- Executive Summary
- Introduction
- Background
- Findings, Analysis, and Recommendations
- Compliance with the ACA
- Implementation of the Directions
- Decisions on Substantial Risk of Mistreatment
- Discrepant applications of the threshold for SRM
- Incorporating mitigations into baseline assessments of risk, while overestimating their effects
- Lack of checks and balances in the risk assessment process
- Conclusion
- Appendices
Date of Publishing:
| Abbreviation | Full Form |
|---|---|
| ACA | Avoiding Complicity in Mistreatment by Foreign Entities Act |
| CBSA | Canada Border Services Agency |
| CRA | Canada Revenue Agency |
| CSE | Communications Security Establishment |
| CSIS | Canadian Security Intelligence Service |
| DFO | Department of Fisheries and Oceans |
| DND/CAF | Department of National Defence/Canadian Armed Forces |
| FINTRAC | Financial Transactions and Reports Analysis Centre of Canada |
| GAC | Global Affairs Canada |
| GC | Government of Canada |
| HRR | Human Rights Report |
| IRCC | Immigration, Refugees and Citizenship Canada |
| ISCG | Information Sharing Coordination Group |
| MD | Ministerial Direction |
| NSIRA | National Security and Intelligence Review Agency |
| OiC | Order in Council |
| PS | Public Safety Canada |
| RCMP | Royal Canadian Mounted Police |
| SRM | Substantial risk of mistreatment |
| TC | Transport Canada |
| Abréviation | Forme complète |
|---|---|
| AMC | Affaires mondiales Canada |
| ARC | Agence du revenu du Canada |
| ASFC | Agence des services frontaliers du Canada |
| CANAFE | Centre d’analyse des opérations et déclarations financières du Canada |
| CST | Centre de la sécurité des télécommunications |
| OC | Décret en conseil |
| GC | Gouvernement du Canada |
| GCER | Groupe de coordination d’échange de renseignements |
| GRC | Gendarmerie royale du Canada |
| IM | Instructions du ministre |
| IRCC | Immigration, Réfugiés et Citoyenneté Canada |
| LECCMTIEE | Loi visant à éviter la complicité dans les cas de mauvais traitements infligés par des entités étrangères |
| MON/FAC | Ministère de la Défense nationale/Forces armées canadiennes |
| MPO | Ministère des Pêches et des Océans |
| OSSNR | Office de surveillance des activités en matière de sécurité nationale et de renseignement |
| RDP | Rapport sur les droits de la personne |
| RSMT | Risque sérieux de mauvais traitements |
| SCRS | Service canadien du renseignement de sécurité |
| SP | Sécurité publique Canada |
| TC | Transports Canada |
| Term | Definition |
|---|---|
| 2017 MDs | Ministerial Directions (MDs) issued to CBSA, CSIS, CSE, DND/CAF, GAC, and RCMP in 2017 regarding avoiding complicity in mistreatment by foreign entities. |
| departments | Refers, in the context of this review, to those departments and agencies whose deputy heads have been issued written directions under the ACA. |
| foreign entities | As defined in the 2017 MDs: “may include foreign governments, their departments, agencies and militaries, and may also refer to military coalitions, alliances, and international organizations.” |
| mistreatment | As defined in section 2 of the ACA: “torture or other cruel, inhuman or degrading treatment or punishment, within the meaning of the Convention Against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, signed at New York on December 10, 1984 (mauvais traitements).” |
| policy | Frameworks, policies, directives, standards, guidelines, and tools developed to, in the context of this review, govern departments’ implementation of the ACA. |
| instruments | Developed to, in the context of this review, govern departments’ implementation of the ACA. |
| residual risk | The level of risk that remains in a given context after mitigations are applied. |
| substantial risk | As defined in the 2017 MDs: “A personal, present, and foreseeable risk of mistreatment. In order to be ‘substantial’, the risk must be real and must be based on something more than mere theory or speculation. In most cases, the test of a substantial risk of mistreatment will be satisfied when it is more likely than not that there will be mistreatment; however, in some cases, particularly where the risk is of severe harm, the ‘substantial risk’ standard may be satisfied at a lower level of probability.” |
| untreated risk | The level of risk in a given context before any mitigations are applied. |
| Terme | Définition |
|---|---|
| Entités | Terme employé dans les IM de 2017 pour désigner « les gouvernements étrangers, leurs ministères et organismes, et leurs forces militaires. Il peut aussi s’appliquer à des coalitions militaires, à des alliances et à des organisations internationales. » |
| IM de 2017 | Instructions du ministre (IM) émises en 2017 à l’intention de l’ASFC, du SCRS, du CST, du MON/FAC, d’AMC et de la GRC visant à éviter la complicité dans les cas de mauvais traitements infligés par des entités étrangères. |
| Instruments de politique | Cadres de travail, politiques, directives, normes, lignes directrices et outils conçus pour encadrer la mise en œuvre de la LECCMTIEE par divers ministères. |
| Mauvais traitements | Terme défini à l’article 2 de la LECCMTIEE : « [t]orture ou autres peines ou traitements cruels, inhumains ou dégradants », selon la Convention contre la torture (1984). |
| Risque non atténué | Terme désignant le niveau de risque qui existe avant l’application de mesures d’atténuation. |
| Risque résiduel | Terme désignant le niveau de risque qui persiste après l’application de mesures d’atténuation. |
| Risque sérieux | Terme employé dans les IM de 2017 pour désigner « un risque personnel, sérieux, présent et prévisible de mauvais traitements. Pour être “sérieux”, le risque doit être réel et reposer sur plus que des spéculations. Dans la plupart des cas, le critère sera satisfait lorsque le risque de mauvais traitements est plus probable qu’improbable. » |
Executive Summary
This review assessed departments’ compliance with the Avoiding Complicity in Mistreatment by Foreign Entities Act (or Avoiding Complicity Act; ACA) and their implementation of the ACA’s associated directions during the 2022 calendar year. Within this context, the review pursued a thematic focus on departments’ conduct of risk assessments, including the ways in which their methodologies may lead to a systematic under-assessment of the level of risk involved in an information-sharing transaction.
NSIRA’s findings and recommendations in this report reflect both developments and stagnations in departments’ implementation of the directions over time. Of note, NSIRA observed efforts in 2022 to collaborate interdepartmentally, and standardize certain practices across the Government of Canada. While these efforts reflect an improvement over past approaches, they fall short of the directions’ envisioned consistent framework for foreign information sharing government-wide. Additionally, NSIRA observed a number of practices that may lead departments to systematically under-assess the risks involved in contemplated information exchanges. Such under-assessments may, in turn, lead to information being exchanged in contravention of the directions’ prohibitions.
NSIRA made five recommendations in this review. Collectively, they would ensure that all departments’ ACA frameworks reflect a degree of standardization commensurate with the spirit of the ACA and its associated directions; and that these frameworks are designed to support compliance with the directions.
Introduction
Authority
This review was conducted pursuant to paragraph 8(1 )(b), paragraph 8(2.1 )(c), and subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act).
Scope of the Review
This review assessed departments’ compliance with the Avoiding Complicity in Mistreatment by Foreign Entities Act (or Avoiding Complicity Act; ACA) and their implementation of the ACA’s associated directions during the 2022 calendar year. Within this context, the review pursued a thematic focus on departments’ conduct of risk assessments, including the ways in which their methodologies may lead to a systematic under-assessment of the level of risk involved in an information-sharing transaction.
The review included all departments that have been issued directions under the ACA: Canada Border Services Agency (CBSA); Canada Revenue Agency (CRA); Communications Security Establishment (CSE); Canadian Security Intelligence Service (CSIS); Department of Fisheries and Oceans (DFO); Department of National Defence and Canadian Armed Forces (DND/CAF); Financial Transactions and Reports Analysis Centre of Canada (FINTRAC); Global Affairs Canada (GAC); Immigration, Refugees and Citizenship Canada (IRCC); Public Safety Canada (PS); Royal Canadian Mounted Police (RCMP); and Transport Canada (TC).
The review also considered DND/CAF’s implementation of Ministerial Direction (MD) it received in 2022 regarding avoiding complicity in mistreatment by foreign entities.
Methodology
NSIRA conducted a document review of departments’ ACA policy instruments, and departments’ associated written explanations, provided in response to requests for information. NSIRA also conducted a comparative analysis of a targeted sample of departmental risk assessments pertaining to 19 countries, and to the foreign entities within those countries for which such assessments existed. NSIRA assessed compliance with reporting requirements based on primary records made public or submitted to NSIRA in accordance with the ACA and its directions.
Review Statements
CBSA, CRA, DFO, DND/CAF, FINTRAC, IRCC, PS, RCMP, and TC met NSIRA’s expectations for responsiveness during this review. CSE, CSIS, and GAC only partially met NSIRA’s expectations, as CSE did not consistently respond to NSIRA’s requests for information in a format that met the review’s requirements; and CSIS and GAC did not consistently respond to NSIRA’s requests in a timely manner
NSIRA was able to verify information for this review in a manner that met expectations.
NSIRA wishes to thank PS for its assistance in coordinating the factual accuracy consultations for this review.
Background
The ACA and the directions issued pursuant to it seek to prevent the Government of Canada (GC) from disclosing information to—or requesting information from—a foreign entity that would result in substantial risk of mistreatment (SRM) of an individual, and to set limitations on the use of information that is likely to have been obtained through mistreatment. The objective of the directions is to demonstrate the Government’s commitment to make Canada’s information sharing regime more transparent, consistent, and accountable; and to enhance oversight on a government-wide basis.
In 2019, directions were issued pursuant to the ACA, by Order in Council (OiC), to the deputy heads of twelve departments and agencies. For CBSA, CSE, CSIS, DND/CAF, GAC, and RCMP, the OiC directions replaced MDs that had been issued in 2017. In adding CRA, DFO, FINTRAC, IRCC, PS, and TC as recipients, the OiC directions broadened the application of measures to prevent mistreatment.
NSIRA has previously reviewed departments’ implementation of the 2017 MDs and, as required under the NSIRA Act, implementation of the OiC directions in every year since the ACA’s coming into force. This is NSIRA’s fourth such annual review.
Findings, Analysis, and Recommendations
Compliance with the ACA
Finding 1. NSIRA found that all departments, with the exception of DFO in respect of subsection 7(1), complied with the reporting requirements set out in the ACA.
Subsection 7(1) of the ACA requires deputy heads to submit, before March 1 of each year, a report to their Minister in respect of the directions’ implementation during the previous calendar year. DFO submitted its report to the Minister of Fisheries, Oceans, and the Canadian Coast Guard on April 12, 2023, which was 42 days following the legislated deadline.
Sections 5 through 8 of the ACA set out additional reporting requirements with which all deputy heads and Ministers complied.
Implementation of the Directions
Finding 2. NSIRA found that all departments had frameworks to govern their implementation of the ACA and its associated directions by the end of 2022.
NSIRA’s ACA review for 2021 found that all departments, with the exception of CBSA and PS, had fully implemented ACA governance frameworks. Both CBSA and PS implemented such frameworks in the course of this year’s review. Their policies came into effect on September 1, 2022 and January 1, 2022, respectively.
Finding 3. NSIRA found that most departments demonstrated continual refinements of their ACA frameworks based on self-identified gaps, NSIRA recommendations, and community-wide coordination efforts.
In 2022, most departments focused their refinement efforts on codifying existing practices in formal policy instruments, and developing more fine-grained procedures and guidance to support their implementation. Degrees of refinement varied across departments, generally in line with the maturity of their respective frameworks. Of note amongst these efforts:
- DND/CAF finalized an updated policy framework, which now includes, among other elements, a new MD to supplement the OiC directions and facilitate their implementation;
- ROMP restructured and internally reallocated resources to support the conduct of ACA risk assessments and related approvals;
- CRA, DFO, DND/CAF, and RCMP were taking steps to broaden their frameworks’ application across departmental business lines;
- CBSA, CRA, DND/CAF, IRCC, PS, and RCMP were elaborating or enhancing risk assessment tools to support decision-makers’ identification of cases involving SRM; and
- CBSA, CRA, CSIS, DND/CAF and RCMP were developing ACA-related internal training modules.
In 2022, CSE, DND/CAF, and GAC each undertook internal reviews of aspects of their ACA implementation frameworks. Where formal reviews were not undertaken, observed refinements reflected topics raised in prior NSIRA reviews and informal interdepartmental benchmarking conducted in forums like the PS-chaired Information Sharing Coordination Group (ISCG), which includes all departments subject to the directions as members.
Finding 4. NSIRA found that TC’s ACA governance framework did not include policies and procedures for:
- escalating cases to the deputy head; or
- assessing the risks of information sharing with foreign entities.
The directions require that cases be referred to deputy heads under specified conditions (elaborated in paragraph 34, below). Departments may determine the mechanism and thresholds for such referrals according to their operational requirements. In practice, the governance frameworks of all departments but TC use pre-determined escalation ladders—beginning with operational staff and concluding with referral to the deputy head—to triage ACA cases.
Although TC’s responses to information requests from NSIRA described an escalation ladder culminating with the Deputy Minister of Transport, its policy instruments do not include any policies or procedures for escalating ACA cases beyond operational staff.
TC’s corporate policy for ACA implementation states that TC must “develop and maintain policies and procedures for assessing the risks posed by foreign entities.” NSIRA’s ACA review for 2019 critiqued the lack of detail in TC’s policy, citing concerns with the department’s framework for deciding whether a disclosure would result in SRM and its lack of a framework for determining whether an identified SRM could be mitigated. TC has stated that these gaps have not yet been addressed, given interdepartmental efforts to implement program enhancements to reduce the risk of mistreatment related to the exchange of information.
All ACA frameworks require a mechanism for case escalation to the deputy head, and a sufficiently-robust risk assessment process to identify when an information exchange may involve SRM, even when such exchanges are infrequent.
Recommendation 1. NSIRA recommends that TC update its ACA governance framework to include policies and procedures for:
- escalating cases to the deputy head; and
- assessing the risks of information sharing with foreign entities
Finding 5. NSIRA found that all departments, with the exception of DFO, GAC, PS, and TC, used country and/or entity risk assessments to inform their assessments of substantial risk of mistreatment and corresponding case escalation.
In order to implement the directions, departments must understand the risks of sharing information with particular foreign entities, including country-level human rights conditions. To this end, most departments use formalized country and/or entity risk assessments as a baseline for assessing case-specific risks and for considering case-specific mitigations.
In some departments, levels of baseline country or entity risk correlate directly with particular levels of approval within their ACA escalation ladders, such that increasingly-senior levels of officials are expected to oversee any mitigations considered or applied in risky contexts. In other departments, escalation is tied to case-specific mistreatment risk assessments that incorporate mitigations, such that escalation is based on residual risks. In these departments, cases of satisfactorily- mitigated substantial risk do not always trigger departmental thresholds for more senior oversight. CSIS’s escalation framework is unique in that the required level of approval depends on both the risk of the transaction itself and the status of the Service’s information-sharing arrangement with the foreign entity.
DFO, GAC, PS, and TC’s risk assessment processes do not involve a baseline assessment of untreated country or entity risk. At DFO, PS, and TC, this is because relevant information exchanges are seen to be so infrequent that case-specific assessments may be conducted when required. GAC, conversely, compiles relevant baseline information in a set of descriptive Human Rights Reports (HRRs), which convey relevant country context—including specifics related to torture and mistreatment—but do not assign a corresponding risk rating or assessment; GAC assesses risk in relation to particular information exchanges, as they arise.
In 2022, CBSA, CSE, CSIS, DND/CAF, FINTRAC, and RCMP each used country and/or entity assessments that they had developed internally to inform their assessments of mistreatment risk. They relied on similar sources of information to conduct these assessments, including GAC’s HRRs (although these did not exist for every country with which departments exchanged information).
In 2022, CRA and IRCC used the country risk ratings assigned by CSIS and RCMP, respectively, as their baseline indicator of a transaction’s potential risk. In both cases, CRA and IRCC received only the overall level of risk assigned to each country, and not any supporting assessment details. Both CRA and IRCC have identified their lack of in-house baseline assessments as gaps in their ACA risk assessment frameworks and are taking steps to develop the required methodologies.
While residual risks in case-specific risk assessments are expected to reflect the particularities of individual information exchanges, these must be considered in relation to the broader human rights environment in which the exchange will be made. Some departments’ case-specific risk assessment methodologies explicitly integrate the corresponding baseline country or entity risk rating. At CBSA, CSE, and DND/CAF, these ratings are matrixed with particularities of the information being considered for exchange. At GAC and RCMP, the ratings are matrixed with personal characteristics of the individual(s) who may be subject to mistreatment.
Finding 6. NSIRA found that departments’ country risk assessments were inconsistent with one another.
In its 2017 MD review, NSIRA recommended that departments develop a unified framework for assessing mistreatment risks at the country level. In each ACA review since, NSIRA has maintained its position that human rights risks within a given country should be assessed consistently across the GC.
In 2022, NSIRA observed widespread discrepancies across departments’ baseline country risk assessments, despite their reliance on similar sources of information. Within the sample of risk assessments reviewed, there were only two countries for which all departments assigned the same risk rating. For some countries, discrepancies were so drastic that different GC departments simultaneously assessed the human rights risk as low, medium, and high. Annex A presents a comparison of risk ratings assigned by each assessing department for each country within the sample.
Three main factors contributed to these discrepancies. First, risk ratings were often tied to dated assessments that failed to account for more recent developments within a country. Second, departments used different indicators of mistreatment in their methodologies. Third, departments weighted the impact of these indicators differently. For example, whereas CSIS weighted each indicator equally, in service of an overall human rights picture, CSE attributed a higher weight for indicators more likely to impact the mistreatment of an individual. DND/CAF was the only department to include an automatic trigger for a high risk rating, irrespective of other moderating considerations, when systemic mistreatment was observed within a country.
To identify differences in risk ratings and to understand the reasons for them, DND/CAF convened a working-level “human rights summit” in late 2022, with participation by CSE, CSIS, and GAC. While the summit was considered a success by all participants, identifying and understanding discrepancies falls short of NSIRA’s recommended unified set of assessments. Although participants regularly signalled that they would consider new information within their own internal assessment frameworks, they rarely committed to changes that would align their risk ratings.
In response to recommendations made in NSIRA’s ACA review for 2019, GC institutions stated their position that a standardized approach was unfeasible, given the “diverse operational activities and mandates” of the twelve implicated departments. NSIRA does not agree that the activities or mandates of the assessing GC departments are relevant considerations in the determination of baseline country or entity risks.
Finding 7. NSIRA found that the simultaneous conduct of independent human rights risk assessments in different departments reflected a substantial duplication of effort across the GC, and created the opportunity for discrepant outcomes.
Departments’ conduct of independent human rights risk assessments leads to an unnecessary drain on resources. This duplication of efforts also creates the opportunity for discrepant assessments, which are replicated across the GC when siloed risk ratings are borrowed by departments that do not internally assess risk. Where discrepancies reflect an under-assessment of baseline risk, departments may undertake information exchanges that contravene the directions’ prohibitions.
Within the sample of countries for which NSIRA requested departments’ risk assessments, departments did not frequently engage with the same foreign entities. While the present report does not, therefore, comment on the alignment of entity assessments across departments in 2022, NSIRA emphasizes the importance of aligning assessments in cases where multiple departments do deal with the same foreign entity. Departments may apply mitigations that are unique to their bilateral partnerships with the entity in question, but—for the same reasons elaborated above vis-a-vis country risk—this should always be done in relation to a baseline risk that is assessed consistently across the GC.
Recommendation 2. NSIRA recommends that the Government of Canada designate a body responsible for developing:
- a unified set of assessments of the human rights situations in foreign countries including a standard “risk of mistreatment” classification level for each country; and
- to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
Decisions on Substantial Risk of Mistreatment
Finding 8. NSIRA found, for the fourth consecutive year, that no departments escalated cases to their deputy heads for determination or decision.
Subsections 1(2) and 2(2) of the directions require, respectively, that information disclosures and requests be referred to deputy heads for determination in cases where departmental officials are unable to determine whether an associated SRM can be mitigated. Paragraph 3(1 )(c) requires deputy—or, exceptionally, senior official—authorization to use information that is likely to have been obtained through mistreatment in any way that would deprive someone of their rights or freedoms.
When cases are escalated under these provisions, subsection 4(1) of the directions imposes reporting requirements for deputy heads. Since no cases were escalated in 2022, departments did not engage these requirements.
The lack of referrals under subsections 1(2) and 2(2) is conspicuous, given that cases had been escalated to deputy heads under the 2017 MDs. The lack of authorizations under paragraph 3(1)(c) is inconspicuous, given the rarity of factual circumstances that would warrant such authorization.
Finding 9. NSIRA found that some high-risk sharing activities were stopped prior to escalation for consideration of possible mitigations.
The lack of referrals to deputies under subsections 1(2) and 2(2) should not be construed as implying that departments failed to identify any cases meeting the threshold of “substantial,” or that all cases of mitigated SRM were approved before they could be escalated for deputy-level consideration.
CRA, CSIS, DND/CAF, GAC, IRGC, and RCMP each reported to NSIRA that they had contemplated transactions involving SRM in 2022—but not all of these contemplated transactions resulted in an information exchange. In some cases, the transaction was stopped before it could be escalated for more senior consideration of potential mitigations. Table 1 summarizes the outcomes of decisions taken in relation to each contemplated transaction involving SRM in 2022.
| Department | Total # Considered | # approved | # denied / not approved | # ongoing as of 2022-12-31 |
|---|---|---|---|---|
| CRA | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| CSIS | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| DND/CAF | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| GAC | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| IRCC | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| RCMP | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
| All departments: | [**redacted**] | [**redacted**] | [**redacted**] | [**redacted**] |
While the vast majority of substantial risk transactions contemplated in 2022 were approved, [**redacted**] were denied or otherwise not completed. For GAC and IRCC, the transactions that did not move forward reflect a substantial proportion of all substantial risk cases subject to formal consideration (64% and 33%, respectively).
Departmental frameworks often include features that reflect a fundamental risk aversion that would result in fewer cases being escalated to deputies. CSE, for instance, allows a transaction to be denied at the initial stages of consideration when it is abundantly clear that there is SRM that cannot be mitigated below the level of substantial. Other departments, like DND/CAF, PS, and RCMP, explicitly incorporate strategic considerations, such as the operational rationale for pursuing the exchange or the importance of the bilateral relationship, when deciding whether to escalate or deny a case. If the operational rationale is lacking, the corresponding cases will fall out of (or never enter into) the ACA escalation ladder, in a manner consistent with the directions’ spirit.
Finding 10. NSIRA found that certain departments’ ACA governance frameworks and risk assessment methodologies included features that may systematically under-assess the level of risk involved in a transaction. These features include:
- discrepant applications of the threshold for substantial risk of mistreatment;
- incorporating mitigations into baseline assessments of risk, while overestimating their effects; and
- a lack of checks and balances in the risk assessment process.
When the level of risk is under-assessed, cases involving substantial risk may be approved at lower levels in departments’ escalation ladders without the intended levels of corresponding oversight, or may never be escalated in the first place. In these contexts, there is an increased likelihood that information may be disclosed or requested in contravention of the directions’ prohibitions.
Discrepant applications of the threshold for SRM
Mid-2021, all ISCG members agreed to adopt the definition for “substantial risk’’ that was provided in the 2017 MDs:
“a personal, present and foreseeable risk of mistreatment In order to be “substantial”, the risk must be real and must be based on something more than mere theory or speculation. In most cases, the test of a substantial risk of mistreatment will be satisfied when it is more likely than not that there will be mistreatment; however, in some cases, particularly where the risk is of severe harm, the “substantial risk” standard may be satisfied at a lower level of probability.”
The same definition was also codified in DND/CAF’s 2022 MD.
The agreed-upon definition is reflected in the policy documents of CSE, DFO, FINTRAC, GAG, PS, and ROMP, as well as (with some added precisions) CSIS and DND/CAF. Despite their agreement to adopt the same definition, however, CBSA, ORA, IRGC, and TO have not consistently updated their internal policy instruments to reflect the definition in its entirety.
Even where the definition has been formally integrated within broader policies, the threshold of probability for “substantial” has not been consistently applied. Risk assessment tools often failed to incorporate the language of “more likely than not” (and the greater-than-50% threshold it entails), or to clarify how to apply a lower level of probability when there is risk of severe harm. [**redacted**]
Lack of clear direction within policy suites increases the likelihood that departments may apply a threshold for SRM that is incommensurate with the circumstances.
Applying the SRM threshold requires clarity, as well, on what constitutes “mistreatment.” Although a definition for “mistreatment” is provided in the ACA, departments did not always agree on appropriate indicators thereof. At the 2022 “human rights summit,” for instance, it was noted that [**redacted**] whereas DND/CAF included it as an indicator of “due process.” When the definition of mistreatment is too narrowly scoped, SRM may be under-assessed.
Recommendation 3. NSIRA recommends that departments apply the “substantial risk” threshold in a manner consistent with the definition adopted government-wide; and that departments whose broader policy frameworks do not yet reflect this definition (CBSA, CRA, IRCC, and TC) make the attendant updates.
Incorporating mitigations into baseline assessments of risk, while overestimating their effects
The directions allow departments to apply mitigations, such as caveats or assurances, to lower the level of a transaction’s risk below “substantial.” Departments that use entity assessments as their starting point for assessing SRM often incorporate such mitigations into their baseline assessment of risk, such that risk ratings reflect a lowered, residual risk of mistreatment instead of an untreated SRM for which subsequent mitigations may be considered.
Within the sample of risk assessments reviewed, CSIS and DND/CAF tended to assess entity risk as lower than the corresponding country risk. NSIRA did not find that their entity risk assessments sufficiently accounted for systemic risks of mistreatment observed in the entity’s country-level operating environment. For CSIS, this dynamic was particularly evident in [**redacted**].
The impact of incorporating mitigations into baseline assessments of risk is accentuated when departments overestimate the effect of mitigations, or base their entity assessments on inappropriate considerations.
The weight attributed to caveats and assurances, as baseline mitigations, was often artificially high. Prior NSIRA reviews have observed gaps in departments’ ability to verify whether a country or entity has actually complied with caveats or assurances. NSIRA did not observe evidence, in 2022, that departments had taken steps to improve their confidence in entities’ compliance with caveats or assurances, nor that they had moderated the expected effect of such mitigations when assigning entity risk levels.
Additionally, NSIRA observed assessments where entity risk may have been influenced by inappropriate considerations, such as the strength of a department’s bilateral relationship with the entity in question, or an absence of derogatory information particular to that entity. For example, FINTRAC’s SRM assessment form specifically prompts users to evaluate the strength of FINTRAC’s bilateral relations with its foreign counterpart. In addition, some departments’ assessments appeared to discount risks reported in open sources in situations where confirmatory intelligence was unavailable.
NSIRA maintains the position elaborated in its ACA review for 2020 that all bilateral exchanges should be assessed through the lens of country risk, given that even so- called “trusted partners” are embedded in the information-sharing hierarchies and human rights contexts of their respective countries. Understanding the human rights risks within a country is a precursor for developing sound entity or case specific risk assessments.
Recommendation 4. NSIRA recommends that departmental assessments of substantial risk of mistreatment be grounded in countries’ human rights records; and that subsequent entity-level considerations be based on validated, current, and consistent respect for caveats and assurances, rather than the absence of derogatory information particular to that entity or other bilateral considerations.
Lack of checks and balances in the risk assessment process
Including checks and balances in the risk assessment process minimizes the likelihood of generating an under-assessment of risk. Checks and balances are present where decisions on case escalation are separated from decisions on whether a case meets the threshold for SRM.
In 2022, many departments achieved this separation by building robust case triage practices into their case escalation frameworks. For instance, CRA, IRCC and RCMP initially escalate cases based on an externally-assigned or pre-determined country or entity risk rating, irrespective of the level of risk attributed to the specific transaction.
Similarly, CBSA and DND/CAF initially escalate cases based on case-specific assessments that matrix a baseline, externally-assigned, risk rating with features of the information being considered for exchange.
DFO’s framework achieves the same effect, despite not relying on a baseline risk rating, by escalating individual cases based on the presence of any potential risk of mistreatment. This threshold is feasible at DFO, given its low frequency of foreign information exchange; departments with higher volumes of information exchange may feasibly achieve a similar effect by escalating cases, at the outset, based on a threshold lower than “substantial.”
Other frameworks achieve a similar separation by ensuring that decisions on substantial risk are decided by officials outside the chain of command of operational personnel involved in the exchange. The ROMP, for instance, prohibits a member of its ACA senior management advisory committee from chairing the discussion of a case recommended from their own business line. To enhance this separation of powers, NSIRA recommended in its ACA review for 2021 that recommendations flowing from this committee be referred to an Assistant Commissioner who is not accountable for the branch from which the case originates. Such practices are consistent with NSIRA’s 2017 MD review recommendation that, in cases where the risk of mistreatment approaches the threshold of “substantial,” decisions should be made independently of operational personnel directly invested in the outcome.
CSE’s ACA policy instruments convey a layering of checks and balances: every instance of foreign information exchange that could lead to the identification of an individual is subject to a mistreatment risk assessment; these assessments are conducted by dedicated information-sharing teams, independently from operational personnel; determinations on the nature of mistreatment risk assessment required (annual, in low risk contexts; case-by-case, in all others) are made on the basis of pre-determined country risk ratings; subsequent case escalation reflects an upward triage based on gradations of mistreatment risk; and this escalation occurs exclusively within CSE’s Authorities, Compliance, and Transparency sector, as opposed to an operational branch.
CSIS’s policy instruments do not convey the same degree of checks and balances [**redacted**].
Recommendation 5. NSIRA recommends that all ACA governance frameworks incorporate layered checks and balances in the risk assessment and escalation of cases that may involve substantial risk of mistreatment.
Conclusion
In this fourth annual review of the ACA directions’ implementation, NSIRA made findings related to compliance with the ACA’s reporting requirements; the alignment of departments’ governance frameworks with the direction’s provisions for information sharing; and departmental practices for identifying cases that may involve SRM.
NSIRA’s findings and recommendations in this report reflect both developments and stagnations in departments’ implementation of the directions over time. Of note, NSIRA observed efforts in 2022 to collaborate interdepartmentally, and standardize certain practices across the GC. While these efforts reflect an improvement over past approaches, they fall short of the directions’ envisioned consistent framework for foreign information sharing government-wide. Additionally, NSIRA observed a number of practices that may lead departments to systematically under-assess the risks involved in contemplated information exchanges. Such under-assessments may, in turn, lead to information being exchanged in contravention of the directions’ prohibitions.
NSIRA made five recommendations in this review. Collectively, they would ensure that all departments’ ACA frameworks reflect a degree of standardization commensurate with the spirit of the ACA and its associated directions; and that these frameworks are designed to support compliance with the directions.
Appendices
Annex A. Sample of Country Risk Ratings
Table 2 presents the risk ratings for each country within the sample (n=19), as assigned by each department that relied on its own internally-developed country risk assessments in 2022.
| CBSA | CSE | CSIS | DND/CAF | FINTRAC | RCMP | |
|---|---|---|---|---|---|---|
| Country 1 | No Assessment | Mixed (Medium risk) |
Low (Low risk) |
High (High risk) |
Moderate (Medium risk) |
No Assessment |
| Country 2 | No Assessment | Poor (High risk) |
Low (Low risk) |
Medium (Medium risk) |
No Assessment | Medium (Medium risk) |
| Country 3 | High (High risk) |
Poor (High risk) |
High (High risk) |
High (High risk) |
High (High risk) |
High (High risk) |
| Country 4 | No Assessment | Poor (High risk) |
Low (Low risk) |
Medium (Medium risk) |
No Assessment | No Assessment |
| Country 5 | No Assessment | Poor (High risk) |
High (High risk) |
High (High risk) |
Moderate (Medium risk) |
Medium (Medium risk) |
| Country 6 | No Assessment | Poor (High risk) |
High (High risk) |
High (High risk) |
No Assessment | High (High risk) |
| Country 7 | No Assessment | Poor (High risk) |
High (High risk) |
High (High risk) |
Moderate (Medium risk) |
Medium (Medium risk) |
| Country 8 | No Assessment | Poor (High risk) |
High (High risk) |
Medium (Medium risk) |
No Assessment | Medium (Medium risk) |
| Country 9 *No GAC HRR available | Low (Low risk) |
Mixed (Medium risk) |
Low (Low risk) |
Low (Low risk) |
Low (Low risk) |
Low (Low risk) |
| Country 10 | High (High risk) |
Poor (High risk) |
Medium (Medium risk) |
Medium (Medium risk) |
Moderate (Medium risk) |
Medium (Medium risk) |
| Country 11 | No Assessment | Poor (High risk) |
High (High risk) |
High (High risk) |
No Assessment | Medium (Medium risk) |
| Country 12 | High (High risk) |
Mixed (Medium risk) |
High (High risk) |
Medium (Medium risk) |
High (High risk) |
Medium (Medium risk) |
| Country 13 | No Assessment | Poor (High risk) |
High (High risk) |
High (High risk) |
Moderate (Medium risk) |
High (High risk) |
| Country 14 | No Assessment | Poor (High risk) |
High (High risk) |
High (High risk) |
High (High risk) |
Medium (Medium risk) |
| Country 15 | Medium (Medium risk) |
Mixed/Poor (High risk) |
Low (Low risk) |
High (High risk) |
Moderate (Medium risk) |
No Assessment |
| Country 16 | No Assessment | Mixed (Medium risk) |
Low (Low risk) |
High (High risk) |
Moderate (Medium risk) |
Medium (Medium risk) |
| Country 17 | No Assessment | Mixed (Medium risk) |
Low (Low risk) |
Medium (Medium risk) |
Moderate (Medium risk) |
Medium (Medium risk) |
| Country 18 | No Assessment | Poor (High risk) |
High (High risk) |
High (High risk) |
Moderate (Medium risk) |
High (High risk) |
| Country 19 | High (High risk) |
Poor (High risk) |
Medium (Medium risk) |
High (High risk) |
Moderate (Medium risk) |
Medium (Medium risk) – Under Review |
Annex B. Findings and Recommendations
NSIRA made the following findings and recommendations in this review:
Compliance with the ACA
Finding 1. NSIRA found that all departments, with the exception of DFO in respect of subsection 7(1), complied with the reporting requirements set out in the ACA.
Implementation of the Directions
Finding 2. NSIRA found that all departments had frameworks to govern their implementation of the ACA and its associated directions by the end of 2022.
Finding 3. NSIRA found that most departments demonstrated continual refinements of their ACA frameworks based on self-identified gaps, NSIRA recommendations, and community-wide coordination efforts.
Finding 4. NSIRA found that TC’s ACA governance framework did not include policies and procedures for:
- escalating cases to the deputy head; or
- assessing the risks of information sharing with foreign entities.
Recommendation 1. NSIRA recommends that TC update its ACA governance framework to include policies and procedures for:
- escalating cases to the deputy head; and
- assessing the risks of information sharing with foreign entities.
Finding 5. NSIRA found that all departments, with the exception of DFO, GAC, PS, and TC, used country and/or entity risk assessments to inform their assessments of substantial risk of mistreatment and corresponding case escalation.
Finding 6. NSIRA found that departments’ country risk assessments were inconsistent with one another.
Finding 7. NSIRA found that the simultaneous conduct of independent human rights risk assessments in different departments reflected a substantial duplication of effort across the GC, and created the opportunity for discrepant outcomes.
Recommendation 2. NSIRA recommends that the Government of Canada designate a body responsible for developing:
- a unified set of assessments of the human rights situations in foreign countries including a standard “risk of mistreatment” classification level for each country; and
- to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
Decisions on Substantial Risk of Mistreatment
Finding 8. NSIRA found, for the fourth consecutive year, that no departments escalated cases to their deputy heads for determination or decision.
Finding 9. NSIRA found that some high-risk sharing activities were stopped prior to escalation for consideration of possible mitigations.
Finding 10. NSIRA found that certain departments’ ACA governance frameworks and risk assessment methodologies included features that may systematically underassess the level of risk involved in a transaction. These features include:
- discrepant applications of the threshold for substantial risk of mistreatment;
- incorporating mitigations into baseline assessments of risk, while overestimating their effects; and
- a lack of checks and balances in the risk assessment process.
Recommendation 3. NSIRA recommends that departments apply the “substantial risk” threshold in a manner consistent with the definition adopted government-wide; and that departments whose broader policy frameworks do not yet reflect this definition (CBSA, CRA, IRGC, and TC) make the attendant updates.
Recommendation 4. NSIRA recommends that departmental assessments of substantial risk of mistreatment be grounded in countries’ human rights records; and that subsequent entity-level considerations be based on validated, current, and consistent respect for caveats and assurances, rather than the absence of derogatory information particular to that entity or other bilateral considerations.
Recommendation 5. NSIRA recommends that all ACA governance frameworks incorporate layered checks and balances in the risk assessment and escalation of cases that may involve substantial risk of mistreatment.
