Information & Ethics Committee on Feb. 7th, 2017

Good afternoon, Mr. Chair and members of the committee.

I would like to thank you for inviting Global Affairs Canada to speak to you about the Security of Canada Information Sharing Act. I’m the director general of counter-terrorism, crime and intelligence. Mr. Chair, you have just introduced my colleagues.

I will provide a bit of context to help situate the department's perspective on this act. As you are very aware, Canada is facing a wide range of threats to its national and international security.

We are co-operating closely with the many like-minded partners internationally to address the threat posed by terrorists and foreign fighters and to control the export of materials related to the manufacture of chemical weapons and other kinds of weapons of mass destruction. All of these issues are transnational in nature.

The department manages Canada's membership in bilateral or multilateral defence and security organizations that deal with traditional threats to security, as well as non-traditional threats such as threats to cybersecurity and space security.

The department is charged with the maintenance of an international platform with which to perform its functions, namely our network of missions abroad. Global Affairs Canada must therefore continually assess threats to the security of missions abroad, provide appropriate protection, and manage any residual risks to life and property, including diplomatic personnel and assets abroad. Global Affairs Canada provides travel advice and advisories to Canadians, as well as notifications to registered Canadians about safety and security conditions abroad, so they can make their own informed decisions regarding foreign travel.

Our international efforts are complemented by our work with partners within the government to advance Canada's national and international security objectives. A coordinated whole-of-government approach is necessary in addressing international issues like terrorism and foreign fighters. In this respect, the ability to share relevant information is key.

The department already had an established process to facilitate the appropriate sharing of information when issues of national security were at stake. Processes and caveats are in place to ensure that only information that is relevant, reliable, and accurate is shared. The requests must also be compliant with Canada's privacy laws or framework, including the charter and Privacy Act.

Prior to the enactment of the Security of Canada Information Sharing Act, or SCISA as we call it, the information was typically shared under the provisions of paragraph 8(2)(e), when pursuant to a request, or subparagraph 8(2)(m)(i), when proactively shared, of the Privacy Act.

Officials are further guided by the findings of past commissions of inquiry, in particular the report of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar.

SCISA was designed to help the government improve how it deals internally with national security issues, by improving national security information sharing domestically. SCISA aims to ensure that information relevant to national security is shared both effectively and responsibly.

SCISA provides an authority for other departments and agencies to share with our department any information that might bear on the safety of our staff or the security of our missions abroad. SCISA also provides other departments and agencies with a clear authority to request from Global Affairs Canada information relevant to national security or for Global Affairs Canada to proactively share such information.

A number of steps have been taken to ensure that the department is appropriately implementing the new legislation, and that officials understand its impact and limitations.

First, the Minister of Foreign Affairs gave three divisions within the department the authority to receive national security-related information pursuant to SCISA. These areas are international security and intelligence; security and legal; and trade, specifically the international business development and chief trade commissioner in addition to trade agreements and negotiations.

Second, a letter explaining SCISA was sent to all Canada’s heads of missions abroad, asking that they sensitize their staff to the importance of timely and appropriate information sharing to keep Canada and Canadians safe. The letter was jointly signed by the deputy ministers of Foreign Affairs, the director of the Canadian Security Intelligence Service and the commissioner of the Royal Canadian Mounted Police. The letter explained that SCISA doesn't create an obligation to disclose and that this authority needs to be balanced against other statutory obligations, including privacy rights. It directed that, to ensure a systematic approach, requests for information to be shared under SCISA should be referred back to headquarters for decision.

With respect to proactive disclosures, the letter confirmed that information available at mission that could be relevant to Canada's security or to other federal institutions' mandates should be sent without delay to headquarters, where officials would determine whether, how, and with whom the information will be disclosed. It emphasized that for urgent cases, headquarters will respond quickly, including outside of normal business hours.

An exception is made for exigent circumstances where there is an imminent threat to life or a threat of serious bodily harm. In those instances, the good judgment of all heads of mission is relied upon, wherever they may be, to share information directly and immediately with the relevant counterparts, and then to report to headquarters to advise of any such disclosures at the first available opportunity.

The third implementation step taken was to develop an information sharing agreement between the consular operations bureau and CSIS. This agreement lays out the parameters within which the department will share consular information with CSIS under SCISA, including practical modalities. We are also seeking to develop a similar agreement with the RCMP based on that model.

Lastly, the department has been taking steps to ensure wider understanding and better use of SCISA. For example, in 2015, the director general for consular policy held a number of teleconferences, open to all heads of missions across the Global Affairs missions network, to discuss SCISA and other privacy and information sharing considerations in the consular context.

Now in terms of practice, since SCISA came into force, most of the department's sharing of consular-related information with national security agencies is done under SCISA rather than pre-existing authorities. In practical terms, there are two types of disclosure that are taking place.

The first type of disclosure is a result of a request from a national security agency. In these situations, the national security agency will send in a request in writing. These requests must provide sufficient detail to indicate a clear link to the agency's national security mandate. The requests also indicate the type of information that the agency is seeking. If the division targeted by the request, which is normally consular operations, determines that they have relevant information, they will gather the relevant information and seek legal advice regarding compliance with SCISA and Canada's privacy laws. Officials then exercise their discretion on whether or not to share the information.

The second type of disclosure is proactive disclosure. These arise when department officials—again typically with consular operations—collect information that they believe is relevant to the national security mandate of a Canadian department or agency. The same process for requests is followed as for proactive disclosures.

The decision to share is always taken at headquarters. Although we have left open the possibility of sharing directly at a mission where there is imminent risk to life or bodily harm, in practice this has not happened. The reason for the headquarter's decision is, first, to ensure that individuals with sufficient experience and level are ultimately making the decision following our established process; second, to ensure consistency in the interpretation and use of SCISA to disclose the information, including confirming that the threshold for disclosure has been met; and finally, to ensure documentation and tracking of disclosures to meet reporting and accountability requirements.

As you are likely aware, the Office of the Privacy Commissioner commenced an investigation of SCISA under section 37 of the Privacy Act last fall. Global Affairs has met with the OPC and has provided information on the number and nature of the disclosures we made under the act during the first year it has come into effect.

It is also worth noting that SCISA amended the Chemical Weapons Convention Implementation Act to permit Global Affairs Canada to share information pertaining to the production, processing, consumption, import, and export of certain chemicals and related facilities where appropriate. Before SCISA came into force, we were prohibited from sharing this information. This was an important change for the department.

To conclude, as I mentioned before, SCISA does not alter the department's existing authorities to collect national security information. However, before it came into force, we anticipated that it would create new possibilities for sharing information that is relevant to national security. I would say that SCISA provided an opportunity to refresh the discussion on how this type of information is shared. Also, practically speaking, it has created a context and a tool, both of which have focused efforts on ensuring that national security information is flowing appropriately yet responsibly.

Mr. Chair, that brings my remarks to an end. Some of your questions may require a detailed answer, for which I may not be the best person to answer, and therefore we have experts from different parts of the organization to respond.

Thank you very much.

Thank you, Mr. Chair.

My name is Glen Linder. I’m the director general of international and intergovernmental relations at Immigration, Refugees and Citizenship Canada, or IRCC. My branch is the policy lead for the implementation of the Security of Canada Information Sharing Act, or SCISA, within IRCC.

I’m accompanied today by Michael Olsen, chief privacy officer of IRCC.

Today, I’ll be discussing how IRCC’s mandate relates to national security, how SCISA was implemented within the department and how IRCC is using these new authorities.

Following my opening remarks, my colleague and I will be happy to answer any questions committee members may have on this topic.

IRCC is responsible for a diverse mandate, which includes facilitating the arrival of people and their integration into Canada while protecting the health, safety, and security of Canadians; managing the granting of Canadian citizenship; and issuing Canadian passports. Several of IRCC 's powers, duties, and functions relate directly to addressing activities that undermine the security of Canada. These include assessing the criminal and security admissibility of immigration, citizenship, and passport applicants.

One of the Immigration and Refugee Protection Act's objectives with respect to immigration is “to promote international justice and security by fostering respect for human rights and by denying access to Canadian territory to persons who are criminals or security risks”.

In an effort to maintain the integrity of the immigration, citizenship, and passport programs, IRCC works closely with its security partners to identify applicants who are inadmissible to Canada on security grounds, to remove or revoke the status of those who engage in activities deemed to undermine Canada's national security, and to deny passport services to persons posing a threat to our national security. For example, IRCC ensures that individuals who are deemed inadmissible by engaging in terrorism, or instigating the subversion by force of any government, are not admitted to Canada. IRCC is also responsible for conducting revocations of citizenship if a person has obtained citizenship by false representation or fraud with respect to facts that may render persons inadmissible to Canada on grounds of security.

IRCC takes very seriously the operationalization of the new authorities granted by SCISA. The Department of Public Safety has developed a desk book and related resources that support government institutions in the implementation of SCISA to ensure its effective and responsible use. To complement this, IRCC has developed department-specific guidelines for employees authorized to disclose information under SCISA and receive information disclosed by other institutions under the act.

IRCC has developed a policy manual on how IRCC officials may work with SCISA. The manual provides information regarding topics such as disclosure and collection of information, directives on safekeeping, retention and record-keeping, and lists the limited IRCC positions that have been delegated for disclosure and receiving information under the act. Other tools, such as a step-by-step instructional document on the disclosure of information under SCISA, have also been made available to IRCC employees.

Given IRCC's responsibilities with regard to immigration, citizenship, and passport issuance, it is required to maintain a large volume of immigration records, and is a key institution for questions pertaining to the identity of newcomers and Canadians born here or abroad. Consequently, IRCC engages in reciprocal information-sharing with other government institutions to ensure the efficient use of government holdings while safeguarding the privacy rights of all individuals.

In the past, the absence of clear national security disclosure authorities made it cumbersome for partner agencies to support each other in countering threats to national security. SCISA has added a valuable tool to the information-sharing toolbox by allowing for the disclosure, sometimes proactive, of specific and targeted information to listed institutions. SCISA does not override any provisions found in existing legislation, such as the Privacy Act, but it does constitute a clear authority for efficient and expeditious information-sharing for national security purposes.

Since August 2015, IRCC has disclosed information in response to requests from security partners on 64 occasions, and in six instances has proactively disclosed information to partner agencies. IRCC has also been the recipient of information on one occasion, information that has been used in an investigation for revocation of citizenship under the Citizenship Act.

For illustrative purposes, I'd like to present you two possible scenarios for when information might be disclosed under SCISA.

First, in the context of an individual suspected of travelling abroad to engage in terrorism-related activity, IRCC may be the first institution aware of the potential return to Canada of this individual, as he or she may have to apply for travel documents to return to Canada. Under SCISA, IRCC has the authority to proactively inform institutions listed under the act to ensure that key partners are aware of the imminent return and are ready to respond to the potential threat to the national security of Canada. Prior to SCISA, there was no mechanism in place to promptly and proactively share such information.

Second, as a listed institution under SCISA, IRCC can also benefit from other federal institutions disclosing information to IRCC, which could support the department's mandate in relation to national security. A federal institution may come across information demonstrating that an individual who is a citizenship applicant has ties to terrorism, for example, through the financing of terrorist organizations. SCISA is an explicit authority for all federal government institutions to disclose information to designated recipients such as IRCC. Therefore, the institution could release to IRCC information related to the applicant's ties to terrorism, allowing the department to make an informed decision on the individual's citizenship grant. Before SCISA, it would have been difficult for an institution that had no specific information-sharing mechanism or authority related to national security in place to disclose such information to IRCC, and the individual may have received Canadian citizenship.

The authorities provided for in SCISA enable enhanced collaboration and better targeted information sharing through interactions among program experts of the listed institutions. The number of instances in which SCISA has been used is minimal compared to the volume of IRCC holdings, and it has been used in very specific situations.

Once again, we would like to thank you for inviting us to appear here today to discuss SCISA. We are happy to answer any questions from committee members about anything we have presented today.

Thank you, Mr. Chair, for inviting Stéphane Cousineau and me, on behalf of FINTRAC, to speak with you regarding the committee's study of the Security of Canada Information Sharing Act.

I can assure you that we will be as forthcoming as we can with our answers today; however, I know you understand that we cannot provide classified information in this public venue. We are also limited by legislation in what we can say about specific information that FINTRAC holds.

I would like to take a few minutes to describe FINTRAC's mandate and the role we play in helping to protect Canadians and the integrity of the Canadian financial system, as well as the comprehensive measures we have adopted in our privacy framework to safeguard the personal information of Canadians. I will also focus on the centre's responsibilities under the Security of Canada Information Sharing Act.

FINTRAC was created in 2000 by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. As Canada’s financial intelligence unit, FINTRAC facilitates the detection, prevention and deterrence of money laundering and the financing of terrorist activities, while ensuring the protection of personal information under its control.

The legislation establishes obligations for financial services entities, real estate brokers, money services businesses, casinos and many other business sectors. These obligations require them to establish an internal compliance program; identify clients; monitor business relationships; keep certain records; and report specific types of financial transactions to FINTRAC, including suspicious transactions, international electronic funds transfers of $10,000 or more and large cash transactions of $10,000 or more.

As part of Canada’s anti-money laundering and anti-terrorist financing regime, FINTRAC houses supervisory, compliance and intelligence functions. Our supervisory function involves assessing and enforcing the compliance of regulated businesses with their legal obligations. Our intelligence function enables us to produce financial intelligence for our police, law enforcement and national security partners.

As a result of the financial transaction reports received from regulated businesses across the country through its supervisory function, FINTRAC can provide financial intelligence that assists our partners in combatting money laundering, terrorism financing and threats to the security of Canada. FINTRAC also produces strategic intelligence about trends and typologies of money laundering and terrorist financing.

FINTRAC's role under the Security of Canada Information Sharing Act is limited, given that the provisions of FINTRAC's governing legislation set out narrow disclosure provisions and take precedence over any other legislative provisions related to the reception and communication of information. To be very clear, we can only receive information in accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. As well, FINTRAC can only disclose information as specified under the same act to the appropriate police or national security agency when it has reasonable grounds to suspect that it would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, or that it would be relevant to threats to the security of Canada.

Section 5 of SCISA does not change in any way when, or to whom, FINTRAC discloses financial intelligence. The centre may only disclose financial intelligence when the legislated thresholds have been met, and only to recipients listed in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Given this, to date, FINTRAC has not received or collected any information under SCISA.

Before concluding, I would like to touch on the protection of personal information. FINTRAC's first priority is to safeguard the information it receives, including financial transaction reports under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Indeed, the obligation to do so is set expressly in FINTRAC's mandate. Clear principles for the protection of privacy are set out in its governing legislation, which respects both the Canadian Charter of Rights and Freedoms and the Privacy Act, and are reinforced by FINTRAC's own operational policies and security measures.

FINTRAC does not have access to the bank accounts of Canadians. It does not have any legal authority or the technical means to monitor the financial activities of individuals. It develops the financial intelligence that it discloses to its police, law enforcement, and national security partners exclusively from the information received from reporting entities and partners as specified under its legislation.

In addition, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires that the Office of the Privacy Commissioner conduct a review every two years of the measures FINTRAC takes to protect the information held. FINTRAC is the only government institution subject to this type of mandatory audit by the Office of the Privacy Commissioner.

The protection of Canadians’ privacy is the key reason FINTRAC was created. We understand very clearly that, to maintain our credibility and the confidence of Canadians, we need to continually demonstrate that we take the protection of personal information and the limits of our mandate seriously. The protection of privacy is a clear priority for FINTRAC. We’re determined to help protect Canada and Canadians, while meeting our obligations under the Privacy Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Security of Canada Information Sharing Act.

Thank you, Mr. Chair.

I would be more than happy to answer your questions.

Good afternoon, Mr. Chairman and honourable members of the committee.

My name is Terry Jamieson and I’m the vice-president of the technical support branch at the Canadian Nuclear Safety Commission, or CNSC.

I’m joined today by Lisa Thiele, our senior general counsel.

Thank you for inviting us to discuss the CNSC’s participation as a recipient institution under the Security of Canada Information Sharing Act.

Here's a little bit about the CNSC. The CNSC is Canada's nuclear regulator. Under the Nuclear Safety and Control Act, or NSCA, the CNSC carries out its threefold mandate.

First, we regulate the use of nuclear energy and materials to protect health, safety, security, and the environment. Second, we implement Canada's international commitments on the peaceful use of nuclear energy; and third, we disseminate objective scientific, technical, and regulatory information to the public.

We are an independent, quasi-judicial administrative tribunal. The CNSC regulates all things nuclear in Canada, including uranium mining, nuclear fuel fabrication, nuclear reactors and power plants, the production and use of medical isotopes, the decommissioning and remediation of nuclear sites, and the safe management of nuclear waste.

The CNSC was established in 2000 under the Nuclear Safety and Control Act and reports to Parliament through the minister of Natural Resources. The commission may have up to seven appointed permanent members whose decisions are supported by more than 800 employees. Our employees review applications for licences according to regulatory requirements. We make recommendations to the commission and we also enforce compliance with the Nuclear Safety and Control Act, regulations, and any licensed conditions imposed by our commission members.

The CNSC has two key responsibilities related to national security under the NSCA. First, the CNSC is responsible for preventing risk to national security by regulating the development, production, and use of nuclear energy, nuclear substances, prescribed equipment, and prescribed information.

The CNSC has one of the top nuclear security programs in place in the world. Our focus is on preventing sabotage of a nuclear facility or theft or loss of nuclear materials. We identify potential risks and threats to the Canadian nuclear industry and we develop the regulatory requirements necessary to ensure these risks are mitigated and that the threats are prevented, detected, or responded to appropriately.

In 2015, Canada welcomed a peer review mission from the International Atomic Energy Agency that concluded that Canada operates a mature, effective, and well-established nuclear security regime.

Our second area of responsibility related to national security is the implementation of Canada's obligations relating to the safeguarding and non-proliferation of nuclear materials. An example of how the CNSC works to prevent proliferation is through our licensing program, which controls the import and export of nuclear material, equipment, and information. This program requires information in order to assess applications and verify compliance with control measures.

The CNSC became a recipient organization under SCISA to ensure that we receive timely information about a nuclear-related activity that could potentially undermine the security of Canada. The frequency of such events is thankfully low, and I'd like to stress that to date, CNSC has not had to use SCISA. Under the act, the CNSC's authorities to receive information have not changed, but rather, other Government of Canada institutions are provided a better understanding of our mandate as a recipient institution and are given the authority to disclose relevant information to us.

As a recipient institution under SCISA, the CNSC considers the protection of national security information and the personal information handling provisions of the Privacy Act to be of the highest priority.

While we have existing processes in place, we are committed to continuous improvement and, as a result of the Privacy Commissioner's annual report, the CNSC is undertaking a privacy impact assessment that will capture SCISA. We're also working to clarify our procedures to ensure that they're well understood by all impacted areas of our organization.

This concludes my remarks, and I would be pleased to answer any questions that you might have.

Thank you.

Yes. That's correct.

I'm going to ask my colleague Victoria Fuller to respond.

Global Affairs Canada has received requests, which we responded to 25 times. We've made 20 responses in which we did not provide information for one reason or another, and we've made 16 proactive responses.

There would be three reasons to be in that category. One was a decision not to share the information. One was a decision that this was not the appropriate mechanism to share the information, and the information was shared in another way. The third reason was that we had no information that met what they were looking for.

In our case to answer your question directly, yes, in all cases the information could have been provided without SCISA, but SCISA essentially allows for a dedicated service channel for national security cases and for a much simpler approach for our being able to disclose that information.

In view of the timeliness often associated with national security cases, it facilitates that prompt information-sharing, provided all the tests within SCISA are met in that particular case.

With respect to our department, essentially outside of SCISA the authorities are in the Privacy Act. What do we have in the Privacy Act? We have the provision on consistent use. In our case we're collecting information to assess someone's admissibility to Canada, to assess their request for a passport or their application for citizenship.

The consistent use with respect to national security is somewhat limited in that case. We're essentially limited to being able to confirm the person's name and immigration status in Canada with respect to consistent use, so it doesn't provide much of an avenue.

The other area we can share information under the Privacy Act is when it's requested by an investigative body. There, absolutely, the information can be shared, but in that particular case, it's on request only. We can't proactively provide anything. It's also done as part of the other business under the Privacy Act, whereas under SCISA you again have this designated channel, you have these national security experts who are dealing with it, who are cleared to the appropriate level, and who have the expertise to be able to assess much more clearly and promptly what's provided.

That's entirely in your hands, obviously, as our elected representatives.

From my perspective on having a more stringent test, we take the test of relevancy very seriously. If there were to be a more stringent test in terms of necessity, for example, it would be helpful for you to consider what that would do in terms of balance. There has been a lot of discussion at this table about balance. If it were a test of necessity, we would need to be convinced with a lot more information that were necessary, in fact, not simply relevant. And what would that mean in practice? I think that would mean that our national security agencies, the investigative bodies that were requesting information from us, would possibly have to give us a lot more national security information for us to make that determination and be satisfied that it was, in fact, necessary and not simply relevant.

Could we do that? Absolutely, but it's worth considering whether the benefit of having that higher standard is outweighed by having more sensitive national security information in circulation, in order for us to make that determination. More generally—and I think this is possibly the intent—it obviously would put a chilling effect on the amount of information we would disclose under SCISA. That would be a necessary outcome.