The Canadian Security Intelligence Service has failed to ensure it doesn’t illegally hold on to sensitive information about innocent people, a federal spy watchdog says.
In a report made public Wednesday, the Security Intelligence Review Committee also expresses concern that CSIS lacks the ability to make the necessary changes, two years after a scathing court ruling about its practices.
An October 2016 Federal Court decision said CSIS broke the law by keeping and analyzing electronic data about people who were not actually under investigation.
WATCH: Google, Goodale react to possible CSIS breach
The pointed ruling said the spy service shouldn’t have retained the data trails because they were not directly related to threats to the security of Canada.
CSIS processed the metadata beginning in 2006 through its Operational Data Analysis Centre to produce intelligence that can disclose intimate details about individuals.
Metadata is information associated with a communication, such as a telephone number or email address, but not the message itself.
The intelligence review committee report, tabled in Parliament, found the spy service was “still dealing with the implications” of the court decision when it comes to handling information about third parties.
WATCH: Exclusive: Did Google Street View breach security at CSIS?
The committee found that CSIS’s definitions, guidelines and training related to assessment and reporting of third-party data were “clearly insufficient.”
“In addition, (the review committee) is concerned with respect to CSIS’s capacity to deliver policy development commitments.”
The committee also looked at how the spy service was handling bulk datasets – electronic information collected in bulk that may include information about security threats.
The committee “saw no evidence” that CSIS had changed its policies and procedures concerning the collection of bulk datasets following the 2016 court decision, creating a risk the spy service could again stray beyond the law.
The findings come as a Liberal national security bill, currently before Parliament, proposes new authorities for CSIS to crunch and analyze data.
The committee report says the powers would “require rigorous governance, procedures and training to be in place from the beginning,” given its findings on how CSIS handles data.
It recommends the spy service come up with a “robust process” for assessing the privacy and legal risks to Canadians associated with datasets.
In a response included in the report, CSIS says the dataset framework in the Liberal legislation effectively addresses those concerns. “New processes, systems and policies are being developed to ensure CSIS is prepared to implement the bill.”
A modern intelligence agency requires the lawful authority to collect and analyse a broad range of data to detect threats and identify previously unknown trends and patterns, CSIS director David Vigneault said in a statement.
“Datasets are important building blocks that could lead not only to initiating an investigation, but to unfolding investigations.”
However, Vigneault acknowledged CSIS must do a better job of demonstrating the usefulness of data analysis.