Opening Statement to the Legislative Committee on Bill C-17

National Security—Information Systems and Interagency Co-operation

13 February 2003

Sheila Fraser, FCA
Auditor General of Canada

Mr. Chairman, thank you for the opportunity to appear before your Committee to discuss my Office's work on national security. With me is Richard Flageole the Assistant Auditor General responsible for Transport and who formerly was responsible for the Immigration portfolio; and Peter Kasurak, the Principal responsible for the Solicitor General portfolio and national security audits.

I will briefly describe our previous reports on this subject and then give an overview of our current projects.

Completed audits

National security involves no fewer than 17 departments and agencies of the federal government and several provincial and municipal organizations. Their functions include policy development and planning, intelligence, policing, border control, and consequence management. Since 1996 we have completed 9 audits that touched on national security information systems and on inter-agency co-operation. The list of these audits is provided as an appendix.

Information systems

We have found a pattern of inadequate information to support front-line officials and limited ability of national security information systems to inter-operate.

Key police information systems are very old and need to be replaced. An example is the Canadian Police Information Centre or CPIC. CPIC is used by police across Canada to check vehicle and driver's licenses, criminal records, reports on stolen vehicles and boats, and lists of wanted persons. Customs officials also use the system to check on people entering Canada. The RCMP began a $114.7 million project in 1999 to renew CPIC. Completing this project and continuing to monitor the CPIC's performance should be a priority.

The fingerprint database also needs renewal. The time it took to enter fingerprints into the RCMP's database grew from about 10 days in 1997 to 25 days in 1999 and was continuing to increase. We are now monitoring the RCMP's efforts to replace its fingerprint information system.

The government has an umbrella project to overcome systemic, cultural, and technological barriers to sharing criminal justice information. In October 2001, 9 of the 21 elements in this project had been completed or were on track, 6 needed monitoring, and 5 were at risk. One project for fingerprinting had no resources earmarked for it. Among the elements at risk were the governance framework, the offender tracking identifier, and the integrated police information reporting system.

We have also found problems with border control information systems. In April 2000 we published two reports that dealt with the movement of people. The first looked at how the Canada Customs and Revenue Agency manages risks at ports of entry, including airports. We found that Customs officers did not have adequate information to assess the risk that travellers pose to Canada. Many long-service officers had not received needed refresher training.

Specific findings of our 2000 audit included the following:

• The Primary Automated Lookout System, or PALS, used to screen air travelers, was outdated and Customs inspectors used it infrequently.
• The information for targeting air passengers was poor. Customs had a limited capacity to receive advance information from airlines on travellers to Canada; it had to depend on data provided by the airlines at their own discretion.

Since our report, Customs has replaced PALS-Air with an updated system. We will be reporting on the new system this spring. Members of this Committee are no doubt already aware of the government's effort to improve advance passenger information, and our Spring report will comment on this as well.

In 2000 we also presented our audit findings on the economic component of the Immigration program, managed by Citizenship and Immigration Canada. We found that visa officers had little information and support to ensure that applicants were unlikely to engage in criminal activities or endanger the safety of Canadians. The primary information system—the Computer Assisted Immigration Processing System or CAIPS—dates from the 1980s and does not provide all the information that Immigration officials need. Additional information must be sought in other legacy systems. Data matching and completeness are far from assured. Numerous attempts to upgrade CAIPS have failed. The department is now in the middle of a $194 million project over five years to replace the system.

The lack of computer systems that can inter-operate impedes the systematic exchange of criminal intelligence between Citizenship and Immigration offices and headquarters and between the Department and the RCMP and the Canadian Security Intelligence Service (CSIS).

In addition to examining the "people side" of border control, we have audited the control of commercial shipments entering Canada. In December 2001, we reported on an audit that included 147 land border crossings, 13 major airports, and 3 seaports. We questioned the effectiveness of efforts to target high-risk shipments. At the time of our audit, the Canada Customs and Revenue Agency was not collecting the information it needed to tell whether its targeting activities were leading to more enforcement actions. In other words, it did not know whether its approach to managing risk was working.

We have also reported the limitations of the national health surveillance system—a system that would detect a biological attack, for example. We first audited health surveillance in 1999 and completed a status report on progress in September 2002. Here, the problem is the number of jurisdictions involved and the lack of standards for data. Although Health Canada is working on a national framework, it has yet to set a timetable for completing the framework. It has also made only limited progress since 1999 on developing standards for surveillance data.

Interagency co-operation

Our work has also touched on interagency co-operation. We have not looked at the intelligence community since 1996, when we completed a study on control and accountability. We noted opportunities to strengthen leadership and co-ordination. We pointed to the benefit of increased senior-level guidance to, and review of, intelligence plans and products and continued efforts to integrate the contribution of agencies such as Citizenship and Immigration, Customs, and the RCMP. We also saw the need for a rigorous evaluation of the adequacy of intelligence products and the extent of duplication among products and agencies.

In our audits of border control we have noted the need for better co-ordination. Customs carries out the responsibilities of several federal departments, and it needs to have formal agreements to ensure that all the players understand their roles. One major improvement in response to our recommendations was the drafting of a memorandum of understanding between Health Canada and the Canada Customs and Revenue Agency to provide front-line Customs officers with the formal training to handle situations that involve the importation of illness. However, in September 2002, that MOU had not been signed.

The largest problems stem from jurisdictions where not only the federal government but the provinces and territories are involved. In the criminal justice area there is an array of legislation, regulations, polices, and practices that govern the privacy and security of information. For example, there are 6 federal statutes that deal with information management and 10 provincial freedom-of-information and protection-of-privacy acts. There are 11 police acts. Information needed for disease surveillance is the property of the provinces and territories. There is no generic agreement on information sharing.

Future work

We have continued to work on this file and have three projects under way now. Two of them follow up on audits of border security and will be reported in the spring of 2003. They will look at problems we have identified in the past with information systems and the co-ordination of work between Citizenship and Immigration Canada and the Canada Customs and Revenue Agency.

We are also working on a government-wide audit of the $7.7 billion initiative announced in the 2001 Budget to improve national security. This audit is in the early planning phase and it is difficult to say to what extent the final report will discuss any particular subject. However, we have identified six top-level issues: strategic resource allocation (where is the money going and why?); air travel security; human resource capacity; information technology and physical infrastructure; consequence management; and reporting to Parliament on the use of new powers.

Conclusion

Mr. Chairman, that completes my opening statement. We would be pleased to answer the Committee's questions. We would particularly appreciate of any comments on areas of interest or concern that we might include in our future work.

Appendix

List of Relevant Audits

1. 1996, Chapter 27 — The Canadian Intelligence Community—Control and Accountability

2. 1997, Chapter 25 — Citizenship and Immigration Canada and Immigration and Refugee Board—The Processing of Refugee Claims

3. 1999, Chapter 14 — National Health Surveillance: Diseases and Injuries

4. 2000, Chapter 3 — Citizenship and Immigration Canada—The Economic Component of the Canadian Immigration Program

5. 2000, Chapter 5 — Canada Customs and Revenue Agency—Travellers to Canada: Managing the Risks at Ports of Entry

6. 2000, Chapter 7 — Royal Canadian Mounted Police—Services for Canada's Law Enforcement Community

7. 2001, Chapter 8 — Canada Customs and Revenue Agency—Managing the Risks of Non-Compliance for Commercial Shipments Entering Canada

8. 2002, April, Chapter 4 — The Criminal Justice System: Significant Challenges

9. 2002, Status Report, Chapter 2 — Health Canada—National Health Surveillance