6.1 The Importance of Oversight

Several witnesses stressed the importance of independent oversight[217] over how federal institutions use the new information-sharing powers established by SCISA, and of national security in general.[218] Indeed, of the 17 recipient institutions listed in Schedule 3 to SCISA, only 3 are subject to independent oversight: CSIS, the CSE and the RCMP. Numerous witnesses highlighted the importance of creating oversight and accountability mechanisms for the new powers established by SCISA, and for information sharing in the context of national security in general:

• “[I]ndependent review of information-sharing activities is incomplete, given that 14 of the 17 receiving institutions under SCISA don’t have dedicated review bodies. … All departments involved in national security also need to be reviewed by independent experts.”[219] Commissioner Therrien, Privacy Commissioner of Canada
• “[I]nsofar as there is always a level of interpretation, an important emphasis must be on review as a safeguard against unreasonable exchanges.”[220] Mr. Blais, Chair, SIRC
• “[T]here is a need for expert review for the 14 institutions not currently subject to review.”[221] Mr. Plouffe, Commissioner, Office of the CSE Commissioner
• “[T]his is information sharing with inadequate or non-existent review structures. … [I]ncreased and integrated information collection and sharing powers are not matched in this act by increased and integrated review structures, and this is a serious concern for CCLA.”[222] Ms. Pillay, CCLA
• “SCISA must include a robust oversight and accountability mechanism to enforce these principles. In the CBA’s view, any oversight body should have independence from the government institutions that will be sharing information under the act in order to avoid any potential conflicts of interest.”[223] Mr. Elder, CBA
• “[E]ven with the best legal language in the world, you’re still dependent on people construing it, which means that you need independent review to ensure that those construals are reasonable.”[224] Mr. Forcese, Professor
• “The notion of an independent reviewer is necessary, as well, as part of the framework of oversight and review in the national security environment.”[225] Mr. Kapoor, Barrister
• “We also broadly support the Privacy Commissioner’s recommendation that in addition to parliamentary review, institutions permitted to receive information for national security purposes should be subject to expert or administrative independent review. We noted with alarm that 14 of the 17 entities authorized to receive information for national security purposes under the SCISA are not subject to dedicated independent review or oversight.”[226] Mr. Karanicolas, CLD
• “[T]here is no common oversight of any of these 17 organizations, and all of them, apparently, are instrumental in our national security. All those functions should be overseen...”[227] Mr. Fraser, Lawyer
• “I think it is really critical to have oversight over information sharing.”[228] Ms. Tribe, OpenMedia

Witnesses provided a variety of explanations for why it is important to establish oversight and accountability mechanisms in SCISA.

According to Mr. Roach, national oversight of information-sharing activities would enhance Canadians’ confidence in government institutions:[229]

The absence of credible review for all of the institutions, combined with the fact that the government appears in the green paper to at least be seriously considering getting more data from metadata and other things feeds into what I would say is a justifiable lack of confidence that many Canadians have about how this information, once it is collected by one part of government, is going to be shared, stored, and accessed by other parts of government.[230]

Commissioner Therrien also stressed that effective oversight is essential for maintaining public confidence in agencies involved in national security.[231] Mr. Fraser commented along those same lines:

[M]ost national security and intelligence activities are obviously top secret. … [T]he only way you can make sure they conduct themselves in accordance with our expectations in a democratic society is to have confidence in the oversight, confidence that somebody is watching and keeping an eye on them, somebody who can keep the secrets but who can also blow the whistle when necessary.[232]

Commissioner Therrien added that although he can investigate potential complaints regarding SCISA, “in this type of area, the people who may complain don’t know what’s happening, so it’s unlikely that there will be complaints raised to my office.”[233] Ms. Pillay of the CCLA made similar comments, noting that “violations can occur without the knowledge of an affected person, and even if there is knowledge, without an appropriate review structure there’s nowhere to bring a complaint, given the absence of any one review structure with jurisdiction to review all the agencies empowered to share information.”[234] Mr. Mia of the CMLA also indicated that there will be no way for people to know whether information about them has been disclosed.[235] Mr. Roach mentioned that

damages cannot be a substitute for effective review, because as Justice O’Connor stressed, most people do not know if information is being shared about them. Mr. Arar and other Canadians who were tortured in Syria, in part because of Canadian information sharing, knew because of the devastating consequences that they experienced, but you or I would not know right now if information about us is being shared.[236]

6.2 Currently Existing Oversight Agencies

6.2.1 The Office of the Communications Security Establishment Commissioner, the Security Intelligence Review Committee and the Civilian Review and Complaints Commission for the RCMP

As previously mentioned, only 3 of the 17 institutions listed in Schedule 3 to SCISA are currently subject to independent expert review. Mr. Plouffe, Communications Security Establishment Commissioner, explained that these are: “CSE, which I review; CSIS, which is reviewed by my colleagues from SIRC [Security Intelligence Review Committee]; and the RCMP, reviewed by my colleagues from the Civilian Review and Complaints Commission.”[237] SIRC and the CRCC have undertaken a study of SCISA.[238]

These three organizations have broad powers for fulfilling their oversight mandate.[239] According to Mr. Blais, Chair of SIRC, however, “there remain blind spots.”[240]

He mentioned that his powers are subject to certain constraints:

Although SIRC has great powers to review CSIS, this ability does not extend beyond CSIS. This means that SIRC cannot assess the source, validity or reliability of the information provided to CSIS by its domestic partners, nor how CSIS information or advice is used by these partners. In short, SIRC cannot follow the thread of information to allow for a more comprehensive review of CSIS’s interactions and exchanges with domestic partners.[241]

He further added that SIRC, the Office of the CSE Commissioner and the CRCC “cannot carry out joint work as their legislation extends only to the respective organizations they review.”[242]

In fact, we can share some information on our results generally and on operating practices, but we cannot share information, even if our relationship is very close.[243]

Mr. Plouffe, the CSE Commissioner, seconded these comments, saying that “it would be desirable to give the existing review bodies explicit authority to co-operate.”[244]

Mr. Forcese also stressed that the three oversight agencies “are constrained in their ability to coordinate.”[245] Mr. Wark and Mr. Mia referred to them as “these siloed mechanisms” of national security institutions.[246]

6.2.2 The Privacy Commissioner of Canada

Furthermore, the “Privacy Commissioner has a mandate to review personal information policies and practices of all federal government institutions. In this context, Commissioner Therrien is examining the Schedule 3 institutions’ use of SCISA and privacy protections.”[247]

Commissioner Therrien mentioned one problem in the context of his mandate relating to national security:

Currently, the confidentiality provisions of the Privacy Act prevent the OPC [Office of the Privacy Commissioner] from sharing information with other review bodies, such as the Security Intelligence Review Committee (SIRC), the Office of the Communications Security Establishment Commissioner (OCSEC) or the Civilian Review and Complaints Commission.[248]

Mr. Forcese commented that the Privacy Commissioner “has a limited subject matter jurisdiction across all of government.”[249] Ms. Pillay of the CCLA also indicated that “[i]n the past, government has stated that the Privacy Commissioner and the Auditor General have review powers, but their mandates and resources do not provide the jurisdiction and powers that would be required to properly review the information sharing that exists under the SCISA.”[250]

6.2.3 The Importance of Cooperation

Several witnesses commented that regardless of the oversight model determined by the government, cooperation among the agencies responsible for that oversight is essential.

Commissioner Therrien indicated in his brief that “review bodies must be able to share information, including classified and personal information, so that their respective reviews can be performed in a collaborative and effective manner rather than in silos as is currently the case.”[251] The Commissioner also stressed the drawbacks of a lack of cooperation:

The detriments to siloed review include duplication of effort with resulting effects on resources, but above all less informed and therefore less effective review by all relevant bodies. Given the OPC’s extensive and ongoing work in this area, it should be included among the review bodies granted the authority to share and receive information.[252]

According to Mr. Blais, Chair of SIRC, “In the absence of a body with jurisdiction over the broader national security community, or to a lesser extent an ability for review bodies to work together, there will be clear accountability gaps regarding domestic information sharing.”[253]

6.3 The Best Oversight Model

6.3.1 The Need for Expert Oversight

For Mr. Plouffe, the CSE Commissioner, it is important that the 14 institutions listed in Schedule 3 to SCISA “be subject to expert review.”[254] Likewise, Mr. Galbraith of the CSE Commissioner’s office stressed the importance of reviews being conducted by experts.[255]

According to Commissioner Therrien, “All departments involved in national security also need to be reviewed by independent experts.”[256]

In that same spirit, Mr. Roach commented that “[o]ne of the reasons we mentioned dedicated national security review is that, particularly with the foreign information sharing and also with the evolving nature of security threats, you need to have some specialized expertise to really judge the information sharing.”[257] Mr. Kapoor and Mr. Mia also stressed the importance of expert oversight.[258]

6.3.2 The Choice of One “Super-Agency” or Several Agencies for Oversight

Some witnesses indicated that several different oversight models exist, but did not advocate for any one in particular. Commissioner Therrien indicated that

in some countries, expert review takes the form of a consolidated model, meaning one review body is responsible for all relevant government institutions – a so-called “Super-SIRC”– whereas in others, different bodies are limited to reviewing one institution or one aspect of national security activities. We have no strong preference between the two models, so long as all government institutions involved in national security are covered. Furthermore, if there is more than one review body, all bodies must be able to collaborate in their review activities, and no longer operate in silos.[259]

Commissioner Therrien did nevertheless indicate that it is preferable to have “the activities of national security agencies reviewed both by the OPC and one or more dedicated national security review bodies.”[260] He said:

This creates some overlap, but it ensures that both national security and privacy can be examined by experts with deep and broad knowledge of both privacy and national security law. Among other factors, there is value in having the privacy impact of the work of national security agencies reviewed by an institution that also reviews the work of other government departments, so that best practices and developments in privacy law can apply across government.[261]

As for creating a single office, Mr. Plouffe indicated that Justice O’Connor’s report looked closely at the issue of creating one super-agency to replace the current agencies: “As an example, with regard to CSE or the Office of the CSE commissioner, Justice O’Connor has stated that it should not be included in this so-called super-agency because of its uniqueness. As you know, CSE is the foreign intelligence agency, or the electronic agency, and it’s unique in itself.”[262] Mr. Plouffe commented that Justice O’Connor’s report described the advantages and disadvantages of a single oversight body. It suggested that having only one agency could lead to more superficial reviews, whereas an agency that oversees only one institution might conduct more in-depth reviews.[263]

Mr. Plouffe feels it is up to the government to decide on the most appropriate oversight model.[264] He added that

if the government feels that a super-agency is not in order, at least we should have a coordinating committee of some sort — and this was suggested by my colleague Justice O’Connor 10 years ago — where all the heads of review agencies meet and discuss problems in common. The committee of parliamentarians would be a practical solution, because they would have to deal with one body and not with 14, 15, or 17 institutions.[265]

Several witnesses commented that real-time oversight is not very realistic, and that timely review after the fact is a more effective option.[266] Other witnesses felt that the government could look to oversight models that have been established elsewhere, such as in Australia or the United Kingdom.[267]

A number of witnesses shared their general opinion with regard to the best independent oversight model:

• “We recommend matching information-sharing powers with amendments that give independent review body(s) review over all of the government of Canada’s information sharing activities under the new Act. As suggested by the Privacy Commissioner, review should be facilitated by agreements between governmental entities that share information. Especially, ensure that this body has the power to compel deletion of unreliable information from all the agencies to which it has been distributed.”[268] Mr. Forcese and Mr. Roach, Professors
• “[W]e’ve called for an integrated review.”[269] Ms. Pillay, CCLA
• “I’m an advocate of a unified, independent, national security review agency, the Canada national security review agency.”[270] Mr. Mia, CMLA
• “I think the one of the solutions is to have a sort of centralized control over it. I recommended in the submission that there needs to be some centralized control of information sharing. The departments could do their piece, but somewhere in government—maybe in Public Safety—there would be someone overseeing all of this. The Privacy Commissioner and SIRC and everybody will do their audits, and we’re calling for a national security review agency.”[271] Mr. Mia, CMLA
• “There’s a broad and specialized basket of issues that come up, and I think they should be dealt with by a dedicated oversight body.”[272] “It’s important to have an oversight body that has access and can view the full picture. There can be a danger in terms of stovepipe oversight … so it’s important to allow an oversight body to get the full picture and to have access to classified information that would let them fully see if the measures that are being taken are appropriate to the needs of the security agencies.”[273] Mr. Karanicolas, CLD
• “Consistent with the other efforts that are going on related to oversight of national security generally and across the board, there is no common oversight of any of these 17 organizations, and all of them, apparently, are instrumental in our national security. All those functions should be overseen, probably by a parliamentary committee that has the ability to summon any information they want, and that committee should have absolute visibility into this. There should probably also be an additional committee, like the Security Intelligence Review Committee currently, that has the ability to go in and routinely do audits. It goes in and double-checks that all this is being done, because a parliamentary committee doesn’t necessarily have the manpower to do that on a regular basis.”[274] “I would be broadly in favour of oversight over the entire national security and intelligence functions within the Government of Canada, which would include the law enforcement components as well.”[275] Mr. Fraser, Lawyer
• “OpenMedia hasn’t put forward a formal proposal on what we think the oversight mechanisms should look like. … To your question of whether there should be oversight within each individual agency, I think there can be that as well in making sure that each department is operating within its purview and making sure the information it receives and shares is being handled appropriately. There is a bigger picture, which Mr. Elder is getting to, which is understanding the big picture and how they all work together, particularly with such top secret information being shared.”[276] Ms. Tribe, OpenMedia
• “At least from a SCISA perspective, for the 17 institutions that are listed—and for many more, because if put on the disclosing end, it could be any institution that is permitted under SCISA to disclose—I think there needs to be a single body that looks at all of that. I don’t think that takes away from responsibilities within each of those institutions, however. I think there still has to be a clear accountability within each of those institutions to comply as well. We do need an oversight body that can look at the whole picture.”[277] Mr. Elder, CBA

6.4 The Role of the Privacy Commissioner

Several witnesses stressed the importance of the work performed by the Privacy Commissioner. Some nevertheless maintained that oversight related to national security should be the responsibility of an agency with solid national security expertise, because there are very specific considerations involved.

CSE Commissioner Plouffe believes that “there is a need for expert review for the 14 institutions not currently subject to review,” and the oversight currently provided by the Privacy Commissioner is inadequate.[278]

As for the Privacy Commissioner’s role, Mr. Forcese commented that “information sharing is going to be intertwined with operational considerations that are specific to national security, and having a dedicated national security reviewer looking at the information sharing probably is more advantageous than using the Privacy Commissioner.”[279] Mr. Roach explained the need for training in the event that the Privacy Commissioner is given the mandate of overseeing information sharing under SCISA:

One of the Arar commission’s recommendations was that some of the people in the RCMP who were sharing information were not adequately trained in national security. If the Privacy Commissioner were to be the sole reviewer of the information sharing, I would also want to see the Privacy Commissioner develop expertise in the particularities of national security sharing, particularly its foreign dimension.[280]

Likewise, Ms. Pillay commented that “the current mandate of the Privacy Commissioner, while extremely laudable, means that he is constrained, and there is only so much that he can do. To change that mandate would have other implications, and I would rather see an independent reviewer.”[281] Likewise, Mr. Mia indicated that the Privacy Commissioner “plays an important role because of the privacy protections, but the Privacy Commissioner is not a national security expert.”[282] Mr. Karanicolas made similar comments, saying that “there needs to be an independent civilian oversight rather than bundling this into the Privacy Commissioner.”[283]

Ms. Austin indicated that her hesitation in “leaving it all up to the Privacy Commissioner is that there are very specific considerations that come up in a national security context that some of these other bodies might have more contextual information on and that would be very useful in reviewing this.”[284] She also commented that “the Privacy Commissioner’s office has not had a strong mandate with respect to Charter issues.”[285]

6.5 A Parliamentary Review

Several witnesses felt that a parliamentary committee reviewing national security elements, including information sharing, would be useful, but should not replace a specialized oversight agency with expertise in national security.

The Commissioner felt that a parliamentary review would be helpful, but insufficient: “All departments involved in national security also need to be reviewed by independent experts.”[286] Commissioner Therrien added the following in his brief:

We note that other countries have implemented an oversight model which includes review by a Committee of Parliamentarians, while maintaining review by experts. While the former provides democratic accountability, the latter ensures that in-depth knowledge of the operations of national security agencies and of relevant areas of the law are applied so that rights are effectively protected.[287]

Mr. Karanicolas of the CLD supported Commissioner Therrien’s recommendation.[288]

Ms. Pillay also felt that the creation “of a parliamentary committee … is not a substitute for an independent reviewer of national security issues, so the two have to work together.”[289] Mr. Mia indicated that “other than the committee of parliamentarians, we need to have one unified, arm’s-length, well-resourced review agency.”[290] Mr. Kapoor commented as follows:

There has to be an expert component to it — that is, people who are expert in the area of national security — and there has to be what I would characterize as a parliamentary review, which is the committee of parliamentarians. The committee of parliamentarians is very important because it has democratic legitimacy. It can bring concerns from constituencies to the agencies and can conduct closed hearings as well.[291]

6.6 Resources, Independence of Oversight Agencies and Access to Information

The Privacy Commissioner stressed that adequate resources and independence from the government are two elements that are essential to effective oversight:

In order to be fully effective, review bodies must also be properly resourced. Greatly enhanced national security activities and initiatives in recent years have resulted in much heightened public concerns about privacy, including mass surveillance, but without any consequential increase in funding for the oversight bodies. For the OPC’s part, it has been forced to risk manage its limited resources, moving efforts from other mandated activities. This is less than ideal. It is also insufficient to produce effective review and privacy oversight, which are essential to maintain trust in national security activities.

The OPC’s research on oversight of security and intelligence agencies has led it to determine that, beyond resourcing, effective review requires meaningful independence from the executive, non-partisanship and institutional expertise, with knowledge of both domestic and international standards and law.[292]

Several other witnesses also stressed the importance of the oversight agency being independent and having adequate resources.[293]

Mr. Forcese explained that even if an oversight agency is well resourced, it cannot fully audit all the activities of an institution. There will have to be a triage in order to determine priorities.[294]

Finally, several witnesses indicated that the independent oversight agency must have access to information to fulfill its oversight mandate.[295]

6.7 Record-Keeping

On the one hand, the Office of the Privacy Commissioner of Canada noted that

record-keeping is an essential prior condition to effective review. The OPC’s advice to Public Safety in the context of the SCISA Deskbook was clear on this point: it called for guidance on the content of records that should be kept, including a description of the information shared and the rationale for disclosure.[296]

Likewise, Mr. Elder of the Canadian Bar Association stated as follows:

Whatever oversight mechanism is pursued, in order to better facilitate the review of activities carried out under SCISA, the CBA submits that regulations should be introduced requiring disclosing institutions to keep a record of all disclosures made under SCISA and requiring receiving institutions to maintain records of subsequent use and disclosure of information received pursuant to SCISA. If such records do not exist, it will be nearly impossible for any oversight body to determine whether the guiding principles of the Act are indeed being respected.[297]

Ms. Tribe of OpenMedia pointed out that “all government institutions should be required to keep thorough records of when they disclose our private information, including to foreign governments.”[298]

Similarly, when he appeared before the Committee, Mr. Evans of the CRCC mentioned that the O’Connor report contained recommendations on record‑keeping: “For example, Justice O’Connor’s report stressed that information-sharing agreements or arrangements pertaining to integrated national security operations should be reduced to writing. This is important, and the Commission will be examining whether the RCMP adheres to this recommendation with respect to information sharing relating to the Security of Canada Information Sharing Act.”[299]

Moreover, as mentioned previously in the report, the manner of consigning what constitutes a “disclosure” within the meaning of SCISA does not seem to be defined. In fact, there did not seem to be an established standard determining whether a disclosure could involve information pertaining to more than one individual.[300]

6.8 The View of Federal Institutions

According to Mr. Burt of DND, mechanisms already exist that govern his institution in the exercise of its powers:

We're subject to the oversight of the Commissioner himself, the Office of the Information Commissioner and the Auditor General. We also have an ombudsman in the Department of National Defence. In terms of counter-intelligence, we have a judge advocate general committee consisting of lawyers who work internally and of external organizations that specifically monitor our counter-intelligence capacity. I'm fairly confident about the mechanisms that govern us to ensure compliance with the legislation and policies under which we operate.[301]

Similarly, Mr. Roussel of Transport Canada told the Committee that his institution was “already subject to a complete set of extremely strict verifications by both the Auditor General and the Privacy Commissioner.”[302]

Ms. Whelan of the RCMP specified that her organization “has also established processes to maintain statistics on disclosures made to and by the RCMP under the Act, including what was disclosed, who disclosed it, and when it was disclosed,”[303] and that “all correspondence related to SCISA must be documented in the RCMP's secure records management system as well.”[304]

6.9 The Committee’s Recommendations

In light of the evidence, the Committee recommends:

Recommendation 7

That the Government of Canada strengthen the oversight of information sharing by Government of Canada institutions, by considering the following options:

a) establishing a super-agency to provide expert oversight that would review all information-sharing activities by federal national security institutions;

b) establishing new oversight bodies, where there are existing gaps, such as the Canada Border Services Agency, capable of cooperating to review information sharing between federal institutions pursuant to the Security of Canada Information Sharing Act;

c) conferring new powers upon the Security Intelligence Review Committee, the Office of the Communications Security Establishment Commissioner, the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police, and the Privacy Commissioner of Canada that would enable them to:

1. oversee information sharing among the 14 Government of Canada institutions listed in Schedule 3 to the Security of Canada Information Sharing Act as well as their use of information; and
2. cooperate with other agencies and conduct joint investigations;

d) establishing a parliamentary review mechanism[305] that, on a complementary basis with one or several other expert oversight agencies, would review the information-sharing activities of federal national security institutions;

e) conferring upon the Privacy Commissioner of Canada the role of overseeing the information sharing of the 14 Government of Canada institutions listed in Schedule 3 to the Security of Canada Information Sharing Act as well as their use of information, and that the Privacy Commissioner report his or her findings to Parliament.

Recommendation 8

That the Government of Canada amend the Security of Canada Information Sharing Act to impose on federal institutions and on the recipient institutions listed in Schedule 3 to the Act a legal duty to keep records in order to report on any use or subsequent sharing of information provided to them under the Act.