In his annual report tabled Thursday, privacy commissioner Daniel Therrien said shortcomings in the RCMP's information management systems meant he was unable to tell whether proper controls were in place.
As a result, it was impossible to determine how often the Mounties collected subscriber data without a warrant, Therrien said. And therefore his office could not assess whether such requests were justified.
Privacy and civil liberties advocates have raised concerns about the ability of police and intelligence agencies to gain access to details of the public's online activities — particularly given revelations about widespread surveillance by government agencies to help fight terrorism.
In April, aggregate data supplied to the privacy commissioner by a law firm acting on behalf of nine telecom companies indicated that 1.2 million requests for subscriber data without a warrant had been filed by investigators in 2011 — an average of more than 3,200 a day.
"The purpose of our review was to try to validate these numbers, and we were not able to do that," Therrien said in an interview.
Canadians understand that law-enforcement and national security agencies have legitimate need to collect personal details, Therrien said.
"Transparency is critical to accountability and will help to increase trust," he said in a statement. "Canadians want and deserve to have a clearer picture of how, when and why federal institutions are collecting personal information."
The Mounties have agreed to bring in a system to monitor and report on warrantless requests for information.
Therrien wants other federal agencies that ask telecommunications firms for customer data to do the same.
In addition, he underscored the need for federal departments to ensure all requests for subscriber data respect a recent landmark Supreme Court of Canada decision.
Therrien says the high court clearly stated that government agencies must have a judge's approval to obtain subscriber data linked to anonymous online activities — unless there are emergency circumstances or legislation permitting access.
But there is "still some confusion" as to the scope of the Supreme Court decision and the degree to which the online information of Canadians is constitutionally protected, he said in the interview.
Translating the judgment into plain language would provide objective rules, he added. "It's a difficult task, but I think it would be useful to try to do that."
Muddying the waters further is federal legislation — ostensibly to deal with cyberbullying — that would lower the barrier for police access to some personal data.
Therrien is concerned about the new powers, which would make sensitive information accessible to authorities based on a "reasonable suspicion" of wrongdoing, a lesser standard than the constitutional default of "reasonable and probable grounds" to believe an offence has taken place.
Other findings in the commissioner's report:
— Metadata, the digital trail documenting when and how a message or call occurred, can be highly revealing, meaning organizations must be careful about collecting and disclosing such information.
— The commissioner has concerns about federal plans to share data it will begin collecting from Canadians when they leave the country via the land border or by air.
— For the third consecutive year, the number of data breaches voluntarily reported to the commissioner by federal institutions reached a record high. "Accidental disclosure" was behind more than two-thirds of the 228 breaches.
Follow @JimBronskill on TwitterSuggest a correction