Evidence of meeting #30 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was rcmp.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Robert Mundie  Director General, Corporate Secretariat, Canada Border Services Agency
Rennie Marcoux  Chief Strategic Policy and Planning Officer, Royal Canadian Mounted Police
Michael Peirce  Assistant Director Intelligence, Canadian Security Intelligence Service
Stefanie Beck  Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration
Dan Proulx  Director, Access to Information and Privacy Division, Canada Border Services Agency
Commissioner Joe Oliver  Assistant Commissioner, Technical Operations, Royal Canadian Mounted Police

11:10 a.m.


The Chair Conservative Blaine Calkins

Good morning, everyone.

Good morning to our witnesses. Thank you very much for your patience as we had to consider a vote in the House of Commons. We're only a few minutes behind, so I appreciate colleagues getting here as quickly as possible.

We're continuing on with our study of the Privacy Act. We're pleased to have with us representatives from the Canada Border Services Agency, the RCMP, the Canadian Security Intelligence Service, and the Department of Citizenship and Immigration. The list of names is long, and I'll let each of you introduce yourself at the start. We'll allow 10 minutes of opening comments for each department, so you can decide how you want to use that time accordingly.

We thank you very much for being here today. I ask you to be succinct, within that 10 minutes, and then we can get to the rounds of questioning. You all know how this works. I think all of you have been before a committee before. I'm looking forward to this.

I'll just go in the order you appear here on my agenda. We'll start with the Canada Border Services Agency for up to 10 minutes, please.

11:10 a.m.

Robert Mundie Director General, Corporate Secretariat, Canada Border Services Agency

Thank you, Mr. Chair.

My name is Robert Mundie. I'm the director general of the corporate secretariat at the Canada Border Services Agency. I am also the chief privacy officer for CBSA. I have with me Mr. Dan Proulx, who is the director of our ATIP division.

The ATIP division is responsible for oversight of the privacy function at the agency, which includes administering and fulfilling all legislative requirements of the Privacy Act related to the processing of requests; interacting with the public, CBSA employees, other government institutions, and the Office of the Privacy Commissioner regarding investigations and audits; and implementing measures to enhance our capacity to process privacy requests.

I will briefly outline the CBSA's privacy function and the way the agency performs against established service standards, and I'll highlight some of the successes and challenges we experience in our administration of the act.

The Canada Border Services Agency is responsible for border functions related to customs; the enforcement of the Immigration and Refugee Protection Act; and food, plant and animal inspection.

The agency administers and enforces two principal pieces of legislation. First, the Customs Act outlines the agency's responsibilities to collect duties and taxes on imported goods, interdict illegal goods, and administer trade legislation and agreements. Second, the Immigration and Refugee Protection Act governs both the admissibility of people into Canada, and the identification, detention and removal of those deemed to be inadmissible under the act.

The agency also enforces over 90 other statutes on behalf of other federal government departments and agencies.

Mr. Chair, given the numerous daily interactions that the agency has with businesses and with individuals on a variety of matters, we are no strangers to privacy requests. Approximately 60 employees work in the ATIP division, 34 of whom are dedicated to the processing of privacy and access to information requests. The division also has an internal network. It works with 16 liaison officers who provide support across the agency's branches at headquarters and in the regions in fulfillment of access and privacy requests.

The CBSA's operating expenditures to run its program for privacy and access totalled approximately $5.4 million in the previous fiscal year, with $4.4 million dedicated to salary and $1 million to non-salary expenditures. This amount includes the costs of administering both the Access to Information Act and the Privacy Act, as work on both acts is done concurrently.

With respect to volumes, the CBSA received just over 11,200 requests in the previous fiscal year, 2015-16, the second-highest number within the Government of Canada. In addition to these, the agency received approximately 5,500 access to information requests.

The high volumes are largely attributable to individuals seeking copies of their history of arrival dates into Canada. In 2015-16, 78% of all the requests that came to the CBSA were from individuals seeking their traveller history report, which is used to support residency requirements for programs administered by Immigration, Refugees and Citizenship Canada and by Employment and Social Development Canada. Of all the requests completed, the CBSA was successful in responding to 88.7% of them within the legislated timelines in the previous fiscal year.

ATI analysts in case-processing units have direct access to the database that houses the traveller history reports, and the review of these reports and the application of law are relatively standard, which allows them to complete these requests without needing to obtain recommendations on disclosure from departmental officials. This greatly reduces the time it takes analysts to process these types of requests.

As indicated in the Office of the Privacy Commissioner of Canada’s 2015-16 annual report to Parliament, 88 complaints were filed against the CBSA to the Privacy Commissioner of Canada. Given the large volume of requests the agency processes, this number is a very small proportion of the total requests closed.

However, we always aspire to better serve the requesters. Our successes reflect the agency’s commitment to ensuring that every reasonable effort is made to meet obligations under the Privacy Act.

The CBSA strives to provide Canadians with the information to which they have a right in a timely and helpful manner, by balancing the right of access with the need to protect the integrity of border services that support national security and public safety. We take our responsibilities under the Privacy Act very seriously.

In closing, we welcome the review of the Privacy Act, and will fully support and adopt any measures that are introduced by the Treasury Board Secretariat in response to changes made to the act.

I want to thank you, Mr. Chair, for the opportunity to provide our input into your study, and for welcoming us here today. I look forward to questions members of the committee may have.

11:15 a.m.


The Chair Conservative Blaine Calkins

Thank you very much, Mr. Mundie, it's great to have you at committee.

We'll move to the Royal Canadian Mounted Police, for 10 minutes please.

Ms. Marcoux.

11:15 a.m.

Rennie Marcoux Chief Strategic Policy and Planning Officer, Royal Canadian Mounted Police

Thank you, Mr. Chair, for the opportunity to appear before this committee to assist in your review of the Privacy Act.

This is an important review, given the profound changes in society, and the security landscape changes since the Privacy Act came into force in 1983. The RCMP welcomes this review and is committed to working with all government departments and agencies in considering changes to the act that balance privacy in an environment driven by constantly evolving information technology.

My name is Rennie Marcoux and I am the chief strategic policy and planning officer responsible for the access to information and privacy branch at the RCMP. I am accompanied by my colleague, assistant commissioner Joe Oliver, who is responsible for technical operations.

I will begin by describing how the RCMP is structured to respond to privacy requests. Then, I will explain some of the measures we have in place to promote compliance with the Privacy Act. Lastly, I will close with a few words on the importance of information in fulfilling our mandate.

The RCMP is divided into 15 divisions plus the national headquarters in Ottawa, each of which is under the direction of a commanding officer. At the local level, there are more than 750 detachments.

Given the size of our organization, the diversity and complexity of our operations, and the sensitive nature of our information holdings, responding to Access to Information and Privacy Act requests imposes a significant demand on the organization. Notably, we must be very careful in the collection, use, and disclosure of personal information in accordance with the Privacy Act.

The access to information and privacy branch at the RCMP is responsible for responding to all formal requests for information under the two acts. In addition, the access to information and privacy branch develops policies and procedures for use within the RCMP to ensure compliance with the legislation, regulations and associated guidelines.

We have approximately 68 employees, whose main focus of work is meeting the RCMP's obligations under the act. A quarter of these positions require police officers to ensure sensitive law enforcement information is properly protected, and to reduce the need for time-consuming consultations with our program managers. The employees are required to work with approximately 750 points of contact in our divisions across Canada.

The ATIP branch is responsible for coordinating the retrieval and release of records for the entire organization. The contacts in the divisions assist in identifying relevant records and ensuring that regional employees are aware of their responsibilities under the act.

In 2015-16, the RCMP received slightly over 5,000 Privacy Act requests, and our compliance rate was 82% compared to 78% from the previous year. For the first time since the fiscal year 2010-11, the RCMP was able to raise its compliance above the 80% standard set by the Office of the Privacy Commissioner.

The RCMP’s overall performance improved last fiscal year, since we closed more files, reduced late responses, and received fewer complaints.

These results follow an organizational workload review that led to the restructuring of the access to information and privacy branch so that it could process access requests more efficiently at intake. These changes represent a positive step for the RCMP.

The RCMP is very careful to comply with the Privacy Act when releasing information. For example, information is released only with consent or only to individuals and institutions authorized to receive the information. When disclosing personal information, the RCMP ensures that it has the disclosure authority under the act and that the requesting or recipient agency has the proper statutory authority.

In disclosures of personal information deemed to be of public interest, apart from a few senior officials at headquarters, only the commanding officers are authorized to make the decision.

As part of the ATIP branch's initiative to educate all RCMP employees, 21 presentations explaining their responsibilities under the Privacy Act were given to more than 200 employees last year. The RCMP is developing enhanced privacy training tools for all employees and reviewed its policies and definitions relating to personal information, including guidance around the release of information in the public interest.

An access to information and privacy training plan has been developed and implemented. Access to information and privacy personnel are regularly attending sessions provided by the Treasury Board Secretariat as well as other training sessions and workshops as part of their development.

The training strategy encourages the employees to enrol in various access to information and privacy-related courses as a way to gain knowledge and improve their efficiency as specialists in the field.

As a part of their orientation, all employees receive five days of training on the two acts when they arrive in the branch.

We're also focusing on training at the detachment level to ensure that frontline employees know the RCMP’s obligations under the federal legislation.

The mandate of the RCMP is to prevent crime and apprehend offenders. The collection and sharing of information is essential to this mandate. The fast-paced transactional nature of crime requires that we act quickly and partner with other police forces and security agencies in Canada and around the world. Effective and responsible information sharing with our security partners has become increasingly essential to identify threats and protect public safety.

The RCMP enforces the laws of Canada in accordance with appropriate judicial authorization. We adhere to privacy standards set forth by the Government of Canada, and we're conscious of the need to take the utmost care when handling the sensitive or private information of suspects and victims.

We take our obligations under the Privacy Act very seriously and make every effort to balance those obligations with our main priority to ensure the security of Canadians.

Any review of the Privacy Act should continue to balance the need to protect the privacy rights of Canadians with the need for security agencies to have the appropriate authorities to investigate criminal activities and to protect the safety and security of Canadians.

Thank you again, Mr. Chair, for the opportunity to appear before the committee.

11:20 a.m.


The Chair Conservative Blaine Calkins

Thank you, Ms. Marcoux. We very much appreciate that.

We'll now move on to CSIS, Mr. Michael Peirce, for up to 10 minutes, please.

11:20 a.m.

Michael Peirce Assistant Director Intelligence, Canadian Security Intelligence Service

Good morning, Mr. Chair and members of the committee.

I'm pleased to be here this morning before you, and with my colleagues.

My name is Michael Peirce. I am the assistant director of intelligence at CSIS. I am responsible for the production and dissemination of service intelligence. I am also responsible for matters pertaining to litigation and disclosure, including access to information and privacy.

I want to thank you for the invitation to be here today to contribute to your study of the Privacy Act, and for the opportunity to provide some insight into how CSIS manages privacy requests.

To begin, I would like to assure members that privacy and the protection of personal information are essential considerations for the service, both in its collection activities and in the information management policies and practices of our organization. Balancing transparency and accountability with our operational requirements is an ongoing effort that we respect and take seriously.

As is every other government institution, CSIS is subject to the Privacy Act. In that context, CSIS's mandate and operational activities create distinct requirements as they relate to privacy and access to information. That being said, and to contextualize my statements here today, I would like to provide members with a brief overview of CSIS's authorities and reasons that special consideration is required to protect the integrity of the work that we do.

CSIS's mandate is clearly defined in the CSIS Act. We are authorized to collect information only to the extent strictly necessary on activities suspected of constituting a threat to the security of Canada.

These threats are explicitly defined in section 2 of our act. They are limited to terrorism, espionage, sabotage, and foreign interference. In order to achieve our mission—that is, to protect national security—we collect this information to detect, assess, and respond to threats to the security of Canada. In terms of our response, we are specifically mandated to advise government on matters of national security, which can include sharing information with partners to inform their lawful investigations or their enforcement actions.

I would note, however, that CSIS itself is not an enforcement agency. We do not have the authority to arrest or detain individuals, nor do we enforce laws or make administrative decisions.

Because of our duties and functions, access to reliable and accurate information is the essence of what we do. CSIS understands its unique role in this regard and therefore strives to diligently manage and protect information it collects.

In this regard, Mr. Chair, in August 2015, the Security of Canada Information Sharing Act, or SCISA as I'll refer to it, entered into force, providing explicit authority for Government of Canada departments and agencies to share information with designated recipients in accordance with the relevant provisions of the act. CSIS is a designated recipient under this legislation.

To give effect to this legislation, CSIS is engaging with partners bilaterally, on a prioritized basis, to renew information-sharing relationships. This incremental approach has being adopted as a practical matter to ensure that relevant legal, policy, and privacy considerations are fully considered.

In fall 2015, CSIS presented its overall approach to the implementation of SCISA to officials at the Office of the Privacy Commissioner. Engagement is constructive and ongoing.

Now to return more specifically to the issue of privacy and access to information, I can tell members that CSIS devotes considerable efforts to addressing all mandatory reporting requirements under the Privacy Act, and we continue to maintain a high performance standard in its administration.

The service's ATIP section has 15 employees who fulfill the service's obligations under the Access to Information Act and Privacy Act, a relatively small number of resources, given the volume and complexity of the requests that we have, but they have demonstrated that they are up to the task.

During the 2015-16 fiscal year, CSIS received 1,212 requests under the Privacy Act alone, an increase of 149% over the previous year. Despite this—and I am rather proud to be able to tell you this—CSIS achieved an on-time completion rate of 99%.

CSIS is also one of 32 government institutions that accept online access to information requests, which has contributed to the increase in the number of requests that we receive.

I would also note that CSIS has a very productive relationship with the Office of the Privacy Commissioner in regard to complaints, and our ATIP section works diligently with the Office of the Privacy Commissioner to address every complaint that is filed.

As you are aware, the Privacy Act grants individuals the right to access their personal information. We diligently strive to balance the individual's right to access and our operational requirements to safeguard sensitive information pertaining to lawful investigations.

With respect to access to personal information, it is easy to appreciate why CSIS information requires some special consideration. It includes information on active national security investigations as well as information on investigative techniques that are unique to CSIS.

We also have to protect the personal safety of our employees and human sources who provide information to us. Of interest, there are a number of personal information banks that are unique to CSIS, including investigational records, security assessments, and advice.

The majority of Privacy Act requests to CSIS are for information contained in these banks. The investigational records bank, for instance, includes personal information on identifiable individuals whose activities are suspected of constituting threats to the security of Canada, and on identifiable individuals who are or were confidential sources of information. Clearly, these are records that must be protected.

While in principle this may seem straightforward, in practice it presents challenges. For example, we receive requests from individuals who are subjects of investigations, but also many more from individuals who are not and who have never been part of an investigation. Our policy is that we will neither confirm nor deny the existence of records in those circumstances. To do so would inadvertently confirm our investigative interests.

It should be noted that each privacy request is established and reviewed on a case-by-case basis. For each request, CSIS seeks to strike a balance that satisfies the legislated disclosure requirements and the need to protect matters of national security, public safety, and individual privacy.

I hope this usefully illustrates the balance that is achieved in fulfilling our obligations under the Privacy Act and our mandate under the CSIS Act. More broadly, all of CSIS' activities are pursued within a broad framework for accountability, both internally and externally. CSIS maintains an open relationship with the Privacy Commissioner, who is charged with overseeing compliance with the Privacy Act. Our activities are also subject to review by SIRC, the Security Intelligence Review Committee, which reports to Parliament on our operations.

I welcome the opportunity to appear before the committee today to discuss these matters, and with that, Mr. Chair, I will conclude my remarks.

11:30 a.m.


The Chair Conservative Blaine Calkins

Thank you very much, Mr. Peirce. We'll now have our last witnesses from the Department of Citizenship and Immigration.

Ms. Beck, you're going to lead us off for up to 10 minutes, please.

11:30 a.m.

Stefanie Beck Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration

Thank you.

Good morning, Mr. Chair and members. My name is Stefanie Beck. I am the assistant deputy minister of corporate services at Immigration, Refugees and Citizenship Canada.

I'm joined by Audrey White, the director of our access to information and privacy division.

We've been here before to talk about access to information, and we are very happy to be back to talk about privacy as well. Thank you very much for welcoming me and my colleagues here today. We're very happy to provide IRCC's input into this important matter.

We congratulate the committee on its study. It has been more than three decades since the Privacy Act came into play. I know we all agree it's time for an update. As the Privacy Commissioner has pointed out to this committee, developments in technology have made it possible to collect and retain enormous amounts of information. We must make sure that our ability to safeguard this information reflects this reality.

Mr. Chair, before I take questions from the committee, I would like to provide an overview of how Immigration, Refugees and Citizenship Canada deals with the challenges of protecting the personal information entrusted to it. It's a duty my colleagues and I take extremely seriously.

Our department has an access to information and privacy division with approximately 70 staff and a network of 85 liaison officers across the many branches and regions of the department.

Immigration, Refugees and Citizenship Canada receives more privacy requests than any other federal institution. In 2015-16, our most recent reporting year, we received 15,292 privacy requests. This year, we expect to receive over 16,000 requests.

I had the opportunity to appear before this committee earlier this year. Today, I will focus my comments on the Privacy Act.

Due to the nature of our work, which involves the processing of over 2.8 million applications for permanent and temporary residence every year, we receive an enormous amount of documentation containing personal information every day. This comes in every format—digital, print, and even photographs.

At IRCC, protecting privacy and personal information is paramount. The department has named a chief privacy officer to provide strategic leadership and direction on privacy. IRCC will hold its first annual privacy day next month. We plan to bolster privacy awareness and to champion the protection of personal information among staff. IRCC runs mandatory and voluntary online and in-person training activities such as workshops and awareness sessions. This is an ongoing process, not just once a year when it happens to be privacy day.

We have also adopted a widely disseminated privacy framework that promotes best practices for the handling of personal information all across the department. The privacy framework outlines key responsibilities and establishes a common set of standards and procedures. It identifies key privacy principles, such as limiting the collection, use, disclosure, and retention of information. The framework also provides employees with tools to ensure they are meeting their responsibilities and following the appropriate practices in line with Treasury Board Secretariat and departmental policies.

Just as a couple of examples, the privacy framework provides employees with information to ensure they are fully aware that personal information can be collected only as set out in IRCC's enabling legislation, primarily the Immigration and Refugee Protection Act, the Citizenship Act, and the Canadian Passport Order. It emphasizes that only employees with the appropriate security clearance should have access to personal information, and furthermore, that access to personal information should only be granted on a need-to-know basis. It's not sufficient just to have clearance, you have to need to know the information.

These principles that are at the heart of IRCC's privacy practices closely reflect many of the concerns raised by the Privacy Commissioner.

IRCC’s privacy practices are in line with most of what is contained in the commissioner’s recommendations for changes to the Privacy Act.

For example, as recommended by the commissioner, IRCC follows the Treasury Board Secretariat's policies, as well as its own privacy breach guidelines, which require all privacy breaches considered material in nature to be reported to the Privacy Commissioner and to the Treasury Board Secretariat.

The commissioner also recommends that government institutions be required to conduct privacy impact assessments for new or significantly amended programs, and to submit these assessments to the Office of the Privacy Commissioner before implementing the programs.

Again, Mr. Chair, this is something IRCC already does by following the privacy policies of the Treasury Board Secretariat and our own internal ones. Furthermore, in certain complex cases, IRCC officials will meet with the Privacy Commissioner's office to inform them in advance of the initiative and to provide a detailed briefing on potential impacts regarding privacy. We find that seeking feedback at an early stage enables us to develop better products.

These are just a couple of examples, Mr. Chair, of how the majority of the recommendations put forward by the Privacy Commissioner align with our practices for managing and handling personal information.

I should mention that there is one recommendation that could have a significant operational impact on our work. As you know, Mr. Chair, the Privacy Act currently affords access rights only to Canadian citizens, permanent residents, or people physically present in Canada. Currently, foreign nationals and those outside of Canada can obtain access to their personal information by hiring a Canadian representative and filing a request under the Access to Information Act. We discussed this the last time I was here, and as you know, they pay a fee when they make a request under the Access to Information Act.

The Privacy Commissioner has recommended that foreign nationals and those outside Canada should be able to submit a request for their personal information under the act. Our concern with this proposal is that, because of IRCC’s lines of business and international mandate, the proposed recommendation could lead to an enormous increase in privacy requests that would place an undue burden on our resources and create considerable operational constraints. This could seriously compromise our ability to meet the deadlines for responding to requests as set out in the act.

Mr. Chair, I would like to thank you again for the invitation to provide IRCC’s views on this important subject.

I'm happy to answer your questions.

11:35 a.m.


The Chair Conservative Blaine Calkins

Thank you very much, Ms. Beck. We appreciate that.

We are going to proceed to our rounds of questioning.

I'll just remind my colleagues at the table that our questions should be eliciting responses pursuant to the study of the Privacy Act that we're undertaking right now.

Mr. Massé, you have seven minutes.

11:35 a.m.


Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair. Are you worried our questions won't be related to the specific field of the study? I'm kidding.

Thank you for being here this morning as witnesses. Your presence is greatly appreciated. This study is very important for the committee.

Thank you, Ms. Marcoux. You covered the essence of my question.

My question is for the four organizations. Please answer with a yes or no. I want to know whether all your employees receive training on their privacy responsibilities.

11:35 a.m.

Director General, Corporate Secretariat, Canada Border Services Agency

11:35 a.m.

Chief Strategic Policy and Planning Officer, Royal Canadian Mounted Police

11:35 a.m.

Assistant Director Intelligence, Canadian Security Intelligence Service

Michael Peirce

Yes, absolutely.

11:35 a.m.

Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration

Stefanie Beck


11:40 a.m.


Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC

Thank you.

Given the complexity of your organizations, the number of employees in your organizations, the number of documents you develop and receive, and all your complex information systems, how can you ensure the personal information in those systems and documents is properly protected?

Obviously, the question is broad. It can be answered in one or two minutes.

In short, how can you confirm the personal information in your possession is properly protected?

We'll start with Mr. Mundie.

11:40 a.m.

Director General, Corporate Secretariat, Canada Border Services Agency

Robert Mundie

I'll start and then ask Mr. Proulx to add his comments.

The first thing, as you mentioned, is the training that's provided to our employees, so that there's an awareness of the act and how it applies to our operations. We have different types of training for different situations, from online to in-class to very specialized sessions for people who have particular functions within the organization. That's a key element.

Awareness is something that I support at the executive table and through different activities that are conducted on a regular basis. That's the awareness component.

We do a lot to prepare ourselves in terms of understanding the implications for privacy of different programs. We have privacy impact assessments that are prepared and occasionally refreshed, depending on changes in our environment in the program. We do consultations with the Office of the Privacy Commission on those. We have a clear understanding of what the implications are for us. We have mitigation measures that we can put in place whereby we identify potential risks to privacy due to our operations. Those are a couple of things that I would identify.

Dan, is there anything else you want to add?

11:40 a.m.

Dan Proulx Director, Access to Information and Privacy Division, Canada Border Services Agency

I would add that our agency records are always properly classified and properly designated.

We have a departmental security officer who we follow regarding the strict security requirements on the safeguarding of the information. We have an IT infrastructure that keeps all of that intact.

The same applies to my ATIP office. It's all on a need-to-know basis. We make sure that the information we retain is accurate and up to date and that it is treated according to its designation and classification.

Thank you.

11:40 a.m.

Chief Strategic Policy and Planning Officer, Royal Canadian Mounted Police

Rennie Marcoux

I'll answer part of the question and then I'll turn the floor over to my colleague, if you don't mind.

As mentioned by my colleagues from the agency, our employees receive ongoing training and in-depth training. Privacy policies are in place. The employees responsible for access to information and privacy work closely with the staff in charge of information management in the RCMP. There is also information technology and oversight mechanisms implemented by the Privacy Commissioner. The duty to report privacy breaches creates a certain level of discipline and awareness in the organization. Lastly, the Office of the Privacy Commissioner regularly audits our information.

I'll now turn the floor over to Mr. Oliver.

11:40 a.m.

Assistant Commissioner Joe Oliver Assistant Commissioner, Technical Operations, Royal Canadian Mounted Police

Thank you, Ms. Marcoux.

I'll answer in English.

When it comes to the protection of information, we also follow the government's policy on security, which that includes a suite of policies on things such as physical security controls, personnel security controls, and IT security. When I talk about physical security, that could mean high-security areas where there's sensitive information. Only certain individuals will have access, so there's restricted access into high-security zones. When it comes to individual access, people are security cleared to a certain level. There are security controls in terms of the reliability of individuals to access information and the need to know and the right to know. The IT systems are also configured in such a way that certain individuals will only have access to certain information. For instance, in our National Sex Offender Registry, it's only those individuals within the national sex offender program who are designated who can access that information, not everybody in the RCMP.

There are administrative controls put on our security systems, as well as built-in controls to prevent cyber-attacks and those types of things.

I will conclude with those remarks. Thanks.

11:45 a.m.


Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC

Thank you.

11:45 a.m.

Assistant Director Intelligence, Canadian Security Intelligence Service

Michael Peirce

I'll start and then I'll turn the floor over to my colleague.

Protecting information is part of our core business. Every piece of information that we collect, that we retain, is reported into a specific data bank. Those data banks have limited access, so that they are not available to individuals throughout the organization. Again, this is similar to what Ms. Beck referred to. It's the need-to-know principle that governs, and we have strong restrictions on the access to that information within the service.

We train our people from day one in how to manage information that they collect. When you enter the service, particularly as an intelligence officer, you undergo a course of training before you ever begin to work, so that you know how to collect, manage, and report information, and report it into the right area. We track all of the information that's reported. We have systems that allow us to call it up quickly, particularly because we may need that information in an urgent situation with respect to national security. It also facilitates our ability to respond to privacy requests, which is one of the reasons why we have such a high response rate within the allotted times.

Besides that, we have an ethic of compliance within the organization that leads us to ensure that our people are constantly retrained on how to do this work, how to make sure that they're reporting it in the right place, and that we're protecting the information and that it can't be inadvertently disclosed, both because we have to protect personal information and because we have to protect national security.

11:45 a.m.


The Chair Conservative Blaine Calkins

We're already at eight minutes in the seven-minute question, but I do want to give Citizenship and Immigration a chance. Just be as succinct as you can, please.

11:45 a.m.

Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration

Stefanie Beck

I could just say what they said, because, in fact, I think we all approach it the same way. There are really three major aspects: the personnel side, the physical side, and the IT side. We have similar structures in place on the prevention and detection and the auditing to make sure that it doesn't happen in the first place, but that if it does happen, that we catch it quickly and we deal with it.

11:45 a.m.


The Chair Conservative Blaine Calkins

Thank you very much.

We'll now move to Mr. Kelly for up to seven minutes.

11:45 a.m.


Pat Kelly Conservative Calgary Rocky Ridge, AB

This is my first question. I'd like to start with Mr. Peirce.

Are you concerned that any of the Privacy Commissioner's recommendations would impede CSIS in performing its duties, and if so, which ones would? Are there particular recommendations that you might struggle with as an organization in fulfilling your mandate?