Take the case of travellers, since that is a good example. Many people travel. In fact, almost all of us travel.
It is normal for decisions on overseeing admission to different countries to include a national security component. Of the millions, if not tens of millions of travellers, only a tiny minority pose a problem for national security, but everyone needs to be analyzed. CSIS, in the case of Canada, must have access to the names of travellers, to ensure that they do not pose threats to national security.
There are no specific rules that require CSIS to dispose of the information when it concludes that 99.9% of people do not pose a threat.