Language selection

Government of Canada / Gouvernement du Canada

Search


Review of the Canadian Security Intelligence Service’s (CSIS) use of Geolocation information

Review Backgrounder

On August 23rd, 2019, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of CSIS’s use of geolocation information.

In this review, NSIRA found that CSIS’s use of this geolocation data without a warrant risked breaching section 8 of the Canadian Charter of Rights and Freedoms (Charter), which protects against unreasonable search and seizure. On March 16, 2020, NSIRA submitted a report under section 35 of the NSIRA Act, to the Minister of Public Safety regarding the possible unlawful activity.

This review raised pressing questions regarding the use of publically available data, but that nevertheless engages a person’s reasonable expectation of privacy. NSIRA’s review examined the decision-making process that led CSIS to use this data without a warrant, and found that CSIS lacked the policies or procedures to ensure that, prior to using the data, CSIS sought legal advice to avoid its unlawful use.

The review was also an opportunity to note more broadly that, in this environment, ongoing legal support to CSIS’s data exploitation activities is essential in allowing CSIS to operate at an acceptable level of risk. It also noted that CSIS and the Department of Justice are expected to demonstrate institutional leadership in this regard.

Going forward, NSIRA will prioritize the scrutiny of CSIS’s use of technology, particularly new or emerging technologies that pose the greatest risks.

Date of Publishing:

1. Authorities

This review began under the authority of the Security Intelligence Review Committee (SIRC) articulated in subsection 38(1 ) of the Canadian Security Intelligence Service’s (CSIS Act), which provided SIRC the mandate to review CSIS’s operations in the performance of its duties and functions.

During the course of the review. Bill C-59 -An Act Respecting National Security Matters received Royal Assent on June 21, 2019. Part 1 of Bill C-59 enacted the National Security and Intelligence Review Agency Act (NSIRA Act), which came into force by order of the Governor in Council on July 12, 2019. The NSIRA Act repeals the provisions of the CSIS Act that established and governed SIRC and establishes in its place the National Security and Intelligence Review Agency (NSIRA). The NSIRA Act sets out the composition, mandate and powers of NSIRA and amends the CSIS Act, and other Acts, in order to transfer certain powers, duties and functions to NSIRA.

This review continued under the authority described in subsections 8(1 )(a) and 8(3) of the NSIRA Act to review any activity carried out by CSIS and to make any finding and recommendation that NSIRA considers appropriate.

2. Introduction

In its review function, NSIRA expects CSIS’s activities to be lawful and comply with ministerial direction. This review focused on CSIS’ s non-warranted collection of geolocation information and is part of NSIRA’s ongoing interest in CSIS’s collection and exploitation of both warranted and unwarranted data. Past reviews have assessed CSIS’s warranted collection and retention of metadata and CSIS’s unwarranted collection and exploitation of bulk personal datasets. This is NSIRA’s first dedicated look at CSIS’s collection of geolocation data.

The review takes place in the context of Federal Court decisions, most particularly the IMSI decision of September 27. 2017, that impact on CSIS’s collection, use and retention of data, including geolocation data. The IMSI decision found that, though CSIS’s authority under section 12 does authorize it to obtain geolocation information for which there is a low expectation of privacy, anything beyond that, such as geolocating an individual, would require a warrant.

It is worth noting that the scope of the review was broader at the outset and was intended to include a more comprehensive examination of the collection of different types of geolocation information, both warranted and unwarranted. Although the scope was reduced in the course of the review, NSIRA will be mindful of this for future reviews.

3. Objectives

The objective of this review is to assess whether CSIS’s collection of unwarranted geolocation information used by CSIS in support of its operations is compliant with applicable sources of law, including the Canadian Charter of Rights and Freedoms (Charter) and the CSIS Act, as well as ministerial direction and operational policy. A related objective is to determine whether CSIS has sufficient safeguards in the form of formal procedures and policies to ensure that it is able to comply with its legal obligations amid a period of rapid change in technology and a correspondingly fluid legal environment.

4. Scope and Methodology

The scope and direction of the review was identified through a preliminary investigation of available documentation and a briefing with the ████████████████████████████████████████████████████████ Further, NSIRA requested that CSIS identify all activities undertaken by the █████ that may result in geographic information collected against non-warranted targets within the review period. This information was used as a foundation to
request specific documents from CSIS.

NSIRA examined all documents provided by CSIS and sought, retrieved and reviewed documents through CSIS’s various computer and email systems to ensure a clear record of activity. Documents reviewed included: ██████████████ taskings from the regions, responses to these taskings, briefing notes, planning documents, legal assessments and internal correspondence.

To conduct a compliance assessment of CSIS’ s use of geolocation information, NSIRA chose to conduct an in-depth case study of ██████████████████████████████████████████ geolocation information. NSIRA reviewed all instances when ██████████ was used by CSIS during the period under review. As this review consists of a single case study. NSIRA is mindful of generalizing the findings and conclusions to other types of geolocation data.

The core review period for this study was from January 1, 2017 to June 30, 2018, although NSIRA examined documentation that fell outside this period in order to provide a complete assessment of relevant issues.

5. Criteria

NSIRA expects CSIS to conduct its activities in accordance with relevant sources of law. including the CSIS Act. the Charter. the Privacy Act. and case law. NSIRA also expects CSIS to conduct its activities in accordance with ministerial direction. Most relevant in this review given the subject matter was an analysis of the Charter, which, in section 8, provides everyone with the right to be secure against unreasonable search and seizure.
In this case, at issue was whether the use of ███████ to collect information about an individual’s location information constitutes a search for the purposes of section 8 such that a warrant would be required.

Policies and Procedures

NSIRA’s expectation was that there would be policies and procedures in place to guide the collection, use and retention of data from ███████ despite its uniqueness, and that those policies and procedures would support compliance with CSIS’s legal obligations, including the Charter, as well as its obligations stemming from ministerial direction.

For reference, the relevant policies that pertain to the collection of information ███████

  • ███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ In principle, this allows collection of this nature on a very broad cross-section of individuals;
  • The collection of █████████ policies, including the DDO Memorandum of 2015 that request the establishment of █████████ as the National Policy Centre for █████████. Additionally there is the procedure on █████████ that allows █████ to conduct █████████ defined as a non-warranted collection tool or technique, against a ██████████████████████████████████████████████████████████████.

6. Background

The Investigative Technique – █████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ from users across the world.

█████████ contains three months of data. The information is not available in real-time; however, there is a delay of only 24-48 hours between the collection of the ████ and it becoming available in ████████.

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

See Annex A for an example of the use of █████ against a CSIS target.

A chronology of CSIS’s use of █████

a. From introduction to the beginning of the pilot: July 2015 – January 2018

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

█████ echoed those same governance-related issues; specifically, it questioned whether there were legal issues associated with █████ that needed to be addressed prior to the trial period. █████ asked for “the rules of engagement so that we can plan accordingly and get the most of this evaluation.”█████ further noted that, although the data seemed “wonderful….there must be some legal/governance rules that apply to this when in the hands of a government agency. These questions were raised in an email to both █████ and the ██████████

███████████████████████████████████████████████████████████████████████████████████████████████████████████████████ Nevertheless, by September 2017 █████ was anticipating an evaluation of █████ that would involve using █████ for a trial period of two months with a limited ██████████.

█████convened a meeting in October with █████████████████████████████████████████████████████████████████████████████████████████████████████████ The objective of the meeting was to prepare for a █████ evaluation and, for that purpose, “to make decisions on a few details to ensure compliance with
legal and policy.

The questions to be covered in the agenda were:

  • 1 ) Does existing █████ policy cover the use of █████ or does the policy need to be adapted?
  • 2) Is the information contained in ███████ subject to a reasonable expectation of privacy?
  • 3) Is there anything else that needs to be considered before CSIS can use █████? For example, additional █████ procedures or tests?

According to a written summary of discussions circulated by █████ following the meeting, it was agreed that ███████ would be compliant with collection under the ████████████ which allows ████ to “research and use open information” in support of investigations, it was further decided that the use of ██████ would align with ████ policies as it would constitute threat related queries ██████████████ and would be used only with the ██████████ authorities in place. Finally, it was assessed that the ██████ data invested would meet the “strictly necessary” threshold for collection and retention as set out in the CSIS Act as it would be based on a specific threat.

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

Following the meeting, approval was granted for the trial use of ██████ by Deputy Chief █████████. Documentation of the approval consists of an email from the Deputy Chief to ███ and ███ with the understanding that, ██████████████████████████████████████████████████████████████████.

b. CSIS’s trial period – March 2018 – July 2018

CSIS began its pilot of ████ on January 14. 2018. It was initially to be for two months; but because of technical issues at the beginning that delayed its full use, and due to ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

During that time, ████████ was tasked a total of approximately ████ times, resulting in ████ operational messages. As noted, efforts were made by ███ to ensure that its use of ████████ was compliant with CSIS’s ████ policies on collection ████████████████████ as well as the CSIS Act provision that collection and retention be done only to the extent that is “strictly necessary.”

████ completed its evaluation of ████ by the end of April 2018. ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████.

The first version of a briefing note to gain approval for the ████████████ was drafted jointly by ████ and ███ in April 2018. The briefing note stated that the pilot for ████ was “conducted operational policies.” The briefing note also ████████████████████ one was a restricted amount of information that would meet the strictly necessary threshold; and the other was a situation in which ████████████████████ in which case it would be ████████████████████████████.

A subsequent version of the briefing note was prepared, also jointly by ████████████. This one was dated May 15, 2018 and was sent to the Director General of ████. In contrast to the first version of the briefing note, this one was the dual purpose of obtaining a legal opinion and ████████████████. This version was ultimately sent to the DG ████████ and also included that ████████ had been assessed as compliant with ████ authorities, following discussion with CSIS’s External Review and Compliance (ERC). ████ as well as informally with a representatives of the DLS. The briefing note stated that ████████████████████████ fall within existing authorities and directives” and, further that “although ████ has assessed that ████████████████ a formal legal opinion has not yet been conducted and suggest this briefing note be used as a mechanism to obtain one.”

NSIRA inquired as to the substance of the ERC and DLS discussion, as well as documentation of those meetings. NSIRA was advised that the ERC compliance officer embedded within ████ was aware of ████ which was presented at a town hall, but that it was not discussed with her beyond that. NSIRA asked for documentation to substantiate the DLS discussions but non was provided.

c. Legal advice: July 2018 – February 2019

Following the May briefing note, on July 20th, the DG ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

By July 31, preliminary legal advice was received:

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

A formal legal opinion was provided on December 7, 2018, that called into question CSIS’s use of ████████ without a warrant except in very narrow circumstances, ████████████████████████████████████████████████████████████████████.

A further legal opinion was requested by CSIS to determine whether ████████████████████████████████████████. The resulting legal opinion, dated February 19 2019, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████. Accordingly, section 8 of the CHarter would not be engaed in this narrow circumstance.

based in part on the February 2019 legal opinion, CSIS subsequently took the decision to ████████████████████████████████████████████████████████████████████████████████████████████████████████. It is NSIRA’s understanding that, presently, ████████████ being used only in very specific circumstances and according to the guidelines set out in the legal opinions.

7. Findings

Finding no. 1 Compliance with the CSIS Act and the Charter NSIRA finds that there was a risk that CSIS breached section 8 of the Charter during the trial period in which it used █████ without a warrant.

DLS was asked to provide a legal opinion to CSIS on this investigative technique; in particular, to address the question of the “legal risk of using ██████████ (i) with respect to Canadians or persons in Canada; and (ii) human sources and employees, with their informed consent”. CSIS was advised in a Legal Memorandum dated December 7,2018 that:

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

NSIRA’s own review of the file, which is meant to provide the Committee with independent legal advice, supports DLS’s opinion in that regard. In particular, NSIRA believes that the use of ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████. NSIRA observes that it is very unlikely that a court would find that section 12 of CSIS Act was sufficient legal authority to render warrantless use of ██████ reasonable” for the purposes of section 8 of the Charter. Accordingly, CSIS would be required to obtain a warrant pursuant to section 21 of the CSIS Act for such searches. Of note, NSIRA’s legal analysis was based on the same set of facts as DLS used for its opinion.

In reaching this conclusion. NSIRA interprets section 12 of the CSIS Act as only providing authority for collection activities of minimal intrusiveness. In that regard, NSIRA concurs with the DLS opinion that, ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

At the time of writing, CSIS is pursuing options for how █████████ may be used under the authority of a warrant in the future.

NSIRA recommends that CSIS review its use of █████████ to date and make a determination as to which of the operational reports generated through the use of ███████ were in breach of section 8 of the Charter. These operational reports and/or any documents related to those results should be purged from its systems.

Findings no. 2 Governance related to piloting █████████

NSIRA finds that there was no policy centre clearly responsible for the use of the data contained in ████████.

NSIRA asked about the policies and procedures that guided the decision to authorize the trial period, as well as which unit within the ██████████████████ branch would have been responsible for assessing and authorizing the use of ███████ As described above, the record suggests there were three discrete units involved in the ████████████████████████ for the trial period.

█████████████ was involved in the ██████████████████ As the policy centre with respect to the ███████████████████████████████ the role and mandate of ████ is to coordinate, manage and █████████████████████████████████. In this capacity, ████ would have been responsible for assessing ████████ for privacy impacts, among other things, had ████████ been assessed as a ████████. However, ████████ was not ████████████████ but rather, as ████████████████████████████████████████████████████████████████. Therefore, █████ did not officially assess ███████████████████████████████████████. That said, the briefing note of May 15 2018, clearly indicates that ██████ assessed that the use of ████████████ fall within existing authorities and directives.” Given the lack of a formal record, NSIRA was unable to assess the content of, or the rationale for, this assessment.

██████ is the unit responsible for providing operational support for ████████████████████████ intelligence through the use of covert ████████████████████████████████████████████████████████████████████████████████████ and it was to ████ that the first demonstration of ██████ was given, ███ authorities were eventually identified as those under which ██████ would operate. However ██████ was not the primary user of ██████. Neither did it participate in the formal evaluation of the data contained in ████████████.

Responsibility for developing a means of formally evaluating ██████ fell to the ██████ given its expertise in geolocation information. However, ████ does not generally collect data, but is merely the user of data provided to it. As such, █████ thorough preliminary evaluation to determine whether there were legal or other issues that needed to be addressed, even at the pilot stage. Nevertheless, ████ prepared, on its own initiative, a formal document to guide its evaluation of ██████ during the trial period. NSIRA also notes that ████ followed existing policy in using ███████ only in instances when a valid targeting authority was in place.

NSIRA was not provided any formal documentation on the decision to authorize the pilot period. The record of decision to pilot ██████ consisted of an email, which contained the following:

I don’t see any reason not to start an evaluation – ████████████████████████████████████████████████ In addition, ████████████████████████ are not provided until after we can determine that they are “strictly necessary” and of relevance to the investigation -just until we find something of relevance.

Ultimately, NSIRA was unable to identify which of the three policy areas within ██████ should have had, according to existing policies and procedures, responsibility for the assessment of ████████████████████████████████████████████████████████████████████████████████████.

Finding no. 3 Record of decision

NSIRA finds that the record of approval to pilot ██████ consisted of an email and that this email was not “put-away” as part of the official record, as it should have been.

As noted, the closest thing to a record of decision to pilot ██████ was an email from a Deputy Chief of ██████ the full text of which is cited above.

NSIRA notes that this email was not “put-away” as is should have been given that it represents, de facto, the approval for acquiring ██████ for the purposes of evaluation and is required for robust records management and for accountability purposes. Instead, it was saved on a “personal” drive and only produced as part of the review process.

Findings no. 4-5 Assessment of risk in the case of ██████

NSIRA finds that there are no developed policies or procedures around the assessment and handling of new and emerging collection technologies, such that a formal evaluation of the legal risks of using ██████ would have been required.

NSIRA finds that CSIS overlooked multiple indicators that using ██████ might raise legal issues.

Ministerial Direction requires that the risk of operational activities be assessed across four pillars (operational, political, foreign policy and legal ). In particular, the Direction states that CSIS should “consider its ow n level of experience and novelty of the operational activity in assessing risk”.

NSIRA was told that there is no formal process for the evaluation of risk in cases like ████████████ given that it was assessed as ████████████████████████. This is consistent with NSIRA’s reading of the relevant policies, cited earlier, pertaining to ██████████████████████████████████████████ of which require an assessment of legal risk prior to the use of ████████████ for collection purposes.

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

It was suggested to NSIRA that it would not have been possible to conduct a thorough assessment of ████████ before the pilot based on the reasoning that a risk assessment is only possible with full ████████. NSIRA accepts in principle that there are situations when it would be difficult to appreciate the legal risks until such time ████████████████ and fully evaluated. Notwithstanding the difficulties, it is the responsibility of CSIS to mitigate these risks to the extent possible.

In this case, moreover. NSIRA notes that there were indications of a need for caution with respect to the ████████ in the period before the trial was even begun, including the IMSI decision of the Federal Court, which found that geolocating an individual would require a warrant.

Internally, there were multiple indications to the effect that there may be reason for particular attention, including:

two emails sent prior to the pilot, one by █████ on June 28. 2017. and the other by █████ September 27. 2017, both containing legal and governance questions;

the meeting convened by █████ for the purpose of discussing whether there existed a reasonable expectation of privacy in the █████ data;

the examples provided by ███████████████████████████████████████████████████████████████████████████████████████████████ and the evaluation of █████ in April 2018. which indicated that there were privacy concerns with this tool given its ability to generate ███████████████ and to ██████████████████████████████████████████████████████████████████████

There were other indications of a need for caution, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

Despite these signs, no formal action was taken to assess the question of legal risk until the briefing note in May 2018 requested a formal legal opinion.

NSIRA recommends that policy be developed or amended as appropriate that would require a documented risk assessment, including legal risks, in situations like ██████████ when information collected through new and emerging technologies may contain information in respect of which there may be a reasonable expectation of privacy. If not █████ NSIRA further recommends that a policy centre for this type of █████ collection be clearlv identified.

Conclusion

At the outset █████ was characterized as making use of ██████████. This is made clear from the approval email, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ would consider, it is not clear that the data exploited through ██████████ represents genuinely ██████████ at least as defined in plain language, as was asserted.

Assessing █████ in this way was not without its consequences in that it appears to have justified the lack of a more thorough legal assessment. This assumption proved to be problematic; the consequence was that CSIS placed itself at risk of having violated the Charter. Throughout this review. NSIRA has been mindful of the length of time it took for CSIS to obtain the final legal opinion, which was requested in July but finalized only in December, a full five months later.

NSIRA is aware that there have been discussions within ██████████ on the need to have ongoing legal support. In particular █████ has requested the establishment of a policy and legal operating envelope to ensure that policy and legal questions related to data exploitation are properly covered, including a resource from DLS who would provide ongoing, even weekly, legal assistance. NSIRA understands that this request was made in part due to the difficulties associated with obtaining legal advice on an as needed basis. NSIRA has been advised that █████ request to have weekly legal support has not yet been actioned.

The combination of an expanding scope in the type, volume and sources of data collected by CSIS and a fluid legal situation makes this an area of persistent high legal risk. CSIS has publicly affirmed that the concept of a reasonable expectation of privacy is evolving over time and committed to ensuring that CSIS’s approach to a reasonable expectation of privacy “is kept consistent”.

NSIRA is of the view that, in this environment, legal support to █████ is essential to operate at an acceptable level of risk. NSIRA expects CSIS and the Department of Justice ( DOJ) to demonstrate institutional leadership that would allow responsible decision-making in an environment of uncertainty by making available legal support to █████ as required on a priority basis.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information

Context

On November 25, 2020, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of National Defence and the Minister of Public Safety with a classified compliance report on its review of CSE’s disclosures of Canadian identifying information (CII). In this review, NSIRA found that the CII disclosure regime lacked rigour and that its implementation may not have been in compliance with the Privacy Act. Additionally, NSIRA found that the Federal Court may not have been adequately informed about key elements of CSE’s disclosures of CII collected on the authority of warrants issued in relation to section 16 of the Canadian Security Intelligence Service (CSIS) Act. Given the findings of the review, NSIRA has published its unclassified summary of the compliance report.

In carrying out its foreign intelligence mandate, CSE may incidentally acquire information about Canadians or person(s) in Canada. CII is information that could be used to identify an individual, and is normally suppressed from reporting unless Government of Canada or foreign clients request these details and are able to demonstrate that they have operational justification and legal authority to receive it.

After a thorough review of CSE’s disclosures of CII, which also involved direct engagement with other Government of Canada departments that request CII, NSIRA made 6 findings and 11 recommendations. This unclassified summary provides an overview of the CII disclosure regime, and NSIRA’s observations related to the policies, procedures, training, and the legal authorities governing it.

Publishing this summary aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work. Looking forward, NSIRA will conduct future reviews of the CII disclosure regime to ensure that its recommendations are implemented in a way that will improve the CII disclosure program and that this program is compliant with the applicable legal framework.

As per section 8(1)(a) of the NSIRA Act, independent review of CSE’s activities is a statutory requirement for NSIRA. As such, NSIRA will continue to review CSE activities and report on compliance issues if they arise.

To learn more about NSIRA’ mandate, click here.

Date of Publishing:

Executive Summary

Subsequent to the collection of foreign signals intelligence by the Communications Security Establishment (CSE), any incidentally collected Canadian identifying information (CII) is suppressed in CSE’s intelligence reporting to protect the privacy of Canadians and persons in Canada. However, the Government of Canada (GC) and foreign clients of such reports can request the details of this information if they have lawful authority and operational justification.

The National Security and Intelligence Review Agency (NSIRA) conducted a review of CSE’s disclosures of CII to GC clients. In reviewing disclosures containing 2,351 Canadian identifiers over a five year period, NSIRA found that 28% of requests from all clients were not sufficiently justified to warrant the release of CII. . Nevertheless, during the period under review, CSE approved 99% of these requests for CII from its domestic clients. Given this and other findings related to CSE’s internal practices, NSIRA found that CSE’s implementation of its CII disclosure regime may not be in compliance with the Privacy Act.

Moreover, NSIRA found that CSE has released CII to GC clients from its technical and operational assistance to the Canadian Security Intelligence Service (CSIS) in relation to section 16 of the CSIS Act, in a manner that was likely not communicated to the Federal Court by CSIS.

This report is a summary of the more detailed, classified report provided to the Minister of National Defence on November 25, 2020.

Introduction

The Communications Security Establishment (CSE) may incidentally acquire information about Canadians or persons in Canada in its collection of foreign signals intelligence (SIGINT). Canadian identifying information (CII) refers to any information that can identify an individual, ranging from names to email addresses and IP addresses. CII is suppressed in intelligence reports to protect the privacy of Canadians and persons in Canada. Government of Canada (GC) and foreign clients may subsequently request the details of this information if they have lawful authority and operational justification to collect it. This information sharing regime has been in place since the 2001 enactment of CSE’s powers under the National Defence Act, and has been previously reviewed by the Office of the CSE Commissioner (OCSEC)

Following a review of CSE’s disclosures of CII, the National Security and Intelligence Review Agency (NSIRA) concluded that CSE’s implementation of its disclosure regime may not be in compliance with the Privacy Act. Therefore, pursuant to subsection 35(1) of the NSIRA Act, NSIRA submitted a compliance report to the Minister of National Defence on November 25, 2020.

CSE’s disclosure regime, in place for nearly two decades, is one of the most important national security information sharing structures in the federal government, surpassing the volume of disclosures processed through the information sharing mechanism under the Security of Canada Information Disclosure Act (SCIDA). Unlike CSE’s disclosure regime, information sharing processes under SCIDA have recently undergone comprehensive scrutiny and debate both in Parliament and by the public as part of the deliberation of Bill C-59.

CSE’s work results in special responsibilities to protect the privacy of Canadians. In this context, NSIRA assessed CSE’s operational structures, policies, and processes to determine the rigour of the CII disclosure regime. NSIRA found serious problems with several aspects of the governance and implementation of CSE’s CII disclosure regime. NSIRA also found that CSE discloses information collected pursuant to the authority of Federal Court issued warrants as part of its assistance to the Canadian Security Intelligence Service (CSIS). NSIRA believes that although the Federal Court is aware of CSIS’ disclosure of CII, the Court may not have been fully informed about the parallel disclosure process taking place at CSE. In January 2021, CSIS provided the Federal Court with a copy of NSIRA’s full, classified review, excluding information protected by solicitor-client privilege.

Methodology

As part of its review, NSIRA examined a selected sample of CII disclosures and their associated intelligence reports – initially from July 1, 2018 to July 31, 2019, though the review period was later expanded to cover July 1, 2015 to July 31, 2019 for certain types of disclosures. Over that period, CSE received requests for 3,708 Canadian identifiers. NSIRA received information about the outcome of all of these requests. Additionally, NSIRA was able to closely review requests pertaining to 2,351 identifiers.

In all, NSIRA examined electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime. CSE also responded to NSIRA’s questions throughout the review.

While this began as a review of solely CSE, it became evident that NSIRA also needed to engage with CSE’s Government of Canada clients of CII. In the spirit of its legislation, NSIRA “followed the thread” by engaging with a range of federal departments, from recurring clients of CII, such as CSIS and the Royal Canadian Mounted Police (RCMP), to less frequent clients, such as Innovation Science and Economic Development Canada (ISED). Through this engagement, NSIRA was able to understand the lifecycle of CII disclosures, from their origin within intelligence reporting to their eventual use by Government of Canada clients.

NSIRA also assessed CSE’s disclosures of CII arising from its assistance to CSIS in relation to section 16 of the CSIS Act. When CSE assists CSIS in that context, it is bound by the applicable Federal Court warrants’ conditions. While CSIS’ disclosures were not the subject of this review, they helped contextualize the adherence of CSE’s section 16 CII disclosures with the conditions and principles on which the Court issued the relevant warrants.

NSIRA also reviewed CSIS affidavits to the Federal Court in relation to Canadian information acquired through section 16 warrants, which served as the basis for a recent decision issued on this program by the Court (reported as 2020 FC 697). Given this window into the parallel practices and policy requirements of CSIS, NSIRA had the opportunity to contextualize CSE’s disclosures of CII arising from section 16 collection in a way that was unprecedented for an external review body.

Based on the records provided by CSE, CSIS, and other federal government entities, NSIRA made several findings and recommendations to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

For CSE to disclose Canadians’ personal information without their consent, both CSE and the CII recipient must comply with relevant legislation, which, for the period under review, consisted of the Privacy Act and the National Defence Act:

In assessing CSE’s disclosures, NSIRA applied a two-pronged test in line with the Privacy Act requirements: the institution holding the personal information must have a disclosure authority to disclose it to another institution, and the recipient institution must have a collection authority. These thresholds derive from existing Privacy Act jurisprudence. In other words:

  • CSE’s CII clients are required to meet the section 4 collection requirement of the Privacy Act by establishing a direct and immediate relationship (with no intermediary) between the information to be collected through a CII request and their operating programs or activities.
  • On CSE’s side, its disclosures of CII had to comply with section 8 of the Privacy Act, and the National Defence Act, which was the governing statute for CSE during the review period.
  • Because the disclosure authority within the National Defence Act required CSE to protect the privacy of Canadians, NSIRA assessed whether CSE evaluated each disclosure request rigorously on its own merits, including the operational justification provided by clients, to determine whether the requests were reasonable and whether the disclosure was appropriate under the Privacy Act regime.

CSE’s internal practices

NSIRA assessed CSE’s privacy protection measures for compliance with its legal responsibilities and Ministerial Direction. NSIRA assessed whether CSE’s CII disclosures are subject to a thorough, well-documented evaluation and approval process that demonstrates each disclosure’s compliance with legal and operational requirements. Specifically, NSIRA assessed whether CSE’s clients demonstrated their legal authority to collect CII, and did so in compliance with section 4 of the Privacy Act by showing a direct and immediate relationship between their mandated activities and the requested CII.

During the period under review, CSE received requests for 3,708 identifiers from 15 domestic departments, releasing 3,671 – which represents a release rate of 99%. This release rate was also reflected in the eventual sample of disclosures selected for detailed review by NSIRA. NSIRA expected to find disclosure requests of a consistently high quality commensurate with their near-absolute approval by CSE. Nevertheless, the findings below represent several areas in which NSIRA observed shortcomings.

Employee training and documentation requirements

CSE employees generally decide whether to release CII. NSIRA did not find evidence of written guidance or training to guide employees’ assessment of the substance of disclosure requests; instead, the training materials and procedures that employees receive primarily focus on the logistical processes to release CII.

In their assessment of CII requests, CSE personnel can take a range of actions, including conducting further research into a requesting department and its mandate or communicating with the requester to obtain clarity. NSIRA found that these actions are generally not documented for requests from domestic clients, and the approved disclosures only contain the requested CII without the reasons for approving the request. NSIRA was unable to confirm that CSE personnel were taking steps to communicate with a requestor to clarify incomplete or unclear disclosure requests.

While this is not a requirement in CSE’s policies for domestic requests, NSIRA observed detailed rationales provided by personnel responsible for approving and denying CII requests originating from foreign clients for CII. NSIRA believes CSE should require employees to document their assessment of requests from domestic clients, including the rationale for their approval.

In sum, NSIRA found that CSE’s employees do not receive sufficient written training and guidance on assessing the substance of disclosure requests and are not required to document mandatory actions and assessments they make when releasing CII. NSIRA recommended that CSE require, through procedures and policy, that employees document their decision-making and rationales and train them to assess the substance of disclosure requests in light of applicable legal obligations.

Management oversight

Certain types of disclosures are elevated for review and approval at a higher level within the organization. This is another process that lacked the appropriate documentation. Based on data compiled by NSIRA, all requests for CII reviewed at this level were approved, with no documentation of the rationale behind the decision to approve the remainder.

An internal monthly compliance check is conducted to confirm that releases of CII follow sufficient justification, that only the requested CII is released, and to determine whether any procedural errors have occurred. The compliance checks reviewed by NSIRA did not contain any analysis of the disclosure requests. While CSE explained that employees are informally coached if disclosures do not meet requirements, this is not documented within the compliance checks, which provide only statistical summaries of CII disclosures.

NSIRA found that personnel responsible for approving certain CII disclosures and conducting periodic compliance checks did not document their decision-making and assessment of requests. NSIRA recommended that similar to employees at the working level, CSE management must document their decision-making and rationales.

CSE’s assessment of CII disclosure requests

CSE’s CII disclosure request form requires that the requestor state an applicable legal authority for collecting the information. NSIRA observed requests where this information was not provided. In this context, NSIRA expected that CSE would follow up with requestors or assure itself through its own assessment that the requestor had the appropriate legal authority for collecting CII. NSIRA found no evidence that this process was taking place.

NSIRA used its ability to follow the thread of a disclosure and engaged some of CSE clients for CII regarding their legal authority to collect Canadians’ personal information. Where these departments had not indicated a legal authority to receive CII, NSIRA inquired directly with them about their legal authorities, receiving detailed legal assessments prepared in response to NSIRA’s questions. NSIRA found no documented evidence that CSE had similarly assured itself of the clients’ legal authorities at the time of disclosure.

As the custodian of incidentally collected CII, CSE has the responsibility to assure itself and document that both a collection and disclosure authority exist before sharing it with third party clients.

Next to a legal authority, the second key component of a disclosure request is the recipient’s operational justification for collecting the CII. A demonstrable operational nexus is required to justify a requester’s collection of CII in line with the Privacy Act regime.

NSIRA found that CSIS, the RCMP, and the Canada Border Services Agency (CBSA) generally demonstrated a clear link between the intelligence reporting and associated CII to their mandated activities, with some exceptions. This was a result of the strong operational justifications provided proactively by these clients, and does not reflect a more rigorous process on CSE’s end. Disclosures to these departments comprised approximately half of NSIRA’s sample.

CSE has accepted operational justifications provided by these and other clients that NSIRA found to be inadequate. In these cases, the clients’ justifications pertained to CII that was not demonstrably related to their mandate or operations.

From the sample of all disclosures reviewed by NSIRA, we found 69% to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied. Nevertheless, within this sample, CSE had approved these disclosure requests at a 99% rate.

CSE also released additional personal information to clients beyond that which was requested and explained this to be a standard practice. For example, NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity. NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested.

In sum, NSIRA found that CSE has not sufficiently assessed the legal authorities invoked by its clients and recommended that CSE and these clients obtain legal advice from the Department of Justice to determine the extent of their legal authority to collect CII. NSIRA further found that CSE’s implementation of its CII disclosure regime may not have been in compliance with the Privacy Act framework and recommended that CSE cease disclosing CII to clients other than CSIS, RCMP, and CBSA until it addresses the findings and recommendations contained in NSIRA’s review.

CSE’s governance of the disclosure regime

Many of the systemic issues presented in NSIRA’s review arise from CSE’s CII disclosure regime governance. CSE develops its internal policies, procedures, and legal assessments to which its disclosure clients are generally not privy. CSE’s existing arrangements with its clients govern operational issues such as security standards, information handling and system access. However, at an institutional level, NSIRA has not found a consistent understanding among CSE’s CII disclosure clients of the legal requirements underlying this practice.

A more transparent governance structure would allow all parties to understand and formally acknowledge at an institutional level the legal and operational requirements behind disclosing and collecting CII. It is not sufficient for CSE to manage the regime with its clients not privy to the policies, procedures, and legal requirements that underlie it.

NSIRA found that CSE’s governance of the CII disclosure regime does not foster an environment where its clients can take equal responsibility for CII disclosures. NSIRA recommended that CSE work with the Department of Justice and the Treasury Board of Canada Secretariat to establish Information Sharing Agreements with its regular domestic clients.

CSE’s disclosure of CII collected through its assistance to CSIS

Throughout the review, NSIRA encountered reporting and associated disclosures that pertained to activities of foreign persons within Canada. As CSE is prohibited from directing its activities at such persons, NSIRA submitted a series of questions and received briefings on the subject. NSIRA learned that CSE discloses CII collected as part of its assistance to CSIS in relation to section 16 of the CSIS Act.

Under section 16 of the CSIS Act, CSIS may assist the Minister of Foreign Affairs or the Minister of National Defence by collecting foreign intelligence within Canada in relation to Canada’s defence or international affairs. In turn, CSIS can apply to the Federal Court for a warrant, under section 21 of the CSIS Act, to obtain judicial authorization for intrusive collection powers in support of the section 16 investigation. Subsequently, CSIS may request CSE assistance if it does not have the tools or capacity to carry out this collection. CSE’s assistance takes the form of developing tools and techniques, intercepting target communications, decryption, report writing, and translation.

In its assistance to CSIS, CSE must respect the legal authorities and limitations imposed on CSIS by law and Federal Court warrants. In its documented requests for CSE assistance, CSIS does not explicitly request that CSE disclose the CII collected under warrant. Such disclosures are also absent from internal CSE plans that set out CSE’s support parameters. At the same time, both agencies insist that CSE can disclose such CII using its regular disclosure policies and procedures.

The practice of handling CII incidentally collected pursuant to section 16-related warrants has been the subject of ongoing treatment by the Federal Court. CSIS has described its own practices to the Court, including detailed summaries of how section 16 information is collected, its processing for intelligence reporting, and the rigorous disclosure regime associated with this reporting. CSIS also noted, in less detail and with omissions, some aspects of CSE’s parallel disclosure of CII collected through its assistance to CSIS under these warrants.

Overall, the stringent practices described by CSIS to the Court do not present a complete picture. For instance, CSIS’s limited distribution of section 16 intelligence reports and associated CII is not mirrored in CSE’s wider release of this information. Additionally, the senior approval levels that CSIS has in place for disclosing information about Canadian officials are also not reflected in CSE’s practices. In fact, CSE does not have a policy on how to treat Canadian officials’ information through its assistance mandate, and generally releases it at the working level. Further, CSE personnel are not generally aware that the information they are releasing originates from section 16 collection, and its associated Federal Court warrants and conditions. Moreover, CSIS has communicated to the Court that its own disclosure practice includes an assessment of a disclosure request by the operational branch responsible for the warrant, while CSE discloses such CII independent of CSIS operational branches.

In recent testimony before Parliament, CSE was asked how it operationalizes its assistance mandate. In its response, CSE stated that information collected under assistance is segregated, returned to CSIS, and belongs to CSIS, emphasizing that CSE effectively acts as an agent of CSIS in supporting section 16 activities. NSIRA is of the view that this is not a complete representation of the lifecycle of information collected by CSE in its assistance. By approving CSE’s section 16 intelligence reports, CSIS effectively releases ownership of this information to CSE, which was not conveyed to the Federal Court by CSIS in its affidavits detailing the reporting and use of section 16 information.

CSE’s treatment and dissemination of this information differs from the stringent standards communicated to the Court by CSIS, particularly when it pertains to Canadian public officials and other sensitive groups. NSIRA believes that fully describing the CII disclosure process during warrant applications is necessary to support the process of imposing any terms and conditions advisable in the public interest, as contemplated by paragraph 21(4)(f) of the CSIS Act.

Given the findings of the review, NSIRA recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII incidentally collected under the authority of federal court warrants related to section 16 investigations.

Conclusion

NSIRA’s findings and observations over the course of this review indicate that CSE’s implementation of its disclosure regime may not be in compliance with its obligations under the Privacy Act. Throughout this review, CSE has defended practices that NSIRA believes do not reflect a commitment to rigorous implementation of the Privacy Act. Finally, CSE has released CII as part of its assistance to CSIS in a manner that contradicts the procedures communicated to the Federal Court.

Accordingly, NSIRA made a number of recommendations as outlined above, to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

Share this page
Date Modified:

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019

Completed Reviews

Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019


Backgrounder

In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The framework aimed to establish a coherent and consistent approach across government when sharing and receiving information with Foreign Entities. Following this, Ministerial Direction was issued to applicable departments in 2011 on Information Sharing with Foreign Entities, and then again in 2017 on Avoiding Complicity in Mistreatment by Foreign Entities.

On July 13, 2019, the Avoiding Complicity Act came into force. This Act codifies and enshrines Canada’s commitments in respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment.

On September 4, 2019, pursuant to section 3 of the Act, the Governor in Council (GiC) issued written directions to the Deputy Heads of the following 12 departments and agencies: Canada Border Services Agency (CBSA), Canada Revenue Agency (CRA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment (CSE), Department of Fisheries and Oceans Canada (DFO), Department of National Defence and Canadian Armed Forces (DND/CAF), Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Global Affairs Canada (GAC), Immigration, Refugees, and Citizenship Canada (IRCC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP) and Transport Canada (TC).

The GiC issued directions focused on three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.

Pursuant to section 7 of the Act, every Deputy Head having received direction must, before March 1 of each year, submit to the appropriate Minister a report regarding the implementation of those directions during the previous calendar year. Following this, every Deputy Head must, as soon as feasible after submitting the report, make a version of it available to the public.

Date of Publishing:

Executive Summary

The Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, September 4, 2019, to the end of the previous calendar year, December 31, 2019. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Act.

While this was the inaugural annual review under the NSIRA Act, it builds upon previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on information sharing with Foreign Entities is an example. The results from this previous review were sent to applicable departments in July 2020. NSIRA is building upon this previous review and strongly supports the findings and recommendations within it. As of the date of this report, departmental responses have not been received regarding the recommendations provided in NSIRA’s July 2020 Ministerial Direction review.

(U) It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period.

To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Act and the directions. The responses and associated information captured departmental activities related to the Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. NSIRA believes that having a robust framework is an essential part of an effective implementation of the directions departments have received.

Beyond the specific requirements of implementation, the information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken since the review period to build and formalize their frameworks. This information and knowledge will help set up the foundation for future reviews and assist efforts on creating consistent implementation across departments. While many of the issues discussed in this report go beyond the specific requirements of the directions, their consideration is critical to the overall improvement of the implementation process and how departments ultimately support the Act. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions and look closely at specific cases and departmental legal opinions to guide review findings.

While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments are employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach. And while departments will always require unique aspects in their sharing frameworks to address the unique characteristics of their mandates and activities, to improve the implementation process, a goal all involved likely have, the identification and sharing of best practices is critical.

For example, determining the best means for having a unified approach when engaging with foreign entities of concern or ensuring that an information sharing activity is consistently evaluated for risk by all departments. The recommendations provided on these issues in this review capture what NSIRA believes to be important concerns and considerations for supporting and improving departmental implementation.

Additionally, as the directives received under the Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the community to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, but also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Act across the community.

Authorities

This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity Act.

Introduction

Focus of the Act

In the same spirit as the Ministerial Direction (MD) that preceded it, the Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department and a foreign entity. The Act also aims to limit the use of information received from a foreign entity that may have been obtained through the mistreatment of an individual. While the previous MD guided the activities of a selection of Canada’s security and intelligence departments, the Act broadened this scope to capture all departments whose interactions with foreign entities included information exchanges where such a concern may apply.

The focus of the Act is to ensure departments take the necessary steps during their information sharing activities to avoid contributing in any way to the mistreatment of an individual. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. There is an expectation that each department will satisfy these requirements by leveraging departmentally established mechanisms and procedures, or frameworks that will allow each department to confidently demonstrate how it has responded to its responsibilities under the Act.

During the first year that the Act was in force, written directions using nearly identical language were sent to the Deputy Heads of 12 departments. In regard to disclosure, the directions read as follows:
“If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

With respect to requesting information, the directions state:
“If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”

Lastly, as it relates to the use of information, the directions indicate:
“The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department

  • (a) in any way that creates a substantial risk of further mistreatment;
  • (b) as evidence in any judicial, administrative or other proceeding; or
    (c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.”

At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. This determination is done on a case-by-case basis. Each department is responsible for making these determinations as it applies to its activities. Following the outcome of a department’s determination of these important questions, cases may be approved, denied, or elevated to the Deputy Head for consideration. For the latter cases, this then results in additional reporting requirements for the Deputy Head. Throughout this process, there is also a requirement to ensure the accuracy, reliability, and limitations of use of all information being handled.

Review Objectives

After the Avoiding Complicity Act came into force in July 2019, the Governor in Council’s written directions were sent to each applicable department in September 2019. The period for this year’s review is September 4, 2019 to December 31, 2019. The short timeframe (approximately 4 months) associated with this year’s review means that departments are being assessed, in large part, on what they would already have had in place to address risks of mistreatment associated with information sharing, or what they were able to implement in a four-month window. NSIRA is cognizant that for the departments that were not previously subject to the 2017 MD on Avoiding Complicity in Mistreatment by Foreign Entities, the timeframe to implement the written directions was somewhat limited, as it would have been challenging to create and operationalize new procedures such that they would be reflected in the department’s activities during the period being reviewed.

While it was essential to ensure that both NSIRA and the departments being reviewed met their obligations, these challenges were kept in mind when evaluating the objectives for this first review. Given these considerations, the objectives of this year’s review were to determine whether:

  • departments had fully implemented the directions received under the Act in conformity with the obligations set out therein;
  • departments had established and operationalized frameworks that sufficiently enabled them to meet the obligations set out in the Act and directions; and,
  • there was consistency in implementation across applicable departments.

Methodology and assessment focus

To capture a complete view of the departmental implementation of the Act, NSIRA constructed a series of questions related directly to every department’s obligations under the Act and the directions. The responses and associated information captured what specific activities took place during the review period and what departmental frameworks were leveraged to adequately support these activities.

The information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken to build and formalize their frameworks to meet their obligations under the Act and directions. The information provided and the knowledge gained will help set up the foundation for future reviews and help create consistent implementation across departments.

The method used to gather information during a global pandemic was designed for this first and unique review period. We believe it allowed departments to quickly and efficiently indicate both whether the directions had been implemented, and what frameworks, processes, and policies had been leveraged or put in place.

Responses to many of the RFI questions were simply yes/no answers. Often, answers were dependent on what information handling activities took place with foreign entities by the department during the review period. As such, a number of questions could be returned with ‘not applicable’, and this was an acceptable response. Many of the questions were related to specific and easily defined requirements under the Act and its associated directions, e.g. ‘was a report submitted to the Minister?’ or ‘Did the Deputy Minister inform the applicable bodies of all their decision made under the act?’.

Other questions were designed to capture the details of the underlying processes that supported a department’s implementation, i.e. a department may indicate that they ensured no substantial risk of mistreatment was present in any of their information sharing activities, but how did they support this claim? Likewise, for an assertion that a possible substantial risk of mistreatment had been mitigated, what was in place that allowed a department to make this assertion? Therefore, this series of questions required sufficiently detailed responses to fully capture what a department had in place that allowed it to confidently state that it has met its implementation obligations under the Act and the issued directions.

Finally, a portion of the questions was intended to capture the level of uniformity in implementation across departments. This includes such things as country/entity assessments, triage practices, and record keeping. Much of this information will also help with recommendations going forward. This multi-faceted approach resulted in three main areas being evaluated to assess implementation for this review period and help set the groundwork for future reviews.

  • Departments have clear and comprehensive frameworks, policies, and guidelines such that they can demonstrate how they have fully implemented the directions under the Act.
  • All reporting requirements associated with both the Act and its applicable directions have been met.
  • Differences or gaps associate with areas such as country/entities assessments, record keeping, case triage, etc., such that consistent implementation across departments would be challenging.

Summary of the results table

The table in Annex A captures a summary of both the departmental responses to the implementation questions and NSIRA’s assessment regarding these responses. The assessment was based on the associated details provided by departments in the context of the specific information requested. As explained above, many of the responses were returned as not applicable (n/a). Since many implementation requirements are connected to specific activities, the absence of such activities would mean that the requirement does not come into play. The best example of this for the current review is the absence of any Deputy Minister level determinations. All 12 departments indicated that they did not have any cases referred to the Deputy Minister level for determination. All additional reporting requirements associated with this level of decision were not applicable and thus considered satisfied.

If a specific requirement was not met, it was flagged. The relatively few instances of this were connected with departments not meeting certain reporting obligations under the Act. In all cases, the department involved pre-identified these missing requirements and indicated that efforts were underway to address them.

The concerns and findings captured in the table (and others) are discussed subsequently. A concern was flagged in two situations: where there was an uncertainty associated with a department’s ability to support their implementation requirements; and cross-cutting issues related to general aspects of all of the frameworks described, both of which led to the findings and recommendations proposed.

Findings and Recommendations

Realities of Implementation for 2019

A challenge for departments for this first review was associated with one of the assessment items listed above, i.e. whether they had established frameworks to demonstrate how they supported the implementation of the directions they received.

With the Avoiding Complicity Act coming into force in July 2019, it was not feasible that departments would create and stand-up new frameworks for information exchanges in time for the period being reviewed. Although the Act did specify several Deputy Heads that were to receive directions, it only included those who received the previous 2017 MD. The remaining new departments received their directions in September 2019. Regardless of this two-month difference, each department would have been required to rely on, to some extent, existing procedures when handling information sharing with foreign entities during the review period.

This put the departments that had previously formalized policies and processes at an advantage when implementing the directions. For those departments who were not subject to the previous 2017 MD on information sharing, NSIRA considered how they leveraged and adjusted what was already in place to respond to their new responsibilities under the Act. What we then expected to see, for all departments, was what subsequent steps were taken during the review period and afterwards, to either adjust or create frameworks to better meet implementation requirements going forward. NSIRA noted that in response to questions on frameworks for handling information and mitigating risk, several of the departments new to the considerations of the Act provided extensive detail on their efforts and progress on building out their frameworks to support the directives. References to having these frameworks formalized over the subsequent year were also encouraging.

Finding no. 1: NSIRA found that several departments, new to the considerations of the Act, described considerable progress being made during the review period and afterwards to build out formalized frameworks to support implementation.

Importance of establishing operational framework

As discussed, having fully established operational frameworks in place for this review period may not have been feasible for the departments that did not previously have processes to support their activities. This, however, did not exempt a department from the requirements of implementation. Each department was still expected to leverage what it currently had in place to properly address the concerns associated with the Avoiding Complicity Act. Furthermore, there was a logical follow-on expectation that departments would take subsequent steps to build out formal frameworks to address any perceived gaps to support the implementation of the Act going forward if necessary.

After reviewing the responses received, NSIRA is concerned that departments with minimal information sharing activities taking place during their operations have yet to address the necessity of having a robust framework in place, regardless of how often that framework is leveraged. For example, although PS and TC may primarily act as facilitators or coordinators for information exchanges on specific programs, they are still interacting with foreign entities, and therefore are required to fully assess their interactions with a foreign entity in this regard.

If a department without a formal framework assesses that it has few or no cases associated with the Act, then it may believe it is adequately positioned to address any sharing concerns should they arise. This, however, is not the case. Even single instances of information exchange in which the concerns of the Act may apply require a framework to support it properly. In many cases, it will be the framework itself that properly identifies whether a sharing activity raises concerns under the Act. If there is no formal process in place, then this identification becomes problematic. Simply saying that there are no cases or activities associated with the Act is not sufficient. That determination can only be made after a sharing activity is scrutinized through the lens of a robust framework. Going forward, all departments who receive directions should demonstrate a formal framework that ensures all information sharing activities are adequately evaluated against the considerations of the Act.

Finding no. 2: NSIRA found that departments conducting minimal information exchanges with foreign entities have not yet fully addressed the importance of having an official information sharing framework in place.

Recommendation no. 1: NSIRA recommends that all departments in receipt of directions under the Act have an official framework that ensures they can fully support their implementation of the directions.

Community coordination and best practices

While departmental coordination and the sharing of best practices are not a requirement of the Avoiding Complicity Act or the directions, NSIRA considered such an approach’s value. What became clear during this first review was that every department employs a very different framework to guide their information sharing activities with foreign entities. This is to be expected to some extent, given the different mandates, sharing requirements, and areas of focus associated with each department. However, these differences are also a reflection of the independent, internal development that has taken place for the different frameworks being used. While the departments receiving directions under the Act do interact on this subject to some extent, to date, based on the responses provided, it appears that the majority of the work done by the departments to build supporting frameworks to address their responsibilities associated with the Act have been done so independently. There was little to no overlap with how departments described the various aspects of their frameworks, even amongst the departments subject to the earlier MD on this issue.

There would be value in departments collectively identifying the key aspects common or required in all information exchanges with foreign entities and then working together to craft best practices, irrespective of what a department currently has in place. This process should draw on all available resources to make this determination. Each department can then turn to their existing frameworks to consider where and how they can be adjusted to match this community-agreed upon ideal. This is not to say that aspects of what a department already has in place in their framework will not ultimately be seen as the best practice. Several departments do have robust sharing frameworks in place, and these will contribute significantly to this exercise. However, arriving at this determination independently will provide an additional level of confidence.

Department-specific challenges, of course, cannot be ignored. In fact, they will weigh in strongly on such a conversation. Departments share information under their mandates for various reasons, and this will mean that coordination on certain aspects of a sharing framework may not be possible. However, this needs to be evaluated. It is important that what already exists, or what is hard change, does not unduly influence what may be best. This approach will create uniformity (where possible) across the community and provide a starting point for ‘must haves’ for each department to evaluate their existing processes against.

The Public Safety Information Sharing Coordination Group (ISCG) was established to support departments on information sharing. As such, it is in an ideal position to help mitigate issues arising from the lack of coordination. Leading such efforts would build on the work already being done by this group. During recent discussions with NSIRA, the ISCG indicated that the tracking of lessons learned and the sharing of best practices was not yet routine. Going forward, there would be value in a more coordinated effort when departments are updating/changing their framework. Ensuring that this coordination takes place will require support and leadership by senior-level officials. This will help in sharing best practices once identified, and establish more consistent approaches across departments.

Finding no. 3: NSIRA found that the differences and variability in departmental frameworks demonstrate a previous lack of coordination across the community and a need to identify best practices.

Recommendation no. 2: NSIRA recommends that departments coordinate to identify best practices for all essential components of information sharing frameworks and that the ISCG is leveraged to ensure these practices are shared where possible across the community to support the implementation of the Act.

Framework application inconsistency

A series of questions in this review was related to aspects of consistency in how departments apply their frameworks. From this series, a comparison was made on how many times an information sharing/use event triggered an evaluation of any kind against the considerations of the Avoiding Complicity Act, versus how many of these triaged cases were elevated or referred up for decision. The results helped gauge two important aspects of a framework: One, the threshold requirements, i.e. how often a sharing activity triggers an evaluation of any kind; and two, the decision making power given to the operators who are initially handling these activities.

The feedback and the responses received demonstrate potential inconsistencies in both aspects across departments. For example, several departments indicated zero cases as being triaged/evaluated under the concerns of the Act during the review period, yet also specified that they are involved in regular information sharing or, specified that no information received from foreign entities was derived from mistreatment. These responses appear to be inconsistent as it would be problematic to participate in information sharing or to make such mistreatment determinations without the activity being evaluated on some level.

Other departments indicated a larger number of cases as initial triaged/evaluated, but also indicated that none of them were elevated in their decision making process for higher-level decisions. This would seem to suggest that all determinations were being made at the operational level. Such a result puts significant weight on the operator and the initial assessment tools they are leveraging if they are making all determinations independently. This reinforces the importance of a robust framework to help make these determinations, as previously indicated in Finding no. 2. As a result of these differences, potential challenges arise on accurately assessing the volume of cases being handled by departments, the tracking of those cases deemed to present a substantial risk, those which can be mitigated for, and those where the risk was not found to be substantial or even present.

These responses may result from how each department defines a ‘case’ or how it records a case, or they may be a result of differences in how a department’s decision-making process is leveraged. NSIRA’s concern is that these differences may indicate an inconsistency in application thresholds at different departments. As such, the following results were viewed as a potential issue based on the responses received:

  • if a department was involved in any kind for information exchange with a foreign entity during the review period, but did not indicate that any cases were formally triaged/evaluated; or
  • if there was a significant number of cases triaged, but none were elevated to a higher level for determination.

Such results do not necessarily indicate a problem as aspects of a framework may be able to account for this, however, looking further into how and why the department’s framework produced these outcomes is important. Future reviews will be able to do this. Consistent initial steps for information sharing activities, including triage/evaluation thresholds and documentation, are critical to the effective application of a framework, and ultimately to identifying best practices.

Finding no. 4: NSIRA found that there are inconsistencies in the application of existing sharing frameworks between departments, specifically concerning information evaluation thresholds, and decisions being elevated for senior level determinations,

Recommendation no. 3: NSIRA recommends that departments establish consistent thresholds for triggers in their information sharing frameworks, including initial evaluations against the concerns of the Act, when a case is to be elevated in the decision process, and how this is documented.

Country and entity assessments

A key recommendation of NSIRA’s previous review on information sharing related to the country/entity assessments being used by departments to inform their decision making process when sharing or using information with a foreign entity. While the use of country/entity assessments is not a required aspect of implementing the directions under the Act, NSIRA continues to support this tool as an important aspect of any sharing framework. In its previous review, NSIRA determined that having a firm grasp on the human rights situation, as well as any other pertinent information associated with a country/entity, was essential to making an informed decision on whether there should be concerns, caveats, or limitations when handling information with that country/entity. Moreover, having such information captured to ensure all departments consistently approach these countries/entities is critical. At the time of the previous review, the following recommendation was made:

  • a unified set of assessments of the human rights situations in foreign countries including as standardized ‘risk of mistreatment’ classification level for each country; and
  • to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.

It is important to note that there has been no formal response from departments on this previous recommendation as of the date of this report. Furthermore, during this report, two departments continue to raise concerns with NSIRA’s stance on this issue during the consultation process. While NSIRA continues to support this recommendation, as explained below, further discussions with departments on how to approach this matter may be warranted, specifically on the distinction between how this recommendation may apply to a foreign country/entity vs a specific foreign partner a department may be dealing with.

Based on the responses provided on this topic for the current review period, there is still inconsistency in this area. While almost all departments indicated that country/entity assessments were a standard part of their framework, the responses also indicate differences in which country assessments are used, how they are leveraged, and who is responsible for updating them. For example, several departments rely on their own in-house created assessments, while others leverage the assessments created by Global Affairs Canada and others. While departments who indicated that they are leveraging country/entity assessment tools in their process also indicated that these assessments captured human rights concerns, this has yet to be independently evaluated. NSIRA is concerned that these differences could result in different approaches/stances being taken by departments when dealing with the same foreign entity. While the country/entity assessments tools themselves are not necessarily in question, the fact that every department is not leveraging or does not have access to all useful or applicable information is.

NSIRA remains of the view that having a consistent stance on all countries and entities when implementing the requirements of the Act is important. Issues such as mistreatment and human rights should not be decided at a departmental level, but on a whole-of-government level. While mindful of classification levels, ensuring all departments have access to the same relevant information associated with a foreign country/entity is critical to making an informed decision. Due to the nature of their work, departments may be privy to unique information on a country/entity, some or all of which can be shared. This would lead to fully informed assessments that allow for a consistent approach when dealing with any country/entity. In addition to improving duplication of effort in this area by departments, NSIRA continues to see standardized country and entity assessments, which can be accessed and contributed to by all departments, as key to moving toward a more consistent and effective implementation of the Act across the community

Finding no. 5: NSIRA found a lack of unification and standardization in the country and entity assessments being leveraged by departments, resulting in inconsistencies in approach/stance by the community when interacting with Foreign Entities of concern related to the Act.

Recommendation no. 4: NSIRA recommends that departments identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach by departments when interacting with Foreign Entities of concern under the Act.

Conclusion

While aspects of implementation can be easily quantified and evaluated e.g. reporting requirements to a Minister, others, which support implementation are more difficult to measure, e.g.:

  • What does a sufficiently robust framework for assessing and mitigating risk when sharing with a foreign entity look like?
  • Does this depend on the specific requirements and activities of the department; or,
  • Are there steps that should always be involved when vetting a foreign entity under the considerations of the Act?

Measuring and weighing the answers to such questions is challenging. They are more nuanced, and can’t be as easily quantified. Regardless, they must be considered and addressed. Drawing on the considerations and concerns identified in this review will help departments to ask the questions that will improve their underlying frameworks with the following goals in mind:

  • To identify the essential/key elements that need to be a part of any framework for it to address the concerns associated with the Avoiding Complicity Act sufficiently; and,
  • To have all identified best practices implemented as consistently as possible across departments.

Future reviews will push towards these goals by seeking answers to those questions above. By looking more closely at specific case studies, departmental legal opinions, items of inconsistency, and the departmental frameworks that are already demonstrating best practices that should be shared. Ultimately the results of such efforts will contribute to improving the implementation of the Act across the community.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Self-Identified Privacy Incidents and Procedural Errors

Table of Contents
No header Tag found

Date of Publishing:

Share this page
Date Modified: