Information & Ethics Committee on Dec. 6th, 2016

Generally speaking, as I said, intelligence agencies tend to abide by this notion of an implicit caveat. There are also explicit caveats that are placed on intelligence that will say “Not to be used for...”, and you fill in the blanks. We rely upon our partners to follow those caveats, as they rely upon us to follow theirs. There is a mutuality to it.

I think that when you step out of the Five Eyes, European intelligence agencies will probably follow the caveats as well, for the most part. When you get further afield, it's much more difficult to ensure, but within the Five Eyes I think caveats are well respected, and everybody gets the protocol.

I want to add something very briefly. I'm going to part company with my colleague here on the question of retention, and I'm going to do it in this way.

To the extent that the service properly receives—and I underscore “properly”—information about national security threat information, I don't think it's wise for the service to destroy it. I don't think it's wise. Today it may not mean much, but 10 years from now or five years from now, when circumstances change and you're continually revising your analytics, you need to have a rich environment to be able to stay on top of the threat environment.

I think that with respect to information that's properly in the hands of the service—and I underscore “properly”—they should be able to maintain their files.

Well, no. I do accept that, but I'll give an example.

Let's say that you destroy a piece of information, and three years later. something happens. Perhaps a bomb goes off somewhere.

Where was the information? Why did nobody know about it? Well, you've destroyed the information or you weren't able to stay on top of that particular threat circumstance.

I think it would require extraordinary circumstances to destroy information that the service properly has, because they have an ongoing national security mandate.

From my perspective, if the service takes action and they do something and pass it to the RCMP for an investigation, it's going to end up in a court process, but I think it would be wrong to put an arbitrary time frame on how long the service should maintain it.

In terms of the principles in those arrangements, you've heard from others that reliability is a core principle. We've talked about relevancy versus necessity. I'd concur with my colleagues Roach, Forcese, and Anil about necessity being a threshold. I believe Professor Forcese talked about “materiality”. I think that gets us more reliable information, so changing that standard would help, as would ensuring in those arrangements that there is rigour in the sharing, that we're looking to those criteria, and that there is necessity as well.

We talked about the life cycle of data. I'd like to see something about that. I don't entirely disagree with Mr. Kapoor. Yes, relevant information needs to be maintained, but a lot of irrelevant information may be pulled in, especially in the case of SCISA. That is what I'm concerned about. Therefore, I think those arrangements should also have an eye to the life cycle. How is data shared? How is it used? What happens to it afterwards? Also, is there some tracking of where it has gone within government agencies?

I come back to my suggestion that there be some kind of stickhandler in government who is overseeing this and setting standards in creating these arrangements, maybe with a model agreement or an arrangement that comes from the centre and has gone out to agencies.

On this issue about necessity and the nature of the information-sharing agreements, I don't necessarily agree that materiality is a workable test. I am saying that because I think necessity is much easier to manage.

Materiality brings into relief not only what you know at the transmitting agency but also what the recipient agency or the requesting agency knows, because under this legislation the service could request from any one of the other 17 agencies. It's unworkable to say that the transmitting agency should know the service file. We have one intelligence agency, CSIS, so if CSIS thinks.... Pick somebody else, such as the CRA or the Department of Health. Let's say that for some reason CSIS thinks the Department of Health has important information for their case. The people at the Department of Health aren't going to know the entire CSIS brief, nor is it practical for them to know it, but they would need to know that to execute on materiality.

Necessity, by contrast, I think is more modest. The service can warrant why it's important to them, and Health Canada can then do its own due diligence on its own side. Materiality is just a very broad concept that brings it into a whole mosaic that I think is just not practical for all the various agencies to transact in parallel.

It certainly allows for sharing of information, but this problem that existed in terms of Air India was really the result of a very immature approach by the RCMP and CSIS to their respective mandates. Of course, keep in mind that CSIS was a baby at that time. It had just been created.

The infrastructure problems and the lack of coordination that we saw in Air India have to a large extent been ameliorated by changes in the way in which the RCMP and the service deal with each other on a regular basis. That problem is working itself out, and the agencies are much closer and have a much more mature relationship today than they did then. This statute doesn't really affect that. It's going to happen anyway; it happened before this statute. The statute doesn't really enable that. It's just kind of more stuff, more information, but the real rigour happens in the ways in which those two agencies have decided to change how they coordinate with each other.

I'll take a quick shot at it, and then I'll let Mr. Kapoor handle the rest.

On the all-of-government sharing, clearly some government agencies may have information that would be useful in national security investigations. In terms of casting the net that wide, I don't know if a case has been made that it's just every conceivable government agency. That would be the troubling thing—that it would be cast so wide—but I wouldn't say that no other agency, other than national security agencies, would have information. Clearly there may be information in other agencies that may be useful in a national security investigation.

To answer the question, there's a bit of irrationality going on here. The primary actors for national security are the service, the RCMP, the CSE, and then National Defence and the CBSA. Let's call them the main actors.

When you drill away from that and look at the Department of Transport, they may have a national security remit, but it would be sort of a knock-on remit, if I can put it that way. Let's say CSIS has intelligence about some weakness to some rail system somewhere, or somebody's going to blow up something at a rail system. They would then want to activate the Department of Transport for assistance, and our provincial partners as well.

It seems to me that it should be about information getting to the main actors in national security, because that's what this is about. It's not just simply the service giving information to the CRA to help them collect your taxes.

I don't agree with that. The section says “any person”. My concern with this....

I would agree with the first statement, that this act purportedly encourages information sharing. You don't need section 9 to do that.

I didn't have a chance to read her testimony, but the other piece is good faith. They may hang their hat on that, saying that these aren't malicious shares, but you can be negligent and act in good faith as well, in my view.

I think it includes the crown. I think it's pretty broadly worded. I think it's disingenuous to suggest that this facilitates sharing or—

—encourages that. I think civil servants should be acting in good faith all the time, and I think they should act within the law. When they step outside those bounds, the government should be held accountable. That would be my position.

Really, this is just an indemnification issue. The government has to be responsible for mistakes. Individual persons are on this team and are transmitting information. Just by indemnification, the government can solve this problem so that they're not hung out to dry. From my perspective, we can get rid of this provision and have proper indemnification agreements.

The Privacy Commissioner plays an important role because of the privacy protections, but the Privacy Commissioner is not a national security expert. That department does not have that expertise. That would be one of the issues. Would they have the clearances to get at everything and look at everything? That would be a concern, although certainly the expertise of the Privacy Commissioner is welcome.

The recommendation I've also made is that other than the committee of parliamentarians, we need to have one unified, arm's-length, well-resourced review agency—some call it super-SIRC, but I like it call it the Canada national security review agency—to oversee all of national security. That organization could play a role in reviewing information sharing as well. The other piece, which I don't think would be touching as much on information sharing as on the law policy side, is the independent reviewer of national security law and policy.

The last piece I've suggested is that within government itself, probably within Public Safety and reporting to the minister, there should be some sort of information-sharing czar to oversee all of it. When you have all these pieces moving, we could actually have a national security disaster if something weren't caught or we could have a disaster when mistakes were made. Someone in government who's actually a bureaucrat could be overseeing all of this and reporting to the minister.

Those would be all the pieces, I think. There would be one from the public watchdog side but also one in government to make sure all the parts are moving well.