Public Safety Committee on Dec. 7th, 2017

There is no doubt that the concept of datasets is very broadly defined, something that could prove problematic without oversight mechanisms or legal standards. To my mind, the two safeguards are more or less adequate in relation to the various stages leading to the use and exploitation of the datasets.

The jumping off point is Judge Noël's Federal Court decision, indicating that CSIS had compiled and retained information on individuals who were not threats. Judge Noël also said that he had heard evidence to the effect that the information in question could be helpful to identify threats.

My view on the dataset provisions is that efforts should be made to use the value of that intelligence—which is very broadly defined, I agree—but with different filters to ensure the data are not retained for an excessive period of time. The Federal Court normally conducts a review within 90 days, which is a pretty good method. CSIS's exploitation of the data, relying on the necessity test, is the standard we think should be used for information-sharing purposes.

It would be tough to call the provisions inadequate. The ultimate use of the data depends on necessity. For two years now, I have advocated for the necessity test in information sharing.

I am asking parliamentarians to apply the same necessity standard in the Security of Canada Information Sharing Act to information sharing, in the case of receiving institutions.

Yes, there is a risk, but I think it is being managed properly, more or less.

The definition could probably be narrower but then national security agencies, such as CSIS, would be deprived of the information they need for their work. However, there is a risk. How can the risk be reduced? The answer is through independent and effective review mechanisms.

The part of Bill C-59 that deals with CSIS has a number of filters exercised by independent members of the executive of the government and the Canadian Security Intelligence Service based on high standards, including necessity. Overall, I think it's a fair balance.

Through collection, the CSE can gather a lot of information. It's sort of the same dynamic as CSIS and the concept of dataset.

The starting point allows for a fairly vast collection of information. However, not only does a provision, clause 25, require the CSE to enforce measures to protect privacy, but those measures are clearly defined elsewhere in the bill, in clauses 35 and 44 as well as other clauses.

Not only does the CSE have a general duty to protect privacy, but privacy is very clearly defined in some provisions. Once again, this ultimately leads us to the following conclusion: the information must be essential to the CSE's mandate before CSE analyzes, stores, uses and exploits the information.

Once again, we are working with the test of necessity. I would even say strict necessity, when we talk about what is essential to the CSE's mandate.

A number of our employees have the required security clearance.

People's opinions vary over time.

Let me use an example based on clear circumstances. As a result of Edward Snowden's revelations, there has, of course, been a spike in public concerns about respect for rights, including the right to privacy. After a terrorist event, the scales usually tip the other way.

I suggest that you assume that the public is concerned about both physical security and their rights. Depending on the events, those concerns may fluctuate.

In my opinion, your job, mine and that of the executive power is to put in place legal rules that respect the balance over a certain period of time, regardless of revelations and terrorist events. Legal rules must also take into account any realities in time. Then there should be a review.

The bill provides a number of good suggestions, but I think we have a role to play in ensuring that officers apply those rules correctly on a daily basis.

Take the case of travellers, since that is a good example. Many people travel. In fact, almost all of us travel.

It is normal for decisions on overseeing admission to different countries to include a national security component. Of the millions, if not tens of millions of travellers, only a tiny minority pose a problem for national security, but everyone needs to be analyzed. CSIS, in the case of Canada, must have access to the names of travellers, to ensure that they do not pose threats to national security.

There are no specific rules that require CSIS to dispose of the information when it concludes that 99.9% of people do not pose a threat.

Right, in part 4 of the bill, which deals with datasets, the conclusion is that the information must be destroyed. The Federal Court must analyze those datasets and authorize or not authorize their retention after 90 days. This is exactly the kind of measure I recommend in the case of information sharing. If it's good for datasets, it should be good for information sharing under part 5 as well.

It's just that things are not always very clear, especially for the department that discloses the information and is not an expert on national security. I agree that, for the institution that discloses the information, the standard is a little more permissive. The new section 5 is not perfect, but it does the job. Its application ensures that the institution that discloses the information—the Department of Agriculture, for example, does not have many national security experts—feels empowered to do so. That's good.

When CSIS receives information, it must analyze it. It knows what it needs for its work and what is superfluous. After the analysis, CSIS should have not only the power but also the legal obligation to dispose of any information that it no longer needs for its work.

We have about 10 employees who have the security clearance and who review these issues from time to time and who, yes, have the expertise to know the context.

To give the other side of the coin, if we're not involved, it would mean that the expertise we have garnered through our work generally vis-à-vis all departments would not benefit national security agencies. That's something to bear in mind.

If my recommendations are adopted, no. We don't need an army of people. We have a broad mandate. We supervise the private sector as well. I don't envisage that we would need more resources.