Language selection

Government of Canada / Gouvernement du Canada

Search


Review of Information Sharing Across Aspects of CSE’s Mandate – CSE Responses

Recommendation CSE Response

NSIRA Recommendation 1: CSE should obtain additional legal advice on its internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate, explicitly in relation to compliance with the Privacy Act. which thoroughly addresses the following two issues:

  • Whether the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is a use or a disclosure of information for the purposes of the Privacy Act: and
  • Whether uses and disclosures a re done in accordance with sections 7 and 8 of the Privacy Act.
CSE Response: Disagree. CSE does not accept recommendation 1. CSE has already received comprehensive and clear legal advice on this matter from the Department of Justice and has relied on that advice in the conductof its activities (which NSIRA has found lawful).
NSIRA Recommendation 2: All foreign intelligence and cyber security applications from the Chief of CSE should appropriately inform the Minister of National Defence that retained information might be used to support a different aspect. CSE Response:CSE has already implemented the recommended action. CSE notes that it had and continues to inform the Minister a bout the use of information for other aspects of its mandate. Applications for all foreign intelligence and cybersecurity Ministerial Authorizations in 2021-2022 included wording to clearly reflect that information collected under one aspect of CSE’s mandate could be used to support a different aspect.

Share this page
Date Modified:

Review of Air Passenger Targeting by the Canada Border Services Agency (CBSA) – Government responses

NSIRA Recommendation 1: NSIRA recommends that the CBSA document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.

GOC Response: The CBSA agrees with this recommendation. The CBSA will complete a review of its APT triaging practices to ensure practices are in place which will enable effective verification of compliance with statutory and regulatory restrictions.

NSIRA Recommendation 2: NSIRA recommends that the CBSA ensure, in an ongoing manner, that its triaging practices are based on information and/or intelligence that justifies the use of each indicator. This justification should be well-documented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations.

GOC Response: The CBSA agrees with this recommendation. While we are satisfied that justification for triaging and targeting practices exist, the CBSA acknowledges that better documentation practices could be implemented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations. The CBSA’s Scenario Based Targeting Governance Framework will be updated to include information and/or intelligence that justifies the use of each indicator. Annual reviews of scenarios will continue to be conducted and documented to confirm that each active scenario is supported by recent and reliable intelligence.

NSIRA Recommendation 3: NSIRA recommends that the CBSA ensure that any Air Passenger Targeting related distinctions on protected grounds that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights under the Charter.

GOC Response: The CBSA agrees with this recommendation. The CBSA will review its APT practices to ensure that distinctions based on protected grounds are reasonable and can be demonstrably justified in the border administration and enforcement context.

NSIRA Recommendation 4: NSIRA recommends that the CBSA develop more robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. This should include updates to the CBSA’s policies, procedures, training, and other guidance, as appropriate.

GOC Response: The CBSA agrees with this recommendation. The CBSA acknowledges that policies, procedures, training, and other guidance, as appropriate can be improved to ensure robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. The CBSA will complete a review of its policies, procedures, guidelines and training to ensure practices are not discriminatory.

NSIRA Recommendation 5: NSIRA recommends that the CBSA start gathering and assessing the necessary data to identify, analyze, and mitigate discrimination-related risks. This includes disaggregated demographic data, data on the effects of Air Passenger Targeting on secondary examinations that may be apparent from related human rights complaints, and data on a baseline comparator group.

GOC Response: The CBSA agrees with this recommendation. To that end, the CBSA is taking deliberate steps to develop its capacity to capture and analyze reliable and accurate data in non-intrusive ways. The Agency is working on developing standard and consistent positions and frameworks on the collection, use, management and governance of disaggregated data, developing  metrics and indicators to measure the impact of decisions and policies on different groups; using data to build more inclusive and representative policies and strategies, and; identifying possible discrimination and bias.

Share this page
Date Modified:

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2022 – Government Responses

Responses

Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2022 – Government Responses


Government of Canada Response to the Recommendations of the NSIRA Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act (“SCIDA”) in 2022

NSIRA Recommendation Related Findings(s) Government Response Explanation
1. NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE. Finding no. 1: CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA. Agree The Government of Canada recognizes the value of using information sharing arrangements to facilitate the effective and responsible sharing of information between federal institutions that frequently disclose information of a similar nature under the SCIDA. In response to this recommendation, and in consultation with the designated recipient institutions under the SCIDA, Public Safety Canada has developed an information sharing agreement template.

The template has been reviewed by the Office of the Privacy Commissioner of Canada and specifically assessed against the SCIDA, the Privacy Act, the 10 fair information principles of the Canadian Standards Association Model Code for the Protection of Personal Information (the Model Code), applicable Treasury Board of Canada Secretariat (TBS) policies, directives and guidelines, and internationally recognized best practices.

Public Safety Canada has disseminated this template to federal institutions, including those named in NSIRA’s findings and recommendations, so that they may adapt it to their unique operating environments and the types of information that they frequently disclose and receive, while continuing to respect the Charter, the Privacy Act, the SCIDA, as well as other relevant policies, legislation and regulation.

In addition, several departments and agencies have already entered into information sharing agreements to facilitate the disclosure of information under the SCIDA. For example, CSIS and GAC entered into an information sharing agreement in 2016 under the SCISA (the precursor to the SCIDA). The agreement outlines the types of information that GAC may share with CSIS. While it is still in effect, it is currently being reviewed to ensure the scope remains current. CSIS and IRCC are currently holding preliminary discussions to establish an information sharing agreement to address disclosures under SCIDA. IRCC and CSE also recently signed an information sharing agreement, as recommended in the 2020 SCIDA Annual Report.

2. NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
Finding no. 2: CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.

Finding no. 3: Improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:

  • a row for each disclosure made or received;
  • columns explicitly tied to each individual paragraph under section 9; and
  • additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.
Agree The Government of Canada recognizes the importance of keeping records of SCIDA disclosures and receipts, as required under the Act.

Public Safety Canada assists partners in adopting best practices that facilitate ease-of-review and improve compliance. Government of Canada partners implement Public Safety Canada’s guidance in a manner that complies with the SCIDA and works best with their unique mandates and internal procedures.

In March 2023, the Step-by-Step SCIDA Guide 2022 (“SCIDA Guide 2022”) was updated and published on Public Safety Canada’s public-facing webpage. The SCIDA Guide 2022 includes templates that support federal institutions with their record-keeping requirements. Public Safety Canada will continue to review and update existing SCIDA resources, including advice pertaining to record keeping. Public Safety Canada has also circulated a record overview template that NSIRA found particularly effective during the course of its 2022 review.

In addition, CSIS has developed clear policy and subsequent guidelines on how to handle and document information disclosures in line with the SCIDA, including a requirement to maintain a record overview along with an associated template. This template has been adjusted for clarity based on feedback from NSIRA’s 2022 review. The CBSA and IRCC have also reviewed their current operational and reporting practices with regards to SCIDA and are making the necessary functional adjustments to ensure that they remain compliant in future information sharing activities.

3. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
Finding no. 5: More than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.

Finding no. 6: within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.

Agree The Government of Canada recognizes the importance of the SCIDA’s contribution and proportionality tests in 5(1)(a) and 5(1)(b), respectively. It also recognizes the need for disclosing institutions to demonstrate their satisfaction that these two tests are met for each disclosure by providing NSIRA with a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.

Through the publication of the SCIDA Guide 2022 and the delivery of training sessions, Public Safety Canada has provided guidance to federal institutions on ensuring that the contribution and proportionality thresholds are met when disclosing information under the SCIDA.

Recently, IRCC has added a new “Proportionality” section to their SCIDA template to require that the delegated official documents their satisfaction that the disclosure is authorized under paragraph 5(1)(b) before disclosing personal information to a recipient institution.

In addition to disclosing institutions having to satisfy the contribution and proportionality tests, CSIS independently assesses its authority to collect and retain the disclosure under the CSIS Act as a recipient institution. This includes an obligation for CSIS to ensure that the collection and retention of a SCIDA disclosure is compliant with all relevant legislation, including the Avoiding Complicity in Mistreatment by Foreign Entities Act. The SCIDA procedure published in 2022 includes direction on processing disclosures that do not meet CSIS’ threshold for collection, ensuring that the disclosure is appropriately documented and destroyed.

4. NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1). Finding no. 7: GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases. Agree The Government of Canada recognizes the value of general informal discussions ahead of SCIDA disclosures.

The SCIDA Guide 2022 emphasizes the importance of preliminary, high-level consultations between disclosing and recipient institutions prior to a disclosure in a manner that does not itself constitute a disclosure. The guidance specifies that informal communication should only include enough general information to ensure that the SCIDA contribution and proportionality thresholds are met before making a disclosure.

Annex F of the SCIDA Guide 2022 outlines the national security mandates of the designated recipient institutions under SCIDA. Public Safety Canada endeavours to keep the mandates updated to aid disclosing institutions in making their assessment required under subsection 5(1).

5. NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
Finding no. 8: Within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.

Finding no. 9: In relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statement in the disclosures’ cover letters.

Agree The Government of Canada notes that providing statements on the accuracy and reliability of the manner in which information was obtained in a cover letter or in the disclosure itself both satisfy the legislated requirement under subsection 5(2) for disclosing institutions to provide such a statement.

The Government of Canada recognizes the additional value of including the statements in the actual disclosure, especially in the event of onward disclosure. Public Safety Canada will update its guidance to reflect this best practice.

6. NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.
Finding no. 10: DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”

Finding no. 11: Delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.

Agree The Government of Canada recognizes the need to destroy unnecessary information as soon as feasible under the SCIDA, as well as the value of timely disclosures.

Government of Canada institutions each have their own systems, standards and procedures for physically and/or electronically sending and receiving information. Departments and agencies will work to review their own processes to ensure information is handled efficiently and appropriately in compliance with the SCIDA and other legislation.

Share this page
Date Modified:

Review of the Canadian Security Intelligence Service’s (CSIS) use of Geolocation information – CSIS responses

Geolocation Data Tool (SIRC 2018-05)

NSIRA Recommendation: NSIRA recommends that CSIS review its use of [the geolocation tool] to date and make a determination as to which of the operational reports generated through the use of [the geolocation tool] were in breach of section 8 of the Charter. These operational reports and/or any documents related to those results should be purged from its systems.

CSIS Response: CSIS has received advice from the Department of Justice on its use of a geolocation data tool in Canada and the disposition of information derived from its use. CSIS is working to implement this advice to ensure compliance with the Charter, CSIS Act and other legal obligations.

More broadly, CSIS recognizes that keeping pace with the global threat environment and rapid technological change necessitates continuous reflection to ensure that we have the tools, authorities required of a modern intelligence agency; CSIS must be fully equipped to protect Canada’s national security. Canadians expect CSIS to leverage technology to keep them safe in a manner that is entirely in keeping with the Canadian expectation of privacy.

NSIRA Recommendation: NSIRA recommends that policy be developed or amended as appropriate that would require a documented risk assessment, including legal risks, in situations like [the geolocation tool] when information collected through new and emerging technologies may contain information in respect of which there may be a reasonable expectation of privacy. If not, NSIRA further recommends that a policy centre for this type of collection be clearly identified.

CSIS Response: CSIS is modifying its policy framework to address this recommendation. This aligns with the most recent Ministerial Direction on Accountability from September 2019. The MD requires CSIS to notify the Minister of Public Safety when a novel technology is used.

Share this page
Date Modified:

Review of the Canadian Security Intelligence Service’s (CSIS) Internal Security Branch – CSIS responses

CSIS Internal Security (SIRC 2018-15)

NSIRA Recommendation: CSIS develop an internal policy, in consultation with Treasury Board Secretariat (TBS), outlining parameters on reporting information obtained during the course of IS screening, inquiries, and investigations to law enforcement in a timely manner.

CSIS Response: CSIS has established an internal set of procedures for disclosing information obtained during the course of Internal Security screening to law enforcement, as required. CSIS will continue to review these procedures and will continue to seek legal advice from the Department of Justice regarding these disclosures, as required. CSIS and the Department of Justice have a collaborative relationship that fosters discussion and allows for robust engagement in these matters.

NSIRA Recommendation: CSIS strengthen internal governance over polygraph activities, including modifying the methodology for conducting polygraph assessments, as appropriate.

CSIS Response: CSIS considers the findings and observations in this review as an opportunity to enhance its internal processes. As such, CSIS is working to address this recommendation by strengthening internal governance. New policy and procedures will provide clarity, accountability and transparency to its polygraph program by outlining roles and the ethical and procedural responsibilities of polygraph examiners.

NSIRA Recommendation: CSIS update applicable policy and procedures on the use of the polygraph to address security and procedural fairness implications stemming from failed polygraph results.

CSIS Response: CSIS values the important work done by the National Security and Intelligence Review Agency (NSIRA). To address gaps identified by NSIRA, CSIS is currently updating the polygraph policy and procedures to ensure an enhanced degree of transparency and procedural fairness.

NSIRA Recommendation: IS further align its overarching policy suite with the assessment criteria for adverse information outlined in the Standard on Security Screening, as well as update the its Questionnaire Guidebook with clear definitions and risk indicators.

CSIS Response: CSIS continually engages in the process of updating its guides, procedures and policies. CSIS will ensure that procedures are well aligned with the Treasury Board Secretariat’s Standard on Security Screening. Providing consistency in assessments between cases remains a priority.

Share this page
Date Modified:

Review of the CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation – NSIRA recommendations and CSIS-RCMP responses

Responses

Review of the CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation – NSIRA recommendations and CSIS-RCMP responses


CSIS-RCMP relationship in a region of Canada through the lens of an ongoing investigation (NSIRA 2019-04)

NSIRA Recommendation: CSIS invest the resources needed to develop a broader range of sources of information in order to prevent further serious damage to the reviewed investigation.

CSIS-RCMP Response: Due to the variety of factors inherent in each investigation, CSIS always considers how best to collect information and mitigate threats, drawing on a number of tools and resources – in accordance with the CSIS Act and ministerial direction – dependent on the situation.

NSIRA Recommendation: CSIS and the RCMP prioritize the deployment of usable and compatible secure communications systems in order to make regional de-confliction more efficient.

CSIS-RCMP Response: CSIS and the RCMP are prioritizing the deployment of compatible secure communication. The CSIS Director and the RCMP Commissioner approved the development of a CSISRCMP Secure Communications Strategy, the implementation of which is already underway.

NSIRA Recommendation: CSIS and the RCMP continue to prioritize the timely implementation of recommendations from the Operational Improvement Review (OIR) in order to help address the operational shortcomings reported by the OIR and further illustrated in this review.

CSIS-RCMP Response: CSIS and the RCMP remain committed to implementing the OIR recommendations as well as the implementation of One Vision 3.0.

The OIR resulted in 76 recommendations, some of which include enhanced collaboration and information sharing in national security investigations, additional training for national security personnel, as well as the improved handling and disclosure of sensitive and classified information. Significant effort has been undertaken to ensure recommendations are adopted and implemented within both organisations. Some of the early successes include pilot projects such as the Leads Pilot that has resulted in enhanced CSISRCMP de-confliction within national security areas of focus.

The RCMP and CSIS continue to be fully supportive of implementing these needed changes to our organisations. This work, and efforts of the broader community, will ensure that the Government of Canada has a strong foundation of enhanced collaboration and the best tools available to mitigate threats and ensure public safety. This complex work however, is ongoing and challenges remain, particularly as it relates to the issue of intelligence and evidence. These significant challenges will require a whole-ofgovernment approach in order to address.

NSIRA Recommendation: CSIS and the RCMP develop a properly resourced complimentary strategy to address the threat examined in this report. In accordance with the vision set out in the Operational Improvement Review, the strategy should consider the full range of tools available to both agencies.

CSIS-RCMP Response: CSIS and the RCMP coordinate and collaborate on national security threats and use strategies and resources best suited to individual operations.

As a result of the OIR, discussions between CSIS and the RCMP are more frequent and occur earlier in the process which has reduced the duplication of efforts between both of our agencies

Share this page
Date Modified:

Review of CSIS threat reduction activities – NSIRA recommendations and CSIS responses

CSIS Threat Reductions Activities (NSIRA)

NSIRA Recommendation: CSIS create an accountability framework for information related to TRMs, and that this information be documented and retained in a central, easily retrievable location.

CSIS Response: CSIS’s robust governance framework for its TRM authorities has been the subject of review by both SIRC and NSIRA. As a result of these reviews, considerable adjustments have been made to the governance of TRMs.

CSIS is developing an improved organisational case management tool. While that work occurs, CSIS is implementing interim measures to respond to NSIRA’s recommendations. Finally, CSIS is leveraging additional communication methods to ensure awareness of the TRM specific requirements.

NSIRA Recommendation: CSIS create a formalized and documented process that ensures pertinent facts regarding TRM subjects are provided to the National Security Litigation and Advisory Group (NSLAG) to ensure that it has the information necessary to provide considered legal advice on the identification and selection of interviewees for inclusion in TRMs.

CSIS Response: CSIS and the Department of Justice have a collaborative relationship that fosters discussion and allows for continuous engagement. When parliament established CSIS’s threat reduction mandate, CSIS worked closely with the Department of Justice to develop an appropriate and robust governance framework. This framework includes a formal and documented process to seek a legal risk assessment as well as practical guidance regarding relevant information and level of detail required for TRM submissions.

CSIS engages the Department of Justice to ensure all requirements of the CSIS Act are met including consideration that measures are reasonable and proportional to the threat and warrants are obtained if required. CSIS ensures this guidance is applied so that TRMs remain lawful and respect all Canadian laws, including Charter rights and freedoms.

NSIRA Recommendation: CSIS develop an accountability framework for compliance with legal advice on TRMs, including documenting when and why legal advice was not followed.

CSIS Response: CSIS’s compliance framework provides an opportunity to report instances of potential non-compliance with Ministerial Direction, internal policies or procedures, and the law. In instances where this may occur, CSIS’s Compliance program remains well situated to complete requisite fact finding and engage with the Department of Justice.

The Department of Justice provides advice to ensure TRMs remain lawful and respect the right of Canadians. CSIS diligently applies these principles and guidance from the Department of Justice in the execution of all TRMs. While advice from the Department of Justice does not provide explicit and tactical directions on the execution of TRMs, CSIS considers all Justice advice during its operational deliberations.

NSIRA Recommendation: When considering whether a Charter right is limited by a proposed TRM, NSLAG should undertake a case-by-case analysis that assesses factors identified in our report.

CSIS Response: The Department of Justice will further consider this recommendation and factor it into its work related to TRM under the CSIS Act. CSIS and the Department of Justice will continue to build their long-established and collaborative relationship in order to improve and refine the governance of TRMs.

Share this page
Date Modified:

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information – CSE responses

Responses

Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information – CSE responses


CSE Management Response to NSIRA Review of 2018-2019 Disclosures of Canadian Identifying Information

NSIRA delivered its classified review to the Minister of National Defence in November 2020.

Throughout NSIRA’s review of CSE’s disclosure process, CSE responded to NSIRA requests in a timely manner and offered to provide additional context and briefings to NSIRA regarding CSE processes.

Importance of independent external review

CSE values independent, external review of our activities, and we remain committed to a positive and ongoing dialogue with NSIRA and other review and oversight bodies.

This oversight frameworks allows us to deliver our important mission of foreign intelligence, cyber security and foreign cyber operations in a way that demonstrates accountability, and that builds trust and confidence with Canadians.

CSE operates within a culture of compliance, grounded in our understanding of and commitment to our legal and policy regime, and evidenced by our record of self-reporting and addressing incidents and errors that may occur.

We appreciate NSIRA and their continued work to provide Canadians with greater insight and understanding of the important work that CSE does on a regular basis to keep Canadians safe.

We accept the recommendations aimed at improving our processes, yet are concerned that the overall conclusions do not fully appreciate CSE’s commitment to, and work on protection of privacy.

Canadian Identifying Information and CSE’s Commitment to Privacy

CSE is Canada’s national lead for foreign signals intelligence and cyber operations, and the national technical authority for cybersecurity. We provide critical foreign intelligence and cyber defence services for the Government of Canada (GC). Protecting Canadian information and the privacy of Canadians is an essential part of our mission.

CSE does not direct its foreign signals intelligence activities at Canadians or anyone in Canada. The CSE Act, however, recognizes that incidental collection of Canadian communications or Canadian information may occur even when targeting only foreign entities outside Canada. CSE takes very seriously our responsibility to protect Canadian privacy interests that may occur as a result of this incidental collection.

In the event that Canadian information is incidentally acquired in foreign signals intelligence collection, CSE may include obfuscated references to Canadian individuals or organizations in intelligence reporting if those references are essential to understand the foreign intelligence.

The obfuscation of this Canadian Identifying Information (CII) in reporting represents one of many layered privacy measures that are applied at different points in CSE’s end-to-end intelligence process. These include, among others, legal and policy training and on-site support for intelligence analysts, mandatory annual privacy tests for all operational employees, data tagging and auto-deletion, strict retention limits, specific handling guidelines, escalating approvals for reporting that includes CII, compliance spot checks, and separate vetting processes for disclosing obfuscated information and taking action on intelligence reporting.

Pursuant to the Privacy Act, government clients who receive CSE foreign intelligence reports may ask for obfuscated CII to be “disclosed” to them if that information relates directly to their department’s operating program or activities. Any disclosed CII is provided solely to inform their understanding of the foreign intelligence presented in the report. Government officials may not take action, share or otherwise use the CII disclosed to them under the disclosure process.

CSE continually refines its CII disclosure process. For example, to help support audit and review, CSE implemented a requirement for government clients to provide an operational justification to support their CII disclosure requests. It is important to note, however, that this is a matter of internal policy and that the Privacy Act does not require the documentation of legal authorities before information can be collected and disclosed.

Review Recommendations

CSE is committed to continuous improvement. We know that the recommendations from independent external review play an important role in that improvement. CSE has 25 years of experience working with the Office of the CSE Commissioner and now NSIRA to help improve our processes. We thank these review bodies for their work to help build trust and confidence with Canadians.

CSE continuously refines our privacy-protection measures, including those associated with the disclosure process. Improvements made over the past decade have been informed by the recommendations made by the CSE Commissioner as part of his annual reviews of CSE’s CII disclosures. Prior to NSIRA taking over review duties, CSE had accepted and implemented 95% of the recommendations made by the CSE Commissioner. Those not adopted were duplicative or overtaken by events such as new legislation. In his final 2018-2019 review, the Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction.

In this NSIRA review, as with previous CSE Commissioner reviews, we appreciate and have accepted the recommendations aimed at improving our internal policies and practices.

Given the overlap in this review period between the two bodies, certain NSIRA recommendations duplicate some presented in the CSE Commissioner’s reviews. As a result, we are pleased to note that many have already been implemented at this time; other NSIRA recommendations are in the process of being implemented.

Review Findings

Throughout this CII disclosure review, CSE provided extensive feedback and context to NSIRA, and sought clarification regarding the assessment criteria used to determine adequacy or inadequacy of specific records, the vast majority of which were deemed adequate by NSIRA. Without explaining the methodology used to support the findings, we are concerned that broad generalizations based on specific aspects of certain records within a single privacy measure may leave the reader with an incorrect impression about CSE’s overall commitment to privacy protections for Canadians.

CSE’s case-by-case process for disclosing CII to authorized GC recipients is part of robust and comprehensive internal measures that protect Canadians’ privacy. We balance the sharing of our intelligence with the privacy and safety of Canadians at all times. CSE disclosure analysts receive training and follow internal policies, guidelines and standard operating procedures to guide decision making.

While committed to implementing the recommended process improvements contained in the report, CSE remains concerned by NSIRA’s overall conclusions and characterization of the disclosure process and its role in the broader privacy framework, which we have expressed to NSIRA.

Referral to Attorney General of Canada

The Minister of National Defence submitted NSIRA’s classified report to the Attorney General of Canada in January 2021, supported by a comprehensive analysis of each record identified by NSIRA in its review.

The analysis supports the view that our activities, including applying protections for the privacy of Canadians, were conducted within a robust system of accountability, including compliance with the Privacy Act.

Additional Information

Top Secret-cleared and special intelligence-indoctrinated GC clients received thousands of foreign intelligence reports via CSE’s mandate under the CSE Act. These reports corresponded to Cabinet-approved intelligence priorities and were delivered to government clients who had both the authority to receive them and the ‘need to know’ their contents.

These reports reflect a wide range of intelligence requirements, from support to Canadian military operations, espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others. While only a very small percentage of these reports contain obfuscated CII, the underlying Canadian information is often essential for GC officials to understand the context of the threat and its Canadian nexus.

Share this page
Date Modified: