Information & Ethics Committee on May 13th, 2008

I'm happy to defer my brief opening remarks, which were only about a page long, if members would like to go straight to questions. I was simply going to introduce the service and make some general comments.

No. I was going to wait for questions for that. My only general comment is that in some cases her remarks are quite general, and I think it's important to look at particular agencies, mandates, and situations.

Thank you.

The essence is that we in the RCMP feel there could be significant impact on police operations, not only within national security criminal investigations, but also across the board in other serious transnational organized crime and serious violent sexual assaults against children. We're concerned that the recommendations of the Privacy Commissioner may impact those operations and we would encourage you--I would encourage you, respectfully--to canvass all senior law enforcement within Canada for their input on the proposed recommendations for changes to the legislation.

Briefly, I would simply say that the balance of individual freedoms and security is one that I think Canada has right. I think we lead the world in that regard. I think we do that because of the existing legislative framework and policies and our ability to manage ourselves--and not just the mounted police, but everyone--in the checks and balances that are there.

Those are my opening comments in a nutshell.

No.

I'd make two comments. One is that we have been subject to privacy and access since CSIS was created in 1984. Privacy legislation was passed in 1983. In some ways that makes us unusual, because a lot of our sister agencies are not subject to equivalent legislation. So I think the shorter answer is no.

I think the longer answer is that with technology changing and the issue of the collection, use, and disclosure of information because of technology and databases and the kind of information that is now available, there are issues that probably would be worth exploring. And I know a number of countries have explored them.

I guess I'd start by saying--and maybe you would expect me to say this--that this kind of balance, in fact, very much informed the whole process of the birth of CSIS. As you probably know, we had four years of the McDonald commission. It spoke about the need for agencies like ours to meet both the requirements of security and the requirements of democracy. The parliamentary committee that reviewed us talked about the delicate balance between collective rights and individual rights. So that has been built in, I would argue, from the get-go, but that's the sort of surface answer.

I think the more difficult question to answer is what kinds of things can you spell out for certain, and what kinds of things lend themselves to a process answer? Frankly, we went through that with the birth of CSIS. We defined our mandate in quite general terms. If you look at section 2 of our act, it talks about activities directed toward or in support of espionage or sabotage--the most general statement. But we built in a whole system of controls and review that then provide the process part to the substance. As you know--and it was quite unusual for its day--SIRC, the Security Intelligence Review Committee, and the inspector general both have complete access to all of our records, and report on a regular basis.

I think part of the answer to that balance is to define what you can, but build in a process to ensure that the world behaves properly. Presumably, that's why, for example, under section 59 of the act, both the Privacy Commissioner and the access commissioner review us. They have complete access to all of our records, and there are only four employees--as you probably know--under section 59 of the act who have the permission to look at all of our stuff. So it's isolated, but there's a system.

What I would say, in respect of security, is that I think you should first consider the need for operational effectiveness and for mitigating the threat with respect to both national security concerns and serious criminal concerns. I think you must consider the principle of reciprocity among like-minded states and even with those states that don't share our values. And you must consider how we can expect our agencies and the RCMP, in particular, to manage those issues in a principled way.

On the other end of the spectrum, in terms of personal freedoms and the need for our citizens to access information, I think transparency and accountability are key principles you would want to consider.

I'm not an expert in privacy law, and I don't think I'm in a position, really, to direct you to which countries you ought to canvass.

In terms of data breaches, my understanding of data breaches is limited to those instances, say, when material or information is misused or is perhaps inadvertently subject to disclosure or is perhaps mishandled, and those sorts of things. As for any other breach of a policy or regulation, that requires the application of the policies we have for understanding and rectifying the root cause of the breach, assessing the seriousness of the breach, and taking action to fix it.

Like Bob, I'm not a member of the Privacy Act club. My old law boss always used to say that the world is made up of clubs, and it just depends which club you're a member of. There is the Privacy Commissioner's club. I noticed that when the Privacy Commissioner testified here, there was a conference in Montreal with 700, I think it was, participants, and so on and so forth. It seems to me that getting the transcripts and sharing the experiences of different countries, obviously like-minded countries, can be hugely useful. But that's a general statement.

In terms of data breaches, CSIS is in a rather unique position, because our information holdings have been in electronic form operationally for a long time. Administratively it has been less--for the last ten years or so. We have no contact with outside systems. Therefore, in terms of breaches, frankly, in some ways our world is simpler, because we don't have a lot of holes in the toothpaste tube. We're self-contained.

As you probably know, with CSIS there's always a question as to how much information is out there. However, Info Source is the government-published directory under the Privacy Act of all of the data banks that every department and agency has. We're in there, and we've listed ten different data banks--which is publicly available--and they're described in some detail. Of the ten, I believe one is an exempt bank, but all the rest of them, all nine, would have to be reviewed individually when someone makes a Privacy Act request, which happens a lot.

In terms of the information that we hold, we obviously have a lot of investigative information. Our standard operating procedure is that we take a raw product and we write a report. That report goes into our electronic holdings, and that is searchable.

Yes. I will answer in English if I may.

The types of information that we have, much like my colleague describes, are essentially in the operational field--all kinds. I'll limit my response to the national security context.

As you asked in your question, we do have personal information about suspects who are identified by one means or another. We have statements of witnesses and suspects. We have background checks, we have intelligence, and we have a fair bit in the criminal context of personal information around the people we are investigating.

I don't think I could limit the types of information. Where we execute a search warrant, for example, we would have banking records or we would have other records. Where we have wiretap we would have very sensitive and personal intercepts of communications. So there is a full range of information in the operational setting.

Sadly, I don't think I'm qualified to speak on our HR holdings around our employees, but we would have your typical employee file, from entry into the force to their current standings with movements and quite a bit of personal information there. And I'm doing a poor job of explaining it, so I'll stop.