Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities 2017 MD: Backgrounder
Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities 2017 MD
Backgrounder
Review Backgrounder
In 2019-2020, NSIRA conducted its first interdepartmental review on the implementation of the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities (2017 MD). The review set out to build NSIRA’s knowledge of the information sharing process adopted by the six departments that received the 2017 MD.
NSIRA conducted a case study for each department that had operationalized the 2017 MD. NSIRA noted significant differences in the six departments’ implementation and operationalization of information sharing processes. NSIRA found that CSE, CSIS and the RCMP had implemented the 2017 MD; DND/CAF was implementing the final elements of the 2017 MD; GAC had not yet fully implemented the 2017 MD; and, the CBSA had not yet operationalized the 2017 MD.
NSIRA examined and found differences in how high-risk decision-making is removed from operational personnel who may have a vested interest in the sharing. CSE and the RCMP had the most independent processes; GAC removed high-risk decision-making from front line personnel, while CSIS and DND/CAF decision makers had a direct operational interest in sharing information. NSIRA recommended that Departments ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
NSIRA also found a lack of standardization in information sharing risk assessments for both foreign countries and foreign entities. This issue has been noted in other NSIRA information sharing reviews.
In 2019, parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act, which in conjunction with the subsequent issued Orders in Council (OIC’s) codified many of the provisions of the 2017 MD and left the essential prohibitions and limits unchanged. Noteworthy, the six departments examined in this review are also the same departments for which there is an obligation to issue OICs pursuant to the Act. This review set out the foundation that has assisted and facilitated NSIRA’s subsequent mandated information sharing reviews.
Publishing this review aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work.
In 2011 and again in 2017, ministers issued direction (hereafter Ministerial Direction or MD) to a number of departments setting out how to manage the risks of mistreatment posed by the sharing of information with foreign entities. Most recently, Parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA). In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.
This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a foundation that will expedite and facilitate NSIRA’s future information sharing reviews.
The review focused on the six departments that had received the 2017 MD: the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CSBA), Global Affairs Canada (GAC), and the Department of National Defence and the Canadian Armed Forces (DND/CAF).
Observations and Recommendations
Degrees of implementation vary across departments
NSIRA noted significant differences between the six departments with regard to the level of implementation of information sharing processes. In summary:
CSE, CSIS and the RCMP have implemented the 2017 MD.
DND/CAF is in the process of implementing final elements of the 2017 MD.
GAC has not yet fully implemented the 2017 MD.
In practice, CBSA has not yet operationalized the 2017 MD.
The concept of “substantial risk” of mistreatment is not defined
Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a “substantial risk” of mistreatment. Neither the ACMFEA nor its direction include a definition of substantial risk, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in future.
Recommendation: The definition of “substantial risk” should be codified in law or public direction.
Departments vary with respect to the independence of their decision-making
CSE and the RCMP have the most independent processes.
The information sharing processes implemented by GAC to date remove high- risk decision-making from “front line” personnel.
At CSIS and DND/CAF, decision-makers typically have a direct operational interest in the sharing of information.
CBSA has not yet operationalized its information sharing processes.
Recommendation: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
Lack of standardized information sharing risk assessments
Under the 2017 MD, GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. It may also yield inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing.
Recommendation: Departments should develop: (a) a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and (b) to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
Benefits of internal information sharing process reviews
Finally, NSIRA noted that periodic internal reviews of information sharing policies and processes supported their successful functioning in the long term.
Recommendation: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.
2. Authorities
This review was conducted under the authority of the National Security and Intelligence Review Agency Act (NSIRA Act), specifically paragraphs 8(1)(a) and 8(1)(b) as well as sections 9 and 11.
3. Introduction
Many departments and agencies in the Government of Canada routinely share information with foreign entities. Given that information sharing with entities in certain countries can result in a risk of mistreatment for individuals, it is incumbent upon the Government of Canada to evaluate and mitigate the risks that such sharing creates. This is particularly the case for information sharing related to national security and intelligence, where the information often relates to alleged participation in terrorism or other criminal activity.
Canada has made a number of binding commitments under the International Covenant on Civil and Political Rights (ICCPR), the Convention Against Torture and Other Cruel, Inhumane, or Degrading treatment or Punishment (CAT), and other international agreements. The prohibitions on mistreatment – including complicity in mistreatment – set out in these agreements are also considered to be customary international law. Some of Canada’s obligations have been incorporated into domestic law under section 269.1 of the Criminal Code.
In 2011 and again in 2017, ministers issued direction to a number of departments setting out how to manage the risks in information sharing with foreign entities. Most recently, Parliament passed Bill C-59, which included the ACMFEA. In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.
Subsection 8(2.2) of the NSIRA Act requires NSIRA to review annually every department’s implementation of the directions of the GiC issued under the ACMFEA. In 2020, the NSIRA will undertake its first such review. The purpose of the present review, however, was to build NSIRA’s knowledge and understanding of departments’ implementation of the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a valuable foundation that will expedite and facilitate NSIRA’s future information sharing reviews.
The review focused on the six departments that received the 2017 MD: CSIS, CSE, the RCMP, CBSA, GAC, and DND/CAF. NSIRA examined departments’ policies and processes as well as documents related to foreign arrangements. Where possible, NSIRA examined a single case study for each department in order to illustrate how information sharing works in practice. Given the high-level approach taken in this review, NSIRA opted to make a series of broad observations about the strengths and weaknesses of departments’ framework for information sharing with foreign entities, in the place of formal findings. Where NSIRA made recommendations, they were interdepartmental in scope.
This review focused on departmental policies and procedures for the disclosure and requesting of information involving a risk of mistreatment. It did not examine the use of information that may have been derived from mistreatment; NSIRA may review this topic in future.
4. Background
In 2011, the Government of Canada approved a general framework for “Addressing Risks of Mistreatment in Sharing Information with Foreign Entities”. The framework was the first multi-departmental set of instructions issued regarding information sharing and mistreatment. Its main aim was to establish a coherent and consistent approach across government when sharing information with foreign entities.
Later in 2011, a number of departments whose mandate related to national security and/or intelligence received Ministerial Direction on Information Sharing with Foreign Entities (the 2011 MD). Specifically, the 2011 MD was issued to CSIS, CSE, CBSA, and the RCMP. The 2011 MD, which was eventually released under the Access to Information Act, was subject to extensive criticism from non-governmental organizations, civil liberties groups, and others including the Canadian Bar Association. The main critique was that the 2011 MD did not clearly prohibit the disclosure or requesting of information entailing a “substantial risk” of mistreatment, but rather permitted departments to weigh the value of the information against the risk of mistreatment.
In 2017, the 2011 MD was replaced by a new Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities (the 2017 MD). The 2017 MD was received by CSIS, CSE, CBSA, and the RCMP – the departments that had received the 2011 MD – as well as by DND/CAF and GAC. The 2017 MD included numerous changes, but the most significant were clear prohibitions on the disclosure and requesting of information that would result in a substantial risk of mistreatment, as well as new limits on the use of information likely derived from mistreatment by a foreign entity. In addition, the new MD required departments to maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities.
The 2017 MD further directed departments to cooperate in making assessments regarding foreign countries and entities. In response, Public Safety Canada (PS) established the Information Sharing Coordination Group (ISCG) comprised of PS and the six departments that had received the 2017 MD. The objective was to encourage interdepartmental discussions in support of a coordinated approach to the implementation of the MD.
On July 13, 2019, the ACMFEA came into force. The ACMFEA requires the GiC to issue direction to the six departments that had received the 2017 MD, and gives the GiC discretion to issue direction to other departments as well. On September 4, 2019, the GiC issued direction under the ACMFEA to twelve departments. In addition to the six mandatory departments, direction was issued to PS; the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC); Transport Canada; Immigration, Refugees and Citizenship Canada (IRCC); the Canada Revenue Agency (CRA); and Fisheries and Oceans Canada (DFO). These six new departments have now also joined the PS-led ISCG.
In practice, the information sharing regime set out by the ACMFEA and the subsequent GiC direction closely resembles the 2017 MD. The fundamental limits on Canadian departments’ scope to share information remain unchanged. Notably, however, the new regime omits certain aspects of the 2017 MD. The ACMFEA and its associated direction lack the 2017 MD’s requirement that departments maintain policies and procedures for assessing the risks associated with foreign information sharing arrangements, in collaboration with other departments. More importantly, the new system omits a definition of the threshold of “substantial risk”. The ramifications of this are discussed below.
5. Observations and Recommendations
Reporting
One of the new obligations placed on departments in the 2017 MD was a requirement that they provide an annual report to their minister that included:
All of the departments that were issued the 2017 MD fulfilled their obligation to report to their respective ministers by producing a report in late 2018 or early 2019 discussing the first year of activity under the MD. At the time of writing, however, not all of the departments have issued a public report. As this was a foundational review, NSIRA did not critically evaluate the reports.
Department
Report to Minister
Public report
Cases approved
Cases denied
CBSA
Provided
Published
0
0
CSIS12
Provided
Published
1
1
RCMP13
Provided
Published
25
4
CSE14
Provided
Published
1
0
DND/CAF
Provided
Not Published
0
0
GAC
Provided
Not Published
0
0
Implementation of the 2017 Ministerial Direction
When the 2017 MD was issued, departments that had already built information sharing policies and procedures under the 2011 MD found themselves at a significant advantage. CSIS, CSE, and the RCMP in particular were able to quickly adapt their existing systems to the 2017 MD. Accordingly, for departments that had not received the 2011 MD – or had not implemented it – the arrival of the 2017 MD proved more challenging.
CSE: NSIRA observes that CSE has fully implemented all of the elements of the 2017 MD. The MD’s requirements have been integrated directly into CSE’s operational policies and processes. A detailed overview of CSE’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex D.
RCMP: In response to the 2017 MD, the RCMP overhauled their information sharing framework and stood up a new Law Enforcement Assessment Group (LEAG) that, amongst other things, assesses country human rights records and maintains a system for streaming information sharing requests according to risk. The RCMP is currently working to integrate these processes into their comprehensive operational manual. A detailed overview of the RCMP’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex E.
CSIS: Following the issuance of the 2017 MD, CSIS quickly updated their policies and procedures. In 2018, CSIS also created a new system to implement the MD’s requirement to restrict information sharing with foreign entities that engage in mistreatment, with three levels of restriction depending on the seriousness of the problem. CSIS has informed NSIRA that it is overhauling its current policies and procedures. A detailed overview of CSIS’s current information sharing framework and the results of the case study examined by NSIRA can be found at Annex F.
DND/CAF: Although DND/CAF did not receive the 2011 MD, DND/CAF has had internal directives in place governing information sharing with foreign entities since 2010. The DND/CAF policy and process suite for information sharing was updated following the issuance of the 2017 MD to bring it into compliance with the new requirements. While DND/CAF vets partner forces, it does not yet have a fully developed system for assessing and managing the risks of sharing information with foreign entities. DND/CAF is, however, currently developing more extensive country risk profiles and a standardized assessment process that will be used to assess the risks of information sharing prior to establishing information sharing arrangements. A detailed overview of DND/CAF’s information sharing framework can be found at Annex G.
GAC: Following receipt of the 2017 MD, GAC established a new Ministerial Direction Compliance Committee (MDCC) in December 2018. The MDCC’s objective is to review requests for information sharing that may engage the MD. This is the extent of GAC’s policies and processes pursuant to the MD, however. GAC lacks any policies or procedures setting out how employees are to assess instances of possible information sharing to ensure that all appropriate cases reach the MDCC. It is insufficient to merely inform employees that they are responsible for assessing a complex legal threshold – the concept of a “substantial risk” of mistreatment at the core of the 2011 and 2017 MD as well as the ACMFEA – without guidance as to how they should proceed. As such, NSIRA observes that GAC has not yet fully implemented the 2017 MD.
GAC (cont.): Of note, GAC produces human rights reports on countries that are widely used within government to assist in assessing the risks of sharing with foreign entities. Following the 2017 MD, GAC added a subsection specific to mistreatment to these reports. A detailed overview of GAC’s information sharing framework and the results of the case study examined by NSIRA can be found at Annex H.
CBSA: In October 2018, CBSA issued a revised high-level policy document in response to the 2017 MD. The document did not include concrete processes for identifying and handling instances of information sharing involving a risk of mistreatment, however. CBSA employees thus lack effective guidance with which to discharge their responsibilities under the MD. CBSA also has no process for assessing the risks associated with specific foreign countries and entities, as required by the MD. CBSA has since drafted processes and additional policies, but they have not yet been finalized or invoked. Given these significant gaps, NSIRA observes that CBSA has not yet operationalized the 2017 MD. CBSA has informed NSIRA, however, that it intends to introduce significant improvements over the coming year. A detailed overview of CBSA’s information sharing framework can be found at Annex I.
Additional observations are included in the department-specific annexes referenced above. It should also be noted that NSIRA examined departmental policies and processes at a high level, and as such future reviews may make additional findings and recommendations regarding policies and processes. Moreover, a number of departments are in the process of revamping their information sharing practices, including in particular CSIS and DND/CAF.
In its survey of departments, NSIRA noted varying levels of rigour and consistency with regard to record keeping. Accurate and detailed records of deliberations and reasoning in support of decision-making related to information sharing with foreign entities are necessary to support accountability, particularly in light of the Supreme Court’s recent decision in Vavilov. NSIRA may return to this subject in future years.
In June 2019, the RCMP conducted an internal review of the framework and policies in place for its information sharing policies and procedures. The review identified certain shortcomings with regard to policies, processes, training, and resourcing. Based on the draft provided, NSIRA observes that the review was candid and thorough. The review is currently being used to guide improvements. Periodic internal reviews – such as the one conducted by the RCMP – should be considered a best practice.
Recommendation no. 1: Departments should conduct periodic internal reviews of their policies and processes for sharing information with foreign entities in order to identify gaps and areas in need of improvement.
Independent Decision-Making
The concept of risk mitigation is key to the information sharing frameworks of departments. When information sharing would result in a substantial risk that an individual would be mistreated, the information can only be shared if the department takes measures to mitigate the risk of mistreatment such that the residual risk is no longer substantial. Much therefore depends on who, within departments, is authorized to make decisions regarding whether:
an instance of proposed information sharing would result in a substantial risk of mistreatment; and
the proposed mitigation measures are sufficient.
In looking at the various decision-making processes adopted by departments, NSIRA noted varying levels of independence from operational personnel. Of particular interest were processes where the individual making decisions has a direct operational interest in the sharing of the information, creating the potential for conflict between operational imperatives and departmental obligations to respect the MD.
At CSE, the complete Mistreatment Risk Assessment process is conducted by non-operational units. The centralization of information sharing decision-making in a single branch minimizes direct operational pressure while facilitating informed and objective decisions.
The RCMP process uses other mechanisms to ensure independent decision- making. Individual investigators, when they wish to share information, must consult a list of countries and types of information sharing that the RCMP has pre-determined as representing sufficient risk of mistreatment. If the proposed sharing matches the list, then the case is automatically referred to the Foreign Information Risk Advisory Committee (FIRAC). FIRAC comprises a range of senior officials from RCMP headquarters who are a step removed from the operational front-line. The RCMP’s system of referral to FIRAC based on clear criteria removes discretion from officers with a vested interest in the sharing of the information. These officers may not have a full understanding of the geopolitical context of the proposed information sharing and thus are not best-placed to assess whether a substantial risk of mistreatment would result.
GAC requests that Directors General and Heads of Mission refer all cases where proposed information sharing “presents the potential for substantial risk of mistreatment” to the MDCC. The decision as to whether the substantial risk can be mitigated is made centrally by the MDCC, which comprises senior officials from across the department as well as a legal representative. As noted above, however, GAC currently does not provide officials with guidance on how to determine whether the threshold for referral to the MDCC has been met.
Compared to CSE, GAC, and the RCMP, decision-making at CSIS and DND/CAF is much closer to operations. CSIS provides high-level guidance to desks on how to identify information sharing that may result in a substantial risk of mistreatment, but leaves final decision-making regarding whether the situation does in fact create a substantial risk, and whether the risk can be mitigated, to the Deputy Director General or the Director General of each branch. Only if CSIS has heavily restricted information sharing with the foreign entity in question – or else the branch is unsure whether the substantial risk can be mitigated – then the branch must refer the case to the Information Sharing Evaluation Committee (ISEC) for determination. As a result, most of CSIS’s information sharing decisions – even those involving a substantial risk of mistreatment – are made by officials with a direct operational stake in the outcome of the proposed information sharing.
Within DND/CAF, decisions regarding the sharing of information rest with officers within the military chain of command. NSIRA was informed that while routine information sharing is approved by designated lower-level officers in theatre, cases involving unusual circumstances, or where there is uncertainty as to whether a substantial risk of mistreatment exists or can be mitigated, are elevated to senior levels. Once passed up the chain of command, senior officers receive advice from a range of officials at headquarters.
CBSA, at the present time, does not have processes to assess substantial risk or to make decisions regarding whether such risks can be mitigated. In practice, therefore, the onus currently rests on CBSA officers, acting without guidance, to identify cases that invoke the 2017 MD and to manage the associated risks. CBSA has drafted a procedure for cases where there is uncertainty as to whether a substantial risk of mistreatment can be mitigated, but it has not yet been implemented.
Recommendation no. 2: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.
Country Assessments
As noted above, a significant addition to the 2017 MD was the requirement that departments maintain policies and procedures to assess the risks of their information sharing relationships with foreign entities. Notably, the MD required departments to assess the human rights records of foreign countries generally and not just of specific foreign entities (i.e., police or intelligence services) within those countries. While the MD did not prohibit information sharing with foreign entities in countries with troubling human rights records, it implied that Canada’s relationships with such foreign entities could not be considered in isolation from the broader human rights environment in which these entities functioned.
In several instances, NSIRA noticed departments citing an absence of direct Government of Canada intelligence of mistreatment by a specific foreign entity in support of a proposed sharing of information, or else in support of a less restrictive information sharing policy towards the entity in question – despite ample reporting of systemic human rights abuses in the public domain. NSIRA observes that a lack of internal Government of Canada reporting of mistreatment by a specific foreign entity is not evidence that the entity does not engage in mistreatment. Departments must consider the full range of sources in assessing risk, including open sources such as the media and non-governmental organizations.
GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. and It may also yield significant inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing. With the issuance of direction under the ACMFEA to twelve departments, this issue will likely grow. See Annex F for additional discussion of this point.
The ISCG seeks to guide departments in developing their human rights assessment processes by providing a forum to discuss best practices. PS informed NSIRA that the ISCG had not discussed plans to standardize these assessments.
Recommendation no. 3: Departments should develop:
a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and
to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
The recommendation above does not preclude department-specific approaches to mitigating the risks of mistreatment. For instance, a department may be able to draw upon aspects of its relationship with a foreign entity to reduce the risk of mistreatment not available to other departments. These differences should not affect the initial determination of the underlying risk of mistreatment posed by information sharing with a foreign entity, however.
In India v. Badesha (2017), the Supreme Court of Canada recently provided guidance on contextual factors to be considered when assessing the reliability of assurances sought from foreign entities regarding mistreatment. Though not exhaustive, the decision provides departments with some guidance regarding the adequacy of assurances received.
Duty of Care
In reviewing GAC, NSIRA noted a tension between adherence to the 2017 MD and GAC’s duty of care with regard to the safety and security of mission staff abroad. Indeed, both cases of information sharing referred to the MDCC in 2019 involved threats to mission In one of the cases, information was shared with a foreign entity before the MDCC had had the chance to assess the risk of mistreatment. In this instance, the GAC official cited the need to protect the safety of mission staff (see Annex H).
NSIRA acknowledges the importance of mission security and the seriousness of the conundrums that can arise when the needs of mission security and GAC’s obligations with respect to information sharing collide. Yet the charged atmosphere of a mission under threat may not be the best venue for quick decision-making involving risks of mistreatment.
Substantial Risk
Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a substantial risk of mistreatment. Neither the ACMFEA nor its direction include a definition of “substantial risk”, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in the future.
In consultation with other departments, PS is developing a policy document that includes the same definition of substantial risk that was found in the 2011 and 2017 MD. The document also contains guidance on other requirements contained in the 2017 MD but that were omitted from the ACMFEA and its direction. When asked by NSIRA, the six departments that had been subject to the 2017 MD all stated that they intended to continue abiding by the established definition of substantial risk. This is reassuring, and should limit the potential for inconsistency between departments. Nonetheless, such a crucial definition should not be left up to individual departments to determine.
Recommendation no. 4: The definition of “substantial risk” should be codified in law or public direction.
The definition of substantial risk in the 2017 MD requires that mistreatment be “foreseeable”. As described in Annex G, DND/CAF’s assessment of foreseeability encompasses a number of factors, but a key component is that the risk of mistreatment be a “causal consequence” of DND/CAF information sharing. NSIRA observes that DND/CAF’s interpretation of foreseeability runs the risk of narrowing the definition of substantial risk and therefore the application of the 2017 MD. Given the importance of a clear and consistent understanding of “substantial risk” across departments, in future years NSIRA may review the application of the “substantial risk” threshold by DND/CAF – and other departments – to information sharing with foreign entities.
A substantial risk of mistreatment is defined as existing in cases where mistreatment is more likely than not. The definition includes a qualifier, however, that the threshold may be met at lower level of probability “where the risk is of severe harm”. This reflects a larger point that the assessment of substantial risk is not intended to be a narrowly mechanistic process of balancing probabilities. The 2017 MD notes that the Government of Canada “has no interest in actions associated with the use of torture or other cruel, inhumane or degrading treatment or punishment. Knowingly associating the Government of Canada with any of these actions would damage the credibility and effectiveness of any department or agency associated with them”. When interpreting the threshold of substantial risk, departments should always bear in mind the larger purpose of Canada’s framework for sharing information with foreign entities.
In order to give life to this framework, it is incumbent on departments, first, to ensure that their employees are trained to the point where they fully understand their legal obligations, and second, to establish clear and well-developed processes that foster and facilitate compliance in the broadest sense.
6. Conclusion
This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. NSIRA noted significant differences between the six departments reviewed with respect to the level of implementation of information sharing processes. Processes also varied widely in terms of the level of independence of decision-making.
Although departmental information sharing frameworks will continue to evolve over time, this review will provide a baseline of comparison for future developments under the ACMFEA. The review also served to identify areas of potential concern that NSIRA may revisit in future years.
Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021: Backgrounder
Review of federal institutions’ disclosures of information under the Security of Canada Information Disclosure Act in 2021
Backgrounder
Backgrounder
This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
1.This report describes the results of a review by the National Security and Intelligence Review Agency (NSIRA) of the 2021 disclosures made by federal institutions under the Security of Canada Information Disclosure Act (SCIDA). This is the third year of implementation of the SCIDA regime. This year, NSIRA decided to focus the review on Global Affairs Canada’s (GAC) proactive disclosures.
2.The SCIDA encourages and facilitates the disclosure of information between federal institutions to protect Canada against activities that undermine or threaten national security, subject to certain conditions. The SCIDA provides a two-part threshold which must be met prior to making a disclosure: that the information will contribute to the exercise of the recipient institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances. The SCIDA also includes provisions and guiding principles related to the management of disclosures, including accuracy and reliability statements and record keeping obligations.
3.NSIRA identified concerns that demonstrate the need for improved training. NSIRA found that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information. Some disclosures were of concern as GAC did not meet the two-part threshold requirements of the SCIDA prior to disclosing the information. Without meeting these requirements, some disclosures of personal information were not compliant with the SCIDA. Two disclosures did not contain accuracy and reliability statements, as required under the SCIDA. With respect to record-keeping, NSIRA recommends that departments contemporaneously document the information relied on to satisfy themselves that disclosures will not affect any person’s privacy interest more than is reasonably necessary in the circumstances.
4.NSIRA is confident that it received all information necessary to conduct the review.
2. Introduction
5.When federal departments fail to share national security information in a timely, coordinated, or responsible manner, serious and tragic consequences can result – as the Arar and Air India Inquiries found. As a mechanism in Canada’s national security accountability framework, NSIRA is mandated to prepare a report respecting disclosures under the Security of Canada Information Disclosure Act (SCIDA) during the previous calendar year. This is the only NSIRA review that must be made public and laid before both the House of Commons and the Senate, reflecting the importance Parliament has placed on independent review and accountability of national security information disclosure.
6.The SCIDA’s designated long title also reflects its stated purpose: An Act to encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada.
7.The SCIDA governs how Government of Canada institutions disclose information, including personal information, that is relevant to activities that undermine the security of Canada, to a select group of federal institutions with national security mandates. Disclosures are either made proactively, on the initiative of a Government of Canada institution, or in response to a request by an institution authorized to receive information under the SCIDA.
8.It is important to note that the SCIDA is simply a tool. It is only as useful as its real-time recognition and application. Its success relies on how individuals and institutions interact with and implement its provisions. Those federal government institutions authorized to disclose information under the SCIDA must maintain a certain vigilance for information that may have national security repercussions, including at the most basic operational level. Having recognized information that could involve national security matters, departments must then decide whether they are authorized to disclose that information and to whom, paying close attention to minimizing any impacts on individual privacy rights.
9.Federal departments and agencies with core national security mandates are generally able to rely on their own legal frameworks to share information with other domestic institutions, and do not require the SCIDA to do so. Previous NSIRA reports have found that for many such institutions, disclosures made under the SCIDA comprise only a small portion of their domestic national security information sharing.
10.NSIRA understands the significance of the SCIDA in the overall national security framework, and is concerned with its robust application, in keeping with the provisions of the SCIDA, including its guiding principles, and with respect to the disclosure of personal information. What is more, NSIRA has the ability to review all disclosures across the Government of Canada, and through this broad lens, can identify common themes and trends. This perspective, not available to individual federal departments, enables NSIRA to make findings and recommendations that can strengthen overall information disclosure within the national security framework.
Focus of this Review
11.In determining the focus of this review, NSIRA considered the concerns raised in its review conducted the year prior. In the review of disclosures made under the SCIDA in 2020, which NSIRA undertook jointly with the Office of the Privacy Commissioner (OPC), the review found that the majority of federal department disclosures – approximately 99 per cent – met the threshold requirements that permit information to be disclosed under the SCIDA. In other words, the disclosing institutions sufficiently demonstrated that they had satisfied themselves, prior to providing the disclosures, that the information to be disclosed would contribute to the exercise of the recipient’s jurisdiction or responsibilities respecting activities that undermine the security of Canada, and that it would not affect any person’s privacy interest more than reasonably necessary in the circumstances.
12.The few disclosures that raised concerns, however, were those that had been provided to the recipient institutions on a proactive basis. As such, NSIRA chose to focus on this category for its 2021 review of disclosures under the SCIDA. In 2021, the majority of proactive disclosures came from Global Affairs Canada (GAC). NSIRA therefore chose to focus on GAC’s proactive disclosures in 2021, as a representative sample.
13.In addition to reviewing these disclosures from the perspective of the SCIDA’s prerequisite thresholds, this review also assessed other important requirements under the SCIDA that help to ensure responsible disclosures of national security information. These include the need for disclosures to be accompanied by statements that attest to the accuracy and reliability of the information being disclosed, as well as the obligation on all disclosing institutions to prepare and keep records that set out a description of the information that was relied on to satisfy themselves that the disclosure was authorized under the SCIDA.
14.Although the review sample focused on GAC proactive disclosures, many findings and recommendations are general and illustrative and, in many instances, may be useful to all institutions when disclosing under the SCIDA.
Review Objectives
15.The objectives of this review were to assess proactive disclosures of information under the SCIDA.
16.Specifically, the review assessed whether GAC:
a) Satisfied itself, prior to disclosing any information, that the disclosure would contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA;
b) Satisfied itself, prior to disclosing any information, that the disclosure would not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA;
c) Described, at the time of the disclosure, the accuracy of the information disclosed and the reliability of the manner in which it was obtained, as required under subsection 5(2) of the SCIDA; and
d) Kept records that included a description of the information that was relied on to satisfy itself that the disclosure was authorized under the SCIDA, as required under paragraph 9(1)(e) of the SCIDA.
Methodology
17.NSIRA received 195 disclosures of information from federal departments that reported either disclosing or receiving information under the SCIDA between January 1, 2021 and December 31, 2021. NSIRA conducted a preliminary review of all disclosures received.
18.NSIRA focused this year’s review on GAC proactive disclosures only. GAC identified 16 proactive disclosures out of a total of 44 disclosures under the SCIDA in 2021. However, in reviewing the material provided by GAC, NSIRA noted that three of these files were in fact requests for information from another department, and not disclosures of information under the SCIDA. As such, NSIRA removed these three files from the review sample, and only analyzed the remaining 13 disclosures identified by GAC as proactive disclosures.
19.NSIRA sent five follow up requests for information to GAC regarding its disclosures, and assessed all records provided.
3. Analysis
20. In conducting this review, NSIRA observed positive components of disclosures that it endeavours to highlight in this report. Proactive disclosures are an important feature of the SCIDA regime, and the following findings and recommendations aim to enhance compliance with the SCIDA.
Thresholds for disclosing information to federal institutions under the SCIDA
a) Jurisdiction or responsibilities in respect of activities that undermine the security of Canada
21. Paragraph 5(1)(a) of the SCIDA requires departments to satisfy themselves that disclosures “will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada.”
22. The definition of “activity that undermines the security of Canada” is set out at subsection 2(1) of the SCIDA and includes, for example, espionage and terrorism. Certain activities are excluded from this definition, notably advocacy and protest not carried out in conjunction with an activity that undermines the security of Canada.
23. In conducting this review, NSIRA examined each disclosure in the sample and its corresponding documentation to assess whether GAC had satisfied itself, prior to making the disclosure, that the information to be disclosed would contribute to the recipient department’s jurisdiction in respect of activities that undermine the security of Canada, as defined in the SCIDA.
24. In 12 of the 13 disclosures reviewed, GAC sufficiently demonstrated that it had satisfied itself as to these requirements. Furthermore, in all of these 12 disclosures, GAC documented that it had considered not only whether the recipient had the appropriate jurisdiction, but also how the information would contribute to that jurisdiction in respect of an activity that undermines the security of Canada as defined in the SCIDA. For example, see text box 1. The information in the disclosure file supports the text of this statement.
Text box 1: Example of statement in disclosure demonstrating GAC satisfied itself as to the requirements under 5(1)(a) of the SCIDA
GAC’s disclosure will contribute to the carrying out of CSIS’ responsibilities under section 12 of the CSIS Act, which require CSIS to investigate activities that may on reasonable grounds be suspected of constituting threats to the security of Canada. Section 2.a of the CSIS Act defines threats to the security of Canada as encompassing threats or acts of “espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage.” CSIS collects, analyzes and retains information and intelligence on these threats to the extent that it is strictly necessary to do so, and reports to and advises the Government of Canada. In the circumstances, GAC’s disclosure will contribute to CSIS’ responsibility under section 12 of the CSIS Act to investigate and report on threats to the security of Canada as defined in section 2.a of the CSIS Act. Specifically, the disclosure will contribute to an assessment of a potential espionage threat [against Canadian interests abroad].
25.However, NSIRA observed that in one of those twelve disclosures, GAC consulted on more information than necessary to determine whether the disclosure was authorized under the SCIDA. This disclosure is described below.
Disclosure 1
26.A foreign country provided information about an individual with ties to Canada, to GAC headquarters, and requested that GAC forward the information to appropriate authorities. GAC then met with CSIS and showed them the information in their holdings, in order to clarify whether the information contributed to CSIS’s national security mandate. CSIS reviewed the information and confirmed that the information was of value to their investigation. CSIS did not report any of the information in its holdings.
27.Following that consultation, GAC concluded that a number of the documents did not pertain to an activity that undermines the security of Canada, as they contained “significant amounts of personal information unrelated to [the subject of the investigation] and reflecting acts considered lawful in Canada, such as freedom of speech (with no stated intent to engage in acts of violence) and freedom of peaceful assembly.” As such, GAC subsequently formally disclosed to CSIS only a fraction of the previously consulted documents. With respect to this formal disclosure, GAC demonstrated that it satisfied itself as to the requirements under paragraph 5(1)(a) of the SCIDA.
28. GAC indicated to NSIRA that the Public Safety guide on responsible information-sharing (PS Guide) is its primary policy guidance on the SCIDA. NSIRA notes that the PS Guide encourages government institutions to “communicate with the designated recipient institution prior to disclosure to determine not only whether the information is linked to activities that undermine the security of Canada but also how it contributed to that institution’s national security mandate.” This should not be interpreted as providing authorization to consult on more information than necessary, given the possibility that information outside the scope of a SCIDA disclosure may be included.
29. During its consultation with CSIS, GAC consulted on information that it later assessed as not concerning an activity that undermines the security of Canada as defined in the SCIDA and which was later removed from the formal disclosure under the SCIDA. The consultation involved showing GAC’s full information holdings to CSIS, which was more information than necessary to obtain confirmation from CSIS that the information was of value. Information used in consultations should be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to the carrying-out of its mandate and is linked to activities that undermine the security of Canada.
30. Furthermore, despite twelve out of thirteen disclosures meeting the requirements of paragraph 5(1)(a) of the SCIDA, one disclosure did not. NSIRA addresses this disclosure below.
Disclosure 2
31. An individual overseas, on their own initiative, identified themselves as a member of that country’s government and provided information to an official at a Canadian embassy about an alleged threat. GAC disclosed this information along with personal information, including the individual’s contact information, to the Canadian Security Intelligence Service (CSIS), invoking the SCIDA as an authority to make the disclosure. However, GAC did not consider whether this disclosure met the two threshold requirements under paragraphs 5(1)(a) and 5(1)(b) of the SCIDA, prior to disclosing this information in its entirety. During the course of this review, GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and it was authorized under another authority for disclosing information in such circumstances, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances. Nonetheless this example demonstrates a) that there is potential for confusion on whether the SCIDA is the appropriate mechanism for certain disclosures of national security-related information, and b) that such confusion, in this case, led to the improper use of the SCIDA to disclose.
Finding no. 1: NSIRA finds that, in twelve out of thirteen disclosures, GAC demonstrated that it satisfied itself as to the contribution of the information to the recipient institution’s responsibilities in respect of activities that undermine the security of Canada, as required under paragraph 5(1)(a) of the SCIDA.
Finding no. 2: NSIRA finds that, without first conducting the analysis under paragraph 5(1)(a) of the SCIDA, departments risk disclosing information that does not pertain to the national security mandate of the recipient institution or to activities that undermine the security of Canada.
Finding no. 3: NSIRA finds that, in one of thirteen disclosures, GAC consulted on more information than necessary to obtain confirmation that the disclosure contributed to CSIS’s mandate and was linked to activities that undermine the security of Canada.
Recommendation no. 1: NSIRA recommends that consultations be limited to the information necessary to obtain confirmation from the potential recipient that the information contributes to its mandate and is linked to activities that undermine the security of Canada.
b) Privacy interest not impacted more than reasonably necessary in the circumstances
32. Paragraph 5(1)(b) of the SCIDA requires that disclosing institutions be satisfied that the disclosure will not affect any person’s privacy interests more than reasonably necessary in the circumstances.
33. All thirteen proactive disclosures included personal information as defined in the Privacy Act, that is, identifiable information about an individual, such as name, contact information, background information, or suspicions concerning the individual.
34. The PS Guide provides direction on the type of analysis required prior to disclosing personal information. More specifically, the PS Guide states “whether the information impacting a person’s privacy interest is considered ‘reasonably necessary’ will depend upon the particular circumstances of each case. Relevant considerations may include contextual factors, such as the type and nature of the information in question and the particular purpose for the disclosure.”
35. In response to NSIRA requests for further information, GAC explained how it satisfied itself that these proactive disclosures did not affect any person’s privacy interest more than reasonably necessary in the circumstances.
36. For example, GAC explained that in eight of the thirteen disclosures, GAC determined that some of the information it was considering disclosing was not within the scope of the recipient institution’s mandate. In the same disclosures, GAC also stated that it determined that some of the information in its holdings did not contribute to the institution’s investigation or fall within the recipient institution’s original request for information. For example, in one disclosure, only an individual’s travel status abroad was shared with CSIS as this pertained to the latter’s responsibilities in a national security matter. Other information in GAC’s holdings, such as information concerning other individuals, was determined by GAC not to be relevant, and therefore was not included in the disclosure.
37. Similarly, GAC explained that in two of the thirteen disclosures, GAC determined that some information was necessary to report to the recipient department, and therefore included in the disclosure. More detailed information not linked to activities that undermine the safety of Canada was not disclosed. For example, in one of the two disclosures, only information about suspected espionage activity was disclosed to CSIS, while detailed information about certain personal activities and behaviours was withheld.
38. NSIRA observed that of the 13 disclosures in the sample, three disclosures did not meet the requirements under paragraph 5(1)(b) of the SCIDA.
39. In Disclosure 2, described above, GAC disclosed information that was received from an individual who, on their own initiative, provided information to an official at a Canadian embassy overseas. GAC did not conduct any analysis under the SCIDA including whether the disclosure would affect privacy interests more than reasonably necessary in the circumstances, and proceeded with disclosing the entirety of the information to CSIS. GAC explained to NSIRA that the disclosure was erroneously made under the SCIDA, and was authorized under another authority for disclosing information, that is the Privacy Act or the Crown Prerogative. NSIRA did not assess whether these mechanisms would have been appropriate in the circumstances.
Disclosures 3 and 4
40. A Canadian embassy abroad received screen shots of a private social media group. The screenshots included information about a political movement in a foreign country. They also contained the contact information of all members of the group. While the group shared posters about the movement and information concerning protests in Canada, there were no threats, whether specific or general, in the material. However, based on some information in the screenshots, as well as the broader context of protests, past events, and open source media, GAC determined that the information contributed to the exercise of the Royal Canadian Mounted Police (RCMP)’s and CSIS’s jurisdiction, or the carrying out of their responsibilities, in respect of activities that undermine the security of Canada.
41. GAC disclosed the entirety of the information to both the RCMP and CSIS. The only information redacted was the name and contact information of the individual who provided the information to GAC.
42. GAC explained to NSIRA that it concluded that paragraph 5(1)(b) of the SCIDA was met because it did not identify a reasonable expectation of privacy in the content of the private social media group. NSIRA observes that GAC did not consider all of the relevant factors that would allow it to satisfy itself that the disclosure would not affect any person’s privacy interest more than is reasonably necessary in the circumstances. As such, the disclosure of information did not meet the second threshold requirement under subsection 5(1) of the SCIDA. Therefore, the disclosure of personal information of the group members did not comply with the requirements of the SCIDA.
Finding no. 4: NSIRA finds that, in ten out of thirteen disclosures, GAC satisfied itself that the disclosure will not affect any person’s privacy interest more than reasonably necessary in the circumstances, as required under paragraph 5(1)(b) of the SCIDA.
Accuracy and Reliability Statements
43. The Arar Report noted that “sharing unreliable or inaccurate information does not provide a sound foundation for identifying and thwarting real and dangerous threats to national security and can cause irreparable harm to individuals.”
44. A core theme in the SCIDA’s guiding principles is that of effective and responsible disclosure of information. Disclosing institutions are required, under subsection 5(2) of SCIDA, to provide information at the time of disclosure regarding the accuracy of the information disclosed and the reliability of the manner in which it was obtained.
45. Given the valuable context that accuracy and reliability statements provide to disclosures, precise and complete statements tailored to the specific circumstances of the disclosure can help avoid false perceptions, and can help ensure that recipient institutions have a clear understanding as to the accuracy and reliability of the information disclosed.
46. GAC relied on the PS Guide as its primary policy guidance document on the SCIDA. The PS Guide sets out that ensuring that the information disclosed is as accurate, complete, and as upto-date as possible is key to responsible and effective information sharing.
47. GAC informed NSIRA that partner agencies can better verify the accuracy of the information and the reliability of its source than GAC. NSIRA agrees that in some instances, GAC has limited capability for verification. Nonetheless, the SCIDA requires accuracy and reliability statements in every disclosure; accuracy and reliability statements must be clear and contextspecific in order to be meaningful.
48. In an example of a well-developed statement, GAC provided the following: The information disclosed by GAC was obtained through interactions between GAC officials with [known and credible source X and another individual]. GAC is not in a position to assess the accuracy and reliability of the above information provided to GAC officials by [these individuals]. GAC assesses that [source X] is highly credible, and is likely providing reliable information. In this case, the statement made a distinction between the accuracy and reliability of the information disclosed, depending on the source of that information. The disclosure sets out which information was provided by which source.
49. Overall, eleven of the thirteen disclosures contained accuracy and reliability statements. Two disclosures did not include the statement as the SCIDA requires. These omissions were not tied to GAC’s inability to verify the accuracy and reliability of the information.
Finding no. 5: NSIRA finds that two out of thirteen disclosures did not contain accuracy and reliability statements as required by subsection 5(2) of the SCIDA.
Recommendation no. 2: NSIRA recommends that in order to provide the most valuable and meaningful context for the recipient institution, accuracy and reliability statements should be clear and specific to the circumstances of the disclosure.
Record-keeping
50. Paragraph 9(1)(e) of the SCIDA requires that disclosing institutions prepare a description of the information that they relied on to satisfy themselves that the disclosure was authorized under the SCIDA, including that the disclosure did not affect privacy interests more than reasonably necessary, as part of their record-keeping obligations under the SCIDA.
51. It is noted that the PS Guide sets out the steps to making a disclosure, which include creating a record describing the information that was relied on to satisfy the disclosing institution that the disclosure was authorized under the SCIDA. Furthermore, the PS Guide’s Appendix A: Record-keeping Template for Institutions Disclosing Information under the SCIDA, which is intended to help departments meet record-keeping obligations for disclosing institutions under the SCIDA, contains a field for departments to describe that information. It also restates the requirements under paragraphs 5(1)(a) and (b) of the SCIDA that the disclosing institution be satisfied that the disclosure will contribute to the recipient institution’s national security mandate, and will not affect any person’s privacy interest more than reasonably necessary in the circumstances.
52. The SCIDA 2020 Review observed that GAC’s records describing the information it used to satisfy itself that certain responsive disclosures to CSIS, were robust. The basis for this observation was that GAC’s records contained information provided by CSIS to aid in GAC’s assessment, including details of the potential impact on the subject(s) of the request.
53. During the course of this year’s review, NSIRA requested that GAC provide a description of how it satisfied itself that the disclosure was authorized under both threshold requirements under the SCIDA. NSIRA also requested that GAC provide all supporting documents GAC relied on in its assessment. GAC provided explanations in response to NSIRA’s queries in this regard, referencing supporting documents. Based on a review of the records provided, NSIRA observes that GAC’s practices could be improved by contemporaneously and expressly articulating which information it relied on to satisfy itself that the disclosures would not impact any person’s privacy interest more than reasonably necessary in the circumstances.
Recommendation no. 3: NSIRA recommends that all disclosing departments contemporaneously prepare descriptions of the information that was relied on to satisfy themselves that disclosures were authorized under the SCIDA.
Training on the SCIDA
54. GAC used four distinct PowerPoint documents in 2021 to train employees on the SCIDA.
55. A course entitled Governance, Access, Espionage and Technical Security (GATE) was accessible to all employees going on postings as an introductory course focused on the awareness of information security at GAC. This presentation did not include practical examples or scenarios, but explained that any information sharing under the SCIDA must be done through GAC Headquarters.
56. Furthermore, a presentation provided by the Director General of the Intelligence Bureau to the majority of Heads of Mission going on postings, as an introductory course on intelligence support and security, did not provide illustrative examples or scenarios, but set out that information sharing under the SCIDA must be done through Headquarters.
57. Finally, the Department of Justice legal team provided two presentations: one to Global Security Reporting Program Officers going on postings as an introduction to information sharing policies and practices, including several slides on the SCIDA, and the other to groups of employees at Headquarters as an introduction to information sharing policies and practices. NSIRA noted that each presentation included only one or two examples illustrating the considerations in making a disclosure under the SCIDA.
58. Three of the four presentations also included a range of information about record-keeping requirements. However, the information in the presentations was largely limited to reiterating the requirements under the SCIDA, and no practical examples or scenarios were provided. Similarly, while these presentations reiterated requirements under the SCIDA to include accuracy and reliability statements, no practical examples were provided.
Finding no. 6: NSIRA finds that GAC training on the SCIDA lacks sufficient illustrative examples required to provide employees with adequate guidance to fulfill their obligations under the SCIDA.
Recommendation no. 4: NSIRA recommends that additional illustrative examples and scenarios be included in the SCIDA training, including for disclosure threshold requirements, accuracy and reliability statements and record-keeping requirements.
4. Responsiveness and provision of information
59. All departments met the timelines for the provision of information to NSIRA.
60. Subsections 9(1) and 9(2) of the SCIDA contain record-keeping obligations for disclosing and recipient institutions. Subsection 9(3) of the SCIDA requires all departments to provide every record prepared under those subsections to NSIRA, for the purpose of NSIRA’s annual review of disclosures under SCIDA. Not only is thorough record-keeping a legal requirement for disclosing and recipient institutions, it is not possible for NSIRA to fulfill its mandated annual review without all records from all departments.
61. This review focussed on GAC proactive disclosures. NSIRA conducted a cross-comparison of the number of disclosures reported by GAC and those received by recipient institutions and notes that the numbers align. NSIRA did not independently verify the completeness of the records provided by GAC. Nonetheless, the assessment under the SCIDA requires GAC to demonstrate compliance. Additional requests for information over the course of the review led NSIRA to conclude that it received all information necessary to conduct the review. Finally, GAC had the opportunity to review a preliminary draft of this report and provide additional information. For these reasons, NSIRA is confident that it received all information necessary to conduct the review.
5. Conclusion
62. The SCIDA is a legislative tool meant to encourage and facilitate the responsible and effective disclosure of national security-related information between federal government institutions. Of the thirteen disclosures in the review sample, three did not meet one or both disclosure threshold requirements and two did not contain accuracy and reliability statements. Prior to consulting on potential disclosures, departments should consider what information is necessary to include in the consultation. Departments should also contemporaneously document on what basis they were satisfied that disclosures were authorized under the SCIDA. Furthermore, improvements to ongoing training are recommended, to provide more illustrative examples to guide employees in fulfilling their obligations under the SCIDA. NSIRA looks forward to revisiting the implementation of the SCIDA in future years and expects to find improved compliance, recordkeeping, and delivery of training programs.
Our team is working on an HTML version of this content to enhance usability and compatibility across devices. We aim to make it available in the near future. Thank you for your patience!
The Avoiding Complicity in Mistreatment by Foreign Entities Act (Avoiding Complicity Act or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, September 4, 2019, to the end of the previous calendar year, December 31, 2019. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Act.
While this was the inaugural annual review under the NSIRA Act, it builds upon previous work in this area undertaken by NSIRA and its predecessor SIRC. NSIRA’s review on the 2017 Ministerial Direction on information sharing with Foreign Entities is an example. The results from this previous review were sent to applicable departments in July 2020. NSIRA is building upon this previous review and strongly supports the findings and recommendations within it. As of the date of this report, departmental responses have not been received regarding the recommendations provided in NSIRA’s July 2020 Ministerial Direction review.
(U) It was essential to ensure that both NSIRA and the departments being reviewed met their obligations under the Avoiding Complicity Act and the NSIRA Act. The approach used to gather information during a global pandemic was purposely designed for this first and unique review period.
To capture a complete view on the departmental implementation, NSIRA requested information that related directly to every department’s specific obligations under the Act and the directions. The responses and associated information captured departmental activities related to the Act during the review period, and what procedures, policies, tools, etc. (frameworks) were leveraged to support these activities. NSIRA believes that having a robust framework is an essential part of an effective implementation of the directions departments have received.
Beyond the specific requirements of implementation, the information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken since the review period to build and formalize their frameworks. This information and knowledge will help set up the foundation for future reviews and assist efforts on creating consistent implementation across departments. While many of the issues discussed in this report go beyond the specific requirements of the directions, their consideration is critical to the overall improvement of the implementation process and how departments ultimately support the Act. No case studies were undertaken for this review. However, the information gathered has helped establish a baseline for overarching issues the community is facing. Building on this, future reviews will begin to examine specific sharing framework challenges and questions and look closely at specific cases and departmental legal opinions to guide review findings.
While NSIRA was pleased with the considerable efforts made by many departments new to the Avoiding Complicity Act in building up their supporting frameworks, it was clear during this review that departments are employing very different approaches to guide their information handling activities. The responses received demonstrate various inconsistencies across the departments. Having a consistent and coordinated approach when addressing the concerns related the Act is not a requirement for implementation, however, NSIRA believes that there is value in such an approach. And while departments will always require unique aspects in their sharing frameworks to address the unique characteristics of their mandates and activities, to improve the implementation process, a goal all involved likely have, the identification and sharing of best practices is critical.
For example, determining the best means for having a unified approach when engaging with foreign entities of concern or ensuring that an information sharing activity is consistently evaluated for risk by all departments. The recommendations provided on these issues in this review capture what NSIRA believes to be important concerns and considerations for supporting and improving departmental implementation.
Additionally, as the directives received under the Act do not describe the specific means by which departments ‘implement’ them, it is incumbent on the community to ensure that they have sufficiently robust frameworks and programs in place to fully support an assertion of implementation. Therefore, the information gathered during this review went beyond a strict assessment of implementation, but also considered the aspects required to better support this implementation. Going forward, this approach will help establish the foundation for subsequent reviews. Drawing on the findings and concerns identified here, NSIRA will continue to consider aspects that will ultimately improve underlying frameworks, thereby supporting an improved implementation of the Act across the community.
Authorities
This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity Act.
Introduction
Focus of the Act
In the same spirit as the Ministerial Direction (MD) that preceded it, the Avoiding Complicity Act and its associated directions seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department and a foreign entity. The Act also aims to limit the use of information received from a foreign entity that may have been obtained through the mistreatment of an individual. While the previous MD guided the activities of a selection of Canada’s security and intelligence departments, the Act broadened this scope to capture all departments whose interactions with foreign entities included information exchanges where such a concern may apply.
The focus of the Act is to ensure departments take the necessary steps during their information sharing activities to avoid contributing in any way to the mistreatment of an individual. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. There is an expectation that each department will satisfy these requirements by leveraging departmentally established mechanisms and procedures, or frameworks that will allow each department to confidently demonstrate how it has responded to its responsibilities under the Act.
During the first year that the Act was in force, written directions using nearly identical language were sent to the Deputy Heads of 12 departments. In regard to disclosure, the directions read as follows: “If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”
With respect to requesting information, the directions state: “If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.”
Lastly, as it relates to the use of information, the directions indicate: “The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department
(a) in any way that creates a substantial risk of further mistreatment;
(b) as evidence in any judicial, administrative or other proceeding; or (c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.”
At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated or not. This determination is done on a case-by-case basis. Each department is responsible for making these determinations as it applies to its activities. Following the outcome of a department’s determination of these important questions, cases may be approved, denied, or elevated to the Deputy Head for consideration. For the latter cases, this then results in additional reporting requirements for the Deputy Head. Throughout this process, there is also a requirement to ensure the accuracy, reliability, and limitations of use of all information being handled.
Review Objectives
After the Avoiding Complicity Act came into force in July 2019, the Governor in Council’s written directions were sent to each applicable department in September 2019. The period for this year’s review is September 4, 2019 to December 31, 2019. The short timeframe (approximately 4 months) associated with this year’s review means that departments are being assessed, in large part, on what they would already have had in place to address risks of mistreatment associated with information sharing, or what they were able to implement in a four-month window. NSIRA is cognizant that for the departments that were not previously subject to the 2017 MD on Avoiding Complicity in Mistreatment by Foreign Entities, the timeframe to implement the written directions was somewhat limited, as it would have been challenging to create and operationalize new procedures such that they would be reflected in the department’s activities during the period being reviewed.
While it was essential to ensure that both NSIRA and the departments being reviewed met their obligations, these challenges were kept in mind when evaluating the objectives for this first review. Given these considerations, the objectives of this year’s review were to determine whether:
departments had fully implemented the directions received under the Act in conformity with the obligations set out therein;
departments had established and operationalized frameworks that sufficiently enabled them to meet the obligations set out in the Act and directions; and,
there was consistency in implementation across applicable departments.
Methodology and assessment focus
To capture a complete view of the departmental implementation of the Act, NSIRA constructed a series of questions related directly to every department’s obligations under the Act and the directions. The responses and associated information captured what specific activities took place during the review period and what departmental frameworks were leveraged to adequately support these activities.
The information provided by the departments also helped to identify gaps, considerations for best practices, and the work departments have undertaken to build and formalize their frameworks to meet their obligations under the Act and directions. The information provided and the knowledge gained will help set up the foundation for future reviews and help create consistent implementation across departments.
The method used to gather information during a global pandemic was designed for this first and unique review period. We believe it allowed departments to quickly and efficiently indicate both whether the directions had been implemented, and what frameworks, processes, and policies had been leveraged or put in place.
Responses to many of the RFI questions were simply yes/no answers. Often, answers were dependent on what information handling activities took place with foreign entities by the department during the review period. As such, a number of questions could be returned with ‘not applicable’, and this was an acceptable response. Many of the questions were related to specific and easily defined requirements under the Act and its associated directions, e.g. ‘was a report submitted to the Minister?’ or ‘Did the Deputy Minister inform the applicable bodies of all their decision made under the act?’.
Other questions were designed to capture the details of the underlying processes that supported a department’s implementation, i.e. a department may indicate that they ensured no substantial risk of mistreatment was present in any of their information sharing activities, but how did they support this claim? Likewise, for an assertion that a possible substantial risk of mistreatment had been mitigated, what was in place that allowed a department to make this assertion? Therefore, this series of questions required sufficiently detailed responses to fully capture what a department had in place that allowed it to confidently state that it has met its implementation obligations under the Act and the issued directions.
Finally, a portion of the questions was intended to capture the level of uniformity in implementation across departments. This includes such things as country/entity assessments, triage practices, and record keeping. Much of this information will also help with recommendations going forward. This multi-faceted approach resulted in three main areas being evaluated to assess implementation for this review period and help set the groundwork for future reviews.
Departments have clear and comprehensive frameworks, policies, and guidelines such that they can demonstrate how they have fully implemented the directions under the Act.
All reporting requirements associated with both the Act and its applicable directions have been met.
Differences or gaps associate with areas such as country/entities assessments, record keeping, case triage, etc., such that consistent implementation across departments would be challenging.
Summary of the results table
The table in Annex A captures a summary of both the departmental responses to the implementation questions and NSIRA’s assessment regarding these responses. The assessment was based on the associated details provided by departments in the context of the specific information requested. As explained above, many of the responses were returned as not applicable (n/a). Since many implementation requirements are connected to specific activities, the absence of such activities would mean that the requirement does not come into play. The best example of this for the current review is the absence of any Deputy Minister level determinations. All 12 departments indicated that they did not have any cases referred to the Deputy Minister level for determination. All additional reporting requirements associated with this level of decision were not applicable and thus considered satisfied.
If a specific requirement was not met, it was flagged. The relatively few instances of this were connected with departments not meeting certain reporting obligations under the Act. In all cases, the department involved pre-identified these missing requirements and indicated that efforts were underway to address them.
The concerns and findings captured in the table (and others) are discussed subsequently. A concern was flagged in two situations: where there was an uncertainty associated with a department’s ability to support their implementation requirements; and cross-cutting issues related to general aspects of all of the frameworks described, both of which led to the findings and recommendations proposed.
Findings and Recommendations
Realities of Implementation for 2019
A challenge for departments for this first review was associated with one of the assessment items listed above, i.e. whether they had established frameworks to demonstrate how they supported the implementation of the directions they received.
With the Avoiding Complicity Act coming into force in July 2019, it was not feasible that departments would create and stand-up new frameworks for information exchanges in time for the period being reviewed. Although the Act did specify several Deputy Heads that were to receive directions, it only included those who received the previous 2017 MD. The remaining new departments received their directions in September 2019. Regardless of this two-month difference, each department would have been required to rely on, to some extent, existing procedures when handling information sharing with foreign entities during the review period.
This put the departments that had previously formalized policies and processes at an advantage when implementing the directions. For those departments who were not subject to the previous 2017 MD on information sharing, NSIRA considered how they leveraged and adjusted what was already in place to respond to their new responsibilities under the Act. What we then expected to see, for all departments, was what subsequent steps were taken during the review period and afterwards, to either adjust or create frameworks to better meet implementation requirements going forward. NSIRA noted that in response to questions on frameworks for handling information and mitigating risk, several of the departments new to the considerations of the Act provided extensive detail on their efforts and progress on building out their frameworks to support the directives. References to having these frameworks formalized over the subsequent year were also encouraging.
Finding no. 1: NSIRA found that several departments, new to the considerations of the Act, described considerable progress being made during the review period and afterwards to build out formalized frameworks to support implementation.
Importance of establishing operational framework
As discussed, having fully established operational frameworks in place for this review period may not have been feasible for the departments that did not previously have processes to support their activities. This, however, did not exempt a department from the requirements of implementation. Each department was still expected to leverage what it currently had in place to properly address the concerns associated with the Avoiding Complicity Act. Furthermore, there was a logical follow-on expectation that departments would take subsequent steps to build out formal frameworks to address any perceived gaps to support the implementation of the Act going forward if necessary.
After reviewing the responses received, NSIRA is concerned that departments with minimal information sharing activities taking place during their operations have yet to address the necessity of having a robust framework in place, regardless of how often that framework is leveraged. For example, although PS and TC may primarily act as facilitators or coordinators for information exchanges on specific programs, they are still interacting with foreign entities, and therefore are required to fully assess their interactions with a foreign entity in this regard.
If a department without a formal framework assesses that it has few or no cases associated with the Act, then it may believe it is adequately positioned to address any sharing concerns should they arise. This, however, is not the case. Even single instances of information exchange in which the concerns of the Act may apply require a framework to support it properly. In many cases, it will be the framework itself that properly identifies whether a sharing activity raises concerns under the Act. If there is no formal process in place, then this identification becomes problematic. Simply saying that there are no cases or activities associated with the Act is not sufficient. That determination can only be made after a sharing activity is scrutinized through the lens of a robust framework. Going forward, all departments who receive directions should demonstrate a formal framework that ensures all information sharing activities are adequately evaluated against the considerations of the Act.
Finding no. 2: NSIRA found that departments conducting minimal information exchanges with foreign entities have not yet fully addressed the importance of having an official information sharing framework in place.
Recommendation no. 1: NSIRA recommends that all departments in receipt of directions under the Act have an official framework that ensures they can fully support their implementation of the directions.
Community coordination and best practices
While departmental coordination and the sharing of best practices are not a requirement of the Avoiding Complicity Act or the directions, NSIRA considered such an approach’s value. What became clear during this first review was that every department employs a very different framework to guide their information sharing activities with foreign entities. This is to be expected to some extent, given the different mandates, sharing requirements, and areas of focus associated with each department. However, these differences are also a reflection of the independent, internal development that has taken place for the different frameworks being used. While the departments receiving directions under the Act do interact on this subject to some extent, to date, based on the responses provided, it appears that the majority of the work done by the departments to build supporting frameworks to address their responsibilities associated with the Act have been done so independently. There was little to no overlap with how departments described the various aspects of their frameworks, even amongst the departments subject to the earlier MD on this issue.
There would be value in departments collectively identifying the key aspects common or required in all information exchanges with foreign entities and then working together to craft best practices, irrespective of what a department currently has in place. This process should draw on all available resources to make this determination. Each department can then turn to their existing frameworks to consider where and how they can be adjusted to match this community-agreed upon ideal. This is not to say that aspects of what a department already has in place in their framework will not ultimately be seen as the best practice. Several departments do have robust sharing frameworks in place, and these will contribute significantly to this exercise. However, arriving at this determination independently will provide an additional level of confidence.
Department-specific challenges, of course, cannot be ignored. In fact, they will weigh in strongly on such a conversation. Departments share information under their mandates for various reasons, and this will mean that coordination on certain aspects of a sharing framework may not be possible. However, this needs to be evaluated. It is important that what already exists, or what is hard change, does not unduly influence what may be best. This approach will create uniformity (where possible) across the community and provide a starting point for ‘must haves’ for each department to evaluate their existing processes against.
The Public Safety Information Sharing Coordination Group (ISCG) was established to support departments on information sharing. As such, it is in an ideal position to help mitigate issues arising from the lack of coordination. Leading such efforts would build on the work already being done by this group. During recent discussions with NSIRA, the ISCG indicated that the tracking of lessons learned and the sharing of best practices was not yet routine. Going forward, there would be value in a more coordinated effort when departments are updating/changing their framework. Ensuring that this coordination takes place will require support and leadership by senior-level officials. This will help in sharing best practices once identified, and establish more consistent approaches across departments.
Finding no. 3: NSIRA found that the differences and variability in departmental frameworks demonstrate a previous lack of coordination across the community and a need to identify best practices.
Recommendation no. 2: NSIRA recommends that departments coordinate to identify best practices for all essential components of information sharing frameworks and that the ISCG is leveraged to ensure these practices are shared where possible across the community to support the implementation of the Act.
Framework application inconsistency
A series of questions in this review was related to aspects of consistency in how departments apply their frameworks. From this series, a comparison was made on how many times an information sharing/use event triggered an evaluation of any kind against the considerations of the Avoiding Complicity Act, versus how many of these triaged cases were elevated or referred up for decision. The results helped gauge two important aspects of a framework: One, the threshold requirements, i.e. how often a sharing activity triggers an evaluation of any kind; and two, the decision making power given to the operators who are initially handling these activities.
The feedback and the responses received demonstrate potential inconsistencies in both aspects across departments. For example, several departments indicated zero cases as being triaged/evaluated under the concerns of the Act during the review period, yet also specified that they are involved in regular information sharing or, specified that no information received from foreign entities was derived from mistreatment. These responses appear to be inconsistent as it would be problematic to participate in information sharing or to make such mistreatment determinations without the activity being evaluated on some level.
Other departments indicated a larger number of cases as initial triaged/evaluated, but also indicated that none of them were elevated in their decision making process for higher-level decisions. This would seem to suggest that all determinations were being made at the operational level. Such a result puts significant weight on the operator and the initial assessment tools they are leveraging if they are making all determinations independently. This reinforces the importance of a robust framework to help make these determinations, as previously indicated in Finding no. 2. As a result of these differences, potential challenges arise on accurately assessing the volume of cases being handled by departments, the tracking of those cases deemed to present a substantial risk, those which can be mitigated for, and those where the risk was not found to be substantial or even present.
These responses may result from how each department defines a ‘case’ or how it records a case, or they may be a result of differences in how a department’s decision-making process is leveraged. NSIRA’s concern is that these differences may indicate an inconsistency in application thresholds at different departments. As such, the following results were viewed as a potential issue based on the responses received:
if a department was involved in any kind for information exchange with a foreign entity during the review period, but did not indicate that any cases were formally triaged/evaluated; or
if there was a significant number of cases triaged, but none were elevated to a higher level for determination.
Such results do not necessarily indicate a problem as aspects of a framework may be able to account for this, however, looking further into how and why the department’s framework produced these outcomes is important. Future reviews will be able to do this. Consistent initial steps for information sharing activities, including triage/evaluation thresholds and documentation, are critical to the effective application of a framework, and ultimately to identifying best practices.
Finding no. 4: NSIRA found that there are inconsistencies in the application of existing sharing frameworks between departments, specifically concerning information evaluation thresholds, and decisions being elevated for senior level determinations,
Recommendation no. 3: NSIRA recommends that departments establish consistent thresholds for triggers in their information sharing frameworks, including initial evaluations against the concerns of the Act, when a case is to be elevated in the decision process, and how this is documented.
Country and entity assessments
A key recommendation of NSIRA’s previous review on information sharing related to the country/entity assessments being used by departments to inform their decision making process when sharing or using information with a foreign entity. While the use of country/entity assessments is not a required aspect of implementing the directions under the Act, NSIRA continues to support this tool as an important aspect of any sharing framework. In its previous review, NSIRA determined that having a firm grasp on the human rights situation, as well as any other pertinent information associated with a country/entity, was essential to making an informed decision on whether there should be concerns, caveats, or limitations when handling information with that country/entity. Moreover, having such information captured to ensure all departments consistently approach these countries/entities is critical. At the time of the previous review, the following recommendation was made:
a unified set of assessments of the human rights situations in foreign countries including as standardized ‘risk of mistreatment’ classification level for each country; and
to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.
It is important to note that there has been no formal response from departments on this previous recommendation as of the date of this report. Furthermore, during this report, two departments continue to raise concerns with NSIRA’s stance on this issue during the consultation process. While NSIRA continues to support this recommendation, as explained below, further discussions with departments on how to approach this matter may be warranted, specifically on the distinction between how this recommendation may apply to a foreign country/entity vs a specific foreign partner a department may be dealing with.
Based on the responses provided on this topic for the current review period, there is still inconsistency in this area. While almost all departments indicated that country/entity assessments were a standard part of their framework, the responses also indicate differences in which country assessments are used, how they are leveraged, and who is responsible for updating them. For example, several departments rely on their own in-house created assessments, while others leverage the assessments created by Global Affairs Canada and others. While departments who indicated that they are leveraging country/entity assessment tools in their process also indicated that these assessments captured human rights concerns, this has yet to be independently evaluated. NSIRA is concerned that these differences could result in different approaches/stances being taken by departments when dealing with the same foreign entity. While the country/entity assessments tools themselves are not necessarily in question, the fact that every department is not leveraging or does not have access to all useful or applicable information is.
NSIRA remains of the view that having a consistent stance on all countries and entities when implementing the requirements of the Act is important. Issues such as mistreatment and human rights should not be decided at a departmental level, but on a whole-of-government level. While mindful of classification levels, ensuring all departments have access to the same relevant information associated with a foreign country/entity is critical to making an informed decision. Due to the nature of their work, departments may be privy to unique information on a country/entity, some or all of which can be shared. This would lead to fully informed assessments that allow for a consistent approach when dealing with any country/entity. In addition to improving duplication of effort in this area by departments, NSIRA continues to see standardized country and entity assessments, which can be accessed and contributed to by all departments, as key to moving toward a more consistent and effective implementation of the Act across the community
Finding no. 5: NSIRA found a lack of unification and standardization in the country and entity assessments being leveraged by departments, resulting in inconsistencies in approach/stance by the community when interacting with Foreign Entities of concern related to the Act.
Recommendation no. 4: NSIRA recommends that departments identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach by departments when interacting with Foreign Entities of concern under the Act.
Conclusion
While aspects of implementation can be easily quantified and evaluated e.g. reporting requirements to a Minister, others, which support implementation are more difficult to measure, e.g.:
What does a sufficiently robust framework for assessing and mitigating risk when sharing with a foreign entity look like?
Does this depend on the specific requirements and activities of the department; or,
Are there steps that should always be involved when vetting a foreign entity under the considerations of the Act?
Measuring and weighing the answers to such questions is challenging. They are more nuanced, and can’t be as easily quantified. Regardless, they must be considered and addressed. Drawing on the considerations and concerns identified in this review will help departments to ask the questions that will improve their underlying frameworks with the following goals in mind:
To identify the essential/key elements that need to be a part of any framework for it to address the concerns associated with the Avoiding Complicity Act sufficiently; and,
To have all identified best practices implemented as consistently as possible across departments.
Future reviews will push towards these goals by seeking answers to those questions above. By looking more closely at specific case studies, departmental legal opinions, items of inconsistency, and the departmental frameworks that are already demonstrating best practices that should be shared. Ultimately the results of such efforts will contribute to improving the implementation of the Act across the community.
Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019: Backgrounder
Review Of Departmental Implementation Of The Avoiding Complicity In Mistreatment By Foreign Entities Act For 2019
Backgrounder
Backgrounder
In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The framework aimed to establish a coherent and consistent approach across government when sharing and receiving information with Foreign Entities. Following this, Ministerial Direction was issued to applicable departments in 2011 on Information Sharing with Foreign Entities, and then again in 2017 on Avoiding Complicity in Mistreatment by Foreign Entities.
On July 13, 2019, the Avoiding Complicity Act came into force. This Act codifies and enshrines Canada’s commitments in respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment.
On September 4, 2019, pursuant to section 3 of the Act, the Governor in Council (GiC) issued written directions to the Deputy Heads of the following 12 departments and agencies: Canada Border Services Agency (CBSA), Canada Revenue Agency (CRA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment (CSE), Department of Fisheries and Oceans Canada (DFO), Department of National Defence and Canadian Armed Forces (DND/CAF), Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Global Affairs Canada (GAC), Immigration, Refugees, and Citizenship Canada (IRCC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP) and Transport Canada (TC).
The GiC issued directions focused on three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.
Pursuant to section 7 of the Act, every Deputy Head having received direction must, before March 1 of each year, submit to the appropriate Minister a report regarding the implementation of those directions during the previous calendar year. Following this, every Deputy Head must, as soon as feasible after submitting the report, make a version of it available to the public.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
