Eavesdropping agency's personal info banks go unlisted despite legal obligation
Published Thursday, June 20, 2013 7:30PM EDT
OTTAWA -- The Defence Department appears to have broken the law by failing to publish the latest personal information listings of Canada's electronic eavesdropping agency.
Under federal privacy law, ministers are obliged to list the personal data banks -- which hold information about individuals -- compiled by agencies in their portfolios.
However, there is no public listing this year for Communications Security Establishment Canada, known as CSEC, which reports to the defence minister.
The omission has prompted University of Ottawa professor Amir Attaran to lodge a complaint with the federal privacy commissioner, who polices the federal law governing personal information.
It's important for CSEC "to be honest about what data it is gathering," said Attaran, a lawyer who has taken a keen interest in Canadian information law.
The CSE, with a staff of more than 2,000 and an annual budget of about $400 million, monitors foreign communications -- from email and phone calls to faxes and satellite transmissions -- for intelligence of interest to Canada.
It is a key component of the intelligence-sharing network known as the Five Eyes -- Canada, the United States, Britain, Australia and New Zealand.
The personal data bank issue arises amid concerns about the sort of personal information CSEC and its close American ally, the National Security Agency, are collecting.
CSEC spokesman Ryan Foreman said the spy service's personal information banks used to be listed along with other Defence Department holdings in a federal publication called InfoSource, but in future will be cited separately, as CSEC is now a standalone agency.
"CSEC is not exempted from the reporting requirements to publish an InfoSource submission. CSEC will be preparing its first independent InfoSource submission for the 2013-2014 reporting period," Foreman said.
"Previously published versions of InfoSource can be accessed through the Treasury Board Secretariat."
Attaran points out that CSEC became a separate agency in November 2011, and the Privacy Act clearly states that the responsible minister -- in this case Defence Minister Peter MacKay -- must list a body's personal information banks at least once annually.
In addition, the listing must include a description of the sort of information in the banks, how long the data will be kept, and where a member of the public can send a request under the Privacy Act for any files about themselves in the banks.
CSEC has three personal information banks, one containing foreign intelligence files, one on cyber-protection and another dealing with employee mentoring, Foreman said.
Past listings indicate the bank containing foreign intelligence files on "the general public" relates to "sensitive aspects of Canada's international relations, security and defence."
Information in the bank "is held indefinitely."
CSEC is forbidden from directing its activities at Canadians, and is supposed to guard their privacy when sharing material with domestic and international partners.
Attaran wonders whether any information about Canadians is stored in the CSEC's personal information banks.
"Personally I want to know what they have. And I intend -- just for my own sake -- to file a Privacy Act request to see what CSE has got on me."