I call the meeting to order.
Good morning, colleagues.
We are at our 40th meeting of the Standing Committee on Access to Information, Privacy and Ethics. We are resuming our study of the Security of Canada Information Sharing Act, otherwise known as SCISA.
We are delighted to have witnesses with us today, from the Office of the Communications Security Establishment Commissioner, Mr. Jean-Pierre Plouffe, who is commissioner. With him is Mr. J. William Galbraith, the executive director. From the Security Intelligence Review Committee, we have Pierre Blais, who is the chair, and Ms. Chantelle Bowers, who is the deputy executive director. From the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police, we have Mr. Richard Evans, who is the senior director of operations, and Ms. Joanne Gibb, acting director, research, policy and strategic investigations unit.
Welcome, all, and thank you very much for being here today.
I'm sure none of you are rookies at appearing before a committee, so you know exactly what's going to happen. The translation devices are there. The committee's routine proceedings and standing orders allow for 10-minute presentations from each group. How you want to use that time is up to you. If only one person wants to do all of the talking, that's fine. Then we'll proceed to several rounds of questions and answers. We'll encourage you to be as insightful as possible, but as succinct as possible at the same time. I appreciate you all being here this morning.
We will start with the Office of the Communications Security Establishment Commissioner.
The floor is yours, Mr. Plouffe.
Thank you, Mr. Chair and honourable members.
I am pleased to appear before this committee on the subject of the Security of Canada Information Sharing Act. As the chair has mentioned, I am accompanied by Mr. Bill Galbraith, the executive director of my office.
Before I make a few remarks about activities under this act, and since this is my first appearance before this committee, I will very briefly describe my mandate and the role of my office.
You have my biographical note, so I won't go over that, but I would like to say that I have found that my decades-long experience as a judge has stood me in very good stead in my three years as CSE Commissioner.
Being a retired or supernumerary judge of a superior court is a requirement set out in the National Defence Act, the legislation that mandates both my office and the Communications Security Establishment.
The CSE Commissioner is independent and arm's length from government. My office has its own budget granted by Parliament. I have all the powers under Part II of the Inquiries Act, which gives me full access to all CSE facilities, files, systems and personnel, including the power of subpoena, should that be necessary.
My mandate is threefold. First, I review the activities of CSE to determine whether they are in compliance with the law, including protecting the privacy of Canadian citizens. This is the major portion of my work. Second, I may receive and investigate any complaints I consider necessary. Complaints are rare, reflecting the foreign focus of CSE activities. Third, I have a duty to inform the and the of any activity of CSE that I believe may not be in compliance with the law.
The commissioner’s external, independent role, focused on CSE, assists the minister responsible for CSE—that is, the —in his accountability to Parliament, and subsequently to Canadian citizens, for that agency. My annual report tabled in Parliament describes the results of my reviews.
Let me turn now to the Security of Canada Information Sharing Act, or SCISA. What I have to say will be relatively brief. I will describe to you the experience of my office with respect to SCISA and then make a number of brief points regarding the act.
First, my office, as a government institution, has not shared information under SCISA, and in all probability is unlikely ever to do so. During the first year that SCISA was in effect, the agency I that review—namely, the Communications Security Establishment, or CSE—has neither received nor shared information under that law.
My reviews of CSE include CSE information sharing with domestic and international partners. I review CSE activities to ensure that the information it collects and discloses complies with the law, ministerial direction, and internal CSE policies. This includes ensuring that satisfactory measures are in place to protect privacy and that these measures are effectively applied. I will continue to monitor whether CSE receives or shares any information pursuant to SCISA.
That CSE has neither received nor shared information under SCISA demonstrates that currently existing authorities are sufficient for it to share or disclose information with other government institutions.
The point was made more broadly in the annual report of the Privacy Commissioner, Mr. Therrien, noting from a survey of government institutions his office conducted of the first six months SCISA was in effect, that only five institutions either received or shared information pursuant to the act. Most institutions, a little like CSE, have been using pre-existing authorities.
I cannot answer if in the future CSE would receive or share information under SCISA, but the track record to date suggests little, if any. As I said, I will monitor this.
As to the act itself, there are three points I would comment on. These points were also raised by the Privacy Commissioner in his testimony before this committee, and I must say that I am in general agreement.
First is the question of threshold in order for information to be shared. In SCISA the threshold is relevance, and I quote from subsection 5(1) of the act:
||if the information is relevant to the recipient institution’s jurisdiction or responsibilities
Where personal information is concerned, in my view the threshold should be higher. The Privacy Commissioner suggests necessity as a threshold. He states that this an international privacy standard, noting that the CSIS Act uses the threshold “strictly necessary” for CSIS to collect, analyze, and retain information.
Another example can be taken from the National Defence Act, where the established threshold is essentiality. In essence, in order for CSE to use and retain a private communication—where one end is in Canada—collected under ministerial authorization, CSE must determine whether the private communication is “essential”. I review these communications to ensure that is the case, and that information that is not “essential” has been destroyed.
The next point with regard to SCISA relates to safeguards to protect privacy. Given that CSE has not received or shared information under SCISA, I have no direct experience with this act in this regard. However, I can comment that the legislation mandating CSE has built-in privacy safeguards. These safeguards require CSE to have satisfactory measures in place to protect any information with a privacy interest that it can legally collect, retain, and use. I would agree with the Privacy Commissioner that there should be safeguards in SCISA to ensure protection of personal information.
A third point relates to the government institutions listed in Schedule 3 of SCISA. Only three of the 17 institutions listed in Schedule 3 are subject to expert review: CSE, which I review; CSIS, which is reviewed by my colleagues from SIRC; and the RCMP, reviewed by my colleagues from the Civilian Review and Complaints Commission, where Mr. Evans works.
The Privacy Commissioner has a mandate to review personal information policies and practices of all federal government institutions. In this context, Mr. Therrien is examining the schedule 3 institutions' use of SCISA and privacy protections. However, this is not enough. I suggest that there is a need for expert review for the 14 institutions not currently subject to review. This could be done either by a new review body, or bodies, or divided among the existing expert review bodies, much as recommended by Justice O'Connor in his commission of inquiry report 10 years ago in the Arar affair.
Perhaps there is a role here for the national security and intelligence committee of parliamentarians. The committee will have to establish its priorities, and this may be one area to examine. I look forward to working closely with the committee of parliamentarians and its secretariat.
Thank you for this opportunity to appear before you today. My executive director and I would be pleased to answer your questions.
We will be pleased to answer your questions to the best of our knowledge.
Good morning, Mr. Chair and members.
Thank you for providing this opportunity to appear before you today in the context of your study of SCISA—I will not repeat the long name, either in French or in English—and specifically its impact on privacy and any desired changes in light of the national security consultation and review process that is currently under way.
Today, I hope to enrich your study by focusing on three key points.
First, I will briefly outline SIRC's work in reviewing CSIS's information sharing practices with domestic partners. Second, I will provide insight into SIRC's current review examining the impact of the Security of Canada Information Sharing Act, or SCISA, on CSIS's information sharing with domestic partners.
Third, I will explain SIRC's limitations when examining these exchanges, including those made under SCISA.
I will not take much time now to describe SIRC's mandate and responsibilities. I will be pleased to answer any questions about our work following my remarks.
I will simply state that SIRC is an independent external review body that reports directly to Parliament, as you know, on CSIS activities through an annual report. SIRC has three core responsibilities: to certify the CSIS director's annual report to the Minister of Public Safety, to conduct investigations into complaints from the public that happen from time to time, and to carry out in-depth reviews of CSIS activities. Simply put, SIRC is key in providing accountability to CSIS.
The issue of information sharing was thrust in the spotlight post 9/11 as greater integration became the new modus operandi of intelligence work. As such, information sharing has been, and remains, at the forefront of SIRC's review work. In fact, I would say this issue is an integral component of almost every review we undertake: whether through the lens of a review of a particular CSIS investigation, activity or program, in Canada or abroad, SIRC must invariably examine exchanges of information with domestic or foreign partners.
SIRC assesses these exchanges against a number of criteria. We ask ourselves the following questions.
First, did CSIS act in a manner that complies with Canada's laws and legal obligations? Second, did this exchange fall within the scope of the established framework for co-operation, such as a memorandum of understanding or a foreign arrangement? Third, was the information shared factually correct and did it accurately reflect the nature and extent of the threat? Fourth, what were the disclosure risks of sharing this information, and did CSIS take appropriate action to mitigate these risks? For example, did CSIS take into consideration the human rights records of the foreign agency? Finally, did CSIS collect and retain information only to the extent that was “strictly necessary”? My colleague spoke about this idea of “strictly necessary” earlier.
As a result of this work, SIRC has put forward a number of recommendations in recent years aimed at enhancing CSIS's information sharing practices. To give you an idea, with respect specifically to domestic partners, SIRC recommended that CSIS develop clearer and more robust overarching principles of co-operation with CSEC, that CSIS finalize the completion of sections of a memorandum of understanding with CBSA, and that it develop deconfliction guidelines and renegotiate a protocol with Global Affairs Canada, which is the new Department of Foreign Affairs.
Let me move to my second point. Consistent with our ongoing scrutiny of CSIS's information-sharing practices, this year SIRC committed to a review of SCISA to gain an understanding of SCISA's impact on CSIS's information sharing with domestic partners.
As part of this work, SIRC will review all exchanges of information involving CSIS that have taken place under the authority of SCISA. This will give us an appreciation of the nature and scope of these exchanges. More broadly, SIRC will seek to assess whether existing practices were altered by the new legislation and, if so, the direction of these changes.
SIRC also intends to examine CSIS's engagements with federal partners as they move forward with the implementation of SCISA. In this context, I will echo the views of others in underscoring the importance of putting in place a supporting framework, such as specific formalized agreements between and among the various government partners involved in exchange of information under SCISA.
You have heard from witnesses who have commented on the broad nature of the threshold for sharing contained in SCISA. On this point, SIRC is of the opinion that formalized agreements to address the finer points of what information will be shared, how it will be shared, and what safeguards are attached to the information once it is shared are especially important. For this reason, in our review we will be attentive to these formalized agreements, where much of the work of determining the precise balance of security and privacy concerns will inevitably take place.
Indeed, insofar as there is always a level of interpretation, an important emphasis must be on review as a safeguard against unreasonable exchanges. For that reason, the role of review bodies such as SIRC is essential in ensuring that the proper balance is maintained.
I should end by noting that our broad access to CSIS information is key to allowing us to review CSIS's exchanges of information with partners. As you may know, SIRC—and it's important to remember this—has the absolute authority to examine all information under CSIS's control, no matter how classified or sensitive, with the only exception of cabinet confidences. Therefore, SIRC can examine all information that is shared with CSIS and, equally, all information that is shared by CSIS to its partners.
There remain blind spots, however, and this brings me to my last point. Although SIRC has great powers to review CSIS, this ability does not extend beyond CSIS. This means that SIRC cannot assess the source, validity or reliability of the information provided to CSIS by its domestic partners, nor how CSIS information or advice is used by these partners. In short, SIRC cannot follow the thread of information to allow for a more comprehensive review of CSIS's interactions and exchanges with domestic partners. We have already outlined this in previous reports.
This limitation is compounded by two other interrelated issues, which we discussed in the context of debate surrounding the Anti-terrorism Act, 2015, and SCISA. Seventeen departments with a national security nexus, including CSIS, are listed in the legislation as the recipients of information sharing in respect “of activities that undermine the security of Canada”.
The first issue is that of those 17 departments, only three—CSIS, CSE and the RCMP—are subject to a dedicated review body. There is no review mechanism to scrutinize the exchanges of information of the other 14 departments.
The second issue is that the three review bodies in question, namely, SIRC, the Office of the Communications Security Establishment Commissioner—my colleague's organization—and the Civilian Review and Complaints Commission for the RCMP, cannot carry out joint work as their legislation extends only to the respective organizations they review.
In fact, we can share some information on our results generally and on operating practices, but we cannot share information, even if our relationship is very close.
In the absence of a body with jurisdiction over the broader national security community, or to a lesser extent an ability for review bodies to work together, there will be clear accountability gaps regarding domestic information sharing.
As many have commented on, considerations of SCISA cannot be separated from an assessment of the strength of the safeguards in place to monitor the exchanges that take place under its authority.
Let me conclude by thanking you for your work on this matter. Bringing this forward in this place is important for everybody, I would say.
The government has made a firm commitment to enhancing accountability. There is no doubt, in my view, that information sharing within Canada’s national security community should be subject to appropriate scrutiny. SIRC’s work no doubt helps to further this goal.
With respect to SCISA, SIRC looks forward to communicating the results of its SCISA review when they are finalized. As I mentioned, we are in the process of doing that right now. At the same time, I will take the opportunity to affirm to the committee that information sharing has always been a priority for SIRC and that we will continue to be alive to issues of information sharing.
With my colleague, I will be happy to answer any questions you have.
Thank you, Mr. Chairman.
Thank you, Mr. Chair and members of the committee, for inviting us here today to discuss the Security of Canada Information Sharing Act and its implications for the RCMP and our commission.
In 2014, amendments to the RCMP Act resulted in the creation of the Civilian Review and Complaints Commission. While the previous RCMP Public Complaints Commission was largely reactive and driven by public complaints, the new commission has been given a broad mandate to oversee RCMP activities. The change most relevant to the question before this committee today is that the commission now has the ability to conduct systemic reviews of any RCMP activity to ensure it is being carried out in accordance with legislation, regulations, ministerial direction, or any policy, procedure, or guideline, without having a complaint from the public or linking it to member conduct.
With this new authority we are currently undertaking two such systemic reviews. The first, into workplace harassment within the RCMP, was initiated last year at the request of the Minister of Public Safety. The second, initiated by the commission chairperson, is into the RCMP's implementation of the relevant recommendations contained in the Report of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar. The commission's review on the latter is examining the RCMP's national security framework, including policies, training, and operational files, to determine whether they are consistent with Justice O'Connor's recommendations.
Specifically, the commission’s review is examining six key areas: one, the centralization and coordination of RCMP national security activities; two, the RCMP’s use of border lookouts; three, the role of the RCMP when Canadians are detained abroad; four, training of RCMP members in national security operations; five, RCMP information sharing with foreign entities; and six, RCMP domestic information-sharing practices.
Regarding the domestic information sharing, the commission is currently examining the adequacy, appropriateness, sufficiency, and clarity of RCMP policies, procedures, and guidelines as they pertain to domestic co-operation with federal agencies and departments involved in national security investigations. The goal is to measure their consistency with Justice O’Connor’s recommendations, including screening information for relevance, reliability, accuracy, and privacy; the use of caveats; and that the RCMP is continuing to refine its policy of co-operating with other federal agencies or departments involved in national security investigations.
With regard to the Security of Canada Information Sharing Act, the commission is examining, as part of this ongoing review, what the RCMP has put in place to address its new information-sharing powers, such as record-keeping of disclosures under the act, and how that relates to Justice O’Connor’s recommendations. For example, Justice O’Connor’s report stressed that information-sharing agreements or arrangements pertaining to integrated national security operations should be reduced to writing. This is important, and the commission will be examining whether the RCMP adheres to this recommendation with respect to information sharing relating to the Security of Canada Information Sharing Act.
With that, we'd be happy to answer any questions.
In the United States, just to give you a flavour, they have 71 inspectors general looking at different areas of national security. I think it's about how you put those people together and about the mechanism for co-operation. Speaking for myself, I could say that the creation of the new parliamentary committee will give some power to....
I don't want to comment too much on that. The bill is before the House of Commons right now, at the report stage, probably, or close to it. This committee, when it's in place, will be able to have a look and co-operate with us. I think all of us have offered our co-operation to the committee to look into all the matters, because the committee will not be limited. It will have access to all. It may be limited access; I don't know, but it will be for Parliament to decide. Probably it will be
a step in the right direction.
It will be a first step, and we will see later on how it develops. For us, you cannot ask us to.... We do our jobs. We try to co-operate. We did inform the ministers that we should probably have the means to “follow the thread”. It's in the air. The government expressed their views on that.
For us, the more we can co-operate, the better for the information and national security community, I would say. You should remember what we all have in common, that we all want to protect Canadians from any threats from inside or outside. It's a goal that we all have. We cover a little angle of that. We ourselves don't do the operations, but we make sure that the operations of CSIS are done within the law.
We're all on the same side. All of the organizations are on the same side, the side of protecting Canadians against threats to national security.
It's interesting, your question, because our name in English is “review committee” and in French it's
Intelligence Oversight Committee.
It's not the same. It's been there for 31 years, and I know that the first day I was appointed, I said, “What is that? It's not surveillance. Surveillance is oversight?”
Just to mention this point, we try in our review to get as close as we can to the factual points that are raised. For example, if there is an issue that is in the public domain, we try to put a team in quickly to look into the matter, but we cannot, I would say for obvious reasons, oversee when there are operations. It would be against all the rules and even the capacity of CSIS.
At the same time, we understand that our report is a little bit delayed compared to when things happen. We should remember nevertheless that in our report we mention when we did it, when CSIS reacted, and what the reaction was to it, which is the best we can do.
Maybe the committee of parliamentarians will have a little bit of oversight. I don't know, but it's the best we can do.
We aren't the ones who decided which institutions would be in the schedule. However, I can say that these institutions share information one way or another.
For example, the role of the Canada Border Services Agency is different from what it was 15 or 20 years ago. Currently, the agency directly addresses the possibility that some foreigners are entering Canada, while representing a terrorism threat. The same is true of organized crime, and the Department of Finance has a role to play in that area. The Department of Transport must deal with potentially dangerous situations that occur on board airplanes and trains or in stations.
That is why the government decided to put all these institutions in schedule 3, even if the percentage of security information that they may provide is 2%, 10% or 80%. The government didn't want any department with security-related information to be left out. In fact, the government would be better equipped than I am to answer this question.
Here is my vision of things. We often receive information, and it may have taken a different route than through the police or CSIS. It may come from another department. I think that we wanted to ensure that all information will be shared.
At one point in France, there was a problem at customs. The people responsible for I don't know how many deaths at an establishment in France entered the country from Belgium. Information from border services hadn't been shared. If that information had been shared, one of those people might have been stopped.
In order to act, all the services involved must receive information from every possible source. That's the best answer I could give you on that, Mr. Lightbound.