Information & Ethics Committee on Oct. 25th, 2016

Evidence of meeting #30 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was rcmp.

A recording is available from Parliament.

On the agenda

Privacy Act
Committee Business

MPs speaking

Blaine Calkins
Rémi Massé
Pat Kelly
Daniel Blaikie
Joël Lightbound
Matt Jeneroux
Raj Saini
Bob Bratina
Wayne Long

Also speaking

Robert Mundie  Director General, Corporate Secretariat, Canada Border Services Agency
Rennie Marcoux  Chief Strategic Policy and Planning Officer, Royal Canadian Mounted Police
Michael Peirce  Assistant Director Intelligence, Canadian Security Intelligence Service
Stefanie Beck  Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration
Dan Proulx  Director, Access to Information and Privacy Division, Canada Border Services Agency
Commissioner Joe Oliver  Assistant Commissioner, Technical Operations, Royal Canadian Mounted Police

12:15 p.m.

A/Commr Joe Oliver

From my experience, we put in place the arrangements with them based on guiding principles, and there are guiding principles when it comes to international sharing. We're guided by the ministerial directive in a couple of areas. One is that for any arrangement we have, we must receive advice from Global Affairs, if it's an international arrangement, and legal advice. Global Affairs would have insight and visibility into some of the political dynamics that the RCMP may not have. As we are negotiating, we take that advice and incorporate that into the agreement as well.

When it comes to sharing with national security entities that are international, we also have a ministerial directive on the arrangements that we can enter into with those, and in fact, it limits the number of entities that we can have those arrangements with. But when it comes to compliance—now I can't say in all instances, but in some instances—there are arrangements put in place whereby you can do, not necessarily auditing, but kind of compliance verifications. Of course, if there are instances of a breach of the trust or a breach of the agreement, we can terminate that arrangement as well.

12:20 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

If we can use the Five Eyes as an example, you have one partner, England, the U.K., which probably is integrated with a European intelligence network. You have Australia, which may be integrated with a South Pacific network. It may not be done in a way that is meant to injure, but it may be done because they have to share information with the political geography they're in. That's kind of my question. It's awkward, because you're giving information within the practice of making sure that you share intelligence information, but they may have a requirement to share that information with the political geography they're in.

12:20 p.m.

A/Commr Joe Oliver

Let me just qualify a bit in terms of the RCMP's information-sharing arrangements. Our information sharing is strictly related to criminal investigations, so for law enforcement purposes. We don't share national security intelligence with international partners. That's the role of our colleagues in the service. They perform that function.

When it comes to us sharing, it's on a need-to-know basis with those who have a right to know, and it is specifically limited and focused to a law enforcement objective, either for the receiving jurisdiction, or for Canada receiving information, or for the RCMP, so that we can advance a criminal investigation. It's not as if there is broad information sharing that is not controlled.

12:20 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Mr. Peirce, I'm—

12:20 p.m.

Assistant Director Intelligence, Canadian Security Intelligence Service

Michael Peirce

Do I get a response to that particular question?

12:20 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Yes, I'm very excited to hear your response.

12:20 p.m.

Assistant Director Intelligence, Canadian Security Intelligence Service

Michael Peirce

We have 300 foreign relationships with 150-odd countries. When we enter into a relationship, that must be submitted to the Minister of Public Safety for approval, and that approval will also require consultation with the Minister of Foreign Affairs.

When we enter into a relationship, we will do so on an incremental basis, to test the trust in the relationship. We take slow steps, and we require all institutions, all foreign partners, that we enter into a relationship with, to respect the third-party rule. If we provide information to them, it is not for onward dissemination beyond that organization. If we were to find out that in fact information had been shared beyond that organization, that would compromise our relationship with that organization.

12:20 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

What happens if—

12:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Before we go any further, Mr. Saini, we're past five minutes.

Is this a quick question?

12:20 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

None of my questions are really quick.

12:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Can we come back to you at the end, then, Mr. Saini?

12:20 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Sure.

12:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

I'll move to Mr. Jeneroux.

Go ahead, please.

12:20 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you, Mr. Chair.

Going back to my question on foreign nationals, I'm curious about the impact with the other three departments, if you don't mind weighing in on that particular recommendation from your end.

12:20 p.m.

Chief Strategic Policy and Planning Officer, Royal Canadian Mounted Police

Rennie Marcoux

I would think we would have the same concerns with regard to the implications of opening both the Privacy Act—and I know it's not the mandate—and the Access to Information Act to foreign nationals, just with regard to our ability to comply with the legislation, and, I suspect as well, to confirm that the person making the request is actually the person whose personal information we would or wouldn't share.

12:20 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Okay.

Anybody else?

12:20 p.m.

Director General, Corporate Secretariat, Canada Border Services Agency

Robert Mundie

It's hard to estimate what kind of volume you would get if you opened it up to people outside of Canada.

Certainly anything that adds to our workload and causes us issues, such as Rennie was mentioning—when we want to validate who the person asking for the information is—makes our life more complicated.

October 25th, 2016 / 12:20 p.m.

Assistant Director Intelligence, Canadian Security Intelligence Service

Michael Peirce

We would face the same challenges.

12:20 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

I'll turn it over to my colleague Mr. Kelly.

12:20 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

Could I maybe have a quick comment from each agency on one of the recommendations made by the Privacy Commissioner, the legislation for mandatory breach reporting? I'm wondering about the potential for compounding the damage of a breach against a person by reporting the breach. Perhaps I could have a quick comment from each on current practice and what this recommendation might mean to your organization.

12:25 p.m.

Director, Access to Information and Privacy Division, Canada Border Services Agency

Dan Proulx

I can go ahead.

At CBSA, we have in place a robust privacy breach protocol, and it's aligned with Treasury Board standards. Any new requirements would be aligned with our breach protocol as well.

All employees are trained to use the breach protocol, and there is a direct linkage with the departmental security officer. As you all know, a privacy breach, for example, is first and foremost a security incident, so everything is reported to a centralized office, which is a departmental security office. If it involves personal information, then the privacy breach protocol is triggered. Any material privacy breach that involves personal information right now is reported to the Office of the Privacy Commissioner. That is a new requirement.

Any change in legislation obviously would require adjustment, but at CBSA we're not expecting that making breach reporting mandatory to the Privacy Commissioner will be problematic at all.

12:25 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I'll maybe cut you short there just to give each one a chance since we're have limited time. Thanks.

12:25 p.m.

Chief Strategic Policy and Planning Officer, Royal Canadian Mounted Police

Rennie Marcoux

I would add that we follow exactly the same process as our colleagues from CBSA do, including having a close relationship with our departmental security officer. They're usually reported in as security breaches.

The concern we would have is with the mandatory reporting of all privacy breaches. Now we actually assess the damage, and when there's material damage we will report it to the Privacy Commissioner and Treasury Board. We do that on a regular basis.

I can give you an example where it would be perhaps not deemed necessary to report a privacy breach, if you wish.

12:25 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Mr. Peirce.

12:25 p.m.

Assistant Director Intelligence, Canadian Security Intelligence Service

Michael Peirce

We have a robust regime for reporting on compliance. That regime operates within the service more broadly and includes reporting to the minister, but also we will work with the Office of the Privacy Commissioner and report privacy breaches specifically.

Again, we don't have a large number of those situations that arise currently, so I don't see a particular issue for us in terms of volume.