Backgrounder
Early after its inception, the National Security and Intelligence Review Agency (NSIRA) conducted a review of how the Communications Security Establishment (CSE) shares Canadian Identifying Information (CII), such as names, email addresses, and IP addresses. This review focused on disclosures made to other Government of Canada departments. After many efforts to produce a declassified version of the report, NSIRA is now able to publish this review’s final report in redacted form.
When CSE gathers foreign signals intelligence, it removes any identifying information about Canadians and persons in Canada from its reports to protect privacy. However, government departments or foreign partners can request this information if they have legal authority and a valid operational reason.
NSIRA examined a sample of these disclosures made between July 1, 2015, and July 31, 2019. This included cases where CSE was assisting the Canadian Security Intelligence Service’s (CSIS) foreign intelligence collection under section 16 of the CSIS Act.
NSIRA found, based on the sample of disclosures it examined, that while CSE approved 99% of requests for CII disclosure from its domestic partners, 28% of all requests were not sufficiently justified to warrant the release of CII. NSIRA concluded that CSE’s implementation of the CII disclosure regime lacked rigour, and may not have complied with its responsibilities under the Privacy Act. As a result, NSIRA issued a compliance report under section 35 of the NSIRA Act.
NSIRA also found that CSE’s releases of CII collected under section 16 of the CSIS Act were conducted in a manner that was unlikely to have been communicated to the Federal Court by CSIS. CSIS had provided the Federal Court with testimony about its treatment of information about Canadians collected through section 16 of the CSIS Act. Yet, when NSIRA compared this testimony with how CSE handled information about Canadians collected when assisting CSIS in relation to section 16, NSIRA found notable discrepancies in the standards communicated to the Federal Court. CSIS was not involved in assessing or releasing the disclosures about which NSIRA had concerns; these disclosures were handled solely by CSE.
The report contains 11 recommendations, primarily focused on enhancing the rigour of CSE’s CII disclosure regime, including with respect to CII collected under section 16 of the CSIS Act.