RCMP inappropriately shares personal information on thousands of individuals with other federal agencies

The findings come from a joint review by the National Security and Intelligence Review Agency and the Office of the Privacy Commissioner

The RCMP disclosed the personal information of thousands of foreign individuals based on incomplete information to the Department of Defence – Canadian Armed Forces (DND-CAF).

This was revealed after the National Security and Intelligence Review Agency (NSIRA) and the Office of the Privacy Commissioner (OPC) took part in a joint review examining disclosures federal institutions made under the Security of Canada Information Disclosure Act (SCIDA).

Approved in 2019, SCIDA allows 17 federal institutions to share information with each other to protect security. This includes sharing personal information.

A two-part test, known as the disclosure test, must be satisfied before any information can be shared under this act. The first part is that the institution sharing the information is satisfied it will help the institution receiving it. The second is that personal privacy won’t be impacted “more than is reasonably necessary.”

The review examined 215 disclosures from 2020, 212 of which passed both parts of the test. The three that didn’t were all disclosures made by the RCMP.

The specifics

The first part of the test was not satisfied in two of the disclosures. Made on a proactive basis, one went to Global Affairs Canada (GAC) and the other to Immigration, Refugees and Citizenship Canada (IRCC). The review notes the RCMP failed to show they considered how each disclosure would help the recipient deliver on national security.

The information was shared “based on a mistaken belief that disclosed information fell within the recipient’s jurisdiction.” The review notes the RCMP acknowledged to the NSIRA the information they shared was not compliant under SCIDA. The RCMP said it was also in the process of updating its SCIDA policy.

In its third disclosure, the RCMP failed to meet the second part of the disclosure test.

According to the review, the RCMP received information on thousands of men, women, and children whom an unknown third party detained for their alleged involvement in terrorist organizations. The information was sent by a “trusted foreign partner,” along with detailed notes indicating how the information was obtained.

The RCMP shared the initial data set with DND-CAF because of its counter-terrorism mandate and its operations in the regions where the named individuals were detained. But the RCMP failed to share the additional detailed information on how the information was collected. It also didn’t have any record of receiving this information.

DND-CAF said the information was not integrated into its system but that it has to be held onto for “force protection and to rapidly identify threats.”


The review led to two recommendations relevant to this case. The first asks the RCMP to finish updating its SCIDA policy, update decision-makers on the requirements of the disclosure test, and make sure all information is appropriately documented.

The second is that the RCMP provides the remaining information to the armed forces, and DND-CAF assesses whether or not keeping the personal information they have on hand is necessary.

Update 24/02/22 3:16pm EST: In a response to MobileSyrup, the RCMP says they welcome the review through which they remained open and transparent. “The RCMP is committed to implementing process-related improvements recommended by NSIRA-OPC, and much of this work is already underway. However, the RCMP stands firmly behind its actions in relation to our disclosure to DND-CAF and believes Canadians would expect nothing less.”


Source: National Security and Intelligence Review Agency/Office of the Privacy Commissioner of Canada