Evidence of meeting #34 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was scisa.
A recording is available from Parliament.
12:45 p.m.
Director General, National Security Policy, Department of Public Safety and Emergency Preparedness
Also, the case you're talking about was about sharing with another government—
12:45 p.m.
Director General, National Security Policy, Department of Public Safety and Emergency Preparedness
SCISA is about within the government.
12:45 p.m.
Liberal
Joël Lightbound Liberal Louis-Hébert, QC
I understand that completely, but the principles remain that oversharing of information could lead to certain circumstances. I understand the difference, but I think there are some similarities.
Do I still have time?
12:45 p.m.
Conservative
The Chair Conservative Blaine Calkins
We're past seven minutes, Mr. Lightbound. I apologize, but we need to move on.
Mr. Kelly, you have up to seven minutes, please.
12:45 p.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Thank you, Mr. Chair.
Perhaps I might be in some of the same vein with some of my questions.
We've heard from other witnesses in our study about the constant conflict between the necessity of sharing information for the various security and intelligence agencies to be able to do their jobs correctly to protect Canadians, while at the same time continually being aware of the right to privacy that Canadians expect.
Ms. Geddes, we've heard from other witnesses about the importance of both these conflicts, and also with respect to the sharing of information with our Five Eyes partners in particular, as well as with other international partners.
In your view, does SCISA facilitate both these priorities, the priority to be able to make appropriate disclosures of information to protect Canadians and our allies, as well as to maintain Canadians' privacy? Can you comment?
12:45 p.m.
Director General, Policy and Foreign Relations, Canadian Security Intelligence Service
I'm happy to comment. Thank you for the question.
I believe your question was about whether or not we're striking the right balance with SCISA. Speaking from the services perspective, we had experienced some challenges in information sharing, and SIRC had commented on them. In particular, in one of their reports they focused on our information exchanges with Global Affairs Canada and our ability to receive information from Global Affairs Canada.
That is one area in which I think SCISA has been very helpful to us, for sure. I think that's enhancing national security, absolutely and certainly. I can't speak to any specific investigations, but we have certainly been the beneficiary of information there.
While we had been using the Privacy Act for our information exchanges with Global Affairs before this, now that we have the additional powers or the additional clarity around SCISA, there have certainly been some enhancements there, so I feel confident.
I don't know if your second question was more about how we deal with allies and so on in the current threat environment.
November 17th, 2016 / 12:45 p.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
No, I really wanted you to comment specifically on whether SCISA did strike the right balance between the objectives you have for your agency and protecting privacy.
If I may shift a little, perhaps Ms. Sheppard might be the best one to comment on this. I heard more than one presenter repeat an identified concern about individuals who would be reluctant to make a disclosure for fear of violation of privacy law, whether founded or unfounded.
We as a committee, in studying the Privacy Act, have heard from many witnesses about the demands people have for privacy, and yet a failure to communicate important information that results in a crime, perhaps a horrific or catastrophic crime, is of equal concern to Canadians when something like this has happened. Nobody wants ever again to have a commission that looks into how agencies fail to communicate with each other to prevent a crime.
Does SCISA do enough to allay individual concerns that people have over violating privacy law to do their job correctly?
12:45 p.m.
Senior Legal Counsel, Department of Justice
We've intended to have the provisions developed in a way that meets those goals of both encouraging responsible disclosure and doing so in a charter-compliant way. We have the reference in the preamble to the charter. We have guiding principles that are intended to help guide interpretation and application of the act.
In the end, we did not decide to have a compulsion to share information. We very much had the charter privacy protection in mind there. It's a discretionary authority to disclose. It has to be according to case law and exercised in accordance with the charter. The attempt is to encourage disclosure by having one clear authority that applies to all disclosing institutions, some 200 disclosing institutions, so it's laid over the patchwork of regimes that already existed.
In exercising discretion, the agencies would have to keep in mind the very important national security reasons that their information, if relevant, should be disclosed; however, it's not a rubber-stamp exercise, so in exercising discretion they could also have valid reasons for not sharing it. In developing a one-size-fits-all act, we had to think that there might be impacts on ongoing investigations and things that would mitigate against disclosure. We really tried to put a framework in place that would allow appropriate exercise of discretion in a charter-compliant way and encourage the important national security objectives of the act.
12:50 p.m.
Director General, National Security Policy, Department of Public Safety and Emergency Preparedness
Just to add on that, SCISA has proved to be necessary but non-sufficient, in the sense that other than closing legal gaps and having a clear legal framework from which to encourage departments and agencies to share in the national security agencies, it allows more training, learning, or working on educating people, particularly those in the non-national security world, on how those gaps are closed and how they can use the act in a way that creates safeguards and respect for privacy but also helps on the national security front.
12:50 p.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Then I'll give it back, because I'll probably end up going way over if we ask another question.
12:50 p.m.
Liberal
12:50 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Thank you very much.
My first question has to do with the threshold for sharing. Under SCISA it's that the information has to be “relevant” to identifying a national security threat. My understanding is that the Privacy Commissioner has said that is not a strict enough threshold. He believes that it should be “necessary” for the identification of a security threat.
I'm wondering if we could hear, especially from CSIS and the RCMP, what the operational differences for your organizations would be if you were to switch from a threshold of relevancy to a necessity threshold.
12:50 p.m.
Director General, Policy and Foreign Relations, Canadian Security Intelligence Service
Do you want me to go first?
Why don't you start, John?
12:50 p.m.
Director General, National Security Policy, Department of Public Safety and Emergency Preparedness
Threshold is absolutely key. You're right to ask and to think about that. If the threshold's too low, there are, obviously, negative privacy impacts. If it's too high, the benefits to national security and the viability of the act are threatened.
In my remarks I just tried to talk a bit about what relevancy means. It implies a test on the discloser, whether that's amongst the 17 or outside the 17, to understand the reliability and the accuracy. It has to be something that's in real time, and it can't be something hypothetical or future or anything. Is it actually meaningful? It exists elsewhere in other acts in terms of an information threshold.
The key thing for the agencies here, but particularly the non-national security agencies, is as you go up and you think about higher thresholds, you think about what that would mean. You're putting other agencies in a position to be experts on the mandate of the agency you're giving the information to, right? That could create problems. It could create internal constraints. To be challenged on that decision later would obviously be awkward for them. They would have to show that they really understood that mandate, that it was required to give that information for that agency to do its job, and that may create problems. It's just something to think about as you ponder the threshold in your work.
12:50 p.m.
Director General, Policy and Foreign Relations, Canadian Security Intelligence Service
Let me add to that—briefly, because I'll echo exactly what John said.
One concern is that we sometimes are dealing with partners who are not national security experts. In our case in particular, I've been using the example of working with Global Affairs Canada, for instance.
It's difficult. There are consular officials all over the world, and although they are sensitized to national security issues, I don't think any of them would self-purport to be expert on national security. Working with them over the last few months when we've been setting up this protocol to talk about what the national security indicators are that we're looking for, and so on, has been extremely helpful in terms of identifying the types of things we need that would be relevant, but they will never know whether something is absolutely essential. That's why the threshold for us is at an entirely appropriate level, and I think raising it would create some challenges and would put an awful lot of pressure on a consular officer to determine whether such-and-such is relevant or not. I think that would be a very difficult position to put them in.
12:55 p.m.
Director General, Federal Policing Criminal Operations, Royal Canadian Mounted Police
I'll just top that off. The nature of the information itself may sometimes not be self-evident. It's only when you put pieces of information together that the constellation of those pieces will begin to make sense from a national security perspective.
That doesn't necessarily apply to the proactive disclosures, but we may be making a request. When we make a request and we justify the national security issues, we may be after only a birth date or a name or something that in itself is not national security but is needed for the building of the information together.
For it necessarily to be national security-related on its own doesn't account for the collection of information that's available from disparate agencies.
12:55 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
At the moment, who determines and how is it determined what is relevant in the appropriate sense, and at what point is there a time when you step back and someone else as an oversight body looks at how you as an agency have been characterizing “relevant” or how the consular offices have been characterizing “relevant” and whether that's an appropriate way of characterizing relevancy?
12:55 p.m.
Director General, National Security Policy, Department of Public Safety and Emergency Preparedness
The governance structure linked in the act is that the deputy head is ultimately accountable, but the deputy head can create a delegated structure within his or her department that would include the necessary training and the other people who have authority, for example, to make determinations or advise internally on what is relevant.
I'm not sure whether you've met or will meet the Privacy Commissioner on this act, but he's already reviewing the act for exactly that kind of question. How does that internal governance structure work? Who has been trained to what level? How is it working for them to make sure it's up to the standard that he thinks is acceptable?
12:55 p.m.
Director General, Policy and Foreign Relations, Canadian Security Intelligence Service
Just to add to that from the service's perspective, this has happened a number of times. We've had many conversations with the Office of the Privacy Commissioner on this, and it's the sort of discussion we're engaged in on an ongoing basis, because it's something that's critical to our being able to successfully implement SCISA to ensure that we've met that test properly. The discussion is primarily with the Privacy Commissioner, but of course SIRC is also able to take a look at any aspect of it that they would like to look at.
12:55 p.m.
Executive Director, Strategic Policy and External Relations, Federal Policing, Royal Canadian Mounted Police
The RCMP has been active in the OPC's investigation. They're coming in, I believe, as early as next week. They're going to look at our disclosures, our requests, and then the files that they are related to.
We are open to that. As I said, we've sent out the communique and have tried to impress upon everyone their obligations under SCISA so that the people who have been delegated by the RCMP commissioner are well aware of their responsibilities and their duties related to the handling of national security-related information.
12:55 p.m.
NDP