Date of Publishing:

List of Acronyms

CBSA	Canada Border Services Agency
CFIA	Canadian Food Inspection Agency
CNSC	Canadian Nuclear Safety Commission
CRA	Canada Revenue Agency
CSE	Communications Security Establishment
CSIS	Canadian Security Intelligence Service
DND/CAF	Department of National Defence/Canadian Armed Forces
FINTRAC	Financial Transactions and Reports Analysis Centre of Canada
GAC	Global Affairs Canada
GC	Government of Canada
IRCC	Immigration, Refugees and Citizenship Canada
NSIRA	National Security and Intelligence Review Agency
PHAC	Public Health Agency of Canada
PS	Public Safety Canada
RCMP	Royal Canadian Mounted Police
SCIDA	Security of Canada Information Disclosure Act
TC	Transport Canada

Glossary of Terms

Contribution test	The first part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (paragraph 5(1)(a)).
Proportionality test	The second part of the two-part threshold that must be met before an institution can make a disclosure under the SCIDA: it must be satisfied that the information will not affect any person’s privacy interest more than reasonably necessary in the circumstances (paragraph 5(1)(b)).

Executive summary

This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it documents the volume and nature of information disclosures made under the SCIDA; assesses compliance with the SCIDA; and highlights patterns in the SCIDA’s use across Government of Canada (GC) institutions and over time.

In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions. The National Security and Intelligence Review Agency (NSIRA) found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of these disclosures. Instances of non-compliance related to subsection 9(3), regarding the timeliness of records copied to NSIRA; subsection 5.1(1), regarding the timeliness of destruction or return of personal information; and subsection 5(2), regarding the provision of a statement on accuracy and reliability. The observed non-compliance did not point to any systemic failures in GC institutions’ implementation of the SCIDA.

NSIRA also made findings in relation to practices that, although compliant with the SCIDA, left room for improvement. These findings related to:

• the use of information sharing arrangements;
• the format of records prepared by institutions and copied to NSIRA, including the characteristics of effective records;
• the nature of information provided under paragraph 9(1)(e) and relied upon in the conduct of assessments under subsection 5(1);
• the provision of statements regarding accuracy and reliability prepared under subsection 5(2); and
• the timeliness of administrative processes supporting information disclosure.

NSIRA made six recommendations designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.

Overall, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. These improvements include corrective actions taken by reviewees in response to NSIRA’s requests for information in support of this review.

1. Introduction

Authority

This review was conducted pursuant to paragraph 8(1)(b) and subsection 39(1) of the National Security and Intelligence Review Agency Act (NSIRA Act).

Scope of the Review

This review provides an overview of the Security of Canada Information Disclosure Act (SCIDA)’s use in 2022. In doing so, it:

1. Documents the volume and nature of information disclosures made under the SCIDA;
2. Assesses Government of Canada (GC) institutions’ compliance with the SCIDA’s requirements for record keeping;
3. Assesses GC institutions’ compliance with the SCIDA’s requirements for disclosure, including the destruction or return of personal information, as appropriate; and
4. Highlights patterns in the SCIDA’s use across GC institutions and over time.

The review’s scope was defined by records provided to NSIRA under the SCIDA, subsection 9(3) (see Annex A for a copy of institutions’ section 9 obligations under the Act). As such, the review’s assessment of compliance was limited to the seven GC institutions identified within these records as either disclosers or recipients (Canada Border Services Agency [CBSA], Communications Security Establishment [CSE], Canadian Security Intelligence Service [CSIS], Department of National Defence/Canadian Armed Forces [DND/CAF], Global Affairs Canada [GAC], Immigration, Refugees and Citizenship Canada [IRCC], and the Royal Canadian Mounted Police [RCMP]); and to instances of information disclosure where the SCIDA was identified by these institutions as an authority for disclosure. The review also included Public Safety Canada (PS) in its capacity as manager of the Strategic Coordination Centre on Information Sharing, which provides SCIDA-related policy guidance and training across the GC. 

The review satisfies the NSIRA Act’s section 39 requirement for NSIRA to report to the Minister of Public Safety on disclosures made under the SCIDA during the previous calendar year.

Methodology

The review’s primary source of information was records provided to NSIRA by disclosing and recipient institutions under the SCIDA, subsection 9(3). NSIRA also identified a targeted sample of disclosures for which it requested and assessed all associated documents provided by both the disclosing and recipient institution. This information was supplemented by a document review of institutions’ SCIDA policies and procedures, and related explanations.

NSIRA assessed administrative compliance with the SCIDA’s record-keeping obligations in relation to all disclosures identified in the records provided to NSIRA under subsection 9(3) (N=173). Where these records were incomplete, NSIRA provided an opportunity for institutions to supply the missing records. NSIRA accounted for such late submissions in its assessment of compliance with subsections 9(1) and 9(2).

NSIRA assessed substantive compliance with the SCIDA’s disclosure requirements in relation to the sample of disclosures (n=19). The sample was designed to reflect a non-representative cross-section of the SCIDA’s use, with particular attention to areas at higher risk of non-compliance. Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to defined parameters (see Annex B, Sample of Disclosures).

Review Statements

NSIRA found that, overall, its expectations for responsiveness by CSE, CSIS, DND/CAF, GAC, IRCC, PS, and RCMP during this review were met. Its expectations for responsiveness by CBSA were partially met, as CBSA required repeated follow-up to provide the requested information.

NSIRA was able to verify information for this review in a manner that met NSIRA’s expectations.

2. Backgrounder

The SCIDA provides an explicit, stand-alone authority to disclose information between GC institutions in order to protect Canada against activities that undermine its security. Its stated purpose is to encourage and facilitate such disclosures.

Section 9 of the SCIDA prescribes record-keeping obligations for all institutions who (1) disclose or (2) receive information under the Act. Each paragraph under subsections 9(1) and 9(2) identifies particular elements that must be set out in the records prepared and kept by each institution (see Annex A). Subsection 9(3) requires that these records be provided to NSIRA within 30 days after the end of each calendar year.

Subsection 5(1) of the SCIDA authorizes GC institutions to disclose information – subject to any prohibitions or restrictions in other legislation or regulations – to designated recipient institutions, if the disclosing institution is satisfied that (a) the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada (the “contribution test”); and (b) the information will not affect any person’s privacy interest more than is reasonably necessary in the circumstances (the “proportionality test”).

Subsection 5(2) requires institutions that disclose information under subsection (1) to, at the time of the disclosure, also provide information regarding its accuracy and the reliability of the manner in which it was obtained.

When a GC institution receives information under the Act, subsection 5.1(1) requires that the institution destroy or return any unnecessary personal information as soon as feasible after receiving it.

The Act’s guiding principles underscore the importance of effectiveness and responsibility across disclosure activities. Of note, subsection 4(c) sets out that information sharing arrangements are appropriate in particular circumstances.

3. Findings, Analysis, and recommendations

Volume and Nature of Disclosures

In 2022, four disclosing institutions made a total of 173 disclosures to five recipient institutions (see Table 1). 79% (n=136) of these disclosures were requested by the recipient institution. The other 21% of disclosures (n=37) were sent proactively by the disclosing institution.

Table 1: Number of SCIDA disclosures made in 2022, by disclosing and recipient institution [all disclosures (proactive disclosures)]

		Designated Recipient Institutions
Disclosing Institution		CBSA	CFIA	CNSC	CRA	CSE	CSIS	DND/CAF	Finance	FINTRAC	GAC	Health	IRCC	PHAC	PSC	RCMP	TC	TOTAL (proactive)
	CBSA	–	–	–	–	–	–	–	–	–	–	–	–	–	–	4 (3)	–	4 (3)
	GAC	–	–	–	–	–	39 (18)	2 (2)	–	–	–	–	–	–	–	12 (12)	–	53 (32)
	IRCC	–	–	–	–	59 (0)	56 (2)	–	–	–	–	–	–	–	–	–	–	115 (2)
	RCMP	–	–	–	–	–	–	–	–	–	–	–	1 (0)	–	–	–	–	1 (0)
	TOTAL (proactive)	–	–	–	–	59 (0)	95 (20)	2 (2)	–	–	–	–	1 (0)	–	–	16 (15)	–	173 (37)

The total number of disclosures made under the SCIDA since its implementation reflects a slight downward trend, with a generally constant proportion of requested versus proactive disclosures for the years in which this data was collected (see Figure 1).

Figure 1: Number of SCIDA disclosures over time

In 2022, these disclosures were made and received by institutions that had each disclosed or received information, as the case may be, in at least two prior review years (see Annex C, Overview of SCIDA Disclosures in Prior Years).

Finding 1: NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.

CSE, CSIS, GAC, and IRCC were the most frequent users of the SCIDA in 2022. The number of disclosures between these institutions was comparable to those observed by NSIRA in prior years (see Annex C), indicating the occurrence of regular exchange over time.

NSIRA also observed regular patterns in the purpose and nature of the information exchanged between these institutions in 2022, as described in Table 2. These information exchanges were not governed by up-to-date information sharing arrangements.

Table 2: Nature of disclosures between the SCIDA’s most frequent users

GAC-to-CSIS (N=39)	IRCC-to-CSIS (N=56)	IRCC-to-CSE (N=59)
GAC information holdings relevant to threats to the security of Canada Often (85%) made in direct response, or as a follow-up, to CSIS requests	IRCC information holdings relevant to threats to the security of Canada Almost always (96%) made in response to CSIS requests	IRCC confirmation of Canadian status of named individuals of interest, required to ensure lawfulness of CSE operational activities All (100%) made in response to CSE requests

NSIRA has previously recommended that information sharing arrangements be updated (for GAC and CSIS) or created (for IRCC and CSE) to govern certain information exchanges made under the SCIDA.

Recommendation 1: NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.

Record Keeping

Copy to NSIRA: Subsection 9(3)

Finding 2: NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.

Requests for information from NSIRA during the course of this review prompted the late production of additional records relating to paragraphs under subsections 9(1) or 9(2) from each of CBSA, DND/CAF, and IRCC (see Table 3).

Table 3: Number [and associated subsection 9(1) or 9(2) paragraph] of late records leading to non-compliance with subsection 9(3), by cause

	Administrative Error	Delayed Preparation of Records
CBSA	2 [paragraph 9(1)(e)]	–
DND/CAF	–	2 [paragraphs 9(2)(e-g)]
IRCC	6 [paragraph 9(1)(e)]	1 [paragraphs 9(2)(e-g)]

CBSA and IRCC were non-compliant with subsection 9(3) due to administrative error; the records they eventually supplied had existed at the time of the reporting deadline, but were not copied to NSIRA as required.

NSIRA expected that all records would be prepared within 30 days after the end of the calendar year, in order to meet the subsection 9(3) requirement to provide a copy of those records to NSIRA within that timeframe.

DND/CAF and IRCC were non-compliant with subsection 9(3) on account of delayed preparation of records; they did not prepare the records referred to in Table 3 within 30 days after the end of the calendar year, and therefore did not provide a copy of them to NSIRA within the legislated timeframe.

NSIRA underscores the importance of administrative precision and timeliness in preparing records and copying them to NSIRA.

Format of Records

Finding 3: NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:

• a row for each disclosure made or received;
• columns explicitly tied to each individual paragraph under section 9; and
• additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.

The SCIDA does not specify a format for records prepared under section 9. Accordingly, in 2022, GC institutions fulfilled their record-keeping obligations in different ways.

Most institutions provided NSIRA with an overview of each disclosure made or received. These overviews were submitted to NSIRA as spreadsheets that generally captured the information required in records under subsections 9(1) and 9(2).

Most institutions also provided NSIRA with a copy of the disclosure itself and a selection of related documents. These documents often included email consultations with legal services, disclosure request letters, and other correspondence between disclosing and recipient institutions. The scope of requests for information in the course of the review was minimized in cases where institutions provided such documents.

DND/CAF and IRCC (for its one disclosure receipt) were the only institutions that originally provided NSIRA with a copy of the raw disclosure, including transmittal details, in the absence of a record overview or other related documents.

NSIRA observed that DND/CAF and IRCC’s choice in records format for these disclosures contributed to their non-compliance with subsection 9(3), described in Table 3. The information elicited under paragraphs 9(2)(e-g) cannot by definition be found within a copy of the disclosure itself, as it relates to action taken by recipient institutions following the disclosure’s receipt. A copy of the disclosure on its own is therefore insufficient to comply with all requirements under subsection 9(2).

Both DND/CAF and IRCC were infrequent recipients of disclosures under the SCIDA in 2022, accounting for only two and one disclosures, respectively. Each of the more frequent recipients of information (CSE, CSIS, and RCMP) included express columns in their record overview spreadsheets to capture whether and, if applicable, when personal information was destroyed or returned, per the requirements of paragraphs 9(2)(e-g).

NSIRA also observed that CBSA and IRCC’s choice in records format contributed to their non-compliance with subsection 9(3) due to administrative error. These institutions did not account for the full scope of information required under paragraph 9(1)(e) in their record overview spreadsheets.

The information relied upon to satisfy the disclosing institution that a disclosure is authorized under the Act is not required to be conveyed within the disclosure itself. Completing an appropriately-specified record overview spreadsheet is therefore an effective way to ensure that the corresponding information is documented and conveyed to NSIRA ahead of the legislated deadline.

The RCMP’s record overview spreadsheet was particularly effective in demonstrating compliance with the Act. The spreadsheet included columns that were explicitly tied to individual paragraphs under section 9, with additional fields limited to RCMP administrative information such as file and database reference numbers.

Spreadsheets designed in this way enable institutions’ efficient self-assessment against the requirements of the Act. They also facilitate the task of review by clearly matching the information provided with its corresponding requirement under the SCIDA, and by organizing disclosures and receipts of information in a manner that supports cross-verification.

Recommendation 2: NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.

Preparing and Keeping Records: Subsections 9(1) and 9(2)

Finding 4: NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.

Finding 5: NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.

Although NSIRA expected an express statement describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA, in this review, NSIRA considered any records that demonstrated the corresponding assessment had been conducted.

IRCC n’a pas fait de déclaration expresse précisant que les communications demandées par le SCRS, qui représentent 57 % (n=54) de l’ensemble de ses communications, lui semblaient satisfaisantes du point de vue du critère de proportionnalité. En revanche, IRCC a fourni des copies des lettres de demande et de l’information communiquée en guise de réponse, ce qui confirme que la communication était manifestement conforme aux besoins précis de la demande (et donc témoigne d’une évaluation de la proportionnalité).

L’ASFC n’a pas fourni de déclaration expresse concernant sa satisfaction au regard du critère de proportionnalité pour 75 % (n=3) de ses communications. Elle a plutôt démontré qu’elle tenait compte du principe de proportionnalité en fournissant divers documents justificatifs, y compris de la correspondance interne.

La feuille de calcul utilisée par AMC pour donner une vue d’ensemble de ses documents a été particulièrement efficace pour répondre aux exigences de l’alinéa 9(1)e). L’analyse détaillée qu’elle a consignée en ce qui concerne les critères de contribution et de proportionnalité lui a permis de remplir ses obligations en matière de conservation des dossiers et de démontrer qu’elle respectait en substance le paragraphe 5(1).

Recommendation 3: NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.

Disclosure of Information

Contribution and Proportionality Tests: Paragraphs 5(1)(a) and 5(1)(b)

Finding 6: NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.

Finding 7: NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.

The threshold for compliance with subsection 5(1) is that the disclosing institution has satisfied itself of the contribution and proportionality tests, and that it has done so prior to having made the disclosure.

In relation to the two disclosures that it made proactively to DND/CAF, GAC provided a rationale for the information’s contribution to DND/CAF’s mandate in respect of national security. Upon receipt of the information, however, DND/CAF did not agree with GAC’s assessment and therefore assessed that the SCIDA was not an appropriate disclosure mechanism in the circumstances.

Informal communication between the two institutions may have allowed DND/CAF and GAC to resolve this issue prior to the disclosure. When such communications occur, it is important that they be limited to the information necessary to confirm that the information contributes to the recipient’s mandate in respect of activities that undermine the security of Canada.

Recommendation 4: NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).

Statement Regarding Accuracy and Reliability: Subsection 5(2)

Finding 8: NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.

Finding 9: NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.

Providing the statement on accuracy and reliability in a cover letter for the disclosure satisfies the Act’s requirement to provide the statement at the time of disclosure. However, separating the statement from the information disclosed increases the risk that the information may be subsequently used without awareness of relevant qualifiers. The location of the statement on accuracy and reliability – and not just its contemporaneous provision to the recipient – is therefore relevant to its value added.

Recommendation 5: NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.

Requirement to Destroy or Return Personal Information: Subsection 5.1(1)

Finding 10: NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”

DND/CAF determined, upon receipt of the two disclosures it received from GAC, that the personal information contained within the disclosures should not be retained. The information, however, was not destroyed until April 2023 – 12 days following a request for information from NSIRA to provide a copy of records that set out whether and when the information had been destroyed or returned. The date of destruction was 299 and 336 days following DND/CAF’s receipt of each disclosure.

Taking into consideration the elapsed time between receipt of the information and its destruction, as well as DND/CAF’s timely conclusion that the information should not be retained, DND/CAF’s ultimate destruction of the information was non-compliant with the requirement to destroy the information “as soon as feasible after receiving it.” Its delay in this respect was also inconsistent with the responsible use and management of the information.

DND/CAF was the only institution to identify any disclosures as containing information that was destroyed or returned under subsection 5.1(1) in 2022. NSIRA did not identify any other disclosures within the sample for which personal information disclosed should have been destroyed or returned.

Purpose and Principles: Effective and responsible disclosure of information

Finding 11: NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.

These 34 disclosures include 29 for which there was a delay between the dates provided by disclosing and recipient institutions in their section 9 records, as well as an additional five for which CSIS reported both the date of administrative receipt within the institution and the subsequent date of receipt by the person designated by the head to receive it (i.e., the relevant operational unit).

NSIRA attributes most of these delays to expected dynamics in classified information sharing: the individual authorizing the disclosure is not always the same individual who administratively sends it to the recipient, and the person who administratively receives the disclosure is not always the same person who is designated by the head to receive it.

In the majority of cases, the observed delays were shorter than one week. In nine cases, however, the delay ranged from 30 to 233 days.

Such delays mean that information is not processed and actioned within the recipient institution until long after it was sent – or intended to be sent – by the individual authorizing the disclosure. While these delays do not amount to non-compliance with the SCIDA, they are inconsistent with the Act’s purpose and guiding principles.

Recommendation 6: NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.

4. Conclusion

The SCIDA’s requirements for disclosure and record keeping apply to both disclosing and recipient institutions in all cases where the SCIDA is invoked as a mechanism for disclosure. This review assessed GC institutions’ compliance with requirements for record keeping in respect of all 173 disclosures that were made and received in 2022. It assessed their compliance with requirements for disclosure in relation to a targeted sample of 19 disclosures.

NSIRA found that institutions complied with the SCIDA’s requirements for disclosure and record keeping in relation to the majority of disclosures. GC institutions’ non-compliance with subsection 9(3) was driven by irregularities in the reporting of 11 disclosures. Observed non-compliance with substantive requirements under subsection 5(2) related to three disclosures; and non-compliance with subsection 5.1(1) related to two disclosures. These instances of non-compliance do not point to any systemic failures in GC institutions’ implementation of the SCIDA.

Within this context, NSIRA observed improvements in reviewee performance as compared with findings from prior years’ reports and over the course of the review. Of note, NSIRA’s requests for information in support of this review prompted corrective action by CBSA, DND/CAF, and IRCC that would have otherwise amounted to non-compliance with requirements under section 9.

NSIRA also observed several practices that, although compliant with the SCIDA, leave room for improvement. NSIRA’s recommendations in this review are designed to increase standardization across the GC in a manner that is consistent with institutions’ demonstrated best practices and the SCIDA’s guiding principles.

Annex A. Record Keeping Obligations for Disclosing and Recipient Institutions

Obligation – disclosing institution	Obligation — recipient institution
9 (1) Every Government of Canada institution that discloses information under this Act must prepare and keep records that set out	(2) Every Government of Canada institution that receives information under this Act must prepare and keep records that set out
(a) a description of the information;	(a) a description of the information;
(b) the name of the individual who authorized its disclosure;	(b) the name of the institution that disclosed it;
(c) the name of the recipient Government of Canada institution;	(c) the name or position of the head of the recipient institution — or of the person designated by the head — who received the information;
(d) the date on which it was disclosed;	(d) the date on which it was received by the recipient institution;
(e) a description of the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under this Act; and	(e) whether the information has been destroyed or returned under subsection 5.1(1); (f) if the information has been destroyed under subsection 5.1(1), the date on which it was destroyed; (g) if the information was returned under subsection 5.1(1) to the institution that disclosed it, the date on which it was returned; and
(f) any other information specified by the regulations.	(h) any other information specified by the regulations.

Copy to National Security and Intelligence Review Agency

Within 30 days after the end of each calendar year, every Government of Canada institution that disclosed information under section 5 during the year and every Government of Canada institution that received such information must provide the National Security and Intelligence Review Agency with a copy of every record it prepared under subsection (1) or (2), as the case may be, with respect to the information.

Annex B. Sample of Disclosures

Disclosures were selected for the sample based on the content of records provided to NSIRA under subsection 9(3), according to the following parameters:

• At least two disclosures per discloser-recipient pair, if available;
• At least one proactive disclosure per discloser, if available;
• At least one requested disclosure per recipient, if available;
• All disclosures identified by recipient institutions as including personal information that was destroyed or returned under the SCIDA, subsection 5.1(1);
• All disclosures for which there is a high-level discrepancy in the discloser and recipient records (i.e., a record of receipt, but no record of disclosure; a substantive misalignment in the description of the information; greater than seven days’ discrepancy in the date sent and received; date of receipt earlier than the date of sending);
• All disclosures made by an institution that is not listed in Schedule 3 of the SCIDA; and
• All disclosures received by institutions added to Schedule 3 in the preceding year.

Annex C. Overview of SCIDA Disclosures in Prior Years

Drawing on information published in previous NSIRA reports, Table 5 summarizes the number and distribution of disclosures made under the SCIDA in prior years.

Table 5: Number of SCIDA disclosures, by disclosing and recipient institution, 2019-2021

		Designated Recipient Institutions
	Disclosing Institution	CBSA	CFIA	CNSC	CRA	CSE	CSIS	DND/CAF	Finance	FINTRAC	GAC	Health	IRCC	PHAC	PSC	RCMP	TC	TOTAL (proactive)
2021	DND/CAF	–	–	–	–	–	2	–	–	–	–	–	–	–	–	–	–	2
	GAC	–	–	–	–	–	41	–	–	–	–	–	1	–	–	2	–	44
	IRCC	–	–	–	–	68	79	–	–	–	2	–	–	–	–	–	–	149
	TOTAL	–	–	–	–	68	122	–	–	–	2	–	1	–	–	2	–	195
2020	CBSA	–	–	–	–	–	1	–	–	–	–	–	–	–	–	3	–	4
	GAC	–	–	–	–	1	25	–	–	–	–	–	1	–	–	13	–	40
	IRCC	–	–	–	–	60	61	–	–	–	–	–	–	–	–	37	1	159
	RCMP	–	–	–	–	–	–	1	–	–	3	–	5	–	–	–	–	9
	TC	–	–	–	–	–	–	–	–	–	–	–	–	–	–	2	–	2
	Other	–	–	–	–	–	1	–	–	–	–	–	–	–	–	–	–	1
	TOTAL	–	–	–	–	61	88	1	–	–	3	–	6	–	–	55	1	215
2019	CBSA	–	–	–	–	–	1	–	–	–	–	–	–	–	–	2	–	3
	GAC	–	–	–	–	–	23	–	–	–	–	–	3	–	1	15	–	42
	IRCC	–	–	–	–	5	17	1	–	–	–	–	–	–	–	36	–	59
	RCMP	–	–	–	4	–	–	–	–	1	3	–	1	–	–	–	–	9
	TC	–	–	–	–	–	–	–	–	–	–	–	–	–	–	1	–	1
	TOTAL	–	–	–	4	5	41	1	–	1	3	–	4	–	1	54	–	114

Annex D. Findings and Recommendations

Findings

NSIRA found that CSE, CSIS, GAC, and IRCC regularly use the SCIDA in a manner that warrants information sharing arrangements, as encouraged by subsection 4(c) of the SCIDA.

NSIRA found that CBSA, DND/CAF, and IRCC were non-compliant with subsection 9(3) of the SCIDA, as they failed to provide all records created under subsections 9(1) or 9(2) to NSIRA within the legislated timeframe.

NSIRA found improved compliance outcomes in instances where departments prepared record overview spreadsheets under subsections 9(1) and 9(2) of the SCIDA that displayed the following characteristics:

• a row for each disclosure made or received;
• columns explicitly tied to each individual paragraph under section 9; and
• additional columns to capture relevant administrative details, such as whether the disclosure was requested or proactive; the date of the request (if applicable); and any applicable file reference numbers.

NSIRA found that all GC institutions complied with their obligation to prepare and keep records that set out the information prescribed under subsections 9(1) and 9(2) of the SCIDA.

NSIRA found that more than half of the descriptions provided by CBSA and IRCC under paragraph 9(1)(e) of the SCIDA did not explicitly address their satisfaction that the disclosure was authorized under paragraph 5(1)(b), the proportionality test.

NSIRA found, within the sample of disclosures reviewed, that disclosing institutions demonstrated they had satisfied themselves of both the contribution and proportionality tests, in compliance with subsection 5(1) of the SCIDA.

NSIRA found that GAC satisfied itself under the SCIDA’s paragraph 5(1)(a) contribution test based on an incorrect understanding of the recipient’s national security mandate in two cases.

NSIRA found, within the sample of disclosures reviewed, that CBSA and GAC (in one and two disclosures, respectively) were non-compliant with the SCIDA’s subsection 5(2) requirement to provide a statement regarding accuracy and reliability.

NSIRA found, in relation to the remaining disclosures within the sample, that GAC, IRCC, and RCMP included their statements regarding accuracy and reliability within the disclosures themselves, whereas CBSA provided its statements in the disclosures’ cover letters.

NSIRA found that DND/CAF destroyed information under the SCIDA subsection 5.1(1), but they were non-compliant with the requirement to do so “as soon as feasible after receiving it.”

NSIRA found delays between when a disclosure was authorized for sending and when it was received by the individual designated by the head of the recipient institution to receive it in at least 20% (n=34) of disclosures.

Recommendations

1. NSIRA recommends that information sharing arrangements be used to govern regular SCIDA disclosures between GAC and CSIS; IRCC and CSIS; as well as IRCC and CSE.
2. NSIRA recommends that all GC institutions prepare record overviews to clearly address the requirements of subsections 9(1) and 9(2) of the SCIDA; and provide them to NSIRA along with a copy of the disclosure itself and, where relevant, a copy of the request.
3. NSIRA recommends that disclosing institutions explicitly address the requirements of both paragraphs 5(1)(a) and 5(1)(b) in the records that they prepare under paragraph 9(1)(e) of the SCIDA.
4. NSIRA recommends that GC institutions contemplating the use of proactive disclosures under the SCIDA communicate with the recipient institution, ahead of making the disclosure, to inform their assessments under subsection 5(1).
5. NSIRA recommends that all disclosing institutions include statements regarding accuracy and reliability within the same document as the disclosed information.
6. NSIRA recommends that GC institutions review their administrative processes for sending and receiving disclosures under the SCIDA, and correct practices that cause delays.