Letter in response to the Policy Review of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
November 2, 2005
Ms. Andrea Wright
Commission of Inquiry into the Actions of
Canadian Officials in Relation to Maher Arar
P.O. Box 507, Station B
66 Slater Street, Suite 1720
Dear Ms. Wright:
I am writing to provide the Office of the Privacy Commissioner’s (OPC) comments on the Policy Review component of the Commission of Inquiry. Commissioner O’Connor has been asked to make any recommendations he considers advisable on an independent arm’s length review mechanism for the national security activities of the RCMP.
Under the Privacy Act, we have oversightFootnote 1 responsibility over approximately 150 federal government departments and agencies including the RCMP, CSIS and CSE. However, we are only part of a larger national oversight system that includes Parliament, the courts, other specialized agencies created by Parliament such as the Communications Security Establishment Commissioner, the NGO community and the media.
The Commission of Inquiry has received numerous submissions that call for more effective oversight over the national security activities, including the information handling practices, of the RCMP and other federal departments and agencies that play a role in protecting and enhancing national security. We agree there is a need for greater accountability, transparency and oversight of agencies involved in national security and we appreciate the opportunity to provide our comments to the Commission of Inquiry.
The passage of Bill C-36, the Anti-terrorism Act, in November 2001 marked the beginning of a new national security environment characterized by enhanced surveillance powers for law enforcement and national security agencies, fundamental changes to the machinery of government and increased sharing of personal information with the United States and other governments.
We are also concerned about the blurring of the distinction between national security and law enforcement activities that is evident in some of the post–September 11 initiatives. We believe there is a real risk that the logic of anti-terrorism will permeate all spheres of law enforcement and public safety, without critical assessment of where it is appropriate to draw the line, and that this will result in large-scale systems of surveillance that will increasingly erode privacy rights in Canada.
At the same time as the role and powers of law enforcement and national security agencies have been broadened, as a result of the Anti-terrorism Act, the Public Safety Act and other measures, constraints on the use of these surveillance powers have been weakened and government accountability and transparency have been significantly reduced.
This process is far from complete. The federal government is currently preparing “lawful access” legislation that will further increase the state’s surveillance powers by making it easier to intercept and obtain information about our private communications, our use of the Internet and even our location.
We want to have a safer, more secure country and we understand the need for an effective state intelligence apparatus. We also need processes to ensure that the enhanced powers we are giving these agencies are necessary and proportionate and that, if granted, they are not abused.
We recognize and accept that we cannot exercise effective oversight on our own. The task is simply too large and too important to be entrusted exclusively to any single agency. We do not have the expertise or the resources to provide effective oversight over all of the national security activities of the RCMP although it is not simply a question of resources and expertise. There is also the matter of the tools at our disposal. The Privacy Act, which is now more than twenty years old, was not written in anticipation of an era in which intrusive surveillance, and the technologies to allow this to happen, are constantly increasing. The Privacy Act regulates the flows of personal information; it does not create a strong normative framework that protects privacy.
Some of the submissions to the Commission of Inquiry have recommended expanding the mandate of the Commission for Public Complaints (CPC) to include the RCMP’s national security activities; others have proposed expanding the mandate of the Security Intelligence Review Committee (SIRC) and other submissions have suggested that a “super-agency” be established to review all the national security activities of a wide range of federal departments and agencies.
In our submissions to the Senate and House of Commons committees reviewing the Anti-terrorism Act, we recommended thatParliament should undertake a systematic review of the overall mechanism for oversight of national security activities, taking into account the existing bodies and identifying areas where these bodies overlap, but more importantly, identifying areas where there are gaps in coverage. The Policy Review by the Commission of Inquiry is an important first step in what we hope will be an even broader review of the national security environment.
While we feel strongly about the need for greater oversight of the RCMP, CSIS, CSE, FINTRAC and other agencies we do not have any views on the merits of creating a “super agency” as opposed to enlarging the mandate of the CPC or giving SIRC additional responsibility to oversee the national security activities of the RCMP. We do not think that it is appropriate for our Office to comment on this matter.
When discussing oversight, we should not lose sight of the importance of internal oversight and accountability. Government departments and agencies—especially those that have a national security mandate—should be required to develop and implement privacy management frameworks that include an internal privacy audit capacity, the inclusion of privacy leadership responsibilities in the performance agreement of senior executives, privacy protection performance indicators, and a strengthened role for Access to Information and Privacy coordinators.
We are not experts on national security but we do have over 20 years of experience investigating complaints and reviewing the information handling practices of federal departments and agencies. We have attempted to draw on this experience in commenting on some of the questions posed by the Commission of Inquiry in its October 17, 2005, “Further Questions for Public Consultation” document and in the Commission’s October 20, 2005 letter to Commissioner Stoddart.
The Commission’s letter of October 20, 2005 asked for our views on the potential overlap between our mandate and the mandate of an agency that might be created to oversee the RCMP’s national security activities.
Response of the Privacy Commissioner:
Our comments above should make it clear that we are not opposed to the creation of a new agency, or revising the mandate of an existing agency, to oversee the national security activities of the RCMP. There are other agencies that have mandates that may overlap with our mandate. For example, in dealing with a discrimination complaint, the Canadian Human Rights Commission might deal with issues relating to the use of personal information such as the results of drug tests. The Canadian Radio-television and Telecommunications Commission is explicitly required to take privacy considerations into account in its deliberations. To date, these areas of overlap have not caused any problems or concerns for our Office.
The creation of a review agency that deals with complaints about the RCMP might raise some administrative issues for our Office. For example, under the Privacy Act the Privacy Commissioner does not have the discretion to either decline to investigate a complaint or to refer a complaint to a more appropriate forum for investigation. We have this discretion under the Personal Information Protection and Electronic Documents Act (PIPEDA) which applies to the private sector. A similar provision in the Privacy Act would be desirable.
We can envisage a situation in which an individual may have a complaint that raises issues related to the collection, use or disclosure of personal information under sections 4 to 8 of the Privacy Act that are incidental to a more far reaching set of issues. In such a situation, an individual’s interests might be better served by a review body with multi-dimensional expertise and with a broad mandate that would allow it to examine matters that go beyond the handling of personal information.
Overlap between our complaint process and that of another agency is less likely to occur where the complaint relates to the denial of access to personal information. Generally speaking, the OPC is satisfied with the manner, method, and reasons utilized by the RCMP in determining application of exemptions to access under the Privacy Act.
The one complication that can arise is when an individual requests access to personal information that forms part of an official inquiry, such as the Gomery Inquiry, and Justice O’Connor’s own inquiry, where portions of the inquiry are open and portions of the inquiry are closed. While the Privacy Act has a strong body of jurisprudence built up on proper interpretation of the exemptions to access, it is simply not possible to ignore treatment of documents taking place in another official forum.
We have also given some thought to the issue of possible consultation with a new RCMP review body. The OPC rarely needs to consult another government body that is not a party to the complaint. However, we are permitted to do this if the occasion arises. Section 64(1)(a) of the Privacy Act provides an exception to the general obligation of confidentiality imposed on our staff where the information must be disclosed in order to carry out an investigation under the Act. In all likelihood the name of the complainant would be withheld if there were no need to disclose it—and only minimal information necessary to pursue the investigation would be disclosed. This would normally arise when we are seeking the expertise of another body, rather than asking for assistance in the conduct of the particular investigation, so we would apply the need-to-know principle. If required, we can however disclose full particulars of a complaint where this is necessary to further our investigation.
The Privacy Act would allow the OPC to consult with a new RCMP review body to further one of our own investigations. The opposite does not however hold true. If another review body comes to the OPC for assistance on a specific investigation that it is conducting, the OPC cannot share any specific investigation information due to the statutory prohibition against disclosure in section 63 of the Privacy Act. The best the OPC could offer in such a case is generalized advice on office experience and views. This we can freely do, and often are in the practice of doing with government institutions who seek general guidance.
In terms of the auditFootnote 2 process, we do not foresee major difficulties in terms of overlapping mandates. Given the large number of organizations that are subject to the Privacy Act and our limited resources to date, we have not been in a position to audit the information handling practices of the RCMP as often as might be desirable. During 2002 and 2003 we conducted reviews of four RCMP activities:
- the Integrated National Security Enforcement Teams (INSETs)
- the Integrated Border Enforcement teams (IBETs)
- the Financial Intelligence Branch; and
- the RCMP’s use of video surveillance cameras in the area of Parliament Hill and on Confederation Boulevard.
More information about these audits can be found on pages 48-49 of our 2003-2004 Annual Report.
However, the past is not a predictor of the future. Proposals are now before the Treasury Board Secretariat to increase Office resources, including a significant increase in audit resources. We intend to carry out more audits with a priority on those departments and agencies such as the RCMP, CSIS and CSE that are engaged in national security programs and activities. When it is released, we plan on reviewing the Report of the Commission of Inquiry to learn where we may need to follow up and focus attention on systems and procedures for ensuring compliance with fair personal information management principles. At the same time, perhaps one of the key tasks of a new oversight body will be to follow up recommendations of the Commission to ensure they are implemented.
Accordingly, should a new oversight body be created with audit/investigation powers, we would likely need to coordinate activities in order to avoid duplication and ensure value added efforts. There may be opportunity to develop a process for doing joint audits and/or achieving reliance on each others work.
As a case illustration, under section 36 we can audit exempt information banks. There are presently only four exempt banks that are under the control of CSIS, CSE and the RCMP. The last time exempt banks were reviewed by this Office was over fifteen years ago and that was limited to ascertaining if the information contained in such banks was appropriately exempted from access. This resulted in a significant reduction in the number of “exempt banks”. We have preliminary plans to audit the operations of exempt data banks next year.
Also, we point out that this Office is charged by Treasury Board policy with the responsibility to review Privacy Impact Assessments (PIAs) done by departments and agencies. This includes PIAs submitted to the OPC by the RCMP and we have completed several of these over the past six months. This gives us an opportunity to influence the design and implementation of system changes for the purpose of security and policing. We would assume that the PIA process would not be altered by creation of a new oversight agency but it may require consideration of whether relevant PIAs and our comments thereon should be shared with a new oversight agency.
In summary, we do not foresee any significant problems that are likely to arise as a result of an overlap between our mandate and that of a new agency.
Further Questions for Public Consultation
In this document, dated October 17, 2005, the Commission of Inquiry asks several questions that are of interest to the Privacy Commissioner:
Question # 2. Should audits and complaints-investigations be done by the same body? Why or why not? Would the audit functions be compromised if the same body did not hear complaints?
Response of the Privacy Commissioner
Our Office conducts audits and we receive and investigate complaints. The Privacy Act and PIPEDA give our Office similar, but not identical, authority to conduct audits and investigate complaints. In the case of the Privacy Act, this authority is found in sections 36 and 37. We can carry out these audits—the Act refers to investigation—at the discretion of the Commissioner.
On the whole, we have found that our audit activities and our complaint investigations complement and support one another. Audits and complaint investigations achieve different objectives. Audits are generally more likely to identify systemic problems, possibly before any harm has occurred. The audit function can have an important deterrent effect in that organizations are aware that they could be subject to scrutiny, with all the resultant consequences. Finally, audits provide an opportunity to educate organizations, and engage their employees, about appropriate policies and practices.
In contrast, the complaint process is more reactive. However, a complaint can identify a problem that might not get captured in an audit, for example, the behaviour of individual employees. The complaint process also engages the public in ways that an audit does not.
Based on our experience we believe that there are benefits to giving the same body both audit and complaints investigation responsibilities. Conceptually we see no inherent difficulties in combining these two powers. However, as a practical matter since complaints investigations may be mandatory, depending on the legislation, and audits discretionary, there is risk when resources are scarce that audits may not be done to full potential in order to satisfy mandatory requirements. One way to reduce this risk is to give an oversight agency the discretion to decline to investigate a complaint or to refer the complaint to another agency. This might prove to be particularly valuable in the case of an agency dealing with complaints against the RCMP.
Question # 4. What expertise does a body reviewing RCMP national security activities require? . . . (b) Does it require expertise in national security matters such as intelligence collection, targeting, investigative techniques, analysis, information retention and sharing of information?
Response of the Privacy Commissioner
Over the years, the Office of the Privacy Commissioner has hired numerous audit and investigation staff with experience in police investigation work. This expertise has greatly assisted our Office in evaluating the information collection and management practices of those organizations involved in law enforcement and intelligence work. In our view, it would similarly be of great value to any oversight body mandated to oversee the national security activities of the RCMP to have expertise in all dimensions of intelligence collection, targeting, investigative techniques, analysis, and particularly in privacy aspects of information collection, retention and sharing. As well, we are finding that conflict resolution and mediation skills are becoming more important. One would hope that these skills would become part of the core competencies of the oversight body.
In addition, an oversight body must have some expertise with privacy legislation, which in some cases might be provincial legislation, and more generally with fair information practices. Given the growing importance of information sharing among law enforcement and national security agencies and the problems that can arise from retaining information that is no longer required, an oversight body must be able to assess compliance with these provisions. As well, we think that our comment above about the importance of internal oversight and accountability bear repeating. Government departments and agencies that collect, use or disclose personal information should be required to develop and implement privacy management frameworks with all the requisite control functions that adequate personal information management requires.
Question # 5. . . . SIRC may then evaluate information collection by CSIS against the statutory criteria of “strictly necessary.” (a) What comparable criteria would or should guide an audit of the RCMP’s national security activities, including information-gathering or other investigative activities?
Response of the Privacy Commissioner:
In our recently released 2004-2005 Annual Report on the Privacy Act, we call for the reform of the Privacy Act. The Privacy Act is a first generation data protection act that has been surpassed by emerging technologies, new approaches to governing and heightened public expectations about their privacy rights. The emergence of the new post September 11 surveillance state has only highlighted the need for Privacy Act reform.
Limiting collection is a fundamental principle of all data protection statutes. At present, the standard in the Privacy Act is too low—it requires only that collection of information be “directly related to” an operating program or activity of the government institution. We favour a more rigorous test whereby an institution would be required to demonstrate that the information is necessary for the program or activity.
Limiting collection to personal information that is “strictly necessary”, consistent with the standard that guides SIRC in its evaluation of information collection activities of CSIS, would be equally appropriate with respect to the RCMP’s national security activities.
Question # 9. Should there be special advocates involved in complaints involving RCMP national security activities, to represent the interests of the individual, challenge claims of national security confidentiality or deal with evidence that cannot be disclosed to the complainant because of national security confidentiality? Or are you of the view that participation by special advocates would be unnecessary or undesirable, and if so, why?
Response of the Privacy Commissioner:
In our submissions to the Senate and House of Commons committees reviewing the Anti-terrorism Act, we supported the concept of special advocates. The right of individuals to know what information the government has about them and the right to insist that the information be appropriate and accurate are fundamental components of the right of privacy. Being able to find out what information holds is even more critical when an individual faces accusations of wrongdoing. The amendments to the Canada Evidence Act brought about by the Anti-terrorism Act have added to the secrecy surrounding legal proceedings, contrary to the fundamental principles that court hearings should be conducted openly and that individuals should be entitled to know the charges against them and the evidence relevant to the charges.
We made a number of specific recommendations concerning the procedures under section 38 of the Canada Evidence Act, the section that address the judicial balancing of interests between the public interest in disclosure and the interest of the state in national security and maintaining foreign confidences. The recommendations that might be of potential interest to the Commission of Inquiry include the following:
- The mandatory in camera proceedings and the mandatory ban on even revealing that a section 38 proceeding is taking place should be repealed. A more proportionate alternative would allow the judge to hold proceedings in camera when necessary to protect national security.
- Section 38.13 of the Canada Evidence Act should be repealed on the basis that it is superfluous to empower the executive to trump an adjudicative order for disclosure.
- The Parliamentary committees should give consideration to the creation of a security-cleared special advocate position, to test Government claims that information should not be disclosed because of concerns about national security. This would ensure that a judge hears an advocate for the greatest possible disclosure before making a decision. The special advocate could also examine any evidence that the judge decides cannot be disclosed to the affected person and, where appropriate, challenge the government’s reliance on such secret evidence.
We note that the process used by the Commission of Inquiry with special advocates has ensured a healthy debate on issues of national security confidences.
While we support the concept of a special advocate in complaints involving RCMP national security activities, we recognize that there are a number of questions that arise with their use. We have not had a great deal of experience in Canada with special advocates. Our understanding is that, to date, there has been only one case, Canada (Attorney General) v. Ribic 2003 FCA 246, in which a security cleared federal government lawyer was appointed as a special advocate. Some of the questions that would have to be addressed would include
- in what type of complaints would a special advocate be used;
- who would determine whether an advocate would be appointed;
- who would decide on the advocate to be appointed; and
- what would be the role of the advocate?
Question # 13. In the course of a terrorism investigation, the RCMP may have national security reasons for not confirming whether or not a person is a suspect or under surveillance. If complaints respecting the national security activities of the RCMP are dealt with by a different body than complaints about other RCMP activities, the very handling of a complaint by the national security body might in itself confirm that there is a national security aspect. Would this be problematic? Is there a way to avoid confirming that national security issues exist if national security complaints are dealt with by a separate body? Would the main RCMP body still have to remain involved to avoid such confirmation (e.g., in correspondence with or interviews of the complaint)? Would this be unduly duplicative?
Response of the Privacy Commissioner:
We are sympathetic to this dilemma. A somewhat analogous situation exists under the Privacy Act when an individual complains to the OPC that access to information is being denied and the department, such as CSIS or the RCMP, refuses to confirm or deny whether the requested information exists as permitted under section 16(2) of the Act. The Privacy Act further requires in section 65(b) that the staff of the Privacy Commissioner not disclose any information as to whether personal information exists where the head of the government institution has refused to confirm or deny whether it exists under section 16(2). The Commission of Inquiry may wish to consider if some comparable mechanism might be appropriate for a body which reviews complaints against the RCMP. That is, it would be made clear in the governing legislation that the acceptance and investigation of a complaint by the national security review body does not confirm the existence of national security concerns.
Another way to deal with the dilemma would be to have one body deal with complaints about all RCMP activities. Minimizing the number of agencies dealing with complaints about the RCMP would also reduce duplication of effort, concentrate expertise, make better use of public resources and decrease forum shopping.
Question # 16(e). How would an audit function over these agencies and departments differ from the Privacy Commissioner’s audit functions (see Privacy Act, ss. 36 (review of exempt banks) and s. 37 (review for compliance by government institutions with ss. 4-8 of the Privacy Act)? How would a complaints function differ from the complaints function carried out by the Privacy Commissioner?
Response of the Privacy Commissioner:
One obvious difference is that the agency would be able to examine a broader range of issues. As well, we would expect that an agency that was devoted exclusively to reviewing the national security activities of the RCMP and possibly other agencies would be able to bring a broader perspective to audits and complaint investigations.
Beyond this, we do not necessarily see significant differences. We believe that any oversight agency must have broad powers to conduct audits and investigate complaints. In carrying out an investigation under the Privacy Act, the Privacy Commissioner has the power to
- summon persons and compel testimony;
- to administer oaths;
- to receive and accept such evidence and other information as the Privacy Commissioner sees fit;
- to enter any premises occupied by any government institution;
- to examine or obtain copies of any records relevant to the investigation.
In addition, based on our experience, we would recommend that an oversight agency should have the power to compel an organization to prepare and produce a document based on documents or data already in existence. This power is particularly critical in a digitized environment in which bits of information may be dispersed in databases and electronic files throughout the organization.
I hope that these comments prove useful. If you have any questions please do not hesitate to contact me or Raymond D’Aoust, one of our Assistant Commissioners.
(Original signed by)
Privacy Commissioner of Canada
- Date modified: