Ministerial Requirements and Policies to Protect the Privacy of Canadians

CSEC's foreign signals intelligence and IT security activities are subject to measures, in addition to the limitations in the National Defence Act, that protect the privacy of Canadians in the use and retention of intercepted information.

Both CSEC's foreign signals intelligence and IT security program areas have dedicated sections responsible for day-to-day compliance and oversight. These two sections are important components of CSEC's management monitoring and accountability frameworks, and I examine their effectiveness as part of my reviews.

Handling of intercepted private communications

CSEC should use available means to reduce, to the extent possible, the unintentional interception of the private communications of Canadians. But what happens when CSEC's foreign signals intelligence and IT security activities result in unintentionally intercepted private communications? If such unintentional interception does occur, these communications and information must be destroyed unless:

• they consist of foreign intelligence as defined in the National Defence Act and in accordance with the Government of Canada intelligence priorities;
• are essential to protect the lives or safety of individuals of any nationality;
• contain information on serious criminal activity relating to the security of Canada; or
• are essential to identify, isolate or prevent harm to Government of Canada computer systems or networks.

When ministerial authorizations expire, the Chief of CSEC must report to the Minister of National Defence information on the private communications unintentionally intercepted. These reports must state how many private communications were used or retained — on the basis, as required by law, that they are essential to international affairs, defence or security, or essential to identify, isolate or prevent harm to Government of Canada computer systems or networks. These reports must also include the number and value of any foreign intelligence reports produced from the intelligence derived from the private communications.

I examine the Chief's reports to the Minister, monitor the number of private communications unintentionally intercepted, and verify how CSEC treated and used these communications. I am able to review all of the private communications that CSEC uses and retains.

Directives and policies

Ministerial directives contain written direction to the Chief of CSEC on the Chief's duties and CSEC's activities. The June 2001 Ministerial Directive on Communications Security Establishment Accountability Framework sets out the accountability regime for CSEC, including a requirement for CSEC to report annually to the Minister of National Defence on CSEC's priorities and initiatives as well as legal, policy and management issues of significance. The Chief's reports are one way I keep abreast of CSEC's activities. They also inform the development of my review work plan.

One ministerial directive in particular, the June 2001 Ministerial Directive on Privacy of Canadians, reinforces the requirements in the National Defence Act and ministerial authorizations. It requires CSEC to adopt measures to minimize the unintentional interception of private communications. It states that CSEC may retain and report information on or of Canadians, subject to specific criteria and appropriate measures in place for the handling, retention and destruction of this information. The treatment of this information must be consistent with the Canadian Charter of Rights and Freedoms and the Privacy Act. Other ministerial directives provide guidance on specific CSEC activities.

CSEC's operational policy, Protecting the Privacy of Canadians and Ensuring Legal Compliance in the Conduct of CSEC Activities, applies to anyone conducting activities under CSEC authority, including CSEC employees and military personnel. It contains detailed measures for legal compliance and to safeguard the privacy of Canadians in the use and retention of intercepted information. Many other policies and procedures contain detailed requirements and provide instructions on specific CSEC activities and on measures to protect privacy. I review CSEC's activities to ensure compliance with ministerial directives and policies and procedures.

Information about Canadians: any personal information (as described in the Privacy Act) about a Canadian, including a Canadian corporation.

Canadian identity information

CSEC's reports may contain Canadian identity information, if that information is deemed essential to understand the reports. However, the reference to an identified Canadian must be suppressed and replaced by a generic reference such as "a named Canadian" person or company. When receiving a subsequent request for disclosure of the details of the suppressed information, CSEC must verify that the requesting government department or agency has both the authority and the operational justification for obtaining the Canadian identity information. Only then may CSEC provide this information. Annually, I select and review a sample of these disclosures to verify that CSEC complies with the law and maintains measures to protect the privacy of Canadians.

International collaboration

CSEC and its closest international partners — the United States' National Security Agency, the United Kingdom's Government Communications Headquarters, the Australian Defence Signals Directorate, and the New Zealand Government Communications Security Bureau — respect each other's laws by pledging not to target one another's citizens' communications. CSEC is prohibited from requesting an international partner to undertake activities that CSEC itself is legally prohibited from conducting. My reviews examine CSEC's cooperation with its allies to ensure compliance with the law.

CSEC training

CSEC's training program helps to ensure staff awareness of requirements and policies relating to lawfulness and the protection of the privacy of Canadians. Every new CSEC employee attends a foundational learning course, the curriculum of which includes information on legal and policy requirements and mandatory measures to protect privacy. For certain operational activities, CSEC's employees are required to participate in briefings on legal requirements prior to conducting the activities and at least yearly thereafter. During my reviews, I determine the extent to which this training is effective by questioning CSEC employees about their understanding of the requirements.

Annex C contains text of relevant sections of the National Defence Act relating to the role and mandate of CSEC.