Measures to anonymize sensitive polygraph records mitigated privacy impacts of NSIRA review
Complaint under the Privacy Act (the Act)
January 24, 2025
Description
As part of its review of the Communications Security Establishment’s (CSE) Internal Security Program, the National Security and Intelligence Review Agency (NSIRA) requested access to polygraph records, which led to complaints regarding its authority to collect this highly sensitive personal information. As the NSIRA Secretariat (but not NSIRA itself) is subject to the Act, our investigation examined whether personal information was collected by the Secretariat and reviewed the safeguards implemented to protect privacy and reduce the risk that polygraph subjects could be re-identified.
Overall, we found that the safeguards that had been put in place significantly reduced the risk that subjects could be re-identified. This included the fact that the source material at issue in the complaints – the polygraph examination recordings – were sufficiently anonymized such that they did not contain personal information in relation to the polygraph subjects. In light of these measures and of NSIRA’s broad right of access to information under the NSIRA Act, as well as the NSIRA Secretariat’s role to assist NSIRA in fulfilling its mandate, we found the collection issue to be not well-founded.
However, we did raise concerns regarding the timeliness of the NSIRA Secretariat’s requests to TBS for the approval of several changes respecting Personal Information Banks (PIBs), including the establishment of a new Review-specific PIB. The NSIRA Secretariat committed to collaborate with TBS on a priority basis to obtain approvals of the PIBs.
Takeaways
- Measures and safeguards aimed at minimizing the collection of personal information will mitigate privacy risks and are key to building individuals’ trust.
- De-identification can reduce privacy risks, but may not always render the information non-personal or outside the scope of the Act.
- The publication of up-to-date Personal Information Banks (PIBs) and Info Source pages is key for transparency and accountability to the public about an institution’s personal information practices, and for compliance with the Act and relevant Treasury Board policies.
Report of findings
Overview
In March 2021, the National Security and Intelligence Review Agency (NSIRA or the Review Agency) commenced a review of the Communications Security Establishment’s (CSE) Internal Security Program (Safeguarding) pursuant to paragraphs 8(1)(a) and (b) of the National Security and Intelligence Review Agency Act (the NSIRA Act) [Footnote 1] (the Review). The Review included the first-ever evaluation of the use of the polygraph in the security screening process at CSE.
In June 2022, the OPC received six complaints against NSIRA in relation to its Review of CSE, and specifically, regarding its request to access and examine polygraph recordings of a sampling of CSE employees as part of that Review. The complainants raised concerns that the collection of personal information related to polygraph examinations was outside the scope of NSIRA’s national security and intelligence review mandate as it relates to the activities of CSE, and therefore did not meet the requirements of section 4 of the Privacy Act (the Act). Concerns were also raised regarding the Secretariat’s compliance with section 10 of the Act to ensure that all personal information under its control is included in Personal Information Banks (PIBs).
As a preliminary matter, it should be noted that there is a legal distinction to be made between the Review Agency [established by section 3 of the NSIRA Act] and the NSIRA Secretariat [established by subsection 41(1) of the NSIRA Act]. Only the Secretariat [Footnote 2] is a “government institution” and therefore subject to the Act. The Secretariat plays a substantive role in assisting the Review Agency in fulfilling its mandate, including conducting reviews. [Footnote 3] To the extent that the Secretariat collects, uses or discloses personal information while providing this assistance, the Secretariat’s activities in support of reviews are subject to the Act.
The OPC’s investigation sought to assess the Secretariat’s compliance with sections 4 and 10 of the Act. The broadly recognized ‘necessity and proportionality’ data principles were also examined and this report includes observations regarding the policy requirement to complete a Privacy Impact Assessment (PIA) in relation to NSIRA’s review activities.
For the purposes of the investigation, we therefore examined whether personal information was collected by the Secretariat and reviewed the mitigation measures implemented to protect privacy and reduce the overall risk that a polygraph subject [Footnote 4] could be re-identified [Footnote 5] (including the redactions, obfuscation techniques and administrative controls). In doing so, the OPC sought and considered representations from CSE with respect to the measures it implemented to anonymize the records. CSE also facilitated the OPC’s onsite review of a sampling of records that were implicated in the Review.
Overall, we found that while the mitigation measures in place significantly reduced the risk that subjects could be re-identified, they did not eliminate it completely. Our key observations with respect to personal information include the following:
- (i) given the data elements that remained un-redacted from the security screening files, there was a risk for subjects to be re-identified using the information available to the reviewers – we determined this information to be ‘personal information’ and therefore within the scope of the Act;
- (ii) our review revealed that the identity of a subject was disclosed (not redacted) in error in a file; [Footnote 6]
- (iii) the polygraph examination recordings were sufficiently anonymized such that they contained no personal information in relation to the polygraph subjects; and
- (iv) the notes taken by the Secretariat were devoid of personal information; therefore, no personal information was recorded or collected by the Secretariat in the circumstances.
While findings (i) and (ii) above raise the question of whether the Secretariat’s potential viewing of personal information constitutes a collection (section 4 of the Act), we found that this question was not determinative of our findings in this case given NSIRA’s broad mandate and right of access to information under the NSIRA Act. Accordingly, we find the collection issue to be not well-founded.
With respect to the Secretariat’s compliance with section 10 of the Act, our investigation highlighted issues regarding the timeliness of the Secretariat’s request to the Treasury Board Secretariat (TBS) for the approval of several changes respecting PIBs, including the establishment of a new Review-specific PIB. We also noted that NSIRA completed reviews and initiated new ones (including the present Review) in the absence of a Review-specific PIB. As a result, we are not satisfied that the Secretariat fulfilled its obligations under section 10 of the Act when it began the present Review and find this issue well-founded. However, as the Secretariat submitted the request to TBS in January 2022, we find that it has now fulfilled its obligations under section 10 and that this issue is resolved.
Notwithstanding the above, in order to ensure transparency to the public as required by section 10, as well as the TBS requirements that support it, we recommended that the Secretariat take the steps outlined at paragraphs 70 to 71 of this report. The Secretariat acknowledged the OPC’s concerns regarding the timeliness of the request to TBS for approval of the requested PIBs and accepted our findings. It also indicated its commitment to engage with TBS on a priority basis to obtain final approval of the requested PIB changes, and to publish its Info Source page on the institutional website in the coming months to ensure transparency to the public.
The complainants also questioned the reasonableness and proportionality of NSIRA’s access to and review of polygraph examinations. While not currently requirements under the Act, the OPC advocates for the important and broadly recognized data principles of necessity and proportionality, and therefore encourages all institutions that handle Canadians’ personal information to make a conscientious effort to minimize the collection, use and disclosure of personal information required to fulfil the objectives of their programs or activities.
As pertains to the access to security screening files, including audiovisual recordings of polygraph examinations, we find that despite NSIRA’s broad right of access to information, mitigation measures were implemented to address privacy concerns and ultimately, to minimize the negative impacts of the Review on individuals’ privacy. From a necessity and proportionality perspective, we find that these measures minimized privacy impacts.
Lastly, our investigation found that the Secretariat met its obligations under the TBS Directive on Privacy Practices since it had completed a PIA for NSIRA’s review function and published a summary of it. We share certain observations at paragraphs 60 to 62 of this report regarding the timeliness of its PIA submission to TBS.
Background
- In March 2021, NSIRA commenced a review of CSE’s Internal Security Program (Safeguarding) (the Review) pursuant to paragraphs 8(1)(a) and (b) of the NSIRA Act, which included the first-ever evaluation of the use of the polygraph in the security screening process at CSE.
- The Terms of Reference (TOR) for the Review were shared with CSE in October 2021. The TOR detailed how the use of the polygraph examination would form part of NSIRA’s review. Specifically, the Review TOR note that:
This is NSIRA’s first review of CSE’s internal security programs, as such this will be a comprehensive review to assess whether CSE’s internal policies and procedures are compliant with applicable laws, Ministerial Directives and are reasonable and necessary. Furthermore, in past reviews, NSIRA identified a number of deficiencies related to the use of the polygraph examination for enhanced top secret clearances. As such, NSIRA has committed to examining the use of the polygraph examination in this review to assess the legal ramifications and the utility of this investigatory tool. [Footnote 7]
- NSIRA posted a “Backgrounder” on its website and publicly released a copy of both the TOR and a Communique to CSE employees to address concerns about the potential impact the Review may have on individuals’ privacy, given the nature and degree of personal information collected by CSE during the security screening process. [Footnote 8]
- The Communique to CSE employees provided details regarding the purpose and scope of NSIRA’s review, including how it would protect individuals’ privacy. According to NSIRA, its access to this information would be protected and limited to only what was required to conduct the review, the sample to be consulted would be limited to a small percentage of security screening files carried out during the review period, [Footnote 9] and files would be selected based on generic file identifiers, not names nor other personally identifiable information.
- NSIRA further indicated that the Review’s focus was on the process of the polygraph exam and not the details of personal disclosures. It also stated that no more than two NSIRA staff would review each selected file and that no copy of any file would be removed from CSE security offices. It noted that any findings or recommendations in NSIRA’s final report regarding this aspect of the review (polygraphs) would address the content of screening files in the aggregate and would not identify specific individuals or situations.
- NSIRA also reported to the OPC that it was open to measures to anonymize specific employee information that it would have access to in order to respect the privacy of individuals, recognizing the sensitivity of the material involved. CSE employees were informed at an all-staff meeting to direct any concerns regarding NSIRA’s Review to their Member of Parliament, and/or to file a complaint with the OPC.
The Complaints
- The OPC received six complaints regarding NSIRA’s Review, and specifically, regarding its review of CSE’s use of the polygraph requiring NSIRA to access the audio and video recordings of polygraph examinations of a sampling of employees. According to the complainants, a polygraph examination is an extremely invasive interview, both physically and psychologically, in which an individual’s most personal and private details may be disclosed, including details relating to family members, relatives and friends. The complainants raised concerns that disclosure of these interviews for any other purpose or use beyond the security clearance process is unnecessary, intrusive and a significant invasion of privacy.
- The complainants raised the following privacy concerns to the OPC:
- The NSIRA Act provides NSIRA with a broad review mandate and right of access to information; however, NSIRA has a responsibility to exercise its powers in a way that is reasonable and for a legitimate national security and intelligence review purpose. Polygraph interviews are conducted under the authority and requirements of the TBS Standard on Security Screening for the explicit purpose of security screening activities. While the scope of NSIRA’s review of CSE’s internal policies and procedures may reasonably include the merits of polygraph examinations as investigatory tools, the complainants noted that it cannot reasonably and justifiably include the collection and review of recorded interviews from CSE employees. As such, they felt that the proposed review was both unnecessary and outside the scope of NSIRA’s national security and intelligence review mandate as it relates to the activities of CSE, and therefore does not meet the requirements of section 4 of the Act.
- NSIRA’s apparent lack of transparency and accountability in meeting its obligations under section 10 of the Act to identify, describe and publicly report PIBs and classes of personal information in the TBS annual publication entitled Info Source. [Footnote 10]
- Polygraph examinations are conducted for the explicit purpose of the security clearance process – that is, to assess an individual’s criminality and/or loyalty to Canada for the purpose of granting an Enhanced Top Secret clearance. The complainants consented to the polygraph examination for this purpose only, which included signing a statement of consent, and alleged that NSIRA’s viewing of these recordings without consent may not meet the requirements of the Act.
- Given the limited scope of NSIRA’s review (i.e., to assess the legal ramifications and utility of polygraph examinations as an investigatory tool), the complainants felt that the review could have been accomplished without the privacy intrusion being proposed. The complainants indicated that numerous alternatives were proposed to NSIRA and were rejected, which calls into question the reasonableness and proportionality of NSIRA’s access to and review of polygraph examinations.
- Polygraph examinations are administered by qualified personnel according to recognized techniques and written standards that are designed to protect an individual’s rights under the Canadian Charter of Rights and Freedoms. As such, the complainants noted that this calls into question the value and effectiveness of NSIRA’s review, given that NSIRA is not qualified to conduct or interpret polygraph results, including visual, physiological or psychological indicators or reactions.
- In light of a statement NSIRA made regarding Privacy Impact Assessments (PIAs) in the context of a previous review [“NSIRA believes that a PIA is necessary for a program as invasive as the polygraph not only to help ensure the proper collection, handling and storage of personal information; yet equally important to signal to employees that the process is as transparent and respectful as possible”], concerns were raised as to whether NSIRA has conducted any PIAs in relation to its review program and activities.
Jurisdiction
- As a preliminary matter, the NSIRA Act created two distinct entities: the Review Agency [established pursuant to section 3 of the NSIRA Act] and the Secretariat [established pursuant to section 41 of that Act]. Only the Secretariat is a “government institution” and therefore subject to the Privacy Act.
- The Review Agency is the entity that has the mandate to conduct review activities (such as the present Review of CSE), pursuant to section 8 of the NSIRA Act. The mandate of the Secretariat “is to assist the Review Agency in fulfilling its mandate,” as provided for under subsection 41(2) of the NSIRA Act. To this end, the Secretariat plays a substantive role in assisting the Review Agency in conducting reviews, and to the extent the Secretariat collects, uses or discloses personal information while providing this assistance, the Secretariat’s activities in support of reviews are subject to the Privacy Act. [Footnote 11]
Scope and Methodology
- In light of the concerns raised by the complainants, the OPC’s investigation examined whether (i) the Secretariat’s collection of personal information in the context of the Review was compliant with section 4 of the Act; and whether (ii) the Secretariat has met its obligations under section 10 of the Act to include in PIBs all personal information under its control that (a) has been used, is being used, or is available for use for an administrative purpose; or (b) is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.
- With respect to the concerns raised in the complaints regarding the policy requirement to limit the collection of personal information to that which is “demonstrably necessary”, [Footnote 12] the OPC considered the broadly recognized ‘necessity and proportionality’ data principles. Similarly, we considered the policy requirement to complete a PIA in relation to NSIRA’s review activities, which will also address the concerns raised in a complaint.
- Finally, we note that the concerns raised regarding the value and effectiveness of NSIRA’s Review are beyond the scope of the Act. These matters were therefore not considered in the OPC’s investigation.
- In arriving at our conclusions, we considered representations submitted by the complainants and the NSIRA Secretariat, as well as CSE, given its role and implication in the Review. Our investigation also entailed site visits to CSE, meetings with key stakeholders, a review of the anonymized polygraph materials accessed by the NSIRA reviewers, as well as a review of the notes taken by the reviewers during the Review.
- While not a named respondent in this matter, CSE was deemed a third party given its role and implication in the Review. CSE openly and collaboratively engaged with the OPC during the investigation, cooperated with our requests for information, and facilitated access to the anonymized records for the purposes of the OPC’s investigation.
Analysis
Issue 1: Was the Secretariat’s collection of personal information compliant with section 4 of the Act?
- Section 4 of the Act states that no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
- As a preliminary matter, and to address the concerns raised in the complaints regarding consent (i.e., that NSIRA’s viewing of polygraph recordings without consent may not meet the requirements of the Act), we note that consent is not required for collection under section 4 of the Act. To comply with section 4, the personal information collected must “relate directly to the institution’s operating programs or activities”. [Footnote 13]
- The OPC’s assessment of the Secretariat’s compliance with section 4 of the Act in this investigation took into account the unique mandate of the Review Agency and the Secretariat’s role in assisting it. The Review Agency has the mandate to conduct review activities (such as the present Review of CSE), pursuant to section 8 of the NSIRA Act. In particular, pursuant to paragraph 8(1)(a), the Review Agency has the mandate to review any activity carried out by CSE. The mandate of the Secretariat is to assist the Review Agency in fulfilling its mandate, as provided for under subsection 41(2) of the NSIRA Act.
- Our review also took into account the Review Agency’s broad right of access to information in relation to its reviews of the national security and intelligence activities of federal government departments and agencies, which includes CSE. Specifically, subsection 9(1) of the NSIRA Act provides that, “Despite any other Act of Parliament and subject to section 12, the Review Agency is entitled, in relation to its reviews, to have access in a timely manner to any information that is in the possession or under the control of any department.”
- In addition, our assessment was informed by a review of: (i) the privacy protection measures implemented by CSE to reduce privacy risks and to limit access to personal information; (ii) a sampling of anonymized security screening files and polygraph recordings that were implicated in NSIRA’s review; and (iii) a sampling of the notes taken by the NSIRA reviewers during the review.
Privacy protection measures implemented by CSE
- As a preliminary matter, the Secretariat redirected our Office to CSE for information regarding the privacy mitigation measures employed in the context of NSIRA’s review.
- CSE noted that it is legally required to provide timely access to any information in its holdings to NSIRA, in accordance with subsection 9(1) of the NSIRA Act. At the same time, CSE must ensure that it handles personal information in accordance with the Privacy Act and supporting policy instruments. According to the Terms of Reference (TOR) for NSIRA’s Review, NSIRA determined that “employee/applicant security screening files, including, but not limited to audiovisual recordings of polygraph interviews/examinations are highly relevant to NSIRA’s review of CSE’s Internal Security Program (Safeguarding) and that access to them will be required in order to accomplish the stated objectives of the review.”
- CSE submitted that NSIRA’s Requests for Information (RFIs) did not, however, include details regarding how it planned to apply privacy protections, despite the fact that NSIRA’s requests covered large volumes of highly sensitive personal information. CSE reported that it engaged with NSIRA for more than a year to ensure that its employees’ privacy concerns were clearly communicated to NSIRA, that other less invasive methods of conducting the Review were considered, and that privacy mitigations were applied to minimize the impacts on individuals’ privacy. CSE explained that its efforts to protect the privacy of individuals throughout the Review were twofold: continuously engaging with NSIRA to voice privacy concerns related to the methodology of the Review and applying privacy protection measures to the personal information itself before its disclosure to NSIRA. [Footnote 14]
- In its response to our request for information, CSE outlined the privacy protection measures it implemented before its disclosure of the personal information, as well as the steps taken to limit access to the information. These measures included:
- providing certain information to NSIRA as aggregate statistical information;
- de-identifying certain information using a number that only select CSE security personnel could connect to an identifiable individual;
- applying technical solutions to blur faces and modulate voices in polygraph videos;
- redacting information that could allow NSIRA to identify an individual from polygraph videos, audio, and written records;
- requiring NSIRA to carry out its review (including viewing polygraph videos) in a secure, private space on CSE premises, on a standalone computer not connected to a network or the Internet, to ensure that no personal information from polygraph records would leave CSE premises;
- minimizing the number of individuals at CSE who had knowledge of whose polygraph records were selected by NSIRA for the Review;
- minimizing the number of individuals at CSE who had access to the polygraph records selected by NSIRA for the Review; and
- using standalone computers (not connected to a network) to redact most of the video/audio records, to eliminate the risk that a system administrator from another internal IT security team, networking team, or corporate storage team could gain access to the unmasked video files, accidentally or otherwise.
- CSE explained the process it undertook to provide NSIRA with a de-identified list of the polygraph examinations that took place during the review period (January 2018 to July 2021). The intent was to ensure that NSIRA randomly selected files to be included in the Review and did not learn the identity of the employees associated with the selected files.
- Given the extreme sensitivity of the personal information that may be contained in the security screening files sought by NSIRA, CSE reported that it redacted “any and all information that could allow the NSIRA reviewers to identify the subjects”; however, CSE also indicated that it complied with NSIRA’s request for specific information due to its legal authority under subsection 9(1) of the NSIRA Act. [Footnote 15] CSE did indicate that due to the obfuscation measures (blurring of images) applied to the polygraph recordings, there was little chance of distinguishing marks (e.g., tattoos, scars and other physical descriptors) being clearly visible.
- CSE explained that NSIRA was not authorized to remove the records from CSE premises or make copies of the records, but that CSE did not have access to or control over the notes taken by NSIRA reviewers during their review of the records.
- CSE confirmed that it had informed each employee impacted by NSIRA’s review, advising that their files had been selected. These individuals were provided details regarding the selection methodology and the privacy protection measures applied to their personal information before disclosure to NSIRA in the context of the Review.
Review of anonymized records
- CSE facilitated the OPC’s review (on CSE’s premises) of a sampling of the records it anonymized for the purposes of NSIRA’s Review. [Footnote 16] This included the subject’s security screening file and polygraph examination recording. We also reviewed the notes taken by Secretariat staff during their review of these specific files. The OPC’s key observations are outlined below.
Security screening files
- The OPC’s investigation included a review of the redactions applied by CSE to anonymize the security screening files and to comply with NSIRA’s request. In the information that CSE did provide to NSIRA, we found that: (i) the disclosure of certain information elements (such as descriptions of tattoos or other physical markings (scars)) increased the risk that a subject could be identified; (ii) the combination of certain information elements (e.g., physical descriptors such as height, weight and eye colour) increased the risk of re-identification; and (iii) there was an oversight in applying redactions to a file, resulting in the accidental disclosure of a subject’s first and last name, home address and telephone number. [Footnote 17]
- Overall, we found that while the redactions applied to the files, combined with the administrative controls and safeguards implemented during the Review, as well as the objectives of the Review (i.e., focused on the polygraphist’s behaviour and line of questioning, not the subjects), significantly reduced the risk that a subject could be re-identified, they did not eliminate it completely. Indeed, we found that these measures were insufficient to render the information ‘non-personal’ and outside the scope of the Act. As noted above, our investigation also revealed that the identity of one subject was not redacted and therefore disclosed in error in one of the sample files we reviewed.
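The observation above, that individually innocuous descriptors combine to single out a subject, can be checked mechanically before records are released. The script below is an added example written for this page, not code from the OPC, CSE or NSIRA; it uses constructed records with invented file identifiers and computes, for each record, how many others share the same combination of quasi-identifiers (the equivalence class size k), first on the exact descriptors and then after coarsening them.

```python
"""Re-identification risk check over de-identified screening records.

Constructed example, not taken from the report: each record has had direct
identifiers (name, address, phone) removed but keeps physical descriptors.
A record whose combination of descriptors is unique in the release (k == 1)
can be singled out by anyone who knows those facts about one person, even
though no single descriptor identifies anyone on its own.
"""
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Record:
    file_id: str      # generic file identifier (invented), never a name
    height_cm: int
    weight_kg: int
    eye_colour: str
    markings: str     # free-text tattoo/scar description; "" once redacted


ALL_FIELDS: Tuple[str, ...] = ("height_cm", "weight_kg", "eye_colour", "markings")


def quasi_key(rec: Record, fields: Sequence[str]) -> tuple:
    """The combination of quasi-identifier values a reviewer would see."""
    return tuple(getattr(rec, f) for f in fields)


def class_sizes(records: Iterable[Record], fields: Sequence[str]) -> Dict[str, int]:
    """Map each file_id to k: the number of records sharing its combination."""
    recs = list(records)
    counts = Counter(quasi_key(r, fields) for r in recs)
    return {r.file_id: counts[quasi_key(r, fields)] for r in recs}


def singled_out(records: Iterable[Record], fields: Sequence[str]) -> List[str]:
    """File ids whose descriptor combination is unique (k == 1) in the release."""
    return sorted(fid for fid, k in class_sizes(records, fields).items() if k == 1)


def min_k(records: Iterable[Record], fields: Sequence[str]) -> int:
    """Smallest equivalence class in the release; 1 means someone is unique."""
    return min(class_sizes(records, fields).values())


def generalise(rec: Record) -> Record:
    """Coarsen descriptors: 10 cm / 10 kg buckets, free-text markings redacted."""
    return replace(
        rec,
        height_cm=(rec.height_cm // 10) * 10,
        weight_kg=(rec.weight_kg // 10) * 10,
        markings="",
    )


# Constructed sample release; values and identifiers are invented.
SAMPLE: List[Record] = [
    Record("F-01", 178, 82, "brown", ""),
    Record("F-02", 175, 80, "brown", "anchor tattoo, left forearm"),
    Record("F-03", 171, 75, "blue", ""),
    Record("F-04", 178, 82, "brown", ""),
    Record("F-05", 176, 78, "blue", "scar through right eyebrow"),
    Record("F-06", 170, 72, "blue", ""),
]


def report(records: Sequence[Record]) -> Dict[str, List[str]]:
    """Which files are singled out under each view a reviewer might have."""
    coarse = [generalise(r) for r in records]
    return {
        "eye colour only": singled_out(records, ("eye_colour",)),
        "height + weight + eye colour": singled_out(
            records, ("height_cm", "weight_kg", "eye_colour")),
        "markings text only": singled_out(records, ("markings",)),
        "all fields after generalisation": singled_out(coarse, ALL_FIELDS),
    }


if __name__ == "__main__":
    for view, ids in report(SAMPLE).items():
        print(f"{view:34s} -> singled out: {ids or 'none'}")
```

Eye colour alone singles out nobody, yet the exact height/weight/eye-colour triple and the free-text markings each isolate individual records; only the coarsened release leaves every record in a class of at least three.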
Polygraph Recordings
- Our review of the anonymized polygraph examination recordings enabled us to confirm that steps were taken by CSE to blur the subjects’ faces, and to modulate their voices. CSE also shared with the OPC a description of the technology and methods implemented to obfuscate the video files.
- Given the privacy mitigation measures that were applied to the recordings, combined with the administrative controls and safeguards implemented during the Review, we found that the risk of re-identification of the subjects was very low. In fact, we agree with the Secretariat’s position that, “The videos as modified are so deeply anonymized with the subject so heavily pixelated that one can barely detect that a human silhouette is sitting in a chair, not to mention the voice modulation and the effects of additional content editing of the conversation.” We are therefore satisfied that the polygraph recordings contained no personal information relating to the subjects.
The Secretariat’s Notes
- The Secretariat consistently asserted in its representations to the OPC that it has no personal information in its possession relating to polygraph examinations. Specifically, the Secretariat submitted that “any notes taken by NSIRA Secretariat staff during the review of the recordings are entirely focused on the behaviours of the polygraph examiners and are devoid of any personal information about the (already anonymized) interview subjects.”
- Following our review of a sampling of notes taken by NSIRA reviewers, we were satisfied that no personal information related to the subjects was recorded in the notes taken. We were able to confirm that the notes focus specifically on the polygraphist and line of questioning during the polygraph interview.
Did the Secretariat collect personal information directly related to its operating program or activity?
- As stated above, our investigation found that the measures implemented to protect individuals’ privacy in the paper files (redactions) presented some risks to privacy given the data elements that remained un-redacted. In our view, there was a risk that subjects could be re-identified based on the information available to the reviewers such that we consider it ‘personal information’ and within the scope of the Act. Relatedly, our review revealed that the identity of a subject was disclosed (not redacted) in error in a file, which is clearly personal information.
- In a situation where personal information is seen (or heard) but not recorded or retained in a physical or virtual copy, it becomes less clear whether that information was ‘collected’ by the institution. Even if information is seen but not collected, there may nevertheless be a subsequent ‘use’ of that information, meaning that even in the absence of a record or retained copy, this information may not be automatically out of scope of section 4 of the Act.
- However, given that section 4 of the Act only requires a direct connection between the personal information collected and the operating program or activity, this question was not determinative of our findings. In this case, NSIRA conducted the review pursuant to its significant statutory mandate and broad right of access to information under its enabling legislation.
- Finally, our investigation confirmed that the source material at issue in the complaints – the polygraph examination recordings – were sufficiently anonymized such that they contained no personal information in relation to the polygraph subjects. Further, we are satisfied that the notes taken by the Secretariat were devoid of personal information, and that therefore, no personal information was recorded or collected by the Secretariat in the circumstances.
- In light of the above and given the broad mandate and right of access in the NSIRA Act, we find the collection issue to be not well-founded.
Issue 2: Is the Secretariat compliant with PIB obligations under the Act?
- Under section 10 of the Act, heads of government institutions are required to ensure that all personal information under their control that has been used, is being used, or is available for use for an administrative purpose or that is organized or retrievable by the name of the individual, identifying number or symbol etc., is included in PIBs.Footnote 18
- The President of the Treasury Board, as designated Minister, holds general responsibility for registering all PIBs and is responsible for reviewing and approving new or substantially modified PIBs, as required under subsection 71(4) of the Act, and in line with the requirements of the Directive on Privacy Practices.Footnote 19 That Directive supports the President of the Treasury Board’s responsibilities by ensuring that privacy implications will be appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented. As required by section 11 of the Act, the President of the Treasury Board is also responsible for ensuring that at least once a year, an index of PIBs, describing the banks and various required elements, is published for all government institutions.
- The Secretariat reported that in January 2022, it submitted a request to TBS for the approval of several changes respecting PIBs, including the establishment of a new Review-specific PIB. The requested changes were still pending the approval by TBS at the time of writing of this report. The Secretariat submitted that it is compliant with applicable legal and policy requirements in respect of PIBs, and that any delays associated with the pending approval by TBS of these PIBs is beyond its control.
- The Standard on Privacy Impact Assessment (Appendix C of the Directive on Privacy Practices) requires institutions to fulfill certain responsibilities related to section 10 of the Act, including obtaining approval of any new or substantially modified PIB before implementing the new or substantially modified program or activity that is related to the PIB. While we understand that delays by TBS are beyond the Secretariat’s control, we noted that the Secretariat did not submit a request to TBS until almost two and a half years after NSIRA was established.Footnote 20 With respect to the Review-specific PIB, we also noted that more than 20 reviews have been completed by NSIRA (including the present Review which recently concluded)Footnote 21 and five reviews remain ongoing in the absence of this PIB. In fact, NSIRA initiated the present Review in March 2021, almost 10 months before it submitted the request to TBS.
- Under sections 10 and 11 of the Act, government institutions administering programs and TBS have a shared responsibility to ensure that PIB descriptions available to the public are up to date and published on a timely basis. However, to give effect to section 11 of the Act and make it meaningful, we expect institutions to fulfil their obligations under section 10 as soon as reasonably possible to ensure that all PIB updates are captured in the annual publication of the personal information index. Subsection 71(4) of the Act makes it clear that TBS approval is required to establish a new PIB or substantially modify an existing PIB.
- In order to comply with section 10, institutions must draft new PIBs or propose modifications to existing PIBs, get them approved by the delegated head of privacy for their institution and submit them to TBS before implementing any new or substantially modified programs or activities.
- In light of the above, we are not satisfied that the Secretariat was compliant with the requirements of section 10 when it began the present Review and we therefore find this issue well-founded. However, as the request was submitted to TBS in January 2022, we are satisfied that the Secretariat has now fulfilled its obligations under section 10 and this issue is resolved.
- Notwithstanding the above, as the PIBs in question are still pending TBS approval, we expect the Secretariat to collaborate with TBS on a priority basis to have the requested changes to the existing PIBs and the new proposed PIB approved and published, to ensure transparency to the public in respect of its collection and handling of personal information.
- We also noted that, since the creation of NSIRA in 2019, there is no evidence to demonstrate that steps were taken by the Secretariat to publish NSIRA’s institutional Info Source page on the NSIRA website, as required by TBS’s Info Source Online Publishing Requirements.Footnote 22 In fact, our online searches found that the NSIRA listing on the TBS Info Source: List of Institutions website connects users to the Info Source page of the former Security Intelligence Review Committee (SIRC).Footnote 23
- The TBS Online Publishing Requirements took effect on July 1, 2023, and outline the responsibilities of the heads of institutions (or their delegates) for Info Source publication and updates on their websites, including the requirements to: (i) publish specific content (e.g., a description of (or links to) the institution’s history, legislative foundation, mandate, program responsibilities, etc.), (ii) annually update the Info Source page in advance of the institution’s due date,Footnote 24 and (iii) list all PIBs that are registered, pending approval and registration or pending termination (section 4.7.4).
- Pursuant to the spirit and objectives of the Act, we expect institutions to be compliant with TBS requirements. This includes publishing and annually updating their institutional Info Source page and description of PIBs to ensure transparency to the public. In light of the foregoing, we strongly encourage the Secretariat to publish the NSIRA Info Source page on its website, in line with TBS requirements.
Other
Necessity and Proportionality
- According to the complainants, numerous alternatives for access and review of polygraph examinations were proposed to NSIRA and rejected, which the complainants assert calls into question the reasonableness and proportionality of NSIRA’s request. For instance, CSE noted in its submissions that it proposed a consent-based approach that involved seeking volunteers to participate in the Review. However, NSIRA rejected this approach.
- It is clear that NSIRA’s Review underscored the need to carefully balance important interests. On the one hand, NSIRA has a legitimate need to access information to fulfil its review mandate; on the other hand, the complainants have raised concerns that there must be appropriate limits on the amount and type of personal information that NSIRA can access.
- Despite the broad authority conferred on NSIRA under its enabling legislation, our investigation revealed that NSIRA recognized the sensitivity of the information that is collected during a polygraph examination and took steps to collaborate with CSE for the implementation of safeguards to mitigate privacy risks.
- The broadly recognized principles of necessity and proportionality have been adopted in many jurisdictions around the world under privacy laws, or as policy requirements or best practices. These principles are important considerations in protecting individuals’ fundamental right to privacy, and the OPC therefore encourages all institutions that handle Canadians’ personal information to make a conscientious effort to minimize the information required to fulfil the objectives of their programs or activities.
- It should be noted that the OPC has recommended for several years that the collection of personal information by government institutions should be governed by a necessity and proportionality standard.Footnote 25 However, this is not yet required under the Act and to this day only remains a policy requirement. Specifically, section 4.2.9 of the TBS Directive on Privacy Practices states that government institutions should limit the collection of personal information to only that which is “demonstrably necessary”.Footnote 26
Privacy Impact Assessment
- A PIA is the most comprehensive process currently in place to evaluate the effects of a specific initiative on individuals’ privacy; it represents a core component of an institution’s privacy compliance framework. When done properly and approved by TBS before launching an initiative, PIAs can help ensure that legal requirements are met and that privacy impacts are either addressed or mitigated.
- The Standard on Privacy Impact AssessmentFootnote 27 provides details on the requirements set out in section 4 of the Directive on Privacy Practices for completing PIAs. Institutions seeking TBS approval for programs or activities that involve personal information should make every reasonable effort to initiate the PIA at the earliest possible phase of project planning.Footnote 28 TBS has a responsibility to review the PIA, and to fulfill its obligations with respect to the review and approval of PIBs. Institutions are also required to provide their completed PIA to the OPC at the same time that they provide it to TBS,Footnote 29 and to publish a summary of the PIA. Public reporting allows individuals to better understand how a government institution is using their personal information and helps foster trust in the institution’s operations.
- With respect to the complainants’ concerns regarding NSIRA’s obligations to complete a PIA (for its review program and activities), our investigation confirmed that a PIA was completed when NSIRA was established (which covers the review function of NSIRA’s mandate) and submitted to TBS and the OPC in January 2022.Footnote 30 We also confirmed that a summary of the PIA was published on NSIRA’s website in August 2022, which includes a completed risk area identification and categorization section.Footnote 31
- In light of the above, we are satisfied that the Secretariat met its obligations under the TBS Directive on Privacy Practices since it completed a PIA and published a summary of it. Nevertheless, we noted that the Secretariat did not submit the PIA to TBS until almost two and a half years after NSIRA was established (at the same time it submitted its request for changes to PIBs), and in that time, NSIRA conducted a number of reviews. In fact, the Review that is the subject of this report was launched in 2021, almost a year before the PIA and PIB request were submitted to TBS.
- The timeliness of PIA submissions to TBS is directly related to the obligations that TBS has vis-à-vis PIBs. Specifically, TBS is required to review PIAs to fulfill its obligation with respect to the review and approval of PIBs, and institutions are required to obtain approval of any new or substantially modified PIB before implementing the new or substantially modified program or activity that is related to the PIB.Footnote 32
- To this end, we wish to remind the Secretariat of the importance of submitting to TBS and the OPC in a timely manner (before the implementation of the program or activity) its completed PIAs, along with any proposed new or substantially modified PIB descriptions.
NSIRA’s Review of CSE
- The OPC reviewed NSIRA’s final report in relation to its Review of CSE’s Use of the Polygraph for Security Screening, published on September 26, 2024. We confirmed that the review findings were represented in aggregated format (summary) and do not contain personally identifiable information. This is consistent with the representations made by NSIRA.
Findings and Recommendations
- The OPC’s investigation assessed whether personal information was collected by the Secretariat in the circumstances outlined in the complaints. Overall, we found that while the mitigation measures implemented to de-identify the information and to limit access to personal information significantly reduced the risk that subjects could be re-identified, it did not eliminate it completely.
- Notwithstanding, we confirmed that the source material at issue in the complaints – the polygraph examination recordings – were sufficiently anonymized such that they did not contain personal information in relation to the polygraph subjects. Moreover, the notes taken by the Secretariat were also devoid of personal information.
- While our findings raise the question of whether the Secretariat’s potential viewing of personal information constitutes a collection to engage section 4 of the Act, this question was not determinative of our findings in this case.
- In light of the above and given NSIRA’s broad right to access information that is relevant to its independent review function, as well as the Secretariat’s role to assist in this function, we find the collection issue not well-founded.
- With respect to the Secretariat’s obligations under section 10 of the Act, our investigation highlighted concerns with respect to the timeliness of the Secretariat’s request to TBS for the approval of several changes respecting PIBs, including the establishment of a new Review-specific PIB. We also noted that NSIRA completed reviews and initiated new ones (including the present Review), in the absence of a Review-specific PIB.
- We therefore find that the Secretariat did not fulfill its obligations under section 10 of the Act when it began the present Review and find this issue well-founded. However, as the Secretariat submitted the request to TBS in January 2022, we are satisfied that it has now fulfilled its obligations under section 10 and this issue is resolved.
- While the Secretariat noted that the PIBs in question are still pending TBS approval and that this approval remains beyond its control, we expect the Secretariat to collaborate with TBS on a priority basis to obtain TBS’s final approval of the requested changes to the existing PIBs, as well as the new proposed PIB. This will ensure greater transparency to the public in respect of its collection and handling of personal information.
- We also noted that, since the creation of NSIRA in 2019, there is no evidence to demonstrate that steps were taken by the Secretariat to publish NSIRA’s institutional Info Source page on the NSIRA website, as required by TBS’s Info Source Online Publishing Requirements. We therefore strongly encourage the Secretariat to publish the NSIRA Info Source page on its website, in line with the requirements of the TBS Info Source Online Publishing Requirements.
- In its response to the OPC’s preliminary report, the Secretariat acknowledged the OPC’s concerns regarding the timeliness of the request to TBS for approval of PIB-related changes and indicated its commitment to engage with TBS on a priority basis to obtain final approval. Additionally, the Secretariat indicated that it is committed to publish its Info Source page on the institutional website in the coming months to meet its obligations under TBS’s Info Source Online Publishing Requirements and to ensure transparency to the public.
Observations
- The polygraph is one of the primary tools used to assess an individual’s reliability and loyalty during the security screening process. A significant amount of highly personal and sensitive information is collected as a result of the use of the polygraph.Footnote 33 Furthermore, the personal information disclosed in a polygraph examination could have potentially significant and lasting negative impacts on the reputation of the individual, their career and relationships. We therefore wish to recognize and acknowledge the concerns raised by the complainants in this case regarding NSIRA’s Review and its request to access polygraph examinations.
- We also acknowledge that previous reviews conducted by NSIRA and its predecessor, SIRC, found deficiencies related to the use of the polygraph, including privacy and reliability concerns.Footnote 34 In its 2019 Annual Report, NSIRA shared its observations regarding the use of the polygraph, including its concerns as they relate to the TBS Standard on Security Screening (the Standard).Footnote 35 We note that similar issues were found by NSIRA in its recent Review of CSE.Footnote 36 As conveyed by NSIRA in the Communique it issued to CSE employees, these concerns underline the importance of striking a balance between security requirements and employee privacy rights.
- We find that the underlying concerns raised in the complaints (i.e., NSIRA’s access to highly sensitive personal information collected during a polygraph examination) underpin the objectives of NSIRA’s Review. Indeed, it would be very difficult for NSIRA to assess the privacy intrusiveness and utility of the polygraph examination without access to the source material. We therefore wish to take this opportunity to highlight the efforts of NSIRA – and also of CSE for the role it played in the circumstances – to address privacy concerns and mitigate privacy risks through the implementation of safeguards. Despite the broad authority conferred on NSIRA under the NSIRA Act, it recognized the sensitivity of the information that is collected during a polygraph examination and took steps to anonymize specific personal information.
- Lastly, we take this opportunity to highlight the importance of PIAs in helping institutions ensure compliance with the legal requirements set out in the Privacy Act. Effective PIAs can help institutions build trust with Canadians by demonstrating due diligence and compliance with legal and policy requirements, as well as privacy best practices. While not a requirement under the Act, ensuring that completed PIAs (and any proposed new or substantially modified PIB descriptions) are submitted to TBS and the OPC in a timely manner is a key measure to ensure that privacy implications are appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented.