---|---|---|---|---|---|---|
| Expenditures | | | | | | |
| Personnel | 11,512 | 1,732 | 5,072 | 8,677 | 1,504 | 2,814 |
| Transportation and communications | 1,162 | 19 | 37 | 961 | 99 | 184 |
| Information | 364 | 37 | 78 | 402 | 3 | 7 |
| Professional and special services | 3,250 | 389 | 731 | 3,353 | 377 | 555 |
| Rentals | 237 | 41 | 104 | 229 | 4 | 43 |
| Repair and maintenance | 6,681 | 189 | 247 | 9,641 | 47 | 53 |
| Utilities, materials and supplies | 173 | 21 | 28 | 179 | 14 | 20 |
| Acquisition of machinery and equipment | 293 | 257 | 299 | 1,356 | 6 | 25 |
| Other subsidies and payments | 278 | (13) | 28 | 70 | (68) | 76 |
| Total gross budgetary expenditures (note 2) | 24,049 | 2,671 | 6,626 | 24,858 | 1,985 | 3,786 |
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
NSIRA delivered its classified review to the Minister of National Defence in November 2020.
Throughout NSIRA’s review of CSE’s disclosure process, CSE responded to NSIRA requests in a timely manner and offered to provide additional context and briefings to NSIRA regarding CSE processes.
Importance of independent external review
CSE values independent, external review of our activities, and we remain committed to a positive and ongoing dialogue with NSIRA and other review and oversight bodies.
This oversight framework allows us to deliver our important mission of foreign intelligence, cyber security and foreign cyber operations in a way that demonstrates accountability, and that builds trust and confidence with Canadians.
CSE operates within a culture of compliance, grounded in our understanding of and commitment to our legal and policy regime, and evidenced by our record of self-reporting and addressing incidents and errors that may occur.
We appreciate NSIRA and their continued work to provide Canadians with greater insight and understanding of the important work that CSE does on a regular basis to keep Canadians safe.
We accept the recommendations aimed at improving our processes, yet are concerned that the overall conclusions do not fully appreciate CSE’s commitment to, and work on protection of privacy.
Canadian Identifying Information and CSE’s Commitment to Privacy
CSE is Canada’s national lead for foreign signals intelligence and cyber operations, and the national technical authority for cybersecurity. We provide critical foreign intelligence and cyber defence services for the Government of Canada (GC). Protecting Canadian information and the privacy of Canadians is an essential part of our mission.
CSE does not direct its foreign signals intelligence activities at Canadians or anyone in Canada. The CSE Act, however, recognizes that incidental collection of Canadian communications or Canadian information may occur even when targeting only foreign entities outside Canada. CSE takes very seriously our responsibility to protect Canadian privacy interests that may occur as a result of this incidental collection.
In the event that Canadian information is incidentally acquired in foreign signals intelligence collection, CSE may include obfuscated references to Canadian individuals or organizations in intelligence reporting if those references are essential to understand the foreign intelligence.
The obfuscation of this Canadian Identifying Information (CII) in reporting represents one of many layered privacy measures that are applied at different points in CSE’s end-to-end intelligence process. These include, among others, legal and policy training and on-site support for intelligence analysts, mandatory annual privacy tests for all operational employees, data tagging and auto-deletion, strict retention limits, specific handling guidelines, escalating approvals for reporting that includes CII, compliance spot checks, and separate vetting processes for disclosing obfuscated information and taking action on intelligence reporting.
Pursuant to the Privacy Act, government clients who receive CSE foreign intelligence reports may ask for obfuscated CII to be “disclosed” to them if that information relates directly to their department’s operating program or activities. Any disclosed CII is provided solely to inform their understanding of the foreign intelligence presented in the report. Government officials may not take action, share or otherwise use the CII disclosed to them under the disclosure process.
CSE continually refines its CII disclosure process. For example, to help support audit and review, CSE implemented a requirement for government clients to provide an operational justification to support their CII disclosure requests. It is important to note, however, that this is a matter of internal policy and that the Privacy Act does not require the documentation of legal authorities before information can be collected and disclosed.
Review Recommendations
CSE is committed to continuous improvement. We know that the recommendations from independent external review play an important role in that improvement. CSE has 25 years of experience working with the Office of the CSE Commissioner and now NSIRA to help improve our processes. We thank these review bodies for their work to help build trust and confidence with Canadians.
CSE continuously refines our privacy-protection measures, including those associated with the disclosure process. Improvements made over the past decade have been informed by the recommendations made by the CSE Commissioner as part of his annual reviews of CSE’s CII disclosures. Prior to NSIRA taking over review duties, CSE had accepted and implemented 95% of the recommendations made by the CSE Commissioner. Those not adopted were duplicative or overtaken by events such as new legislation. In his final 2018-2019 review, the Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction.
In this NSIRA review, as with previous CSE Commissioner reviews, we appreciate and have accepted the recommendations aimed at improving our internal policies and practices.
Given the overlap in this review period between the two bodies, certain NSIRA recommendations duplicate some presented in the CSE Commissioner’s reviews. As a result, we are pleased to note that many have already been implemented at this time; other NSIRA recommendations are in the process of being implemented.
Review Findings
Throughout this CII disclosure review, CSE provided extensive feedback and context to NSIRA, and sought clarification regarding the assessment criteria used to determine adequacy or inadequacy of specific records, the vast majority of which were deemed adequate by NSIRA. Without explaining the methodology used to support the findings, we are concerned that broad generalizations based on specific aspects of certain records within a single privacy measure may leave the reader with an incorrect impression about CSE’s overall commitment to privacy protections for Canadians.
CSE’s case-by-case process for disclosing CII to authorized GC recipients is part of robust and comprehensive internal measures that protect Canadians’ privacy. We balance the sharing of our intelligence with the privacy and safety of Canadians at all times. CSE disclosure analysts receive training and follow internal policies, guidelines and standard operating procedures to guide decision making.
While committed to implementing the recommended process improvements contained in the report, CSE remains concerned by NSIRA’s overall conclusions and characterization of the disclosure process and its role in the broader privacy framework, which we have expressed to NSIRA.
Referral to Attorney General of Canada
The Minister of National Defence submitted NSIRA’s classified report to the Attorney General of Canada in January 2021, supported by a comprehensive analysis of each record identified by NSIRA in its review.
The analysis supports the view that our activities, including applying protections for the privacy of Canadians, were conducted within a robust system of accountability, including compliance with the Privacy Act.
Additional Information
Top Secret-cleared and special intelligence-indoctrinated GC clients received thousands of foreign intelligence reports via CSE’s mandate under the CSE Act. These reports corresponded to Cabinet-approved intelligence priorities and were delivered to government clients who had both the authority to receive them and the ‘need to know’ their contents.
These reports reflect a wide range of intelligence requirements, from support to Canadian military operations, espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others. While only a very small percentage of these reports contain obfuscated CII, the underlying Canadian information is often essential for GC officials to understand the context of the threat and its Canadian nexus.
The Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, September 4, 2019, to the end of the previous calendar year, December 31, 2019. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Act.
While this was the inaugural annual review under the NSIRA Act, it builds upon previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on information sharing with Foreign Entities is an example. The results from this previous review were sent to applicable departments in July 2020. NSIRA is building upon this previous review and strongly supports the findings and recommendations within it. As of the date of this report, departmental responses have not been received regarding the recommendations provided in NSIRA’s July 2020 Ministerial Direction review.
(U) It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period.
To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Act and the directions. The responses and associated information captured departmental activities related to the Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. NSIRA believes that having a robust framework is an essential part of an effective implementation of the directions departments have received.
Beyond the specific requirements of implementation, the information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken since the review period to build and formalize their frameworks. This information and knowledge will help set up the foundation for future reviews and assist efforts on creating consistent implementation across departments. While many of the issues discussed in this report go beyond the specific requirements of the directions, their consideration is critical to the overall improvement of the implementation process and how departments ultimately support the Act. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions and look closely at specific cases and departmental legal opinions to guide review findings.
While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments are employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related to the Act is not a requirement for implementation; however, NSIRA believes that there is value in such an approach. And while departments will always require unique aspects in their sharing frameworks to address the unique characteristics of their mandates and activities, the identification and sharing of best practices is critical to improving the implementation process, a goal all involved likely have.
Examples include determining the best means for having a unified approach when engaging with foreign entities of concern, or ensuring that an information sharing activity is consistently evaluated for risk by all departments. The recommendations provided on these issues in this review capture what NSIRA believes to be important concerns and considerations for supporting and improving departmental implementation.
Additionally, as the directives received under the Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the community to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, but also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Act across the community.
This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity Act.
In the same spirit as the Ministerial Direction (MD) that preceded it, the Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department and a foreign entity. The Act also aims to limit the use of information received from a foreign entity that may have been obtained through the mistreatment of an individual. While the previous MD guided the activities of a selection of Canada’s security and intelligence departments, the Act broadened this scope to capture all departments whose interactions with foreign entities included information exchanges where such a concern may apply.
The focus of the Act is to ensure departments take the necessary steps during their information sharing activities to avoid contributing in any way to the mistreatment of an individual. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. There is an expectation that each department will satisfy these requirements by leveraging departmentally established mechanisms and procedures, or frameworks that will allow each department to confidently demonstrate how it has responded to its responsibilities under the Act.
During the first year that the Act was in force, written directions using nearly identical language were sent to the Deputy Heads of 12 departments. In regard to disclosure, the directions read as follows:
“If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”
With respect to requesting information, the directions state:
“If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”
Lastly, as it relates to the use of information, the directions indicate:
“The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department
At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. This determination is done on a case-by-case basis. Each department is responsible for making these determinations as it applies to its activities. Following the outcome of a department’s determination of these important questions, cases may be approved, denied, or elevated to the Deputy Head for consideration. For the latter cases, this then results in additional reporting requirements for the Deputy Head. Throughout this process, there is also a requirement to ensure the accuracy, reliability, and limitations of use of all information being handled.
After the Avoiding Complicity Act came into force in July 2019, the Governor in Council’s written directions were sent to each applicable department in September 2019. The period for this year’s review is September 4, 2019 to December 31, 2019. The short timeframe (approximately 4 months) associated with this year’s review means that departments are being assessed, in large part, on what they would already have had in place to address risks of mistreatment associated with information sharing, or what they were able to implement in a four-month window. NSIRA is cognizant that for the departments that were not previously subject to the 2017 MD on Avoiding Complicity in Mistreatment by Foreign Entities, the timeframe to implement the written directions was somewhat limited, as it would have been challenging to create and operationalize new procedures such that they would be reflected in the department’s activities during the period being reviewed.
While it was essential to ensure that both NSIRA and the departments being reviewed met their obligations, these challenges were kept in mind when evaluating the objectives for this first review. Given these considerations, the objectives of this year’s review were to determine whether:
To capture a complete view of the departmental implementation of the Act, NSIRA constructed a series of questions related directly to every department’s obligations under the Act and the directions. The responses and associated information captured what specific activities took place during the review period and what departmental frameworks were leveraged to adequately support these activities.
The information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken to build and formalize their frameworks to meet their obligations under the Act and directions. The information provided and the knowledge gained will help set up the foundation for future reviews and help create consistent implementation across departments.
The method used to gather information during a global pandemic was designed for this first and unique review period. We believe it allowed departments to quickly and efficiently indicate both whether the directions had been implemented, and what frameworks, processes, and policies had been leveraged or put in place.
Responses to many of the RFI questions were simply yes/no answers. Often, answers were dependent on what information handling activities took place with foreign entities by the department during the review period. As such, a number of questions could be returned with ‘not applicable’, and this was an acceptable response. Many of the questions were related to specific and easily defined requirements under the Act and its associated directions, e.g. ‘Was a report submitted to the Minister?’ or ‘Did the Deputy Minister inform the applicable bodies of all their decisions made under the Act?’.
Other questions were designed to capture the details of the underlying processes that supported a department’s implementation, i.e. a department may indicate that they ensured no substantial risk of mistreatment was present in any of their information sharing activities, but how did they support this claim? Likewise, for an assertion that a possible substantial risk of mistreatment had been mitigated, what was in place that allowed a department to make this assertion? Therefore, this series of questions required sufficiently detailed responses to fully capture what a department had in place that allowed it to confidently state that it has met its implementation obligations under the Act and the issued directions.
Finally, a portion of the questions was intended to capture the level of uniformity in implementation across departments. This includes such things as country/entity assessments, triage practices, and record keeping. Much of this information will also help with recommendations going forward. This multi-faceted approach resulted in three main areas being evaluated to assess implementation for this review period and help set the groundwork for future reviews.
The table in Annex A captures a summary of both the departmental responses to the implementation questions and NSIRA’s assessment regarding these responses. The assessment was based on the associated details provided by departments in the context of the specific information requested. As explained above, many of the responses were returned as not applicable (n/a). Since many implementation requirements are connected to specific activities, the absence of such activities would mean that the requirement does not come into play. The best example of this for the current review is the absence of any Deputy Minister level determinations. All 12 departments indicated that they did not have any cases referred to the Deputy Minister level for determination. All additional reporting requirements associated with this level of decision were not applicable and thus considered satisfied.
If a specific requirement was not met, it was flagged. The relatively few instances of this were connected with departments not meeting certain reporting obligations under the Act. In all cases, the department involved pre-identified these missing requirements and indicated that efforts were underway to address them.
The concerns and findings captured in the table (and others) are discussed subsequently. A concern was flagged in two situations: where there was an uncertainty associated with a department’s ability to support their implementation requirements; and cross-cutting issues related to general aspects of all of the frameworks described, both of which led to the findings and recommendations proposed.
A challenge for departments for this first review was associated with one of the assessment items listed above, i.e. whether they had established frameworks to demonstrate how they supported the implementation of the directions they received.
With the Avoiding Complicity Act coming into force in July 2019, it was not feasible that departments would create and stand up new frameworks for information exchanges in time for the period being reviewed. Although the Act did specify several Deputy Heads that were to receive directions, it only included those who received the previous 2017 MD. The remaining new departments received their directions in September 2019. Regardless of this two-month difference, each department would have been required to rely, to some extent, on existing procedures when handling information sharing with foreign entities during the review period.
This put the departments that had previously formalized policies and processes at an advantage when implementing the directions. For those departments who were not subject to the previous 2017 MD on information sharing, NSIRA considered how they leveraged and adjusted what was already in place to respond to their new responsibilities under the Act. What we then expected to see, for all departments, was what subsequent steps were taken during the review period and afterwards, to either adjust or create frameworks to better meet implementation requirements going forward. NSIRA noted that in response to questions on frameworks for handling information and mitigating risk, several of the departments new to the considerations of the Act provided extensive detail on their efforts and progress on building out their frameworks to support the directives. References to having these frameworks formalized over the subsequent year were also encouraging.
Finding no. 1: NSIRA found that several departments, new to the considerations of the Act, described considerable progress being made during the review period and afterwards to build out formalized frameworks to support implementation.
As discussed, having fully established operational frameworks in place for this review period may not have been feasible for the departments that did not previously have processes to support their activities. This, however, did not exempt a department from the requirements of implementation. Each department was still expected to leverage what it currently had in place to properly address the concerns associated with the Avoiding Complicity Act. Furthermore, there was a logical follow-on expectation that departments would take subsequent steps to build out formal frameworks to address any perceived gaps to support the implementation of the Act going forward if necessary.
After reviewing the responses received, NSIRA is concerned that departments with minimal information sharing activities taking place during their operations have yet to address the necessity of having a robust framework in place, regardless of how often that framework is leveraged. For example, although PS and TC may primarily act as facilitators or coordinators for information exchanges on specific programs, they are still interacting with foreign entities, and therefore are required to fully assess their interactions with a foreign entity in this regard.
If a department without a formal framework assesses that it has few or no cases associated with the Act, then it may believe it is adequately positioned to address any sharing concerns should they arise. This, however, is not the case. Even single instances of information exchange in which the concerns of the Act may apply require a framework to support it properly. In many cases, it will be the framework itself that properly identifies whether a sharing activity raises concerns under the Act. If there is no formal process in place, then this identification becomes problematic. Simply saying that there are no cases or activities associated with the Act is not sufficient. That determination can only be made after a sharing activity is scrutinized through the lens of a robust framework. Going forward, all departments who receive directions should demonstrate a formal framework that ensures all information sharing activities are adequately evaluated against the considerations of the Act.
Finding no. 2: NSIRA found that departments conducting minimal information exchanges with foreign entities have not yet fully addressed the importance of having an official information sharing framework in place.
Recommendation no. 1: NSIRA recommends that all departments in receipt of directions under the Act have an official framework that ensures they can fully support their implementation of the directions.
While departmental coordination and the sharing of best practices are not a requirement of the Avoiding Complicity Act or the directions, NSIRA considered such an approach’s value. What became clear during this first review was that every department employs a very different framework to guide their information sharing activities with foreign entities. This is to be expected to some extent, given the different mandates, sharing requirements, and areas of focus associated with each department. However, these differences are also a reflection of the independent, internal development that has taken place for the different frameworks being used. While the departments receiving directions under the Act do interact on this subject to some extent, to date, based on the responses provided, it appears that the majority of the work done by the departments to build supporting frameworks to address their responsibilities associated with the Act has been done independently. There was little to no overlap in how departments described the various aspects of their frameworks, even amongst the departments subject to the earlier MD on this issue.
There would be value in departments collectively identifying the key aspects common or required in all information exchanges with foreign entities and then working together to craft best practices, irrespective of what a department currently has in place. This process should draw on all available resources to make this determination. Each department can then turn to their existing frameworks to consider where and how they can be adjusted to match this community-agreed upon ideal. This is not to say that aspects of what a department already has in place in their framework will not ultimately be seen as the best practice. Several departments do have robust sharing frameworks in place, and these will contribute significantly to this exercise. However, arriving at this determination independently will provide an additional level of confidence.
Department-specific challenges, of course, cannot be ignored. In fact, they will weigh in strongly on such a conversation. Departments share information under their mandates for various reasons, and this will mean that coordination on certain aspects of a sharing framework may not be possible. However, this needs to be evaluated. It is important that what already exists, or what is hard to change, does not unduly influence what may be best. This approach will create uniformity (where possible) across the community and provide a starting point for ‘must haves’ for each department to evaluate their existing processes against.
The Public Safety Information Sharing Coordination Group (ISCG) was established to support departments on information sharing. As such, it is in an ideal position to help mitigate issues arising from the lack of coordination. Leading such efforts would build on the work already being done by this group. During recent discussions with NSIRA, the ISCG indicated that the tracking of lessons learned and the sharing of best practices was not yet routine. Going forward, there would be value in a more coordinated effort when departments are updating/changing their framework. Ensuring that this coordination takes place will require support and leadership by senior-level officials. This will help in sharing best practices once identified, and establish more consistent approaches across departments.
Finding no. 3: NSIRA found that the differences and variability in departmental frameworks demonstrate a previous lack of coordination across the community and a need to identify best practices.
Recommendation no. 2: NSIRA recommends that departments coordinate to identify best practices for all essential components of information sharing frameworks and that the ISCG is leveraged to ensure these practices are shared where possible across the community to support the implementation of the Act.
A series of questions in this review was related to aspects of consistency in how departments apply their frameworks. From this series, a comparison was made on how many times an information sharing/use event triggered an evaluation of any kind against the considerations of the Avoiding Complicity Act, versus how many of these triaged cases were elevated or referred up for decision. The results helped gauge two important aspects of a framework: One, the threshold requirements, i.e. how often a sharing activity triggers an evaluation of any kind; and two, the decision making power given to the operators who are initially handling these activities.
The feedback and the responses received demonstrate potential inconsistencies in both aspects across departments. For example, several departments indicated zero cases as being triaged/evaluated under the concerns of the Act during the review period, yet also specified that they are involved in regular information sharing, or specified that no information received from foreign entities was derived from mistreatment. These responses appear to be inconsistent, as it would be problematic to participate in information sharing or to make such mistreatment determinations without the activity being evaluated on some level.
Other departments indicated a larger number of cases as initially triaged/evaluated, but also indicated that none of them were elevated in their decision making process for higher-level decisions. This would seem to suggest that all determinations were being made at the operational level. Such a result puts significant weight on the operator and the initial assessment tools they are leveraging if they are making all determinations independently. This reinforces the importance of a robust framework to help make these determinations, as previously indicated in Finding no. 2. As a result of these differences, potential challenges arise in accurately assessing the volume of cases being handled by departments, and in tracking those cases deemed to present a substantial risk, those for which the risk can be mitigated, and those where the risk was not found to be substantial or even present.
These responses may result from how each department defines a ‘case’ or how it records a case, or they may be a result of differences in how a department’s decision-making process is leveraged. NSIRA’s concern is that these differences may indicate an inconsistency in application thresholds at different departments. As such, the following results were viewed as a potential issue based on the responses received:
Such results do not necessarily indicate a problem, as aspects of a framework may be able to account for this; however, looking further into how and why the department’s framework produced these outcomes is important. Future reviews will be able to do this. Consistent initial steps for information sharing activities, including triage/evaluation thresholds and documentation, are critical to the effective application of a framework, and ultimately to identifying best practices.
Finding no. 4: NSIRA found that there are inconsistencies in the application of existing sharing frameworks between departments, specifically concerning information evaluation thresholds, and decisions being elevated for senior level determinations.
Recommendation no. 3: NSIRA recommends that departments establish consistent thresholds for triggers in their information sharing frameworks, including initial evaluations against the concerns of the Act, when a case is to be elevated in the decision process, and how this is documented.
A key recommendation of NSIRA’s previous review on information sharing related to the country/entity assessments being used by departments to inform their decision making process when sharing or using information with a foreign entity. While the use of country/entity assessments is not a required aspect of implementing the directions under the Act, NSIRA continues to support this tool as an important aspect of any sharing framework. In its previous review, NSIRA determined that having a firm grasp on the human rights situation, as well as any other pertinent information associated with a country/entity, was essential to making an informed decision on whether there should be concerns, caveats, or limitations when handling information with that country/entity. Moreover, having such information captured to ensure all departments consistently approach these countries/entities is critical. At the time of the previous review, the following recommendation was made:
It is important to note that there has been no formal response from departments on this previous recommendation as of the date of this report. Furthermore, during the consultation process for this report, two departments continued to raise concerns with NSIRA’s stance on this issue. While NSIRA continues to support this recommendation, as explained below, further discussions with departments on how to approach this matter may be warranted, specifically on the distinction between how this recommendation may apply to a foreign country/entity vs a specific foreign partner a department may be dealing with.
Based on the responses provided on this topic for the current review period, there is still inconsistency in this area. While almost all departments indicated that country/entity assessments were a standard part of their framework, the responses also indicate differences in which country assessments are used, how they are leveraged, and who is responsible for updating them. For example, several departments rely on their own in-house created assessments, while others leverage the assessments created by Global Affairs Canada and others. While departments who indicated that they are leveraging country/entity assessment tools in their process also indicated that these assessments captured human rights concerns, this has yet to be independently evaluated. NSIRA is concerned that these differences could result in different approaches/stances being taken by departments when dealing with the same foreign entity. While the country/entity assessments tools themselves are not necessarily in question, the fact that every department is not leveraging or does not have access to all useful or applicable information is.
NSIRA remains of the view that having a consistent stance on all countries and entities when implementing the requirements of the Act is important. Issues such as mistreatment and human rights should not be decided at a departmental level, but on a whole-of-government level. While mindful of classification levels, ensuring all departments have access to the same relevant information associated with a foreign country/entity is critical to making an informed decision. Due to the nature of their work, departments may be privy to unique information on a country/entity, some or all of which can be shared. This would lead to fully informed assessments that allow for a consistent approach when dealing with any country/entity. In addition to reducing duplication of effort in this area by departments, NSIRA continues to see standardized country and entity assessments, which can be accessed and contributed to by all departments, as key to moving toward a more consistent and effective implementation of the Act across the community.
Finding no. 5: NSIRA found a lack of unification and standardization in the country and entity assessments being leveraged by departments, resulting in inconsistencies in approach/stance by the community when interacting with Foreign Entities of concern related to the Act.
Recommendation no. 4: NSIRA recommends that departments identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach by departments when interacting with Foreign Entities of concern under the Act.
While some aspects of implementation can be easily quantified and evaluated, e.g. reporting requirements to a Minister, others that support implementation are more difficult to measure, e.g.:
Measuring and weighing the answers to such questions is challenging. They are more nuanced, and can’t be as easily quantified. Regardless, they must be considered and addressed. Drawing on the considerations and concerns identified in this review will help departments to ask the questions that will improve their underlying frameworks with the following goals in mind:
Future reviews will push towards these goals by seeking answers to those questions above, and by looking more closely at specific case studies, departmental legal opinions, items of inconsistency, and the departmental frameworks that are already demonstrating best practices that should be shared. Ultimately the results of such efforts will contribute to improving the implementation of the Act across the community.
In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The framework aimed to establish a coherent and consistent approach across government when sharing and receiving information with Foreign Entities. Following this, Ministerial Direction was issued to applicable departments in 2011 on Information Sharing with Foreign Entities, and then again in 2017 on Avoiding Complicity in Mistreatment by Foreign Entities.
On July 13, 2019, the Avoiding Complicity Act came into force. This Act codifies and enshrines Canada’s commitments in respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment.
On September 4, 2019, pursuant to section 3 of the Act, the Governor in Council (GiC) issued written directions to the Deputy Heads of the following 12 departments and agencies: Canada Border Services Agency (CBSA), Canada Revenue Agency (CRA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment (CSE), Department of Fisheries and Oceans Canada (DFO), Department of National Defence and Canadian Armed Forces (DND/CAF), Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Global Affairs Canada (GAC), Immigration, Refugees, and Citizenship Canada (IRCC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP) and Transport Canada (TC).
The GiC issued directions focused on three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.
Pursuant to section 7 of the Act, every Deputy Head having received direction must, before March 1 of each year, submit to the appropriate Minister a report regarding the implementation of those directions during the previous calendar year. Following this, every Deputy Head must, as soon as feasible after submitting the report, make a version of it available to the public.