Driving Naari Programme launched in Chandigarh
OTTAWA—Canada’s electronic spies are concerned reporting too many details about serious privacy breaches could reveal too much about the agency’s highly secretive surveillance and cyber-defence activities, the Star has learned.
The Communications Security Establishment has been in a yearlong spat with privacy commissioner Daniel Therrien’s office over reporting “material” privacy breaches.
The spy agency’s reluctance comes despite government-wide regulations requiring all serious privacy breaches — those that potentially could cause serious harm to an individual, or involving a large number of Canadians — to be disclosed to the independent watchdog.
“As with all (government) departments and agencies, CSE is required to report material privacy breaches to the Office of the Privacy Commissioner,” CSE spokesman Ryan Foreman wrote in a statement.
“However, we do continue to discuss the most effective manner to report material privacy breaches when they occur in the operational space, in a matter that safeguards the sensitive nature of information related to CSE’s mandated activities.”
Documents obtained by the Star show that “discussion” has been going on since at least January of last year.
In a letter sent to a senior Treasury Board employee, released under access to information law, Therrien took aim at a proposal to provide only limited information to his office about privacy violations at CSE.
“A report that does not state the number of breaches does not give the Office of the Privacy Commissioner enough information to have a clear discussion with the institution in question,” Therrien wrote. “The expertise of the Office of the Privacy Commissioner can not, therefore, be put to use.”
A change in Treasury Board policy under the previous Conservative government requires all federal departments and agencies to report “material” privacy breaches to the commissioner and the Treasury Board.
As the single largest repository of Canada’s top secret information, CSE certainly handles sensitive information. The agency is a member of the Five Eyes alliance, a group of closely aligned security and intelligence agencies in the U.K., U.S., Australia and New Zealand.
The alliance was shaken by revelations from whistleblower Edward Snowden in 2013, who pulled back the curtain on those countries’ mass surveillance capabilities and tools. In the wake of those disclosures, the normally press-adverse CSE has been more open about its mandate and the steps it takes to protect Canadians’ privacy.
Since 2007, CSE has kept a single database for all privacy violations, from the mundane to the serious. Every year, a small team at the CSE commissioner’s office, an arm’s-length review body, reviews privacy violations self-reported by the agency.
William Galbraith, a spokesman for CSE commissioner Jean-Pierre Plouffe, said that his office has been in discussions with Treasury Board and Therrien about CSE’s privacy breach reporting.
Galbraith said the 12-person office already examines privacy infractions, and it’s important to avoid “duplication” in reviewing CSE’s activities.
“The CSE commissioner has spoken with the privacy commissioner on this issue, recognizing that (Therrien’s) mandate covers all government departments and receives reports for breaches, and also noting that (Plouffe’s) mandate is specific to CSE and includes examination of compliance with the law including the Charter and the Privacy Act,” Galbraith wrote in a statement.
But Therrien’s letter noted that while the CSE commissioner reviews the legality of CSE’s actions, the expertise to investigate privacy breaches is housed in the privacy commissioner’s office. Therrien is not an outsider on these questions, having served as a senior Department of Justice lawyer responsible for intelligence and law enforcement agencies.
Plouffe reported earlier this year that CSE illegally, if inadvertently, transmitted Canadian metadata to a Five Eyes partner. The mistake, which CSE says did not identify any specific Canadians, was reported by the agency to the commissioner, not uncovered by Plouffe’s team themselves.
Documents tabled in Parliament earlier this month show that reporting serious privacy breaches has varied widely between government departments.
Treasury Board President Scott Brison, who is responsible for enforcing the government-wide reporting, vowed in an interview with iPolitics that Ottawa will do better on reporting the infractions.
“It’s an area that we will work with the (privacy commissioner’s) office and with departments and agencies to understand fully what we can do to improve results and we’re seized with (the issue),” Brison told the outlet.
The details about what each side is proposing in the debate between CSE and Therrien’s office remain secret. Details only emerged through multiple documents, obtained by the Star over the course of several months, from Treasury Board, CSE and the privacy commissioner’s office.
In statements to the Star, all three organizations said they continue to discuss the matter and hope for a resolution in the near future.
