Information & Ethics Committee on Nov. 22nd, 2016

The explicit provisions in SCISA allow for sharing only of information already collected, but because it provides a number of agencies with the impetus to begin to look for threat information, primarily on the front line, it may affect the manner in which they approach the information that they collect and retain, because that is now a new consideration they will be using in assessing their own information-sharing practices. At that stage, it could indirectly facilitate the additional collection of information.

When you're talking about the Government of Canada, which is an immense bloc, it's been compartmentalized with regard to the data it collects for good reason, because when you're dealing with the tax agency, you're not dealing within an investigative context, and you're sharing information with the government for tax-assessment purposes. When you're dealing with education insurance, you're not dealing with the government in an investigative context.

Historically, it's been addressed as separate, compartmentalized agencies with different types of information, with the exceptions for information sharing being very specific and targeted. If SCISA facilitates a more generalized information sharing—and I realize it hasn't to date, but it could, as these types of provisions have facilitated that in other jurisdictions—then that could be seen as our facilitating surveillance in a very direct sense, even though the information was already held by one government agency but maybe not by others.

Does that help?

Thank you.

I think the importance of maintaining a balance between need to know and need to share, which has been an ongoing tension in the entire western intelligence world since the 9/11 attacks, is of critical importance. The problem I see in SCISA is that the balance was never properly thought through, and certainly was not found in terms of the legislative language adopted.

In response to the particular question about whether SCISA was a kind of back door to authorizing new information-gathering and intelligence-gathering powers—and this is a concern that many people raised in the context of the original debate over Bill C-51—frankly, I don't see that in SCISA or even implicitly in its knock-on effects. It doesn't change, as I think you probably heard. Certainly other committees have heard from government officials that it doesn't change the actual mandates and lawful information-gathering activities of any of the agencies listed in SCISA. It is purely about information sharing. Information sharing may trigger—and this is my colleague Tamir's point—additional intelligence gathering and investigations by agencies that receive information, but that activity could occur only under their existing lawful mandates.

Thank you, Mr. Kelly. I appreciate the question.

I understand the underlying implications of it. I think that probably all the witnesses you've heard from—including me and, though I wouldn't want to speak on his behalf, Mr. Israel—share the same objective. In other words, we want to ensure that Canadian security and intelligence agencies are able to appropriately share information.

The thing that perhaps a member of the Canadian public interested in this question would not fully understand is the issue of why this particular broader definition is needed. As I said in my testimony, I have not heard a good reason for that. What I would encourage the committee to do is to line up the new definition of undermining the security of Canada and its various clauses with the section 2 definition under the CSIS Act, which is of long standing, that defines threats to the security of Canada. It has been operationalized over decades within the security and intelligence communities.

We have arrived—the this term was used recently, in previous testimony—at a kind of cultural understanding of how that works.

There is nothing in the existing section 2 definition of threats to the security of Canada that would be weak or insufficient in terms of allowing, from my perspective, the kind of information sharing that is necessary and appropriate to securing Canadians' safety. The problem, I think, that many of the witnesses you've heard from see with this broader definition is that it is simply too broad and, worse, unnecessary.

It's a good question, but I think what we're saying to you, Mr. Kelly, is that the answer is, unfortunately, “Who knows?” This is an inappropriate definition that does not advance the interests of the security and intelligence community in terms of operational effectiveness and that threatens that balance of need to know and need to share with information overload, which has all kinds of other knock-on implications.

Going through the list in section 2 of SCISA, where these various activities that undermine the security of Canada are listed, you see that they are broader and looser and baggier definitions that are unnecessary when lined up with section 2 of the CSIS Act. For the life of me, I don't understand why we did not stick with the definition in section 2 of the CSIS Act, which encompasses everything that needs to be encompassed and avoids ambiguity and problems introduced by this newer definition.

If the committee has heard from some government official that there was something inadequate in the section 2 definition in the CSIS Act, then that would be an interesting thing to pay attention to, but I am not aware that you have, or that the public safety committee has either.

Thank you, Mr. Blaikie. I had the pleasure, once upon a time, of meeting your father. I just wanted to say hello.

There are various mechanisms in place. We're in the business, as you all know, of reforming and thinking about reforming the system. But the place to start with regard to SCISA and making sure that the government can be held to account for how this scheme is operated, even if it's amended, has to be proper record keeping.

Unless there's a paper trail, a digital trail, we'll never be able to do any accountability, and the Privacy Commissioner has made this suggestion in his annual report. That's one thing.

There is an issue of ministerial accountability as well. I note that the public safety minister, in recent testimony to the public safety committee, on the back of the Privacy Commissioner's annual report, said he has sent a letter out to all his cabinet colleagues encouraging them to ensure that all of their departments involved in SCISA are maintaining proper privacy protections. That's a step, but on its own, I think, it's an inadequate step, important as it might be.

So there's record keeping and ministerial accountability. Again, I would come back to the importance, certainly for the broader Canadian public, of transparency provisions that are part of the legislation. There is a mandated requirement to provide an annual public report from the relevant minister, in this case probably the public safety minister, on the operations of SCISA. It should be a meaningful report.

Then finally, there's the question of agents of Parliament and independent review bodies. Agents of Parliament, such as the Privacy Commissioner, clearly have a role to play. The Privacy Commissioner was trying to indicate that he has some resources but perhaps not enough. I know the Privacy Commissioner's office well. It's not my place to speak to it, but it has very limited resources on the national security side.

With regard to independent review, as everyone will know, the problem is that we don't have an all-encompassing independent review system. We have these siloed mechanisms that independently deal with CSIS, are meant to deal with the RCMP on the national security side but haven't yet, and deal with CSE, yet there's nothing for CBSA and many of the other core security and intelligence systems.

I think we're all at the point where we recognize that the system of independent review, which we've inherited over the years, is a legacy system that's not functioning well, and there are various proposals on the table for how to change it.

On top of that, a new committee of parliamentarians, if Bill C-22 is passed in Parliament, will be an added element in that picture of accountability.

In addition to everything Professor Wark just said, I would add that I think there are ways to improve the timing of assessments on necessity and proportionality, if those were adopted, and those would involve, I think, better training in government agencies that are going to be the recipients of these requests and that are not inherently national security agencies. You could train people within these agencies to identify this information or to become more familiarized with the standards that are required to make those assessments.

Necessity and proportionality are both very core operative principles that are used all the time in this context. They're not new ones that are just imposed here at random. They're the ones that CSIS currently operates under, as we heard, and they're the ones that other agencies operate under regularly.

Imposing those standards does not really limit the ability of the existing agencies to get information that they're not already getting—and we haven't heard that they're not getting enough information—but with sufficient training and resources, maybe you can get around the issues related to timing.

In addition, one of the outstanding recommendations from Commissioner Major of the Air India commission was to have a centralized national security entity to address information flows between security and policing and other types of agencies, and to have that type of entity or another agency, such as the Privacy Commissioner for Canada, with a better resource and more expansive mandate or a more expanded expert review body with additional operational capabilities, take a more active role in interacting with government agencies and helping them to make assessments around whether specific items of information are or are not necessary to achieve threats. I think having that type of capacity within government or within an entity within government to facilitate that type of information flow could address any of the timing concerns while maintaining the privacy standard that should be kept.

Yes. I agree that the restrictions on the information it can receive and the information it can impart are both too restrictive and too much at the discretion of government. I think at the very least having an objective decision-maker weigh in on those decisions would be a great start in encouraging its independence as an oversight entity.

There are ways to delete information securely. Even a preliminary deletion will eventually lead to the information being deleted, but you can more comprehensively take active steps to delete information, to wipe hard drives, and to insert random data over where the data used to be to make that more concrete.

I think what's really missing, though, right now is the impetus to delete information, because there is no retention requirement, as we've heard. It's easier to keep it forever and even with just the vague prospect of its utility down the road, even if it's a 0.001% chance, the impetus tends to be to retain it just because it is so cheap to do so.

One of the problems with SCISA is that the more the information gets spread around different agencies, the more we have the potential for it to be accessed by a third party one way or another. Again, a retention limitation would facilitate the security concerns as well.

Mr. Bratina, under Bill C-22, the ultimate discretionary authority-holder is the Prime Minister, and the proposed national security and intelligence committee of parliamentarians would be beholden to the Prime Minister in certain instances with regard to the information they can access and information they can report on. Again, I think many people who commented on Bill C-22 believe that it's perhaps over-broadly written and that it could be narrowed in terms of those restrictions. But it's important to say that the essential dilemma of parliamentary scrutiny of intelligence and security revolves around secrecy, and the need to both access secrets, in order to make sense of the security and intelligence world, and to protect secrets in the interests of Canadian national security. Bill C-22 legislation tries to find a fix to that difficult dilemma.

If I can come back just for a minute to your question about retention, it's absolutely true that most information these days is digitally maintained. There are still a lot of paper records around, particularly on higher-level decisions, memoranda to cabinet, and that kind of thing. But I would disagree with my colleague Tamir about the fact that there are no retention schedules. There are plenty of retention schedules. The problem is that they are not legislated and they're not available in the public domain, but the mechanism that is used to enforce retention schedules is ministerial directives to the agencies of the security and intelligence community.

One of the things I have pressed for in various circumstances, including with regard to CSE, is that some of those ministerial directives around retention of information could be made public without endangering national security to reassure the Canadian public that information is not being kept in an abusive and overly long way. The retention mechanisms do exist; they just are, unfortunately, and perhaps in some cases necessarily, secret.

Very briefly about that, the independent arbitrator for Bill C-22 on disagreements, some, including us, have called for a mechanism to allow disagreements to be referred to the Federal Court. The Federal Court has expertise in making these decisions.

Just very briefly, yes, absolutely, some agencies have retention limitations on an ad hoc basis that apply to certain subsets of information they collect, but an overarching retention limitation in the Privacy Act would provide for a more principled and across-the-board process. CSE has some retention limitations that are imposed on it, depending on the type of data it's collecting; CSIS doesn't have any, or didn't until recently; and the RCMP does not have many. It's very ad hoc now, and imposing an overarching principled retention limitation with the Privacy Act that applies to everything would make it a more consistent obligation.