CSE Introductory Remarks to The Standing Committee on Access to Information, Privacy and Ethics The Security of Canada Information Sharing Act (SCISA)

Good morning/afternoon, Mr. Chair and Members of the Committee. My name is Dominic Rochon, I am CSE’s Deputy Chief for Policy and Communications.

I am also CSE’s Chief Privacy Officer, and the delegated authority under the Access to Information and Privacy Acts.

It is a pleasure to appear before you today as you continue your study of the Security of Canada Information Sharing Act (SCISA).

I have been invited here today to clarify CSE’s mandate and provide insights into how CSE protects the privacy of Canadians while we engage in activities that ultimately protect Canadians from foreign threats.

For Committee members unfamiliar with CSE and CSE’s history, I can tell you that CSE has been in the business of protecting Canadians for several decades. Protecting the privacy interests of Canadians and persons in Canada has always been integral to the performance of this mission.

Let me first start by explaining our mandate and the work that CSE does to protect Canada.

Our mandate consists of 3 parts as defined in the National Defence Act.

The first part, referred to as Part (A), authorizes CSE to “acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with the Government of Canada intelligence priorities.”

I emphasize “foreign” because CSE only directs its activities at foreign communications.  CSE is prohibited by law from directing its activities at Canadians anywhere or at anyone in Canada.

CSE produces valuable intelligence under Part (A) of our mandate.  For example, CSE provides vital information to protect Canadian troops on the ground in Iraq as they contribute to the Global Coalition to dismantle and defeat Daesh.

In addition, our foreign signals intelligence has also played a vital role in uncovering foreign-based extremists’ efforts to attract, radicalize and train individuals to carry out terrorist attacks in Canada and abroad.

The second part of our mandate, known as Part (B), authorizes CSE to “provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada.”

This part of our mandate authorizes CSE to protect Canada from the growing cyber threat.  

Cyber threats used to be the exclusive domain of nation-states. That is not the case anymore, as malicious cyber tools become easier to obtain and the motivations for malicious actors become more diverse. In this rapidly changing threat environment, the services of CSE have become increasingly important.

Across the government, CSE is protecting 700 million connections daily from a user population of about 377,000 people. Every day, we block over 100 million malicious attempts to identify vulnerabilities and penetrate or compromise Government of Canada networks.

CSE also shares cyber threat information with Public Safety for further dissemination to the private sector in order to protect the intellectual property of Canadian businesses.

Finally, the third part of our mandate, referred to as Part (C), authorizes CSE to “provide technical and operational assistance to federal law enforcement and security agencies in support of their lawful mandate”.

This is important for Canada’s national security given that CSE possesses unique skills and tools not found in other government departments, particularly in the area of encryption.

It is common knowledge that terrorists, for example, are adaptive and tech-savvy. They use cutting edge technology, smartphones and messaging apps to communicate.  And they use powerful encryption to better avoid detection.

As a result, the threat puzzle that intelligence agencies try to piece together is not always straightforward and requires cooperation to solve---a reality, in fact, highlighted in the preamble of the SCISA.

Sharing foreign intelligence and cyber threat information with our domestic partners is crucial to a whole-of-government approach to protecting Canadians.  It is by sharing intelligence that we warn the Government of Canada about the intentions and capabilities of those beyond our borders who mean us harm.

When doing so, Canadians and persons in Canada cannot be the focus of CSE’s activities and CSE must apply measures to protect the privacy interests of Canadians included in the information being shared. These privacy measures take the form of rendering Canadian identifying information (found in the intelligence being shared) unintelligible, leaving it to the receiving Government of Canada department or agency to demonstrate a need for that information and the authority to receive it.   

Although information sharing is essential to protecting Canada’s security, CSE recognizes that the sharing of information could potentially touch upon fundamental rights and freedoms, particularly the right to privacy.   

I want to stress that not only is protecting the privacy of Canadians a fundamental part of our organizational culture, it is also enshrined in our mandate.  The National Defence Act directs CSE to protect the privacy of Canadians in the use and retention of information.  As such, CSE has multiple policies, structures and processes in place to ensure that we continue to adhere to privacy laws and policies.

These structures include executive control and oversight, operational policies, procedures and compliance measures, an onsite legal team from the Department of Justice and active ongoing monitoring of internal processes.

CSE’s privacy framework includes operational policies that set out specific handling process, retention periods, and sharing guidelines, and they allow for the validation, tracking and auditing of information received.

CSE also provides regular training and testing for staff on the mandate, privacy rules and compliance.

In addition, all of CSE’s activities are subject to robust, external expert review by the independent CSE Commissioner.  The CSE Commissioner, who is usually a supernumerary or retired judge of a superior court, has full access to CSE employees and records.

I would also like to add that the CSE Commissioner has all the power of the Commissioner under part II of the Inquiries Act, including the ability to inspect any records held by CSE and the power to subpoena CSE employees to provide information.  

The work of the CSE Commissioner has had a positive impact on our accountability, transparency and compliance and has led to CSE strengthening a number of our policies and practices. The CSE Commissioner’s Office regularly interacts with CSE personnel when conducting reviews. Since 1996, CSE has accepted and implemented 100% of the CSE Commissioner’s privacy-related recommendations.

Though much of what we do is classified, we are committed to becoming more open and transparent about how we protect Canadians’ security and their privacy.  We know that openness is crucial to ensuring public trust in what we do and as the government pursues its overall national security agenda we will continue to be forthcoming about our operations.

With respect to SCISA, you are aware that SCISA lists CSE as an entity that can receive information from another Government of Canada institution.  I want to emphasize that SCISA does not supersede or expand CSE’s authorities to collect or receive information from our domestic partners.

To date, CSE has not relied on SCISA to receive or disclose information under SCISA. CSE’s existing procedures and processes to authorize and manage information sharing meet or exceed those set out in SCISA.

When sharing information, CSE currently relies on authorities under the National Defence Act (NDA). Information sharing at CSE is undertaken in accordance with the provisions of the Privacy Act. CSE’s established information sharing arrangements are set out in information sharing agreements with our domestic security and intelligence partners.

CSE also may receive information from Government of Canada agencies under the National Defence Act and the Privacy Act authorities when relevant to its mandate, although the need to receive information is minimal considering CSE cannot direct its activities against Canadians or persons in Canada.

And I should add that the CSE Commissioner does conduct an annual review of our information sharing/disclosure activities, and to-date he has found that these activities were done in compliance with the law.

I’ll conclude my remarks by stating that I am confident in our ability to fulfill our mandate while safeguarding the privacy of Canadians.

My confidence stems from both the rigorous legal and policy framework in place to protect the privacy of Canadians, and the professionalism and commitment of CSE’s highly skilled workforce.

Thank you for inviting me here today. It would be my pleasure to answer any questions you might have.