When intelligence-agency analysts reported to federal privacy officials about their budding data-mining efforts, they argued these activities presented only a minimal risk to Canadians' confidential data.
But the Canadian Security Intelligence Service also conceded this might very well change. Because the scale and scope of the early efforts would surely snowball over time, they vowed to give formal, written updates to the Office of the Privacy Commissioner of Canada.
Yet, this has not happened in the seven years since CSIS submitted its first Privacy Impact Assessment (PIA), a 2010 document that appears to have predated a period of significantly stepped-up data spying.
"It's the only PIA that we have received," Privacy Commissioner Daniel Therrien said in an interview with The Globe and Mail on Thursday.
He argued it is imperative that watchdogs such as him are kept current by CSIS. "National-security agencies are collecting information about many people, including law-abiding citizens, innocent people, with a view to identifying security threats," he said. "I've stated concerns that collecting and sharing may be excessive and may unduly impact innocent Canadians."
Like all federal officials who were apprised of classified CSIS programs, he would not speak to specific details.
In 2006, CSIS launched an initiative known as the Operational Data Analysis Centre. Details have lately emerged about failed followups and curious omissions related to ODAC that the spy service has had with judges, ministers and federal watchdog bodies.
These are the people allowed to know things about CSIS that the wider public cannot. While briefings, memos and reports about ODAC did intermittently happen, many appear to have glossed over potential legal and privacy risks.
Until recently, Federal Court of Canada judges were looped in less than the other bodies. They exposed ODAC's operations to the public last fall in a scathing ruling. In it, the judges wrote CSIS had unlawfully retained data about ordinary Canadians as they castigated the spy service for keeping their court in the dark about the very existence of ODAC.
In 2006, CSIS had promised its minister in a written memo that it would voluntarily brief the judges about ODAC. By 2015, a watchdog body released a report to Parliament urging CSIS to come clean with the judges. But the spy service initially resisted the advice, saying that it "was both inappropriate and unwarranted."
The Privacy Impact Assessment about ODAC was less contentious. A legal requirement for federal agencies, it still came to the Privacy Commissioner with a caveat that it was off limits to others. "Due to the extreme sensitivity of the Service's activities in general, and the highly sensitive investigative techniques/data sources used by the ODAC, the PIA will not be available to the general public."
A redacted version has been released to The Globe under Access to Information laws and the takeaway is that ODAC posed no real problems. "The assessment process has identified no high-privacy risk," CSIS argued.
However, the spy service pointed out that ODAC was still then in a "capacity-building phase." The report "is a snapshot in time and scope," it said. "Because the design of the ODAC solution continues to evolve and will never be complete, it is necessary to ensure that the PIA process continues iteratively so that any new privacy issues are appropriately identified, analyzed and resolved.
"The Service will refresh the PIA process and update the report periodically," CSIS wrote.
That was seven years ago. No subsequent reports are in yet, according to Mr. Therrien.
The Privacy Commissioner said he expressed concerns to CSIS after the 2010 report was filed, but he is not at liberty to discuss them.
Following the Federal Court ruling, he added, CSIS Director Michel Coulombe invited his office to renew the dialogue. The conversation is now ongoing.
The Globe recently reported that, in 2012, CSIS analysts circulated a PowerPoint where they mulled how much could they enhance the efficacy of ODAC by obtaining "bulk datasets."
What CSIS considers a bulk dataset, and how it gets them, has never been disclosed. But a watchdog body last year urged that CSIS halt "ingesting" them pending new rules.