Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the study of the Security of Canada Information Sharing Act (SCISA)

November 22, 2016
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Thank you, Mr. Chair and Members of the Committee, for inviting me to discuss SCISA, the Security of Canada Information Sharing Act, which was enacted under Bill C-51, the Anti-terrorism Act, 2015.  I am joined today by Patricia Kosseim, Senior General Counsel, and Steven Morgan, Director General of Audit and Review.

When Bill C-51 was introduced in Parliament in early 2015, I expressed strong reservations which remain true today. In my remarks, I will briefly summarize these reservations and will then encourage you to review national security information sharing issues more broadly. Finally, I will explain the review we have undertaken of how SCISA has operated so far and how other legal authorities are used by federal institutions to share information for national security purposes.

My first point is that the justification for SCISA should be made clearer. I recognize at a general level that greater information sharing may sometimes lead to the detection and suppression of security threats, but we have yet to hear a clear explanation, with practical examples, of how the previous law prevented information sharing necessary for national security purposes. A clearer articulation of the problems with the past law would help define a proportionate solution.

Second, I remain concerned that SCISA authorizes information to be shared where it is merely relevant to national security goals. Setting such a low standard is a key reason why the risks to law abiding citizens are excessive. If “strictly necessary” is adequate for CSIS to collect, analyze and retain information, as has been the case since its inception, it is unclear to us why this standard cannot be adopted for all departments and agencies with a stake in national security. Necessity is the international privacy standard for the collection of personal information.

On a side note, the issue of standards leads me to the preamble of the Act, which you discussed with government officials last week. This preamble indicates that the sharing of information between departments must take place in a manner consistent with the Charter and the protection of privacy. However, this is not a true legal standard, but rather a wish or a pious hope.

As we indicated in our submissions to Parliament last year, we believe that effective privacy protection requires more than guiding principles which do not have the force of law. It requires the adoption of real legal standards.

The obligation to disclose information in a manner consistent with privacy protection should therefore become an enforceable legal standard, as are the rules governing the disclosure of information. To that end, SCISA should adopt not only the principle of necessity, but also that of proportionality.

Third, independent review of information-sharing activities is incomplete, given that 14 of the 17 receiving institutions under SCISA do not have dedicated review bodies. Parliamentary review will help but is insufficient. All departments involved in national security need to be also reviewed by independent experts.

Fourth, retention rules should be clarified. If the government maintains that the sharing of information about ordinary citizens (such as travelers or taxpayers) is necessary to identify new threats, national security agencies should be required to dispose of that information after these analyses  and when the vast majority of individuals have been cleared of any terrorist activities. 

Fifth, the law should require written information agreements. Required elements to be addressed in these agreements should include: the personal information being shared; the specific purposes for the sharing; limitations on secondary use and onward transfer, and other measures to be prescribed by regulations, such as specific safeguards, retention periods and accountability measures.

While SCISA was an important addition to the Canadian legal framework related to national security, it is intended to be one element of a much larger whole. Limiting your review to SCISA will give you a very incomplete picture of national security information sharing activities. I would encourage you to also examine information sharing with international partners, and domestic information sharing under legal authorities other than SCISA. Knowing more about other authorities will give you a better insight into whether SCISA is really necessary.

When C-51 was tabled, I committed to examining and reporting on how its implementation would ensure compliance with the Privacy Act and inform the public debate.  Our findings following the first phase of our review of the first six months of SCISA implementation are tabled in the most recent Annual Report.  We have identified a number of concerns, and offered recommendations.

The OPC has concluded that the privacy impact of the new authorities conferred by SCISA was not properly evaluated during implementation and recommended that formal Privacy Impact Assessments be performed.

The OPC has also found several weaknesses with a Public Safety Canada guidance document intended to help departments implement SCISA. Although Public Safety Canada agreed to improve the guidance, no changes have been made a year after the OPC provided recommendations aimed at minimizing privacy risks.

The OPC sent a questionnaire to all federal institutions to determine how often SCISA was used and, more particularly, whether it had been used to share information about persons suspected of terrorist activities or about law abiding citizens. Most institutions told us they had not used SCISA during the review period, relying instead on other authorities. Five institutions told us they had used SCISA, for a total of 58 disclosures and 52 receipts of information.

Institutions also told us that all SCISA information sharing activities in the first six months following implementation concerned persons suspected of terrorism. During phase 2 of our audit, we will review departmental records to verify whether that information is accurate and whether information sharing under authorities other than SCISA concerned suspects or persons not suspected of terrorist activities.

The goal of this work is to provide as clear a picture as possible of the use of SCISA and other laws, in order to inform public and parliamentary debate as we head towards the government’s planned review of Bill C-51.

With that, I would welcome your questions.