Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information

Backgrounder

On November 25, 2020, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of National Defence and the Minister of Public Safety with a classified compliance report on its review of CSE’s disclosures of Canadian identifying information (CII). In this review, NSIRA found that the CII disclosure regime lacked rigour and that its implementation may not have been in compliance with the Privacy Act. Additionally, NSIRA found that the Federal Court may not have been adequately informed about key elements of CSE’s disclosures of CII collected on the authority of warrants issued in relation to section 16 of the Canadian Security Intelligence Service (CSIS) Act. Given the findings of the review, NSIRA has published its unclassified summary of the compliance report.

In carrying out its foreign intelligence mandate, CSE may incidentally acquire information about Canadians or person(s) in Canada. CII is information that could be used to identify an individual, and is normally suppressed from reporting unless Government of Canada or foreign clients request these details and are able to demonstrate that they have operational justification and legal authority to receive it.

After a thorough review of CSE’s disclosures of CII, which also involved direct engagement with other Government of Canada departments that request CII, NSIRA made 6 findings and 11 recommendations. This unclassified summary provides an overview of the CII disclosure regime, and NSIRA’s observations related to the policies, procedures, training, and the legal authorities governing it.

Publishing this summary aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work. Looking forward, NSIRA will conduct future reviews of the CII disclosure regime to ensure that its recommendations are implemented in a way that will improve the CII disclosure program and that this program is compliant with the applicable legal framework.

As per section 8(1)(a) of the NSIRA Act, independent review of CSE’s activities is a statutory requirement for NSIRA. As such, NSIRA will continue to review CSE activities and report on compliance issues if they arise.

To learn more about NSIRA’ mandate, click here.

Questions & Answers

NSIRA had concerns about approximately 28% of CSE’s disclosures of CII, amounting to 493 pieces of Canadian identifying information, in the review period of July 1, 2015 to July 31, 2019. Each disclosure can contain any number of Canadian identifiers, and the justification provided by Government of Canada recipients was assessed toward each requested identifier.

In some cases, the requestor did not demonstrate that it met Privacy Act thresholds to obtain the CII and/or received CII that they did not specifically request. Those thresholds arise from sections 4 and 8 of the Act. In other cases, while we found the disclosure to have been insufficiently justified, the Privacy Act would not have been contravened as the CII pertained to a company or another institution. While such institutions are not protected under the Act, we still assessed their disclosure for alignment with the Act’s standards, given that CSE has committed to protecting this information the same way it does personal information.

NSIRA believes this activity met the threshold defined in section 35 of the NSIRA Act – namely, that the Committee believed CSE’s implementation of its CII disclosure regime may not have been in compliance with the law. Given the lack of documentation regarding decision-making for disclosures, NSIRA assessed each disclosure based on the available materials and CSE’s responses to our questions.

The conclusion was applied to the entirety of CSE’s disclosure regime, as CSE’s answers to our questions indicated the standards applied to disclosures writ large were not sufficiently rigorous. For those disclosures that NSIRA found the Privacy Act thresholds to have been met, this was not due to any greater rigour on the part of CSE. Rather, the requesting government departments themselves provided sufficient justification for their requests of CII.

One of NSIRA’s key concerns pertained to CSE’s independent management of the disclosure regime, when in fact, each disclosure engages legal authorities and responsibilities of other federal departments. To allow these departments to fully take responsibility for their aspect of the information sharing, we recommended that CSE establish information sharing agreements with them.

CSIS provided the Federal Court with testimony about its treatment of information about Canadians collected through its section 16, CSIS Act mandate. NSIRA compared this testimony to how CSE handled information about Canadians collected when assisting CSIS in relation to section 16 of the CSIS Act, and found notable discrepancies with how the Federal Court was informed this information was treated. CSIS did not have any part in assessing or releasing the disclosures NSIRA had concerns about, as they were handled solely by CSE.

NSIRA understands that in January 2021, the Federal Court was provided with the complete classified CII report, with only solicitor-client privileged information redacted.

CSE has stated that it accepted all the recommendations made as part of this review. We look forward to reviewing the CII disclosure regime again when CSE has had a chance to implement the recommendations. Additionally, NSIRA utilized its authority pursuant to section 31 of the NSIRA Act to direct CSE to conduct a study of CII disclosures made since the end of the review period of this report, to ensure that they have complied with the CSE’s new legal requirements under the CSE Act

Given the findings of the report, NSIRA considered issuing a public interest report as per section 40 of the NSIRA Act and, as a result, prepared an unclassified version of the classified compliance report to ensure that the Federal Court would be made aware of its findings. Before issuing the section 40 report, the Federal Court was informed and was provided NSIRA’s complete classified report. In light of these new circumstances, NSIRA did not believe that issuing a section 40 report was necessary. Though, in keeping with sustained efforts towards transparency, NSIRA chose to publish the unclassified version of the report as a mechanism to inform Canadians.

NSIRA has the unique ability to ‘follow the thread’ during the review process, meaning it can engage other federal departments if they are relevant to the review in question. NSIRA used this ability during the CII review, and obtained a comprehensive understanding of the complete lifecycle of CII by engaging with other federal departments. This ability to extend a review beyond CSE may have contributed to our wider understanding of the disclosure program and led us to make our findings.

NSIRA’s findings pertain to CSE’s implementation and approach to its disclosure regime, reflected in the wide approval of disclosure requests. This approach is not specific to any one legal framework or regime. At the same time, the CSE Act now explicitly allows CSE to disclose CII, and with it has established a very high threshold at which CII is to be disclosed – namely that the disclosure be essential to international affairs, defence, security, or cybersecurity. Based on our findings under the NDA, we consider it important to review CII disclosures under the new legal framework in the future to assess whether they are meeting the high disclosure threshold of essentiality

Privacy Preference Center