Audit Report of the Privacy Commissioner of Canada
Examination of RCMP Exempt Data Banks
A Special Report to Parliament
February 13, 2008 – An audit by the Office of the Privacy Commissioner of Canada has found that many national security and criminal operational intelligence files sheltered from public access in the RCMP’s exempt data banks did not belong there.
More than half of the files tested as part of the audit should not have been in the exempt banks. These findings are particularly concerning given that, with few exceptions, the audit was conducted on randomly selected files already examined by the RCMP as part of an internal review.
The fact that tens of thousands of records were held in these exempt banks when their inclusion was unwarranted was surprising to the Office of the Privacy Commissioner (OPC) given that the RCMP had undertaken to correct serious compliance problems uncovered by another audit 20 years ago.
The results of the audit were detailed in a special report to Parliament today – the first time the Privacy Commissioner has used her powers to issue such a report.
The complete report is available at www.priv.gc.ca. The following is a summary of the special report:
Exempt Banks - Background
Exempt data banks serve to withhold the most sensitive national security and criminal intelligence information. Government departments and agencies which control these records will consistently refuse to confirm or deny the existence of information in response to an individual’s request for access.
Exempt banks provide institutions with the privilege of keeping information totally exempt from public access. It is therefore incumbent upon those institutions to ensure such banks are restricted to files that legitimately warrant inclusion.
In 1986-87, the OPC conducted an audit of the RCMP’s Criminal Operational Intelligence Records Exempt Bank and found it was not in compliance with section 18 of the Privacy Act. The exempt bank order was rescinded for non-compliance and then reinstated with an understanding there would be strict adherence to guidelines for managing exempt bank holdings.
Section 18 of the Privacy Act permits the Governor in Council to, by order, designate as exempt banks certain personal information banks that contain files, all of which consist predominantly of personal information as described in section 21 or 22 of the Act. Section 21 protects personal information, the disclosure of which could reasonably be expected to be injurious to the defence of Canada or an ally or international affairs. Section 22 is intended to protect information obtained by investigative bodies during the course of lawful investigations. It also protects information, the disclosure of which could be harmful to the enforcement of any law in Canada or the conduct of lawful investigations.
The RCMP currently holds two exempt data banks. They are: Criminal Operational Intelligence Records; and National Security Investigations Records.
With few exceptions, Canadians have a right to access their personal information held by federal government institutions. Government transparency and accountability are fundamental concepts in democratic countries.
Individuals may be the subject of a national security file but have no way of knowing about it or correcting the record.
Being named in a national security exempt bank file could have a harmful impact, particularly in a post 9-11 environment. For example, it could potentially affect someone trying to obtain an employment security clearance, or impede an individual’s ability to cross the border.
Canadians should be able to see that personal information – except under limited circumstances, such as where the disclosure could threaten national security, international affairs or a lawful investigation.
We had hoped this audit would provide Canadians with a level of assurance that the RCMP’s exempt banks contain only the most sensitive national security and criminal intelligence information. Unfortunately, this is not the case.
The OPC’s Role
The Privacy Act attempts to strike a balance between individual access rights and the state’s right to protect information relating to a particular public or private interest.
Section 36 of the Privacy Act empowers the Privacy Commissioner to review files contained in an exempt bank and make recommendations she considers appropriate. For example, the Commissioner could request the removal of any file which, in her opinion, does not meet the established criteria for inclusion in the bank. If the institution refuses to remove the file, the Commissioner may apply to the Federal Court for a review.
The concept of exempt banks is defensible. We appreciate the special circumstances of security and intelligence work. We also recognize the importance of assuring law enforcement and security partners, both domestic and abroad, that information provided in confidence will be protected accordingly. Any perception that such protection has been lost may adversely affect the flow of information that is vital to the RCMP’s investigative activities.
At the same time, individuals could potentially find themselves the subject of an exempt bank file by being in the wrong place, at the wrong time, talking to the wrong person. Inclusion in the bank may also be the result of information provided by a neighbour, friend or associate motivated by something other than civic responsibility. This is why, as much as possible, people should be able to review their personal information.
Purpose of the Audit
There were a number of risks which led the OPC to believe an audit should be conducted:
- The inherent sensitive nature of the information stored in the banks;
- The increased sharing of information, including exempt bank data, between law enforcement and security partners following 9-11;
- Exempt banks had not been reviewed for 20 years.
The examination was viewed as important in terms of providing Canadians with a level of assurance that the banks are properly managed – and by extension, that the privilege of keeping them totally exempt from public access was defensible.
Key Audit Findings
- Files were readily identifiable as exempt and were examined prior to placement in the exempt banks. However, files have not been sufficiently managed to ensure that their exempt bank status was validated on an ongoing basis as required under RCMP policy.
- Of the exempt bank files opened prior to 2004, approximately 70 per cent of the national security files and 90 per cent of the criminal operational intelligence files the OPC tested had not been subject to ongoing review to validate their exempt bank status.
- Some files did not meet the predominance requirement of section 18 of the Privacy Act. Examples included policy-related records on tips received under the Crime Stoppers program and a file opened to store documents related to the RCMP’s attendance at a Canada-US Security Fraud Enforcement Conference in 1998.
- The RCMP’s exempt bank policy threshold is not being met. Of the 116 files among the audit sample that met the predominance test under the Privacy Act, over 50 per cent of the national security files and 60 per cent of the criminal operational intelligence files did not warrant continued exempt bank status under internal RCMP policy. These files related to investigations that had been closed for an extended period of time and the rationale for continued exempt bank status – from either a criminal intelligence or national security perspective – was not evident.
Examples of files in the National Security Investigations Records Exempt Bank:
A resident contacted police with an allegation that an individual had entered a rooming house in the neighbourhood and suspected drugs may be involved. The investigation revealed that, in fact, the individual had dropped off his daughter at a school down the street from the rooming house and had stepped out of his car to have a cigarette.
The file was still in the exempt bank approximately seven years after the incident occurred.
A participant in a youth project sent an e-mail to other participants in which he made a threat against senior government officials. He was subsequently dismissed from the project and police were contacted.
When he was interviewed by police, the young man indicated he hadn’t realized his comments would be taken so seriously. He was cautioned about the potential consequences of his actions. The RCMP concluded he did not pose a threat.
The file was still in the exempt bank approximately seven years after the incident occurred.
RCMP Internal Review
The RCMP initiated an internal review a few months after the Privacy Commissioner announced her intention to conduct an audit of the exempt banks.
As of September 19, 2007, more than 1,400 national security files and approximately 45,000 criminal operational intelligence documents had been removed from the exempt banks as a result of the RCMP’s internal review.
The internal review found varying rates of compliance with exempt data bank criteria.
For example, almost 99 per cent of criminal intelligence exempt data bank holdings – more than 2,700 documents – at RCMP headquarters should not have been there under the Privacy Act and/or RCMP policy.
At B Division in Newfoundland and Labrador, roughly two-thirds of documents – close to 37,000 – were incorrectly stored in the criminal intelligence exempt bank.
Despite the large number of records removed during the RCMP’s internal review, the two exempt banks remain overpopulated. More work is required.
The audit identified a few key reasons for the problems:
- The RCMP lacks a well-defined accountability infrastructure, which would ensure designated officials are held responsible for ensuring the exempt banks comply with the law and RCMP policy.
- There is a general lack of awareness among staff of exempt bank policy.
- There has been an absence of ongoing monitoring and regular audit of exempt bank files.
While a comprehensive framework for managing the banks has been in place since 1990, key control features – such as prescribed ongoing reviews and compliance monitoring – were largely ignored prior to 2006.
As a result, thousands of records remained in the exempt banks for periods when their inclusion was unwarranted from either a national security or criminal intelligence perspective.
A History of Problems
The audit’s conclusions are particularly concerning given the history of RCMP exempt banks.
In 1990, the RCMP made a commitment to correct serious problems with an exempt data bank and to strictly follow guidelines for managing exempt bank holdings in the future. In our view, the RCMP has not met this commitment.
Approximately 20 years after problems were identified with an RCMP exempt bank, an audit has again identified a large number of compliance issues.
In moving forward, the RCMP must develop a strategy to verify that its current exempt bank holdings comply with the requirements of section 18 of the Privacy Act and associated internal policies. The RCMP’s Access to Information and Privacy (ATIP) Directorate should be fully engaged in this exercise.
Accountability for the ongoing maintenance of exempt banks must be clearly defined and enforced. Further, given that following policy requirements is key to maintaining the integrity of the files over time, exempt bank related compliance audits should be included in the RCMP’s future plans and priorities.
Considerable resources and a coordinated effort will be required to sustain the integrity of the banks. Left unattended, the RCMP runs the risk of placing itself in a position similar to that of the late eighties when the validity of its exempt bank order was challenged – and ultimately revoked by the Governor in Council.
The RCMP has responded positively to our recommendations. Of particular note, the RCMP plans to centralize the review mechanism for files being considered for exempt bank status.
The OPC plans to review actions taken by the RCMP to improve the management of its exempt banks within the next two years.
The RCMP’s National Security Investigations Records exempt bank includes records related to “Project Shock” – the effort to coordinate all tips received related to the 9-11 terrorist attacks.
Project Shock was not examined as part of this audit; however, we examined a sampling of records in 2002. We found tips generally related to suspected terrorist affiliations, suspicious persons or suspicious activity. We noted a number of tips appeared innocuous in nature, and in some cases seemed to amount to little more than public hysteria during a time of crisis.
Shortly after the completion of the OPC audit, the RCMP completed a full examination of this file, which contains tens of thousands of records. Upon review, the records were found not to meet the criteria for continued inclusion in the national security exempt bank and have been removed.