SUMMARY OF THE PRIVACY IMPACT ASSESSMENT
Investigations
Government Institution
National Security and Intelligence Review Agency (NSIRA) Secretariat
Government official responsible for the PIA
Charles Fugère
Executive Director, NSIRA Secretariat
Head of the government institution or Delegate for section 10 of the Privacy Act
Charles Fugère
Executive Director, NSIRA Secretariat
Standard or institution specific personal information bank:
NSIR PPU 005 (Investigations). The former Security Intelligence Review Committee’s PIB called Complaints (SIR PPU 005) was pending transfer approval from Treasury Board Secretariat at the writing of this PIA. In parallel to that transfer approval, this PIA has determined that updates and modifications to the PIB (now called NSIR PPU 005 – Investigations) are warranted.
Legislated authority for activity:
NSIRA was established pursuant to Part 1 (NSIRA Act) of the National Security Act, 2017, which received Royal Assent on June 21, 2019 (the NSIRA Act came into force on July 12, 2019). NSIRA is comprised of the Review Agency established under s. 3 of the NSIRA Act (Chair, Vice-Chair and Members) and the Secretariat established pursuant to ss. 41(1) of that Act whose role it is to assist the Review Agency in fulfilling its mandate. For the purposes of the Privacy Act, it is the Secretariat – headed by the Executive Director – that is the government institution.
NSIRA is largely comprised of the former Security Intelligence Review Committee (SIRC) while assuming responsibilities over the review and complaints mandate of the former Office of the Communications Security Establishment Commissioner (OCSEC); the remaining responsibilities under OCSEC were assumed by the newly created Office of the Intelligence Commissioner.
The legal authority for NSIRA’s personal information collection, use and disclosure in accordance with its mandate is derived from its enabling legislation, the NSIRA Act; most notably, section 8. Specific to the scope of this PIA, paragraph 8(1)(d) of the NSIRA Act mandates the Review Agency to investigate:
- Any complaint related to the activities of the Canadian Security Intelligence Service (CSIS) – per ss. 16(1) of the NSIRA Act.
- Any complaint related to the activities of the Communications Security Establishment (CSE) – per ss. 17(1) of the NSIRA Act.
- Any complaint related to a government employee or contractor having their security clearance denied or revoked and, for that reason only, being dismissed, demoted, transferred, denied a promotion or transfer, denied a contract, or denied from providing goods or services to the Government of Canada – per ss. 18(3) of the NSIRA Act.
- Any complaint referred to the Agency under ss. 45.53(4.1) or 45.67(2.1) of the Royal Canadian Mounted Police Act (RCMP Act) – per s. 19 of the NSIRA Act.
- Reports made to the Agency under section 19 of the Citizenship Act; and
- Matters referred to the Agency under s. 45 of the Canadian Human Rights Act.
These mandates, and the legal authority to collect information, are supported by other sections of the NSIRA Act and other Acts (as mentioned above).
Summary of the project / initiative / change:
This PIA was authored to assess the business practices and privacy safeguards of NSIRA related to its investigations mandate.
Investigations by NSIRA are triggered by complaints submitted by any individual related to the activities of CSIS, CSE, or related to the denial or revocation of a security clearance. Furthermore, NSIRA is required to investigate reports and referrals from the CRCC, CHRC and the Minister of Immigration, Refugees and Citizenship Canada when issues are presented to those institutions that involve national security.
Investigations are handled by Review Agency Members who are appointed by the Governor in Council (GIC) after various consultations by, and on the recommendation of, the Prime Minister. Each Member may serve a term not to exceed five years and can be reappointed for one additional term (s. 4 of the NSIRA Act).
With support from the NSIRA Secretariat’s Investigation Team, documents are collected and reviewed from the respondent federal institution(s) – the institution whose activities are the subject of the complaint, referral, or report. Investigative interviews are conducted with the complainant, respondent and witnesses, and, in some instances, a hearing is held to arrive at its conclusions. Ultimately, the assigned Member issues a quasi-judicial report which includes findings and in some instances recommendations to the respondent federal institution(s) – a final report. A declassified final report is shared with the Complainant and, under the discretion of the assigned Member, a declassified and depersonalized final report may be posted publicly. NSIRA uses caution in its decision to make public a final report as the details, even with the removal of names and other identifiable information, may identify a person(s).
The investigation processes and procedures of NSIRA (Members and the Investigations Team) involve the collection of personal information which in most cases, if not all, results in a report which directly impacts the complainant or the individual impacted by the referred/reported matter. Therefore, for the purposes of the Privacy Act and Treasury Board (TB) privacy policy instruments, the use of personal information for NSIRA’s investigation activities is for an administrative purpose.
Each risk identified in this PIA has been assessed by NSIRA, and a risk mitigation plan has been created for each risk’s corresponding recommendations. None of the risks were considered High and all mitigation measures will be completed before the end of FY 2023-24.
Risk Area Identification and Categorization
In its Directive on Privacy Impact Assessment, TB has expressed that the PIA must include a completed risk area identification and categorization section, which must be made public. A risk rating must be assigned to each risk area named and described in Appendix C of the TB Directive on Privacy Impact Assessment. The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.
| Risk Area | Risk Level |
|---|---|
| Type of Program or Activity: Compliance / Regulatory investigations and enforcement. Personal information is used for purposes of detecting fraud or investigating possible abuses within programs where the consequences are administrative rather than criminal in nature (e.g., a discontinuation of benefits or an audit of personal income tax file). | 3 |
| Type of Personal Information Involved and Context: Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. For example: personal information that reveals intimate details on the health, financial situation, religious or lifestyle choices of the individual and which, by association, reveals similar details about other individuals such as relatives. | 4 |
| Program or Activity Partners and Private Sector Involvement: With other federal institutions. | 2 |
| Duration of the Program or Activity: Long-term program. Existing program that has been modified or is established with no clear “sunset”. | 3 |
| Program Population: The program affects certain individuals for external administrative purposes. | 3 |
| Technology and Privacy: NSIRA investigations do not involve the development of a new system or modifications to existing systems. NSIRA collects and stores up to CLASSIFIED documents using appropriate safeguards. Investigative interviews and hearings are audio recorded. NSIRA investigations require federal institutions and NSIRA personnel to match complainant information to the records of that federal institution. Most data matching activities require the person’s name and date of birth (DOB) to be the main data elements in determining a match. One of NSIRA’s initial tasks in reviewing records is to ensure the records are of the intended individual, with no doubt about identity. | |
| Personal Information Transmission: The personal information is transferred to a portable device or is printed. USB key, diskette, laptop computer, or any transfer of the personal information to a different medium. | 3 |
| In the Event of a Privacy Breach, Impact on the Individual: A privacy breach of complainant information could have significant reputational harm to NSIRA. The types of information referred to NSIRA are highly sensitive — both from a government security classification perspective and a personal information perspective. Embarrassment, relationship impacts, media attention, and negative employment consequences are all potential risks if NSIRA investigative records were to be breached. | |