RCMP violates national security disclosure rules, potentially placing thousands of individuals at risk

In late February, the latest annual review on national security-related information sharing was published to little fanfare. While it found that, overall, rules were being followed, it revealed a significant problem that deserves greater scrutiny and raises concerns about how the RCMP treats sensitive, personal information.

The study, conducted jointly by the National Security and Intelligence Review Agency (NSIRA) and the Office of the Privacy Commissioner of Canada (OPC), revealed that in 2020 the RCMP disclosed to the Department of National Defence/Canadian Armed Forces (DND-CAF) a dataset with the biometric information of thousands of individuals — men, women and children — who have been “detained by a third party on suspicion of being members or supporters of a terrorist organization.” The disclosure was made proactively by the RCMP, on the basis that they believed it fell within the scope of the DND-CAF’s counterterrorism mandate and because the CAF was active in the region where the individuals were detained.

While not explicitly stated, it is almost certain that this dataset relates to the thousands of individuals who continue to be detained in camps and prisons in North Eastern Syria by the Kurdish administration on allegations that they support and/or are members of Daesh (also known as ISIS). There is simply no other ongoing situation that meets the description provided and that, plausibly, would be of interest for DND-CAF based both on their own counterterrorism activities and on where they were active.

It’s important to note that the individuals detained have not faced trial or even been formally charged. There are ongoing efforts to have those who are not citizens of Syria repatriated to their home countries for reintegration and, if deserved, to face trial. Currently more than 40 Canadians, including nearly two dozen children, are in those camps and prisons. The families of 26 of those Canadians initiated a lawsuit last year to force the Canadian government’s hand to protect its own citizens and aid them in returning to Canada. While some countries have made efforts to bring their citizens home, more than 40,000 foreigners are estimated to be in the camps.

The RCMP received this dataset from a “trusted foreign partner,” which is also unnamed, but that is believed to be the FBI. 

The Security of Canada Information Disclosure Act (SCIDA), as the rules are formally known, was implemented to regulate how national security information is disclosed to Canadian national security agencies, including the protection of personal information. It includes safeguards around what information can be disclosed, how it is requested, how it can be proactively disclosed, and around record keeping to allow for after-the-fact review. This includes determining whether the information being disclosed will contribute to the recipient institution’s jurisdiction or mandate in respect to activities that undermine the security of Canada, and will not affect any person’s privacy interest more than is reasonably necessary. Disclosing and requesting institutions must also document the reasoning for the disclosure/request, and the disclosing institution must record information pertaining to the accuracy of the information shared.

In this case, while the RCMP removed any information related to Canadians in the dataset, it shared the remainder details of thousands of individuals with DND-CAF. However, NSIRA and the OPC discovered that when the RCMP originally received the dataset, it was meant to be accompanied by a detailed description of the dataset, including crucial information related to how the information was obtained, and caveats on its use. However, that detailed description apparently never arrived. Months later, the RCMP still went ahead and shared the dataset with DND-CAF proactively — there was no request for the information — without the supporting description of the dataset. 

The report finds that because of this failure to share important supporting information, it would be impossible to adequately evaluate the privacy impact on the individuals listed, especially given the fact that it meant that they are linked to a terrorist organization. Therefore, the disclosure was not compliant with SCIDA.

It is extremely troubling that the personal biometric information relating to thousands of individuals was shared without taking every precaution to ensure accuracy and the protection of privacy. This is especially important given the accusations being laid against these individuals, and the already precarious position that they are in. What if some of the information was inaccurate, and led to CAF misidentifying an individual as being a suspected terrorism sympathizer?

The sheer scope of the problematic disclosure raises serious questions. We do not know how many thousands of people are included, nor how the RCMP may be using this list (even if DND-CAF has said they are not). And while this accounted for only one of the 215 disclosures made under SCIDA for 2020, it makes up the vast majority of individual records shared. It’s important to note that one disclosure does not equal information related to one individual, and can range from one or a handful of people to bulk information related to hundreds or thousands of individuals.*

In the end, DND-CAF did not integrate the information — which again, it did not request — into their operational info. NSIRA and the OPC have asked that DND-CAF review whether they should retain the information, which the department says they will do, taking into account “any new information provided by the RCMP, NSIRA and the OPC’s findings, and associated DND-CAF directives and policies.”

The RCMP, though, has astonishingly said it only “partially accepts” the review’s findings, stating that despite not having received key details about the information from their trusted partner, they were “satisfied that the disclosure would not affect any person’s privacy interest more than was reasonably necessary in the circumstances.” How this is possible is not clear, and raises serious questions about how the RCMP assesses information it shares with partners.

RCMP violated disclosure rules on at least three occasions in 2020

Taken alone, this violation of SCIDA would be concerning, but the RCMP’s name continues to pop up throughout this year’s report. The review examines whether organizations met the two-part test for disclosure. First, whether the information disclosed was relevant to the national security mandate of the receiving organization. Second, whether the disclosure would impact the privacy of individuals more than is reasonably necessary given the circumstances.

They found that of 215 disclosures made in 2020, 213 met the first standard for disclosure. The two cases that did not comply? Both were proactive disclosures from the RCMP, one to Global Affairs, the other to Immigration, Refugees and Citizenship Canada (IRCC). 

For the second standard, again the report found that there were only two instances of non-compliance, both related to the RCMP. One was the previously discussed disclosure to DND-CAF, and another disclosure to IRCC (it is unclear whether this is the same disclosure to IRCC mentioned above, or a separate disclosure).

If the RCMP was responsible for the bulk of the 215 disclosures made in 2020, their violation of the Act could be excused as a minor aberration. However, the RCMP only accounted for nine of the 215 disclosures. So in fact, at least a third of the RCMP’s disclosures (3 out of 9) did not meet the requirements set up in SCIDA.

The report also found that the RCMP has failed to fully update its policies since SCIDA was enacted in 2019, whereas most other departments covered by SCIDA have. This is especially troubling, because the entire reason for the introduction of SCIDA was to try and make up for the lack of safeguards included in its predecessor, the Security of Canada Information Sharing Act. And yet the RCMP, the largest law enforcement agency tasked with national security, has still yet to fully update its policies. 

“Verbal disclosure” raises further questions

The report shares lots of other interesting information including the overall number of disclosures and requests from various agencies. It shows that most requests and disclosures are made between agencies explicitly named in Schedule 3 of the bill as having a national security-related mandate.

For the first time this year, the report documents that one federal agency without a national security-related mandate disclosed personal information, in this case to CSIS. The report does not name this agency. In response to an email follow-up asking why this would be kept secret when all other disclosing agencies are named, NSIRA stated that the decision was specific to this case. Revealing the agency, they wrote, “would have jeopardized CSIS’ investigation of the security risk identified.” They also assured that withholding the name of disclosing agencies is not automatic nor a standard practice.

While this is only one case, it too raises a red flag: When CSIS reached out verbally to the agency for information, instead of following the formal protocols under SCIDA, the agency simply shared the information verbally. Shortly thereafter, the agency did consult with the Justice Department, and a more detailed written disclosure did follow SCIDA regulations. However, why did CSIS — which is fully aware of the rules — not formally request information with the appropriate guidelines in the first place? And if SCIDA disclosures are to be used more broadly, as was the hope when the rules were adopted, what will stop this from happening more frequently? While some may argue it is unlikely, it is entirely possible that other verbal disclosures that did not require follow-up have already been made and would not have been caught by this review.

NSIRA and the OPC have made suggestions for better training, and for agencies requesting disclosures to proactively inform the department they are approaching about SCIDA regulations. But this speaks to the central concerns that we and others raised about SCIDA and its predecessor, SCISA: that in opening the gates to more information sharing in regards to national security, we run the real risk of breaches in privacy and overly-broad disclosures and requests. 

This is difficult to measure though, since we do not have any comparative, comprehensive statistics prior to the introduction of SCIDA, and many of these agencies have their own, separate, information sharing agreements that fall outside of SCIDA; for example, information sharing between the RCMP and CSIS falls under their own, separate agreement.

Happily, this report shows that most departments take their duties to limit the information disclosed to that which is necessary, and to even destroy information that is disclosed to them if they find that it is not compliant with the law. IRCC, which made the single largest number of disclosures, seemed to take this particularly seriously, limiting what information it shared, placing caveats on it, and destroying information that was non-compliant.

However, we still harbor deep reservations about aspects of SCIDA, and will continue to advocate for reforms, including its overly-broad definition of “threats to the security of Canada.”

* As the report notes, most disclosures related to one or a small number of individuals. However, five related to 20 individuals or more, the RCMP disclosure discussed included information about thousands of individuals, and another Global Affairs Canada disclosure impacted possibly thousands of people as well (when it shared several thousand Twitter handles with the Communications Security Establishment). As the report notes, the government should examine implementing specific policies around the “bulk disclosure” of information.

Since you’re here…

… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work.panel-54141172-image-6fa93d06d6081076-320-320You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!