Commissioner's Office and Review Process

I am supported in my work by a staff of eight, together with a number of subject-matter experts, under contract, as required. In 2011–2012, my office's expenditures were $1,942,429, which is within the budget provided by Parliament. An expansion to the physical space of my office is under way, which will allow me to hire additional employees.

Annex D provides the 2011–2012 Statement of Expenditures for the Office of the Communications Security Establishment Commissioner.

Objective of review

The objective of my review is to enable me to provide to the Minister of National Defence, and indeed to all Canadians, assurance that CSEC is complying with the law and protecting the privacy of Canadians. If I were to find an instance where I believe CSEC may not have complied with the law, it would be my duty to inform the Minister of National Defence and the Attorney General of Canada.

Selection of activities for review

I use a risk-based and preventative approach to my reviews. I have a three-year work plan, which is updated twice per year. I draw on many sources to develop my work plan. My employees and I receive regular briefings from CSEC on new activities and on changes to existing activities of CSEC. I also go over the Chief of CSEC's annual report to the Minister of National Defence on CSEC's priorities and initiatives as well as legal, policy and management issues of significance. I then use a set of criteria to help select and prioritize CSEC activities based on where risk is greatest for potential non-compliance with the law including for risks to the privacy of Canadians.

Risk is assessed by considering, among other factors:

• the controls placed by CSEC on the activity to ensure compliance with legal, ministerial and policy requirements;
• whether the activity has the potential to involve private communications or information about Canadians;
• whether the activity is new, has changed significantly, or has had a lengthy period elapse since its last in-depth review;
• whether there have been significant changes to the authorities or technologies relating to the activity;
• whether Commissioners have made findings or recommendations relating to the activity that require follow-up; and
• issues arising in the public domain.

Review methodology and criteria

In conducting a review, my office examines CSEC's hard-copy and electronic information and records, as well as CSEC's policies and procedures and legal advice received from Justice Canada. My staff request briefings and demonstrations of specific activities, interview managers and employees and observe CSEC operators and analysts first hand to verify how they conduct their work. My staff test information obtained against the contents of systems and databases. The work of CSEC's internal auditors and evaluators may also inform reviews.

Each review includes an assessment of CSEC's activities against a standard set of criteria, described below, consisting of legal requirements, ministerial requirements, and policies and procedures. Each review may have additional criteria added, as appropriate.

Legal requirements: I expect CSEC to conduct its activities in accordance with the National Defence Act, the Privacy Act, the Criminal Code, the Canadian Charter of Rights and Freedoms and any other relevant legislation, and in accordance with Justice Canada advice.

Ministerial requirements: I expect CSEC to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.

Policies and procedures: I expect CSEC to have appropriate policies and procedures in place to guide its activities and to provide sufficient direction on legal and ministerial requirements including the protection of the privacy of Canadians. I expect employees to be knowledgeable about and comply with policies and procedures. I also expect CSEC to employ an effective management control framework for maintaining the integrity and lawful compliance of its activities. This includes appropriate accounting for decisions taken and for information relating to compliance and the protection of the privacy of Canadians.

My review reports document CSEC's activities and practices and contain findings relating to the above-noted criteria. These reports may also disclose the nature and significance of deviations from the criteria. In some cases, I make recommendations to the Minister that are aimed at correcting discrepancies between CSEC's activities and the expectations established by the review criteria. I monitor how CSEC addresses recommendations and responds to negative findings. As well, I monitor areas for follow-up identified in past reviews.

The process of review is cumulative. Since my office was established in 1996, it has built up specific expertise in CSEC's unique mandate and activities. With each review my office adds to its knowledge of CSEC's activities and of how we can improve our own methodology. One such change implemented in recent years by my office was the introduction of horizontal reviews — that is, review of the processes by which CSEC selects foreign intelligence targets and uses, shares, reports, retains or disposes of intercepted information that are common to each of the activities or class of activities. This approach has provided for greater depth of review. My office examines each of these common processes to determine whether CSEC complies with the law and the extent to which CSEC takes measures to protect the privacy of Canadians.

The Logic Model in Annex E provides a flow chart of our comprehensive review program.

Horizontal reviews examine processes common to all CSEC foreign signals intelligence collection methods or IT security activities under ministerial authorization. For example, the processes by which CSEC:

• identifies, selects and directs its activities at entities of foreign intelligence interest;
• uses, shares, reports, retains or disposes of intercepted information; and
• takes measures to protect private communications intercepted unintentionally and Canadian identity information.

Recommendations

Since 1997, my predecessors and I have submitted to the Minister of National Defence 68 classified review reports. In total, the reports contained 133 recommendations. CSEC has accepted and implemented or is working to address 93 percent (124 out of 133) of these recommendations. Recommendations have contributed to CSEC suspending certain activities to re-examine how the activities are conducted and to restructure the processes and practices supporting the activities. This past year, CSEC completed work in response to one past recommendation and I am monitoring 15 recommendations that CSEC is working to address. I continue to await the Minister's response to one privacy-related recommendation I made in 2010–2011.

My website provides a complete list of the 68 classified review reports submitted to the Minister of National Defence.