Thanks very much, and good afternoon, Mr. Chair and members of the committee.
My name is David Elder. I am an executive committee member of the privacy and access law section of the Canadian Bar Association. I also co-lead the privacy and data protection practice at Stikeman Elliott LLP. I was formerly the chief privacy officer for a major Canadian telecommunications company, and I have been practising privacy law for over 20 years.
Thank you for the invitation to present the CBA's view on the Security of Canada Information Sharing Act.
The CBA is a national association of over 36,000 lawyers, law students, notaries, and academics. An important aspect of the CBA's mandate is seeking improvements in the law and the administration of justice, and it is that perspective that brings us to appear before you today.
Our submission to the committee on SCISA was prepared by a CBA national security working group, with contributions from the privacy and access law section as well as other sections. The section's membership represents lawyers with in-depth knowledge in the areas of privacy law and access to information from every part of the country, drawn from private practice, industry, and government sectors.
Our section also worked on the CBA submission this past fall in response to the government's national security green paper, and the year before that on the CBA submission to the public safety and national security committee respecting Bill C-51, part of which contains SCISA.
I'll now address the substance of our submission.
The CBA supports information sharing for the purpose of national security when that sharing is necessary, proportionate, and accompanied by adequate measures against potential abuse. However, sharing too much information or sharing information for unrestricted purposes can lead to harmful consequences. Moreover, such oversharing is contrary to the principles underlying privacy laws in Canada.
SCISA has significantly expanded intragovernmental information sharing for national security purposes in Canada, including the sharing of potentially sensitive personal information, without precise definitions, basic privacy protections, or clear limitations on the purposes for sharing. While some helpful changes were made to SCISA before its final passage into law in 2015, the statute still causes concern on several fronts.
The CBA has four main concerns with the law as enacted.
The first is independent oversight. SCISA includes a number of useful guiding principles for information sharing, including the principle that originators should retain control over shared information and the principle that information should be disclosed under the act only to institutions carrying out responsibilities in respect of activities that undermine the security of Canada.
However, to be meaningful, SCISA must include a robust oversight and accountability mechanism to enforce these principles. In the CBA's view, any oversight body should have independence from the government institutions that will be sharing information under the act in order to avoid any potential conflicts of interest.
There may be several oversight models that could work in this regard. The committee of parliamentarians that was proposed in Bill C-22 could be one such option. Existing institutions, such as the Office of the Privacy Commissioner of Canada, might also work.
Whatever oversight mechanism is pursued, in order to better facilitate the review of activities carried out under SCISA, the CBA submits that regulations should be introduced requiring disclosing institutions to keep a record of all disclosures made under SCISA and requiring receiving institutions to maintain records of subsequent use and disclosure of information received pursuant to SCISA. If such records do not exist, it will be nearly impossible for any oversight body to determine whether the guiding principles of the act are indeed being respected.
The second concern is balanced information sharing.
The CBA notes that subsection 5(1) of SCISA permits disclosure among the 17 government institutions listed in the schedules of the act if the information is relevant to the recipient institution's jurisdiction or responsibilities under an act of Parliament or another lawful authority respecting national security. In the CBA's view, mere relevance is a very low standard for what should be an exceptional sharing of information between government institutions, and this could allow for unnecessary and overbroad sharing of information, undermining the privacy rights of Canadians. The CBA agrees with the previous submissions of the Privacy Commissioner of Canada and others that a test of necessity would better balance the objectives of SCISA with privacy rights and principles. In other words, in order for information to be shared with another institution, such sharing must not only be relevant to the receiving institution's mandate respecting national security, but also have to be necessary in order to allow the receiving institution to fulfill that mandate.
The CBA is also of the view that the existing schedule 3 to SCISA, which lists the institutions with which information may be shared under the act, should be expanded to include references to the specific sections of the statute supervised or implemented by those institutions that might relate to national security concerns. Greater specificity would assist both disclosing and receiving institutions, as well as any oversight body, in assessing whether disclosure to another institution might be appropriate.
Our third concern with SCISA is the lack of restrictions around subsequent use and disclosure of information disclosed to an institution under section 5 of SCISA. More specifically, the current provision seems to allow for the subsequent disclosure by a recipient institution to other non-designated government institutions, to individuals, to foreign governments, or even to the private sector, and for purposes unrelated to national security.
In the CBA's view, the information sharing between government institutions contemplated by SCISA should be seen as an extraordinary measure designed to fulfill an explicit narrow purpose. Accordingly, SCISA must be designed to eliminate what is sometimes called “purpose creep”, including potential disclosure to third parties.
The CBA is particularly concerned about subsequent use and further disclosures by a receiving institution when the information has been obtained by the disclosing institution through the exercise of extraordinary powers, such as powers to compel production of information or enter premises. It would be inappropriate for a receiving institution to be able to leverage, for purposes unrelated to national security, any investigation and enforcement powers not conferred on the receiving institution by Parliament. SCISA should not allow receiving institutions to obtain indirectly that which they cannot obtain directly.
Fourth, the CBA is concerned about reliability of information.
The CBA is concerned that SCISA includes few effective checks and balances on information sharing or safeguards to ensure that shared information is reliable. The Arar commission stressed the importance of precautions to ensure that information is accurate and reliable before it is shared. Omitting safeguards in SCISA ignores lessons learned through the Arar saga and the recommendations of the Arar commission, and risks repeating the same mistakes.
In conclusion, once again the CBA appreciates the opportunity to share our views on SCISA. We support balanced information sharing for the purpose of national security when it is necessary and proportionate, and is accompanied by safeguards that are adequate to protect individual privacy rights and to ensure the reliability of any information shared pursuant to the act.
I'd be pleased to respond to any questions the committee members may have.