Canada’s spy service continues to collect – and keep – too much data about ordinary citizens and there is evidence some of this material is being “retained unlawfully,” a new watchdog report has found.

The findings by the Security Intelligence Review Committee (SIRC) build on past warnings about data-dredging by the Canadian Security Intelligence Service (CSIS), and come as new national-security legislation will likely soon place such data-collection practices on sounder legal footing.

The watchdog’s concerns focus on the collection of “bulk datasets” – a practice in the global intelligence world that involves constantly collecting large volumes of records about ordinary citizens – not just national-security targets – in the hope the information can help contextualize potential security threats.

Story continues below advertisement

Related: CSIS purging years of communications data collected on Canadians

Canada’s spy agencies casting wider net on citizens’ electronic data, parliamentary report say

It is a distinct issue from SIRC’s previously stated concerns over CSIS practices of retaining communications “metadata,” such as the phone numbers and e-mail addresses of Canadians who were previously seen to be connected to terrorism suspects, even though they were not considered threats themselves.

SIRC does not provide examples of the specific bulk datasets CSIS is using in its work. The spy agency is amassing volumes of such data even though it “had difficulty in demonstrating to SIRC the utility of the [bulk] datasets,” the report reads.

SIRC’s latest annual report to Parliament was tabled on Wednesday, just before the summer recess and one day after MPs approved Bill C-59, the national-security legislation.

The government bill, which now heads to the Senate, broadly affirms the right for federal intelligence agencies to gather volumes of data about Canadians, while placing such activities under a series of checks and balances.

It also overhauls the civilian oversight regime, folding SIRC into a new National Security and Intelligence Review Agency.

Story continues below advertisement

While details about the specific bulk datasets held by CSIS are scant, Canada’s closest intelligence allies have said publicly they constantly gather and keep all manner of disparate datasets because such material, if analyzed together, can point to terrorist threats.

In Britain, for example, forms of financial records, telephone directories, travel logs, passport data and similar material are all in play, according to an intelligence operative who stated in a 2016 lawsuit affidavit that “without the haystack one cannot find the needle.”

About all that is known of CSIS’s forays in this realm is that since 2006, the agency has been putting different data into its Operational Data Analysis Centre (ODAC). The existence of this centre was highlighted two years ago, when Federal Court judges issued a stern public warning about CSIS’s growing designs on data.

In a 2016 ruling, the judges who oversee CSIS’s wiretap warrants said that they were kept in the dark about ODAC until SIRC urged them to look into the centre and its holdings. When they did so, they found what they considered to be illegally retained “metadata” records relating to the phone numbers and e-mail addresses of ordinary Canadians.

The findings were a major black eye for CSIS. As The Globe and Mail reported earlier this week, the spy agency is now in the midst of an effort to purge its databases of this tainted material.

But in the report released Wednesday, SIRC says CSIS’s purging efforts are not going nearly far enough. For example, the report alleges that CSIS has held on to a dataset, first gathered in 2008, that it should have destroyed in the wake of the 2016 federal ruling.

Story continues below advertisement

“In SIRC’s view, [this data] was retained unlawfully,” the report says.

The watchdog also writes that the metadata ruling should have forced CSIS to have a broader reckoning about how and why it is gathering data about innocent people. Yet it found “no evidence that CSIS had changed its policies and procedures with respect to the collection of bulk datasets.”

Responding to these complaints in the body of the SIRC report, CSIS officials vow to do better. But they also point out they are in the midst of a rapidly changing legal and technical environment involving high-stakes national-security investigations.

Public Safety Minister Ralph Goodale, who is responsible for CSIS, told The Globe that the government bill will address some of SIRC’s long-standing concerns related to the collection of data.

“They offer a number of criticisms and suggestions for improvements,” he said in response to the SIRC report. “I’m pleased to note that CSIS has by and large accepted those recommendations and in many cases has already implemented them.”