Information & Ethics Committee on Feb. 7th, 2017

Thank you, Mr. Chair.

My name is Glen Linder. I’m the director general of international and intergovernmental relations at Immigration, Refugees and Citizenship Canada, or IRCC. My branch is the policy lead for the implementation of the Security of Canada Information Sharing Act, or SCISA, within IRCC.

I’m accompanied today by Michael Olsen, chief privacy officer of IRCC.

Today, I’ll be discussing how IRCC’s mandate relates to national security, how SCISA was implemented within the department and how IRCC is using these new authorities.

Following my opening remarks, my colleague and I will be happy to answer any questions committee members may have on this topic.

IRCC is responsible for a diverse mandate, which includes facilitating the arrival of people and their integration into Canada while protecting the health, safety, and security of Canadians; managing the granting of Canadian citizenship; and issuing Canadian passports. Several of IRCC 's powers, duties, and functions relate directly to addressing activities that undermine the security of Canada. These include assessing the criminal and security admissibility of immigration, citizenship, and passport applicants.

One of the Immigration and Refugee Protection Act's objectives with respect to immigration is “to promote international justice and security by fostering respect for human rights and by denying access to Canadian territory to persons who are criminals or security risks”.

In an effort to maintain the integrity of the immigration, citizenship, and passport programs, IRCC works closely with its security partners to identify applicants who are inadmissible to Canada on security grounds, to remove or revoke the status of those who engage in activities deemed to undermine Canada's national security, and to deny passport services to persons posing a threat to our national security. For example, IRCC ensures that individuals who are deemed inadmissible by engaging in terrorism, or instigating the subversion by force of any government, are not admitted to Canada. IRCC is also responsible for conducting revocations of citizenship if a person has obtained citizenship by false representation or fraud with respect to facts that may render persons inadmissible to Canada on grounds of security.

IRCC takes very seriously the operationalization of the new authorities granted by SCISA. The Department of Public Safety has developed a desk book and related resources that support government institutions in the implementation of SCISA to ensure its effective and responsible use. To complement this, IRCC has developed department-specific guidelines for employees authorized to disclose information under SCISA and receive information disclosed by other institutions under the act.

IRCC has developed a policy manual on how IRCC officials may work with SCISA. The manual provides information regarding topics such as disclosure and collection of information, directives on safekeeping, retention and record-keeping, and lists the limited IRCC positions that have been delegated for disclosure and receiving information under the act. Other tools, such as a step-by-step instructional document on the disclosure of information under SCISA, have also been made available to IRCC employees.

Given IRCC's responsibilities with regard to immigration, citizenship, and passport issuance, it is required to maintain a large volume of immigration records, and is a key institution for questions pertaining to the identity of newcomers and Canadians born here or abroad. Consequently, IRCC engages in reciprocal information-sharing with other government institutions to ensure the efficient use of government holdings while safeguarding the privacy rights of all individuals.

In the past, the absence of clear national security disclosure authorities made it cumbersome for partner agencies to support each other in countering threats to national security. SCISA has added a valuable tool to the information-sharing toolbox by allowing for the disclosure, sometimes proactive, of specific and targeted information to listed institutions. SCISA does not override any provisions found in existing legislation, such as the Privacy Act, but it does constitute a clear authority for efficient and expeditious information-sharing for national security purposes.

Since August 2015, IRCC has disclosed information in response to requests from security partners on 64 occasions, and in six instances has proactively disclosed information to partner agencies. IRCC has also been the recipient of information on one occasion, information that has been used in an investigation for revocation of citizenship under the Citizenship Act.

For illustrative purposes, I'd like to present you two possible scenarios for when information might be disclosed under SCISA.

First, in the context of an individual suspected of travelling abroad to engage in terrorism-related activity, IRCC may be the first institution aware of the potential return to Canada of this individual, as he or she may have to apply for travel documents to return to Canada. Under SCISA, IRCC has the authority to proactively inform institutions listed under the act to ensure that key partners are aware of the imminent return and are ready to respond to the potential threat to the national security of Canada. Prior to SCISA, there was no mechanism in place to promptly and proactively share such information.

Second, as a listed institution under SCISA, IRCC can also benefit from other federal institutions disclosing information to IRCC, which could support the department's mandate in relation to national security. A federal institution may come across information demonstrating that an individual who is a citizenship applicant has ties to terrorism, for example, through the financing of terrorist organizations. SCISA is an explicit authority for all federal government institutions to disclose information to designated recipients such as IRCC. Therefore, the institution could release to IRCC information related to the applicant's ties to terrorism, allowing the department to make an informed decision on the individual's citizenship grant. Before SCISA, it would have been difficult for an institution that had no specific information-sharing mechanism or authority related to national security in place to disclose such information to IRCC, and the individual may have received Canadian citizenship.

The authorities provided for in SCISA enable enhanced collaboration and better targeted information sharing through interactions among program experts of the listed institutions. The number of instances in which SCISA has been used is minimal compared to the volume of IRCC holdings, and it has been used in very specific situations.

Once again, we would like to thank you for inviting us to appear here today to discuss SCISA. We are happy to answer any questions from committee members about anything we have presented today.

Thank you, Mr. Chair, for inviting Stéphane Cousineau and me, on behalf of FINTRAC, to speak with you regarding the committee's study of the Security of Canada Information Sharing Act.

I can assure you that we will be as forthcoming as we can with our answers today; however, I know you understand that we cannot provide classified information in this public venue. We are also limited by legislation in what we can say about specific information that FINTRAC holds.

I would like to take a few minutes to describe FINTRAC's mandate and the role we play in helping to protect Canadians and the integrity of the Canadian financial system, as well as the comprehensive measures we have adopted in our privacy framework to safeguard the personal information of Canadians. I will also focus on the centre's responsibilities under the Security of Canada Information Sharing Act.

FINTRAC was created in 2000 by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. As Canada’s financial intelligence unit, FINTRAC facilitates the detection, prevention and deterrence of money laundering and the financing of terrorist activities, while ensuring the protection of personal information under its control.

The legislation establishes obligations for financial services entities, real estate brokers, money services businesses, casinos and many other business sectors. These obligations require them to establish an internal compliance program; identify clients; monitor business relationships; keep certain records; and report specific types of financial transactions to FINTRAC, including suspicious transactions, international electronic funds transfers of $10,000 or more and large cash transactions of $10,000 or more.

As part of Canada’s anti-money laundering and anti-terrorist financing regime, FINTRAC houses supervisory, compliance and intelligence functions. Our supervisory function involves assessing and enforcing the compliance of regulated businesses with their legal obligations. Our intelligence function enables us to produce financial intelligence for our police, law enforcement and national security partners.

As a result of the financial transaction reports received from regulated businesses across the country through its supervisory function, FINTRAC can provide financial intelligence that assists our partners in combatting money laundering, terrorism financing and threats to the security of Canada. FINTRAC also produces strategic intelligence about trends and typologies of money laundering and terrorist financing.

FINTRAC's role under the Security of Canada Information Sharing Act is limited, given that the provisions of FINTRAC's governing legislation set out narrow disclosure provisions and take precedence over any other legislative provisions related to the reception and communication of information. To be very clear, we can only receive information in accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. As well, FINTRAC can only disclose information as specified under the same act to the appropriate police or national security agency when it has reasonable grounds to suspect that it would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, or that it would be relevant to threats to the security of Canada.

Section 5 of SCISA does not change in any way when, or to whom, FINTRAC discloses financial intelligence. The centre may only disclose financial intelligence when the legislated thresholds have been met, and only to recipients listed in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Given this, to date, FINTRAC has not received or collected any information under SCISA.

Before concluding, I would like to touch on the protection of personal information. FINTRAC's first priority is to safeguard the information it receives, including financial transaction reports under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Indeed, the obligation to do so is set expressly in FINTRAC's mandate. Clear principles for the protection of privacy are set out in its governing legislation, which respects both the Canadian Charter of Rights and Freedoms and the Privacy Act, and are reinforced by FINTRAC's own operational policies and security measures.

FINTRAC does not have access to the bank accounts of Canadians. It does not have any legal authority or the technical means to monitor the financial activities of individuals. It develops the financial intelligence that it discloses to its police, law enforcement, and national security partners exclusively from the information received from reporting entities and partners as specified under its legislation.

In addition, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires that the Office of the Privacy Commissioner conduct a review every two years of the measures FINTRAC takes to protect the information held. FINTRAC is the only government institution subject to this type of mandatory audit by the Office of the Privacy Commissioner.

The protection of Canadians’ privacy is the key reason FINTRAC was created. We understand very clearly that, to maintain our credibility and the confidence of Canadians, we need to continually demonstrate that we take the protection of personal information and the limits of our mandate seriously. The protection of privacy is a clear priority for FINTRAC. We’re determined to help protect Canada and Canadians, while meeting our obligations under the Privacy Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Security of Canada Information Sharing Act.

Thank you, Mr. Chair.

I would be more than happy to answer your questions.

Good afternoon, Mr. Chairman and honourable members of the committee.

My name is Terry Jamieson and I’m the vice-president of the technical support branch at the Canadian Nuclear Safety Commission, or CNSC.

I’m joined today by Lisa Thiele, our senior general counsel.

Thank you for inviting us to discuss the CNSC’s participation as a recipient institution under the Security of Canada Information Sharing Act.

Here's a little bit about the CNSC. The CNSC is Canada's nuclear regulator. Under the Nuclear Safety and Control Act, or NSCA, the CNSC carries out its threefold mandate.

First, we regulate the use of nuclear energy and materials to protect health, safety, security, and the environment. Second, we implement Canada's international commitments on the peaceful use of nuclear energy; and third, we disseminate objective scientific, technical, and regulatory information to the public.

We are an independent, quasi-judicial administrative tribunal. The CNSC regulates all things nuclear in Canada, including uranium mining, nuclear fuel fabrication, nuclear reactors and power plants, the production and use of medical isotopes, the decommissioning and remediation of nuclear sites, and the safe management of nuclear waste.

The CNSC was established in 2000 under the Nuclear Safety and Control Act and reports to Parliament through the minister of Natural Resources. The commission may have up to seven appointed permanent members whose decisions are supported by more than 800 employees. Our employees review applications for licences according to regulatory requirements. We make recommendations to the commission and we also enforce compliance with the Nuclear Safety and Control Act, regulations, and any licensed conditions imposed by our commission members.

The CNSC has two key responsibilities related to national security under the NSCA. First, the CNSC is responsible for preventing risk to national security by regulating the development, production, and use of nuclear energy, nuclear substances, prescribed equipment, and prescribed information.

The CNSC has one of the top nuclear security programs in place in the world. Our focus is on preventing sabotage of a nuclear facility or theft or loss of nuclear materials. We identify potential risks and threats to the Canadian nuclear industry and we develop the regulatory requirements necessary to ensure these risks are mitigated and that the threats are prevented, detected, or responded to appropriately.

In 2015, Canada welcomed a peer review mission from the International Atomic Energy Agency that concluded that Canada operates a mature, effective, and well-established nuclear security regime.

Our second area of responsibility related to national security is the implementation of Canada's obligations relating to the safeguarding and non-proliferation of nuclear materials. An example of how the CNSC works to prevent proliferation is through our licensing program, which controls the import and export of nuclear material, equipment, and information. This program requires information in order to assess applications and verify compliance with control measures.

The CNSC became a recipient organization under SCISA to ensure that we receive timely information about a nuclear-related activity that could potentially undermine the security of Canada. The frequency of such events is thankfully low, and I'd like to stress that to date, CNSC has not had to use SCISA. Under the act, the CNSC's authorities to receive information have not changed, but rather, other Government of Canada institutions are provided a better understanding of our mandate as a recipient institution and are given the authority to disclose relevant information to us.

As a recipient institution under SCISA, the CNSC considers the protection of national security information and the personal information handling provisions of the Privacy Act to be of the highest priority.

While we have existing processes in place, we are committed to continuous improvement and, as a result of the Privacy Commissioner's annual report, the CNSC is undertaking a privacy impact assessment that will capture SCISA. We're also working to clarify our procedures to ensure that they're well understood by all impacted areas of our organization.

This concludes my remarks, and I would be pleased to answer any questions that you might have.

Thank you.

Yes. That's correct.

I'm going to ask my colleague Victoria Fuller to respond.

Global Affairs Canada has received requests, which we responded to 25 times. We've made 20 responses in which we did not provide information for one reason or another, and we've made 16 proactive responses.

There would be three reasons to be in that category. One was a decision not to share the information. One was a decision that this was not the appropriate mechanism to share the information, and the information was shared in another way. The third reason was that we had no information that met what they were looking for.

In our case to answer your question directly, yes, in all cases the information could have been provided without SCISA, but SCISA essentially allows for a dedicated service channel for national security cases and for a much simpler approach for our being able to disclose that information.

In view of the timeliness often associated with national security cases, it facilitates that prompt information-sharing, provided all the tests within SCISA are met in that particular case.

With respect to our department, essentially outside of SCISA the authorities are in the Privacy Act. What do we have in the Privacy Act? We have the provision on consistent use. In our case we're collecting information to assess someone's admissibility to Canada, to assess their request for a passport or their application for citizenship.

The consistent use with respect to national security is somewhat limited in that case. We're essentially limited to being able to confirm the person's name and immigration status in Canada with respect to consistent use, so it doesn't provide much of an avenue.

The other area we can share information under the Privacy Act is when it's requested by an investigative body. There, absolutely, the information can be shared, but in that particular case, it's on request only. We can't proactively provide anything. It's also done as part of the other business under the Privacy Act, whereas under SCISA you again have this designated channel, you have these national security experts who are dealing with it, who are cleared to the appropriate level, and who have the expertise to be able to assess much more clearly and promptly what's provided.

That's entirely in your hands, obviously, as our elected representatives.

From my perspective on having a more stringent test, we take the test of relevancy very seriously. If there were to be a more stringent test in terms of necessity, for example, it would be helpful for you to consider what that would do in terms of balance. There has been a lot of discussion at this table about balance. If it were a test of necessity, we would need to be convinced with a lot more information that were necessary, in fact, not simply relevant. And what would that mean in practice? I think that would mean that our national security agencies, the investigative bodies that were requesting information from us, would possibly have to give us a lot more national security information for us to make that determination and be satisfied that it was, in fact, necessary and not simply relevant.

Could we do that? Absolutely, but it's worth considering whether the benefit of having that higher standard is outweighed by having more sensitive national security information in circulation, in order for us to make that determination. More generally—and I think this is possibly the intent—it obviously would put a chilling effect on the amount of information we would disclose under SCISA. That would be a necessary outcome.