Date of Publishing:

Government Institution

National Security and Intelligence Review Agency Secretariat

Government official responsible for the PIA

John Davies
Executive Director

Head of the government institution or Delegate for section 10 of the Privacy Act

John Davies
Executive Director, NSIRA

Standard or institution-specific personal information bank:

Most standard PIBs apply to NSIRA’s internal services. This PIA also implicates the two former SIRC PIBs (Complaints, SIR PPU 005 and Contracts, SIR PPU 010), as well as the recommendation that a Review-specific PIB is necessary pursuant to paragraph 10(1)(b) of the Privacy Act.

Legislated authority for activity:

NSIRA was established pursuant to section 3 of the National Security and Intelligence Review Agency Act (NSIRA Act), which came into force on July 12, 2019. NSIRA is largely comprised of the main components of the former Security Intelligence Review Committee (SIRC), which had been established pursuant to the Canadian Security Intelligence Service Act, and it also assumed the responsibilities of the former Office of the Communications Security Establishment Commissioner (OCSEC), as established by the National Defence Act.

The transition from the above two organizations to the new NSIRA (with an expanded mandate) is governed by the National Security Act, 2017.

The legal authority for NSIRA’s personal information collection, use and disclosure in accordance with its mandate is derived from its enabling legislation, the NSIRA Act; most notably, section 8.

Summary of the project / initiative / change:

Due to the creation of NSIRA through the transfer of the former SIRC and OCSEC, as well as an expanded mandate, this Privacy Impact Assessment (PIA) was intended as a high-level assessment of the NSIRA as it was developing its procedures and policies, including but not limited to, an overarching privacy policy suite.

The intent of the PIA was to assess any risks or gaps present at the time of the assessment and to ensure proper privacy standards and safeguards are in place or improved upon in a timely manner.

NSIRA’s collection of personal information is integrated into its review process wherein it collects such information from the federal institutions for which it is conducting a review. However, the collection of personal information for reviews is for a non-administrative purpose – NSIRA’s use is to complete a review of the institution only; no decision is made in regard to the individuals whose personal information personnel access.

NSIRA also has a complaints and investigations mandate, which involves the collection of personal information directly from complainants and decisions that directly impact the individual (administrative purpose). At the time of writing of the PIA, that activity was under review and change; therefore, that program was not assessed as part of this PIA. Instead, a subsequent and fulsome PIA on that specific program activity will be performed later in FY 2021-22.

NSIRA’s Secretariat also collects information on its employees in order to perform various employer services such as pay, benefits, and leave, as well as security screening.

This high-level PIA identified ten risks and 18 corresponding recommendations to mitigate those risks. None of the risks were considered High and all mitigation measures will be completed before the end of FY 2021-22.

Risk Area Identification and Categorization

In its Directive on Privacy Impact Assessment, TB has expressed that the PIA must include a completed risk area identification and categorization section, which must be made public. A risk rating must be assigned to each risk area named and described in Appendix C of the TB Directive on Privacy Impact Assessment. The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. For this PIA the risk areas and associated risk levels vary due to the broad scope of the PIA to include HR and security screening, and other internal services, as well as the review function of the NSIRA mandate.

Risk Area Risk Level

Type of Program or Activity

Criminal investigation and enforcement / National Security

Personal information is used for investigations and enforcement in a criminal context (i.e. decisions may lead to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement).


Type of Personal Information Involved and Context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

For example: personal information that reveals intimate details on the health, financial situation, religious or lifestyle choices of the individual and which, by association, reveals similar details about other individuals such as relatives.


Program or Activity Partners and Private Sector Involvement

With other federal institutions and in limited instances – Private sector organizations or international organizations or foreign governments


Duration of the Program or Activity

Long-term program

Existing program that has been modified or is established with no clear “sunset”.


Program Population

The program affects certain individuals for non-administrative purposes, as well as NSIRA employees for internal administrative purposes.


Technology and Privacy

The creation of NSIRA requires the management of new networks to manage the sensitive personal information collected by the Agency under its review mandate, as well as the personal information of Secretariat employees.


Personal Information Transmission

The personal information is transferred to a portable device or is printed.

USB key, diskette, laptop computer, any transfer of the personal information to a different medium.


In the Event of a Privacy Breach, Impact on the Individual

A privacy breach of employee information may cause moderate to significant reputational or financial harm. The amount of sensitive personal details (criminal records, audio files of security interviews) and documents (credit reports) is significant and could, at times, support identity theft. However, the more likely impact is embarrassment and reputational harm. Also, the breach of any vaccination attestation, accommodation, or rapid testing information could cause minor to significant reputational harm to an NSIRA Secretariat employee or GIC Appointee (Executive Director and NSIRA Members).
