Backgrounder
The National Security and Intelligence Review Agency (NSIRA) recently completed its annual review of Government of Canada institutions’ disclosures under the Security of Canada Information Disclosure Act (SCIDA) for 2024. SCIDA allows federal institutions to share information to safeguard national security, including sensitive personal data like immigration and travel details. Under section 39 of the NSIRA Act, NSIRA is required to review these disclosures annually and publicly report on their compliance with legal standards, including necessity, proportionality, and privacy protection.
Why This Matters
Information sharing under SCIDA can have significant implications for individuals’ privacy and Charter rights.
NSIRA’s review highlights both improvements in how institutions apply the Act and areas where further clarification and safeguards are needed to ensure disclosures remain lawful, proportionate, and privacy compliant.
This oversight helps protect Canadians’ rights while supporting effective national security operations.
Purpose of the Review
NSIRA’s review assessed whether federal institutions:
- Complied with SCIDA’s disclosure and record-keeping requirements
- Applied the Act’s contribution and proportionality thresholds appropriately
- Managed personal information in a manner consistent with privacy and Charter obligations
The review examined disclosures made in 2024 by the Canada Border Services Agency (CBSA), Communications Security Establishment (CSE), Canadian Security Intelligence Service (CSIS), Global Affairs Canada (GAC), Immigration, Refugees and Citizenship Canada (IRCC), and the Royal Canadian Mounted Police (RCMP). Due to a substantial increase in disclosures from IRCC to CSIS, NSIRA focused its review primarily on information sharing between those two organizations.
What NSIRA Found
Context and Key Trends
- Significant increase in disclosures: In 2024, Government of Canada institutions made 900 disclosures under SCIDA.Disclosures from IRCC to CSIS increased by nearly 300%, rising from 194 in 2023 to 770 in 2024. This increase reflects a shift toward using SCIDA as the primary mechanism for sharing immigration-related information.
- Changes to disclosure practices: NSIRA found that, in spring 2024, IRCC and CSIS implemented a tiered request and disclosure process, distinguishing between basic and advanced disclosures and introducing standardized templates. NSIRA found that this approach reduced the disclosure of unnecessary personal and third-party information and contributed to improved compliance with SCIDA’s privacy requirements.
Findings
- Record-keeping compliance: NSIRA found that institutions generally complied with SCIDA’s record-keeping obligations for disclosures made in 2024.
- Limits in request justifications: In some cases, NSIRA found that the information provided by CSIS in its requests to IRCC was limited. This constrained IRCC’s ability, as the disclosing institution, to fully assess whether the requested disclosures met SCIDA’s contribution and proportionality requirements.
- Disclosures involving minors: NSIRA found that IRCC did not have a formal policy governing disclosures involving minors, which resulted in inconsistent handling of their personal information.
- Retention of unnecessary information: NSIRA found that, in one instance, CSIS retained personal information that was not necessary for exercising its national security mandate, contrary to SCIDA’s requirements.
What NSIRA Recommends
NSIRA made a number of recommendations to strengthen compliance with SCIDA:
- Ensuring that requesting institutions provide sufficient information to allow disclosing institutions to assess necessity and proportionality
- Developing a policy to guide disclosures involving minors and recognize their distinct privacy interests
- Limiting the sharing and retention of personal information to what is necessary for national security purposes
