The Year in Review

Safeguarding privacy: Regular review of identity disclosures

Following my in-depth review of CSEC's disclosure of information about Canadians to Government of Canada clients, completed in December 2008, it was suggested by CSEC that reviews of this kind could be conducted on a regular basis. Since this CSEC activity lies at the heart of my mandate, I believe it is worthwhile to examine it regularly. As a result, my office has arranged with CSEC to begin reviews at regular intervals throughout the coming reporting year.

I believe the nature of this CSEC suggestion, and the manner in which it was presented to my office, speaks to the professional trust that has evolved in the relationship between our respective organizations. It is a positive sign, and one which I am pleased to highlight in this report.

Briefings from CSEC

My office is briefed regularly on CSEC operational policies and relevant administrative activities. In 2008–2009, my office was also provided with presentations and training in the areas of information management and information technology (IT) databases, on the safeguarding of IT networks of importance to the Government of Canada, and on the status of CSEC's policy framework. In addition, CSEC provided briefings specific to certain reviews prior to those reviews being undertaken.

More effective review through annual roundtables

For the past two years, my staff and CSEC officials have participated in what has become an annual roundtable meeting aimed at optimizing the review process, while minimizing any adverse impact on CSEC's legislated activities. The roundtable meeting is also an opportunity to reinforce open communication and to enhance mutual understanding and trust in the working relationship between the two organizations. These meetings have proven useful in removing obstacles to effective review and will, I am sure, enable us to make progress in the years ahead.

Strengthening lawful compliance

The objective of my review mandate is to assess whether CSEC's activities comply with the law, including the extent to which CSEC has adequate measures to protect the privacy of Canadians. While I am to report to the Minister and to the Attorney General of Canada any instances of non-compliance with the law, I also make it a point, wherever possible, to identify preventive measures that reinforce CSEC's lawful compliance.

One area in which my predecessors and I consistently called for preventive measures is improved information management practices. As we all previously noted, the absence of an adequate records management system impaired CSEC's ability to account for its activities. In response to these concerns, CSEC has taken positive steps to rectify gaps in record management practices. In fact, a new corporate records management system is expected to be fully operational during the 2009–2010 reporting period. CSEC is to be commended for its efforts in this important area.

A comprehensive review process

In its reviews, my office sometimes goes into great depth, observing CSEC operators and analysts first hand to gain better knowledge of their work. This knowledge is particularly important when my staff examine an area in which I have made a recommendation with which CSEC disagrees.

This year, in one such case, which I describe in the section on Review Highlights, I revisited a recommendation relating to privacy, which was made last year. Following completion of a second, focussed review, I retracted that recommendation because I was satisfied that the risk to privacy was minimal and that CSEC had appropriate safeguards in place. I believe this retraction results from a rigourous but fair review approach which, in this instance, recognized the professional manner in which these particular analysts strive to conduct their work.