Commissioner's Office

I am supported in my work by a staff of eight, together with a number of subject-matter experts, under contract, as required. In 2010–2011, my office's expenditures were $1,605,422, which is within the allocated appropriation from Parliament.

Annex D provides the 2010-2011 Statement of Expenditures for the Office of the Communications Security Establishment Commissioner.

Objective of Review

The objective of my office's rigorous review process is to enable me to provide to the Minister of National Defence, and indeed to all Canadians, assurance that CSEC is complying with the law and protecting the privacy of Canadians. If I find an instance where CSEC has not complied with the law, I am obliged to inform the Minister of National Defence and the Attorney General of Canada.

Selection of activities for review

CSEC activities are selected for review and prioritized using a set of detailed criteria to help determine where risk is greatest for potential non-compliance with the law and for risks to privacy.

Selection and prioritization of subjects for review are documented in my three-year work plan, which is updated regularly as part of an ongoing process of assessing risk.

Risk is assessed by considering, among other factors:

• the controls placed on the activity to ensure compliance with legal, ministerial and policy requirements;
• whether the activity involves private communications or information about Canadians;
• whether the activity is new or how much time has passed since the last in-depth review of an activity;
• whether there have been significant changes to the authorities or technologies relating to the activity;
• whether Commissioners have made findings or recommendations relating to the activity which require follow-up; and
• issues arising in the public domain.

Review methodology and criteria

In conducting a review, my staff examine CSEC's written and electronic records, including CSEC's policies and procedures and legal advice received from Justice Canada. My staff request briefings and demonstrations of specific activities, interview managers and employees and observe firsthand CSECoperators and analysts to verify how they conduct their work. My staff test information obtained against the contents of systems and databases. The work of CSEC's internal auditors and evaluators may also inform reviews.

Each review includes an assessment of CSEC's activities against a standard set of criteria, described below, consisting of legal requirements, ministerial requirements, and policies and procedures. Other criteria may be added, as appropriate.

Legal requirements: I expect CSEC to conduct its activities in accordance with the National Defence Act, the Privacy Act, the Criminal Code, the Canadian Charter of Rights and Freedoms and any other relevant legislation, and in accordance with Justice Canada advice.

Ministerial requirements: I expect CSEC to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.

Policies and procedures: I expect CSEC to have appropriate policies and procedures in place to guide its activities and to provide sufficient direction on legal and ministerial requirements and the protection of Canadians' privacy. I expect employees to be knowledgeable about and comply with policies and procedures. I also expect CSEC to employ an effective management control framework to ensure that the integrity and lawful compliance of its activities is maintained. This includes appropriate accounting for decisions taken and for information relating to compliance and the protection of the privacy of Canadians.

My review reports contain findings that confirm whether the above-noted criteria have been satisfactorily met by CSEC. These reports may also disclose the nature and significance of deviations from these criteria. In some cases, I make recommendations to the Minister which are aimed at correcting discrepancies between CSEC's activities and the expectations established by the review criteria. I monitor CSEC's efforts to address recommendations and respond to negative findings. As well, I monitor areas for follow-up identified in past reviews.

The Logic Model in Annex E provides a flow chart of our comprehensive review program.

Recommendations

Since 1997, my predecessors and I have submitted to the Minister of National Defence a total of 61 classified review reports and studies. In total, the reports contain 133 recommendations. CSEC has accepted and implemented or is working to address 95 percent (122 out of 129) of these recommendations. I am awaiting the Minister's response to the four recommendations I made in 2010-2011. This past year, CSEC completed work in response to three past recommendations and I am monitoring 18 recommendations that CSEC is working to address.

On occasion, CSEC may reject one of my recommendations. In this instance, I assess the reasons provided, in order to determine whether to accept them or to pursue the issue. 

See Annex F for a complete list of the 61 classified review reports and studies submitted to the Minister of National Defence.