Application of the Ministerial Direction: Avoiding Complicity in Mistreatment by Foreign Entities - 2017-2018 Annual Report
In November 2017, the Minister of National Defence issued a Ministerial Direction to the Communications Security Establishment (CSE) on Avoiding Complicity in Mistreatment by Foreign Entities (2017 Direction). This Direction prohibits the disclosure of and request for information (collectively called “exchange of information”) that would result in a substantial riskFootnote 1 of mistreatment of an individual by a foreign entity, as well as certain uses of information that was likely obtained through the mistreatment of an individual by a foreign entity.
This report responds to the 2017 Direction requirement for CSE to report annually to the Minister of National Defence regarding the application of the Direction, including:
- any changes to internal policies and procedures related to the Direction;
- the restriction of any arrangements due to concerns related to mistreatment; and
- details on substantial risk cases where the Direction was engaged, including the number of cases.
CSE Information Sharing Practices and Operational Governance
Sharing information with foreign entities helps CSE fulfill its mandate. Sharing must comply with Ministerial Directions, Canada’s laws and legal obligations, and CSE’s policies.
Mistreatment Risk Assessments (MRAs)
In accordance with the 2017 Direction, CSE employs a formal and comprehensive methodology to assess the potential risk of mistreatment of individuals before sharing information. These classified MRAs are informed by human rights reporting from both government sources and non-governmental organizations, as well as open source and classified reporting. When performing Mistreatment Risk Assessments, CSE:
- assesses the purpose of the information sharing;
- verifies there are mistreatment risk management measures in existing information sharing arrangements;
- reviews CSE’s internal records on the foreign entity under consideration;
- assesses the anticipated effectiveness of risk mitigation measures; and
- evaluates a foreign entity’s compliance with past assurances, based on available information.
CSE officials assess whether the risk of exchanging information with a foreign entity is low, medium, high or substantial, considering the likelihood that action may be taken against an individual, and the potential overall impact of any such action.
Approval authorities for sharing information are commensurate with the level of risk determined by the Mistreatment Risk Assessment. Sharing requests can be escalated to a higher approval authority, if necessary, and a denial may happen at any level. All sharing requests elevated to the Chief are reported to the Minister of National Defence, the National Security and Intelligence Committee of Parliamentarians (NSICOP) and the Office of the Communications Security Establishment Commissioner (OCSEC). Additionally, external review bodies, including OCSEC and NSICOP, can review whether CSE conforms with Canadian laws and with the Direction.
During this reporting period, one sharing request was elevated to the Chief for decision.
Updating Policies and Procedures
Prior to the November 2017 Ministerial Direction: Avoiding Complicity in Mistreatment by Foreign Entities, CSE was guided by internal policies and processes formalized as a result of the 2011 Ministerial Directive to Operationalize the Framework for Addressing Risks in Sharing Information with Foreign Entities. In 2017, OCSEC concluded a Review of CSE Information Sharing Activities with Foreign Entities. In his 2016–2017 annual report tabled in Parliament, the CSE Commissioner stated that CSE’s activities complied with the law, and were consistent with the Framework and Ministerial Direction.
CSE’s ability to fulfill its foreign intelligence and information technology security mandates requires productive relations with foreign counterparts. The CSE Commissioner noted that “sharing information with foreign entities is an integral part of the mandates of Canadian law enforcement and intelligence agencies, including CSE”.
As per the MD, the risk in exchanging information is considered substantial when there is a personal, present and foreseeable risk of mistreatment. The risk must be real and based on something more than theory or speculation. In most cases, the test for substantial risk will be satisfied when it is more likely than not that there will be mistreatment; however, in some cases, particularly where the risk is of severe harm, the “substantial risk” standard may be satisfied at a lower level of probability. Exchanging information when there is a substantial risk of mistreatment is prohibited.