The controversial data-crunching centre run by Canada's spy agency has long been using personal details gleaned from security clearance forms to help with national security probes — a practice that worries the federal privacy watchdog, newly disclosed letters show.
Privacy and security experts said Friday the revelation about the Canadian Security Intelligence Service's Operational Data Analysis Centre underscores the need for new safeguards in an age of sophisticated digital sleuthing.
The freshly released correspondence exposes the fact that for at least five years the CSIS data analysis centre has drawn upon private information — provided during security assessments for employment and immigration purposes — to assist with terrorism and espionage investigations.
The Canadian Press used the Access to Information Act to obtain heavily censored copies of the letters between CSIS and the federal privacy commissioner.
The exchange paints a fuller picture of how CSIS's secretive analysis centre exploits information collected by the spy service to detect patterns and corroborate leads.
The virtually unknown analysis centre became a focus of intense public concern last November when Federal Court Justice Simon Noel said CSIS violated the law by keeping electronic data trails about people who were not actually under investigation.
CSIS set up the centre in 2006 to more rigorously exploit and analyze data.
The spy service cited only low risks to personal information in an August 2010 assessment of the centre it submitted to the privacy commissioner.
In a newly released November 2011 reply to CSIS, the privacy commissioner's office expressed concern about possible use of security assessment information for purposes other than immigration or job clearances.
CSIS's security screening program helps the government prevent newcomers who pose a threat from entering Canada and acquiring legal status. It is also intended to ensure people of security concern do not gain access to classified information, sensitive sites or major events.
The privacy commissioner's letter recommended that people be told the information they provide to CSIS may be used "for purposes beyond the provision of security assessment services, such as general law enforcement, national security, or within the context of an investigation."
CSIS took almost a year to respond, but in November 2012 the spy service told the commissioner's office that while the data analysis centre was indeed using assessment information to help with security probes, existing measures addressed the privacy watchdog's concerns.
The intelligence service noted that people who need a federal security clearance must complete a screening, consent and authorization form that advises applicants their personal information will be stored in a CSIS personal information bank.
A publicly available description of that bank says the information may be used for data-matching or for the purpose of conducting lawful investigations, the CSIS letter added.
CSIS spokeswoman Tahera Mufti said the data analysis centre continues to use security assessment information in support of national security investigations — for instance, to corroborate a name or address.
"CSIS takes very seriously all potential privacy considerations related to its work and is committed to ensuring that its activities are transparent, accountable and in compliance with privacy legislation, guidelines and best practices," Mufti said.
An independent judge or tribunal should look over CSIS's shoulder before the spy service searches through a huge database of pooled information to match up bits of data, said University of Ottawa law professor Craig Forcese, a specialist in national security.
It would be ridiculous to suggest CSIS should stop exploiting data through advanced analytics, he said. "I think the question is whether there are sufficient safeguards on how they do it."
Ann Cavoukian, executive director of the Privacy and Big Data Institute at Ryerson University, called for an "exhaustive examination" of the spy service's information processing by an independent body such as the privacy commissioner.
"I really think that's essential, and I'm not going to take CSIS's word on this stuff."
Tobi Cohen, a spokeswoman for the privacy commissioner, said she could provide few additional details given the classified nature of the file.
However, Cohen said, the spy service has been talking with the commissioner's office about the data analysis centre as a result of the November court ruling.
In addition, CSIS is working on a new privacy impact assessment concerning use of security assessment information in national security probes, she said. It will help the commissioner's office gauge whether use of the information "is appropriate and complies with privacy law."