Information & Ethics Committee on Dec. 8th, 2016

Thank you, Mr. Chair and honourable members.

I am pleased to appear before this committee on the subject of the Security of Canada Information Sharing Act. As the chair has mentioned, I am accompanied by Mr. Bill Galbraith, the executive director of my office.

Before I make a few remarks about activities under this act, and since this is my first appearance before this committee, I will very briefly describe my mandate and the role of my office.

You have my biographical note, so I won't go over that, but I would like to say that I have found that my decades-long experience as a judge has stood me in very good stead in my three years as CSE Commissioner.

Being a retired or supernumerary judge of a superior court is a requirement set out in the National Defence Act, the legislation that mandates both my office and the Communications Security Establishment.

The CSE Commissioner is independent and arm's length from government. My office has its own budget granted by Parliament. I have all the powers under Part II of the Inquiries Act, which gives me full access to all CSE facilities, files, systems and personnel, including the power of subpoena, should that be necessary.

My mandate is threefold. First, I review the activities of CSE to determine whether they are in compliance with the law, including protecting the privacy of Canadian citizens. This is the major portion of my work. Second, I may receive and investigate any complaints I consider necessary. Complaints are rare, reflecting the foreign focus of CSE activities. Third, I have a duty to inform the Minister of National Defence and the Attorney General of Canada of any activity of CSE that I believe may not be in compliance with the law.

The commissioner’s external, independent role, focused on CSE, assists the minister responsible for CSE—that is, the Minister of National Defence—in his accountability to Parliament, and subsequently to Canadian citizens, for that agency. My annual report tabled in Parliament describes the results of my reviews.

Let me turn now to the Security of Canada Information Sharing Act, or SCISA. What I have to say will be relatively brief. I will describe to you the experience of my office with respect to SCISA and then make a number of brief points regarding the act.

First, my office, as a government institution, has not shared information under SCISA, and in all probability is unlikely ever to do so. During the first year that SCISA was in effect, the agency I that review—namely, the Communications Security Establishment, or CSE—has neither received nor shared information under that law.

My reviews of CSE include CSE information sharing with domestic and international partners. I review CSE activities to ensure that the information it collects and discloses complies with the law, ministerial direction, and internal CSE policies. This includes ensuring that satisfactory measures are in place to protect privacy and that these measures are effectively applied. I will continue to monitor whether CSE receives or shares any information pursuant to SCISA.

That CSE has neither received nor shared information under SCISA demonstrates that currently existing authorities are sufficient for it to share or disclose information with other government institutions.

The point was made more broadly in the annual report of the Privacy Commissioner, Mr. Therrien, noting from a survey of government institutions his office conducted of the first six months SCISA was in effect, that only five institutions either received or shared information pursuant to the act. Most institutions, a little like CSE, have been using pre-existing authorities.

I cannot answer if in the future CSE would receive or share information under SCISA, but the track record to date suggests little, if any. As I said, I will monitor this.

As to the act itself, there are three points I would comment on. These points were also raised by the Privacy Commissioner in his testimony before this committee, and I must say that I am in general agreement.

First is the question of threshold in order for information to be shared. In SCISA the threshold is relevance, and I quote from subsection 5(1) of the act:

if the information is relevant to the recipient institution’s jurisdiction or responsibilities

Where personal information is concerned, in my view the threshold should be higher. The Privacy Commissioner suggests necessity as a threshold. He states that this an international privacy standard, noting that the CSIS Act uses the threshold “strictly necessary” for CSIS to collect, analyze, and retain information.

Another example can be taken from the National Defence Act, where the established threshold is essentiality. In essence, in order for CSE to use and retain a private communication—where one end is in Canada—collected under ministerial authorization, CSE must determine whether the private communication is “essential”. I review these communications to ensure that is the case, and that information that is not “essential” has been destroyed.

The next point with regard to SCISA relates to safeguards to protect privacy. Given that CSE has not received or shared information under SCISA, I have no direct experience with this act in this regard. However, I can comment that the legislation mandating CSE has built-in privacy safeguards. These safeguards require CSE to have satisfactory measures in place to protect any information with a privacy interest that it can legally collect, retain, and use. I would agree with the Privacy Commissioner that there should be safeguards in SCISA to ensure protection of personal information.

A third point relates to the government institutions listed in Schedule 3 of SCISA. Only three of the 17 institutions listed in Schedule 3 are subject to expert review: CSE, which I review; CSIS, which is reviewed by my colleagues from SIRC; and the RCMP, reviewed by my colleagues from the Civilian Review and Complaints Commission, where Mr. Evans works.

The Privacy Commissioner has a mandate to review personal information policies and practices of all federal government institutions. In this context, Mr. Therrien is examining the schedule 3 institutions' use of SCISA and privacy protections. However, this is not enough. I suggest that there is a need for expert review for the 14 institutions not currently subject to review. This could be done either by a new review body, or bodies, or divided among the existing expert review bodies, much as recommended by Justice O'Connor in his commission of inquiry report 10 years ago in the Arar affair.

Perhaps there is a role here for the national security and intelligence committee of parliamentarians. The committee will have to establish its priorities, and this may be one area to examine. I look forward to working closely with the committee of parliamentarians and its secretariat.

Thank you for this opportunity to appear before you today. My executive director and I would be pleased to answer your questions.

We will be pleased to answer your questions to the best of our knowledge.

Thank you.

Good morning, Mr. Chair and members.

Thank you for providing this opportunity to appear before you today in the context of your study of SCISA—I will not repeat the long name, either in French or in English—and specifically its impact on privacy and any desired changes in light of the national security consultation and review process that is currently under way.

Today, I hope to enrich your study by focusing on three key points.

First, I will briefly outline SIRC's work in reviewing CSIS's information sharing practices with domestic partners. Second, I will provide insight into SIRC's current review examining the impact of the Security of Canada Information Sharing Act, or SCISA, on CSIS's information sharing with domestic partners.

Third, I will explain SIRC's limitations when examining these exchanges, including those made under SCISA.

I will not take much time now to describe SIRC's mandate and responsibilities. I will be pleased to answer any questions about our work following my remarks.

I will simply state that SIRC is an independent external review body that reports directly to Parliament, as you know, on CSIS activities through an annual report. SIRC has three core responsibilities: to certify the CSIS director's annual report to the Minister of Public Safety, to conduct investigations into complaints from the public that happen from time to time, and to carry out in-depth reviews of CSIS activities. Simply put, SIRC is key in providing accountability to CSIS.

The issue of information sharing was thrust in the spotlight post 9/11 as greater integration became the new modus operandi of intelligence work. As such, information sharing has been, and remains, at the forefront of SIRC's review work. In fact, I would say this issue is an integral component of almost every review we undertake: whether through the lens of a review of a particular CSIS investigation, activity or program, in Canada or abroad, SIRC must invariably examine exchanges of information with domestic or foreign partners.

SIRC assesses these exchanges against a number of criteria. We ask ourselves the following questions.

First, did CSIS act in a manner that complies with Canada's laws and legal obligations? Second, did this exchange fall within the scope of the established framework for co-operation, such as a memorandum of understanding or a foreign arrangement? Third, was the information shared factually correct and did it accurately reflect the nature and extent of the threat? Fourth, what were the disclosure risks of sharing this information, and did CSIS take appropriate action to mitigate these risks? For example, did CSIS take into consideration the human rights records of the foreign agency? Finally, did CSIS collect and retain information only to the extent that was “strictly necessary”? My colleague spoke about this idea of “strictly necessary” earlier.

As a result of this work, SIRC has put forward a number of recommendations in recent years aimed at enhancing CSIS's information sharing practices. To give you an idea, with respect specifically to domestic partners, SIRC recommended that CSIS develop clearer and more robust overarching principles of co-operation with CSEC, that CSIS finalize the completion of sections of a memorandum of understanding with CBSA, and that it develop deconfliction guidelines and renegotiate a protocol with Global Affairs Canada, which is the new Department of Foreign Affairs.

Let me move to my second point. Consistent with our ongoing scrutiny of CSIS's information-sharing practices, this year SIRC committed to a review of SCISA to gain an understanding of SCISA's impact on CSIS's information sharing with domestic partners.

As part of this work, SIRC will review all exchanges of information involving CSIS that have taken place under the authority of SCISA. This will give us an appreciation of the nature and scope of these exchanges. More broadly, SIRC will seek to assess whether existing practices were altered by the new legislation and, if so, the direction of these changes.

SIRC also intends to examine CSIS's engagements with federal partners as they move forward with the implementation of SCISA. In this context, I will echo the views of others in underscoring the importance of putting in place a supporting framework, such as specific formalized agreements between and among the various government partners involved in exchange of information under SCISA.

You have heard from witnesses who have commented on the broad nature of the threshold for sharing contained in SCISA. On this point, SIRC is of the opinion that formalized agreements to address the finer points of what information will be shared, how it will be shared, and what safeguards are attached to the information once it is shared are especially important. For this reason, in our review we will be attentive to these formalized agreements, where much of the work of determining the precise balance of security and privacy concerns will inevitably take place.

Indeed, insofar as there is always a level of interpretation, an important emphasis must be on review as a safeguard against unreasonable exchanges. For that reason, the role of review bodies such as SIRC is essential in ensuring that the proper balance is maintained.

I should end by noting that our broad access to CSIS information is key to allowing us to review CSIS's exchanges of information with partners. As you may know, SIRC—and it's important to remember this—has the absolute authority to examine all information under CSIS's control, no matter how classified or sensitive, with the only exception of cabinet confidences. Therefore, SIRC can examine all information that is shared with CSIS and, equally, all information that is shared by CSIS to its partners.

There remain blind spots, however, and this brings me to my last point. Although SIRC has great powers to review CSIS, this ability does not extend beyond CSIS. This means that SIRC cannot assess the source, validity or reliability of the information provided to CSIS by its domestic partners, nor how CSIS information or advice is used by these partners. In short, SIRC cannot follow the thread of information to allow for a more comprehensive review of CSIS's interactions and exchanges with domestic partners. We have already outlined this in previous reports.

This limitation is compounded by two other interrelated issues, which we discussed in the context of debate surrounding the Anti-terrorism Act, 2015, and SCISA. Seventeen departments with a national security nexus, including CSIS, are listed in the legislation as the recipients of information sharing in respect “of activities that undermine the security of Canada”.

The first issue is that of those 17 departments, only three—CSIS, CSE and the RCMP—are subject to a dedicated review body. There is no review mechanism to scrutinize the exchanges of information of the other 14 departments.

The second issue is that the three review bodies in question, namely, SIRC, the Office of the Communications Security Establishment Commissioner—my colleague's organization—and the Civilian Review and Complaints Commission for the RCMP, cannot carry out joint work as their legislation extends only to the respective organizations they review.

In fact, we can share some information on our results generally and on operating practices, but we cannot share information, even if our relationship is very close.

In the absence of a body with jurisdiction over the broader national security community, or to a lesser extent an ability for review bodies to work together, there will be clear accountability gaps regarding domestic information sharing.

As many have commented on, considerations of SCISA cannot be separated from an assessment of the strength of the safeguards in place to monitor the exchanges that take place under its authority.

Let me conclude by thanking you for your work on this matter. Bringing this forward in this place is important for everybody, I would say.

The government has made a firm commitment to enhancing accountability. There is no doubt, in my view, that information sharing within Canada’s national security community should be subject to appropriate scrutiny. SIRC’s work no doubt helps to further this goal.

With respect to SCISA, SIRC looks forward to communicating the results of its SCISA review when they are finalized. As I mentioned, we are in the process of doing that right now. At the same time, I will take the opportunity to affirm to the committee that information sharing has always been a priority for SIRC and that we will continue to be alive to issues of information sharing.

With my colleague, I will be happy to answer any questions you have.

Thank you, Mr. Chairman.

Thank you, Mr. Chair and members of the committee, for inviting us here today to discuss the Security of Canada Information Sharing Act and its implications for the RCMP and our commission.

In 2014, amendments to the RCMP Act resulted in the creation of the Civilian Review and Complaints Commission. While the previous RCMP Public Complaints Commission was largely reactive and driven by public complaints, the new commission has been given a broad mandate to oversee RCMP activities. The change most relevant to the question before this committee today is that the commission now has the ability to conduct systemic reviews of any RCMP activity to ensure it is being carried out in accordance with legislation, regulations, ministerial direction, or any policy, procedure, or guideline, without having a complaint from the public or linking it to member conduct.

With this new authority we are currently undertaking two such systemic reviews. The first, into workplace harassment within the RCMP, was initiated last year at the request of the Minister of Public Safety. The second, initiated by the commission chairperson, is into the RCMP's implementation of the relevant recommendations contained in the Report of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar. The commission's review on the latter is examining the RCMP's national security framework, including policies, training, and operational files, to determine whether they are consistent with Justice O'Connor's recommendations.

Specifically, the commission’s review is examining six key areas: one, the centralization and coordination of RCMP national security activities; two, the RCMP’s use of border lookouts; three, the role of the RCMP when Canadians are detained abroad; four, training of RCMP members in national security operations; five, RCMP information sharing with foreign entities; and six, RCMP domestic information-sharing practices.

Regarding the domestic information sharing, the commission is currently examining the adequacy, appropriateness, sufficiency, and clarity of RCMP policies, procedures, and guidelines as they pertain to domestic co-operation with federal agencies and departments involved in national security investigations. The goal is to measure their consistency with Justice O’Connor’s recommendations, including screening information for relevance, reliability, accuracy, and privacy; the use of caveats; and that the RCMP is continuing to refine its policy of co-operating with other federal agencies or departments involved in national security investigations.

With regard to the Security of Canada Information Sharing Act, the commission is examining, as part of this ongoing review, what the RCMP has put in place to address its new information-sharing powers, such as record-keeping of disclosures under the act, and how that relates to Justice O’Connor’s recommendations. For example, Justice O’Connor’s report stressed that information-sharing agreements or arrangements pertaining to integrated national security operations should be reduced to writing. This is important, and the commission will be examining whether the RCMP adheres to this recommendation with respect to information sharing relating to the Security of Canada Information Sharing Act.

With that, we'd be happy to answer any questions.

Thank you.

We are in the process.

As you know, we plan every year. Right now we have over 12 in our research plan, but we have other specific requests by the minister. One of them is on SCISA. We hope it will be completed by the spring. It will be in our report because, as you know, we're reviewing, we're not—

It's not necessarily the way it is.

We conduct our operation of the committee. We review the activities of CSIS. You don't necessarily come to us asking, “Well, could you look at this and that?” We do that on our own. We prefer to be on our own to decide what we look at.

I think the only distinction I would make is that ours is not a plan; it's actually under way.

We will be reporting, hopefully by the spring, on that. It's very actively under way. We've received all the information that we've requested from the RCMP. We hope to report, as I say, in the spring.

If I may just go back to my comments on the way it goes with the sharing of information right now, as I mentioned, there are some bilateral agreements between players most of the time.

For example, Global Affairs Canada has a protocol with CSIS, and they're in a process to review it. It's the same thing in place with many others. With CBSA, there is one that they're working on. It is because the exchange of information existed before the law. CSIS has been collecting information for 30 years. You can imagine that they go in many directions to gather information.

Now, speaking for our committee, we encourage CSIS to have specific agreements with the partners, in Canada and outside, for obvious reasons, as I am sure you would understand, to make sure it's done properly and that there's nothing that could fall through the cracks or is not within the law. That's why we do that.

Just to answer your first point with regard to the possibility for review bodies to carry out joint work, right now we can't do that, as noted by my colleague. We work in silos. This is not adequate.

I have stated in the past that it would be desirable to give the existing review bodies explicit authority to co-operate.

With regard to the 14 institutions, as I said previously, in my view it's important that they be subject to expert review one way or the other, or the committee of parliamentarians could decide that they want to do that themselves. It's up to them to decide that, but I still believe they should be subject to expert review.

How do you do that? Again, it's for the government to decide whether it wants to create one super-agency, for example, or whether it wants to divide those 14 institutions among the existing review bodies or create other review bodies. For example, perhaps the CBSA could be reviewed by the CRCC because, with regard to function, there is something similar, and so on and so forth.

Also, I must add that I feel that if the government feels that a super-agency is not in order, at least we should have a coordinating committee of some sort—and this was suggested by my colleague Justice O'Connor 10 years ago—where all the heads of review agencies meet and discuss problems in common. The committee of parliamentarians would be a practical solution, because they would have to deal with one body and not with 14, 15, or 17 institutions. This is what I would suggest.

I'll just add one comment. There is provision in our legislation that serves as a good example. We do have that authority to conduct joint reviews, hearings, and investigations, but our legislation stops short of allowing us to it with our federal partners. We do it extensively in the law enforcement context with our provincial partners. There is a provision in the RCMP Act that allows that, and it works.

There are a couple of ways I can answer the question. The first is to say that in our reviews of RCMP activities and the conduct of individuals and incidents, we use that to inform broader systemic issues, so we will also be looking at internal processes within the RCMP.

We're approximately 60 people in our organization, and the RCMP has roughly 30,000 employees, so it's impossible for us to look at individual files.

My point is that we spend a lot of time reviewing practices and procedures to ensure there is effective internal oversight of the RCMP itself. Part of the answer, I guess, would be that we're looking to make sure that somebody is verifying, especially for that type of sensitive information sharing, what types of policies and procedures are in place to make sure there is sufficient scrutiny, potentially centralized control, before it happens.

The second part is that disclosure of personal information in the scenario you have described is a matter for the Privacy Commissioner. That is an area that would have to be reported. That breach of personal information being shared would be reported to the Privacy Commissioner.

In the first place, that says that there was a problem, in this case inaccuracy, so it would have to be corrected by, I would say, anybody. Nobody should provide any inaccurate information in the first place.

It's not a problem of sharing. It's a problem of having accurate information in the first place.

If I may, I'll comment on your question.

I think maybe one way to do it would be to incorporate into the act a provision that any information that is not relevant, which is the threshold used presently in the act, should be destroyed. This is not built into the act right now. In my view, that's a problem.

For example, I'm looking at section 10 of the act, which talks about regulations that could be made by the Governor in Council. They have three ways to make regulations. I would add a fourth one, which should read “destruction of information that is not relevant”. If you have a built-in provision to the effect that if it's not relevant, it is to be destroyed within a certain time, I think you would avoid the problem you just raised.

We have that with regard to CSE right now, the body I'm reviewing. If the information doesn't meet the criteria set out in the National Defence Act, the information must be destroyed.

I can say in the context of the RCMP that there are accountability mechanisms built in. If you're talking about the conduct of individuals who have either collected or inappropriately shared inaccurate information, and members of the public become aware of that, they can certainly make a complaint that would come to us. The RCMP itself has its own internal mechanisms to discipline members if it is done in a way that's negligent or if there is some misconduct involved. There are adequate measures to address that.

The first part of my answer was that we try to make sure that it doesn't happen in the first place by having better practices, some oversight internally to make sure those mistakes don't happen, but there are mechanisms built in to deal with the consequences as well.

This is an important point: corroboration.

CSIS has been collecting a lot of information, as you know, for 30 years. We were even blamed for keeping it too long. They often use corroboration to know whether information is right or wrong. Having information that is not right is a problem in the first place.

You have mechanisms in any organization to make sure that information is correct. Sometimes corroboration, or having many sources regarding the same information, is a good practice, and improving practices would probably help any of those organizations. It exists at CSIS. It exists for us as well, but as was mentioned—

we are not immune

of a mistake. Everybody makes mistakes. It happens from time to time.

From our perspective, the best answer I can give you is that I'll have to get back to you when our report comes out. We are literally just at the stage now of reviewing those files. You're right that it could be one to one. It could be all sorts of different types of information sharing. We're just at a very preliminary stage right now in terms my being able to answer that.

It's the same for us. It looks bad, somehow, but as we mentioned, we're in the process of a review. Maybe we'll have some more information when we table our report later this year.

Remember that some arrangements, some MOUs and agreements, already exist between certain of those institutions. We recommend that you develop more agreements and probably put in place some guidance on that. We obviously need some guidance. You cannot say, “Well, bring all that.” You should mention how to manage that. It's done already in some instances, but not everywhere, as I mentioned in my document earlier.

In the United States, just to give you a flavour, they have 71 inspectors general looking at different areas of national security. I think it's about how you put those people together and about the mechanism for co-operation. Speaking for myself, I could say that the creation of the new parliamentary committee will give some power to....

I don't want to comment too much on that. The bill is before the House of Commons right now, at the report stage, probably, or close to it. This committee, when it's in place, will be able to have a look and co-operate with us. I think all of us have offered our co-operation to the committee to look into all the matters, because the committee will not be limited. It will have access to all. It may be limited access; I don't know, but it will be for Parliament to decide. Probably it will be

a step in the right direction.

It will be a first step, and we will see later on how it develops. For us, you cannot ask us to.... We do our jobs. We try to co-operate. We did inform the ministers that we should probably have the means to “follow the thread”. It's in the air. The government expressed their views on that.

For us, the more we can co-operate, the better for the information and national security community, I would say. You should remember what we all have in common, that we all want to protect Canadians from any threats from inside or outside. It's a goal that we all have. We cover a little angle of that. We ourselves don't do the operations, but we make sure that the operations of CSIS are done within the law.

We're all on the same side. All of the organizations are on the same side, the side of protecting Canadians against threats to national security.

The short answer is in Justice O’Connor's report. He has studied in depth having one super-agency versus keeping the existing agencies as they are. As an example, with regard to CSE or the Office of the CSE commissioner, Justice O'Connor has stated that it should not be included in this so-called super-agency because of its uniqueness. As you know, CSE is the foreign intelligence agency, or the electronic agency, and it's unique in itself.

Having said that, I think if you go to Justice O'Connor's report, you will find several pages on the pros and cons. For example, with regard to CSE, as the commissioner, I have one agency to look after. Therefore, I can go in depth because I have only one agency to review. Let's say, for argument's sake, that I would have five, six, or 10 agencies to review; I have the impression that the reviews that I would be making would not be as thorough. There are pros and cons about this so-called super-agency versus more focused agencies. As I said, Justice O'Connor has studied the matter thoroughly.

Mr. Blaikie, you raised two elements. One is the sharing of information and how to review the sharing of information between government agencies. The other part is the ability of the expert review process to get in depth into the agencies, as the commissioner stated. However, there is the issue that's raised by SCISA of who would be best suited to review the information sharing that's going on. The survey that the Privacy Commissioner has done gives some indication, and as the commissioner mentioned, perhaps the committee of parliamentarians might be able to follow that, but two distinct....

I think there has been general agreement on the need for expert review. The Privacy Commissioner has stated that need, and I think the results of the existing review bodies, as the commissioner and others have described, demonstrate the positive results of expert review and the need for it.

This is a major point. We should remember that we need experts drilling down in detail to the factual elements, as we do. We have done that for 31 years now, in our case, and we have experts. I'm sorry—

In our case, as I think I mentioned previously, if the information that is gathered by CSE doesn't meet the criteria set out in the National Defence Act, it will be destroyed. They cannot keep it.

Yes, there is.

I'm not able to say, I guess.

It depends on the type of information. If it relates to information with a privacy interest and if it is not essential, as the commissioner referred to in his opening remarks, it would be destroyed. It's an automated process because of the extent of the technology employed by CSE.

For classified information that is shared within government, there is a government security policy, and departments are required to store and handle classified information according to that policy as well. It is left for those agencies that are receiving classified information to decide whether it is reviewed and to verify that the information is stored and retained properly. There are departmental security officers whose role it is to look after that information once it's received in the various departments.

You should remember, sir, that a recent decision by the Federal Court, by Justice Noël, which you probably heard about, insisted on the notion of “strictly necessary”. It was mentioned by my colleague. CSIS, for example, gathers information. As you mentioned, it has changed. Years ago, and I remember that, you had information on paper. Now it's electronic, and it has changed a lot. It's still there, but Justice Noël rendered a decision with regard to collection and retention, and the government decided not to appeal the decision.

Yes, it was recent.

Absolutely. In this case—and we put this in our report, if you remember, last year in January when we reported on that—the question was whether “strictly necessary” should apply all the time. It's a complex notion, but at the same time it gives the indication that they have to review all the documents on a regular basis to make sure that they don't keep that data too long, or for a period that will not be considered strictly necessary.

This is in the law. It will take some time for the service to get rid of the information that was gathered that was not strictly necessary. This is the guidance that we have in our law.

Do you mean Mr. Coulombe, the director?

Oh, it's not the service. You said director of the service, but you mentioned the director of our organization.

Okay, I'm sorry, because you said the service.

Sorry; could you repeat that?

As was mentioned, we have agreements—and I'm not talking about us but about the service—nationally and internationally to share information. As you know, and I'm not the first to say this, Canada is, as the expression goes, a “net importer” of intelligence. This means that we need intelligence, which we receive from other countries. It's important for our security and the security of our partners, particularly the Five Eyes partners, as you mentioned.

We have an ongoing agreement. CSIS has ongoing agreements, and information is shared within those agreements. I cannot comment on specifics, obviously, as you know.

That's a good question. I did explain that you cannot just push a “delete” button. It's not that simple. Sometimes, and I'll use an example, it's like having the whole phone book, and you need just one page. In a sense, now, to destroy the information that is not strictly necessary, they need to review a lot of information, so it's going to take months to do that.

We have a team right now. As you know, the minister, using one section of our law, asked us to review that and make sure that it will be done. We're in this process right now. From our limited resources, we have taken people to do that. We're in the process of doing that, but it's going to take months. It's not something that you can destroy that quickly.

No, I don't think so.

Do you mean the time frame for our research?

I cannot give you details right now, due to the fact that usually we plan our research for many years, but this research will be done this year. It's in process now, and I'm pretty sure it will be finished by the end of the fiscal year.

Unfortunately, the way we do that is we put that in our report to Parliament and to the minister; however, the minister gets it during the summer, and the House should be sitting when we file the report. This year the report was filed sometime in September.

Do you know something? We are independent. Our committee decided to review the impact of this legislation on the work of CSIS. I say that because it's important to know that it's not the minister who tells us what to do. We decided, because we believed it was important to review it.

It happens that Parliament is also reviewing, but....

I think we are, with all due respect, wandering away a little bit from SCISA, but anyway.

With regard to CSE, CSE has arrangements, or MOUs, with the Five Eyes partners—that's evident—but again what is important in those arrangements and MOUs is the fact that CSE stressed the point to its partners that it cannot target Canadians or people in Canada.

I think the partners have to be aware of that, in our case. It's vital. If not, we have a problem, because the National Defence Act is very clear that CSE cannot target Canadians and cannot target people in Canada. Therefore, this is the main issue we share with our partners.

I would add that the signals intelligence agencies have an agreement not to target each other's nationals and to respect the privacy laws of each of the five members. That's amongst the signals intelligence agencies.

For us, you should remember that in some areas when we look at protecting Canadians and the security of Canadians, foreign fighters are one example of Canadian people are travelling abroad in some area and, as you know, it's public. We discuss this matter in our report almost every year. Obviously, we don't have the same environment as my colleague, Mr. Plouffe, and in those cases we are very prudent in the way we share information among the partners.

However, it shows, nevertheless, the importance of having a strong and clear agreement about how we share this information, given the problems that happened in the past with sharing that information, particularly with other countries.

We are an importer. We need information, but we also provide some information. It's a give and take. It's important, and we follow that very carefully. We look at this every year. This is an important part of our review, and we discuss that in our report every year as well.

Are you quoting from Mr. Therrien?

I guess at first blush what I would answer is that it is important and vital to have a balance between security measures on the one hand and the protection of the privacy of Canadians on the other hand. I know that this objective is not easily attained, but I think this is what it is all about. Security measures are important in our day and age, as we all know. It's vital for our country, but on the other hand, I don't think this should be detrimental to privacy rights.

To be very honest, I'm not....

You should know that when some intrusion is made that would go against the Charter of Rights, for example, it cannot ever be done without the authorization of a judge. The judge will apply the law of the land and will not set aside everything.

He will look at whether it's necessary to allow breaching somehow some fundamental rights, and as I'm sure you know, section 1 of the Canadian Charter of Rights and Freedoms says particularly that. It says that this charter could be infringed, if it's necessary, in some particular case. We forget that from time to time, but it's the case.

CSIS works without warrants when they're not necessary, but there's always.... This is an important point. Nobody raises it often, but it's important to remember that they never intervene without a warrant, and we look into all those warrants. This is part of our job, I would say. It's a major point to track down those warrants to see whether they're acting within the law.

You mean in terms of exchanging information?

When we initiate an investigation resulting from a complaint from a member of the public, or the systemic one that we're doing, the first step is to write to the RCMP, and they're required under the legislation to provide us with all relevant material.

There is a fairly elaborate process within the RCMP Act for providing that material to us. There are provisions in there that the RCMP can withhold certain information. I could go into a fair bit of detail, but it's largely a very co-operative relationship. We receive the information that we deem is relevant; if the RCMP has any objections to it, then there's a process in there for us to discuss it and elevate it. If the RCMP claims privilege over material, then we have to establish that it's relevant and necessary. That's our standard.

I can tell you that we've never been there under the new legislation. We normally can work these things out in a co-operative manner. We'll respect the RCMP's identification of privileged material or sensitive material. We'll go see it on RCMP premises, as opposed to bringing it to ours. There's a fairly elaborate procedure, but I have to say the RCMP have been very co-operative in providing us with what we ask for.

If I understand your question, it's simply a matter of the best practice. If we're looking at an RCMP file and we discover that some erroneous information has been provided to another agency, we'd certainly expect that information to be corrected. We have the authority to make recommendations to the RCMP.

It's a difficult scenario without knowing the specific context, but we have the ability to make recommendations. I would hope that the RCMP would have corrected this on their own initially. They certainly would be able to go after the information, pull it back, and make the corrections. If we did a review of a file and found that they didn't do that, we would certainly have the authority then to make the same recommendations.

If I could comment on this very point, you mentioned that if there's a breach of privacy, in essence it would be for the Privacy Commissioner to investigate, but I want to stress that with regard to CSE, under the law in my mandate, I have also a mandate to protect the privacy of Canadians.

Therefore, every time we conduct a review, this is part of my mandate. I have to investigate whether or not CSE activities are considered a breach of privacy. If it is the case, I have to inform both the Minister of National Defence and the Attorney General of Canada that they are acting illegally, in essence.

If I could just add to that, Commissioner and Mr. Kelly, we review on a regular basis a privacy incident file that CSE maintains.

It's called the PIF.

In that, there may be, for example, the issuance of a report that may have had a name wrong or a named Canadian, and the reports will be retracted and re-issued and an assessment made of whether or not any consequences would be expected from that. We're reviewing that on a regular basis.

It's relatively small, because there's a provision in our legislation that allows us to refer a complaint to another body if it would be more appropriately dealt with elsewhere. When we receive those types, we give them to the Privacy Commissioner or the Access to Information Commissioner as well.

It's interesting, your question, because our name in English is “review committee” and in French it's

Intelligence Oversight Committee.

It's not the same. It's been there for 31 years, and I know that the first day I was appointed, I said, “What is that? It's not surveillance. Surveillance is oversight?”

Just to mention this point, we try in our review to get as close as we can to the factual points that are raised. For example, if there is an issue that is in the public domain, we try to put a team in quickly to look into the matter, but we cannot, I would say for obvious reasons, oversee when there are operations. It would be against all the rules and even the capacity of CSIS.

At the same time, we understand that our report is a little bit delayed compared to when things happen. We should remember nevertheless that in our report we mention when we did it, when CSIS reacted, and what the reaction was to it, which is the best we can do.

Maybe the committee of parliamentarians will have a little bit of oversight. I don't know, but it's the best we can do.

Oh, oh!

You're quoting whom?

You're talking about sharing information with other organizations—

—in Canada or elsewhere.

It remains important all the time. I precisely mentioned with my colleague Mr. Plouffe that the two organizations, CSIS and CSE, share information, but the two bodies that are looking at them cannot.

This is a problem that is there.

Even if we are buddies.

We identified that to the government. The government is aware of that. It's complex. It's easy to see the problem, but the means to address it are complex.

As you know, they're looking at this. That's why there is a consultation process right now to review all of that by the government. We expressed our views on that. I speak for myself, but I think Jean-Pierre and I both agree, and our colleagues in the RCMP as well, that we need more co-operation to help us, but it's up to the government to make the decision on that and find the right way to do it, and there's no magic solution.

I have just one comment on this point. It is true that right now there is no explicit authority to co-operate, but there's no explicit prohibition either. Therefore, practically speaking, over the past five years my predecessors and I have provided 10 or more letters to SIRC referring to specific issues that have arisen in my review of CSE that have implicated CSIS. It just means that even if we don't have the explicit authority, there's a certain amount of co-operation that could be done, and we are doing it.

All of our recommendations are in our report, and what is in our report as well is the response by CSIS. Sometimes they agree and sometimes they do not totally agree. It depends when the operations allow them to.

To give you an example, you remember what happened last year? We made a recommendation that they should go to the Federal Court. They said, “No, we're not going to Federal Court.” What happened? Federal Court—

Finally, even though they didn't agree, we were successful.

Can I add something very quickly?

It's true that there's the Thomson decision of the court that says that our recommendations are non-binding. However, we do have a tracking tool at SIRC for the recommendations we make to the service, and we take it very seriously. We follow up with that, and we do have that tracking mechanism.

We review that every three months.

We should remember, as we mentioned, that years ago we were collecting documents like this, printing copies and so on. Now it's changing to electronics, and sometimes with electronics we cannot collect just one piece; sometimes we need to have a bulk of information to find out what we need from it.

This is the problem that we face with the metadata question. I think it will be there for a while, in the sense that my friend and I have to look into two agencies and scrutinize them to make sure they will not abuse that and take more information than they need. At the same time, we have to allow them to make sure that they gather the information. If they don't have the information, lives could be at stake and problems could arise in other ways. Sometimes we have to balance that.

It has to be looked at on a regular basis. We cannot say it's this way or that way. We will have to follow up. I'm very prudent on that personally. I said it's important to make sure that we protect individuals, but at the same time, we have to protect the large community as well. Sometimes we need to have a bulk of information and find out where it is.

Before, it was easier; now it's more difficult.

Could I add very quickly to what the chairperson added?

When we are reviewing CSIS's activities, we want to make sure that they're complying with the law, the ministerial direction, and policy. That also includes the charter. That also includes making sure that the privacy rights are being addressed as well. When we're looking at it globally, we're reviewing all of CSIS's activities.

I am speaking for my organization. We were in favour of sharing information because it's helpful for CSIS to know more and to be well prepared to face the challenge.

On the question, we should know that our organizations are accustomed to confidentiality. Some of those 17 departments are maybe less accustomed to work in a confidential context, so there's a risk sometimes of something falling through the cracks and being published, but in our case, we're accustomed to that. We've had confidential documents for 31 years. We know that; we know what it is.

CSIS gathers information very easily, and we do look into matters. Other organizations will have to get accustomed to it and be well prepared and well organized to treat this information to protect people's privacy.

From the RCMP's perspective, the answer to your question is in the terms of reference of the review we're doing. Justice O'Connor's report is 10 years old, and the recommendations were made with respect to RCMP information sharing. As my colleague says, it's been going on. Information sharing is the lifeblood of law enforcement, and that's why we're looking into making sure that it's done in a way that's consistent with the law. Regardless of what rules are in place, that's going to be the yardstick that we're using to measure it, whether it's SCISA or the Privacy Act or anything else.

Since CSE has neither received nor shared information under that law, I don't have any additional comments to make, unfortunately.

Well, in speaking for us, we will know more when we get to our report.

Mr. Chair, would you suggest that we provide our report to the committee when it's done?

Excuse me; my only question is technical. I just want to make sure. I will look at how it could be done. We remit the document to the minister, and the minister, I think, has the obligation to file it in the House. We'll make sure that we respect that.

I don't want to be sued by your colleague, the Speaker of the House. You see my point. I just want to be prudent—

We'd be happy to come back once it's tabled.

We aren't the ones who decided which institutions would be in the schedule. However, I can say that these institutions share information one way or another.

For example, the role of the Canada Border Services Agency is different from what it was 15 or 20 years ago. Currently, the agency directly addresses the possibility that some foreigners are entering Canada, while representing a terrorism threat. The same is true of organized crime, and the Department of Finance has a role to play in that area. The Department of Transport must deal with potentially dangerous situations that occur on board airplanes and trains or in stations.

That is why the government decided to put all these institutions in schedule 3, even if the percentage of security information that they may provide is 2%, 10% or 80%. The government didn't want any department with security-related information to be left out. In fact, the government would be better equipped than I am to answer this question.

Here is my vision of things. We often receive information, and it may have taken a different route than through the police or CSIS. It may come from another department. I think that we wanted to ensure that all information will be shared.

At one point in France, there was a problem at customs. The people responsible for I don't know how many deaths at an establishment in France entered the country from Belgium. Information from border services hadn't been shared. If that information had been shared, one of those people might have been stopped.

In order to act, all the services involved must receive information from every possible source. That's the best answer I could give you on that, Mr. Lightbound.

I would like to provide some additional information.

Paragraph 2(a) of SCISA deals with activities that undermine the security of Canada. The passage reads as follows:

(a) interference with the capability of the Government of Canada in relation to intelligence, defence, border operations, public safety, the administration of justice, diplomatic or consular relations, or the economic or financial stability of Canada;

I guess that's the reason for the 17 institutions. Each one has a role to play, based on the definition in that paragraph.

Just to add from our perspective, I agree with my colleagues. You have to think of national security as more than counterterrorism. It does go quite broad.

With our review, it's not just going to be about information sharing under SCISA. It will be information sharing writ large. What that means is that there may even be more than the 17 that are listed where information has been shared. Our report will be made public, so you'll be able to see that. It might give you a better sense of the nature of the information we're talking about and how it touches on so many different areas.

In theory, we could argue that a super-agency would solve all the problems. In practice, and in the meantime, there are ways to improve the system, if I may use the expression. The way to do it is very simple. It's to give the review bodies an explicit authority to co-operate.

This is quite easy to do. The government could it. Then, if they do that, it will be quite easy afterwards to make joint investigations and share operational information that we cannot share right now.

Again, I come back to what I was saying previously: it's that in the meantime, it's very easy to create a coordinating committee among the existing review bodies so that we are more efficient and more open-minded.

Not to my knowledge.

I cannot answer for the agencies. I suspect that, for example, that the CSE chief might appear before you, and this is the type of question I would suggest you ask her at the time. In the meantime, with regard to review bodies, I come back to the comments I made a few seconds ago. It's quite easy, if they want to improve the system as is, to improve it. This is the recommendation that the existing bodies are all making. We are unanimous in that direction. Give us explicit authority to co-operate. Let's create a coordinating committee in the meantime. It will be easier and more efficient to deal with the committee of parliamentarians that is about to be created. Let's be practical in the meantime, and let's be efficient.

I mentioned that already. I said I am in general agreement.

Yes.

It's not for me to comment about it. The government will decide.

It will be no.

I would say so.

Excuse me; I missed the point.

Yes.

When I spoke of “relevant” and “necessary”, I was talking about the relationship between the RCMP and our commission as opposed to the sharing of the RCMP.

I would agree with that.

You're talking about the review bodies?

The law will apply. If the threshold is relevance, fine. If it's not relevant, it should be deleted. If the threshold is necessity, then it's a higher threshold. If it's not necessary, then it should be deleted.

I don't think so. This is not within the mandate in my view of a review body.

The mandate should be reviewed at the same time. It's difficult to respond. It's too narrow, I would say, for me.

The review body normally will ensure that the agency in question does not violate the law and respects the privacy of Canadians. This is the objective of a review body. It's not an oversight body. It's not a refined review. It's a post facto review.

I made a suggestion earlier on about the section that deals with regulations, which is section 10. I suggested with regard to the powers of the Governor In Council to make regulations that a fourth criterion should be added. It should read something like this: “The destruction of information that is not relevant”.

Yes.

I would like to add in the law enforcement context, which is an answer I wanted to provide to an earlier question as well, that there's another layer of complexity in the law enforcement when it's information that's obtained by virtue of a search warrant, because then you're getting into judicial authorization.

When law enforcement bodies obtain information pursuant to judicial authorization, they report back to the issuing authority, so it's out of their hands to destroy or handle that information in any way. It belongs to the judge who issued the search warrant. There's a different set of parameters in the law enforcement context.