The government hasn't done enough to protect the privacy of "law-abiding Canadians" from new information-sharing powers in the omnibus security legislation known as C-51, says a federal watchdog.
Privacy commissioner Daniel Therrien said Tuesday he was surprised that many federal agencies did not examine the effect the powers in the controversial Conservative bill would have on people's personal information.
In his annual report, Therrien recommended agencies carry out formal privacy impact assessments — a key tool required under government policy when departments set up any new program or activity involving personal information.
The Security of Canada Sharing Information Act, part of C-51, expanded the exchange of federally held information about activity that "undermines the security of Canada."
The former Conservative government, which brought in the legislation, argued the measures were needed because some federal agencies lacked or had unclear legal authority to share information related to national security.
In his report, Therrien said the law is broadly worded and leaves much discretion to agencies to define what sort of activities undermine security. The scale of information-sharing that could occur "is unprecedented," he added.
Legal standards for information sharing should ensure that "law-abiding Canadians, ordinary Canadians who should have nothing to fear from surveillance activities of the state, are not caught by the information-sharing regime," Therrien told a news conference.
In the first six months the law was in force — August 1, 2015, to Jan. 31 of this year — five agencies reported to Therrien's office that collectively they received information through the law on 52 occasions.
Of the five agencies, three had developed policy and guidance documents, but these "lacked specificity and detail to provide meaningful assistance to employees" to help them determine whether thresholds for sharing had been met.
In addition to formal privacy assessments, Therrien says there should be information-sharing agreements that contain core privacy protections and safeguards against accidental disclosure of personal data.
Public Safety Canada has agreed with the recommendations.
Therrien also called Tuesday for amendment of the National Defence Act to clarify the powers of Canada's cyberspy agency, the Communications Security Establishment, along with specific legal safeguards to protect the privacy of Canadians.
The Ottawa-based CSE uses highly advanced technology to intercept, sort and analyze foreign communications for material of intelligence interest to the federal government. It is a member of the Five Eyes intelligence alliance that also includes the United States, Britain, Australia and New Zealand.
The CSE watchdog declared earlier this year that the spy agency broke privacy law by sharing information about Canadians with foreign partners. Certain types of metadata containing Canadian identity information were not being properly "minimized" — stripped of potentially revealing details — before being passed to the CSE's four key foreign partners.
Metadata is information associated with a communication — such as a telephone number or email address — but not the message itself. Still, privacy advocates, including Therrien, argue it can be quite revealing.
In the House of Commons, New Democrat MP Randall Garrison urged the government to support all of Therrien's recommendations.
Public Safety Minister Ralph Goodale called Therrien an "exceedingly important" watchdog. "His views matter. I welcome his scrutiny on specific issues."
The Liberal government recently issued a discussion paper to kick off a public review of national security policy, including how best to keep an eye on intelligence services.
The paper seems more concerned with the dilemmas of security officials than issues of personal privacy, Therrien said Tuesday. "I'm concerned with the tone of the document."
Goodale insisted the privacy commissioner's advice would be invaluable to the government.