OTTAWA—A federal watchdog is looking into claims that Canada’s spy agency had only one serious privacy violation in 2015, the Star has learned.

The Canadian Security Intelligence Service (CSIS) reported just one privacy breach in 2015, and only after the spy agency was urged to by an independent review body.

Privacy commissioner Daniel Therrien said he’ll be contacting CSIS to ensure they’re following government-wide rules to report all serious breaches to his office.

“It is certainly something to investigate with CSIS,” Therrien said in an interview Friday.

“I will follow up with CSIS to inquire as to whether they think they’re bound by (the reporting requirement), (and) whether truly there was only one incident to be reported.”

Documents recently tabled in Parliament revealed federal departments and agencies logged 5,853 privacy and data breaches in 2015. Taken together, the breaches involved 45,892 individual Canadians.

CSIS did not disclose their one reported incident in the parliamentary documents, citing national security concerns, but confirmed it when contacted by the Star.

In 2014, the federal government created a new rule that all “material” privacy breaches — those that could cause serious damage to Canadians, or affect a large number of individuals — must be reported to Therrien’s office and the Treasury Board.

Material privacy breaches can range from the relatively minor — misdirected mail or electronic files mistakenly accessed — to serious incidents, such as stolen hard drives or improper snooping.

But the parliamentary documents reveal that in 2015, only 304 breaches were disclosed to the commissioner — 5.2 per cent of the total.

CSIS was asked to report one incident by the Security Intelligence Review Committee, an independent body that looks into the agency’s operations. The agency had been accessing taxpayer information at the Canada Revenue Agency without a warrant — a practice that CSIS itself reported to the SIRC and asked them to investigate. It’s not clear how many people were affected by the breach.

In a statement, CSIS said it was bound by the policy to disclose material breaches. But when asked if the agency proactively reports breaches, or only does so at the SIRC’s direction, a spokesperson said only that the agency respects Canadian law and ministerial directive.

“The (SIRC) reports to Parliament on the operations of CSIS,” spokeswoman Roxanne Ouellette wrote in a statement. “SIRC ensures that powers given to CSIS are used legally and appropriately, in order to protect Canadians’ rights and freedoms.”

In response to an official request to detail the number of privacy and information breaches from NDP MP Alexandre Boulerice, CSIS said they have “robust” protections in place for private information.

“CSIS maintains robust policies and procedures in regards to its collection activities and in its information management policies and procedures,” the agency wrote. “For reasons of national security, CSIS does not disclose information related to data, information, or privacy breaches.”

The agency declined to provide a global number of breaches in 2015, as requested. Other departments on the national security file, such as Public Safety (two breaches), the Canadian Border Services Agency (35), and the RCMP (52) were more forthcoming.

RCMP Const. Annie Delisle said the force reviews potential privacy breaches before reporting them to both the privacy commissioner and Treasury Board.

“While the RCMP would not disclose specific details of a privacy breach that could compromise national security, or ongoing operations and investigations, it is still obligated to report that a breach has occurred,” Delisle wrote in a statement.

Therrien said some national security agencies seem to be concerned that reporting to his office as well as their own review bodies would create duplication. He said he is open to discussing how the privacy office could work with review bodies like the SIRC to provide efficient and effective oversight on privacy files.

“We’re only two or three years after the Snowden revelations,” Therrien said, referring to U.S. whistleblower Edward Snowden. “I don’t think it’s the time now to reduce the jurisdiction of review bodies ... I think it is more time to facilitate the sharing of information between oversight bodies so that we can do our job as efficiently as possible.”

In a recent submission to a parliamentary committee, Therrien recommended that the duty to report privacy breaches to his office be enshrined in law.

The Star spoke with Therrien on Friday. The interview has been edited and condensed for clarity.

The Star: Has the situation improved at all since your 2014-15 annual report, which stated only 10 per cent of departments and agencies have reported privacy breaches, as required?

Daniel Therrien: Since the last annual report we have seen a change. And since then, we also saw the report (to Parliament). We may not be talking about the same types of breaches reported to me or in response to Mr. Boulerice. He wasn’t necessarily concerned with privacy breaches, it might be other technological breaches ... but it’s clear there’s a big gap between the numbers reported in answer to his question, and the number reported to our office ... And that is something we intend to inquire into.

Q: There is a huge gap. But we’re talking about every federal department and agency here. How do you go about bringing them on side?

DT: Well, I want to have discussions in the short term. And I also made recommendations to amend the Privacy Act about a month ago in a submission to a parliamentary committee. And among the changes recommended is that this obligation to report privacy breaches, which is now the subject of a policy or directive, be elevated to a legal obligation. Private companies … (will soon) have an obligation, a legal obligation, to report privacy breaches when the relevant regulations are adopted. There’s no reason why government agencies and departments should have less of an obligation to report privacy breaches than private companies.

Q: What’s the danger if departments and agencies don’t report breaches to you? Practically speaking, for Canadians, what’s the danger?

DT: One of the reasons for privacy breach notifications is to determine whether to advise the affected people so they can remedy the situation themselves, or that the institution, public or private, (can) take measures to remedy the situation. If breaches are not reported, that set of considerations does not come to play and people do not know that there’s a risk for them. So that’s at the individual level, (for) people affected by these breaches. If we don’t get a privacy breach notification, we’re also missing a big part of the picture to determine, on a more general perspective, what are the types of breaches that companies and departments face so that we can analyze trends and give proper advice to these departments or companies on how to remedy the situation. So there’s a risk for individuals directly affected, and there’s a risk that generally speaking the right measures may not be adopted by (private) sectors or (government) departments.

Q: Were you surprised at the number of breaches recently reported to Parliament through Mr. Boulerice’s question? (There were 5,854 breaches involving the personal information of 45,892 Canadians in 2015).

DT: All I would say is that they’re clearly higher, much higher, than the number of breaches reported to us. So that means there’s reasons for us to investigate what’s behind that difference. The number is high. We know, because we see in the media that again private organizations and departments are the victims of breaches. We hear about that frequently. To quantify this is difficult. I’m certainly concerned that there’s a huge gap between what is reported to us, and what was reported to Mr. Boulerice. There is a significant issue. How significant and how do you quantify it, I’m not sure I have the most accurate figures based on what was given to Mr. Boulerice.