Responses to NSIRA’s review: Lifecycle of CSIS’ Warranted Information
Recommendation 2:
NSIRA recommends that CSIS prioritize investing in technical processes and systems that can assess, ingest, label, use, and destroy data in compliance with its legal obligations.
Related finding(s)
Finding 5: NSIRA found that CSIS incorrectly labelled some data collected during [REDACTED] and no quality assurance or compliance process detected this prior to NSIRA’s technical inspection.
Finding 6: NSIRA found that CSIS retained collected information without clearly articulating the authority for its retention.
Finding 7: NSIRA found that CSIS does not adequately consider data stewardship requirements accruing from new collection activities, which introduces heightened non-compliance risks.
Government response
CSIS welcomes Recommendation 2. Data stewardship, technical processes and systems are critical to CSIS’s ability to assess, ingest, label, use, and destroy data in compliance with its legal obligations.
CSIS has identified several areas where investment should be prioritized and where data stewardship can be considered more broadly within the lifecycle of any new technical capability.
CSIS notes that the incorrect labelling cited in this report was an isolated incident that was corrected at the onset of the review.
CSIS disagrees with Finding 6, it is not factually supported.
CSIS agrees with Finding 7 and acknowledges the importance of considering data stewardship requirements. Going forward, CSIS will ensure that these requirements are adequately satisfied prior to the execution of collection activities.
Recommendation 3:
NSIRA recommends that the 2020 Framework for Cooperation Between Public Safety Canada and the Canadian Security Intelligence Service be revised to fully align with the 2019 Ministerial Direction to the Canadian Security Intelligence Service on Accountability.
Related finding(s)
Finding 8: NSIRA found that CSIS relies on the 2020 Framework for Cooperation Between Public Safety Canada and the Canadian Security Intelligence Service to operationalize the 2019 Ministerial Direction to the Canadian Security Intelligence Service on Accountability. However, the 2020 Framework does not fully capture the requirements of the 2019 Ministerial Direction.
Government response
CSIS agrees with the spirit of Recommendation 3, however, a full review of the MD and Framework could lead to the desired outcome, for example, harmonizing the Framework and the MD to remove any misalignment.
CSIS agrees with Finding 8, but there is greater nuance than what the Finding suggests. Importantly, while CSIS does refer to the Framework, it does not rely solely on this document in its operationalization of the 2019 MD. The Framework is one of many considerations CSIS takes in operationalizing the MD. For example, CSIS has taken an inclusive, proactive approach to the novelty notification requirement in the MD, and many decisions pertaining to those notifications are made in consultation with Public Safety.
Recommendation 4:
NSIRA recommends that the definition of “novel technique or technology” in the 2020 Framework for Cooperation Between Public Safety Canada and the Canadian Security Intelligence Service be revised to err on the side of inclusivity.
Related finding(s)
Finding 8: See above.
Government response
In order to be accountable for CSIS activities, the Minister must be informed of CSIS’ operational activities where a novel technology is used. Accordingly, CSIS agrees that the Framework for Cooperation should be revised to err on the side of inclusivity with respect to the novelty consultation and notification requirements in the MD.
CSIS is already proactively taking a more comprehensive approach to notify the Minister of novel techniques and technologies.
Recommendation 5:
NSIRA recommends that CSIS ensure risk assessments performed throughout the lifecycle of new technologies and techniques are rigorous, documented and comprehensive in their scope.
Related finding(s)
Finding 8: See above.
Government response
CSIS already conducts robust risk assessments on certain classes of operational techniques and technologies prior to their deployment and ensures these assessments are documented and comprehensive. CSIS recognizes the need for ongoing review and is exploring areas of potential improvement.
Recommendation 6:
NSIRA recommends that, as part of its ongoing development, the Operational Technology Review Committee refine its processes to:
- consider data lifecycle requirements,
- reference a definition of “novel technology” that has been agreed upon with Public Safety Canada as part of a revised Framework,
- include a requirement to consult Public Safety Canada on plans or proposals to seek or develop novel techniques and technologies,
- define how risk is assessed,
- better document its technical, legal, foreign policy and reputational risk assessments.
Related finding(s)
Finding 9: NSIRA found that the creation of the Operational Technology Review Committee was an important step forward in CSIS’s management of new technologies and techniques.
Government response
CSIS agrees with Recommendation 6 and recognizes the need to develop robust mechanisms for the review of technology and data lifecycles. CSIS remains committed to ongoing review and improvement.
CSIS is already taking an inclusive approach to the determination of whether a particular technology or technique merits Ministerial notification and, in most instances, it consults officials from Public Safety Canada when making such decisions. CSIS briefs Public Safety officials on a quarterly basis. These meetings are in addition to ongoing exchanges and pre-scheduled quarterly meetings and are used to consult Public Safety officials on whether particular techniques/technologies merit notification or not.
It is important to note that CSIS has well-established risk assessment processes that are followed prior to the deployment of technology.
Recommendation 7:
NSIRA recommends that language in the [REDACTED] Warrant more clearly describe the breadth and limitations of what constitutes incidental collection.
Related finding(s)
Finding 10: NSIRA found that, in [REDACTED], CSIS intended to [REDACTED] beyond warranted targets [REDACTED].
Government response
CSIS and the Department of Justice routinely review the language of its warrants, and regularly engage with the Federal Court on the scope of the issued authorities.
However, NSIRA’s Finding 10 and corresponding Recommendation 7 is based on a fundamental misunderstanding of the incidental collection authorities set out in the particular warrant. CSIS had the authority to collect the information obtained in the referenced instance.
Recommendation 8:
NSIRA recommends that CSIS specify the warrant authority in the operational planning documents in support of each type of [REDACTED] to be sought in the operation.
Related finding(s)
Finding 10: See above.
Government response
Further to Recommendation 8, CSIS already specifies the relevant warrant authorities in a warranted operation. CSIS agrees that requiring investigators to align their collection activities with specific authorities (e.g. s.12 or warrant) ensures that collection complies with the relevant legal authorities and any applicable terms or conditions.
Recommendation 9:
NSIRA recommends that the classified version of this report be shared with the Federal Court.
Related finding(s)
Finding 11: NSIRA found that CSIS’s [REDACTED] may not be in compliance with [REDACTED] Regulations.
Finding 12: NSIRA found that CSIS did not advise the Court prior to using [REDACTED] in the execution of warranted powers.
Government response
The final report will be filed with the Federal Court, subject to redactions for solicitor-client privilege.
CSIS agrees with Finding 11.
Finding 12 is based on certain factual inaccuracies that were brought to NSIRA’s attention and not corrected. While the operation proceeded on the basis that it was warranted, CSIS’ position is that the vast majority of the collection could have been carried out pursuant to s.12 alone.