This is my third appearance before this committee.
My name is Robert Mundie, as you probably know. I'm the director general of the corporate secretariat and I'm also the chief privacy officer for the Canada Border Services Agency.
Today I'll briefly outline our operating context in general, and then in particular I'll focus on the manner in which information is shared with other government departments, including under the Security of Canada Information Sharing Act, or SCISA.
The CBSA is responsible for border functions related to customs and immigration enforcement, as well as food, plant, and animal inspection.
The agency administers and enforces two principal pieces of legislation in relation to processing people and goods within the border context: the Customs Act, which sets out our responsibilities to collect duties and taxes on imported goods, interdict illegal goods, and administer trade legislation and agreements, and the Immigration and Refugee Protection Act, which governs both the admissibility of people into Canada and the identification, detection, and removal of those deemed to be inadmissible under the act. The agency also administers over 90 statutes on behalf of other federal departments and agencies.
Given the numerous daily interactions the agency has with individuals and their goods, as well as our relationship with our Public Safety partners aimed at upholding national security, the CBSA is well-versed in information sharing activities that are both lawful and respectful of personal privacy.
Many of CBSA's business lines engage in information sharing for specific purposes. These can include trade and commercial facilitation, criminal investigations, national security screening, and interdiction of illegally imported or exported goods.
Regardless of the reason, when information is shared, two important conditions apply in all cases.
First, all information sharing must take place in strict accordance with Canadian law. The vast majority of the CBSA's disclosures take place under the auspices of either the Privacy Act, section 8, or the Customs Act, section 107. These provisions are structured as blanket prohibitions against disclosure of information, accompanied by a number of very specific exceptions to this prohibition. The Customs Act has an exception for disclosing customs-related information for national security purposes, for example, while the Privacy Act does not explicitly allow for disclosure for national security reasons. Three provisions of the Privacy Act can, however, be used to disclose national security-related information, but they are either too restrictive or cumbersome to be of timely and practical use.
To illustrate, the “consistent use” provision in paragraph 8(2)(a) of the Privacy Act could be used, but it requires that the information that was exchanged was used for a similar purpose for which it was collected. Given different departmental mandates, this is not always a reliably available provision for us to use.
Designated investigative bodies can also request information under paragraph 8(2)(e), but this requires that they be aware of the need to make a request in the first place, because proactive disclosure is not permitted under this provision of the Privacy Act. Proactive disclosures made for the public interest are also permitted by paragraph 8(2)(m), but the process is cumbersome, requiring an average of 10 days for a disclosure to be approved.
SCISA addresses all of these limitations.
The second necessary condition is that the CBSA's information-sharing activities are well governed by policy and by training. Each of the acts mentioned above, including SCISA, has a specific CBSA policy dedicated to information sharing. These policies provide succinct guidance on the assessment of privacy rights, approval levels for each disclosure type, and protection of information, amongst other considerations.
Policy implementation is strongly supported by two well-received online information-sharing training courses, and SCISA was specifically introduced with multiple information sessions in August 2015.
As indicated in the Office of the Privacy Commissioner's report of 2015-16, a review of SCISA-related activities has showed sparing use of the provisions. In the first half of the year of implementation, the CBSA made 24 disclosures under SCISA, and during the same time period, eight disclosures were made to the CBSA.
The agency looks forward to working with all stakeholders in the realm of information sharing and privacy so that we may continue to evolve in the right direction.
In closing, I want to thank you, the committee, for the opportunity to provide our input into your study and for welcoming me here today. I'm happy to answer any questions you may have later.