Government of Canada Response to the Recommendations of the NSIRA Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act (“SCIDA”) in 2022
|1. NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.
|Finding no. 1: CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.
The Government of Canada recognizes the value of using information sharing arrangements to facilitate the effective and responsible sharing of information between federal institutions that frequently disclose information of a similar nature under the SCIDA. In response to this recommendation, and in consultation with the designated recipient institutions under the SCIDA, Public Safety Canada has developed an information sharing agreement template.
The template has been reviewed by the Office of the Privacy Commissioner of Canada and specifically assessed against the SCIDA, the Privacy Act, the 10 fair information principles of the Canadian Standards Association Model Code for the Protection of Personal Information (the Model Code), applicable Treasury Board of Canada Secretariat (TBS) policies, directives and guidelines, and internationally recognized best practices.
Public Safety Canada has disseminated this template to federal institutions, including those named in NSIRA’s findings and recommendations, so that they may adapt it to their unique operating environments and the types of information that they frequently disclose and receive, while continuing to respect the Charter, the Privacy Act, the SCIDA, as well as other relevant policies, legislation and regulation.
In addition, several departments and agencies have already entered into information sharing agreements to facilitate the disclosure of information under the SCIDA. For example, CSIS and GAC entered into an information sharing agreement in 2016 under the SCISA (the precursor to the SCIDA). The agreement outlines the types of information that GAC may share with CSIS. While it is still in effect, it is currently being reviewed to ensure the scope remains current. CSIS and IRCC are currently holding preliminary discussions to establish an information sharing agreement to address disclosures under SCIDA. IRCC and CSE also recently signed an information sharing agreement, as recommended in the 2020 SCIDA Annual Report.
2. NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
Finding no. 2: CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.
Finding no. 3: Improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:
The Government of Canada recognizes the importance of keeping records of SCIDA disclosures and receipts, as required under the Act.
Public Safety Canada assists partners in adopting best practices that facilitate ease-of-review and improve compliance. Government of Canada partners implement Public Safety Canada’s guidance in a manner that complies with the SCIDA and works best with their unique mandates and internal procedures.
In March 2023, the Step-by-Step SCIDA Guide 2022 (“SCIDA Guide 2022”) was updated and published on Public Safety Canada’s public-facing webpage. The SCIDA Guide 2022 includes templates that support federal institutions with their record-keeping requirements. Public Safety Canada will continue to review and update existing SCIDA resources, including advice pertaining to record keeping. Public Safety Canada has also circulated a record overview template that NSIRA found particularly effective during the course of its 2022 review.
In addition, CSIS has developed clear policy and subsequent guidelines on how to handle and document information disclosures in line with the SCIDA, including a requirement to maintain a record overview along with an associated template. This template has been adjusted for clarity based on feedback from NSIRA’s 2022 review. The CBSA and IRCC have also reviewed their current operational and reporting practices with regards to SCIDA and are making the necessary functional adjustments to ensure that they remain compliant in future information sharing activities.
3. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
Finding no. 5: More than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.
Finding no. 6: within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.
The Government of Canada recognizes the importance of the SCIDA’s contribution and proportionality tests in 5(1)(a) and 5(1)(b), respectively. It also recognizes the need for disclosing institutions to demonstrate their satisfaction that these two tests are met for each disclosure by providing NSIRA with a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.
Through the publication of the SCIDA Guide 2022 and the delivery of training sessions, Public Safety Canada has provided guidance to federal institutions on ensuring that the contribution and proportionality thresholds are met when disclosing information under the SCIDA.
Recently, IRCC has added a new “Proportionality” section to their SCIDA template to require that the delegated official documents their satisfaction that the disclosure is authorized under paragraph 5(1)(b) before disclosing personal information to a recipient institution.
In addition to disclosing institutions having to satisfy the contribution and proportionality tests, CSIS independently assesses its authority to collect and retain the disclosure under the CSIS Act as a recipient institution. This includes an obligation for CSIS to ensure that the collection and retention of a SCIDA disclosure is compliant with all relevant legislation, including the Avoiding Complicity in Mistreatment by Foreign Entities Act. The SCIDA procedure published in 2022 includes direction on processing disclosures that do not meet CSIS’ threshold for collection, ensuring that the disclosure is appropriately documented and destroyed.
|4. NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).
|Finding no. 7: GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.
The Government of Canada recognizes the value of general informal discussions ahead of SCIDA disclosures.
The SCIDA Guide 2022 emphasizes the importance of preliminary, high-level consultations between disclosing and recipient institutions prior to a disclosure in a manner that does not itself constitute a disclosure. The guidance specifies that informal communication should only include enough general information to ensure that the SCIDA contribution and proportionality thresholds are met before making a disclosure.
Annex F of the SCIDA Guide 2022 outlines the national security mandates of the designated recipient institutions under SCIDA. Public Safety Canada endeavours to keep the mandates updated to aid disclosing institutions in making their assessment required under subsection 5(1).
5. NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
Finding no. 8: Within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.
Finding no. 9: In relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statement in the disclosures’ cover letters.
The Government of Canada notes that providing statements on the accuracy and reliability of the manner in which information was obtained in a cover letter or in the disclosure itself both satisfy the legislated requirement under subsection 5(2) for disclosing institutions to provide such a statement.
The Government of Canada recognizes the additional value of including the statements in the actual disclosure, especially in the event of onward disclosure. Public Safety Canada will update its guidance to reflect this best practice.
6. NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.
Finding no. 10: DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”
Finding no. 11: Delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.
The Government of Canada recognizes the need to destroy unnecessary information as soon as feasible under the SCIDA, as well as the value of timely disclosures.
Government of Canada institutions each have their own systems, standards and procedures for physically and/or electronically sending and receiving information. Departments and agencies will work to review their own processes to ensure information is handled efficiently and appropriately in compliance with the SCIDA and other legislation.