Evidence of meeting #40 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was sharing.
A recording is available from Parliament.
11:35 a.m.
Conservative
The Chair Conservative Blaine Calkins
Good. Thank you, Mr. Erskine-Smith.
We now move to Mr. Kelly for around seven minutes.
December 8th, 2016 / 11:35 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Thank you, Mr. Chair.
I had the opportunity earlier in this Parliament to introduce a private member's motion that dealt with Canada Revenue Agency, which is one of the agencies within this. It was not related to national security, but one of the anecdotes that came up during my dealing with that motion was the damage that can be done to someone through the sharing of incorrect information. In that case the CRA had marked somebody as deceased. They then shared that information with other government agencies, and so in the process of bringing this person back to life, so to speak, with all of the various government agencies with which this woman had to interact, her damages and the issues she faced were compounded by the fact that the information had been shared with Service Canada and with other agencies.
I'd like to address my question to Mr. Evans. If the RCMP collects and shares inaccurate information about an individual, what are the procedures to correct that information? When you try to correct information that's incorrectly shared and audit the accuracy, how can you ensure that you don't end up reporting incorrect information back and forth to each other from one agency to another? That is what really happened in this one case I'm aware of with the CRA, and it started this snowball effect of continually trying to mark this person as deceased.
11:40 a.m.
Senior Director, Operations, Civilian Review and Complaints Commission for the Royal Canadian Mounted Police
There are a couple of ways I can answer the question. The first is to say that in our reviews of RCMP activities and the conduct of individuals and incidents, we use that to inform broader systemic issues, so we will also be looking at internal processes within the RCMP.
We're approximately 60 people in our organization, and the RCMP has roughly 30,000 employees, so it's impossible for us to look at individual files.
My point is that we spend a lot of time reviewing practices and procedures to ensure there is effective internal oversight of the RCMP itself. Part of the answer, I guess, would be that we're looking to make sure that somebody is verifying, especially for that type of sensitive information sharing, what types of policies and procedures are in place to make sure there is sufficient scrutiny, potentially centralized control, before it happens.
The second part is that disclosure of personal information in the scenario you have described is a matter for the Privacy Commissioner. That is an area that would have to be reported. That breach of personal information being shared would be reported to the Privacy Commissioner.
11:40 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
It wasn't so much a breach. It was inaccuracy. If the information had been accurate in her case, it would have been appropriate to share that information.
11:40 a.m.
Chair, Security Intelligence Review Committee
In the first place, that says that there was a problem, in this case inaccuracy, so it would have to be corrected by, I would say, anybody. Nobody should provide any inaccurate information in the first place.
It's not a problem of sharing. It's a problem of having accurate information in the first place.
11:40 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Fair enough, but I don't think any of us has an expectation that an organization—for example, the RCMP—with 30,000 employees will never make a mistake. I don't think it's a reasonable starting position to say that we'll just be perfect and then we won't have a problem with sharing inaccurate information.
Currently, how do you fix the mistake of information that was shared that was inaccurate, and what ought to be the way we go about this if we're to improve?
11:40 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
If I may, I'll comment on your question.
I think maybe one way to do it would be to incorporate into the act a provision that any information that is not relevant, which is the threshold used presently in the act, should be destroyed. This is not built into the act right now. In my view, that's a problem.
For example, I'm looking at section 10 of the act, which talks about regulations that could be made by the Governor in Council. They have three ways to make regulations. I would add a fourth one, which should read “destruction of information that is not relevant”. If you have a built-in provision to the effect that if it's not relevant, it is to be destroyed within a certain time, I think you would avoid the problem you just raised.
We have that with regard to CSE right now, the body I'm reviewing. If the information doesn't meet the criteria set out in the National Defence Act, the information must be destroyed.
11:45 a.m.
Senior Director, Operations, Civilian Review and Complaints Commission for the Royal Canadian Mounted Police
I can say in the context of the RCMP that there are accountability mechanisms built in. If you're talking about the conduct of individuals who have either collected or inappropriately shared inaccurate information, and members of the public become aware of that, they can certainly make a complaint that would come to us. The RCMP itself has its own internal mechanisms to discipline members if it is done in a way that's negligent or if there is some misconduct involved. There are adequate measures to address that.
The first part of my answer was that we try to make sure that it doesn't happen in the first place by having better practices, some oversight internally to make sure those mistakes don't happen, but there are mechanisms built in to deal with the consequences as well.
11:45 a.m.
Chair, Security Intelligence Review Committee
This is an important point: corroboration.
CSIS has been collecting a lot of information, as you know, for 30 years. We were even blamed for keeping it too long. They often use corroboration to know whether information is right or wrong. Having information that is not right is a problem in the first place.
You have mechanisms in any organization to make sure that information is correct. Sometimes corroboration, or having many sources regarding the same information, is a good practice, and improving practices would probably help any of those organizations. It exists at CSIS. It exists for us as well, but as was mentioned—
we are not immune
of a mistake. Everybody makes mistakes. It happens from time to time.
11:45 a.m.
Conservative
11:45 a.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Thank you very much.
My first question I think is relatively straightforward, and it's for the review bodies that have already started looking into information sharing under SCISA.
We've heard that there are a handful of agencies that have either transmitted or received information under SCISA and that there have been only 50-some instances of this. I'm curious to know how that's recorded. How many Canadians could be covered under one of those acts of information sharing? Fifty-some shares sounds modest, but if the information of tens of thousands of Canadians counts as one of those shares.... I'm curious to know, when shares are recorded under SCISA, how many people, potentially, are covered by one share of information. Presumably it's not a one-to-one correlation so that the personal information of only 50-some Canadians has been exchanged under the authority of SCISA.
11:45 a.m.
Senior Director, Operations, Civilian Review and Complaints Commission for the Royal Canadian Mounted Police
From our perspective, the best answer I can give you is that I'll have to get back to you when our report comes out. We are literally just at the stage now of reviewing those files. You're right that it could be one to one. It could be all sorts of different types of information sharing. We're just at a very preliminary stage right now in terms my being able to answer that.
11:45 a.m.
Chair, Security Intelligence Review Committee
It's the same for us. It looks bad, somehow, but as we mentioned, we're in the process of a review. Maybe we'll have some more information when we table our report later this year.
11:45 a.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
For now it would be up to agencies like CSIS and the RCMP to characterize their shares. If they tell you that they've shared 18 times, it's up to them to generate that output based on whatever the sharing was. There's actually no established rule for saying what constitutes a sharing of information. They could reveal the entire content of a database and call that one instance of sharing.
11:45 a.m.
Chair, Security Intelligence Review Committee
Remember that some arrangements, some MOUs and agreements, already exist between certain of those institutions. We recommend that you develop more agreements and probably put in place some guidance on that. We obviously need some guidance. You cannot say, “Well, bring all that.” You should mention how to manage that. It's done already in some instances, but not everywhere, as I mentioned in my document earlier.
11:50 a.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Okay.
I want to return briefly to the conversation around the possibility of having one super-office, if you will, that reviews information sharing across government agencies. I respect that the government obviously will have to make a decision about exactly how they want to do that, but I wonder if you could comment, given your experience, on the pros and cons of going with that approach, versus continuing to have multiple review bodies working in collaboration, versus bringing all those functions for the various agencies under one office.
11:50 a.m.
Chair, Security Intelligence Review Committee
In the United States, just to give you a flavour, they have 71 inspectors general looking at different areas of national security. I think it's about how you put those people together and about the mechanism for co-operation. Speaking for myself, I could say that the creation of the new parliamentary committee will give some power to....
I don't want to comment too much on that. The bill is before the House of Commons right now, at the report stage, probably, or close to it. This committee, when it's in place, will be able to have a look and co-operate with us. I think all of us have offered our co-operation to the committee to look into all the matters, because the committee will not be limited. It will have access to all. It may be limited access; I don't know, but it will be for Parliament to decide. Probably it will be
a step in the right direction.
It will be a first step, and we will see later on how it develops. For us, you cannot ask us to.... We do our jobs. We try to co-operate. We did inform the ministers that we should probably have the means to “follow the thread”. It's in the air. The government expressed their views on that.
For us, the more we can co-operate, the better for the information and national security community, I would say. You should remember what we all have in common, that we all want to protect Canadians from any threats from inside or outside. It's a goal that we all have. We cover a little angle of that. We ourselves don't do the operations, but we make sure that the operations of CSIS are done within the law.
We're all on the same side. All of the organizations are on the same side, the side of protecting Canadians against threats to national security.
11:50 a.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
I think you mentioned in your presentation that one of the challenges, though, was not being able to chase down the information outside of the realm of CSIS. Do you think just simply expanding the scope of SIRC would be the way to do that, or do you think it would be having one office or creating a mandate for review bodies to work more collaboratively? What are the relative pros and cons? Is there something lost in having one office?
11:50 a.m.
Commissioner, Office of the Communications Security Establishment Commissioner
The short answer is in Justice O’Connor's report. He has studied in depth having one super-agency versus keeping the existing agencies as they are. As an example, with regard to CSE or the Office of the CSE commissioner, Justice O'Connor has stated that it should not be included in this so-called super-agency because of its uniqueness. As you know, CSE is the foreign intelligence agency, or the electronic agency, and it's unique in itself.
Having said that, I think if you go to Justice O'Connor's report, you will find several pages on the pros and cons. For example, with regard to CSE, as the commissioner, I have one agency to look after. Therefore, I can go in depth because I have only one agency to review. Let's say, for argument's sake, that I would have five, six, or 10 agencies to review; I have the impression that the reviews that I would be making would not be as thorough. There are pros and cons about this so-called super-agency versus more focused agencies. As I said, Justice O'Connor has studied the matter thoroughly.
11:55 a.m.
J. William Galbraith Executive Director, Office of the Communications Security Establishment Commissioner
Mr. Blaikie, you raised two elements. One is the sharing of information and how to review the sharing of information between government agencies. The other part is the ability of the expert review process to get in depth into the agencies, as the commissioner stated. However, there is the issue that's raised by SCISA of who would be best suited to review the information sharing that's going on. The survey that the Privacy Commissioner has done gives some indication, and as the commissioner mentioned, perhaps the committee of parliamentarians might be able to follow that, but two distinct....
I think there has been general agreement on the need for expert review. The Privacy Commissioner has stated that need, and I think the results of the existing review bodies, as the commissioner and others have described, demonstrate the positive results of expert review and the need for it.
11:55 a.m.
Chair, Security Intelligence Review Committee
This is a major point. We should remember that we need experts drilling down in detail to the factual elements, as we do. We have done that for 31 years now, in our case, and we have experts. I'm sorry—
11:55 a.m.
Conservative
The Chair Conservative Blaine Calkins
I need to move on, since we're almost at 10 minutes for Mr. Blaikie, but I'm sure you'll get an opportunity.
Go ahead, Mr. Saini, please.
11:55 a.m.
Liberal
Raj Saini Liberal Kitchener Centre, ON
First of all, good morning everybody. Thank you very much for coming here.
I want to stay with the same theme, but I want to just ask your advice on something, or where you think things could be improved.
We know the process of gathering information has changed over the last 30 to 50 years. We're relying less on human sources and more on technological sources, and this question probably pertains more to Mr. Plouffe.
We're talking about information gathering, and Mr. Blais, in your opening comments you talked about having specific, detailed information-sharing agreements. When you have 17 government departments and 110 agencies that have the possibility to share information and you're sharing information among yourselves, there are going to be ambiguous points. Information is shared and information is collected and then it's going to be shared with another body, so that information is going to be stored in one area and it's going to be shared with another area. How do we determine—Mr. Plouffe, I know you highlighted this in your opening comments—how that information is to be stored and how it is to be disposed of, if that information is not required?
I know the RCMP often conducts search warrants and that in some cases the information that you derive from the search warrant may be sent off to another organization. In the end, that information may be determined to be not actionable or not relevant, so I'm wondering where the information is being stored right now. Maybe you can give us some guidance about that. Also, could you comment on how that information should be disposed of so that it's not residing in one place in perpetuity.