Appearances before Parliamentary Committees
ARCHIVED - Rights and reality: enhancing oversight for national security programs in Canada
Submission to the Standing Committee on Public Safety and National Security
Review of the Findings and Recommendations of the Internal Inquiry into the Actions of Canadian Officials in relation to Abdullah Almalki, Ahmad Abou-Elmaati and Muayyed Nureddin (Iacobucci Inquiry) and the report from the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar (Arar Inquiry)
May 7, 2009
Privacy Commissioner of Canada
Table of Contents
For the past decade, officials from the Office of the Privacy Commissioner (OPC) have been urging government to adopt stronger mechanisms for oversight of national security programs. As the agent of Parliament charged with safeguarding the privacy of Canadians, it has been the OPC view that security oversight must mirror the multi-organizational approach taken in intelligence-gathering and information sharing. In summary, my suggestions for your consideration are the following:
- Reiterate the importance of integrating the approach of existing review bodies to allow for more coordination and cooperation on reviews and reports across the system. Joint investigations with provincial offices and collaborative reporting with federal review bodies have worked to great effect in the experience of the OPC and all government operations would benefit;
- Address privacy and data management within agencies. Both the O’Connor and Iacobucci Inquiries focused on how information was shared and the quality of that information. Enhanced training around the theory and practice of privacy, fair information practices and data protection could effect great change;
- Urge appointment of Chief Privacy Officers across government – but in particular to departments and agencies where collection of sensitive personal information is widespread;
- Provide the Commission for Public Complaints against the RCMP with the resources and legal authorities required to exercise more meaningful review;
- Emphasize the urgency of the Treasury Board and Ministers issuing new policy requirements for departments and agencies to use Information Sharing Agreements, conduct Privacy Impact Assessments and develop privacy direction and guidance;
- Urge government to move on reform for the Privacy Act. Departments must be held to a higher standard for privacy, information handling and data protection. A legal necessity test for the collection of personal information, statutory requirements for Privacy Impact Assessments and expanded review by the Federal Court for violations of the Act would strengthen the privacy protections for Canadians in the national security context;
- Increase Parliament’s role in national security oversight: Given the critical importance of the file, additional resources and involvement of this House Committee and its counterpart in the Senate to review national security agencies is needed. By pooling expertise, coordinating reviews and sharing information, existing mechanisms could be augmented.
In the past four years, in particular, in statements and submissions before Parliamentary reviews, special reports and before various Public Inquiries, our Office has stressed the need for greater transparency and accountability in Canada’s national security programs and intelligence gathering activities. This paper seeks to consolidate and restate the urgency of this advice. To be clear, the OPC is hardly a lone voice on this point – a long succession of other public bodies, interest groups, academics, commissioners of inquiry and public figures have made similar recommendations in the course of various legislative reviews, studies, reports and public statements.
While these entreaties have ranged from judiciously prescriptive (e.g. O’Connor Inquiry, to the Auditor General’s reports on safety and security) to soundly critical (e.g. Senate review of the Anti-Terrorism Act) to quietly damning (e.g. editorial pieces by Maher Arar), an underlying theme has been consistent: poor information handling practices, patchwork accountability mechanisms and limited oversight have led to tragic, costly mistakes in the realm of national security operations. Owing to a lack of privacy protections and poor information handling, as recent Inquiries have established, individual Canadians and their families have suffered. To date, the Government’s response to calls for expanded oversight has been non-committal.
Internal investigations and external inquiries cannot substitute for ongoing oversight. Canada has conducted many public inquires into security matters: from the Wells (1966) and Spence (1966) inquiries into the tactics of the RCMP hunt for suspected Communist infiltrators, to the Mackenzie Commission (1969) recommendation to detach state security operations from the mandate of the RCMP, the Marin Commission into RCMP Complaints (1974), to the Keable and McDonald inquiries (1981) which focused on RCMP activities in Quebec to monitor and undermine separatists. More recently, we have seen the Inquiries of O’Connor (2006), Iacobucci (2008) and Major (2009), all focused on one facet of Canada’s national security structure or another. A number of changes have flowed from these proceedings, their findings and recommendations, which have led in many instances to improvements.
As the Iacobucci report underscored, "the importance of accuracy in communications to foreign agencies cannot be overstated." Commissioner Iacobucci offered a clear distillation of the problem. "Mistakes were made,” and as a result, “detention and mistreatment were connected to those mistakes in my view in an indirect way."
Privacy rights under the law are not simply about who is allowed to collect information. It also sets out who is accountable for protecting that information, ensuring it is accurate and limiting disclosure. That is the crux of the matter.
In Canada, as in most other countries, the security operations of government are conducted in secret. There are valid reasons for these differences. A certain level of autonomy is necessary for sensitive, covert work. However, this detachment has historically led to problems. It is imperative that this need for secrecy be offset with strong, external oversight.
One of the key recommendations of Commissioner O’Connor following the Arar Inquiry was to expand the powers and mandate of the Commission for Public Complaints against the RCMP (CPC) to mirror the role the Security and Intelligence Committee (SIRC) plays in overseeing the Canadian Security and Intelligence Service (CSIS). Given past problems, a well-resourced, arms length review body for the RCMP and its national security functions is critically important. He also recommended that an independent review and complaints investigation process be extended to encompass the Canada Border Services Agency, Citizenship and Immigration, Transport, the Financial Transactions and Reports Analysis Centre and others. The recommendations from the O’Connor Policy Review have yet to be implemented.
As the Auditor General stated in 2003, in her assessment of national security governance, review powers over security organizations need to be "proportionate to the intrusiveness of the powers" wielded by these agencies; anything less falls short of true oversight. There is also the issue of public trust. In a more recent report on intelligence and information sharing, the Office of the Auditor General concluded Canadians “need to know that government agencies and departments maintain a balance between protecting the privacy of citizens and ensuring national security. Canadians also need to have confidence that the decisions and activities of intelligence agencies are legal, consistent, and appropriate, and that they are subject to examination by independent review.”
At the same time, the complexity and secrecy of these organizations can make meaningful redress for the public challenging, and in some cases next to impossible. We believe the current Canadian system of intelligence oversight is fundamentally compartmentalized and fragmented. This seriously undercuts accountability. An integrated, high-level approach to oversight of intelligence and security at the national level would be far more effective.
The widening scope of intelligence information-sharing has an enormous impact on the privacy of Canadians. Privacy is not just a legal provision under federal statute. The Supreme Court of Canada has stated on numerous occasions that the fundamental right to privacy deserves constitutional protection and goes to the very heart of our democratic state.
1. Allow for integrated security review
As the O’Connor Report recommended, “statutory gateways” should be put in place allowing the major independent national security review bodies – the CPC SIRC and the CSE Commissioner – to share information, coordinate, conduct joint investigations and prepare reports. We would urge members of this Committee to emphasize the importance of this integrated approach to review.
Although CSIS operates with several layers of oversight and reporting requirements, the Communications Security Establishment (CSE), Financial Transactions Reports Analysis Centre of Canada (FINTRAC) and the RCMP are subject to less review, while the intelligence operations of the Canada Border Services Agency (CBSA) and Department of National Defence (DND) bear little scrutiny at all. With Parliamentarians in the dark with regard to many of Canada’s national security activities, lawmakers are effectively cut off from implications of their own legislative decisions. This makes informed comment on the nature, extent and cost of the country’s intelligence operations exceedingly difficult.
What Canada needs to develop for networks of intelligence are networks of oversight. The relatively modest ability of review bodies to conduct joint investigations and report in tandem would be a great improvement. The Office of the Privacy Commissioner is one example, in that it can investigate and report with both provincial and federal counterparts – to better effect and efficiency.
2. Address privacy and data management within agencies.
As various public inquiries and investigations have determined, practices within government departments around information sharing have to change. Too often information sharing is viewed as a foregone conclusion or of immediate benefit. Yet as the O’Connor and Iacobucci inquiries establish, the unforeseen consequences of information sharing can lead to tragic consequences.
Without proper attention to internal controls, additional layers of oversight may not address all the operational issues and problems at hand. Enhanced training around the theory and practice of privacy, fair information practices and data protection could change this dynamic. The government should also consider other innovations for intelligence handling from abroad. For example, agencies should be required to implement information verification and challenge functions.
3. The Government of Canada creating executive-level Chief Privacy Officers in all government departments and agencies
Our Office has recently made this a recommendation to Passport Canada, following our audit of personal information handling practices in that organization. The US Department of Homeland Security has a full-fledged CPO and Privacy Office. Our Office also recommended that the government put in place a Chief Privacy Officer position for the Public Safety portfolio in 2004, in our submission on that department’s enacting legislation. Following the major data breaches in the UK in 2007, all government departments there began appointing Senior Information Risk Officers.
There has been a dramatic increase in the collection of personal information in all lines of government program administration, but especially in security operations. Given the sensitivity of personal information collected, analysed and shared within the security and public safety portfolio, we feel internal oversight processes need to be given just as much emphasis as external review bodies. When information is treated and protected as an asset, with a senior management role responsible for data protection and privacy, how agencies treat personal information will finally merit a place on the leadership agenda.
4. Provide the Commission for Public Complaints against the RCMP with the resources and legal authorities required to exercise more meaningful review
Our Office notes in the latest Report on Plans and Priorities (RPP) for Public Safety Canada, one of the main priorities was to “develop proposals for government consideration to strengthen RCMP governance and accountability, including modernizing the RCMP review and complaints body.” Given ongoing work we share with the RCMP on oversight of programs like the National DNA Databank and other systems, concrete movement on this file is a very positive development in our view. We would only stress its urgency, and reiterate the importance of O’Connor’s vision for integrated oversight across the system, not simply along bureaucratic silos.
One of the key recommendations of Commissioner O’Connor following the Arar Inquiry was to expand the powers and mandate of the RCMP Complaints Commission. This would in effect mirror the role which SIRC effectively plays in overseeing CSIS. Given past problems, a well-resourced, arms length review body for the RCMP and its national security functions is critically important.
5. Emphasize the urgency of the Treasury Board and Ministers issuing new policy requirements for departments and agencies to use Information Sharing Agreements, conduct Privacy Impact Assessments and develop privacy direction and guidance
In the broadest sense, as was observed in the final report of the O’Connor Inquiry, Iacobucci concluded Canadian intelligence officials recently seem to have a record of mismanaging investigative files. In these cases, officials gave little weight to the possibility that information might be unreliable or could be misused. In addition, misleading, inaccurate, out-of-date or improperly sourced information was kept on file, retained too long, shared too broadly, and with few or no caveats on the use of that intelligence.
Treasury Board Secretariat has developed important new guidance for departments on how to better manage and track the sharing of information between agencies and countries. We would ask this Committee to encourage government to commit the necessary resources to finishing this important work and to seeing it is implemented. Information Sharing Agreements for exchange of sensitive information, Privacy Impact Assessments for new security programs and serious reinvestment in training departments in data protection fundamentals are a critical preventive step in this area. Ministerial directives in security agencies should also be developed to reinforce sound privacy practices.
6. Urge government to move on reform of the Privacy Act
The Privacy Act forms a cornerstone protection against government intrusion and surveillance in Canada, yet it has remained largely unaltered since coming into effect in 1983. In light of this Committee’s current review and all the testimony it has heard, we urge members to consider endorsing a renewal of the Privacy Act. Barring a full revision of the law, our Office asked government to consider ten quick fixes that might address the problems of increased information collection and sharing by security and law-enforcement agencies.
These ‘quick fixes’ included a legal necessity test for the collection of personal information, new requirements for Privacy Impact Assessments, expanded review by the Federal Court for violations of the Act and new provisions governing disclosure of personal information to foreign states. A fully modernized Privacy Act could establish a new benchmark for government bodies working in security and reinforce the pivotal importance of these rights.
7. Increase Parliament’s role in national security oversight
With so much intelligence-sharing underway, data protection commissioners around the world are struggling to effectively review security programs across a range of jurisdictions and borders. This must happen within Canadian jurisdictions and at an international level. While models for this process are different around the world, the effective bodies share certain characteristics: independence, proper resourcing, broad mandates and solid expertise.
If the resources and research of this House Committee and its counterpart in the Senate were coordinated and undertaken in tandem, both Members and Senators could exercise more active, in-depth review of national security agencies and their operations. By pooling expertise, coordinating work and sharing information, mechanisms for Parliamentary review could be augmented.
The ongoing involvement of the legislature is a critical check on national security operations in the United States, Australia, the United Kingdom and Germany. Given recent findings relating to the treatment of Maher Arar, Abdullah Almalki, Ahmad Abou-Elmaati and Muayyed Nureddin, we would reassert the view that Canada’s intelligence community is in need of closer scrutiny. Simply put, we need more insight into and controls upon these operations.
Commission of Inquiry Concerning Certain Activities of the Royal Canadian Mounted Police (1979-1981) URL: http://epe.lac-bac.gc.ca/100/200/301/pco-bcp/commissions-ef/mcdonald1979-81-eng/mcdonald1979-81-eng.htm
Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar. Analysis and Recommendations (2006). URL: http://epe.lac-bac.gc.ca/100/206/301/pco-bcp/commissions/maher_arar/07-09-13/www.ararcommission.ca/eng/AR_English.pdf
Ibid. A New Review Mechanism for the RCMP’s National Security Activities (2006). URL: http://epe.lac-bac.gc.ca/100/206/301/pco-bcp/commissions/maher_arar/07-09-13/www.ararcommission.ca/eng/EnglishReportDec122006.pdf
Ibid. “A Background Paper to the Commission’s Roundtable of Canadian Experts on Review and Oversight” (June 2005)
Ibid. “National Security and Rights and Freedoms Background Paper”
(December 2004) URL: http://epe.lac-bac.gc.ca/100/206/301/pco-bcp/commissions/maher_arar/07-09-13/www.ararcommission.ca/eng/National%20Security%20and%20Rights%20and%20Freedoms.pdf
Ibid. ”Accountability and Transparency Background Paper” (December 2004) URL: http://epe.lac-bac.gc.ca/100/206/301/pco-bcp/commissions/maher_arar/07-09-13/www.ararcommission.ca/eng/Accountability%20and%20Transparency.pdf
Ibid. “Accountability of Security Intelligence in Canada Background Paper” (December 2004) URL: http://epe.lac-bac.gc.ca/100/206/301/pco-bcp/commissions/maher_arar/07-09-13/www.ararcommission.ca/eng/Accountability%20of%20Security%20Intelligence.pdf
Ibid. “International Models of Review and Oversight of Police Forces and Security Intelligence Agencies Background Paper” (December 2004) URL: http://epe.lac-bac.gc.ca/100/206/301/pco-bcp/commissions/maher_arar/07-09-13/www.ararcommission.ca/eng/International%20Models.pdf
Department of Justice. The Position of the Attorney-General of Canada on Certain Recommendations of the McDonald Commission (1983)
Parliament. Report of the Interim Committee of Parliamentarians on National Security (2004) URL: http://www.pco-bcp.gc.ca/docs/information/Publications/cpns-cpsn/cpns-cpsn_e.pdf
Office of the Auditor General of Canada. Reports to Parliament – Security and Safety (1982-2008) URL: http://www.oag-bvg.gc.ca/internet/English/parl_lpt_e_1736.html
Public Safety Canada. “A National Security Committee of Parliamentarians: A Consultation Paper to Help Inform the Creation of a
Committee of Parliamentarians to Review National Security” (2004) URL: http://ww2.ps-sp.gc.ca/publications/national_security/pdf/nat_sec_cmte_e.pdf
Special Senate Committee on the Anti-terrorism Act. “Fundamental Justice in Extraordinary Times” (2007) URL: http://www.parl.gc.ca/39/1/parlbus/commbus/senate/Com-e/anti-e/rep-e/rep02feb07-e.pdf
Hannah, Greg. “Intelligence and Security Legislation for Security Sector Reform” prepared for the UK Security Sector Development Advisory Team by RAND Europe (2005)
Kowalik, Craig. “Parliaments and Security Sector oversight: an emerging area for capacity development” Parliamentary Centre Governance Knowledge Network Project (2006)
Michaels, Jon D. “All the President’s Spies: Private-Public Intelligence Partnerships in the War on Terror”, California Law Review (2008)
Raaflaub, Tim R. “Civilian Oversight of the RCMP’s national security functions” Parliamentary Information and Research Service (2006) URL: http://www.parl.gc.ca/information/library/PRBpubs/prb0409-e.htm
Rosen, Philip. “The Canadian Security Intelligence Service.” Parliamentary Information and Research Service (2000) URL: http://www.parl.gc.ca/information/library/PRBpubs/8427-e.htm
Salot, Jeff. “Royal Commission of Inquiry into Certain Activities of the Royal Canadian Mounted Police” from the Canadian Encyclopaedia (2008)
United Kingdom. Parliamentary Intelligence and Security Committee. “Intelligence Oversight” (2004)
Ian Leigh, “Oversight of Security and Intelligence in the United Kingdom” (2003) URL: http://www.dcaf.ch/legal_wg/ev_oslo_030919_leigh.pdf
Wark, Wesley. “National Security and Human Rights Concerns in Canada: A Survey of Eight Critical Issues in the Post-9/11 Environment” (2006)