Thank you for the invitation to be here today to discuss the Security of Canada Information Sharing Act, or what we call SCISA. In addition to being a potential recipient of information disclosed under SCISA, Public Safety helps facilitate the use of the act by departments and agencies, and in collaboration with our colleagues at the Department of Justice we played a role in the development of the act.
As you know, the government is reviewing the act to ensure that it furthers collective security while respecting Canadians' rights and freedoms. We believe your study will be most helpful as part of this review process.
With my opening remarks, I would like to provide you with background on three areas of significant discussion: what information institutions are authorized to collect, the disclosure threshold, and how the SCISA works as a discretionary authority within the framework of the Privacy Act.
I will conclude by discussing Public Safety Canada's role for the SCISA.
I will briefly outline how SCISA fits into the history of policy on national security information sharing at the federal level. I will try to condense my notes here.
Back in 2004 the Auditor General examined how departments and agencies work together to investigate and counter threats. Then, and again in a follow-up report in 2009, she found that departments and agencies were not sharing intelligence information because of concern with violating provisions of the Privacy Act or the Charter of Rights and Freedoms, whether this concern was valid or not.
There were a number of commissions, and I won't go through the details here: in 2006, Justice O'Connor; in 2010, the commission of inquiry for the bombing of Air India; and finally, in 2011, the government of the day committed to an action on the issue of information sharing in its action plan on Air India flight 182. In 2015 that commitment was fulfilled with the introduction of SCISA.
SCISA permits disclosure of information related to an activity that undermines the security of Canada when the information is relevant to the jurisdiction or responsibility of an institution listed as a potential recipient. Institutions are listed as recipients because of their national security responsibilities, meaning that they could, in accordance with the law, already collect this type of information. The important point to underline here is that SCISA does not change their collection authorities.
As noted, disclosure hinges on whether information relates to an “activity that undermines the security of Canada”. This is defined in section 2 of SCISA to include any activity that undermines Canada's sovereignty, security, or territorial integrity, or the lives or the security of the people of Canada. Some activities that could fall within the scope of this definition are also listed in SCISA as examples.
The definition of “activity that undermines the security of Canada” is broader than the definition of “threats to the security of Canada” used in the CSIS Act. SCISA's definition is broader to capture the role not only of CSIS but also of all departments and agencies with a national security jurisdiction or responsibility.
It's important to remember that information can only be shared if it is relevant to the specific jurisdiction or responsibility of the recipient institution within their respective authorities.
As a threshold, “relevant” allows institutions to disclose information when it is linked to the mandate of the recipient institution. “Relevant” also integrates important aspects of responsible information sharing. In particular, to reasonably determine whether information is relevant, the institution must assess whether the information is accurate and reliable.
Finally, “relevant” requires that the connection be real and present at the time of disclosure. Information cannot be disclosed on the basis that it is potentially relevant or will likely be relevant at some time in the future.
Lastly, if there is a legal restriction or prohibition on disclosing information, SCISA does not apply.
The Privacy Act includes a general restriction on disclosing personal information without the consent of the related individual. However, as noted in section 8 of the Privacy Act, it also includes a list of situations in which personal information can be disclosed despite this general restriction. For example, personal information may be disclosed for the purpose for which the information was collected. In addition, personal information may be disclosed in accordance with disclosure authorities in other acts of Parliament, such as SCISA.
When they receive information disclosed under SCISA's authorities, as noted in section 4 of the Privacy Act, departments and agencies must still ensure that personal information “relates directly” to an operating program or activity before they collect it.
In addition to these requirements, departments and agencies must also continue to abide by government requirements. These include the Treasury Board Directive on Privacy Impact Assessment.
Privacy impact assessments, or PIAs, help institutions ensure they are meeting the Privacy Act obligations. Under the directive, a PIA must be initiated whenever a substantial modification is made to a program or activity. While SCISA has no impact on collection authorities, the way programs or activities collect information under these authorities may change. If there are changes that result in a program or activity being substantially modified, a PIA is required.
While each institution is responsible for how they implement SCISA, Public Safety's role is to help institutions understand the act. To that end, we create guidance on SCISA. We've conducted information sessions for government officials and we released a framework to guide SCISA's implementation. We continue to provide support to government departments and agencies, as required, and are looking to improve the guidance we provide, including addressing the issues raised recently by the Privacy Commissioner in his annual report.
The Minister of Public Safety has also written to his colleagues regarding the importance of completing PIAs when required. Looking forward, the national security consultation launched by the Minister of Public Safety and the Minister of Justice represents an important step forward on Canada's national security framework. The input we are receiving on, for example, how activities under the act are reviewed, the list of potential recipients, and record-keeping of SCISA disclosures is of great value to us as policy advisers to the government.
I look forward to discussing this topic with you today and reading the outcomes of your study.
Thank you.