Highlights of Reports Submitted to the Minister in 2015–2016

1. Annual review of CSE support to the Canadian Security Intelligence Service under part (c) of CSE's mandate regarding a certain type of reporting involving Canadians

Background

The cooperative agreements that exist between the five eyes partners include a commitment to respect the privacy of each nation's citizens and to act in a manner consistent with each nation's policies relating to privacy. Nevertheless, it is recognized that each of the partners is an agency of a sovereign nation that may, in exceptional circumstances, derogate from the agreements if it is judged necessary for their respective national interests. In such exceptional circumstances, one of CSE's partners may acquire and report on information about a Canadian or a person in Canada. A partner may report on Canadians located outside of Canada who are known to be engaging in or supporting terrorist activities, for example, a report about a known Canadian “foreign fighter” that may be planning to return to Canada or to attack Canadians. When a partner does undertake an activity relating to a Canadian, the partner may acquire information that, in addition to meeting its own national security requirements, relates to the security of Canada and, as such, may be provided to the Canadian Security Intelligence Service (CSIS) in support of its mandate to investigate and advise government on threats to the security of Canada.

Prior to February 2015, the process to provide this kind of reporting to CSIS was manual and did not involve CSE. To help address the evolving terrorist threat and the increase in the number of foreign fighters, CSIS required a more timely mechanism to securely exchange information. To this end, CSIS requested CSE assistance under part (c) of CSE's mandate (paragraph 273.64(1)(c) of the National Defence Act (NDA)), to establish a mechanism for CSIS to receive and handle these reports via CSE's established channels.

The objectives of this review were: to acquire detailed knowledge of and to document CSE assistance to CSIS with respect to these reporting activities; to assess whether the activities complied with the law and ministerial direction; and to assess the extent to which CSE protected the privacy of Canadians in carrying out the activities.

The Commissioner conducted a review of all such reporting that CSE transmitted to CSIS from February 5, 2015, to May 15, 2015.

Findings

When undertaking activities under part (c) of its mandate, CSE is subject to any limitations imposed by law on the requesting agency (subsection 273.64(3) of the NDA). For the activities reviewed, CSE assistance to CSIS was, therefore, subject to the legal limitations enshrined in the Canadian Security Intelligence Service Act (CSIS Act). Section 12 of the Act sets out CSIS's mandate to “collect, by investigation or otherwise, to the extent that it is strictly necessary, and analyze and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada and, in relation thereto, shall report to and advise the Government of Canada.”

In addition, as a government institution, all CSE activities are subject to the Canadian Charter of Rights and Freedoms, which protects a person's reasonable expectation of privacy, and ministerial direction requires CSE — when providing assistance — to manage information in a manner consistent with the Privacy Act.

The Commissioner found that CSE's activities to transmit these reports to CSIS were conducted in accordance with the law and with ministerial direction relating to the protection of the privacy of Canadians.

Specifically, the Commissioner was satisfied that:

• the activities consisted of technical and operational assistance that is permitted under part (c) of CSE's mandate;
• it was lawful for CSE to approve CSIS's request for assistance in the development of a mechanism to transmit these reports because it is within CSIS's mandate to receive reports that pertain to threats to the security of Canada as defined in section 2 of the CSIS Act; and
• all reports transmitted to CSIS during the period under review contained information that pertained to a threat to the security of Canada; CSIS had both the authority and the operational justification for obtaining the information relating to a Canadian.

CSE has procedures in place that provide sufficient direction to its employees respecting the protection of the privacy of Canadians for the activities. An operational plan contains clearly delineated roles and responsibilities, and restricts access to the reports to a very limited number of employees. CSE managers routinely and closely monitored the conduct of the activities to make certain the transmission of this reporting complied with relevant authorities. The office verified the monthly logs kept by CSE management to record which employees had viewed these reports and was satisfied with the written rationale given for their access.

The Commissioner noted that the CSIS request encompassed threats to the security of Canada defined in section 2 of the CSIS Act. In addition, although CSE — as an agent of CSIS — provided guidance to partners, the determination of what constitutes information pertaining to a threat to the security of Canada was left to those partners.

Conclusion and recommendation

Because the reporting transmitted to CSIS during the period under review contained information relating to Canadians, there is a risk to the privacy of Canadians associated with these activities. Therefore, the Commissioner recommended that CSE keep the Minister informed, on an annual basis, of its activities under part (c) of its mandate to transmit this kind of reporting to CSIS.

The Commissioner's office will continue to examine this assistance to CSIS to verify that CSE complies with the law, namely that the information relating to Canadians that CSE obtains and transmits to CSIS is consistent with CSIS's authority and operational justification, and that CSE takes sufficient measures to protect the privacy of Canadians in the conduct of the activities.

Subsequent to the completion of the review, officials from the office met with officials from the Security Intelligence Review Committee (SIRC) — which was commencing a review of CSIS activities relating to this subject — to describe the review methodology employed, to provide a summary of findings, and to outline areas of inquiry relating to CSIS that were outside of the Commissioner's mandate, but that SIRC could follow up on as it deems appropriate.

2. Review of CSE foreign signals intelligence metadata activities (Part 2)

Background

The Commissioner's office has been reviewing CSE metadata activities for quite some time. In fact, almost every review addresses metadata, which is fundamental to both CSE's foreign signals intelligence and cyber defence activities. Metadata helps CSE understand the global information infrastructure. It is also used by CSE to direct its activities at foreign entities located outside of Canada, and to mitigate the risk of intercepting the private communications of Canadians. An initial review focused on metadata was completed in 2006, and planning for a broad review of metadata started in 2012. The first part of this review, summarized in last year's annual report, included detailed information on CSE foreign signals intelligence metadata authorities and on certain activities relating to the use and disclosure of metadata. This second part of the review addressed specific foreign signals intelligence metadata activities that were set aside during the first part of the review in order to fully investigate incidents relating to CSE's failure to minimize Canadian identity information in certain metadata it shared with its second party partners. Minimization is the process by which Canadian identity information contained in metadata is rendered unidentifiable before it is shared.

The objectives of this review were: to examine specific CSE signals intelligence metadata activities to assess whether the activities complied with the law, ministerial direction, and CSE operational policies and procedures; to assess the extent to which CSE protected the privacy of Canadians in carrying out the activities; to follow up on past findings of Commissioners; and to identify any areas for future in-depth review.

Findings

Three distinct metadata activities were examined.

First, certain metadata analysis activities undertaken for foreign intelligence purposes were examined. While it is a positive development that CSE updated its relevant operational policy, the Commissioner found that guidance on a specific metadata activity that involves Canadian identity information remains vague and should be clarified. The Commissioner's office will continue to examine the conduct of these activities as part of future activity-based reviews.

For these activities, we examined in depth a sample involving Canadian identity information conducted over a one-year period. While a small number of the activities raised questions about CSE authorities and the Commissioner noted inconsistencies in CSE documentation and record-keeping practices, he found that the activities were authorized and generally conducted in a manner consistent with ministerial direction and policy. While not fully satisfied with CSE's approach, the Commissioner did not make any recommendations to address the identified issues and irregularities because, subsequent to the period under review, CSE suspended indefinitely these particular metadata analysis activities in response to case law developments (Canadian Security Intelligence Service Act (Re), 2012 FC 1437, relating to the application of “directed at”). It is positive to observe that CSE followed and modified its practices to address related jurisprudence.

Prior to its decision to suspend these activities, CSE did not meet its commitment to address a recommendation the Commissioner made in a February 2014 review of the activities of the Office of Counter Terrorism (OCT) to amend relevant policy to reflect current practices and to enhance record keeping. However, this can be explained by the short period of time between the OCT review and the suspension of the activities. As long as the suspension remains in effect, the Commissioner does not expect CSE to implement the recommendation.

Second, the Commissioner followed up on another recommendation he had made in the OCT review that CSE issue written guidance to formalize and strengthen existing practices for addressing potential privacy concerns with second party partners. The Commissioner accepts CSE's responses to the issues identified in the OCT review and CSE issued guidance to operational employees to address cases where the privacy of Canadians may be at risk.

Third, the office examined certain network analysis activities involving metadata that help CSE, for example, to identify foreign threat actors, such as terrorist groups and cyber actors. The Commissioner had no questions about the authorities or policies for the activities and found that this analysis remains critical to the execution of CSE's foreign signals intelligence mandate.

Conclusion

The broad review of CSE use of metadata in a foreign signals intelligence context is now complete. In this part of the review, the Commissioner found no evidence of non-compliance, nor did he make any recommendations. The Commissioner's office will continue to review CSE use and disclosure of metadata, which is fundamental to all of its foreign signals intelligence activities. A third report, which will be completed in the coming year, is focused on CSE use of metadata in a cyber defence context.

3. Review of a specific CSE foreign signals intelligence method of collection conducted under ministerial authorization

Background

This year the office completed an ongoing review of CSE foreign signals intelligence activities relating to a specific method of collection under ministerial authorization. This method of collection provides information about: foreign targets relating to international affairs, defence and security; metadata in support of target discovery and network analysis; and information about cyber threats. A 2004 ministerial directive set out specific requirements — including an approval framework and expectations relating to security and the management of the risk of operational activities — applicable to the sample that was selected for review. Subsequent to the period under review, the Minister issued an updated directive on these activities.

The objectives of the review were to assess whether the activities complied with the law, ministerial direction, and CSE operational policies and procedures, and to assess the extent to which CSE protected the privacy of Canadians in carrying out the activities.

Compared with other foreign signals intelligence methods of collection, these activities result in the highest number of unintentionally intercepted private communications recognized by CSE. One particular aim of the review was to better understand any potential impact of these activities on the privacy of Canadians.

In 2008, Commissioner Gonthier completed a comprehensive review of the activities. One finding of consequence was that CSE had not acted in accordance with all of the administrative requirements of the ministerial directive relating to security and risk management. As a result, he recommended that CSE reconcile the discrepancies between its practices and the directive's requirements. Commissioner Gonthier also identified deficiencies relating to insufficient and incomplete records. This review followed up on CSE actions to address the past recommendations and negative findings.

Findings and recommendation

For a number of reasons — including limited resources of the office and of CSE, employee turnover, and an unanticipated incident of high priority — this review, which had been ongoing for some time, could not be completed until now. In addition, CSE answers to the office's questions relating to this particular review were often delayed, incomplete or inconsistent, requiring officials to regularly follow up. However, in this context, based on the information reviewed and the interviews conducted, the Commissioner found no evidence of non-compliance with the law.

CSE has made improvements since the 2008 review. A number of issues remain outstanding, however, and the Commissioner made negative findings that are similar to those of his predecessor. CSE did not, for example, maintain an up-to-date plan to prevent and mitigate the potential negative impact of an unauthorized disclosure, as prescribed by the ministerial directive. Other documents have been in draft form for years, and contain insufficient information. The Commissioner is concerned that certain important documents relating to security and risk management remain incomplete. Therefore, like his predecessor, the Commissioner recommended that CSE reconcile the discrepancies between its practices and the administrative requirements in the ministerial directive.

The Commissioner found more than one instance where, because of a lack of clarity and explanation of key terms found in the approval framework of the ministerial directive, it could be argued that CSE should have sought specific approval prior to conducting an activity. The updated ministerial directive does, however, contain a new approval framework and additional guidance that the Commissioner's office will assess as part of a planned follow-up review.

In addition, the office sought statistics for the number of communications intercepted by CSE on behalf of, and sent to, its second party partners using this specific method of collection. Although CSE provided some information, its existing systems did not automatically track and record such information, and it was difficult and time-consuming for CSE to provide it. In a 2013 review of foreign signals intelligence ministerial authorizations, CSE indicated that it was working on a technical solution to more easily track the number of communications intercepted by CSE and sent to its second party partners. In a subsequent review, the Commissioner's office will follow up on CSE efforts to implement the solution. Recording and regularly reporting to the Minister a wider range of statistical information relating to information shared with the Second Parties would support the Minister in his accountability for CSE.

Conclusion

Given the scope and nature of this method of foreign signals intelligence collection, the newer ministerial directive, the ongoing negative findings and the time that has elapsed since this review was started, at the time of writing, the Commissioner has already commenced another review of these activities, with a particular focus on CSE targeting activities, that is, the process and practices by which CSE determines that entities of foreign intelligence interest are foreign entities located outside of Canada. The Commissioner will monitor the timeliness of the responses from CSE.

4. Annual combined review of CSE foreign signals intelligence ministerial authorizations and private communications

Background

This is the sixth consecutive annual combined review of foreign signals intelligence ministerial authorizations. It is one way Commissioners fulfill the obligation under the NDA to review activities carried out under ministerial authorization to ensure they are authorized and to report annually to the Minister on the review.

The review encompassed three foreign signals intelligence ministerial authorizations in effect from December 1, 2014, to June 30, 2015, relating to three distinct methods of collection. This involved examining the authorization documents themselves and the activities described in the authorizations compared with previous years, to identify any significant changes to each method of collection and to the foreign signals intelligence collection program as a whole. It was an objective of the review to assess the impact of any changes on the risks to compliance and privacy, and, as a result, identify any subjects requiring follow-up review.

According to CSE policy, if an analyst whose functions are directly related to the production of foreign intelligence reports recognizes that an intercepted communication is a private communication, a communication of a Canadian located outside Canada, or contains Canadian identity information, and that the communication is not essential to international affairs, defence or security, then the analyst must, on recognition of these characteristics, process this communication for deletion. A communication deemed essential to international affairs, defence or security can be used in a CSE report or retained.

To verify compliance with the law and to assess the extent to which CSE protected the privacy of Canadians, the Commissioner examined the status of the 13 recognized foreign signals intelligence private communications that CSE had used or retained at the end of the 2013–2014 ministerial authorization period and of the 342 private communications that CSE had used or retained at the end of the 2014–2015 ministerial authorization period. The review included two spot check reviews of the 262 private communications used or retained by CSE during the periods of March 1, 2015, to April 30, 2015, and September 1, 2015, to October 31, 2015. CSE had no prior warning that the office was about to conduct the spot checks.

Findings

The Commissioner found that the 2014–2015 foreign signals intelligence ministerial authorizations met the conditions for authorization set out in the NDA, namely that:

• the interception will be directed at foreign entities located outside Canada;
• the information could not be reasonably obtained by other means;
• the expected value of the interception would justify it; and
• satisfactory measures are in place to protect the privacy of Canadians.

There were no significant changes to the 2014–2015 ministerial authorizations and associated request memoranda to the Minister.

Accountability was enhanced respecting solicitor-client communications by incorporating measures to inform the Minister of cases when unintentionally intercepted solicitor-client communications containing foreign intelligence are retained, used or disclosed. CSE operational policy is not, however, fully consistent with the new process, and it should be revised. During the period under review, there were no solicitor-client communications used or retained by CSE; in fact, CSE has not used or retained a solicitor-client communication in the past five years. The office will continue to monitor and examine CSE retention or use of private communications, including any solicitor-client communications.

It is also positive that details were added to the ministerial authorizations and memoranda about what is an “essential” private communication, and to clarify the circumstances under which CSE may unintentionally intercept a private communication.

CSE implemented a recommendation of the Commissioner from 2013–2014 by modifying operational policy to specify who is responsible to approve specific foreign signals intelligence collection activities. CSE is also working on an updated policy for certain other activities, which the office will examine when it is issued.

CSE made changes to technology used for some of its foreign signals intelligence collection activities that continue to be challenged by unauthorized disclosures made by Edward Snowden in 2013. The disclosures resulted in the increased use of encryption and other countermeasures by foreign intelligence targets who hope to evade CSE and second party collection efforts.

Protection of Canadians' privacy

CSE is prohibited from directing its foreign signals intelligence and cyber defence activities at Canadians anywhere in the world or at any person in Canada. The foreign focus of CSE's work means that, unlike Canada's other security and intelligence agencies, CSE has limited interaction with Canadians. When CSE does incidentally acquire information relating to a Canadian, it is required by law to take measures to protect the privacy of the Canadian. The Commissioner's review of CSE activities includes verifying that CSE does not target Canadians and that CSE effectively applies satisfactory measures to protect the privacy of Canadians in all the operational activities CSE undertakes.

Respecting private communications, based on the information reviewed and the interviews conducted, the Commissioner was satisfied that:

• all private communications that were recognized by CSE were intercepted unintentionally and treated in accordance with CSE policies and procedures — nothing suggested that any of the private communications that were recognized by CSE during this period were intercepted intentionally, which would have been unlawful;
• all private communications used and retained by CSE were essential to international affairs, defence or security, as required by the NDA; and
• private communications that were non-essential were deleted. CSE did not retain private communications beyond the retention and disposition periods prescribed by its policy.

The Commissioner observed that, during the review period, the number of private communications recognized by CSE increased in comparison to previous ministerial authorization periods. This was a consequence of the technical characteristics of a particular communications technology and of the manner in which private communications are counted.

It is positive that the Chief's ministerial authorization year-end report to the Minister for 2014–2015 contained more comprehensive information respecting the number of private communications retained throughout the reporting period as the Commissioner had recommended, including an explanation of the reason for the increase during the period of March to April 2015.

Conclusion

CSE is taking action to implement recommendations from previous reviews relating to ministerial authorizations and private communications. This current review did not result in any recommendations. The Commissioner's office will continue to conduct annual reviews to verify that ministerial authorizations are authorized, and to conduct spot check reviews of one-end Canadian communications acquired and recognized by CSE to verify that CSE does not target Canadians and protects Canadians' privacy. Next year, to provide additional assurance, spot check reviews will be expanded to encompass a sample of other one-end Canadian communications acquired by CSE, including from second party partners.

5. Annual review of CSE cyber defence activities conducted under ministerial authorization

Background

To detect and protect against sophisticated cyber threats — including foreign state, criminal and terrorist threat actors — CSE may, on receiving a written request from a Government of Canada institution to conduct cyber defence activities, deploy measures to collect and analyze data from that client's computer systems or networks. Because these CSE cyber defence activities risk the interception of private communications, CSE must conduct these activities under the authority of a ministerial authorization.

This annual review encompassed two cyber defence ministerial authorizations in effect from December 1, 2013, to November 30, 2014, and from December 1, 2014, to June 30, 2015.

The review included examining the cyber defence ministerial authorization documents and the activities they described to ensure the conditions for authorization set out in the NDA were met. The authorizations and activities were compared with previous years to identify any significant changes. An objective of the review was to assess the impact of any changes on the risks to compliance and privacy, and, as a result, identify any issues requiring follow-up review.

To verify compliance with the law and to assess the extent to which CSE protected the privacy of Canadians, the office examined a sample of intercepted data and recognized private communications intercepted pursuant to the ministerial authorizations that were used or retained on the basis that they were essential to identify, isolate or prevent harm to Government of Canada computer systems or networks.

The office selected and examined a sample of intercepted data relating to approximately 20 percent of the total number of cyber incidents identified in the 2013–2014 and 2014–2015 ministerial authorization periods. A cyber incident may involve one or more cyber events, and one or more private communications. Approximately 70 percent of the sample contained one or more recognized private communications. It is not possible to reveal the number of private communications used and retained by CSE relating to cyber defence activities because it would allow adversaries to assess CSE's capabilities. The office examined:

• the cyber events that made up the incidents;
• the malware, which is the software used by the threat actors, for example, to attempt to steal information from a computer system or to disrupt a network;
• CSE internal and external reports relating to the cyber threats;
• e-mails;
• analyst notes; and
• details contained in associated tools and databases, such as the rationale for the retention of a particular private communication, and information about the threat actor.

Another objective was to follow up on past findings and recommendations of Commissioners, including those in last year's in-depth review of cyber defence activities conducted during the 2009–2010 to 2011–2012 ministerial authorization periods.

Findings and recommendation

The Commissioner found that the 2013–2014 and 2014–2015 cyber defence ministerial authorizations met the conditions for authorization set out in the NDA, namely that:

• the interception was necessary to identify, isolate or prevent harm to Government of Canada computer systems or networks;
• the information could not be reasonably obtained by other means;
• the consent of persons whose private communications may be intercepted could not reasonably be obtained;
• satisfactory measures are in place to ensure that only information that is essential to identify, isolate or prevent harm to Government of Canada computer systems or networks was used or retained; and
• satisfactory measures were in place to protect the privacy of Canadians in the use or retention of that information.

Based on the information reviewed and the interviews conducted, the Commissioner found no evidence of non-compliance with the law as interpreted by the Department of Justice Canada. CSE's compliance validation framework for cyber defence activities — which includes extensive audit logging and monitoring of compliance with operational policies and procedures — provides evidence that CSE complied with legal requirements.

There were no significant changes to the ministerial authorizations and associated request memoranda to the Minister or to the conduct of the cyber defence activities that affected the risks to compliance or privacy.

The cyber defence ministerial authorizations contained changes similar to those made to the foreign signals intelligence authorizations to enhance accountability respecting solicitor-client communications. Cyber defence operational policy should also be amended to address the new requirements.

The Commissioner recognized the benefit of another change made in 2014–2015, which is to notify the Minister when CSE accepts a request from a Government of Canada institution to conduct cyber defence activities under the authority of a ministerial authorization. This will streamline CSE assistance to clients and support a timely response to cyber incidents (the 2013–2014 and previous authorizations required CSE to inform the Minister before it could accept such activities).

Recently, CSE started using a new specialized defensive technology to detect and mitigate malicious or abnormal cyber activity on Government of Canada client systems and networks. The technology appears to be generally consistent with existing CSE cyber defence activities, and CSE is applying the existing operational policies and procedures, compliance validation framework, and privacy protections to the new activities. However, as a newly deployed technology, the new activities merit in-depth examination in a future comprehensive review.

Respecting private communications, based on the information reviewed and the interviews conducted, the Commissioner was satisfied that:

• all private communications that were recognized by CSE were intercepted unintentionally and treated in accordance with CSE policies and procedures — nothing suggested that CSE directed any of its cyber defence activities at Canadians or at any person in Canada;
• all private communications used and retained by CSE were essential to identify, isolate or prevent harm to Government of Canada computer systems or networks, as required by the NDA; and
• private communications that were non-essential were deleted; CSE did not retain private communications beyond the retention and disposition periods prescribed by its policy.

However, analysts were observed using two different methods for marking and counting cyber defence private communications. For accuracy and consistency in reporting to the Minister, the Commissioner recommended that CSE issue guidance on this subject.

All of the cyber defence private communications used or retained by CSE that were examined this year contained nothing more than malware or anomalous system and network activity.

As has generally been the case in the past, the private communications examined involved no exchange of any personal or other consequential information between the cyber threat actor and a Government of Canada employee or other Canadian. The Commissioner continues to question CSE's practice of treating all unintentionally intercepted one-end-in-Canada e-mails related to cyber defence activities as private communications and whether this accurately reflects the privacy risk and how that risk is portrayed to the Minister. The Commissioner noted the progress made in that CSE reporting to the Minister on private communications now highlights the important differences — including in the expectation of privacy — between private communications intercepted under foreign signals intelligence activities and under cyber defence activities. However, the Commissioner remains of the view that a communication containing nothing more than malicious code or an element of social engineering sent to a computer system in order to compromise it is not a private communication as defined by the Criminal Code.

The Commissioner observed an increase in the proportion of incidents that did not contain a private communication. CSE explained that this resulted from increased use of certain techniques designed to reduce the risk of unintentionally intercepting private communications.

It is positive that the Chief's ministerial authorization year-end report to the Minister for 2014–2015 contained more comprehensive information respecting the number of recognized private communications acquired by CSE using particular cyber defence activities.

In last year's report, the Commissioner noted that CSE could improve some policies and procedures relating to the retention of certain private communications. However, in view of explanations provided in the context of this review, this suggestion was withdrawn; the Commissioner has no expectation that CSE should take any action on this subject.

CSE is taking action to address negative findings and to implement past recommendations, including:

• new guidance and regular communications to operational management and employees on changes to policy;
• a new mandatory policy course to enhance analyst understanding of policy requirements;
• enhanced record keeping through the planned deployment of a new cyber defence data repository; and
• more detailed and accurate marking and recording of private communications — including more comprehensive information about the justification for the retention of a private communication — which provided enhanced evidence of compliance and facilitated the conduct of the review.

Conclusion

The Commissioner made one recommendation to enhance policy relating to consistency in the marking and counting of private communications. The office will continue to conduct annual reviews of cyber defence ministerial authorizations and private communications to verify that the activities are authorized and that CSE does not target Canadians and protects Canadians' privacy. The office will monitor CSE actions to address issues identified in this review. This year, the Commissioner will complete a study of cooperation and information sharing between CSE's IT Security employees and its foreign signals intelligence employees to defend against cyber threats, which will be summarized in the 2016–2017 annual report.

6. Annual review of CSE disclosures of Canadian identity information, 2014–2015

Background

This is the seventh consecutive annual review of a sample of CSE disclosures of Canadian identity information — which includes any information uniquely relating to and that may identify a Canadian. The objective of the review was to verify that CSE, in its disclosures of Canadian identity information, complied with the law, ministerial direction and its policies and procedures, including assessing the extent to which it protected the privacy of Canadians.

For this year's review, the Commissioner's office selected and examined a sample of approximately 20 percent (225 requests) of the 1,126 requests from CSE's Government of Canada clients for disclosure of Canadian identity information contained in CSE reports. The requests were received during the period of July 1, 2014, to June 30, 2015. The sample included all government institutions that made a request during that period. The office also examined all 111 requests from second party partners and the six requests for disclosure to non-five eyes entities; one Government of Canada client made five requests and a second party made one request — which was denied — to share specified Canadian identity information with non-five eyes entities. It is important to note that the number of requests represent the number of instances that institutions or partners submitted separate requests for disclosure of identity information suppressed in reports, providing a unique operational justification in each case. One request may involve multiple Canadian identities, and one Canadian identity may be disclosed multiple times to different institutions or partners. Different types of Canadian identity information may have different levels of privacy interest.

Findings

The Commissioner was satisfied that:

• CSE disclosures of Canadian identity information complied with the law;
• the requesting Government of Canada client or second party partner had both the authority and operational justification for obtaining the information;
• CSE effectively applied the privacy protections contained in ministerial direction and in its operational policies and procedures;
• CSE acted in accordance with the Cabinet framework for addressing risks in sharing information with foreign entities that could result in the mistreatment of an individual; and
• no privacy incidents were identified that had not already been found and recorded by CSE in its Privacy Incidents File.

CSE is responsible for conducting a mistreatment risk assessment when it is the approval authority for the release of the information; however, other Government of Canada institutions continue to be responsible when the information is being released via their own channels. It is a positive development that in disclosures involving non-five eyes recipients CSE included a specific caveat to remind the requesting government client of its responsibility to conduct an assessment of the risks in sharing information with a foreign entity that could result in the mistreatment of an individual.

During the course of the review, the Commissioner informed the Chair of SIRC of information involving CSIS for any follow-up that SIRC may deem appropriate.

The automated information and records management system for requests from government clients continues to be effective. For a number of valid reasons, work on a similar system for processing second party partner requests has been delayed. The office will monitor changes to systems and processes for the disclosure of Canadian identity information.

Conclusion

The review did not result in any recommendations. The office will continue to conduct annual reviews of CSE disclosures of Canadian identity information to clients and partners to verify that CSE complies with the law and protects Canadians' privacy.

7. Annual Review of CSE's Privacy Incidents File and Minor Procedural Errors Record, 2015

Background

Since 2011, Commissioners have conducted an annual review of all incidents recorded by CSE that put the privacy of a Canadian at risk in a manner that runs counter to, or is not provided for, in its operational policies. CSE records in its Privacy Incidents File those incidents where privacy was breached. CSE uses the File to monitor and address incidents involving a privacy interest and to enhance processes and policies where required. The Minor Procedural Errors Record contains operational errors that occurred in connection with privacy-related information, but did not result in the information leaving the control of CSE or being exposed to external recipients who ought not to have received that information.

The Commissioner may investigate a material privacy breach, which according to government-wide policy is defined as a breach that involves sensitive personal information and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals. The Commissioner also investigates privacy incidents in detail in the course of reviews of particular activities.

The objectives of this review were:

• to acquire knowledge of the privacy incidents, procedural errors and consequent actions taken by CSE to correct the incidents or mitigate the consequences;
• to acquire knowledge of any CSE operational material privacy breaches and associated corrective actions;
• to determine what incidents, if any, may raise questions about compliance with the law or the protection of the privacy of Canadians;
• to identify any trends or systemic weaknesses that might suggest a need for additional corrective action by CSE, changes to CSE processes or policies, or in-depth review by the Commissioner of a specific incident or activity; and
• to help evaluate CSE's policy compliance validation framework and monitoring activities.

The Commissioner examined all of the privacy incidents and the subsequent actions taken by CSE to address them. The incidents involved, for example: the unintentional sharing or inclusion in a report to, or in an e-mail exchange with, clients of unminimized Canadian identity information; unknowingly targeting a Canadian or a person in Canada; and unknowingly querying information related to a Canadian or person in Canada. Some of the incidents will be examined next year because CSE was continuing to take action to address them at the time of review.

Certain other incidents that relate to the transmission to CSIS of information from CSE's partners will also be investigated next year as part of the planned follow-up review of CSE support to CSIS under part (c) of CSE's mandate regarding a certain type of reporting involving Canadians.

The Commissioner also examined all of the minor procedural errors recorded by CSE in 2015. The procedural errors included, for example: the retention of Canadian identity information longer than permitted by policy; the disclosure of information relating to a Canadian to the wrong recipients within CSE; and sending Canadian identity information to external recipients, although in this instance, the error was corrected before the recipients accessed the information.

Findings and recommendation

Based on review of the Privacy Incidents File and the Minor Procedural Errors Record, answers to questions, and verification of information contained in CSE databases, the Commissioner found that CSE took appropriate corrective actions in response to the privacy incidents and minor procedural errors it identified in 2015.

The Commissioner had no questions about CSE's assessment that the privacy incidents it identified in 2015 did not consist of material privacy breaches, and the Commissioner agreed with CSE's assessment that the procedural errors it recorded were minor and did not result in privacy incidents.

CSE added information to the Privacy Incidents File to indicate whether the incidents consisted of a material privacy breach and whether the incidents required consideration or action by management. However, overall, the file contained less detail than in previous years. While CSE answered the office's questions about the incidents, it is important to document in the File sufficient information to demonstrate compliance and that appropriate actions have been taken to correct or mitigate any consequences of an incident. Therefore, the Commissioner recommended that CSE make certain that its Privacy Incidents File contains adequate information to describe and document each incident in a thorough manner.

While reviewing reports referred to in one privacy incident, it was discovered that a small number of reports had not been cancelled or reissued as recommended and documented by CSE. As a result, CSE corrected the problem, and the office verified that the reports were cancelled.

CSE implemented a recommendation contained in the 2013 review of privacy incidents by revising its operational policy to clarify issues related to naming conventions and the suppression of Canadian identity information in foreign signals intelligence reports. The office will review the application of the new policy in the conduct of future activity-based reviews.

Conclusion

The recording and reporting of privacy incidents continues to be one effective measure used by CSE to promote compliance with legal and ministerial requirements, operational policies and procedures, and to enhance the protection of the privacy of Canadians. The review did not reveal any material privacy breaches, systemic deficiencies or issues that required follow-up review. According to CSE, it did not become aware of any adverse impact on the Canadian subjects of the privacy incidents. Commissioners will continue to investigate CSE privacy incidents and procedural errors. The office will continue to monitor developments relating to the findings and recommendation made in this review. It will also collaborate with the Office of the Privacy Commissioner on material privacy breaches, as appropriate.