Information & Ethics Committee on Feb. 2nd, 2017

I can take a crack at that.

Much as I think Mr. Rochon will probably tell you, in the context of our operations abroad, the issue of holding onto information is a bit of a different set of questions. We're not dealing with information that is necessarily touching on individuals in the same way. Information can be databased for quite a long time, because you want your analysts to be able to go back and cross-check things and figure out what has happened in the past on certain files.

There are not the same kinds of timelines that there would be when you're dealing with private information, whether it's of staff or people who you're regulating, or if you were dealing with legal cases or national security investigations regarding Canadians where there are privacy concerns. For the vast majority of what we collect in terms of operational information, there is no formal process around how long you can keep it. The goal is to database it usefully so that you have good information to look back upon.

I would agree with that.

It's very similar in terms of our foreign signals intelligence activities as well as cyber-threat activities. If we've collected information that's useful and there's an ongoing threat, we're going to continue to use that information. Obviously, we're not in the business of collecting information about Canadians. Not to get too technical, but we do come into contact with information. We may collect it incidentally. We have very strict rules that we are to delete that information immediately unless it has value with regard to a threat to Canada. If we can show that it does have that value, and there's an interest when it comes to the security and defence of Canada, then we will keep it and we'll report on it. However, we still put measures in place to protect that information within our systems.

Specifically, as it pertains to retention periods, your question is more about how long we retain things. We have retention periods for most of the collection of information that we have. We have ministerial directives that impose those retention periods. We follow them and they are reviewed by our commissioner to make sure that we adhere to them. That's how I would couch it.

I'll just add that on the aviation security side, we get information on the advance passenger manifest, as we call it. We keep that information for only seven days.

It's a bit like what was just said. Occasionally, you would come across that information incidentally. It does happen on deployed operations that you would come across things that do or may impact on Canadians. When those cases occur, we hand them over to the appropriate Canadian authorities. We would do that regardless of SCISA.

SCISA provides a good framework for doing it. In fact, the one case that we have had involved exactly that kind of information that came from a foreign partner and was relevant to CSIS's mandate.

We don't collect Canadian information intentionally.

We don't collect the Canadian information, and we wouldn't be sending specifically private communications about Canadians. That being said, we're part of a Five Eyes, cryptologic, long-standing arrangement. We have a long-standing agreement that we don't conduct activities on our citizens, and we don't conduct activities on their citizens and vice versa. It's a long-standing protocol, and it has served us in good stead for about 70 years now. That being said, when you say “information”, it gets a little bit more complex in terms of what it is that we do because there's the whole issue of metadata.

Nevertheless, if there's an exchange of information that may or could involve a Canadian, we have measures in place that protect that information. Therefore, we render that information unintelligible, as I mentioned in my opening remarks. If it does get passed on, any information about a Canadian would be rendered unintelligible, so they wouldn't be able to see it. If they wanted to see it, they would have to come back and explain to us that they have an imminent threat and ask for the personal information. Then we would make an assessment as to whether or not we could share it.

My organization does not use warrants. Occasionally, if we are operating in support of a domestic law enforcement agency, we'll be authorized under a warrant by them, and all the rules of that warrant will apply. That's when we're working in support of them, and effectively we're part of their organization for those purposes.

That's exactly the same.

Part (c) of our mandate essentially gives us—

Correct.

For us, it's not within that context that we will use a warrant. It will be under compliance and enforcement, under the safety regulations in particular where we're seeking information. It's not necessarily on individuals but on the operations of a company, the bookkeeping and so forth. It's not under the security mandate.

I'm happy to go first on that.

It's clearly stated in the legislation that SCISA does not affect collection mandates whatsoever, so there is no net effect of SCISA on collection of any kind, bulk or otherwise.

To simply state what's in the act, in terms of sharing I would say what SCISA brings to the table is a clear framework with a couple of tests in it for whether or not the information can be shared. It's a very short piece of legislation. It's written very clearly, and the tests, I think, are laid out with some precision in terms of the wording.

It facilitates sharing, certainly. That was the intent of the act.