Overview of 2015–2016 Findings and Recommendations
During the 2015–2016 reporting year, the Commissioner submitted seven classified reports to the Minister on his reviews of CSE activities.
The reviews last year were conducted under the Commissioner's authority:
- to ensure CSE activities are in compliance with the law — as set out in paragraph 273.63(2)(a) of the National Defence Act (NDA); and
- to ensure CSE activities carried out under a ministerial authorization are authorized — as set out in subsection 273.65(8) of the NDA.
The first review examined CSE support to the Canadian Security Intelligence Service (CSIS) under part (c) of CSE's mandate regarding a certain type of reporting involving Canadians, in particular, the risk such reporting presents to the privacy of Canadians.
One review examined certain metadata activities related to CSE's foreign signals intelligence activities. This review was the second in an ongoing comprehensive review of CSE's metadata activities.
Another review looked at a specific method used by CSE to collect foreign signals intelligence that regularly results in the highest number of private communications unintentionally intercepted.
As in previous years, the Commissioner conducted annual reviews of ministerial authorizations for foreign signals intelligence and cyber defence, including spot check examinations of private communications intercepted, used, retained and destroyed by CSE; of CSE disclosures of Canadian identity information; and of CSE incidents and procedural errors related to privacy.
The results
Each year, the Commissioner provides an overall statement on findings about the lawfulness of CSE activities. This past year, all of the CSE activities reviewed complied with the law.
As well, this year, the Commissioner made five recommendations to promote compliance with the law and strengthen privacy protection, including that:
- CSE keep the Minister informed of its activities to transmit to CSIS a certain type of reporting involving Canadians;
- CSE reconcile the discrepancies between its practices and the administrative requirements in the ministerial directive for a specific method of foreign signals intelligence collection;
- CSE issue guidance on marking and counting cyber defence private communications to ensure accuracy and consistency in reporting to the Minister;
- CSE make certain that future records in the Privacy Incidents File contain adequate information to describe and document each incident in a thorough manner; and
- the NDA be amended in order to clarify CSE's authority to collect, use, retain, share and disclose metadata.
20 years of effecting change through review
The Commissioner's reviews are an important factor in promoting a culture of compliance within CSE. The following are but a few examples of how the Commissioners' reviews have shaped CSE practices and strengthened the protection of the privacy of Canadians.
- Request memoranda for ministerial authorizations now contain enhanced explanations and rationales, so that the Minister can better understand what CSE is proposing that he authorize.
- CSE suspended certain metadata activities that the Commissioner questioned, in order to re-examine how they are conducted.
- CSE implemented systems to better document and track requests from and disclosures to clients and partners of Canadian identity information.
- CSE enhanced its information management procedures, including centralizing its records management system and bolstering its rules for record retention and disposal, so that CSE can better document, track and provide evidence of its activities and compliance.
- CSE clarified authorities and revised procedures for the provision of operational assistance to Canadian law enforcement and security agencies.
- CSE sought input from the Commissioner's office when it made significant changes to the accountability framework and policies and procedures for cyber defence activities conducted under ministerial authorizations.
- CSE reports to the Minister relating to privacy are now more comprehensive, for example, relating to one-end Canadian communications and to information shared with and received from second party partners.
- CSE strengthened its policy for the active monitoring by CSE managers of the activities of employees relating to compliance and privacy protection, and ensuring employees are adequately trained on compliance and privacy requirements.
- Another success story demonstrates the importance of entrenching review body collaboration and cooperation in legislation, since security and intelligence agencies already work together. In a review of CSE operational assistance to the Canadian Security Intelligence Service (CSIS) under certain Federal Court warrants authorizing collection of intelligence on Canadians outside of Canada, the Commissioner recommended that CSE advise CSIS to further inform the Court of the nature of the assistance CSE was providing with the involvement of its second party partners. With the tabling of the Commissioner's public annual report, the Court became aware of the matter and found that it had no jurisdiction to approve the assistance, and that the failure to disclose certain information to the Court was the result of a deliberate decision to keep it in the dark. At the time, CSIS suspended its requests to CSE for assistance involving the second party partners.