Backgrounder
A redacted version of the National Security and Intelligence Review Agency’s (NSIRA) annual review, Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA) for 2023: Mitigation and Armed Conflict, was recently released under the Access to Information Act.
The NSIRA Act requires NSIRA to annually review the implementation of all directions issued under the ACA.
NSIRA’s 2023 review examined how departments assessed the risk of mistreatment when sharing information with foreign entities. The review examined several instances of information sharing, including situations involving complex security environments and armed conflicts.
NSIRA identified areas where departments can improve their risk assessments, record-keeping, and use of safeguards before sharing information. The review also identified examples where departments determined that information should not be shared because the risks could not be addressed.
Protecting against mistreatment
Under the ACA, departments cannot share information with, or use information from, a foreign entity when doing so would create a substantial risk that an individual could be mistreated.
Before sharing information, departments must assess potential risks and take steps to address them. If the risk cannot be mitigated, the information cannot be shared.
Departments must also maintain records showing how these requirements were considered when making information-sharing decisions.
Key findings
NSIRA identified several areas where departments can strengthen their implementation of the ACA, including:
- improving risk assessments before information sharing;
- documenting decisions and safeguards;
- monitoring mitigation measures; and
- maintaining records that demonstrate compliance.
NSIRA also noted that operational needs or relationships with foreign entities do not replace the requirement to address the risk of mistreatment.
Examples
NSIRA reviewed information-sharing activities involving several federal departments and agencies.
The review identified concerns related to the assessment and documentation of risks by the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP), Immigration, Refugees and Citizenship Canada (IRCC), and Global Affairs Canada (GAC).
NSIRA also identified an example where the Department of National Defence (DND) and the Canadian Armed Forces (CAF) determined that information should not be shared because the risks could not be addressed.
Recommendations and next steps
NSIRA made two recommendations to strengthen compliance with the ACA, including improvements to risk assessments, documentation, and information-sharing practices.
Using its authority under section 31 of the NSIRA Act, NSIRA also required CSIS, DND/CAF, GAC, IRCC, and the RCMP to conduct a study of information sharing with foreign entities from countries engaged in armed conflict.
The study examined challenges in applying the Ministerial Directions and identified potential gaps in the ACA framework. The departments provided a report on the study to the appropriate Minister and submitted a copy to NSIRA in 2026, as required under the Act.
