Evidence of meeting #35 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Clerk of the Committee  Mr. Hugues La Rue
Wesley Wark  Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
Tamir Israel  Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Wayne Long Liberal Saint John—Rothesay, NB

How do you change that? There's obviously a culture. If only two of 17 departments felt they were necessary, there's a problem there.

11:35 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I heard Minister Goodale ask departments to pay attention to their obligations to assess the privacy risks of these activities. That is more encouraging, but to this day, we haven't seen the privacy impact assessments of these other institutions.

So, yes, it is alarming. I'm somewhat encouraged by what the minister said, but it has not translated into us receiving anything at this point.

Wayne Long Liberal Saint John—Rothesay, NB

You haven't seen any substantial change?

11:35 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Have we seen any new PIAs? No.

Wayne Long Liberal Saint John—Rothesay, NB

Also, in the paper, you criticized the tone of government's online consultation. There was a consultation paper that was asking for feedback. You didn't like the tone of it. How come?

11:35 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That consultation deals with the national security framework, writ large, way beyond SCISA.

I said a number of things. One, I think it makes a lot of sense to look at the framework as a whole and not focus on constituent parts. That's why I say I think you should look at information-sharing authorities beyond SCISA, because to have a real picture of what's going on, you need to look at the whole situation. So that is a positive aspect of the consultation.

What I did not like about the tone or the perspective was that you started an exercise with a view to reviewing and repealing potentially problematic elements of legislation that give additional powers to state officials, but the consultation paper in large part suggests further extensions of state powers as opposed to more privacy protection or more human rights protection.

I'm not saying that it's illegitimate or that it's not a good idea to look at the framework, writ large. It's a good idea, but the framework, writ large, should be looked at in a balanced way, such that, as it should be for SCISA, the new state power should be demonstrated to be necessary. As you look at these other issues, you should also look at what safeguards should be added or enhanced to create the right balance. The latter I did not see a whole lot of in the consultation paper.

Wayne Long Liberal Saint John—Rothesay, NB

Thank you.

11:35 a.m.

The Chair Conservative Blaine Calkins

Colleagues, do you mind if I take the five-minute round? Our party is a little thin here today, so is that okay with you?

I cleared it with him.

Thank you, Commissioner.

One of my questions I think might have been asked by my colleague Mr. Kelly. At the end of the day, it sounds to me as though there is a mishmash of lawful authorities and no orchestrated plan for the sharing of information among various departments and agencies. You said that there are a number of other authorities that government agencies are using outside of SCISA.

My question to you is, from a policy perspective at the national level, should all of these authorities be consolidated in one piece of legislation so that parliamentarians, lawmakers, judges, and law followers all have an easy, accessible source of legislation when it comes to the sharing of information?

11:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It would be difficult, but it's an interesting idea.

Among the sources of authority are common-law or non-statutory sources of information, including the common-law powers of the police to collect and share information for investigative purposes, and the defence prerogative under which the defence department collects information. These are non-statutory sources of authority that, by definition, exist outside of the statute that you're envisaging. It's not obvious how all of this would work, but it's an interesting idea.

What I would say that may be helpful is that in respect of the safeguards I'm suggesting for SCISA as a threshold of necessity and proportionality, and in respect of the requirement for agreements that create clearer rules, some accountability, and retention periods, there is no reason these safeguards could not be in a statute of general application that would apply to the sum total of the sources of authority. That might be one way to ensure that safeguards for the rights of Canadians apply regardless of whether SCISA, the Customs Act, some other piece of legislation, or the common law is used. That would be the most practical advice I could give you on that point, but it's an interesting suggestion.

11:40 a.m.

The Chair Conservative Blaine Calkins

At the opening of your remarks, you offered up your suggestions as an opinion. Your opinion is a professional opinion, because privacy is your wheelhouse, your bailiwick. It's what you know and that's the way it should be.

When it comes to security, in the staffing of your office, do you have people with specific skill sets to deal with privacy as it relates specifically to terrorism and national security?

11:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We can always improve on any subject matter, but we certainly have, not all of our employees, but a number of employees with both subject-matter expertise and the security classification to undertake this work. We could improve.

Of course, I would say that since 9/11 and the increase in state powers that have an effect on privacy, the number of investigations or reviews or privacy impact assessments we perform in this area is increasing considerably, so the number of people with the right expertise is inherited from a past in which these issues were less prevalent from a privacy perspective.

I do think that we have a core of people with the right skill set, which could be improved, but we certainly have a certain capacity.

11:40 a.m.

The Chair Conservative Blaine Calkins

Excellent.

In one of your answers to a previous question, you said 99.99% of people's information that is collected is not needed. I'm wondering where you got that number.

11:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Ultimately, it's not needed. What I'm saying here is that if you accept the view that security agencies need to collect information about people other than suspected terrorists, say travellers to a certain country, in order to identify new threats, if you accept that as a premise, the activity to be performed by the security agency would be to go through the information from all these travellers, the vast majority of whom are not security threats, with a view to doing analysis, correlating this information, and finding in the thousands of people whose information you have, the one, two, or three who may be security threats. So my premise is that out of the information on the thousands of travellers whose information is sent, only that of the two or three should be kept after it has been analyzed.

11:45 a.m.

The Chair Conservative Blaine Calkins

I see. Thank you very much.

Mr. Erskine-Smith, go ahead for five minutes, please.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

You mentioned to my colleague Mr. Long that one of the most important changes is the threshold. You've hit that over the head a number of times. To be fair, when the previous government introduced this bill, we had John Davies before us, and he said that in 2004 the Auditor General examined how departments and agencies worked together to investigate counter-threats, and then again in a follow-up report in 2009 the AG found that departments and agencies were not sharing intelligence information because of concerns over violating provisions of the Privacy Act or the charter, whether this concern was valid or not.

You and Professors Forcese and Roach, who were before us, proposed a necessity threshold as well. We had the departmental officials before us and they said, hang on a second, that would be problematic for us because the disclosing institutions, 100 or so agencies, don't have the expertise to determine necessity. Therefore, we want to make it easier for them to get the information out the door while keeping in mind that the recipient institutions must stick within their mandate.

If we're looking at amendments and trying to balance the concerns of the department, would a possible amendment be that disclosing institutions disclose relevant information, but recipient institutions are subject to a necessity standard? Would that help both sides to find a compromise there?

November 22nd, 2016 / 11:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think it's a very worthwhile idea to explore.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Okay, I'll take that.

11:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think you were told by officials that section 5 deals with disclosure. It is true that it deals with disclosure, i.e. not receipt, but once the disclosure has occurred under the relevance test, there is nothing that says—certainly not explicitly anyway, and I think it would be extremely ambiguous at best—what a receiving institution should do.

CSIS, under its legislation, has a clear collection-test necessity. I'm less concerned about it, but I'm concerned about all the other receiving institutions that may not have that kind of test.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Exactly. So when Professors Forcese and Roach say as one of their recommendations “to make crystal clear that receiving recipients must operate within their existing mandates and legal authorities and that agencies put in place protocols for ensuring the reliability of shared information, as per the Arar commission recommendations”, I presume you would agree, but it might also make sense to go further. CSIS obviously has a necessity test built into its mandate in terms of receiving information, and it might be even better, when we look at the 17 recipient institutions, to actually subject all of them, in order to receive information, to prove the necessity of it to their mandate. Therefore we want to allow for the government's concern with respect to disclosing institutions. They're obviously not going to get into the nuts and bolts to understand necessity. They could be subject to proving relevance on disclosure, but recipient institutions wouldn't be required to show that it was necessary to their mandate.

11:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think that would be helpful, provided that there would be a difference, there would be a misalignment of thresholds between the sending and the receiving institution, which would by definition mean that the receiving institution would receive too much.

And there needs to be a clear rule—

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

—as to what they do with that excess of information.

11:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

—that they need to destroy or dispose of that information.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Absolutely.

Okay, I agree with you there. My final minute goes to the review of whether these powers are being exercised appropriately.

We had department officials before us last week, and the CBSA official mentioned that obviously CBSA does not have an expert review body and that your office would in fact be the appropriate review body for the sharing of information. If we don't have a super-SIRC type of body, does your office have the capacity to review the sharing of information with 17 agencies, or is the answer in fact to have a super-SIRC type of body?

11:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have some experts, but we certainly do not have experts in sufficient numbers to credibly review the activities of all departments other than the three that have existing review bodies.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I have one final question.

Would you support the recommendation of Forcese and Roach to match information powers with amendments that give independent review bodies review over all of the Government of Canada's information-sharing activities under the new act, as well as their recommendation that the body would have the power to compel deletion of unreliable information?