Notes for Remarks to the HofC Standing Committee on Access to Information, Privacy and Ethics (ETHI)

Re: Security of Canada Information Sharing Act (SCISA)

By the Hon. Jean-Pierre Plouffe

Communications Security Establishment Commissioner

Thursday, 8 December 2016

Check Against Delivery

Chair, honourable members, I am pleased to appear before this committee on the subject of the Security of Canada Information Sharing Act. I am accompanied by Bill Galbraith, the Executive Director of my office.

Before I make a few remarks about activities under this Act, and since this is my first appearance before this committee, I will very briefly describe my mandate and the role of my office.

You have my biographical note, so I won't go over that, but I would like to say that I have found that my decades-long experience as a judge has stood me in very good stead in my three years as CSE Commissioner. Being a retired or supernumerary judge of a superior court is a requirement set out in the National Defence Act, the legislation that mandates both my office and the Communications Security Establishment. 

The CSE Commissioner is independent and arm's length from government. My office has its own budget granted by Parliament.  I have all the powers under Part II of the Inquiries Act which gives me full access to all CSE facilities, files, systems and personnel, including the power of subpoena, should that be necessary.

My mandate is threefold:

First:   To review the activities of CSE to determine whether they are in   compliance with the law, including protecting privacy.  This is the major portion of our work;

Second: I may receive and investigate any complaints I consider necessary. Complaints are rare, reflecting the foreign focus of CSE activities;

Third:    I have a duty to inform the Minister of National Defence and the Attorney General of any activity of CSE that I believe may not be in compliance with the law. 

The Commissioner's external, independent role, focused on CSE, assists the minister responsible for CSE in his accountability to Parliament for that agency. My annual report, tabled in Parliament, describes the results of my reviews.

Let me turn now to the Security of Canada Information Sharing Act, SCISA.

What I have to say will be relatively brief. I will describe to you the experience of my office with respect to SCISA and then make a number of brief points regarding the Act.

First, my office, as a government institution, has not shared information under SCISA and in all probability is unlikely ever to do so.

During the first year that SCISA was in effect, the agency which I review, the Communications Security Establishment, CSE, has neither received nor shared information under that law. 

My reviews of CSE include CSE information sharing with domestic and international partners. I review CSE activities to ensure that the information it collects and discloses complies with the law, ministerial direction and internal CSE policies.  This includes ensuring that satisfactory measures are in place to protect privacy and that these measures are effectively applied.  I will continue to monitor whether CSE receives or shares any information pursuant to SCISA.

That CSE has neither received nor shared information under SCISA demonstrates that currently existing authorities are sufficient for it to share or disclose information with other government institutions.

This point was made more broadly in the annual report of the Privacy Commissioner, Mr. Therrien, noting from a survey of government institutions his office conducted of the first six months SCISA was in effect, that only five institutions either received or shared information pursuant to the Act. Most institutions have been using pre-existing authorities. 

I cannot answer if in the future CSE would receive or share information under SCISA, but the track record to date suggests little, if any. As I said, I will monitor this.

As to the Act itself, there are three points I would comment on. These were also raised by the Privacy Commissioner in his testimony before this committee, and I am in general agreement.

First, the question of threshold in order for information to be shared.  In SCISA, the threshold is relevance: “if the information is relevant to the recipient institution's jurisdiction or responsibilities” (subsection 5(1)).

Where personal information is concerned, the threshold should be higher.

The Privacy Commissioner suggests “necessity”, an international privacy standard, noting that the CSIS Act uses “strictly necessary” for CSIS to collect, analyze and retain information.

Another example can be taken from the National Defence Act where the established threshold is essentiality.  In essence, in order for CSE to use and retain a private communication – where one end is in Canada – collected under Ministerial Authorization, CSE must determine whether the private communication is “essential”.  I review these communications to ensure that is the case, and that information that is not “essential” has been destroyed.

The next point with respect to SCISA relates to safeguards to protect privacy. Given CSE has not received or shared information under SCISA, I have no direct experience with this Act in this regard. 

However, I can comment that the legislation mandating CSE has built-in privacy safeguards. These safeguards require CSE to have satisfactory measures in place to protect any information with a privacy interest that it can legally collect, retain and use.  I would agree with the Privacy Commissioner that there should be safeguards in SCISA to ensure protection of personal information.

A third point relates to the government institutions listed in Schedule 3 of SCISA.

Only three of the 17 institutions listed in Schedule 3 are subject to expert review: CSE, which I review; CSIS which is reviewed by my colleagues from SIRC; and the RCMP reviewed by my colleagues from the Civilian Review and Complaints Commission.

The Privacy Commissioner has a mandate to review personal information policies and practices of all federal government institutions. In this context, Mr. Therrien is examining Schedule 3 institutions use of SCISA and privacy protections. 

However, this is not enough. I suggest that there is a need for expert review for the 14 institutions not currently subject to review.  This could be either by a new review body, or bodies, or divided among the existing expert review bodies, much as recommended by Justice O'Connor in his commission of inquiry report ten years ago in the Arar affair.

Perhaps there is a role here for the National Security and Intelligence Committee of Parliamentarians. The committee will have to establish its priorities and this may be one area to examine. I look forward to working closely with the committee of parliamentarians and its secretariat.    

Thank you for this opportunity to appear before you today. My Executive Director and I would be pleased to answer your questions.