Information & Ethics Committee on Nov. 17th, 2016

Thank you for the invitation to be here today to discuss the Security of Canada Information Sharing Act, or what we call SCISA. In addition to being a potential recipient of information disclosed under SCISA, Public Safety helps facilitate the use of the act by departments and agencies, and in collaboration with our colleagues at the Department of Justice we played a role in the development of the act.

As you know, the government is reviewing the act to ensure that it furthers collective security while respecting Canadians' rights and freedoms. We believe your study will be most helpful as part of this review process.

With my opening remarks, I would like to provide you with background on three areas of significant discussion: what information institutions are authorized to collect, the disclosure threshold, and how the SCISA works as a discretionary authority within the framework of the Privacy Act.

I will conclude by discussing Public Safety Canada's role for the SCISA.

I will briefly outline how SCISA fits into the history of policy on national security information sharing at the federal level. I will try to condense my notes here.

Back in 2004 the Auditor General examined how departments and agencies work together to investigate and counter threats. Then, and again in a follow-up report in 2009, she found that departments and agencies were not sharing intelligence information because of concern with violating provisions of the Privacy Act or the Charter of Rights and Freedoms, whether this concern was valid or not.

There were a number of commissions, and I won't go through the details here: in 2006, Justice O'Connor; in 2010, the commission of inquiry for the bombing of Air India; and finally, in 2011, the government of the day committed to an action on the issue of information sharing in its action plan on Air India flight 182. In 2015 that commitment was fulfilled with the introduction of SCISA.

SCISA permits disclosure of information related to an activity that undermines the security of Canada when the information is relevant to the jurisdiction or responsibility of an institution listed as a potential recipient. Institutions are listed as recipients because of their national security responsibilities, meaning that they could, in accordance with the law, already collect this type of information. The important point to underline here is that SCISA does not change their collection authorities.

As noted, disclosure hinges on whether information relates to an “activity that undermines the security of Canada”. This is defined in section 2 of SCISA to include any activity that undermines Canada's sovereignty, security, or territorial integrity, or the lives or the security of the people of Canada. Some activities that could fall within the scope of this definition are also listed in SCISA as examples.

The definition of “activity that undermines the security of Canada” is broader than the definition of “threats to the security of Canada” used in the CSIS Act. SCISA's definition is broader to capture the role not only of CSIS but also of all departments and agencies with a national security jurisdiction or responsibility.

It's important to remember that information can only be shared if it is relevant to the specific jurisdiction or responsibility of the recipient institution within their respective authorities.

As a threshold, “relevant” allows institutions to disclose information when it is linked to the mandate of the recipient institution. “Relevant” also integrates important aspects of responsible information sharing. In particular, to reasonably determine whether information is relevant, the institution must assess whether the information is accurate and reliable.

Finally, “relevant” requires that the connection be real and present at the time of disclosure. Information cannot be disclosed on the basis that it is potentially relevant or will likely be relevant at some time in the future.

Lastly, if there is a legal restriction or prohibition on disclosing information, SCISA does not apply.

The Privacy Act includes a general restriction on disclosing personal information without the consent of the related individual. However, as noted in section 8 of the Privacy Act, it also includes a list of situations in which personal information can be disclosed despite this general restriction. For example, personal information may be disclosed for the purpose for which the information was collected. In addition, personal information may be disclosed in accordance with disclosure authorities in other acts of Parliament, such as SCISA.

When they receive information disclosed under SCISA's authorities, as noted in section 4 of the Privacy Act, departments and agencies must still ensure that personal information “relates directly” to an operating program or activity before they collect it.

In addition to these requirements, departments and agencies must also continue to abide by government requirements. These include the Treasury Board Directive on Privacy Impact Assessment.

Privacy impact assessments, or PIAs, help institutions ensure they are meeting the Privacy Act obligations. Under the directive, a PIA must be initiated whenever a substantial modification is made to a program or activity. While SCISA has no impact on collection authorities, the way programs or activities collect information under these authorities may change. If there are changes that result in a program or activity being substantially modified, a PIA is required.

While each institution is responsible for how they implement SCISA, Public Safety's role is to help institutions understand the act. To that end, we create guidance on SCISA. We've conducted information sessions for government officials and we released a framework to guide SCISA's implementation. We continue to provide support to government departments and agencies, as required, and are looking to improve the guidance we provide, including addressing the issues raised recently by the Privacy Commissioner in his annual report.

The Minister of Public Safety has also written to his colleagues regarding the importance of completing PIAs when required. Looking forward, the national security consultation launched by the Minister of Public Safety and the Minister of Justice represents an important step forward on Canada's national security framework. The input we are receiving on, for example, how activities under the act are reviewed, the list of potential recipients, and record-keeping of SCISA disclosures is of great value to us as policy advisers to the government.

I look forward to discussing this topic with you today and reading the outcomes of your study.

Thank you.

Thank you, and thank you for the invitation to appear before the committee this afternoon.

I'm Alison Whelan, executive director, strategic policy and external relations within the federal policing program of the RCMP. I'm joined today by Chief Superintendent Scott Doran, from federal policing criminal operations at national headquarters.

Our respective groups were responsible for developing the RCMP's position on the Security of Canada Information Sharing Act, or SCISA, and for ensuring the appropriate information-sharing safeguards are in place on coming into force.

Chief Superintendent Doran and I welcome the opportunity to discuss the act and the RCMP's broader collection, retention, and protection of information related to the organization's national security criminal investigations. This includes the personal information of individuals, both Canadians and non-Canadians, identified during the course of national security criminal investigations.

Prior to the implementation of SCISA, the RCMP had broad authority to exchange national security-related information with domestic and foreign partners, consistent with its mandate, relevant laws, ministerial directives, and in accordance with operational policy. The authority to collect, analyze, exchange, and store national security-related personal information is essential in order to build cases and present evidence against those who violate Canadian law and, equally, to exonerate those who are falsely accused.

The RCMP's national security-related information exchanges range from the sharing of intelligence reports on the tactics and techniques of terrorist organizations to conversations between law enforcement agencies on prevention techniques to notification to and from partner agencies about possible national security threats and attack plans, as well as the disclosure of private information about individuals as part of ongoing criminal investigations.

From the outset, the RCMP supported our partners in the development of the Security of Canada Information Sharing Act, recognizing that there were some government departments and agencies lacking the authority or clarity to share relevant information to protect Canada's security.

The RCMP has taken a number of steps to inform our members of the act and to establish procedures for sharing, storing, and tracking disclosures and receipts of information.

Pursuant to subsection 5(1) of SCISA, the RCMP commissioner has delegated the authority to receive information disclosed to a select number of senior positions in the national capital region. In fact, the manner in which the RCMP both discloses and receives information through SCISA is managed at national headquarters. For example, federal policing's intake unit is the main point of contact for proactive disclosures to the RCMP by Government of Canada institutions.

In the context of national security criminal investigations, particularly those related to high-risk travellers and returnees, federal policing criminal operations is responsible for managing all proactive disclosures by the RCMP, requests for information to Government of Canada institutions, and the information received.

On the same day the act came into force, a communiqué was distributed to all criminal operations officers responsible for overseeing federal investigations across the country. The communiqué provided information about the provisions of the act, the list of institutions authorized to receive information under the act, and a list of the RCMP officials with the delegated authority to receive information disclosed pursuant to SCISA.

As noted, the RCMP already had the authority to disclose national security-related information to domestic security and intelligence partners. However, for the purpose of SCISA, any information about an activity that undermines the security of Canada that the RCMP discloses or receives through its designated recipient institution will be documented as a disclosure under the act. All correspondence related to SCISA must be documented in the RCMP's secure records management system as well.

Federal policing has also established processes to maintain statistics on disclosures made to and by the RCMP under the act, including what was disclosed, who disclosed it, and when it was disclosed.

As you're likely aware, the Office of the Privacy Commissioner recently commenced an investigation of the Security of Canada Information Sharing Act under section 37 of the Privacy Act. The RCMP welcomes the review and has provided data to the Office of the Privacy Commissioner regarding how many disclosures we have both received and made under the act during the two time frames of August 1, 2015, to January 30, 2016, and February 1, 2016, to July 31, 2016. Engagement with the Office of the Privacy Commissioner is continuing, with meetings set for later this month between representatives of the review team and the federal policing program.

To date, the majority of the disclosures the RCMP has both made and received have been as part of the activities undertaken by the RCMP national security joint operations centre.

Briefly, the national security joint operations centre, or NSJOC, was established by the RCMP in October 2014 as a venue for facilitating real-time information exchange among key government departments and agencies to help disrupt and prevent terrorism-related travel abroad or to mitigate imminent threats of terrorism-related violence at home.

The national security joint operations centre is essential in supporting the RCMP-led integrated national security enforcement teams. These teams, located in Vancouver, Edmonton, Calgary, Toronto, Ottawa, and Montreal, have primary responsibility for investigating terrorism-related files.

To effectively counter the threat of terrorism, all the capabilities, experience, and powers of the Government of Canada must be brought to bear. The national security joint operations centre facilitates this by bringing together most of our federal partners in one place. Since its inception, several departments and agencies, including the Canadian Security Intelligence Service, the Canada Border Services Agency, and Immigration, Refugees and Citizenship Canada, have been co-located in an RCMP facility in Ottawa to facilitate information sharing and enable a coordinated approach to operational decision-making. I would emphasize that the national security joint operations centre neither replaces nor impedes the member agencies' prerogative to make independent operational decisions consistent with their respective mandates and applicable laws.

The key strength of the centre is expedient information sharing for effective responses. The officer in charge of the national security joint operations centre has been delegated the authority by the RCMP commissioner to receive information disclosed pursuant to SCISA.

The work carried out via the national security joint operations centre is an excellent example of how the powers granted under the Security of Canada Information Sharing Act enable information sharing to be better targeted and expeditious. Prior to SCISA, when the RCMP needed to access information from federal departments or agencies outside the national security and intelligence community, there were disparate systems for information exchanges, and they were often lengthy. In some cases requests could take up to three weeks to process and could include more information than investigators truly needed. SCISA allows the personnel at the national security joint operations centre to exchange information in a more streamlined way. We now use a standardized form, and requests are typically processed within 24 to 48 hours. I must stress that this expediency has not come at the expense of privacy; exchanges continue to be made in writing and on a case-by-case basis.

I will close by noting that the RCMP finds SCISA to be a critical component in the information-sharing authorities we already have.

Thank you, and we welcome your questions.

This is my third appearance before this committee.

My name is Robert Mundie, as you probably know. I'm the director general of the corporate secretariat and I'm also the chief privacy officer for the Canada Border Services Agency.

Today I'll briefly outline our operating context in general, and then in particular I'll focus on the manner in which information is shared with other government departments, including under the Security of Canada Information Sharing Act, or SCISA.

The CBSA is responsible for border functions related to customs and immigration enforcement, as well as food, plant, and animal inspection.

The agency administers and enforces two principal pieces of legislation in relation to processing people and goods within the border context: the Customs Act, which sets out our responsibilities to collect duties and taxes on imported goods, interdict illegal goods, and administer trade legislation and agreements, and the Immigration and Refugee Protection Act, which governs both the admissibility of people into Canada and the identification, detection, and removal of those deemed to be inadmissible under the act. The agency also administers over 90 statutes on behalf of other federal departments and agencies.

Given the numerous daily interactions the agency has with individuals and their goods, as well as our relationship with our Public Safety partners aimed at upholding national security, the CBSA is well-versed in information sharing activities that are both lawful and respectful of personal privacy.

Many of CBSA's business lines engage in information sharing for specific purposes. These can include trade and commercial facilitation, criminal investigations, national security screening, and interdiction of illegally imported or exported goods.

Regardless of the reason, when information is shared, two important conditions apply in all cases.

First, all information sharing must take place in strict accordance with Canadian law. The vast majority of the CBSA's disclosures take place under the auspices of either the Privacy Act, section 8, or the Customs Act, section 107. These provisions are structured as blanket prohibitions against disclosure of information, accompanied by a number of very specific exceptions to this prohibition. The Customs Act has an exception for disclosing customs-related information for national security purposes, for example, while the Privacy Act does not explicitly allow for disclosure for national security reasons. Three provisions of the Privacy Act can, however, be used to disclose national security-related information, but they are either too restrictive or cumbersome to be of timely and practical use.

To illustrate, the “consistent use” provision in paragraph 8(2)(a) of the Privacy Act could be used, but it requires that the information that was exchanged was used for a similar purpose for which it was collected. Given different departmental mandates, this is not always a reliably available provision for us to use.

Designated investigative bodies can also request information under paragraph 8(2)(e), but this requires that they be aware of the need to make a request in the first place, because proactive disclosure is not permitted under this provision of the Privacy Act. Proactive disclosures made for the public interest are also permitted by paragraph 8(2)(m), but the process is cumbersome, requiring an average of 10 days for a disclosure to be approved.

SCISA addresses all of these limitations.

The second necessary condition is that the CBSA's information-sharing activities are well governed by policy and by training. Each of the acts mentioned above, including SCISA, has a specific CBSA policy dedicated to information sharing. These policies provide succinct guidance on the assessment of privacy rights, approval levels for each disclosure type, and protection of information, amongst other considerations.

Policy implementation is strongly supported by two well-received online information-sharing training courses, and SCISA was specifically introduced with multiple information sessions in August 2015.

As indicated in the Office of the Privacy Commissioner's report of 2015-16, a review of SCISA-related activities has showed sparing use of the provisions. In the first half of the year of implementation, the CBSA made 24 disclosures under SCISA, and during the same time period, eight disclosures were made to the CBSA.

The agency looks forward to working with all stakeholders in the realm of information sharing and privacy so that we may continue to evolve in the right direction.

In closing, I want to thank you, the committee, for the opportunity to provide our input into your study and for welcoming me here today. I'm happy to answer any questions you may have later.

That's correct.

Great. I'm happy to do so. Thank you very much for having me.

First, I'd like to say that I'm offended that I'm not invited as often as my colleague Mr. Mundie here.

Oh, oh!

Good afternoon, Mr. Chair and members of the committee. My name is Tricia Geddes, and I am the director general for policy and foreign relations at CSIS. Though my branch encompasses a wide range of functions, most relevant to the issue at hand is our role in the development of policy advice on strategic issues as well as the negotiation arrangements with our partners in support of CSIS's duties and functions. In support of these efforts, my branch has taken a leadership role in supporting the responsible implementation of SCISA.

SCISA, as you know, creates an explicit authority for federal institutions to share information with designated recipients. The sharing of this information must be relevant to activities that undermine the security of Canada. By virtue of CSIS's national security mandate, we are a designated recipient under SCISA.

SCISA sets the threshold for disclosing institutions; it does not change CSIS's mandate. We continue to undertake our duties and functions in accordance with the CSIS Act. Our collection authorities are clearly defined in our act. CSIS is authorized to collect information, to the extent that it is strictly necessary, on activities suspected of constituting a threat to the security of Canada. We may also conduct investigations in the exercise of our security screening mandate.

For the purpose of fulfilling our mandate, threats to the security of Canada are explicitly defined in section 2 of the CSIS Act and are limited to terrorism, espionage, sabotage, and foreign interference. These have remained constant since 1984. CSIS must ensure that any information it collects meets its own legislative requirements, irrespective of the authority relied upon by the disclosing institutions.

Effective and responsible sharing of information between government institutions is essential to the common goal of ensuring that Canadians remain safe. Timely access to reliable information is critical to the success of CSIS' lawful investigations. Not only is information essential to identifying and understanding the threats we face, but it also enhances our ability to advise government. CSIS intelligence provides the important insight, it provides situational awareness and informs decision making.

To exercise due diligence, CSIS has adopted a strategic and measured approach to implementing SCISA. CSIS presented its overall approach proactively to the Office of the Privacy Commissioner in the fall of 2015 and has remained engaged with the office on this matter.

As part of its implementation approach, CSIS has worked with key partners to consider the particularities of each relationship and to determine how best to integrate SCISA into the overall relationship. This bilateral approach ensures that all relevant legal policy and operational considerations are assessed with other regimes. Engagement with partners in this regard has occurred on a priority basis that is determined by operational needs and requirements. CSIS and Global Affairs Canada, for example, has signed a new arrangement that governs the sharing of consular information. Whereas our former protocol relied exclusively on the Privacy Act, the new protocol integrates SCISA, filling an important gap, a gap that had been identified by SIRC.

I can confirm that we have received information under the authorities of SCISA in support of active investigations, as noted in the Office of the Privacy Commissioner's 2015-2016 annual report. Information shared during the first six months of SCISA respected the threshold set out in law.

This review is an example of how CSIS' activities can be, and are, reviewed within a broader framework of accountability. The Privacy Commissioner can review CSIS' information-sharing policies and practices and issue public recommendations. CSIS continues to co-operate with the Office of the Privacy Commissioner in the context of its review of SCISA.

CSIS' activities are also reviewed by the Security Intelligence Review Committee, or SIRC, which reports to Parliament on our operations. SIRC's findings and recommendations provide valuable feedback and as a result often have a direct impact on policies and practices.

As you are aware, SCISA is also part of the range of issues being examined in the ongoing national security consultations. Though these issues are rightly a question for the public and Parliament to consider, we welcome the discussion and the opportunity to hear from Canadians on these important issues, many of which are at the very heart of what we do.

With that, Mr. Chair, I conclude my remarks.

I know that we all welcome to your comments, observations, and questions.

Mr. Chair, I can answer that question.

The process is different for different agencies. For instance, we have arrangements with CSIS to exchange information, but what Ms. Whelan was referring to, I think, was the process by which we would use the Privacy Act requests under paragraph 8(2)(e). Because the requests were not exclusively dealing with national security issues but were dealing with all sorts of issues that the force may ask of different agencies, they could be cumbersome, and different agencies actually have large offices to deal with those requests coming in. Those are processed, and they can take a long time.

Sometimes what we're dealing with, especially with the high-risk travellers, is that things are unfolding now, and we need answers as quickly as possible to be able to deal with them.

There are a number of ways in which we can get information. If SCISA allows a federal government department to share with us, it's their prerogative as to whether they do or not. If it's outside of the realm of an act of Parliament, then clearly it could be a constitutional issue, in which case we would acquire a warrant.

Depending on the situation that presents itself, I think we would use the legislation that is available to us.

I have just one point, and this was alluded to earlier on: SCISA does not affect collection. It only deals with disclosure.

If, for example, you need a warrant to collect information, SCISA would not interfere with that. That would prevail in circumstances where it would be required.

I think there may be some misunderstanding about the scope of SCISA. SCISA is a disclosure authority only. It does not deal with the use of the information that's collected by a recipient agency or with any downward disclosure of it to another agency. As long as the threshold in SCISA is met—as long as it's relevant to the national security jurisdiction or responsibilities of the recipient institution—it can be disclosed, but it always operates subject to any other law that limits disclosure.

For example, if there was something in the disclosing institution's operating legislation that prevented that, SCISA does not override it. It only deals with disclosure, and the threshold has to be met for disclosure to occur. It's up to the recipient. Whether it's proactively disclosed or by request, they have to make sure that they are authorized to collect it. Nothing changes their existing collection authorities. They may have a very stringent regime. They may need a warrant to collect it. That continues to apply. Also, how they use it has to be within their existing authorities. SCISA doesn't touch that.

I don't really think it pertains to the situation you're talking about.

It's perhaps useful to explain something about this provision. When we decided to include it, we consulted with operating agencies and departments, which revealed that some civil servants were reluctant to lawfully share information because they were afraid they would be found personally liable in terms of committing a criminal act for disclosing information. It was really done to help allay anxiety and to encourage responsible disclosure, charter-compliant disclosure.

The provision is there to inform public servants that they will be protected from civil liability if they disclose information in good faith, and that's why it was included. It shields individuals. It was not ever intended to shield the crown from immunity, and that may be something that people don't understand.

Individuals who are adversely affected by sharing could begin civil liability proceedings against the crown, which could be found vicariously liable for the actions of its employee, but it wouldn't protect them from criminal liability if they maliciously shared information. That's what that provision is for. I just thought I'd explain.