Public Safety Committee on Feb. 13th, 2018

It's a legally defined mandate.

The short answer is that I think the decisions about which committee this should go to.... We are merely servants. We come to testify before whoever would like to ask us the questions. It's not for us to opine on the appropriateness of the forum.

Because it's about updating a national security framework that includes the activities of an agency such as CSE.

Go ahead.

When we say we need privacy measures in the disclosure of information, it means that in the course of our foreign intelligence or cyber-security operations, we may come across an entity, an IP address, an individual, or a company that is unknown to us. So we need to do research from open sources to contextualize that and to make sure we understand what we're dealing with.

If it turns out that the individual, that company, or that IP address is Canadian, then we put in place measures to mask that identity if that information leaves CSE. It's about protecting that information.

As I said, the information that's collected.... Actually, it's not collected; it's consulted. It's research information that we use. If that information is germane to foreign intelligence or cyber-security reporting, then we will include a reference to that. But we would mask it. We would suppress any Canadian information and replace it with a generic term. Instead of listing the Canadian IP address or the Canadian name, we would say “a Canadian person” or “a Canadian IP address”.

I'll just to that add, as well.

Again, we cannot direct our activities at Canadians. We direct them at foreign targets. If a foreign target talks about a Canadian, or, say, calls somebody in Canada and we pick that up, we have to destroy that information under current legislation, if it's not essential for international affairs security and defence. If we do retain it, then we have to count it. We would have to account for the fact that the information had been picked up, the fact that we had destroyed it, or if we had retained it, the reason we had retained it. That's reviewed now by the CSE commissioner.

There are policies and procedures and things baked into our system that we have available on our website in the form of a privacy fact sheet that breaks out all the different measures now in place, and our adherence to those measures is reviewed by the CSE commissioner.

Right now in the bill, the minister, in the ministerial authorization space, will lay out the privacy measures specific in that authorization on the use, retention, and disposition of that information, and we have to follow that. Again, some of those elements are listed on our website now. I can walk through them. There are policies, procedures, training, and what have you.

I think an important element to underscore is that the only way we would assist other law enforcement security agencies under their mandates is if they came to us with their own lawful authorities—under our assistance mandate—and then we would help them within the bounds of that lawful authority and that activity.

With respect to the kinds of things we're talking about here, for anything that we do in CSE, whether it's our intelligence collection, cyber-security, or dealing with publicly available information, we have to have privacy measures in place. There could be things that engage our privacy interests, so those measures have to be there.

There's a range of things, in terms of privacy measures, for the kinds of general research that we do, the kinds of intelligence-collection activities that we do in support of the Government of Canada's intelligence priorities, and the kinds of things that we do in response to requests from partners.

CSE does have a retention schedule, but we have not published those retention schedules at this time.

Oh yes.