Information & Ethics Committee on Nov. 22nd, 2016

Thank you, Mr. Chair and members of the committee, for inviting me to discuss the Security of Canada Information Sharing Act, or SCISA, which was enacted under Bill C-51, the Anti-terrorism Act, 2015.

When Bill C-51 was introduced in Parliament in early 2015, I expressed strong reservations, which remain true today. In my remarks this morning, I'll briefly summarize these reservations and will then encourage you to review national security information sharing issues more broadly. Finally, I'll explain the review we have undertaken of how SCISA has operated so far and how other legal authorities are used by federal institutions to share information for national security purposes.

My first point is that the justification for SCISA should be made clearer. I recognize at a general level that greater information sharing may sometimes lead to the detection and suppression of security threats, but we have yet to hear a clear explanation, with practical examples, of how the previous law prevented the sharing of information needed for national security purposes. A clearer articulation of the problems with the past law would help define a proportionate solution.

Second, I remain concerned that SCISA authorizes information to be shared where it's merely relevant to national security goals. Setting such a low standard is a key reason why the risks to law-abiding citizens are excessive. If the necessity or strictly necessary criteria is adequate for CSIS to collect, analyze and retain information, as has been the case since its inception, it's unclear to us why this standard can’t be adopted for all departments and agencies with a stake in national security. Necessity is the international privacy standard.

On a side note, the issue of standards leads me to the preamble of the act, which you discussed with government officials last week. This preamble indicates that information is to be shared among departments in a manner that is consistent with the charter and the protection of privacy. However, this is not a true legal standard, but rather a wish or a pious hope.

As we indicated in our submissions to Parliament last year, we believe that effective privacy protection requires more than guiding principles that don't have the force of law. It requires the adoption of real legal standards. The obligation to disclose information in a manner that is consistent with privacy protection should therefore become an enforceable legal standard, as is the case with the rules governing the disclosure of information. To that end, SCISA should adopt not only the principle of necessity, but also that of proportionality.

Third, independent review of information-sharing activities is incomplete, given that 14 of the 17 receiving institutions under SCISA don't have dedicated review bodies. A parliamentary review, such as the one suggested by Bill C-22, will help but is insufficient. All departments involved in national security also need to be reviewed by independent experts.

Fourth, retention rules should be clarified. If the government maintains that the sharing of information about ordinary citizens—such as travellers or taxpayers—is necessary to identify new threats, national security agencies should be required to dispose of that information after these analyses and when the vast majority of individuals have been cleared of any terrorist activities.

Fifth, the law should require written information agreements. Required elements to be addressed in these agreements should include the personal information being shared, the specific purposes for the sharing, and limitations on secondary use or onward transfer. Other measures should be prescribed by the regulations, such as safeguards, retention periods and accountability measures.

While SCISA was an important addition to the Canadian legal framework related to national security, it is intended to be one element of a much larger whole. Limiting your review to SCISA will give you a very incomplete picture of national security information-sharing activities. I would therefore encourage you to also examine information-sharing with international partners and domestic information-sharing under legal authorities other than SCISA. Knowing more about other authorities will give you a better insight into whether SCISA is really necessary.

When Bill C-51 was tabled, I committed to examining and reporting on how its implementation would ensure compliance with the Privacy Act and inform the public debate. Our findings following the first phase of our review of the first six months of SCISA implementation are tabled in the most recent annual report. We have identified a number of concerns and offered recommendations. The OPC has concluded that the privacy impact of the new authorities conferred by SCISA was not properly evaluated during implementation, and we recommended that formal privacy impact assessments be performed.

The OPC also found several weaknesses with a Public Safety Canada guidance document intended to help departments implement SCISA. Although Public Safety Canada agreed to improve the guidance, no changes have been made a year after the OPC provided recommendations aimed at minimizing privacy risks. During our review, the OPC sent a questionnaire to all federal institutions to determine how often SCISA was used and, more particularly, whether it had been used to share information about persons suspected of terrorist activities or about law-abiding citizens. Most institutions told us that they had not used SCISA during the review period, but that they relied, instead, on other authorities.

So, there is information sharing for national security purposes, but most institutions told us that they are relying on other sources of authority than SCISA.

Five institutions told us that they have used SCISA for a total of 58 disclosures and 52 receipts of information. Institutions also told us that all SCISA information-sharing activities in the first six months following implementation concerned persons suspected of terrorism.

During phase 2 of our audit, we will review departmental records to verify whether that information is accurate and whether information sharing under authorities other than SCISA concerned suspects or persons not suspected of terrorist activities.

The goal of this review is to provide as clear a picture as possible on the use of SCISA, and other laws, in order to inform public and parliamentary debate as we head toward the government's planned review of Bill C-51. We would like that review of Bill C-51 to occur with a clear, factual, evidentiary basis, as opposed to simply a discussion of principles, however important the principles are.

With that, I would be happy to take your questions.

You're in the shoes of which person, then?

Which is the sending institution or the—

With the bill as stated, the sending institution would not know unless, as we're suggesting, there is an agreement between the sending institution and the receiving institution on the purposes for which the receiving institution will use the information, and there may be limits to other purposes. That's why the law, as it stands, is silent on this point. That's one of the reasons we think agreements would be helpful.

I think it takes a number of instruments. On your point that the sending institution may not be an expert, in the context of this legislation, on national security, that's quite correct. I think government envisions that before information is shared, there will be a discussion between the sending and receiving institutions as to whether, in the context of the current act, it is relevant to the mandate of the receiving institution, on which the first department may not be an expert, but the second is. There's a discussion about that.

Also, according to section 5 of SCISA as it is, the information has to relate to detection or suppression of national security threats. It may be that the sending institution is an expert, but it's more likely that the sending institution is not an expert and the receiving institution is.

It's the conversation between the two departments before the personal information is given by the sending to the receiving institution that I think will enlighten both parties as to whether the criteria of the legislation are met.

Absolutely. There's a risk of that for intelligence-analysis purposes.

From my perspective, from a privacy-protection perspective, that is why you need a number of tools to ensure that information sharing occurs, because there is a value in information sharing for national security purposes, but you have to ensure that not too much information is shared and retained. It's through the sum total of the safeguards we propose that we think the risk of over-collection and over-retention will be minimized.

I think there are at least two steps to this question.

The receiving institution must determine whether it has the authority to collect it, to receive it. It may be that the sending institution will send too much information to the receiving institution. I would suggest that there need to be clear rules, which do not currently exist under SCISA, which require the receiving institution to get rid of it ASAP because it doesn't have the authority to collect it. That's the first thing.

Then there will be situations in which the information may be relevant for the analysis to be performed by the receiving institution, say CSIS. The information will generally lean towards the vast majority of people about whom we receive information not being security threats. That's another step where, at that point, the information needs to be set aside. It was useful for analytical purposes initially, but the analysis has now taken place and the vast majority of people about whom information is shared are not security threats. It should be destroyed then as well.

What we're saying is that there were authorities, and they continue to be used. That's one of the things we found in our review of SCISA. There are many other lawful authorities for information sharing and national security that have been used in the past. What I'm saying in terms of necessity is that we have not seen a clear articulation with clear examples of how the previous law created an impediment to desirable information sharing. There's a discourse that information sharing is desirable from a national security perspective. I think that's correct. But there was no absence of legislation before SCISA. There were many authorities. What we've not seen is evidence that the previous law was insufficient or created impediments to the work of national security agencies.

That may be, but I would say that at the end of the day, to argue that the previous law led to concerns about what authority officials had with regard to sharing goes to whether the previous law was sufficiently clear and well understood. It doesn't go to the necessity for a new law. If, previously, officials were unclear, then the officials should have received better guidance and information as to what the law provided. But if this law, SCISA, is really necessary, it should not be so on the basis that previously officials were unclear. That lack of clarity doesn't necessitate legislation. It would be on the basis that not only was it unclear, but it was insufficient, that it was an impediment, and we've not seen evidence of that.

We did not ask in our questionnaire what the other authorities were and how often they had been used, because we focused on SCISA. But we did ask whether they were using SCISA, and if so how often—hence the numbers we have—and whether they were using other authorities. We did not ask how often and which types.

We know that there are other authorities, such as the immigration act, the Customs Act, and at a more general level, the common law authority of the police in the course of investigations, to share information for the purpose of investigations, and the defence prerogative, which authorizes the defence department and the Canadian Armed Forces to share information for national security purposes. There is a whole list of other authorities that previously existed. I'm not surprised to see that these other authorities continue to be used. That's a fact. But I think knowing what these other authorities are, how often they are used, and what this means in terms of the necessity of this new piece of legislation should be part of your consideration.