National Security: Removing Barriers to Intra-Governmental Sharing of Information

The House of Commons in Canada is back in session. The federal Conservative Government wasted no time in introducing sweeping anti-terrorism bill (Bill C-51, the Anti-terrorism Act, 2015). I canvassed the legislative and political background to this anticipated legislation in a recent post for the International Association of Privacy Professionals (requires membership to access).

Much of the media attention on Bill C-51 has rightly focused on the creation of a new criminal offence of knowingly advocating or promoting the commission of terrorism offences and the new judicial power to remove terrorist propaganda from websites using Canadian Internet service providers. These have significant implications for freedom of expression. However, our multi-part review of the privacy implications of Bill C-51 begins with the new Security of Canada Information Sharing Act.

Purpose and need for information sharing

The Security of Canada Information Sharing Act is contained in Part 1 of Bill C-51.  This part of the Bill responds to perceived barriers to Government institutions sharing of information relating to threats to the security of Canada. The Government perceived that there were barriers to effective anti-terrorism coordination as a result of some institutions lacking clear authority to share national security-relevant information or as a result of legal barriers to timely sharing of information. An example cited by the Government are the limitations on proactive sharing of passport and immigration information by Canada Customs with Citizenship and Immigration Canada.

To remedy this, the Security of Canada Information Sharing Act’s self-declared purpose is “to encourage and facilitate the sharing of information among Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada” (s. 3).

“Relevant” information can be shared

Section 5 of the Act provides express authorization to Government institutions to share either on their own initiative or on request information that is relevant to the detection, identification, analysis, prevention, investigation or disruption of “activities that undermine the security of Canada.”

Critically, the test for sharing is not whether the information at issue “concerns” an activity that undermines the security of Canada but rather whether the information is “relevant” to the recipient institution’s jurisdiction or responsibilities in respect of such activities. What may be relevant will need to be determined on a case by case basis but the elastic concept of “relevance” clearly has many concerned. Commissioner Therrien, Canada’s new Privacy Commissioner, reacted with a statement raising this issue as a red flag:

“At this early stage, I can say that I am concerned with the breadth of the new authorities to be conferred by the proposed new Security of Canada Information Sharing Act.  This Act would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats.  It is not clear that this would be a proportional measure that respects the privacy rights of Canadians. In the public discussion on Bill C-51, it will be important to be clear about whose information would be shared with national security agencies, for which specific purpose and under what conditions, including any applicable safeguards.”

The Government institutions with which information can be shared includes federal institutions that have critical roles to play in Canada’s overall national security (listed in Schedule 3). These include the Armed forces, CSIS, the RCMP, the Communications Security Establishment, Canadian Border Services Agency and the Department of Foreign Affairs. The list also includes organizations with significant sectoral national security roles, such as the Canadian Food Inspection Agency, the Canadian Nuclear Safety Commission, the Financial Transactions and Reports Analysis Centre of Canada, and the Public Health Agency of Canada. However, the list also includes departments with more general responsibilities such as the Department of Finance, the Department of Health and the Department of Transport.

To facilitate the information sharing provided for in s. 5, the Act would also amend several existing statutes to explicitly authorize the sharing of information. Among these are:

  • Excise Tax Act and Excise Act, 2001: Would be amended to specifically permit the sharing of confidential information if it is “reasonable to suspect” that it would be relevant to (among other things) an investigation of whether the activity may constitute threats to the security of Canada.
  • Income Tax Act: Would be amended to extend the types of information that may be shared and the recipient institutions who may receive information about taxpayers.
  • Department of Fisheries and Oceans Act: The mandate of the Department would be amended to include receiving information relating to activities that undermine the security of Canada. However, the Department is not listed in Schedule 3. Therefore, it appears that the purpose of this provision is to permit the gathering of information by the Department or the onward sharing of the information to the Department by an institution listed in Schedule 3.
  • Customs Act: Would be amended to extend the circumstances in which information may be shared, including with the Department of Citizenship and Immigration.
  • Chemical Weapons Convention Implementation Act: Would permit disclosure of privileged information obtained under the Act with other government institutions in accordance with the Security of Canada Information Sharing Act.

 Activities that undermine the security of Canada

“Activities that undermine the security of Canada” is defined broadly (s. 2) to include any activity that undermines the “sovereignty, security or territorial integrity of Canada or the lives or the security of the people of Canada”. The government has been careful to state that lawful advocacy, protest, dissent and artistic expression are not activities that undermine the security of Canada (s. 2). However, the types of activities that could fall within the definition are quite broad. The Act sets out ten examples of activities that undermine the security of Canada:

  • Interference with the capability of Government administration in relation to the machinery of government intelligence, defence, border operations, public safety, the administration of justice, or diplomatic or consular relations;
  • Interference with the capability of Government administration in relation to economic or financial stability of Canada;
  • Changing or unduly influencing a federal, provincial or municipal government in Canada by force or unlawful means;
  • Espionage, sabotage or covert foreign-influenced activities;
  • Terrorism;
  • Proliferation of nuclear, chemical, radiological or biological weapons;
  • Interference with critical infrastructure;
  • Interference with the global information communications infrastructure (Internet, satellites, telecommunications, etc.);
  • Activities that cause serious harm to a person or their property because of that person’s association with Canada; and
  • An activity that take place in Canada and undermines the security of another state.

Effect of sharing

The sharing activity will not result in a presumption of a joint investigation by Government institutions (s. 7(a)).

It is also important to note that shared information can be further disclosed under the Security of Canada Information Sharing Act or used or disclosed for any other purpose permitted by law (ss. 5(2) and 6). Once the information is shared, the organization who provided the information no longer controls the use and further disclosure of the information (subject to any caveats or express controls by the disclosing institution).

Principles of Information Sharing

Section 4 of the Security of Canada Information Sharing Act sets out information-sharing principles that are to guide the sharing of information under the Act. Curiously, the Government has provided that this section might come into force on a different date than the information sharing provisions themselves. It not clear why this should be so, particularly as these provisions provide a framework for responsible information sharing.

The information sharing principles include the following:

  • There should be respect for caveats on and originator control over shared information.
  • If institutions share information regularly, there should be formalized information-sharing arrangements.
  • Effective and responsible information sharing should include feedback as to how the shared information was used and whether it was useful.
  • Only those within an institution who need the information in respect of the institution’s jurisdiction or responsibilities in respect activities that undermine the security of Canada should receive information disclosed under the Act.

Immunity from civil proceedings

Any person who shares information in good faith under the Security of Canada Information Sharing Act is immune from liability provided that the person acted in good faith (s. 9).

Oversight

Information sharing is not wholly without oversight. Although the sharing of the information is facilitated by the new Act, the information, once shared, will remain subject to the Privacy Act, including the jurisdiction of the Office of the Privacy Commissioner of Canada. However, for many this will not be enough. As Commissioner Therrien stated:

“I am also concerned that the proposed changes to information sharing authorities are not accompanied by measures to fill gaps in the national security oversight regime. Three national security agencies in Canada are subject to dedicated independent oversight of all of their activities.  However, most of the organizations that would receive and use more personal information under the legislation introduced today are not. Gaps in the oversight regime were identified long ago, notably by Justice O’Connor in the report he made at the conclusion of the Arar Inquiry.  Extending the jurisdiction of oversight bodies would be an important step towards the greater transparency that Canadians expect.”

Indeed, it is worthy to note that the Government has seemingly ignored the recommendations of the Office of the Privacy Commissioner of Canada from January 2014. A summary of those recommendations can be found here.

Watch this space for more information and analysis of Bill C-51.