Good morning, Mr. Chair and members of the committee.
I'm pleased to be here this morning before you, and with my colleagues.
My name is Michael Peirce. I am the assistant director of intelligence at CSIS. I am responsible for the production and dissemination of service intelligence. I am also responsible for matters pertaining to litigation and disclosure, including access to information and privacy.
I want to thank you for the invitation to be here today to contribute to your study of the Privacy Act, and for the opportunity to provide some insight into how CSIS manages privacy requests.
To begin, I would like to assure members that privacy and the protection of personal information are essential considerations for the service, both in its collection activities and in the information management policies and practices of our organization. Balancing transparency and accountability with our operational requirements is an ongoing effort that we respect and take seriously.
As is every other government institution, CSIS is subject to the Privacy Act. In that context, CSIS's mandate and operational activities create distinct requirements as they relate to privacy and access to information. That being said, and to contextualize my statements here today, I would like to provide members with a brief overview of CSIS's authorities and reasons that special consideration is required to protect the integrity of the work that we do.
CSIS's mandate is clearly defined in the CSIS Act. We are authorized to collect information only to the extent strictly necessary on activities suspected of constituting a threat to the security of Canada.
These threats are explicitly defined in section 2 of our act. They are limited to terrorism, espionage, sabotage, and foreign interference. In order to achieve our mission—that is, to protect national security—we collect this information to detect, assess, and respond to threats to the security of Canada. In terms of our response, we are specifically mandated to advise government on matters of national security, which can include sharing information with partners to inform their lawful investigations or their enforcement actions.
I would note, however, that CSIS itself is not an enforcement agency. We do not have the authority to arrest or detain individuals, nor do we enforce laws or make administrative decisions.
Because of our duties and functions, access to reliable and accurate information is the essence of what we do. CSIS understands its unique role in this regard and therefore strives to diligently manage and protect information it collects.
In this regard, Mr. Chair, in August 2015, the Security of Canada Information Sharing Act, or SCISA as I'll refer to it, entered into force, providing explicit authority for Government of Canada departments and agencies to share information with designated recipients in accordance with the relevant provisions of the act. CSIS is a designated recipient under this legislation.
To give effect to this legislation, CSIS is engaging with partners bilaterally, on a prioritized basis, to renew information-sharing relationships. This incremental approach has been adopted as a practical matter to ensure that relevant legal, policy, and privacy considerations are fully considered.
In fall 2015, CSIS presented its overall approach to the implementation of SCISA to officials at the Office of the Privacy Commissioner. Engagement is constructive and ongoing.
Now to return more specifically to the issue of privacy and access to information, I can tell members that CSIS devotes considerable efforts to addressing all mandatory reporting requirements under the Privacy Act, and we continue to maintain a high performance standard in its administration.
The service's ATIP section has 15 employees who fulfill the service's obligations under the Access to Information Act and Privacy Act, a relatively small number of resources, given the volume and complexity of the requests that we have, but they have demonstrated that they are up to the task.
During the 2015-16 fiscal year, CSIS received 1,212 requests under the Privacy Act alone, an increase of 149% over the previous year. Despite this—and I am rather proud to be able to tell you this—CSIS achieved an on-time completion rate of 99%.
CSIS is also one of 32 government institutions that accept online access to information requests, which has contributed to the increase in the number of requests that we receive.
I would also note that CSIS has a very productive relationship with the Office of the Privacy Commissioner in regard to complaints, and our ATIP section works diligently with the Office of the Privacy Commissioner to address every complaint that is filed.
As you are aware, the Privacy Act grants individuals the right to access their personal information. We diligently strive to balance the individual's right to access and our operational requirements to safeguard sensitive information pertaining to lawful investigations.
With respect to access to personal information, it is easy to appreciate why CSIS information requires some special consideration. It includes information on active national security investigations as well as information on investigative techniques that are unique to CSIS.
We also have to protect the personal safety of our employees and human sources who provide information to us. Of interest, there are a number of personal information banks that are unique to CSIS, including investigational records, security assessments, and advice.
The majority of Privacy Act requests to CSIS are for information contained in these banks. The investigational records bank, for instance, includes personal information on identifiable individuals whose activities are suspected of constituting threats to the security of Canada, and on identifiable individuals who are or were confidential sources of information. Clearly, these are records that must be protected.
While in principle this may seem straightforward, in practice it presents challenges. For example, we receive requests from individuals who are subjects of investigations, but also many more from individuals who are not and who have never been part of an investigation. Our policy is that we will neither confirm nor deny the existence of records in those circumstances. To do so would inadvertently confirm our investigative interests.
It should be noted that each privacy request is established and reviewed on a case-by-case basis. For each request, CSIS seeks to strike a balance that satisfies the legislated disclosure requirements and the need to protect matters of national security, public safety, and individual privacy.
I hope this usefully illustrates the balance that is achieved in fulfilling our obligations under the Privacy Act and our mandate under the CSIS Act. More broadly, all of CSIS's activities are pursued within a broad framework for accountability, both internally and externally. CSIS maintains an open relationship with the Privacy Commissioner, who is charged with overseeing compliance with the Privacy Act. Our activities are also subject to review by SIRC, the Security Intelligence Review Committee, which reports to Parliament on our operations.
I welcome the opportunity to appear before the committee today to discuss these matters, and with that, Mr. Chair, I will conclude my remarks.