Evidence of meeting #44 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was ircc.
A recording is available from Parliament.
4:45 p.m.
Director, Case Management, Consular Operations, Department of Foreign Affairs, Trade and Development
Those would be the same numbers that I provided to Mr. Erskine-Smith. I'm not a set delegated recipient of information, so I couldn't address whether the department as a whole has ever received under SCISA.
4:45 p.m.
Director General, International and Intergovernmental Relations, Department of Citizenship and Immigration
At IRCC, we have disclosed information on 70 occasions under SCISA. Sixty-four of those times it was as a result of a request to us, and six times we've disclosed it proactively. We have been the recipient of information on one occasion.
4:45 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
I'm curious to know from you, then, Mr. Linder, because you seem to be the only one here today with experience either receiving or disclosing information under SCISA, how is a disclosure or a receipt defined? Does that mean information on 70 individuals? How many people could be captured by any one disclosure or receipt of information under SCISA?
4:45 p.m.
Director General, International and Intergovernmental Relations, Department of Citizenship and Immigration
In each case, the request for disclosure tends to be very specific to a particular situation. To my knowledge, it is usually associated with a single individual. I think it's possible that it could be a family as well, but in general, it is extremely limited. Within that data set, we take extreme care to make sure that we're only providing those information fields that are absolutely necessary for the objective of the act to be carried out.
4:50 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Are there any explicit guidelines somewhere for how to report on those disclosures, and what would count as one disclosure? Or, is it the case that if you were to get a request from CSIS asking for information on a category of persons and you were to make that disclosure, that would count as one instance of disclosure, even though it may cover 100 people, 150 people, or 1,000 people? Are there any explicit guidelines saying say what should count as one instance, as opposed to many, when you're reporting on these disclosures?
4:50 p.m.
Director General, International and Intergovernmental Relations, Department of Citizenship and Immigration
I can't answer that specifically. I can tell you that in my experience and to my knowledge, we've only had situations that have been on that one-off basis, and we look at each one very carefully in each case. Within the department, we have put together a very detailed desk book for anyone who deals with SCISA. It lays out the rules very carefully. There is a detailed checklist that a delegated official needs to go through each time to make sure that everything is done in accordance with the act. Each delegated official also undergoes training, which we provide internally in the department, to make sure that the parameters of the act are respected.
4:50 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
If it is the case that your officials are already working with written and explicit guidelines for how to perform disclosures or receive information under SCISA, do you think there would be any operational consequence for trying to put some of those guidelines into law so that those ways of disclosing or receiving information under SCISA apply fairly across departments, so that Canadians have some confidence?
That's not to impugn any of the organizations that are here today, but it's a fact that part of being able to live safely and securely also means having confidence that, when information is shared, it's done properly. Canadians don't typically have access to internal policies and guidelines, and they want to know that if those are breached, there will be consequences. We have seen instances where government sometimes doesn't follow its own policy, whether it's a Treasury Board policy or otherwise, and there aren't consequences for that as a result. With respect to these kinds of issues, Canadians would like to know that if there is a breach of those guidelines, there will be consequences.
If it's a matter of writing a better law to make legal, or write into law, some of those guidelines, do you foresee negative operational impacts on your organization?
4:50 p.m.
Director General, International and Intergovernmental Relations, Department of Citizenship and Immigration
It's difficult for me to answer that. To a great extent, we're in your hands. A lot of legislation, particularly legislation around information sharing, is accompanied by directives, policy documents, and so on for their implementation. The balance between what you put in the legislation versus what you put in regulations or directives and policy documents varies on a case-by-case basis. Where those rules are located, from my perspective, is less important than the fact that the rules need to be followed to ensure that we get that right balance between protecting privacy and protecting Canada's national security.
February 7th, 2017 / 4:50 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
That's definitely one of the themes that has been coming up in this whole study. How do you get Canadians' confidence that their personal information is not being shared recklessly?
We've heard from the departments that they have their own internal controls and mechanisms, but we've also heard from a number of experts who say that, as far as the law is concerned, this is a pretty broad and sweeping power that has been conferred on your organization.
We saw today in the news that the RCMP has been monitoring protests, or people demonstrating in favour of an inquiry into missing and murdered indigenous women. When Canadians learn about those kinds of things, it undermines their confidence and trust in our governmental institutions. Then, when they see a law as broad and sweeping as SCISA, they say, “Okay, if we can't trust them not to be checking up on people who are just concerned about the plight of indigenous women in Canada, why would we want to let them share so broadly, and though they say they have appropriate internal controls, why should we trust that those are adequate and being followed?”
If you look at SCISA in that light, what kinds of changes do you think could be made to SCISA to give Canadians the confidence that there is someone looking over your shoulder and observing that you're doing things as you say, while retaining the operational flexibility that you need to be able to make use of the information you receive to fulfill your function to ensure that important information about threats to Canada and Canadians is being communicated in a timely fashion? I open that up to anyone here.
4:55 p.m.
Conservative
The Chair Conservative Blaine Calkins
Regrettably, the Chair has to acknowledge that we're already eight minutes into Mr. Blaikie's seven minutes. That was a very long question.
4:55 p.m.
NDP
4:55 p.m.
Some hon. members
Oh, oh!
4:55 p.m.
Conservative
The Chair Conservative Blaine Calkins
That is a correct assumption, but if there's a quick and efficient response, I will entertain it.
4:55 p.m.
Director General, Counter-Terrorism, Crime and Intelligence Bureau, Department of Foreign Affairs, Trade and Development
I don't have a quick response, Mr. Chair.
4:55 p.m.
Conservative
The Chair Conservative Blaine Calkins
Thank you. We'll move on then.
Daniel, you do have three minutes coming up, so maybe we can get your answer then.
Mr. Saini, you have seven minutes, please.
4:55 p.m.
Liberal
Raj Saini Liberal Kitchener Centre, ON
Good afternoon everyone. I thank you so much for coming.
I want to change the conversation a little bit to international sharing agreements. The reason I want to bring this topic up is the executive order that was issued last week in the United States. I will just read you a part of it:
Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
I am sure that a lot of you probably share information with the United States because our two nations are intertwined with various instruments, treaties, and agreements. This executive order is about one week old. Has it affected your ability in any way to exchange information with the United States?
4:55 p.m.
Lisa Thiele Senior General Counsel and Director, Canadian Nuclear Safety Commission
From the perspective of Canada's nuclear regulator, we do have statutory authority to enter into information-sharing arrangements with other regulators in other countries. We have several of those. The type of information that we share is regulatory information; it's never going to be personal information.
Some of the information has to be adequately protected with classifications, but that's usually to protect commercial interest. It's not about personal information. Our information sharing is unaffected, I would say.
4:55 p.m.
Director General, International and Intergovernmental Relations, Department of Citizenship and Immigration
For IRCC, I can't comment specifically on that particular situation, but I can say that we are looking into all the elements of all three executive orders that have been issued so far to determine the impacts, if any, and are working with our U.S. counterparts. This is one that we would look at.
4:55 p.m.
Liberal
Raj Saini Liberal Kitchener Centre, ON
The executive order is pretty clear that it applies to non-United States citizens or lawful permanent residents. Have you stopped sharing information, or is information still ongoing? What protection is there for Canadian information that is currently being shared?
4:55 p.m.
Director General, International and Intergovernmental Relations, Department of Citizenship and Immigration
I'm sorry. I don't have that information with me today.
4:55 p.m.
Director General, Counter-Terrorism, Crime and Intelligence Bureau, Department of Foreign Affairs, Trade and Development
On the Global Affairs Canada side, under SCISA we only share information very, very carefully, as I pointed out, with Canadian government entities. It's not the role of our ministry to share information of a personal nature with other governments, so it doesn't apply to our ministry. Thank you.
4:55 p.m.
Director, Financial Transactions and Reports Analysis Centre of Canada
As we mentioned before, we do not exchange information internally, and surely not externally under SCISA, but under our mandate we have signed 92 MOUs with different countries of the world. The MOUs are quite specific as to the kind of privacy protection we're asking for from the countries with whom we've signed those MOUs.
We ask those countries to be members of the Egmont Group, a group of 146 countries with exactly the same responsibilities—well, not 146 countries, but 146 FIUs, or financial intelligence units, because they do not represent their national governments—to have the same framework as we do. Also, we have the authority to disclose or not and can decide what we are willing to disclose.
When it comes to FINTRAC, it is always the same issue. It has to relate to money laundering, terrorism financing, or the national security of Canada. If the country that requests the information is not specific enough, we don't have to provide anything. We may also provide information proactively. Most of the requests we receive are fairly specific and relate, as I said, to money laundering, and in our exchanges with the Americans, a significant number of exchanges on terrorism financing also.
5 p.m.
Liberal
Raj Saini Liberal Kitchener Centre, ON
The second question I have is whether sometimes you could possibly receive the information from your departments inappropriately or maybe in error. Can you explain to the committee what mechanism you have to dispose of that information? How long do you keep it for? Is there some oversight? When do you dispose of it? How do you make that decision?