(Ottawa) National intelligence watchdog says Canada’s cyber espionage agency may have broken the law by disclosing personal information about Canadians.
Posted on June 18, 2021 at 8:46 p.m.
The Canadian Press
The Communications Security Establishment (CSE) of Ottawa, given its foreign intelligence mandate, suppresses details that identify Canadians in its reports.
These identifying information include personal names, email addresses and computer IP addresses.
However, other federal agencies and foreign partners that receive these reports may request details of the information if they have legal authority and appropriate justification.
The National Security and Intelligence Review Office (OSSNR) reviewed 2,351 disclosures of information about Canadians over a five-year period and found more than a quarter to be insufficiently substantiated.
Despite this, during the period under review, CSE approved 99% of such requests from domestic customers, an unclassified version of the findings released Friday said.
The CSE also disclosed additional personal information to clients beyond what had been requested and explained that this was standard practice, according to the review agency’s report.
“For example, OSSNR observed instances where CSE disclosed names and other personal information of Canadians even though the recipient had only asked CSE for the identity of a company,” the report said.
“OSSNR observed other types of scenarios where CSE disclosed more identifying information than was requested. ”
In light of this and other findings related to the cyberespionage agency’s internal practices, the oversight body found that CSE’s implementation of its disclosure regime may not be in compliance with the Privacy Act. protection of personal information.
Therefore, the review agency submitted what is known as a compliance report to Defense Minister Harjit Sajjan, the minister responsible for CST.
The review agency found that the Canadian Security Intelligence Service, the RCMP and the Canada Border Services Agency generally demonstrated a clear link between the information in question and their warrants.
The agency recommended that CSE stop disclosing identifying information about Canadians to clients other than these three organizations until it responds to the findings and recommendations of the review.
The review agency says CSE accepted all recommendations arising from the investigation.
Yet, in a response attached to the report, CSE said the Privacy Act does not require documentation of legal powers before information is acquired and disclosed.