Information & Ethics Committee on Oct. 25th, 2016

We try to do that at the beginning, especially for policy development work. Early engagement is always the best, based on our experience. They have a lot of good ideas, information, and experience to share, so if you can start your deliberations with the Privacy Commissioner at the beginning of your policy development, we think it is an asset, and you go from there.

To touch a bit on the question that you asked before, and this one as well, regarding the CBSA's written collaborative arrangement you were asking about, and the sharing of information either with levels of government or with international entities, for example, we always define specific elements of personal information to be shared. We always define a specific purpose of the sharing in our working collaborative arrangements. We limit the secondary use and onward transfer of our information, and we outline other measures to be prescribed by regulations, such as specific safeguards, retention, and accountability measures. In all of our purposes for information-sharing, there are always caveats regarding each disclosure that prohibit the activities, or the ongoing sharing of information, unless it's permitted by law or they obtain our permission to do so. Another way to make sure things are done the right way is through audit and redress as well.

Once you build the agreement and it's signed by the two parties, there should be no exceptions to the rules, because it's a signed understanding between two governments or two countries. Apart from audit, I guess you would not know if everyone is respecting their side of the agreement, but they're all in writing for us, when you're talking about agreements with other entities or international partners that are not covered in the consistent use provision that we talked about earlier.

The RCMP does have a very co-operative, collaborative, and constructive relationship with the Office of the Privacy Commissioner. We don't necessarily consult them at the beginning of a draft policy that's in the works, but doing so would be in our interest as the policy starts to take shape, and we start identifying privacy implications. Then we do reach out and get their advice, for sure.

We wouldn't do it at the beginning, not at the twinkle-in-the-eye portion, but when we have something a little more substantive we can exchange on, we do.

Early engagement is the principle. What constitutes early engagement? As my colleagues have said, it's an art to determine that now is the time to go. It's in our interests to work with them and to ensure that they understand what we're trying to achieve and to get their guidance in trying to achieve it.

Interpol is an organization of more than 180 members. There are information-sharing arrangements put in place when it comes to specific information. Those are based on agreements. There is a structure around how that information is shared. What I could say is that sharing your information is never taken lightly. It's always considered in the context of the relevancy, the accuracy, the need to know, the right to know, and all of those things, which is consistent with the principles that we live by in Canada—and with our values, of course.

But I can't emphasize enough the importance of the right time for information to be shared quickly and efficiently, as exemplified by the case in Strathroy, Ontario, in which information was received in the early hours of the morning. It was then shared with local law enforcement agencies. That prevented a terrorist attack from happening in Canada.

Those types of things show us the value of sharing information in an efficient and effectively managed situation, with the understanding that it be done responsibly and with the appropriate caveats and so forth.

I would say that you articulated the balance that is there. It's a challenge that we live with every day in our work. We certainly strive to share information in a proportionate way. It is, in some respects, even more complex than just the dynamic that you've suggested, because in sharing information we have to be mindful of the individual's interests, the personal information being shared, for instance. We also have to look at the impact of our capacity to continue to investigate. In situations where we have threat-related information, we have to consider whether sharing in that situation is required to counter the threat, and what the impact will be on the investigation itself. Is there a risk of disclosure of a human source in sharing the information? Is there a risk of disclosure of a technical source in sharing the information?

It's a very complex matrix in making that call. That said, certainly, in any circumstances where there is a risk of imminent harm—the Strathroy example is an outstanding one—we will act quickly to share that information with our police colleagues, to ensure that preventative action can be taken.

Yes. I'm somewhat familiar. I don't know all of the details of that particular case, but it's under the Customs Act that officers have the right to access the goods that someone possesses. It's the interpretation of what is a good. A cellphone is a good, and its contents were considered a good for review.

What is often found, in terms of child pornography cases, is what's found on hardware. The issue is the consent that the individual is providing to access that information. It is an outstanding legal question, and we're getting some jurisprudence from it as a result of cases such as this.

Technology has actually improved the lives of Canadians, and we've adopted technology more quickly than most nations. We spend the most time online. But with the advancements in technology also come opportunities for criminals and terrorists who can use that technology as well.

Investigating crime in the digital age is particularly challenging for law enforcement when it comes to our ability to collect evidence, and there are a number of barriers: whether we have the ability to intercept certain types of information, the use of advanced encryption when we know that evidence exists, the lack of data-retention standards in Canada, things like the Cloud, and the fact that evidence may be stored outside of Canada's jurisdiction.

Even with judicial authorization, even when we've gone to a judge and convinced a judge that we believe that evidence exists at a specific location, and we convince a judge that we have the authority to go search, we are impeded by things like encryption. In fact, one of the biggest barriers to advancing investigations in the digital age is encryption.

I'm not against encryption, because to me encryption is the same idea as police advising people to lock their doors and protect their belongings. But when it comes to the public's expectation of policing, if someone is actually committing a crime in a certain dwelling or in a building, and there's information that the crime exists or there's evidence of that, there's an expectation from the public that we would go in, and get that evidence, and pursue the investigation. In the current digital environment, we are severely encumbered by the inability for us to get past encryption.

In fact, it's recognized even by the Canadian Association of Chiefs of Police. This is not just a question of encryption in national security cases; it's a question of fraud, identity theft, and it's seen throughout the policing community. One of the resolutions that was passed by the Canadian Association of Chiefs of Police called on the federal government to enact some sort of legislation that would give police the authority to go to a judge and seek an order that would compel someone to give their password.

In the context of law enforcement, we don't have an authority, such as CBSA has in the border zone, which the court has recognized as a unique environment. We have to seek authority and judicial authorization to obtain certain authorities to compel the production of information. While it's controversial, it's one of the most significant barriers we're confronted with today. I think the response will have to be measured and transparent, and it will have to include things like safeguarding rights, and accountability when it comes to police using some sort of coercive powers, if that's the direction the government so chooses to go.

Thank you for your question. You're absolutely right in your description of it. Our ability to share information is fundamental to our mandate, and describing the relationship with the RCMP is a useful way of exploring it.

Certainly l can say unequivocally that the relationship with the RCMP has never been better. We work extremely closely together. The way we work together operates within, quite frankly, a difficult legal environment because it is a challenge to protect our information when we do share it, and it's very important to us to be able to protect that information for our ongoing investigative purposes.

When we share information with the RCMP, we do it according to an agreed-upon structure called the one vision process. That process ensures that we can sit down with the RCMP regularly and share strategically first of all. So here's the overall picture in regard to a threat, and we can discuss at that level who is going to take the lead on it, who is going to manage it, and how. In some circumstances when we do that, the RCMP will say to us, “We would like a disclosure letter from you that simply discloses the fact of the threat” and that can be used then to launch an investigation by the RCMP.

In some circumstances, the RCMP may not be in a position to investigate to the level that we're currently investigating, so for instance, if we have human sources next to the target of investigation, the RCMP may not be in a position to get up and running as quickly as necessary, and we'll have to share information beyond the mere disclosure of the threat. In so doing, we'll share it in the form of an advisory letter with the RCMP to give them additional information that allows them to, for instance, potentially go and get a part VI warrant under the Criminal Code to intercept communications and facilitate that.

All of those discussions that we have with the RCMP are then documented in a record of decision that says, “This is what we discussed in regard to the case. This is the action that's going to be taken in regard to it”, and then the two organizations will continue on.

At any given time, if an issue arises, we are able to reconstitute the meeting and discuss further the strategic approach to it. That allows us to protect our information to the greatest extent possible. There still will be situations, particularly of imminent threat, in which we have to respond quickly and have to provide the necessary information, and in those circumstances, we may be called upon to disclose investigative information that may actually put at risk our investigation. But, in the face of imminent harm, we'll take that step.