Information & Ethics Committee on Feb. 7th, 2017

Good afternoon, Mr. Chair and members of the committee.

I would like to thank you for inviting Global Affairs Canada to speak to you about the Security of Canada Information Sharing Act. I’m the director general of counter-terrorism, crime and intelligence. Mr. Chair, you have just introduced my colleagues.

I will provide a bit of context to help situate the department's perspective on this act. As you are very aware, Canada is facing a wide range of threats to its national and international security.

We are co-operating closely with the many like-minded partners internationally to address the threat posed by terrorists and foreign fighters and to control the export of materials related to the manufacture of chemical weapons and other kinds of weapons of mass destruction. All of these issues are transnational in nature.

The department manages Canada's membership in bilateral or multilateral defence and security organizations that deal with traditional threats to security, as well as non-traditional threats such as threats to cybersecurity and space security.

The department is charged with the maintenance of an international platform with which to perform its functions, namely our network of missions abroad. Global Affairs Canada must therefore continually assess threats to the security of missions abroad, provide appropriate protection, and manage any residual risks to life and property, including diplomatic personnel and assets abroad. Global Affairs Canada provides travel advice and advisories to Canadians, as well as notifications to registered Canadians about safety and security conditions abroad, so they can make their own informed decisions regarding foreign travel.

Our international efforts are complemented by our work with partners within the government to advance Canada's national and international security objectives. A coordinated whole-of-government approach is necessary in addressing international issues like terrorism and foreign fighters. In this respect, the ability to share relevant information is key.

The department already had an established process to facilitate the appropriate sharing of information when issues of national security were at stake. Processes and caveats are in place to ensure that only information that is relevant, reliable, and accurate is shared. The requests must also be compliant with Canada's privacy laws or framework, including the charter and Privacy Act.

Prior to the enactment of the Security of Canada Information Sharing Act, or SCISA as we call it, the information was typically shared under the provisions of paragraph 8(2)(e), when pursuant to a request, or subparagraph 8(2)(m)(i), when proactively shared, of the Privacy Act.

Officials are further guided by the findings of past commissions of inquiry, in particular the report of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar.

SCISA was designed to help the government improve how it deals internally with national security issues, by improving national security information sharing domestically. SCISA aims to ensure that information relevant to national security is shared both effectively and responsibly.

SCISA provides an authority for other departments and agencies to share with our department any information that might bear on the safety of our staff or the security of our missions abroad. SCISA also provides other departments and agencies with a clear authority to request from Global Affairs Canada information relevant to national security or for Global Affairs Canada to proactively share such information.

A number of steps have been taken to ensure that the department is appropriately implementing the new legislation, and that officials understand its impact and limitations.

First, the Minister of Foreign Affairs gave three divisions within the department the authority to receive national security-related information pursuant to SCISA. These areas are international security and intelligence; security and legal; and trade, specifically the international business development and chief trade commissioner in addition to trade agreements and negotiations.

Second, a letter explaining SCISA was sent to all Canada’s heads of missions abroad, asking that they sensitize their staff to the importance of timely and appropriate information sharing to keep Canada and Canadians safe. The letter was jointly signed by the deputy ministers of Foreign Affairs, the director of the Canadian Security Intelligence Service and the commissioner of the Royal Canadian Mounted Police. The letter explained that SCISA doesn't create an obligation to disclose and that this authority needs to be balanced against other statutory obligations, including privacy rights. It directed that, to ensure a systematic approach, requests for information to be shared under SCISA should be referred back to headquarters for decision.

With respect to proactive disclosures, the letter confirmed that information available at mission that could be relevant to Canada's security or to other federal institutions' mandates should be sent without delay to headquarters, where officials would determine whether, how, and with whom the information will be disclosed. It emphasized that for urgent cases, headquarters will respond quickly, including outside of normal business hours.

An exception is made for exigent circumstances where there is an imminent threat to life or a threat of serious bodily harm. In those instances, the good judgment of all heads of mission is relied upon, wherever they may be, to share information directly and immediately with the relevant counterparts, and then to report to headquarters to advise of any such disclosures at the first available opportunity.

The third implementation step taken was to develop an information sharing agreement between the consular operations bureau and CSIS. This agreement lays out the parameters within which the department will share consular information with CSIS under SCISA, including practical modalities. We are also seeking to develop a similar agreement with the RCMP based on that model.

Lastly, the department has been taking steps to ensure wider understanding and better use of SCISA. For example, in 2015, the director general for consular policy held a number of teleconferences, open to all heads of missions across the Global Affairs missions network, to discuss SCISA and other privacy and information sharing considerations in the consular context.

Now in terms of practice, since SCISA came into force, most of the department's sharing of consular-related information with national security agencies is done under SCISA rather than pre-existing authorities. In practical terms, there are two types of disclosure that are taking place.

The first type of disclosure is a result of a request from a national security agency. In these situations, the national security agency will send in a request in writing. These requests must provide sufficient detail to indicate a clear link to the agency's national security mandate. The requests also indicate the type of information that the agency is seeking. If the division targeted by the request, which is normally consular operations, determines that they have relevant information, they will gather the relevant information and seek legal advice regarding compliance with SCISA and Canada's privacy laws. Officials then exercise their discretion on whether or not to share the information.

The second type of disclosure is proactive disclosure. These arise when department officials—again typically with consular operations—collect information that they believe is relevant to the national security mandate of a Canadian department or agency. The same process for requests is followed as for proactive disclosures.

The decision to share is always taken at headquarters. Although we have left open the possibility of sharing directly at a mission where there is imminent risk to life or bodily harm, in practice this has not happened. The reason for the headquarter's decision is, first, to ensure that individuals with sufficient experience and level are ultimately making the decision following our established process; second, to ensure consistency in the interpretation and use of SCISA to disclose the information, including confirming that the threshold for disclosure has been met; and finally, to ensure documentation and tracking of disclosures to meet reporting and accountability requirements.

As you are likely aware, the Office of the Privacy Commissioner commenced an investigation of SCISA under section 37 of the Privacy Act last fall. Global Affairs has met with the OPC and has provided information on the number and nature of the disclosures we made under the act during the first year it has come into effect.

It is also worth noting that SCISA amended the Chemical Weapons Convention Implementation Act to permit Global Affairs Canada to share information pertaining to the production, processing, consumption, import, and export of certain chemicals and related facilities where appropriate. Before SCISA came into force, we were prohibited from sharing this information. This was an important change for the department.

To conclude, as I mentioned before, SCISA does not alter the department's existing authorities to collect national security information. However, before it came into force, we anticipated that it would create new possibilities for sharing information that is relevant to national security. I would say that SCISA provided an opportunity to refresh the discussion on how this type of information is shared. Also, practically speaking, it has created a context and a tool, both of which have focused efforts on ensuring that national security information is flowing appropriately yet responsibly.

Mr. Chair, that brings my remarks to an end. Some of your questions may require a detailed answer, for which I may not be the best person to answer, and therefore we have experts from different parts of the organization to respond.

Thank you very much.

Thank you, Mr. Chair.

My name is Glen Linder. I’m the director general of international and intergovernmental relations at Immigration, Refugees and Citizenship Canada, or IRCC. My branch is the policy lead for the implementation of the Security of Canada Information Sharing Act, or SCISA, within IRCC.

I’m accompanied today by Michael Olsen, chief privacy officer of IRCC.

Today, I’ll be discussing how IRCC’s mandate relates to national security, how SCISA was implemented within the department and how IRCC is using these new authorities.

Following my opening remarks, my colleague and I will be happy to answer any questions committee members may have on this topic.

IRCC is responsible for a diverse mandate, which includes facilitating the arrival of people and their integration into Canada while protecting the health, safety, and security of Canadians; managing the granting of Canadian citizenship; and issuing Canadian passports. Several of IRCC 's powers, duties, and functions relate directly to addressing activities that undermine the security of Canada. These include assessing the criminal and security admissibility of immigration, citizenship, and passport applicants.

One of the Immigration and Refugee Protection Act's objectives with respect to immigration is “to promote international justice and security by fostering respect for human rights and by denying access to Canadian territory to persons who are criminals or security risks”.

In an effort to maintain the integrity of the immigration, citizenship, and passport programs, IRCC works closely with its security partners to identify applicants who are inadmissible to Canada on security grounds, to remove or revoke the status of those who engage in activities deemed to undermine Canada's national security, and to deny passport services to persons posing a threat to our national security. For example, IRCC ensures that individuals who are deemed inadmissible by engaging in terrorism, or instigating the subversion by force of any government, are not admitted to Canada. IRCC is also responsible for conducting revocations of citizenship if a person has obtained citizenship by false representation or fraud with respect to facts that may render persons inadmissible to Canada on grounds of security.

IRCC takes very seriously the operationalization of the new authorities granted by SCISA. The Department of Public Safety has developed a desk book and related resources that support government institutions in the implementation of SCISA to ensure its effective and responsible use. To complement this, IRCC has developed department-specific guidelines for employees authorized to disclose information under SCISA and receive information disclosed by other institutions under the act.

IRCC has developed a policy manual on how IRCC officials may work with SCISA. The manual provides information regarding topics such as disclosure and collection of information, directives on safekeeping, retention and record-keeping, and lists the limited IRCC positions that have been delegated for disclosure and receiving information under the act. Other tools, such as a step-by-step instructional document on the disclosure of information under SCISA, have also been made available to IRCC employees.

Given IRCC's responsibilities with regard to immigration, citizenship, and passport issuance, it is required to maintain a large volume of immigration records, and is a key institution for questions pertaining to the identity of newcomers and Canadians born here or abroad. Consequently, IRCC engages in reciprocal information-sharing with other government institutions to ensure the efficient use of government holdings while safeguarding the privacy rights of all individuals.

In the past, the absence of clear national security disclosure authorities made it cumbersome for partner agencies to support each other in countering threats to national security. SCISA has added a valuable tool to the information-sharing toolbox by allowing for the disclosure, sometimes proactive, of specific and targeted information to listed institutions. SCISA does not override any provisions found in existing legislation, such as the Privacy Act, but it does constitute a clear authority for efficient and expeditious information-sharing for national security purposes.

Since August 2015, IRCC has disclosed information in response to requests from security partners on 64 occasions, and in six instances has proactively disclosed information to partner agencies. IRCC has also been the recipient of information on one occasion, information that has been used in an investigation for revocation of citizenship under the Citizenship Act.

For illustrative purposes, I'd like to present you two possible scenarios for when information might be disclosed under SCISA.

First, in the context of an individual suspected of travelling abroad to engage in terrorism-related activity, IRCC may be the first institution aware of the potential return to Canada of this individual, as he or she may have to apply for travel documents to return to Canada. Under SCISA, IRCC has the authority to proactively inform institutions listed under the act to ensure that key partners are aware of the imminent return and are ready to respond to the potential threat to the national security of Canada. Prior to SCISA, there was no mechanism in place to promptly and proactively share such information.

Second, as a listed institution under SCISA, IRCC can also benefit from other federal institutions disclosing information to IRCC, which could support the department's mandate in relation to national security. A federal institution may come across information demonstrating that an individual who is a citizenship applicant has ties to terrorism, for example, through the financing of terrorist organizations. SCISA is an explicit authority for all federal government institutions to disclose information to designated recipients such as IRCC. Therefore, the institution could release to IRCC information related to the applicant's ties to terrorism, allowing the department to make an informed decision on the individual's citizenship grant. Before SCISA, it would have been difficult for an institution that had no specific information-sharing mechanism or authority related to national security in place to disclose such information to IRCC, and the individual may have received Canadian citizenship.

The authorities provided for in SCISA enable enhanced collaboration and better targeted information sharing through interactions among program experts of the listed institutions. The number of instances in which SCISA has been used is minimal compared to the volume of IRCC holdings, and it has been used in very specific situations.

Once again, we would like to thank you for inviting us to appear here today to discuss SCISA. We are happy to answer any questions from committee members about anything we have presented today.

Thank you, Mr. Chair, for inviting Stéphane Cousineau and me, on behalf of FINTRAC, to speak with you regarding the committee's study of the Security of Canada Information Sharing Act.

I can assure you that we will be as forthcoming as we can with our answers today; however, I know you understand that we cannot provide classified information in this public venue. We are also limited by legislation in what we can say about specific information that FINTRAC holds.

I would like to take a few minutes to describe FINTRAC's mandate and the role we play in helping to protect Canadians and the integrity of the Canadian financial system, as well as the comprehensive measures we have adopted in our privacy framework to safeguard the personal information of Canadians. I will also focus on the centre's responsibilities under the Security of Canada Information Sharing Act.

FINTRAC was created in 2000 by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. As Canada’s financial intelligence unit, FINTRAC facilitates the detection, prevention and deterrence of money laundering and the financing of terrorist activities, while ensuring the protection of personal information under its control.

The legislation establishes obligations for financial services entities, real estate brokers, money services businesses, casinos and many other business sectors. These obligations require them to establish an internal compliance program; identify clients; monitor business relationships; keep certain records; and report specific types of financial transactions to FINTRAC, including suspicious transactions, international electronic funds transfers of $10,000 or more and large cash transactions of $10,000 or more.

As part of Canada’s anti-money laundering and anti-terrorist financing regime, FINTRAC houses supervisory, compliance and intelligence functions. Our supervisory function involves assessing and enforcing the compliance of regulated businesses with their legal obligations. Our intelligence function enables us to produce financial intelligence for our police, law enforcement and national security partners.

As a result of the financial transaction reports received from regulated businesses across the country through its supervisory function, FINTRAC can provide financial intelligence that assists our partners in combatting money laundering, terrorism financing and threats to the security of Canada. FINTRAC also produces strategic intelligence about trends and typologies of money laundering and terrorist financing.

FINTRAC's role under the Security of Canada Information Sharing Act is limited, given that the provisions of FINTRAC's governing legislation set out narrow disclosure provisions and take precedence over any other legislative provisions related to the reception and communication of information. To be very clear, we can only receive information in accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. As well, FINTRAC can only disclose information as specified under the same act to the appropriate police or national security agency when it has reasonable grounds to suspect that it would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, or that it would be relevant to threats to the security of Canada.

Section 5 of SCISA does not change in any way when, or to whom, FINTRAC discloses financial intelligence. The centre may only disclose financial intelligence when the legislated thresholds have been met, and only to recipients listed in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Given this, to date, FINTRAC has not received or collected any information under SCISA.

Before concluding, I would like to touch on the protection of personal information. FINTRAC's first priority is to safeguard the information it receives, including financial transaction reports under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Indeed, the obligation to do so is set expressly in FINTRAC's mandate. Clear principles for the protection of privacy are set out in its governing legislation, which respects both the Canadian Charter of Rights and Freedoms and the Privacy Act, and are reinforced by FINTRAC's own operational policies and security measures.

FINTRAC does not have access to the bank accounts of Canadians. It does not have any legal authority or the technical means to monitor the financial activities of individuals. It develops the financial intelligence that it discloses to its police, law enforcement, and national security partners exclusively from the information received from reporting entities and partners as specified under its legislation.

In addition, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires that the Office of the Privacy Commissioner conduct a review every two years of the measures FINTRAC takes to protect the information held. FINTRAC is the only government institution subject to this type of mandatory audit by the Office of the Privacy Commissioner.

The protection of Canadians’ privacy is the key reason FINTRAC was created. We understand very clearly that, to maintain our credibility and the confidence of Canadians, we need to continually demonstrate that we take the protection of personal information and the limits of our mandate seriously. The protection of privacy is a clear priority for FINTRAC. We’re determined to help protect Canada and Canadians, while meeting our obligations under the Privacy Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Security of Canada Information Sharing Act.

Thank you, Mr. Chair.

I would be more than happy to answer your questions.

Good afternoon, Mr. Chairman and honourable members of the committee.

My name is Terry Jamieson and I’m the vice-president of the technical support branch at the Canadian Nuclear Safety Commission, or CNSC.

I’m joined today by Lisa Thiele, our senior general counsel.

Thank you for inviting us to discuss the CNSC’s participation as a recipient institution under the Security of Canada Information Sharing Act.

Here's a little bit about the CNSC. The CNSC is Canada's nuclear regulator. Under the Nuclear Safety and Control Act, or NSCA, the CNSC carries out its threefold mandate.

First, we regulate the use of nuclear energy and materials to protect health, safety, security, and the environment. Second, we implement Canada's international commitments on the peaceful use of nuclear energy; and third, we disseminate objective scientific, technical, and regulatory information to the public.

We are an independent, quasi-judicial administrative tribunal. The CNSC regulates all things nuclear in Canada, including uranium mining, nuclear fuel fabrication, nuclear reactors and power plants, the production and use of medical isotopes, the decommissioning and remediation of nuclear sites, and the safe management of nuclear waste.

The CNSC was established in 2000 under the Nuclear Safety and Control Act and reports to Parliament through the minister of Natural Resources. The commission may have up to seven appointed permanent members whose decisions are supported by more than 800 employees. Our employees review applications for licences according to regulatory requirements. We make recommendations to the commission and we also enforce compliance with the Nuclear Safety and Control Act, regulations, and any licensed conditions imposed by our commission members.

The CNSC has two key responsibilities related to national security under the NSCA. First, the CNSC is responsible for preventing risk to national security by regulating the development, production, and use of nuclear energy, nuclear substances, prescribed equipment, and prescribed information.

The CNSC has one of the top nuclear security programs in place in the world. Our focus is on preventing sabotage of a nuclear facility or theft or loss of nuclear materials. We identify potential risks and threats to the Canadian nuclear industry and we develop the regulatory requirements necessary to ensure these risks are mitigated and that the threats are prevented, detected, or responded to appropriately.

In 2015, Canada welcomed a peer review mission from the International Atomic Energy Agency that concluded that Canada operates a mature, effective, and well-established nuclear security regime.

Our second area of responsibility related to national security is the implementation of Canada's obligations relating to the safeguarding and non-proliferation of nuclear materials. An example of how the CNSC works to prevent proliferation is through our licensing program, which controls the import and export of nuclear material, equipment, and information. This program requires information in order to assess applications and verify compliance with control measures.

The CNSC became a recipient organization under SCISA to ensure that we receive timely information about a nuclear-related activity that could potentially undermine the security of Canada. The frequency of such events is thankfully low, and I'd like to stress that to date, CNSC has not had to use SCISA. Under the act, the CNSC's authorities to receive information have not changed, but rather, other Government of Canada institutions are provided a better understanding of our mandate as a recipient institution and are given the authority to disclose relevant information to us.

As a recipient institution under SCISA, the CNSC considers the protection of national security information and the personal information handling provisions of the Privacy Act to be of the highest priority.

While we have existing processes in place, we are committed to continuous improvement and, as a result of the Privacy Commissioner's annual report, the CNSC is undertaking a privacy impact assessment that will capture SCISA. We're also working to clarify our procedures to ensure that they're well understood by all impacted areas of our organization.

This concludes my remarks, and I would be pleased to answer any questions that you might have.

Thank you.

Yes. That's correct.

I'm going to ask my colleague Victoria Fuller to respond.

Global Affairs Canada has received requests, which we responded to 25 times. We've made 20 responses in which we did not provide information for one reason or another, and we've made 16 proactive responses.

There would be three reasons to be in that category. One was a decision not to share the information. One was a decision that this was not the appropriate mechanism to share the information, and the information was shared in another way. The third reason was that we had no information that met what they were looking for.

In our case to answer your question directly, yes, in all cases the information could have been provided without SCISA, but SCISA essentially allows for a dedicated service channel for national security cases and for a much simpler approach for our being able to disclose that information.

In view of the timeliness often associated with national security cases, it facilitates that prompt information-sharing, provided all the tests within SCISA are met in that particular case.

With respect to our department, essentially outside of SCISA the authorities are in the Privacy Act. What do we have in the Privacy Act? We have the provision on consistent use. In our case we're collecting information to assess someone's admissibility to Canada, to assess their request for a passport or their application for citizenship.

The consistent use with respect to national security is somewhat limited in that case. We're essentially limited to being able to confirm the person's name and immigration status in Canada with respect to consistent use, so it doesn't provide much of an avenue.

The other area we can share information under the Privacy Act is when it's requested by an investigative body. There, absolutely, the information can be shared, but in that particular case, it's on request only. We can't proactively provide anything. It's also done as part of the other business under the Privacy Act, whereas under SCISA you again have this designated channel, you have these national security experts who are dealing with it, who are cleared to the appropriate level, and who have the expertise to be able to assess much more clearly and promptly what's provided.

That's entirely in your hands, obviously, as our elected representatives.

From my perspective on having a more stringent test, we take the test of relevancy very seriously. If there were to be a more stringent test in terms of necessity, for example, it would be helpful for you to consider what that would do in terms of balance. There has been a lot of discussion at this table about balance. If it were a test of necessity, we would need to be convinced with a lot more information that were necessary, in fact, not simply relevant. And what would that mean in practice? I think that would mean that our national security agencies, the investigative bodies that were requesting information from us, would possibly have to give us a lot more national security information for us to make that determination and be satisfied that it was, in fact, necessary and not simply relevant.

Could we do that? Absolutely, but it's worth considering whether the benefit of having that higher standard is outweighed by having more sensitive national security information in circulation, in order for us to make that determination. More generally—and I think this is possibly the intent—it obviously would put a chilling effect on the amount of information we would disclose under SCISA. That would be a necessary outcome.

With regard to citizenship revocation, essentially citizenship can be revoked if we have evidence that the person made a false or misleading statement, or committed fraud with respect to an element regarding admissibility. A ground for admissibility, for example, would be whether a person is a threat to the security of Canada. So if we later determined that there had been fraud, that the person had covered up membership in a terrorist organization at the time he or she applied for citizenship, we would be able to go through a process that would essentially allow us to revoke citizenship if we could determine fraud had been committed or misrepresentation with respect to what was told us at the time of application for citizenship.

No, not necessarily. It would have to be a grounds of inadmissibility that's listed under the act. It's usually regarding security, criminality, or public health, so a simple misrepresentation is not necessarily grounds for inadmissibility in itself.

Thank you.

The answer is no. We certainly have not seen any kind of misuse of this. I would also point out that, of course, as I made clear in my statement, we deal with these issues with great attention to detail according to the law and individual agreements we have set up with other organizations. The answer is clearly no.

Thank you.

I'm sorry. I'm going to ask you to quickly repeat the question.

No, we have not.

It's the same thing with FINTRAC. We haven't received or disclosed anything under SCISA.

For CNSC, likewise, we have not received or disclosed and we've seen no misuse.

I think, from our perspective, there is no question that it helps. It provides an additional tool. As I mentioned, it provides a general context in which to address these things positively, so I think it definitely helps us in our day-to-day practice, although we do not use it for absolutely all instances.

Victoria, do you want to comment on that?

My only comment is that one of the benefits is that it allows for greater coordination across government departments, because more departments have more relevant information available in order to make decisions.

I would agree with my colleagues from Global Affairs. As I said before, we do see it as helpful. We do see it as creating this dedicated service channel for national security information to be discussed and exchanged among relevant experts who have the appropriate security classification.

From our standpoint, the legislation hasn't had any impact on our operation, positive or negative.

Again, there has been no impact on either our mandate or our operations. But in terms of commentary, we would view SCISA as being a very efficient, effective, and consistent framework to facilitate information sharing across a broad range of government entities.

Thank you. I think this probably would be best addressed to CSIS.

Under SCISA, we don't share with the Five Eyes. My own level of contact with the Five Eyes is not specific enough to really be able to honestly respond to your question.

It may not pertain specifically to SCISA, but when it comes to FINTRAC, in fact, we were created to prevent law enforcement agencies from accessing directly the information of Canadians without a warrant or a production order.

If you compare us, for instance, to other organizations or colleagues abroad, lots of organizations do receive the information, structure it, and leave it in their database, and then the database is accessible to all law enforcement agencies of that country. We do not do that in Canada. Basically, our responsibility is to make sure that the information that is disclosed responds directly to the mandate that was given to us by Parliament, so from that standpoint our regime is much more rigorous than what you will see elsewhere.

With your permission, Mr. Chair, I'm going to ask my colleague Victoria Fuller, from the consular area, who is a specialist in this area, to respond. Thanks.

Those would be the same numbers that I provided to Mr. Erskine-Smith. I'm not a set delegated recipient of information, so I couldn't address whether the department as a whole has ever received under SCISA.

At IRCC, we have disclosed information on 70 occasions under SCISA. Sixty-four of those times it was as a result of a request to us, and six times we've disclosed it proactively. We have been the recipient of information on one occasion.

In each case, the request for disclosure tends to be very specific to a particular situation. To my knowledge, it is usually associated with a single individual. I think it's possible that it could be a family as well, but in general, it is extremely limited. Within that data set, we take extreme care to make sure that we're only providing those information fields that are absolutely necessary for the objective of the act to be carried out.

I can't answer that specifically. I can tell you that in my experience and to my knowledge, we've only had situations that have been on that one-off basis, and we look at each one very carefully in each case. Within the department, we have put together a very detailed desk book for anyone who deals with SCISA. It lays out the rules very carefully. There is a detailed checklist that a delegated official needs to go through each time to make sure that everything is done in accordance with the act. Each delegated official also undergoes training, which we provide internally in the department, to make sure that the parameters of the act are respected.

It's difficult for me to answer that. To a great extent, we're in your hands. A lot of legislation, particularly legislation around information sharing, is accompanied by directives, policy documents, and so on for their implementation. The balance between what you put in the legislation versus what you put in regulations or directives and policy documents varies on a case-by-case basis. Where those rules are located, from my perspective, is less important than the fact that the rules need to be followed to ensure that we get that right balance between protecting privacy and protecting Canada's national security.

Oh, oh!

I don't have a quick response, Mr. Chair.

From the perspective of Canada's nuclear regulator, we do have statutory authority to enter into information-sharing arrangements with other regulators in other countries. We have several of those. The type of information that we share is regulatory information; it's never going to be personal information.

Some of the information has to be adequately protected with classifications, but that's usually to protect commercial interest. It's not about personal information. Our information sharing is unaffected, I would say.

For IRCC, I can't comment specifically on that particular situation, but I can say that we are looking into all the elements of all three executive orders that have been issued so far to determine the impacts, if any, and are working with our U.S. counterparts. This is one that we would look at.

I'm sorry. I don't have that information with me today.

On the Global Affairs Canada side, under SCISA we only share information very, very carefully, as I pointed out, with Canadian government entities. It's not the role of our ministry to share information of a personal nature with other governments, so it doesn't apply to our ministry. Thank you.

As we mentioned before, we do not exchange information internally, and surely not externally under SCISA, but under our mandate we have signed 92 MOUs with different countries of the world. The MOUs are quite specific as to the kind of privacy protection we're asking for from the countries with whom we've signed those MOUs.

We ask those countries to be members of the Egmont Group, a group of 146 countries with exactly the same responsibilities—well, not 146 countries, but 146 FIUs, or financial intelligence units, because they do not represent their national governments—to have the same framework as we do. Also, we have the authority to disclose or not and can decide what we are willing to disclose.

When it comes to FINTRAC, it is always the same issue. It has to relate to money laundering, terrorism financing, or the national security of Canada. If the country that requests the information is not specific enough, we don't have to provide anything. We may also provide information proactively. Most of the requests we receive are fairly specific and relate, as I said, to money laundering, and in our exchanges with the Americans, a significant number of exchanges on terrorism financing also.

For IRCC, if we receive information in error or information that's not relevant, the guidelines we have within the department are that the information must be destroyed immediately.

On our side, SCISA is not a collection authority. I'm just looking to my colleagues, Victoria or perhaps Patrick, on the privacy side, because it's a very specialized question.

On the privacy side, for information that's collected legitimately, I believe the standard is a minimum of two years. If the information is not collected for the purpose intended, then I would suspect we wouldn't keep it as long.

Thank you.

With respect to the information we have shared under SCISA, what I can do is perhaps give you some illustrative examples of the kinds of information that we might disclose. For example, if there's a national security investigation under way by one of our national security organizations, say the RCMP, we might disclose to them personal information to confirm the identity of someone who's suspected of planning or performing an act that would undermine the security of Canada. That would assist them in making a positive identification of the person and be able to take appropriate law enforcement action. That might be one example in terms of our disclosing to another organization.

In terms of a proactive disclosure that we might do under SCISA, an example might be an individual who is suspected of travelling abroad to engage in a terrorism-related activity and who has just acquired a Canadian passport to return to Canada. There again, proactively providing that information to our national security agencies could help them in terms of making sure that appropriate enforcement action is taken when that person returns to Canada.

Another example might be information disclosed to us by a security organization. As I mentioned in my opening remarks, we're responsible for determining admissibility of people into Canada, so if an organization has information that a person is a threat to Canada's national security, that is very helpful to us in terms of determining that they're inadmissible to Canada and we should not issue a visa to them to facilitate their entry into Canada.

Those are some illustrative examples of where SCISA can be used in our context.

I wouldn't want to comment on any specific case, but those are some potential uses.

I guess what I can say about the threshold of undermining the security of Canada is that it's working for us. I would say a more stringent threshold would have a chilling effect in terms of the amount of information we would disclose or that others would disclose to us. I think that would be normal, but we're in your hands on that.

At present I can say that we have made, as I said, a total of 70 disclosures by our department, which has a considerable amount of personal information on Canadian citizens, permanent residents, and foreign nationals. It's not a lot of times that we've used it, but when we have used it, I think it has been helpful and effective.

No, I wouldn't say it would affect the culture in that way, but I think, as we do currently, that we would take that new threshold very seriously. If you do have a higher threshold, I think it's fair to assume that you would have fewer cases of disclosures simply because there wouldn't be the same number that would meet that more stringent threshold.

Okay. Thank you for the question.

With all due respect, I don't want to avoid your question. I want to respond as clearly as possible. I think we were misunderstood earlier. I have someone with me who is really an expert and who handles this type of communication every day. She could be called on to do so on the consular side. I'll ask Victoria Fuller to give you an accurate response that describes our perspective in greater detail.

Thank you.

I'll respond in English.

For us, the better coordination comes from the fact that, under SCISA, once we realize that the information is relevant and necessary and meets the national security test, we're able to take a 24/7 decision to share that information. In the world that we work in, many of our cases are in Asia or the Middle East where the hours of work are quite different; and to go through the previous exercise, which was using paragraph 8(2)(m) of the Privacy Act regarding a public interest in disclosure, required us to get authority from the head of the organization who has the delegation to do that. It's a much more bureaucratic process; it takes longer for the information to flow. As a result, at the moment of a terrorist attack abroad, for example, or in the initial stages of the detention of a Canadian citizen abroad, key things would not necessarily be able to move as quickly, and as you're likely aware, the first 72 hours of detention are the most critical for us. For us, in cases where we have a Canadian citizen detained on national security grounds, we would like to notify our partner departments immediately, where the test was met, because that ensures, first, that any relevant information they have would be given to us, and, second, that our consular officials are going first in taking the lead and providing services to the Canadian citizen now that he or she has been detained overseas.

In regard to the term “collection”, I don't collect information, but I have proactively disclosed information under SCISA; and we have received requests under SCISA that we have responded to.

The distinction is that our organization is one of the 17 listed entities. Within that, they have subdelegated certain parts of the department that can receive that information. Mr. Drake's part of the department is one of those areas. In consular operations, we are not one of those areas.

Consular operations does not, but other parts of our organization would have the ability to receive the information that was disclosed.

To receive the information, that's right. We're not a collector ourselves. That would be CSIS or others. Of course, what we're talking about here is not collection per se, but in the case of consular operations, they have a database based on their engagement with Canadians who require assistance. It's that database that is accessed in the case.

Perhaps you'd like to explain a bit more so we can clarify this.

The consular database is information received from Canadian citizens who have sought consular assistance abroad. That database is restricted to the consular program only within Global Affairs. So, any information in that database is covered under the Privacy Act. To access information that I would hold would require a request under one of the authorities from another government department before we would take a decision on whether that threshold was met and what would be shared.

Just to be absolutely clear, while my title includes “intelligence”, this is really as a result of the requirement to make sure that my group is connecting with the intelligence agencies. We are not an intelligence agency ourselves. The term is perhaps a bit open to a misunderstanding, but it's other organizations that do that, not us. We act as an interface.

Thank you.

Previously, there was an ability to share information. The challenge was that while consular works 24/7, and we have a 24/7 watch and response centre and are accessible at all hours of the day, other departments, especially officials in the privacy area who would have to sign off on disclosures, do not work on that same cycle. To track them down and to disclose lawfully and properly with the advance authority was much more of a bureaucratic hurdle for us.

The introduction of SCISA has allowed the decision to be taken at headquarters very quickly based on the ability to call on people who know they could be called in the middle of the night to make a quick decision, and to get all the information, including the legal opinion, and whatever's required. It has provided a mechanism with our partner departments so they can access that information in a secure way.

Well, I'd like to stress that the CNSC does not collect personal information in the context of security, so we would not say that that's the case.

In terms of IRCC, SCISA contains no new authorities with respect to collection. When we do obtain information from applicants who are seeking benefits under our existing legislative authorities—be it the Immigration and Refugee Protection Act or the Citizenship Act—disclosure of that information, as I mentioned before, is done on a case-by-case basis. Again, SCISA only permits disclosure to the 16 other listed agencies.

I'm not even aware of there being an ability to share bulk data under SCISA.

I know you've had previous discussions about this with relevant parts of our organization. Certainly, from my department's perspective, it's simply not an issue. We don't deal with bulk data, and we certainly don't share it. We don't share any information under SCISA outside of the federal government.

I think, from my reading of the previous testimony, others have answered your query.

From the different business sectors, we only receive information that is designated under the legislation. It may be semantics to people, but we do not collect information; we receive information. We have no authority to go back to a financial institution and ask. So what we receive is what we have.

The legislation itself doesn't change our ability to receive or share information. However, it gives other departments that didn't have the authority to share information with us the ability to do so now.

As a result, the institutions and citizens that communicate with us under these circumstances would have more authority than certain departments in possession of relevant information.

We had the authority before, but we could share the information only with the institutions mentioned in the legislation, meaning our own legislation and not the legislation on information sharing.

No. The RCMP and law enforcement in major Canadian cities receive the most information from our agency. We communicated 204 times with the Canada Revenue Agency last year. However, to communicate with the Canada Revenue Agency, we first need to establish that money laundering then tax evasion occurred. Two thresholds must be reached in the Canada Revenue Agency's case.

Yes.

Yes. However, as I was saying, we ourselves need to establish that the threshold has been reached before the information is shared.

In order to do a revocation of citizenship, one of the aspects is whether the person meets the grounds for admissibility. As I mentioned before, citizenship can be revoked if a person has obtained the citizenship by false representation or fraud with respect to issues that could render a person inadmissible to Canada on grounds of security.

I fully admit that it's a bit of a complex formulation and the test in the act is a bit complex, but essentially what it means is that if there is fraud with respect to what the person said at the time they applied for citizenship, then, absolutely.... In this case, that fraud related to the grounds of admissibility, specifically to national security. The information that we were proactively given by another agency was to do with national security, was legitimately received under SCISA, and was helpful to our being able to make a determination as to whether or not to revoke citizenship in that case.

That's correct.

To begin with, I think it would be important for the committee members to understand from the various agencies here today just what mechanisms they already have in place to ensure that there's proper use of the information. Certainly from the CNSC that test starts with relevance. We would only receive information if it were relevant to the continued assurance of nuclear security in Canada. We have internal mechanisms to oversee this. We have our audit and ethics group. We have our departmental audit committee. Where appropriate, we could use our independent commission tribunal—

For external oversight, perhaps all I can offer is that all decisions of the commission can be reviewed by the Federal Court, so ultimately there is that outlet.

No, I don't have much to add on that point. I hear what you're saying. I think that the review you're doing, the review that's being done internally within the 17 departments we're collaborating with as part of that review.... Ultimately, if there are improvements that we can make to the legislation, and there is a necessity to change the balance along the lines you describe, I don't have any concerns with that. But I do think it is important both to have the confidence of Canadians about their private information and to ensure that we are meeting the expectations of Canadians as well in ensuring that national security information is shared at the appropriate time with the appropriate people.

Drawing on what's already been said, I don't want to repeat it, but certainly I think on our side we've done a lot to try to increase the robustness of what we're trying to do. We negotiated a specific agreement with CSIS. We've tried to communicate with our posts abroad to make sure everyone is plugged in and that we know what to do. There are very specific issues that we've tried to address. Certainly I think using that kind of experience and working.... For example, what we agreed and are trying to do with the RCMP and so forth are the sorts of things that eventually can be fed into that process, and we're making them available to you as much as we can.

I do think that not entirely correct that we're not subject to oversight. For example, when we share with CSIS, it has an oversight body. That oversight body certainly does not deal formally with us, but functionally it does because it deals with everything that CSIS deals with, and likewise with the RCMP.

So, those are a couple of points to respond to your question. Thank you.

The Privacy Commissioner basically conducts an assessment of our privacy framework every second year. So far he has conducted two audits, and he is in the process, in fact, of finalizing his third one. On every occasion his conclusion has been that we never disclose information for purposes other than those provided for under the legislation. Therefore, I'm quite confident that this mechanism works well.

There are other things in our framework. People have access on a need-to-know basis and that kind of thing. So internally there are a series, if you wish, of mechanisms that ensure that the information is properly protected.

But as a third party, the OPC does that on a two-year basis.

At IRCC, there has not been.

At Global Affairs—and I'm checking with both of my colleagues here—there has not been.

I'm not personally aware of it.