Information & Ethics Committee on Oct. 25th, 2016

From a bureaucratic perspective, it's always easier if we have legislative authority to do it without having to negotiate a whole separate agreement, if that's what you're suggesting, in order to operate. If we had to write information-sharing agreements among all of us, there are guidelines, drafts, formats, and things like that we could do, but it would seem to me, in an era of red-tape reduction, that is not the direction we would want to take.

The acts are all public, and they are online. As I said, about 50 of ours are already online, and we're reviewing to see which others we could put up. The documentation itself isn't classified in any way. There may be parts of it in some instances. You can even read our information-sharing agreements with the U.K. and the U.S. They're up on our website.

Naturally it would be difficult for CSIS to publicize its relationships with all of the security intelligence agencies around the world with whom we work. That would disclose relationships that are closely guarded by some of our partners at times, relationships that may prove problematic to our ability to gather national security information from them about threats to the security of Canada.

Simply put, some organizations would not work with us if they had to publicize that relationship.

That's correct.

Where we have long-standing relationships whereby the information is regularly shared, normally that is supported by an agreement that outlines the information protections required. However, it would be operationally impossible, I think, to negotiate an agreement with everybody we share with. If you look at the North American context, you have 360 law enforcement agencies in Canada and 17,000 in the United States. Where the offence takes place may have international implications. For us to share maybe a small portion of information with a state police in the United States, we would have to go through an onerous negotiation process for the sharing of information that is relevant to law enforcement. In some instances, this information has to be shared in a timely manner in order to prevent a more serious crime from taking place.

It would be very challenging to negotiate an agreement with everybody we share with. That's why we have strict policies that dictate how we share and with whom we share. There's a need to know and there's a right to know. Plus, we assess the relevancy of any request, the reliability of the information we are sharing, and the accuracy of that information before we share it. Then it's shared with the caveat that for any further dissemination, you would have to come back to the originator in order to share onward.

There's also the ongoing training of our employees so that they understand exactly what their responsibilities are—i.e., to share information or not.

At CBSA we have policies that cover basically all possible legislative authorities for disclosure. We have a policy, for example, under section 107 of the Customs Act. We have a policy under the Privacy Act, section 8. We have a policy under SCISA. Granted, there might not be written agreements for every exchange of information, but there's policy governance to assist with those disclosures.

Now, our concern, if you will, is that you would try to implement a written agreement for all consistent-use disclosures. As you know, the Privacy Act is subject to other acts of Parliament that already have governing disclosure provisions, so in terms of consistent use, to have a written agreement for every single one would be very problematic.

Apart from that, when it's not a consistent use, we would agree, and support, that you need a governing framework, an authority, written and signed, to share that information.

I think it would probably be better for Dan to answer the question on frequency. I think in our last report we did seven or eight in the course of the year...?

At CBSA we do have a lot of privacy impact assessments under development. If I had to guesstimate, I would say we probably have 40 of them on the go right at the present time. We commonly do privacy impact assessments. We do an assessment of the need for privacy impact assessments.

In terms of how we built in the process at CBSA, we start off with what's called a “privacy impact questionnaire”. Basically, that questionnaire is an assessment that is done, based on a review by my office and legal services, to determine if the new program or activity, or the substantive change to the program or activity, requires the development of a new privacy impact assessment. If it does, that privacy impact questionnaire basically serves as chapter one of the PIA. We have a regular review, at a director general level, of all proposed and new PIAs being developed. That is chaired by my director general, Robert Mundie. We have regular follow-ups with the program areas to make sure they're done.

We do have a lot, yes.

No, it would not. Granted, they're challenging and resource-intensive to put together, because they require a certain level of expertise, which you do not have normally in-house either within an ATIP office or within the agency or the program area. That is a challenge we need to look into.

Thank you.

Like CBSA, the RCMP does conduct privacy impact assessments for any new programs or any programs that are substantially amended. Last year, for 2015-16, we completed three privacy impact assessments, and provided three addenda to previously submitted privacy impact assessments. They're listed and explained in depth in our annual report to Parliament.

We're in the same situation. We conduct our privacy assessments. We work with the Office of the Privacy Commissioner in doing so, to make sure that they're effective at providing the information necessary.

The same, as I said in our opening remarks, and in fact we've recently revised our PIA templates and guidelines for the officers writing them. I will say they are lengthy and time-consuming. It's not a simple effort. Even if we're doing, say, seven or eight a year, they can be telephone books, these things.