Feds have not ‘demonstrated need’ for security-screening measures: privacy watchdog
The federal privacy watchdog is pressing for changes to security screening procedures for public servants.
An internal memo prepared by the privacy commissioner’s office says the government has “not demonstrated the need” for several intrusive measures — from credit checks to polygraph tests.
The memo says the watchdog will continue to press the Treasury Board Secretariat to justify provisions of its security-screening standard, but also that the Treasury Board has largely proceeded without taking the privacy commissioner’s advice-mover the years.
The Canadian Press used the Access to Information Act to recently obtain a copy of the November 2019 memo.
The Standard on Security Screening, introduced in October 2014, allows for screening of federal personnel ranging from the basic category of “reliability status” to “enhanced top secret” clearance.
Federal officials are reviewing the standard, as they are required to do every five years - an examination the Treasury Board says will include privacy considerations.
The internal memo says the privacy commissioner’s office planned in late 2019 to emphasize its view the Treasury Board Secretariat had not made a compelling case for the screening procedures.
“We have stressed that TBS has provided insufficient analysis to demonstrate that each measure mandated by the standard is necessary, effective, and the least privacy-intrusive measure available,” the memo says.
“Where TBS has provided evidence towards the effectiveness of these measures, the evidence has been general in nature, and the link to effectiveness has not always been strong.”
For example, with respect to checks of credit records, Treasury Board pointed to a single British study that found many data breaches are motivated by desire for money, the privacy watchdog’s memo says.
“We do not feel that this provides an actual link between poor credit and financial gain.”
Among the office’s other concerns:
— Use of police record checks, to see if someone might be associated with criminal activity, can turn up non-conviction-related information about things like mental-health incidents and domestic disputes;
— Examination of opensource information, for instance through internet searches, can still yield personal data, some of which might be inaccurate;
— Polygraph testing, which is expanded under the standard, does not directly measure trustworthiness and is known to produce both false negatives and false positives.
Mandatory security-screening requirements set out in the federal standard are applied by departments and agencies commensurate with the risk related to the duties the subject is to perform and the sensitivity of information, assets or facilities he or she will have access to, said Martin Potvin, a Treasury Board spokesman.