OTTAWA—The federal privacy watchdog is pressing for changes to security screening procedures for public servants.
An internal memo prepared by the privacy commissioner’s office says the government has “not demonstrated the need” for several intrusive measures—from credit checks to polygraph tests.
The memo says the watchdog will continue to press the Treasury Board Secretariat to justify provisions of its security-screening standard, but also that the Treasury Board has largely proceeded without taking the privacy commissioner’s advicemover the years.
The Canadian Press used the Access to Information Act to recently obtain a copy of the November 2019 memo.
The Standard on Security Screening, introduced in October 2014, allows for screening of federal personnel ranging from the basic category of “reliability status” to “enhanced top secret” clearance.
Federal officials are reviewing the standard, as they are required to do every five years—an examination the Treasury Board says will include privacy considerations.
The internal memo says the privacy commissioner’s office planned in late 2019 to emphasize its view the Treasury Board Secretariat had not made a compelling case for the screening procedures.
“We have stressed that TBS has provided insufficient analysis to demonstrate that each measure mandated by the standard is necessary, effective, and the least privacy-intrusive measure available,” the memo says.
“Where TBS has provided evidence towards the effectiveness of these measures, the evidence has been general in nature, and the link to effectiveness has not always been strong.”
For example, with respect to checks of credit records, Treasury Board pointed to a single British study that found many data breaches are motivated by desire for money, the privacy watchdog’s memo says.
“We do not feel that this provides an actual link between poor credit and financial gain.”
Among the office’s other concerns:
— Use of police record checks, to see if someone might be associated with criminal activity, can turn up non−conviction−related information about things like mental-health incidents and domestic disputes;
— Examination of open-source information, for instance through internet searches, can still yield personal data, some of which might be inaccurate;
— Polygraph testing, which is expanded under the standard, does not directly measure trustworthiness and is known to produce both false negatives and false positives.
Mandatory security-screening requirements set out in the federal standard are applied by departments and agencies commensurate with the risk related to the duties the subject is to perform and the sensitivity of information, assets or facilities he or she will have access to, said Martin Potvin, a Treasury Board spokesman.
The government “takes the privacy rights of Canadians seriously” and continuously adopts measures to safeguard personal information held by government institutions, including in its security screening practices, he added.
The privacy commissioner’s office says Treasury Board has emphasized the need to align Canada’s screening practices with those of the other Five Eyes nations—members of an intelligence-sharing alliance that includes Australia, Britain, New Zealand and the United States.
In 2016, the watchdog acknowledged the importance of being considered “a viable, security-focused partner,” but added the federal standard raised Canada to “a level that exceeded” the other Five Eyes nations, with the exception of the U.S., says a background document included with the memo.
Vito Pilieci, a spokesman for the privacy commissioner, said the office corresponded with Treasury Board on the screening standard in February, and continues to engage with the department on the matter.
While the office’s concerns could be addressed as part of the Treasury Board review, confidentiality requirements mean the ongoing process cannot be discussed in further detail, he added.
By Jim Bronskill