TBS summary comments
TBS disagrees with Recommendation 1 and disagrees with findings 15, 16, and 17.
NSIRA is proposing to remove a security measure that has been in successful use for almost four decades, and that is applied to only a small fraction of the public service for protection of only the most sensitive information, with no consideration or mention of the current threat environment facing the Government of Canada or the proven record of that security measure in uncovering adverse information.
The 2014 Standard on Security Screening was the first whole-of-government policy on security screening of employees and contractors and constituted a substantial improvement in consistency, transparency, and accountability. Extensive consultations and analysis with Government of Canada partners informed the production of the Standard and the governance approval process to ensure that all legal and policy requirements were met, including compliance with the Privacy Act and the Canadian Charter of Rights and Freedoms.
TBS remains confident that the polygraph is an important and effective security screening tool and that its proper use is consistent with Canadian law and values.
CSE summary comments
CSE partially agrees with Recommendation 2, agrees with finding 8, partially disagrees with findings 2-4,10,11,14 and disagrees with findings 1,5-7,9,12,13.
The polygraph is a diagnostic tool that is part of a global security assessment that is consistent with the Treasury Board Standard on Security Screening. It is a testing measure that helps in establishing loyalty to Canada and reliability as it relates to loyalty. The polygraph is a small portion of the screening apparatus at CSE.
CSE will undertake a more thorough assessment of the privacy risks involved in the security screening program, building on the existing Privacy Assessment developed in 2014 by TBS for the Standard on Security Screening, to strengthen privacy practices when collecting and handling personal information during security screening.
CSE is confident that it has complied with section 7 of the Privacy Act and will review the polygraph consent form to ensure transparency regarding the use of information. CSE will also update and improve the implementation of standardized processes and questionnaires governing the disclosure of medical information.
Before a polygraph exam, CSE provides information concerning the general process of the polygraph to every examinee. The examinee is told that the polygraph instrument is not infallible and that errors do occur. They are also told that withholding any information may have a negative impact on the individual’s eligibility to obtain or maintain a security clearance.
There were some issues apparent with the quality control of polygraph exams discovered during this review. CSE will implement new and improved practices to ensure the quality control of polygraph exams.
TBS detailed response to NSIRA’s findings and recommendations
Recommendation 1
NSIRA recommends that the Treasury Board of Canada urgently remedy the issues identified by this review related to the legality, reasonableness and necessity of the use of the polygraph for security screening in Canada, or remove it from the Standard on Security Screening.
Government response
TBS disagrees with Recommendation 1
Explanation
R1: NSIRA’s report does not include any discussion of the utility or efficacy of polygraph examinations in uncovering adverse information and helping inform security screening decisions, even though such information was available to NSIRA. NSIRA is proposing to remove a security measure that has been in successful use for almost four decades, and that is applied to only a small fraction of the public service for protection of only the most sensitive information, with no consideration or mention of the current threat environment facing the Government of Canada. TBS remains confident that the polygraph is an important and effective security screening tool and that its proper use is consistent with Canadian law and values.
Related finding(s)
Finding 15: NSIRA found that TBS did not adequately consider privacy or Charter implications when it included the polygraph as a security screening activity under the Standard on Security Screening.
Government response
TBS disagrees with Finding 15
Explanation
F15: The 2014 Standard on Security Screening was the first whole-of-government policy on security screening of employees and contractors and constituted a substantial improvement in consistency, transparency, and accountability. Extensive consultations and analysis with Government of Canada partners including the government-wide departmental security community, privacy experts, and security and intelligence agencies, as well as international comparisons, informed the production of the Standard and the governance approval process to ensure that all legal and policy requirements were met, including compliance with the Privacy Act and the Canadian Charter of Rights and Freedoms.
At the time the Standard was approved, the use of the polygraph for security screening purposes was informed by consultations with Government of Canada partners and subject matter experts. The polygraph had been in use by the Government of Canada for security screening purposes for almost four decades with a proven record of uncovering adverse information. TBS completed a Privacy Assessment on the Standard as part of the implementation phase post 2014. The assessment includes the tools and techniques used to collect the needed information as well as other privacy considerations such as the four-part test examining necessity, effectiveness, proportionality and minimal intrusiveness, and how sections 4 to 8 of the Privacy Act and related privacy policy are respected.
Related finding(s)
Finding 16: NSIRA found that the Standard on Security Screening insufficiently addresses Charter and privacy implications related to the use of the polygraph.
Government response
TBS disagrees with Finding 16
Explanation
F16: The 2014 Standard was approved following several years of development and analysis representing substantial due diligence and governance approvals. All aspects of the Standard were reviewed from the perspective of Charter compliance and the protection of privacy. TBS completed a Privacy Assessment on the Standard as part of the implementation phase post 2014. The assessment includes the tools and techniques used to collect the needed information as well as other privacy considerations such as the four-part test and how sections 4 to 8 of the Privacy Act and related privacy policy are respected.
Related finding(s)
Finding 17: NSIRA found that the Government of Canada’s current use of the polygraph for security screening in the manner described in this review may raise serious concerns in relation to the Canadian Charter of Rights and Freedoms.
Government response
TBS disagrees with Finding 17
F17: At the time the Standard was approved, the use of the polygraph for security screening purposes was informed by consultations with Government of Canada partners and subject matter experts. The polygraph had been in use by the Government of Canada for security screening purposes for almost four decades with a proven record of uncovering adverse information relevant to security screening decisions. TBS is confident that the polygraph is an important and effective security screening tool and that its proper use is consistent with Canadian law and values.
CSE detailed response to NSIRA’s findings and recommendations
Recommendation 2
NSIRA recommends that CSE urgently remedy the issues identified by this review, including Charter and Privacy Act compliance, or cease conducting polygraph exams for security screening.
Government response
CSE partially agrees with Recommendation 2
Explanation
R2: While CSE has already created new processes and teams to refine its practices, CSE will continue to improve and refine its governance surrounding the security screening process in order to ensure consistency and standardization.
CSE will continue to conduct polygraph examinations as it remains confident that the polygraph is an important security screening tool that is particularly necessary in light of the current national security and intelligence landscape. Furthermore, CSE is confident that the proper use of the polygraph is consistent with Canadian law and with the intended use identified at the time of the signing of the forms by the applicant.
Related finding(s)
Finding 1: NSIRA found that CSE’s governance of the use of the polygraph for security screening inadequately addresses privacy issues.
Government response
CSE partially agrees with Finding 1
Explanation
F1: This is not a standalone finding. Finding 1 simply points to the subsequent 4 findings for evidence of insufficient governance of polygraphs at CSE without offering any detail or further information to support this specific finding.
Related finding(s)
Finding 2: NSIRA found that CSE did not conduct a Privacy Impact Assessment related to its use of the polygraph for security screening.
Government response
CSE partially agrees with Finding 2
Explanation
F2: In 2014, TBS developed a Privacy Assessment for the Standard on Security Screening. This assessment addresses some privacy risks associated with the activities proposed under the Standard, including some considerations pertaining to the polygraph evaluation.
CSE will undertake a more thorough privacy impact assessment of its security screening program to strengthen the organization’s privacy practices when collecting and handling personal information during these activities.
Related finding(s)
Finding 3: NSIRA found that CSE may not have considered whether all information collected during the polygraph is directly related or necessary to the assessment of loyalty to Canada or criminality, as required by the Privacy Act and the Directive on Privacy Practices.
Government response
CSE partially agrees with Finding 3
Explanation
F3: As indicated above, CSE will undertake an assessment to identify all elements of personal information collected and determine their necessity.
The only privacy concerns raised over the course of the review were those of CSE’s employees that did not want NSIRA to have access to polygraph records and personal information that they had entrusted to CSE security professionals. Many CSE employees were unaware that NSIRA had the legal authority to demand access to records containing their personal information without their consent. CSE is of the view that the statements in NSIRA’s report misrepresent the privacy concerns expressed by CSE employees during the course of the review. NSIRA disregarded CSE’s attempts to correct this factual inaccuracy at the draft report consultation stage of this review.
All personal information collected throughout the security screening process, regardless of which specific security activity is relied on for the collection, is for the purpose of supporting decisions related to an individual’s security clearance; therefore, to comply with section 4 of the Privacy Act, the collection of personal information during the polygraph evaluation must be directly related to security screening as a program, not to the narrow purpose of the specific security activity where the collection occurs, such as the polygraph evaluation.
Related finding(s)
Finding 4: NSIRA found that polygraph examiners applied an ad hoc approach as they assessed medical information collected during the polygraph.
Government response
CSE partially agrees with Finding 4
Explanation
F4: Medical information collected during the polygraph evaluation is for the sole purpose of applying mitigating factors in order to ensure a good evaluation and positive outcome. As CSE polygraphists progress through the evaluation, they use this information to adjust the equipment and questions, if necessary, based on the particular circumstances of each examinee. CSE will update and improve the implementation of standardized processes and questionnaires governing the disclosure of medical information.
Related finding(s)
Finding 5: NSIRA found that CSE may not have complied with section 7 of the Privacy Act by using information collected during polygraph exams for suitability and hiring decisions without the consent of the subject.
Government response
CSE disagrees with Finding 5
Explanation
F5: As per s.4 of the Privacy Act, CSE and other government institutions can collect personal information that relates directly to an operating program or activity of the institution, such as security screening. Section 7(a) of the Privacy Act further provides that the personal information under the control of a government institution shall not be used by the institution without the consent of the individual except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with the purpose. Such use is not based on consent.
The use of the information collected by CSE during the security screening process, which includes the polygraph examination, is accounted for in the Standard Personal Information Bank (PIB) PSU 917, the standard bank associated with Government of Canada security screening. PIB PSU 917 also provides for recognized consistent use of the personal information collected by an institution during the security screening process, which includes sharing information within the institution, such as CSE, for staffing purposes (PIB PSE 902), which would include for the purpose of making hiring decisions based on the suitability of a candidate, as per the particular hiring process at issue.
Nonetheless, CSE will review the consent form to determine if improvements may be made to ensure transparency regarding the use of the information collected during polygraph exams.
Related finding(s)
Finding 6: NSIRA found that CSE provides subjects with information that overstates the reliability and validity of the polygraph prior to obtaining consent.
Government response
CSE disagrees with Finding 6
Explanation
F6: CSE provides information concerning the general process of the polygraph to every examinee. It is stipulated in the document that the polygraph instrument is not infallible and that errors do occur. Each polygraph examiner is open to any questions examinees may have.
Related finding(s)
Finding 7: NSIRA found that, in some instances, the way in which CSE conducted polygraph exams risked prompting subjects to fabricate information in an effort to clear themselves when faced with an unfavorable polygraph assessment.
Government response
CSE disagrees with Finding 7
Explanation
F7: Security personnel remind individuals that withholding or fabricating any information could negatively impact their security clearance. Per the instructions, the individual must provide all information relevant to the security screening process – in other words, withholding any information which may have a negative impact on the individual’s eligibility to obtain or maintain a security clearance is discouraged.
Related finding(s)
Finding 8: NSIRA found instances where CSE’s quality control practices for polygraph exams were not always consistent with CSE policy.
Government response
CSE agrees with Finding 8
Explanation
F8: While the majority of the polygraph tests were reviewed by management as required by policy, CSE agrees that the timeliness of the review was delayed and quality control practices were conducted in an inconsistent manner. CSE will implement new and improved mechanisms/practices to ensure polygraph test reviews and their associated quality control practices are completed in a timely, rigorous and standardized process.
Related finding(s)
Finding 9: NSIRA found that approximately 20% of security files from the sample reviewed were missing audiovisual recordings of polygraph exams.
Government response
CSE disagrees with Finding 9
Explanation
F9: NSIRA’s overall review sample consisted of less than 3% of polygraph examinations processed during the period under review. NSIRA reviewed polygraph recordings for approximately 15% of that sample, representing less than 0.5% of the total. CSE informed NSIRA at the early stages of the review that it was aware of technical problems with some recordings during the review period. CSE has since taken steps to procure backup cameras to ensure the video and audio recordings are also recorded on a standalone device.
Related finding(s)
Finding 10: NSIRA found that in all cases, when initial polygraph exam results indicated deception or were inconclusive, CSE’s practice was to conduct multiple polygraph exams rather than a resolution of doubt process as provided for under the Standard.
Government response
CSE partially agrees with Finding 10
Explanation
F10: The Standard stipulates that a security interview can be used as a means to resolve doubt. The polygraph evaluation is part of the overall security screening process and as such is considered a security interview. In some cases, when adverse information is disclosed as a result of a polygraph test, the file is returned to the Personnel Security Officer (PSO) for further clarification. In cases of tests resulting in Deception indicated or Inconclusive, if the situation can be resolved with another polygraph evaluation for clarity, efficiency and less intrusiveness, then this assessment will be used.
For context, it is important to note that NSIRA specifically requested to see a sub-list of all files that had two or more polygraph examinations performed during the same screening period. From this list they chose 33% of the recordings they would ultimately review, which represented less than 0.2% of the total polygraph examinations during the period of review.
Related finding(s)
Finding 11: NSIRA found that the polygraph had an inordinate importance in security screening decision-making at CSE and other less-intrusive security screening activities were under-used or not used at all.
Government response
CSE partially agrees with Finding 11
Explanation
F11: CSE complied with the Treasury Board Standard on Security Screening in using all the assessments available at the time of the review period. The entirety of the information gathered during the security screening process (Security interview, fingerprint records, finances, polygraph assessment, open-source searches) is assessed in order to achieve a final security decision on whether to grant a status or a clearance.
Law Enforcement Records Checks (LERCs) were not available until recently when an MOU with the RCMP was implemented (post review period).
Furthermore, CSE's Open-Source check was in its infancy when the review process started. Since then, CSE has sent employees on Open-Source training in order to have a more consistent and complete process.
CSE utilizes all the tools available to ensure a comprehensive and standardized security screening process is conducted for each candidate.
Related finding(s)
Finding 12: NSIRA found that the polygraph was de facto determinative in security screening decisions at CSE.
Government response
CSE disagrees with Finding 12
Explanation
F12: It is important to note that the polygraph is a small portion of the screening apparatus at CSE. The polygraph is a diagnostic tool that is part of a global security assessment that is compliant with the Treasury Board Standard on Security Screening. It is a testing measure that helps in establishing loyalty to Canada and reliability as it relates to loyalty.
Related finding(s)
Finding 13: NSIRA found that CSE’s security screening decision-making may not comply with record-keeping requirements of the Standard on Security Screening.
Government response
CSE disagrees with Finding 13
Explanation
F13: All security screening information and decisions are kept in CSE's case management tool. While NSIRA did not have direct access to the tool, CSE security personnel provided NSIRA with a step-by-step demonstration of how the decision is made to either continue or not with the screening process and next stages. The final decision is based on the cumulation of all these steps and is recorded in CSE's case management tool.
Related finding(s)
Finding 14: NSIRA found that CSE’s use of the polygraph in security screening decisions makes more uncertain the opportunity to challenge denials of security clearances pursuant to the NSIRA Act and the Standard.
Government response
CSE partially agrees with Finding 14
Explanation
F14: CSE has undertaken changes to its processes that now ensures clarity around security clearance decision making.