The national intelligence watchdog says Canada’s cyberspy agency may have broken the law in disclosing personal information about Canadians.
The Ottawa-based Communications Security Establishment, given its foreign-intelligence mandate, suppresses details that identify Canadians, or even people in Canada, in its reports.
Such identifying information ranges from names of people to email addresses and computer IP addresses.
However, other federal agencies and foreign partners who receive these reports can ask for details of the information if they have legal authority and proper justification.
The National Security and Intelligence Review Agency looked at 2,351 disclosures of information about Canadians over a five-year period and found that more than one-quarter of them were not sufficiently justified.
During the review period, the CSE approved 99 per cent of such requests from domestic clients, says an unclassified version of the findings made public Friday.
The CSE also released additional personal information to clients beyond what was requested and explained this to be a standard practice, says the review agency report.
“For example, NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity,” the report says.
“NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested.”
Given this and other findings related to the cyberspy agency’s internal practices, the review agency found that the CSE’s implementation of its disclosure regime may not be in compliance with the Privacy Act.
As a result, the review agency issued what is known as a compliance report to Defence Minister Harjit Sajjan, the minister responsible for the CSE.
The review agency found the Canadian Security Intelligence Service, RCMP and Canada Border Services Agency generally demonstrated a clear link between the information in question and their mandates.
It recommended the CSE stop disclosing identifying information about Canadians to clients other than these three agencies until it addresses the review’s findings and recommendations.
The review agency says the CSE has accepted all recommendations flowing from the probe.
Still, in a response attached to the report, the CSE said the Privacy Act does not require the documentation of legal authorities before information can be collected and disclosed.
Want to support local journalism? Make a donation here.