Information & Ethics Committee on Feb. 2nd, 2017

Hello everyone.

Pursuant to Standing Order 106(2), we need to elect the first vice-chair, who must be a member of the government party.

I'm now ready to receive motions for the election of the first vice-chair.

It was moved by Mr. Kelly that Mr. Erskine-Smith be elected vice-chair of the committee.

Are there any other motions?

Mr. Erskine-Smith is duly elected vice-chair of the committee.

(Motion agreed to)

Thank you, Mr. Chairman, for the invitation to appear before the committee. My name is Donald Roussel, and I am the associate assistant deputy minister for safety and security at Transport Canada. I am joined, as you mentioned, by Marie-France Paquet, director general, intermodal surface, security, and emergency preparedness.

I will go through an overview of the mandate of our department, which includes the promotion of safe, secure, and efficient transportation for Canada and Canadians.

To fulfill our mandate, the department uses, updates, or develops legislation, regulations, policies, and standards to safeguard the integrity of the air, marine, and surface modes of transportation for Canada. We also implement programs. We monitor, test, and inspect to enforce the regulations and the standards.

The main groups in charge of promoting security are aviation security, marine safety and security, surface and intermodal security, the security screening program, and security intelligence assessment.

The aviation security directorate is responsible for safeguarding the integrity and security of the Canadian aviation system through a comprehensive suite of legislation, policies, regulations, and security measures. The directorate regulates and conducts oversight of the industry, including airports, air carriers, and airport tenants, and the Canadian Air Transport Security Authority, more known as CATSA, which provides screening services of passengers, their baggage, and non-passengers at 89 designated airports.

The marine safety and security directorate develops and implements policies and regulations promoting the safety and security of the marine transportation system, and conducts related oversight. This includes mandatory reporting of security incidents by industry, and comprehensive safety and security inspection regimes.

The surface and intermodal security directorate manages Transport Canada's rail security program. Guided by the Railway Safety Act, the International Bridges and Tunnels Act, and the Transportation of Dangerous Good Act, SIMS works with partners to enhance the security of surface and intermodal transportation across Canada.

The security screening branch collaborates with security and intelligence agencies and administers the transportation security clearance program to mitigate risks posed by individuals who are potential threats to aviation or maritime transportation and infrastructure.

The security intelligence assessment branch is the departmental point of contact with the intelligence community. It is responsible for analyzing and disseminating relevant intelligence within Transport and to industry stakeholders.

Finally, the emergency preparedness branch, which includes our situation centre, responds to emergency situations, safety and security incidents, natural disasters, or emerging threats impacting the national transportation system. The situation centre operates on a 24/7 basis and works in close co-operation with other government response centres.

On national security responsibilities, I will now turn to Transport's jurisdiction and responsibilities with respect to measures to mitigate external activities that undermine the national security of Canada and describe the safeguards ensuring that exchanges of information are conducted in compliance with federal legislation and policies.

Canada's national transportation system is vital to our economic prosperity and a key national security component that can be undermined by criminal activity, threats to, or interference with this vast and complex system.

Our responsibilities include identifying, tracking and responding to threats to surface—including rail, international bridges and tunnels—marine, and aviation transportation emanating from terrorists, sabotage, or other forms of unlawful interference, such as hostile cyber activity. Our security intelligence assessment branch depends on open source information, as well as classified information from agencies like the Canadian Security Intelligence Service or CSIS, the Royal Canadian Mounted Police, Global Affairs Canada, and the Communications Security Establishment Canada.

Access to security intelligence information allows Transport Canada to effectively and proactively identify and address threats to transportation. Any restrictions or reductions in the quality and quantity of information originating from the agencies with national security responsibilities could undermine our ability to meet or legislate responsibilities and negatively impact the security of Canada.

Transport Canada relies on multiple legislative and policy instruments to fulfill its mandate. These instruments allow the department to implement appropriate policies and regulations, deploy technologies that enhance transportation security, and conduct oversight and enforcement. I will briefly describe some of the legislation that Transport administers in relation to its national security responsibilities.

The Aeronautics Act is the primary legislation governing civil aviation in Canada and authorizes the development of regulations and security measures for the security of aerodromes and commercial aircraft operations. The Marine Transportation Security Act and the marine transportation security regulations provide the Minister of Transport with the authority to establish measures and regulations to ensure the security of Canada's marine transportation industry. This includes preventive measures and a framework to detect incidents that could affect vessels or marine facilities.

The Railway Safety Act promotes and provides for the safety and security of the public and personnel, as well as the protection of property and the environment for railway operations. The act has a number of instruments that can be used to promote security, including the issuance of emergency directives and security measures. TC has yet to resort to Security of Canada Information Sharing Act provisions to fulfill its national security responsibilities. Information exchanges occur under existing TC legislation or legal authorities of other institutions, as well as under the Privacy Act.

Regarding information safeguard mechanisms, information on security threats is found in different government institutions. That is why efficient and responsible sharing of information among government institutions is essential to a government's ability to identify, understand, and respond to threats to its national security. I will now describe the mechanisms in place to ensure that exchanges of information at Transport Canada respect Canadian laws and policies.

Since 2012, we have been guided by a comprehensive document entitled “The Transport Canada Intelligence Function Guidelines to Intelligence and Information Sharing”. It has clear instructions on information disclosure, including personal information among Government of Canada departments and agencies. All TC programs involving national security information disclosure include effective tracking systems to ensure privacy rights are respected. Here are some examples on how personal information disclosure is managed in two key programs with major national security implications.

First, the security screening program involves the use of a records management database and a stand-alone network to manage personal information on government employees, as well as workers who require access to restricted areas of ports and airports. Information is collected and disclosed pursuant to the appropriate consent obtained with the applicant's signature.

Secondly, the passenger protect program administered by Public Safety and the application of the Secure Air Travel Act aim to prevent listed individuals from threatening transportation security or using civil aviation to travel for the purposes of terrorism. TC is mainly responsible for delivering the operational components of the program, including sharing the SATA list with air carriers, vetting potential matches identified by air carriers on a 24/7 basis, contacting PSC in the event of a positive match, communicating PSC's decisions to air carriers, and conducting oversight, compliance, and enforcement of SATA and its regulations. All sharing is authorized by and performed within the authorities and scope of the SATA.

Transport Canada identifies a limited number of officials authorized to receive information for exchanges under the Security of Canada Information Sharing Act, and a similar instrument for disclosure is in preparation. Continual efforts, including training, are under way in the department to ensure that the employees are aware of their responsibilities concerning the collection and use of personal information under the Privacy Act.

Sharing information on known threats or to prevent threats from developing is critical. We are committed to doing so in a responsible manner.

I would like to thank you for the opportunity to contribute to your study, and I welcome your questions.

Thank you and good afternoon, Mr. Chair and members of the committee.

My name is Dominic Rochon, and I am CSE's deputy chief for policy and communications. I'll add that I have the distinction of being CSE's chief privacy officer and the delegated authority under the Access to Information Act and the Privacy Act. It is a pleasure to appear before you today as you continue your study of the Security of Canada Information Sharing Act, otherwise known as SCISA.

I’ve been invited here today to clarify the mandate of the Communications Security Establishment, or CSE, and to provide insights into how CSE protects the privacy of Canadians while engaging in activities that ultimately protect Canadians from foreign threats.

For committee members unfamiliar with CSE and CSE's history, I can tell you that CSE has been in the business of protecting Canadians for over 70 years. Protecting the privacy interests of Canadians and persons in Canada has always been integral to the performance of this mission.

Let me first start by explaining our mandate and the work that CSE does to protect Canada. Our mandate consists of three parts, as defined in the National Defence Act. The first part, referred to as part (a), authorizes CSE “to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities”.

I emphasize “foreign” because CSE only directs its activities at foreign communications. CSE is prohibited by law from directing its activities at Canadians anywhere or at anyone in Canada.

CSE produces valuable intelligence under part (a) of its mandate. For example, CSE provides vital information to protect Canadian troops in Iraq as they contribute to the global coalition to dismantle and defeat Daesh.

In addition, CSE’s foreign signals intelligence has also played a vital role in uncovering foreign-based extremists’ efforts to attract, radicalize and train individuals to carry out terrorist attacks in Canada and abroad.

The second part of our mandate, known as part (b), authorizes CSE “to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada”. This part of our mandate authorizes CSE to protect Canada from the growing cyber threat.

Cyber threats used to be the exclusive domain of nation-states. That is not the case anymore, as malicious cyber tools become easier to obtain and the motivations for malicious actors become more diverse. In this rapidly changing threat environment, the services of CSE have become increasingly important.

Across the government, CSE is protecting 700 million connections daily from a user population of about 377,000 people. Every day we block over 100 million malicious attempts to identify vulnerabilities and to penetrate or compromise Government of Canada networks. CSE also shares cyber threat information with Public Safety Canada for further dissemination to the private sector in order to protect the intellectual property of Canadian businesses.

Finally, the third part of our mandate, referred to as part (c), authorizes CSE to provide technical and operational assistance to federal law enforcement and security agencies in support of their lawful mandate. This part of the mandate is important for Canada's national security given that CSE possesses unique skills and tools not found in other government departments, particularly in the area of encryption. We know, for example, that terrorists are adaptive and tech-savvy. They use cutting-edge technology, smartphones and messaging applications to communicate. They also use very advanced encryption techniques to avoid detection.

As a result, the threat puzzle that intelligence agencies try to piece together is not always straightforward and requires co-operation to solve—a reality, in fact, highlighted in the preamble of SCISA. Sharing foreign intelligence and cyber threat information with our domestic partners is crucial to a whole-of-government approach to protecting Canadians. It is by sharing intelligence that we warn the Government of Canada about the intentions and capabilities of those beyond our borders who mean us harm.

When doing so, Canadians and persons in Canada cannot be the focus of CSE's activities, and CSE must apply measures to protect the privacy interests of Canadians included in any information being shared. These privacy measures take the form of rendering Canadian identifying information found in the intelligence being shared unintelligible, leaving it to the receiving Government of Canada department or agency to demonstrate a need for that information and the authority to receive it.

Although information sharing is essential to protecting Canada’s security, CSE recognizes that the sharing of information could potentially touch upon fundamental rights and freedoms, particularly the right to privacy.

I want to stress that, not only is protecting the privacy of Canadians a fundamental part of CSE's organizational culture, it's also enshrined in CSE's mandate. The National Defence Act directs CSE to protect the privacy of Canadians in the use and retention of information.

As such, CSE has multiple policies, structures and processes in place to ensure continued adherence to privacy laws and policies.

These structures include executive control and oversight, operational policies, procedures and compliance measures, an on-site legal team from the Department of Justice, and active ongoing monitoring of internal processes. CSE's privacy framework includes operational policies that set out specific handling processes, retention periods, and sharing guidelines. These policies also allow for the validation, tracking, and auditing of information received.

CSE also provides regular training and testing for staff on our mandate, privacy rules, and compliance. In addition, all of CSE's activities are subject to robust, external, expert review by the independent CSE commissioner. The CSE commissioner, who is usually a supernumerary judge or retired judge of a superior court, has full access to CSE employees and records.

I would also like to add that the CSE commissioner has all the power of the commissioner under part II of the Inquiries Act, including the ability to inspect any records held by CSE and the power to subpoena CSE employees to provide information.

The work of the CSE commissioner has had a positive impact on CSE's accountability, transparency and compliance. It has also led to CSE strengthening a number of its policies and practices. The Office of the CSE Commissioner staff regularly interact with CSE employees when conducting reviews. Since 1996, CSE has accepted and implemented all the CSE commissioner’s privacy-related recommendations.

Though much of what we do is classified, we are committed to becoming more open and transparent about how we protect Canadians' security and their privacy. We know that openness is crucial to ensuring public trust in what we do, and as the government pursues its overall national security agenda, we continue to be forthcoming about our operations.

With respect to SCISA, you are aware that SCISA lists CSE as an entity that can receive information from another Government of Canada institution. I want to emphasize that SCISA does not supersede or expand CSE's authorities to collect or receive information from our domestic partners. To date, CSE has not relied on SCISA to receive or disclose information. CSE's existing procedures and processes to authorize and manage information sharing meet or exceed those set out in SCISA.

When sharing information, CSE currently relies on authorities under the National Defence Act. Information sharing at CSE is undertaken in accordance with the provisions of the Privacy Act. CSE's established information-sharing arrangements are set out in information-sharing agreements with our domestic security and intelligence partners.

CSE may also receive information from Government of Canada agencies under the National Defence Act and the Privacy Act authorities when relevant to its mandate, although the need to receive information is minimal considering CSE cannot direct its activities against Canadians or persons in Canada.

I should add that the CSE commissioner does conduct an annual review of our information-sharing disclosure activities, and to date he has always found that these activities were done in compliance with the law.

I'll conclude my remarks by stating that I am confident in our ability to fulfill our mandate while safeguarding the privacy of Canadians. My confidence stems from both the rigorous legal and policy frameworks in place to protect the privacy of Canadians, and the professionalism and commitment of CSE's highly skilled workforce.

Thank you for inviting me here today. It would be my pleasure to answer any questions you might have.

Mr. Chair and members of Parliament, thank you very for the invitation to appear here this afternoon.

It’s my distinct pleasure to speak to you today about the Security of Canada Information Sharing Act, or SCISA.

Before I speak about SCISA and provide my organization's perspective on it, I'd like to provide some background on the role of my organization because I think it is perhaps not as well known as some of the others.

The chief of defence intelligence, or CDI, is the functional authority for defence intelligence in Canada. The CDI is also the commander of the Canadian Forces intelligence command, or CFINTCOM, an organization with a mandate to provide credible, timely, and integrated defence intelligence capabilities, products, and services to the Canadian Armed Forces, the Department of National Defence, the Government of Canada, and our allies in support of Canada's national security objectives.

Defence intelligence is a key element in the ability of the Government of Canada to make informed decisions on defence issues, national security, and foreign affairs. You can be assured that our intelligence capability is world class, boasting a strong team of dedicated professionals and benefiting from productive relationships with other government departments as well as our partners in the Five Eyes community

CFINTCOM focuses the vast majority of its energy on foreign military threats and support to CAF operations abroad. However, I appreciate the opportunity to discuss domestic information sharing under SCISA and turn now to the subject at hand.

First, please allow me a word concerning our current information-sharing authorities outside of SCISA and the measures we take to protect personal information when it comes into our care. Department of National Defence and the Canadian Armed Forces information-sharing activities are generally conducted under the crown prerogative for National Defence, and we have in place a robust governance regime that includes numerous policies, memoranda of understanding, and other information-sharing arrangements as well as oversight and accountability mechanisms related to the handling of that information.

The majority of the information that National Defence and the CAF share and receive is operational and not personal in nature. This can include information regarding deployed CAF assets, defence intelligence in support of operations such as satellite imagery products, or imagery in support of activities undertaken with foreign defence partners.

However, although SCISA could be used to receive and share that type of information, the Crown prerogative also serves as the legal basis to receive and share personal information in the national security field as part of the mandate of the national counter-intelligence program.

Under this program, the Canadian Armed Forces ensure that threats to the security of National Defence and the Canadian Armed Forces in Canada or on deployments abroad are identified, investigated and countered.

In fulfilling this mission, the Canadian Forces national counter-intelligence unit shares and receives information, including personal information, with police and security intelligence agencies under the auspices of the security intelligence liaison program. Activities conducted under this program are authorized by an internal oversight to ensure compliance and consistency with the national counter-intelligence program's mandate, including that the receipt and dissemination of information is carried out in accordance with National Defence and CAF policy and access to information and privacy legislation.

With respect to SCISA, let me first point out that the act does not create or expand the collection mandates of any federal departments or agencies, including those who use the act. Any information that will be shared with listed departments or agencies will have been collected lawfully and in accordance with the collector's mandate. The type and nature of information that is being shared with listed departments and agencies are the same as they have been receiving in the past. Only the sharing has been facilitated.

The main contribution of SCISA is the following. A department that will have collected information in accordance with its mandate, and therefore for a certain purpose, is now able to share that information with another department, even though the recipient will use it for a different purpose, as long as it is in line with its mandate and the information relates to an activity that undermines the security of Canada.

Further, only the head of an institution listed in the schedule or his or her delegate can receive this information. This is a marked departure from normal business where anyone in an organization can be part of a sharing arrangement. Having the head of the institution involved helps ensure that the requirements will be followed.

At the time of our last communication to the Privacy Commissioner in September 2016, DND and the CAF had not shared or received any information under SCISA. Since then, there has been a single instance in which we shared information under the act.

In addition to the authority found under SCISA, other forms of authority, notably the crown prerogative, can and will continue to be used by DND and the CAF. Note that SCISA does not in any way limit or affect the information-sharing authorities provided under the prerogative. For clarity, this is stated in the act itself in section 8. SCISA does, however, assist other government organizations in sharing with DND and the CAF. For this reason, we remain supportive of SCISA and wish to remain on the list of recipient organizations in schedule 3 of the act.

Should a government institution wish to share information with DND or the CAF under SCISA, we will adhere to the following process for receipt. Discussions with the providing institution will take place to establish whether the information is relevant and within our mandate to receive and whether it relates to activities that undermine the security of Canada. Once received, the information will be examined to determine which internal organizations in DND and CAF should have access to it.

Any information received under SCISA will be assessed in accordance with the requirements of the Privacy Act, the Access to Information Act, and all associated Treasury Board Secretariat policy and direction.

This concludes my presentation.

Thank you for your attention, and I look forward to answering your questions.

I'm a bit of an anomaly in Ottawa. Next week I will have been with Transport Canada for 29 years. I started as a field inspector and moved up to DG of marine safety and security, and I've been the associate ADM in the safety and security group since 2014.

Yes, I know a bit about the business.

First, it is a fairly young piece of legislation, 2015. As a young piece of legislation, we need to learn the tools. Mr. Burt commented that this is like a tool box. When we requested to be in the annex, the review of all of our legislation demonstrated that we had some limitations on what we could ask for or share.

For example, under the Aeronautics Act, we could only share a series of elements on the passengers and how they wanted to travel, which would not necessarily be broad enough to help us mitigate the risk. We needed a broader tool. In our analysis, we may have a screwdriver and a hammer but we needed the whole tool box to be able to do a better job.

The other element, which is significantly troublesome, is that if we have information and we know information is out there, not being able to ask the intelligence gatherers for that information is not very useful. We have to be able to ask specifically for what we're looking for and what information they could have gathered to share with us to be able to do our work more broadly.

They were dealt with, but with a significant amount of complexity and legal challenges that made the work a lot more complicated. When we are in security measures, time is of the essence. How fast can we receive the information to make the proper analysis and then convey the appropriate actions?

When we have a cumbersome suite of legislation that we have to navigate, it makes our work fairly difficult. SCISA does help us to be able to move faster. We have not used it yet but we know potentially we could use it.

That's an interesting question. I wasn't expecting that. To be fair, I don't know specifically what the answer to that question would be. I would say that, no, we don't get anonymous tips through brown envelopes and the like. We do have, obviously, long-standing partnerships with our security and intelligence domestic partners. Obviously, we work closely with RCMP and CSIS, which both, I would say, understand our mandate, which is very much foreign, particularly when it comes to part (a) of our mandate. When you're speaking about foreign signals intelligence, if they perceive they have a tip or a lead on a foreign threat, there could be a sharing of information in that context. I would say that each department, each agency, has a mandate to already share that, and we obviously have a mandate to receive that.

The same applies in part (b) of our mandate when it comes to protecting systems of importance to the Government of Canada. If there's relevant cyber information that we need to receive in order to be able to protect systems of importance, those tips can come.

Going back to the original question that you asked Mr. Roussel, about the fact that we haven't used the act to date, I think that speaks more to the fact that there are possibly departments and agencies out there in the broader security intelligence field, or maybe even beyond, within the Government of Canada, that don't necessarily understand what our mandate is. I think SCISA will educate departments and agencies specifically on the 17 departments and agencies that are listed as recipient agencies. As that education becomes deeper, I think you'll see people starting to see the benefits of being able to say, “Well, actually, here's an opportunity where I would be able to share because I understand their mandate better.” That might not be happening now.

Again, in our particular case, and as I mentioned in my opening remarks, as it pertains to foreign signals intelligence, because our main focus is foreign, the use of SCISA might not be that predominant, but it remains to be seen.

I'll use foreign signals intelligence as an example and I'll leave part (b) aside for the moment.

What they understand is that we collect foreign signals intelligence in accordance with intelligence priorities that are set by cabinet. They understand what those intelligence priorities are. They understand that we're limited within our mandate to direct our activities outside of Canada at foreigners. As a result, if they have something in that context, they'll obviously say, “Here's something that might lead to the collection of foreign intelligence that we're interested in. Therefore you have a mandate to collect it, ultimately assess it, and disseminate that across governments for the benefit of the intelligence community.” It's understood.