Information & Ethics committee  If the issue is culture and fear, not substance—and that may well be, and it's all right—I'm suggesting to you that to address a cultural issue, legislation may not be the best solution. It may be guidance, information.... But there may be substance to this fear. Then the government should identify what the substance is and the legislation should address the substance.

Information & Ethics committee  We have some experts, but we certainly do not have experts in sufficient numbers to credibly review the activities of all departments other than the three that have existing review bodies.

Information & Ethics committee  I think it's a very worthwhile idea to explore.

Information & Ethics committee  I think you were told by officials that section 5 deals with disclosure. It is true that it deals with disclosure, i.e. not receipt, but once the disclosure has occurred under the relevance test, there is nothing that says—certainly not explicitly anyway, and I think it would be extremely ambiguous at best—what a receiving institution should do.

Information & Ethics committee  I think that would be helpful, provided that there would be a difference, there would be a misalignment of thresholds between the sending and the receiving institution, which would by definition mean that the receiving institution would receive too much. And there needs to be a clear rule—

Information & Ethics committee  —that they need to destroy or dispose of that information.

Information & Ethics committee  It would be difficult, but it's an interesting idea. Among the sources of authority are common-law or non-statutory sources of information, including the common-law powers of the police to collect and share information for investigative purposes, and the defence prerogative under which the defence department collects information.

Information & Ethics committee  We can always improve on any subject matter, but we certainly have, not all of our employees, but a number of employees with both subject-matter expertise and the security classification to undertake this work. We could improve. Of course, I would say that since 9/11 and the increase in state powers that have an effect on privacy, the number of investigations or reviews or privacy impact assessments we perform in this area is increasing considerably, so the number of people with the right expertise is inherited from a past in which these issues were less prevalent from a privacy perspective.

Information & Ethics committee  Ultimately, it's not needed. What I'm saying here is that if you accept the view that security agencies need to collect information about people other than suspected terrorists, say travellers to a certain country, in order to identify new threats, if you accept that as a premise, the activity to be performed by the security agency would be to go through the information from all these travellers, the vast majority of whom are not security threats, with a view to doing analysis, correlating this information, and finding in the thousands of people whose information you have, the one, two, or three who may be security threats.

Information & Ethics committee  I would start with a threshold, but review is also important. To me, in order to have the right balance, you need the right safeguards and the threshold. The issue of relevance versus necessity is very important, but you also need review of these activities by independent review bodies.

Information & Ethics committee  It is alarming.

Information & Ethics committee  I heard Minister Goodale ask departments to pay attention to their obligations to assess the privacy risks of these activities. That is more encouraging, but to this day, we haven't seen the privacy impact assessments of these other institutions. So, yes, it is alarming. I'm somewhat encouraged by what the minister said, but it has not translated into us receiving anything at this point.

Information & Ethics committee  Have we ween any new PIAs? No.

Information & Ethics committee  That consultation deals with the national security framework, writ large, way beyond SCISA. I said a number of things. One, I think it makes a lot of sense to look at the framework as a whole and not focus on constituent parts. That's why I say I think you should look at information-sharing authorities beyond SCISA, because to have a real picture of what's going on, you need to look at the whole situation.

Information & Ethics committee  The latter is certainly possible. I don't see why SIRC, the OPC, or other review bodies would not be able to see the complete text of agreements. There may be some cases in which certain provisions should not be disclosed to the public for reasons of undermining methods of operation, but, by and large, I think the agreements could be public, subject to few and limited exceptions.