Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information

Summary

Subsequent to the collection of foreign signals intelligence by the Communications Security Establishment (CSE), any incidentally collected Canadian identifying information (CII) is suppressed in CSE’s intelligence reporting to protect the privacy of Canadians and persons in Canada. However, the Government of Canada (GC) and foreign clients of such reports can request the details of this information if they have lawful authority and operational justification.

The National Security and Intelligence Review Agency (NSIRA) conducted a review of CSE’s disclosures of CII to GC clients. In reviewing disclosures containing 2,351 Canadian identifiers over a five-year period, NSIRA found that 28% of requests from all clients were not sufficiently justified to warrant the release of CII. Nevertheless, during the period under review, CSE approved 99% of these requests for CII from its domestic clients. Given this and other findings related to CSE’s internal practices, NSIRA found that CSE’s implementation of its CII disclosure regime may not be in compliance with the Privacy Act.

In addition, NSIRA found that CSE disclosed CII to Government of Canada clients as part of its technical and operational assistance to the Canadian Security Intelligence Service (CSIS), pursuant to section 16 of the CSIS Act, in a manner that was likely not communicated to the Federal Court by CSIS.

This report is a summary of the more detailed, classified report submitted to the Minister of National Defence on November 25, 2020.

Introduction

  1. The Communications Security Establishment (CSE) may incidentally acquire information about Canadians or persons in Canada in its collection of foreign signals intelligence (SIGINT). Canadian identifying information (CII) refers to any information that can identify an individual, ranging from names to email addresses and IP addresses. CII is suppressed in intelligence reports to protect the privacy of Canadians and persons in Canada. Government of Canada (GC) and foreign clients may subsequently request the details of this information if they have lawful authority and operational justification to collect it. This information sharing regime has been in place since the 2001 enactment of CSE’s powers under the National Defence Act, and has been previously reviewed by the Office of the CSE Commissioner (OCSEC).
  2. Following a review of CSE’s disclosures of CII, the National Security and Intelligence Review Agency (NSIRA) concluded that CSE’s implementation of its disclosure regime may not be in compliance with the Privacy Act. Therefore, pursuant to subsection 35(1) of the NSIRA Act, NSIRA submitted a compliance report to the Minister of National Defence on November 25, 2020.
  3. CSE’s disclosure regime, in place for nearly two decades, is one of the most important national security information sharing structures in the federal government, surpassing the volume of disclosures processed through the information sharing mechanism under the Security of Canada Information Disclosure Act (SCIDA). Unlike CSE’s disclosure regime, information sharing processes under SCIDA have recently undergone comprehensive scrutiny and debate both in Parliament and by the public as part of the deliberation of Bill C-59.
  4. CSE’s work results in special responsibilities to protect the privacy of Canadians. In this context, NSIRA assessed CSE’s operational structures, policies, and processes to determine the rigour of the CII disclosure regime. NSIRA found serious problems with several aspects of the governance and implementation of CSE’s CII disclosure regime. NSIRA also found that CSE discloses information collected pursuant to the authority of Federal Court issued warrants as part of its assistance to the Canadian Security Intelligence Service (CSIS). NSIRA believes that although the Federal Court is aware of CSIS’ disclosure of CII, the Court may not have been fully informed about the parallel disclosure process taking place at CSE. In January 2021, CSIS provided the Federal Court with a copy of NSIRA’s full, classified review, excluding information protected by solicitor-client privilege.

Methodology

  1. As part of its review, NSIRA examined a selected sample of CII disclosures and their associated intelligence reports – initially from July 1, 2018 to July 31, 2019, though the review period was later expanded to cover July 1, 2015 to July 31, 2019 for certain types of disclosures. Over that period, CSE received requests for 3,708 Canadian identifiers. NSIRA received information about the outcome of all of these requests. Additionally, NSIRA was able to closely review requests pertaining to 2,351 identifiers.
  2. In all, NSIRA examined electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime. CSE also responded to NSIRA’s questions throughout the review.
  3. While this began as a review of solely CSE, it became evident that NSIRA also needed to engage with CSE’s Government of Canada clients of CII. In the spirit of its legislation, NSIRA “followed the thread” by engaging with a range of federal departments, from recurring clients of CII, such as CSIS and the Royal Canadian Mounted Police (RCMP), to less frequent clients, such as Innovation Science and Economic Development Canada (ISED). Through this engagement, NSIRA was able to understand the lifecycle of CII disclosures, from their origin within intelligence reporting to their eventual use by Government of Canada clients.
  4. NSIRA also assessed CSE’s disclosures of CII arising from its assistance to CSIS under section 16 of the CSIS Act. When CSE assists CSIS in this context, it is bound by the conditions of Federal Court warrants. Although CSIS’s disclosures were not the subject of this review, they helped to contextualize the compliance of CSE’s section 16 CII disclosures with the conditions and principles under which the Court issues the relevant warrants.
  5. NSIRA also reviewed CSIS affidavits to the Federal Court in relation to Canadian information acquired through section 16 warrants, which served as the basis for a recent decision issued on this program by the Court (reported as 2020 FC 697). Given this window into the parallel practices and policy requirements of CSIS, NSIRA had the opportunity to contextualize CSE’s disclosures of CII arising from section 16 collection in a way that was unprecedented for an external review body.
  6. Based on the records provided by CSE, CSIS, and other federal government entities, NSIRA made several findings and recommendations to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

Legal framework

  1. For CSE to disclose Canadians’ personal information without their consent, both CSE and the CII recipient must comply with relevant legislation, which, for the period under review, consisted of the Privacy Act and the National Defence Act:

GC client’s collection authority

  • Privacy Act, section 4
  • “No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.”

CSE’s disclosure authority

  • Privacy Act, paragraph
  • “Personal information under the control of a government institution may be disclosed... [in accordance] with federal laws.”

CSE’s requirements

  • National Defence Act, paragraph 273.64(2)(b)
  • CSE’s activities were “subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.”
  1.  In assessing CSE’s disclosures, NSIRA applied a two-pronged test in line with the Privacy Act requirements: the institution holding the personal information must have a disclosure authority to disclose it to another institution, and the recipient institution must have a collection authority. These thresholds derive from existing Privacy Act jurisprudence. In other words:
    • CSE’s CII clients are required to meet the section 4 collection requirement of the Privacy Act by establishing a direct and immediate relationship (with no intermediary) between the information to be collected through a CII request and their operating programs or activities.
    • On CSE’s side, its disclosures of CII had to comply with section 8 of the Privacy Act, and the National Defence Act, which was the governing statute for CSE during the review period.
    • Given that the disclosure authority under the National Defence Act required CSE to protect the privacy of Canadians, NSIRA examined whether CSE rigorously assessed each disclosure request on its merits, including the operational justification provided by clients, to determine whether the requests were reasonable and whether disclosure was appropriate under the Privacy Act regime.

CSE’s internal practices

  1. NSIRA assessed CSE’s privacy protection measures for compliance with its legal responsibilities and Ministerial Direction. NSIRA assessed whether CSE’s CII disclosures are subject to a thorough, well-documented evaluation and approval process that demonstrates each disclosure’s compliance with legal and operational requirements. Specifically, NSIRA assessed whether CSE’s clients demonstrated their legal authority to collect CII, and did so in compliance with section 4 of the Privacy Act by showing a direct and immediate relationship between their mandated activities and the requested CII.
  2. During the period under review, CSE received requests for 3,708 identifiers from 15 domestic departments, releasing 3,671 – which represents a release rate of 99%. This release rate was also reflected in the eventual sample of disclosures selected for detailed review by NSIRA. NSIRA expected to find disclosure requests of a consistently high quality commensurate with their near-absolute approval by CSE. Nevertheless, the findings below represent several areas in which NSIRA observed shortcomings.

Employee training and documentation requirements

  1. CSE employees generally decide whether to release CII. NSIRA did not find evidence of written guidance or training to guide employees’ assessment of the substance of disclosure requests; instead, the training materials and procedures that employees receive primarily focus on the logistical processes to release CII.
  2. When assessing CII requests, CSE employees can take a range of steps, including conducting further research on a requesting department and its mandate or contacting the requester for clarification. NSIRA found that these steps are generally not documented for requests from domestic clients, and that approved disclosures contain only the requested CII without the rationale for approving the request. NSIRA was unable to confirm that CSE employees took steps to contact a requester to clarify disclosure requests that were incomplete or lacked clarity.
  3. While this is not a requirement in CSE’s policies for domestic requests, NSIRA observed detailed rationales provided by personnel responsible for approving and denying CII requests originating from foreign clients. NSIRA believes CSE should require employees to document their assessment of requests from domestic clients, including the rationale for their approval.
  4. In sum, NSIRA found that CSE’s employees do not receive sufficient written training and guidance on assessing the substance of disclosure requests and are not required to document mandatory actions and assessments they make when releasing CII. NSIRA recommended that CSE require, through procedures and policy, that employees document their decision-making and rationales and train them to assess the substance of disclosure requests in light of applicable legal obligations.

Management oversight

  1. Certain types of disclosures are escalated for review and approval at a higher level within the organization. This is another process for which appropriate documentation was lacking. According to data compiled by NSIRA, all CII requests reviewed at this level were approved, with no documentation of the rationale for the decision to approve the rest.
  2. A monthly internal compliance check is conducted to confirm that denials of CII disclosure requests are sufficiently justified, that only the requested CII is disclosed, and to determine whether procedural errors occurred. The compliance checks reviewed by NSIRA contained no analysis of disclosure requests. Although CSE explained that employees are coached informally if disclosures do not meet requirements, this process is not documented in the compliance checks, which provide only statistical summaries of CII disclosures.
  3. NSIRA found that personnel responsible for approving certain CII disclosures and conducting periodic compliance checks did not document their decision-making and assessment of requests. NSIRA recommended that, like employees, CSE management personnel document their decision-making and rationales.

CSE’s assessment of CII disclosure requests

  1. CSE’s CII disclosure request form requires that the requestor state an applicable legal authority for collecting the information. NSIRA observed requests where this information was not provided. In this context, NSIRA expected that CSE would follow up with requestors or assure itself through its own assessment that the requestor had the appropriate legal authority for collecting CII. NSIRA found no evidence that this process was taking place.
  2. NSIRA used its ability to follow the thread of a disclosure and engaged some of CSE’s CII clients regarding their legal authority to collect Canadians’ personal information. Where these departments had not indicated a legal authority to receive CII, NSIRA inquired directly with them about their legal authorities, receiving detailed legal assessments prepared in response to NSIRA’s questions. NSIRA found no documented evidence that CSE had similarly assured itself of the clients’ legal authorities at the time of disclosure.
  3. As the custodian of incidentally collected CII, CSE has the responsibility to assure itself, and to document, that both a collection authority and a disclosure authority exist before disclosing it to third-party clients.
  4. Next to a legal authority, the second key component of a disclosure request is the recipient’s operational justification for collecting the CII. A demonstrable operational nexus is required to justify a requester’s collection of CII in line with the Privacy Act regime.
  5. NSIRA found that CSIS, the RCMP, and the Canada Border Services Agency (CBSA) generally demonstrated a clear link between the intelligence reporting and associated CII to their mandated activities, with some exceptions. This was a result of the strong operational justifications provided proactively by these clients, and does not reflect a more rigorous process on CSE’s end. Disclosures to these departments comprised approximately half of NSIRA’s sample.
  6. CSE has accepted operational justifications provided by these and other clients that NSIRA found to be inadequate. In these cases, the clients’ justifications pertained to CII that was not demonstrably related to their mandate or operations.
  7. For the total sample reviewed by NSIRA, 69% of requests were justified, 28% were insufficiently justified to warrant the release of CII, 2% could not be assessed, and 1% of requests were denied by CSE. Nevertheless, within this sample, CSE had approved disclosure requests at a rate of 99%.[1]
  8. CSE also released additional personal information to clients beyond that which was requested and explained this to be a standard practice. For example, NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity. NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested.
  9. In sum, NSIRA found that CSE has not sufficiently assessed the legal authorities invoked by its clients and recommended that CSE and these clients obtain legal advice from the Department of Justice to determine the extent of their legal authority to collect CII. NSIRA further found that CSE’s implementation of its CII disclosure regime may not have been in compliance with the Privacy Act framework and recommended that CSE cease disclosing CII to clients other than CSIS, RCMP, and CBSA until it addresses the findings and recommendations contained in NSIRA’s review.

CSE’s governance of the disclosure regime

  1. Many of the systemic issues presented in NSIRA’s review arise from CSE’s CII disclosure regime governance. CSE develops its internal policies, procedures, and legal assessments to which its disclosure clients are generally not privy. CSE’s existing arrangements with its clients govern operational issues such as security standards, information handling and system access. However, at an institutional level, NSIRA has not found a consistent understanding among CSE’s CII disclosure clients of the legal requirements underlying this practice.
  2. A more transparent governance structure would allow all parties to formally understand and acknowledge, at the institutional level, the legal and operational requirements underlying the disclosure and collection of CII. It is not satisfactory that CSE manages the regime without informing clients of the policies, procedures, and legal requirements that underlie it.
  3. NSIRA found that CSE’s governance of the CII disclosure regime does not foster an environment where its clients can take equal responsibility for CII disclosures. NSIRA recommended that CSE work with the Department of Justice and the Treasury Board of Canada Secretariat to establish Information Sharing Agreements with its regular domestic clients.

CSE’s disclosure of CII collected through its assistance to CSIS

  1. Throughout the review, NSIRA observed reports and related communications concerning the activities of foreign persons in Canada. Given that CSE is prohibited from directing its activities at such persons, NSIRA submitted a series of questions and received information on this subject. NSIRA learned that CSE discloses CII collected as part of its assistance to CSIS under section 16 of the CSIS Act.
  2. Under section 16 of the CSIS Act, CSIS may assist the Minister of Foreign Affairs or the Minister of National Defence by collecting foreign intelligence within Canada in relation to Canada’s defence or international affairs. In turn, CSIS can apply to the Federal Court for a warrant, under section 21 of the CSIS Act, to obtain judicial authorization for intrusive collection powers in support of the section 16 investigation. Subsequently, CSIS may request CSE assistance if it does not have the tools or capacity to carry out this collection. CSE’s assistance takes the form of developing tools and techniques, intercepting target communications, decryption, report writing, and translation.
  3. In its assistance to CSIS, CSE must respect the legal authorities and limitations imposed on CSIS by law and Federal Court warrants. In its documented requests for CSE assistance, CSIS does not explicitly request that CSE disclose the CII collected under warrant. Such disclosures are also absent from internal CSE plans that set out CSE’s support parameters. At the same time, both agencies insist that CSE can disclose such CII using its regular disclosure policies and procedures.
  4. The practice of handling CII incidentally collected pursuant to section 16-related warrants has been the subject of ongoing treatment by the Federal Court. CSIS has described its own practices to the Court, including detailed summaries of how section 16 information is collected, its processing for intelligence reporting, and the rigorous disclosure regime associated with this reporting. CSIS also noted, in less detail and with omissions, some aspects of CSE’s parallel disclosure of CII collected through its assistance to CSIS under these warrants.
  5. Overall, the stringent practices described by CSIS to the Court do not present a complete picture. For instance, CSIS’s limited distribution of section 16 intelligence reports and associated CII is not mirrored in CSE’s wider release of this information. Additionally, the senior approval levels that CSIS has in place for disclosing information about Canadian officials are also not reflected in CSE’s practices. In fact, CSE does not have a policy on how to treat Canadian officials’ information through its assistance mandate, and generally releases it at the working level. Further, CSE personnel are not generally aware that the information they are releasing originates from section 16 collection, and its associated Federal Court warrants and conditions. Moreover, CSIS has communicated to the Court that its own disclosure practice includes an assessment of a disclosure request by the operational branch responsible for the warrant, while CSE discloses such CII independent of CSIS operational branches.
  6. In recent testimony before Parliament, CSE was asked how it operationalizes its assistance mandate. In its response, CSE stated that information collected under assistance is segregated, returned to CSIS, and belongs to CSIS, emphasizing that CSE effectively acts as an agent of CSIS in supporting section 16 activities.[2] NSIRA is of the view that this is not a complete representation of the lifecycle of information collected by CSE in its assistance. By approving CSE’s section 16 intelligence reports, CSIS effectively releases ownership of this information to CSE, which was not conveyed to the Federal Court by CSIS in its affidavits detailing the reporting and use of section 16 information.
  7. CSE’s treatment and dissemination of this information differs from the stringent standards communicated to the Court by CSIS, particularly when it pertains to Canadian public officials and other sensitive groups. NSIRA believes that fully describing the CII disclosure process during warrant applications is necessary to support the process of imposing any terms and conditions advisable in the public interest, as contemplated by paragraph 21(4)(f) of the CSIS Act.
  8. Given the findings of the review, NSIRA recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII incidentally collected under the authority of federal court warrants related to section 16 investigations.

Conclusion

  1. NSIRA’s findings and observations over the course of this review indicate that CSE’s implementation of its disclosure regime may not be in compliance with its obligations under the Privacy Act. Throughout this review, CSE has defended practices that NSIRA believes do not reflect a commitment to rigorous implementation of the Privacy Act. Finally, CSE has released CII as part of its assistance to CSIS in a manner that contradicts the procedures communicated to the Federal Court.
  2. Accordingly, NSIRA made a number of recommendations as outlined above, to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

Footnotes

  1. These figures, in addition to those in the table, are rounded.
  2. Standing Committee on Public Safety and National Security, Number 101, 1st Session, 42nd Parliament, Thursday, March 22, 2018. https://www.noscommunes.ca/DocumentViewer/fr/42-1/SECU/reunion-101/temoignages
