Review of the Communications Security Establishment’s Disclosures of Canadian Identifying Information

Executive Summary

Subsequent to the collection of foreign signals intelligence by the Communications Security Establishment (CSE), any incidentally collected Canadian identifying information (CII) is suppressed in CSE’s intelligence reporting to protect the privacy of Canadians and persons in Canada. However, the Government of Canada (GC) and foreign clients of such reports can request the details of this information if they have lawful authority and operational justification.

The National Security and Intelligence Review Agency (NSIRA) conducted a review of CSE’s disclosures of CII to GC clients. In reviewing disclosures containing 2,351 Canadian identifiers over a five year period, NSIRA found that 28% of requests from all clients were not sufficiently justified to warrant the release of CII. . Nevertheless, during the period under review, CSE approved 99% of these requests for CII from its domestic clients. Given this and other findings related to CSE’s internal practices, NSIRA found that CSE’s implementation of its CII disclosure regime may not be in compliance with the Privacy Act.

Moreover, NSIRA found that CSE has released CII to GC clients from its technical and operational assistance to the Canadian Security Intelligence Service (CSIS) in relation to section 16 of the CSIS Act, in a manner that was likely not communicated to the Federal Court by CSIS.

This report is a summary of the more detailed, classified report provided to the Minister of National Defence on November 25, 2020.

Introduction

  1. The Communications Security Establishment (CSE) may incidentally acquire information about Canadians or persons in Canada in its collection of foreign signals intelligence (SIGINT). Canadian identifying information (CII) refers to any information that can identify an individual, ranging from names to email addresses and IP addresses. CII is suppressed in intelligence reports to protect the privacy of Canadians and persons in Canada. Government of Canada (GC) and foreign clients may subsequently request the details of this information if they have lawful authority and operational justification to collect it. This information sharing regime has been in place since the 2001 enactment of CSE’s powers under the National Defence Act, and has been previously reviewed by the Office of the CSE Commissioner (OCSEC)
  2. Following a review of CSE’s disclosures of CII, the National Security and Intelligence Review Agency (NSIRA) concluded that CSE’s implementation of its disclosure regime may not be in compliance with the Privacy Act. Therefore, pursuant to subsection 35(1) of the NSIRA Act, NSIRA submitted a compliance report to the Minister of National Defence on November 25, 2020.
  3. CSE’s disclosure regime, in place for nearly two decades, is one of the most important national security information sharing structures in the federal government, surpassing the volume of disclosures processed through the information sharing mechanism under the Security of Canada Information Disclosure Act (SCIDA). Unlike CSE’s disclosure regime, information sharing processes under SCIDA have recently undergone comprehensive scrutiny and debate both in Parliament and by the public as part of the deliberation of Bill C-59.
  4. CSE’s work results in special responsibilities to protect the privacy of Canadians. In this context, NSIRA assessed CSE’s operational structures, policies, and processes to determine the rigour of the CII disclosure regime. NSIRA found serious problems with several aspects of the governance and implementation of CSE’s CII disclosure regime. NSIRA also found that CSE discloses information collected pursuant to the authority of Federal Court issued warrants as part of its assistance to the Canadian Security Intelligence Service (CSIS). NSIRA believes that although the Federal Court is aware of CSIS’ disclosure of CII, the Court may not have been fully informed about the parallel disclosure process taking place at CSE. In January 2021, CSIS provided the Federal Court with a copy of NSIRA’s full, classified review, excluding information protected by solicitor-client privilege.

Methodology

  1. As part of its review, NSIRA examined a selected sample of CII disclosures and their associated intelligence reports – initially from July 1, 2018 to July 31, 2019, though the review period was later expanded to cover July 1, 2015 to July 31, 2019 for certain types of disclosures. Over that period, CSE received requests for 3,708 Canadian identifiers. NSIRA received information about the outcome of all of these requests. Additionally, NSIRA was able to closely review requests pertaining to 2,351 identifiers.
  2. In all, NSIRA examined electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime. CSE also responded to NSIRA’s questions throughout the review.
  3. While this began as a review of solely CSE, it became evident that NSIRA also needed to engage with CSE’s Government of Canada clients of CII. In the spirit of its legislation, NSIRA “followed the thread” by engaging with a range of federal departments, from recurring clients of CII, such as CSIS and the Royal Canadian Mounted Police (RCMP), to less frequent clients, such as Innovation Science and Economic Development Canada (ISED). Through this engagement, NSIRA was able to understand the lifecycle of CII disclosures, from their origin within intelligence reporting to their eventual use by Government of Canada clients.
  4. NSIRA also assessed CSE’s disclosures of CII arising from its assistance to CSIS in relation to section 16 of the CSIS Act. When CSE assists CSIS in that context, it is bound by the applicable Federal Court warrants’ conditions. While CSIS’ disclosures were not the subject of this review, they helped contextualize the adherence of CSE’s section 16 CII disclosures with the conditions and principles on which the Court issued the relevant warrants.
  5. NSIRA also reviewed CSIS affidavits to the Federal Court in relation to Canadian information acquired through section 16 warrants, which served as the basis for a recent decision issued on this program by the Court (reported as 2020 FC 697). Given this window into the parallel practices and policy requirements of CSIS, NSIRA had the opportunity to contextualize CSE’s disclosures of CII arising from section 16 collection in a way that was unprecedented for an external review body.
  6. Based on the records provided by CSE, CSIS, and other federal government entities, NSIRA made several findings and recommendations to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

Legal Framework

  1. For CSE to disclose Canadians’ personal information without their consent, both CSE and the CII recipient must comply with relevant legislation, which, for the period under review, consisted of the Privacy Act and the National Defence Act:

GC client's authority to collect

  • Privacy Act, section 4
  • “No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.”

CSE's authority to disclose

  • Privacy Act, paragraph 8(2)(b)
  • “Personal information under the control of a government institution may be disclosed … in accordance with any Act of Parliament.”

CSE's requirements

  • National Defence Act, paragraph 273.64(2)(b)
  • CSE’s activities were “subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.”
  1.  In assessing CSE’s disclosures, NSIRA applied a two-pronged test in line with the Privacy Act requirements: the institution holding the personal information must have a disclosure authority to disclose it to another institution, and the recipient institution must have a collection authority. These thresholds derive from existing Privacy Act jurisprudence. In other words:
    • CSE’s CII clients are required to meet the section 4 collection requirement of the Privacy Act by establishing a direct and immediate relationship (with no intermediary) between the information to be collected through a CII request and their operating programs or activities.
    • On CSE’s side, its disclosures of CII had to comply with section 8 of the Privacy Act, and the National Defence Act, which was the governing statute for CSE during the review period.
    • Because the disclosure authority within the National Defence Act required CSE to protect the privacy of Canadians, NSIRA assessed whether CSE evaluated each disclosure request rigorously on its own merits, including the operational justification provided by clients, to determine whether the requests were reasonable and whether the disclosure was appropriate under the Privacy Act regime.

CSE’s internal practices

  1. NSIRA assessed CSE’s privacy protection measures for compliance with its legal responsibilities and Ministerial Direction. NSIRA assessed whether CSE’s CII disclosures are subject to a thorough, well-documented evaluation and approval process that demonstrates each disclosure’s compliance with legal and operational requirements. Specifically, NSIRA assessed whether CSE’s clients demonstrated their legal authority to collect CII, and did so in compliance with section 4 of the Privacy Act by showing a direct and immediate relationship between their mandated activities and the requested CII.
  2. During the period under review, CSE received requests for 3,708 identifiers from 15 domestic departments, releasing 3,671 – which represents a release rate of 99%. This release rate was also reflected in the eventual sample of disclosures selected for detailed review by NSIRA. NSIRA expected to find disclosure requests of a consistently high quality commensurate with their near-absolute approval by CSE. Nevertheless, the findings below represent several areas in which NSIRA observed shortcomings.

Employee training and documentation requirements

  1. CSE employees generally decide whether to release CII. NSIRA did not find evidence of written guidance or training to guide employees’ assessment of the substance of disclosure requests; instead, the training materials and procedures that employees receive primarily focus on the logistical processes to release CII.
  2. In their assessment of CII requests, CSE personnel can take a range of actions, including conducting further research into a requesting department and its mandate or communicating with the requester to obtain clarity. NSIRA found that these actions are generally not documented for requests from domestic clients, and the approved disclosures only contain the requested CII without the reasons for approving the request. NSIRA was unable to confirm that CSE personnel were taking steps to communicate with a requestor to clarify incomplete or unclear disclosure requests.
  3. While this is not a requirement in CSE’s policies for domestic requests, NSIRA observed detailed rationales provided by personnel responsible for approving and denying CII requests originating from foreign clients for CII. NSIRA believes CSE should require employees to document their assessment of requests from domestic clients, including the rationale for their approval.
  4. In sum, NSIRA found that CSE’s employees do not receive sufficient written training and guidance on assessing the substance of disclosure requests and are not required to document mandatory actions and assessments they make when releasing CII. NSIRA recommended that CSE require, through procedures and policy, that employees document their decision-making and rationales and train them to assess the substance of disclosure requests in light of applicable legal obligations.

Management oversight

  1. Certain types of disclosures are elevated for review and approval at a higher level within the organization. This is another process that lacked the appropriate documentation. Based on data compiled by NSIRA, all requests for CII reviewed at this level were approved, with no documentation of the rationale behind the decision to approve the remainder.
  2. An internal monthly compliance check is conducted to confirm that releases of CII follow sufficient justification, that only the requested CII is released, and to determine whether any procedural errors have occurred. The compliance checks reviewed by NSIRA did not contain any analysis of the disclosure requests. While CSE explained that employees are informally coached if disclosures do not meet requirements, this is not documented within the compliance checks, which provide only statistical summaries of CII disclosures.
  3. NSIRA found that personnel responsible for approving certain CII disclosures and conducting periodic compliance checks did not document their decision-making and assessment of requests. NSIRA recommended that similar to employees at the working level, CSE management must document their decision-making and rationales.

CSE’s assessment of CII disclosure requests

  1. CSE’s CII disclosure request form requires that the requestor state an applicable legal authority for collecting the information. NSIRA observed requests where this information was not provided. In this context, NSIRA expected that CSE would follow up with requestors or assure itself through its own assessment that the requestor had the appropriate legal authority for collecting CII. NSIRA found no evidence that this process was taking place.
  2. NSIRA used its ability to follow the thread of a disclosure and engaged some of CSE clients for CII regarding their legal authority to collect Canadians’ personal information. Where these departments had not indicated a legal authority to receive CII, NSIRA inquired directly with them about their legal authorities, receiving detailed legal assessments prepared in response to NSIRA’s questions. NSIRA found no documented evidence that CSE had similarly assured itself of the clients’ legal authorities at the time of disclosure.
  3. As the custodian of incidentally collected CII, CSE has the responsibility to assure itself and document that both a collection and disclosure authority exist before sharing it with third party clients.
  4. Next to a legal authority, the second key component of a disclosure request is the recipient’s operational justification for collecting the CII. A demonstrable operational nexus is required to justify a requester’s collection of CII in line with the Privacy Act regime.
  5. NSIRA found that CSIS, the RCMP, and the Canada Border Services Agency (CBSA) generally demonstrated a clear link between the intelligence reporting and associated CII to their mandated activities, with some exceptions. This was a result of the strong operational justifications provided proactively by these clients, and does not reflect a more rigorous process on CSE’s end. Disclosures to these departments comprised approximately half of NSIRA’s sample.
  6. CSE has accepted operational justifications provided by these and other clients that NSIRA found to be inadequate. In these cases, the clients’ justifications pertained to CII that was not demonstrably related to their mandate or operations.
  7. From the sample of all disclosures reviewed by NSIRA, we found 69% to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied. Nevertheless, within this sample, CSE had approved these disclosure requests at a 99% rate.[1]
  8. CSE also released additional personal information to clients beyond that which was requested and explained this to be a standard practice. For example, NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity. NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested.
  9. In sum, NSIRA found that CSE has not sufficiently assessed the legal authorities invoked by its clients and recommended that CSE and these clients obtain legal advice from the Department of Justice to determine the extent of their legal authority to collect CII. NSIRA further found that CSE’s implementation of its CII disclosure regime may not have been in compliance with the Privacy Act framework and recommended that CSE cease disclosing CII to clients other than CSIS, RCMP, and CBSA until it addresses the findings and recommendations contained in NSIRA’s review.

CSE’s governance of the disclosure regime

  1. Many of the systemic issues presented in NSIRA’s review arise from CSE’s CII disclosure regime governance. CSE develops its internal policies, procedures, and legal assessments to which its disclosure clients are generally not privy. CSE’s existing arrangements with its clients govern operational issues such as security standards, information handling and system access. However, at an institutional level, NSIRA has not found a consistent understanding among CSE’s CII disclosure clients of the legal requirements underlying this practice.
  2. A more transparent governance structure would allow all parties to understand and formally acknowledge at an institutional level the legal and operational requirements behind disclosing and collecting CII. It is not sufficient for CSE to manage the regime with its clients not privy to the policies, procedures, and legal requirements that underlie it.
  3. NSIRA found that CSE’s governance of the CII disclosure regime does not foster an environment where its clients can take equal responsibility for CII disclosures. NSIRA recommended that CSE work with the Department of Justice and the Treasury Board of Canada Secretariat to establish Information Sharing Agreements with its regular domestic clients.

CSE’s disclosure of CII collected through its assistance to CSIS

  1. Throughout the review, NSIRA encountered reporting and associated disclosures that pertained to activities of foreign persons within Canada. As CSE is prohibited from directing its activities at such persons, NSIRA submitted a series of questions and received briefings on the subject. NSIRA learned that CSE discloses CII collected as part of its assistance to CSIS in relation to section 16 of the CSIS Act.
  2. Under section 16 of the CSIS Act, CSIS may assist the Minister of Foreign Affairs or the Minister of National Defence by collecting foreign intelligence within Canada in relation to Canada’s defence or international affairs. In turn, CSIS can apply to the Federal Court for a warrant, under section 21 of the CSIS Act, to obtain judicial authorization for intrusive collection powers in support of the section 16 investigation. Subsequently, CSIS may request CSE assistance if it does not have the tools or capacity to carry out this collection. CSE’s assistance takes the form of developing tools and techniques, intercepting target communications, decryption, report writing, and translation.
  3. In its assistance to CSIS, CSE must respect the legal authorities and limitations imposed on CSIS by law and Federal Court warrants. In its documented requests for CSE assistance, CSIS does not explicitly request that CSE disclose the CII collected under warrant. Such disclosures are also absent from internal CSE plans that set out CSE’s support parameters. At the same time, both agencies insist that CSE can disclose such CII using its regular disclosure policies and procedures.
  4. The practice of handling CII incidentally collected pursuant to section 16-related warrants has been the subject of ongoing treatment by the Federal Court. CSIS has described its own practices to the Court, including detailed summaries of how section 16 information is collected, its processing for intelligence reporting, and the rigorous disclosure regime associated with this reporting. CSIS also noted, in less detail and with omissions, some aspects of CSE’s parallel disclosure of CII collected through its assistance to CSIS under these warrants.
  5. Overall, the stringent practices described by CSIS to the Court do not present a complete picture. For instance, CSIS’s limited distribution of section 16 intelligence reports and associated CII is not mirrored in CSE’s wider release of this information. Additionally, the senior approval levels that CSIS has in place for disclosing information about Canadian officials are also not reflected in CSE’s practices. In fact, CSE does not have a policy on how to treat Canadian officials’ information through its assistance mandate, and generally releases it at the working level. Further, CSE personnel are not generally aware that the information they are releasing originates from section 16 collection, and its associated Federal Court warrants and conditions. Moreover, CSIS has communicated to the Court that its own disclosure practice includes an assessment of a disclosure request by the operational branch responsible for the warrant, while CSE discloses such CII independent of CSIS operational branches.
  6. In recent testimony before Parliament, CSE was asked how it operationalizes its assistance mandate. In its response, CSE stated that information collected under assistance is segregated, returned to CSIS, and belongs to CSIS, emphasizing that CSE effectively acts as an agent of CSIS in supporting section 16 activities.[2] NSIRA is of the view that this is not a complete representation of the lifecycle of information collected by CSE in its assistance. By approving CSE’s section 16 intelligence reports, CSIS effectively releases ownership of this information to CSE, which was not conveyed to the Federal Court by CSIS in its affidavits detailing the reporting and use of section 16 information.
  7. CSE’s treatment and dissemination of this information differs from the stringent standards communicated to the Court by CSIS, particularly when it pertains to Canadian public officials and other sensitive groups. NSIRA believes that fully describing the CII disclosure process during warrant applications is necessary to support the process of imposing any terms and conditions advisable in the public interest, as contemplated by paragraph 21(4)(f) of the CSIS Act.
  8. Given the findings of the review, NSIRA recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII incidentally collected under the authority of federal court warrants related to section 16 investigations.

Conclusion

  1. NSIRA’s findings and observations over the course of this review indicate that CSE’s implementation of its disclosure regime may not be in compliance with its obligations under the Privacy Act. Throughout this review, CSE has defended practices that NSIRA believes do not reflect a commitment to rigorous implementation of the Privacy Act. Finally, CSE has released CII as part of its assistance to CSIS in a manner that contradicts the procedures communicated to the Federal Court.
  2. Accordingly, NSIRA made a number of recommendations as outlined above, to improve the governance of CSE’s CII disclosure regime and to bring to the attention of the Federal Court important aspects of CSE’s disclosures of information acquired in relation to section 16 of the CSIS Act.

Footnotes

  1. These figures, in addition to the figures in the chart, are rounded.
  2. Standing Committee on Public Safety and National Security, Number 101, 1st Session, 42nd Parliament, Thursday, March 22, 2018. https://www.ourcommons.ca/DocumentViewer/en/42-1/SECU/meeting-101/evidence

Privacy Preference Center