Date of Publishing:
OTTAWA, February 22, 2022 – A review of information sharing related to national security under the Security of Canada Disclosure Act (SCIDA) has found the vast majority of disclosures by federal organizations to be in compliance with the requirements of the Act. There were, however, a few cases that raised significant concerns, particularly one disclosure by the Royal Canadian Mounted Police (RCMP) that involved the personal information of thousands of people.
This was the first-ever joint review by the National Security and Intelligence Review Agency (NSIRA) and the Office of the Privacy Commissioner of Canada (OPC).
The joint report on disclosures under SCIDA has been tabled in Parliament. NSIRA earlier carried out a review of 2019 disclosures.
Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment were the primary recipients of information under SCIDA in 2020. The RCMP was also one of the top recipients of information and made a number of disclosures itself.
The primary disclosers of information included Immigration, Refugees and Citizenship Canada, which was responsible for 159 disclosures, or approximately 74% of all disclosures in 2020, many of which related to information contained in passport applications, primarily confirming citizenship status or to provide biographical information.
Global Affairs Canada was responsible for 40 disclosures (approximately 19%), many of which contained information gathered by diplomatic missions regarding the movements of individuals in foreign countries.
The review found that 212 of 215 disclosures of information in 2020 met the requirements of a disclosure test set out under SCIDA.
The review found that most of the disclosures involved one or a few individuals. A handful involved larger numbers of people, including one of particular concern, which accounted for the vast majority of individuals affected by SCIDA disclosures in 2020.
In that case, the RCMP disclosed to the Department of National Defence and the Canadian Armed Forces the biometric information of thousands of men, women and children detained by a foreign entity on suspicion of being members or supporters of a terrorist organization.
The review raised concerns about that instance because it involved the RCMP disclosing highly sensitive information based on incomplete data. The missing information would have been necessary to properly assess both the effect on privacy interests and the reasonable necessity of the disclosure, as required by SCIDA.
Following their review, NSIRA and the OPC made 11 recommendations aimed at improving compliance with SCIDA. These related to, for example, record keeping, governance and measures to ensure SCIDA’s disclosure test is met.
NSIRA and the OPC are calling on institutions to implement the recommendations within six months.
For more information, please contact:
National Security and Intelligence Review Agency
Office of the Privacy Commissioner of Canada