Update on CSE Efforts to Address Previous Recommendations
Since 1997, my predecessors and I have submitted 90 classified review reports to the Minister of National Defence who is responsible for CSE. In total, the reports contained 156 recommendations. CSE has accepted and implemented or is working to address 93 percent (145) of these recommendations, including all eight recommendations this year.
Commissioners monitor how CSE addresses recommendations and responds to negative findings as well as areas for follow-up identified in past reviews. This past year, CSE advised my office that work had been completed in response to six past recommendations.
Last year I reported on former Commissioner Décary's review of CSE foreign signals intelligence information sharing with international partners. I explained that the ministerial authorization regime is a Canadian instrument and applies to CSE; it has no application to the Second Parties or to their respective sovereign regimes, since those parties treat information according to their own domestic authorities. As a result, CSE does not report to the Minister of National Defence details, for example, regarding communications involving Canadians or information about Canadians that Second Party partners have shared with CSE. Therefore, to support the Minister of National Defence in his accountability for CSE and as an additional measure to protect the privacy of Canadians, Commissioner Décary recommended that CSE report such details to the Minister on an annual basis. CSE has advised my office that the Chief of CSE's 2013—2014 Annual Report to the Minister of National Defence included statistics on communications CSE acquires from its Second Party partners.
CSE's Five Eyes partners
The Five Eyes partners are CSE and its main international partner agencies in the Five Eyes countries: the United States' National Security Agency, the United Kingdom's Government Communications Headquarters, the Australian Signals Directorate and New Zealand's Government Communications Security Bureau. They are also known to each other as Second Party partners.
In my review of the activities of the CSE Office of Counter Terrorism last year, I found that a sample of metadata activities involving information about Canadians was generally conducted in compliance with operational policy. I did, however, find that parts of CSE policy related to this metadata activity did not reflect standard practices. I recommended that CSE modify its policy for these activities to reflect its current practices, specifically for record-keeping. I pursued my examination of this issue as part of my review of CSE foreign signals intelligence metadata activities and found that CSE has halted some metadata analysis activities that were the subject of the recommendation and is consequently updating its policy framework.
CSE also took action on three of the five recommendations from my review of CSE's 2012—2013 foreign signals intelligence ministerial authorizations. CSE informed my office that it has improved policy in order to respond to my recommendation that CSE promulgate detailed guidance regarding additional approvals required for certain sensitive activities. The other two recommendations CSE implemented related to private communications. First, I had recommended that CSE analysts immediately identify recognized private communications for essentiality to international affairs, defence or security, as required by the National Defence Act, or, if not essential, for deletion. Second, I had recommended that CSE analysts regularly assess, at a minimum quarterly, whether the ongoing retention of a recognized private communication not yet used in a report is strictly necessary and remains essential to international affairs, defence or security or whether that private communication should be deleted. In order to address these recommendations, CSE has developed policy as well as an automated notification system where analysts receive notification when a private communication that has been marked for retention has not been used within a specific timeframe. The notification service allows the analysts to review the need to retain the private communications or otherwise they are automatically deleted.
Finally, in my annual review of privacy incidents and procedural errors identified by CSE in 2013 that affected or had the potential to affect the privacy of Canadians, I recommended that CSE request that its Second Party partners confirm that they have acted on CSE requests to address any privacy incidents relating to a Canadian, and that CSE record the responses in its privacy incident file. CSE accepted this recommendation and is working on updating its procedures to respond to my recommendation.
In addition, my office and I are monitoring 15 active recommendations that CSE is working to address – seven outstanding recommendations from previous years and eight from this year.
- Date modified: