During the study, several witnesses indicated that there is no binding provision in SCISA to protect the privacy of Canadians.[306] Several witnesses felt that the Act should include a number of privacy safeguards, particularly with respect to information reliability, information-sharing agreements, privacy impact assessments (PIAs), and the retention and deletion of personal information.[307] In fact, several witnesses told the Committee that errors in information sharing can cause grave injustices and serious harm to Canadians.[308]

SCISA does, however, contain guiding principles which are set out in section 4 as follows:

• 4 Information sharing under this Act is to be guided by the following principles:
• (a) effective and responsible information sharing protects Canada and Canadians;
• (b) respect for caveats on and originator control over shared information is consistent with effective and responsible information sharing;
• (c) entry into information-sharing arrangements is appropriate when Government of Canada institutions share information regularly;
• (d) the provision of feedback as to how shared information is used and as to whether it is useful in protecting against activities that undermine the security of Canada facilitates effective and responsible information sharing; and
• (e) only those within an institution who exercise its jurisdiction or carry out its responsibilities in respect of activities that undermine the security of Canada ought to receive information that is disclosed under this Act.

Privacy Commissioner Therrien, however, pointed out that there is nothing binding about these principles:

There is a reference in the preamble to SCISA that says, among other things, that information sharing should occur responsibly. That's advice given by Parliament to departments, and I'm sure this advice in the preamble will lead to certain actions within the public service. However, it's left completely to the public service to determine what kind of controls or governance structure they will put in place to live by this principle of responsible information sharing. We don't need to be overly prescriptive, but I think there need to be some high-end controls, safeguards, and governance mechanisms to ensure that this broad authority given by Parliament is exercised responsibly.[309]

In this regard, the “[Canadian Bar Association] recommends that SCISA include effective mechanisms to enforce the principles outlined in section 4.”[310]

In his appearance before the Committee, Mr. Davies stated that “each institution is responsible for how they implement SCISA.”[311] He added, however, that

Public Safety's role is to help institutions understand the Act. To that end, we create guidance on SCISA. We've conducted information sessions for government officials and we released a framework to guide SCISA's implementation. We continue to provide support to government departments and agencies, as required, and are looking to improve the guidance we provide, including addressing the issues raised recently by the Privacy Commissioner in his annual report.[312]

Moreover, several representatives of federal institutions explained to the Committee the various privacy safeguards that had been put in place within their organizations, such as policies and directives, as well as training.[313]

In light of the testimony, the Committee recommends:

Recommendation 9

That the Government of Canada amend the Security of Canada Information Sharing Act in order that the guiding principles listed in section 4 become legal obligations.

7.1 Reliability of Shared Information

As mentioned above, the reliability of information can have severe implications for individuals. According to Mr. Roach, SCISA should put more emphasis on information reliability:

Justice O'Connor in the Arar commission report stressed that there need to be assurances that the reliability of the information is discussed, and also the respect for caveats, which is mentioned in section 4.

The problem with section 4 right now is simply that principles are placed out there, but there are no teeth, unless there's a requirement for protocols through regulations or through amendments of the statutes.[314]

Similarly, Mr. Elder of the CBA argued:

The Arar commission stressed the importance of precautions to ensure that information is accurate and reliable before it is shared. Omitting safeguards in SCISA ignores lessons learned through the Arar saga and the recommendations of the Arar commission, and risks repeating the same mistakes.[315]

Indeed, Mr. Elder specified that the CBA’s concern “stems from the tragic case of Maher Arar. From information that turned out to be inaccurate and that may not have been adequately vetted before being handed off to foreign governments, we wound up with a Canadian citizen being detained and tortured, with all kinds of horrible things. That's really the worst-case scenario, and it's a great reason for being really careful with the information we're sharing.”[316] Hence, the “CBA recommends that SCISA include safeguards to ensure that any shared information is reliable.”[317]

For Mr. Mia and Mr. Kapoor, the test of whether information is “necessary” would make it possible to obtain more-reliable information.[318] Mr. Kapoor indicated that “the ‘necessary’ test would impose some rigour that at least has the prospect of doing so more efficiently than a relevancy test would.”[319] Mr. Mia added that this would reduce the risk of making mistakes.[320] In addition, Mr. Mia feels that controls also have a role to play in ensuring the reliability of shared information.[321]

In light of the evidence, the Committee recommends:

Recommendation 10

That the Government of Canada amend the Security of Canada Information Sharing Act by creating a legal obligation to ensure the reliability of any shared information.

7.2 Retention, Deletion and Correction of Information

As mentioned above, Privacy Commissioner Therrien is of the opinion that SCISA should include “some high-end controls, safeguards, and governance mechanisms”[322] to ensure that this new information-sharing authority is exercised responsibly. More specifically, with regard to the retention of information, the Commissioner feels that “[i]t should not be for the bureaucracy to decide how long they are going to keep the information”[323] and that “[t]here should be rules of law on this.”[324] The Commissioner explained that this means the recipient institutions listed in Schedule 3 to SCISA should be required to delete information:

If the government maintains that the sharing of information about ordinary citizens (such as travellers or taxpayers) to one or more of the 17 recipient institutions under SCISA is necessary to undertake analyses meant to detect new threats, national security agencies should be required to dispose of that information immediately after these analyses are completed and the vast majority of individuals have been cleared of any suspected terrorist activities. This would be in keeping with the recent judgment of the Federal Court which held that retention of "associated data" for people who are not a threat to national security was illegal.[325]

Mr. Therrien also pointed out that a “receiving institution must determine whether it has the authority to collect [information], to receive it,” and that if it receives information it does not have the authority to collect, it should be required to delete the extra information.[326]

Several witnesses also noted the importance of clear rules on information retention, in particularly with respect to how long information should be retained before it must be deleted.[327] To support their arguments, some also made reference to the recent Federal Court decision[328] in which CSIS was found to have retained data illegally.[329]

Mr. Israel of CIPPIC stated that his organization “would suggest that the remedying of this lack of retention obligation would be best achieved through overarching amendments to the Privacy Act that would apply across all of government and impose an overarching retention obligation.”[330] Mr. Israel noted that several institutions set their own limits on information retention while others have limitations set for them by law, “but an overarching retention limitation in the Privacy Act would provide for a more principled and across-the-board process.”[331]

Mr. Mia of the CMLA also argued that when the government gathers information as part of a national security investigation, that information should be expunged as soon as the government determines that the individual under investigation is not a suspect.[332] He added that this would help reduce the size of databases and avoid errors.[333] However, Mr. Kapoor disagreed with Mr. Mia on this point for the following reason:

To the extent that the service [CSIS] properly receives — and I underscore “properly” — information about national security threat information, I don't think it's wise for the service to destroy it. I don't think it's wise. Today it may not mean much, but 10 years from now or five years from now, when circumstances change and you're continually revising your analytics, you need to have a rich environment to be able to stay on top of the threat environment.”[334]

Currently at CSE, information gathered that does not meet the criteria set out in the National Defence Act is destroyed.[335] Mr. Blais, Chair of SIRC, told the Committee that the recent decision by the Federal Court indicated “that they have to review all the documents on a regular basis to make sure that they don't keep that data too long, or for a period that will not be considered strictly necessary.”[336] Mr. Roussel of the Department of Transport stated that his organization did not gather personal information as such, but rather used information from other institutions and that a policy governed the retention of information.[337] Mr. Linder specified that as far as IRCC is concerned, “[I]f we receive information in error or information that's not relevant, the guidelines we have within the department are that the information must be destroyed immediately.”[338]

Mr. Picard of the Department of Foreign Affairs, Trade and Development indicated that, to his knowledge, the standard for retention of information that is collected legitimately is “a minimum of two years.”[339] Mr. Burt of the Department of National Defence pointed out that the information gathered by his institution did not necessarily touch on individuals and sometimes needed to be databased for quite a long time to allow for cross-checking.[340] He added that “there is no formal process around how long you can keep [operational information]. The goal is to database it usefully so that you have good information to look back upon.”[341] Mr. Rochon of CSE specified that his organization has “retention periods for most of the collection of information that we have. We have ministerial directives that impose those retention periods. We follow them and they are reviewed by our commissioner to make sure that we adhere to them.”[342]

Mr. Wark pointed out that retention mechanisms currently exist, sometimes in the form of ministerial directives.[343] He stated that “some of those ministerial directives around retention of information could be made public without endangering national security to reassure the Canadian public that information is not being kept in an abusive and overly long way.”[344]

Regarding the correction of information and problems linked to the sharing of inaccurate information, CSE Commissioner Jean-Pierre Plouffe indicated that one of the ways to reduce risks associated with the inaccuracy of shared information “would be to incorporate into the Act a provision that any information that is not relevant, which is the threshold used presently in the Act, should be destroyed. This is not built into the act right now. In my view, that's a problem.” Mr. Plouffe went on to state that it would be possible to add to section 10 of SCISA, “which talks about regulations that could be made by the Governor in Council. They have three ways to make regulations. I would add a fourth one, which should read ‘destruction of information that is not relevant.’ If you have a built-in provision to the effect that if it's not relevant, it is to be destroyed within a certain time, I think you would avoid the problem you just raised.”[345] Mr. Evans of the CRCC noted that one way to reduce risks associated with the sharing of inaccurate information would be to institute better practices and have internal oversight mechanisms.[346] Lastly, Mr. Blais, Chair of SIRC, specified that CSIS uses corroboration to verify the accuracy of information.[347]

Regarding oversight of the new information-sharing powers conferred by SCISA, CSE Commissioner Plouffe and Mr. Blais, Chair of SIRC, both felt that “review bodies” should not have the power to compel the 17 recipient institutions listed in Schedule 3 to delete information.[348]

In light of the evidence, the Committee recommends:

Recommendation 11

That the Government of Canada amend section 10 of the Security of Canada Information Sharing Act to confer upon the Governor in Council the power to make regulations concerning the correction and deletion of information and that the Governor in Council make regulations regarding the correction, deletion and retention of information.

7.3 Information-Sharing Arrangement

One of the guiding principles set out in section 4 of SCISA is as follows: “entry into information-sharing arrangements is appropriate when Government of Canada institutions share information regularly.”

According to the Privacy Commissioner, there is a “need for an explicit requirement for written information agreements.”[349] He added that

[e]lements addressed in these Agreements should include, as a legal requirement, the specific elements of personal information being shared; the specific purposes for the sharing; limitations on secondary use and onward transfer; and other measures to be prescribed by regulations, such as specific safeguards, retention periods and accountability measures.[350]

Commissioner Therrien also specified that “OPC should also be given explicit authority to review and comment, and the right to review existing agreements on request by OPC to assess compliance. Finally, departments should be required to publish the existence and nature of information-sharing agreements between departments or with other governments.”[351]

Ms. Pillay explained that if there are no information-sharing agreements between the institution disclosing information and the recipient institution regarding limitations on how information can be used and who it can subsequently be shared with, the institution disclosing such information loses all control over it.[352] Ms. Tribe of OpenMedia also emphasized that information sharing under SCISA should be done within the context of arrangements.[353] Ms. Austin pointed out that written agreements “were very key to the Arar commission report.”[354] Mr. Forcese also indicated that putting in place information-sharing protocols “that mitigate the spread of information through government agencies is probably the best we can do, coupled with effective auditing thereafter to ensure compliance and conformity with those dictates.”[355]

Mr. Pierre Blais, Chair of SIRC, underscored the importance of information-sharing agreements, noting that, in reviewing such agreements, his organization “will be attentive to these formalized agreements, where much of the work of determining the precise balance of security and privacy concerns will inevitably take place.”[356]

Mr. Burt of the Department of National Defence told the Committee that his organization did not have any formal information-sharing agreements under SCISA.[357] However, other institutions did indicate that new arrangements had been entered into since SCISA was enacted. For instance, Ms. Geddes of CSIS specified that CSIS has signed a new arrangement with Global Affairs Canada that integrates SCISA.[358] Mr. Drake of Global Affairs Canada also indicated that his organization had concluded an information-sharing arrangement with CSIS pursuant to SCISA.[359]

In light of the evidence, the Committee recommends:

Recommendation 12

That the Government of Canada amend the Security of Canada Information Sharing Act so as to:

a) make it a duty for recipient institutions to enter into information-sharing arrangements with disclosing institutions; and

b) confer upon the Privacy Commissioner of Canada the power to review and comment on all existing or future information-sharing arrangements.

7.4 Privacy Impact Assessments

During the hearings, various witnesses emphasized the importance of PIAs as a means of protecting privacy.

In his submission, Commissioner Therrien emphasized the importance of PIAs:

An additional tool to determine whether government initiatives involving the use of personal information raise privacy risks is the Privacy Impact Assessment (PIA), which describes and quantifies these risks, and proposes solutions to eliminate or mitigate them to an acceptable level. At the federal level, the obligation to conduct PIAs is currently at the policy level, and is triggered by a new or substantially modified program or activity. Despite this policy obligation, the OPC was concerned to see how few PIAs were undertaken in relation to SCISA.[360]

In fact, a survey conducted by the OPC on the implementation of SCISA revealed that 12 of the 17 institutions authorized to collect information under the Act “had undertaken some form of analysis to determine whether Privacy Impact Assessments (PIA) for their respective information sharing processes were necessary,”[361] and two of these institutions determined that PIAs were necessary and had begun to develop them.[362]

Mr. Davies of the Department of Public Safety and Emergency Preparedness told the Committee that “departments and agencies must also continue to abide by government requirements. These include the Treasury Board Directive on Privacy Impact Assessment.”[363] He added that the “Minister of Public Safety has also written to his colleagues regarding the importance of completing PIAs when required.”[364]

Commissioner Therrien indicated that he was concerned by the results of his survey regarding PIAs. He was “encouraged by what the Minister said [concerning PIAs], but it has not translated into [OPC] receiving anything [in the way of PIAs] at this point.[365]

Mr. Israel of CIPPIC suggested that “other overarching safeguards that could be adopted within the Privacy Act could provide additional safeguards and a better framework for legitimate information within a modified and reduced SCISA. These safeguards could include the adoption of privacy impact assessments and a more robust enforcement of the Privacy Act.”[366]