Mandate of the Communications Security Establishment Commissioner

My mandate under the National Defence Act consists of three key functions:

1. reviewing CSEC activities to determine whether they comply with the law;
2. conducting investigations I deem necessary in response to complaints about CSEC; and
3. informing the Minister of National Defence (who is accountable to Parliament for CSEC) and the Attorney General of Canada of any CSEC activities that I believe may not be in compliance with the law.

Under the Security of Information Act, I also have a mandate to receive information from persons who are permanently bound to secrecy if they believe it is in the public interest to release special operational information of CSEC. (More information on the Commissioner's responsibilities for public interest defence is available on the office's website.)

CSEC's mandate

When the Anti-terrorism Act came into effect on December 24, 2001, it added Part V.1 to the National Defence Act, and set out CSEC's three-part mandate:

• part (a) authorizes CSEC to acquire and use foreign signals intelligence in accordance with the Government of Canada's intelligence priorities;
• part (b) authorizes CSEC to help protect electronic information and information infrastructures of importance to the Government of Canada; and
• part (c) authorizes CSEC to provide technical and operational assistance to federal law enforcement and security agencies, including helping them obtain and understand communications collected under those agencies' own lawful authorities.

Reviewing CSEC activities

My mandate to review CSEC activities relates to CSEC collecting foreign signals intelligence, protecting electronic information and information infrastructures of importance to the Government of Canada, and assisting federal law enforcement and security agencies.

The purpose of my review mandate is:

• to determine whether the activities conducted by CSEC under ministerial authorization are, in fact, those authorized by the Minister of National Defence, and to verify that the conditions for authorization required by the National Defence Act are met;
• to determine whether CSEC complies with the law and, if I believe that it may not be complying, to report this to the Minister of National Defence and to the Attorney General of Canada;
• to verify that CSEC does not direct its foreign signals intelligence and IT security activities at Canadians; and
• to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the activities CSEC undertakes.

Protection of Canadians

CSEC is prohibited by law from directing its foreign signals intelligence collection and IT security activities at Canadians — wherever they might be in the world — or at any person in Canada.

Ministerial authorizations

The National Defence Act allows the Minister of National Defence to give CSEC written ministerial authorization to unintentionally intercept private communications while collecting foreign signals intelligence or while protecting computer systems of the Government of Canada from mischief, unauthorized use or interference. In each case, the law specifies the conditions under which a ministerial authorization can be issued. Ministerial authorizations relate to an activity or class of activities specified in the authorizations — that is, to a specific method of acquiring foreign signals intelligence or of protecting computer systems (the how); however the authorizations do not relate to a specific individual or subject (the whom or the what). The law also directs the CSE Commissioner to review activities carried out under a ministerial authorization and to report annually to the Minister on the review. (More information on ministerial authorizations as well as on the authorities for and limitations on CSEC activities are available on the office's website.)

Selection of activities for review

I use a risk-based and preventative approach to my reviews. I prioritize CSEC activities where risk is greatest for potential non-compliance with the law, including for risks to the privacy of Canadians, by considering, among other factors:

• the controls placed by CSEC on the activity to ensure compliance with legal, ministerial and policy requirements;
• whether the activity does, or has the potential to, involve private communications or information about Canadians;
• whether the activity is new, has changed significantly, or has had a lengthy period elapse since its last in-depth review;
• whether there have been significant changes to the authorities or technologies relating to the activity;
• whether Commissioners have made findings or recommendations relating to the activity that require follow-up; and
• issues arising in the public domain.

Information about Canadians: any personal information (as described in the Privacy Act) about a Canadian, or business information about a Canadian corporation.

Review methodology and criteria

My reviews of activities are ex post, that is, of activities that have occurred in the past.  However, reviews always include an examination of CSEC's ex ante reasons for conducting the activities — to confirm that CSEC's justifications for the activities are lawful and within CSEC's mandate. In conducting a review, my office examines CSEC's hard-copy and electronic information and records, as well as CSEC's policies and procedures and legal advice received from Justice Canada. My employees request briefings and demonstrations of specific activities, interview CSEC managers and employees, and observe CSEC operators and analysts first hand to verify how they conduct their work. My employees test information obtained against the contents of CSEC's systems and databases.

Each review includes an assessment of CSEC activities against a standard set of criteria, described below, consisting of legal requirements, ministerial requirements, and policies and procedures. Each review may have additional criteria added, as appropriate.

Legal requirements: I expect CSEC to conduct its activities in accordance with the National Defence Act, the Canadian Charter of Rights and Freedoms, the Privacy Act, the Criminal Code, and any other relevant legislation, and in accordance with Justice Canada advice.

Ministerial requirements: I expect CSEC to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.

Policies and procedures: I expect CSEC to have appropriate policies and procedures in place to guide its activities and to provide sufficient direction on legal and ministerial requirements including the protection of the privacy of Canadians. I expect CSEC employees to be knowledgeable about and comply with policies and procedures. I also expect CSEC to have an effective compliance validation framework and activities to ensure the integrity of operational activities is maintained, including appropriately accounting for important decisions and information relating to compliance and the protection of the privacy of Canadians.

My classified review reports document CSEC activities and practices and contain findings relating to the above-noted criteria. These reports may also disclose the nature and significance of deviations from the criteria. In some cases, I make recommendations to the Minister that are aimed at correcting discrepancies between CSEC activities and the expectations established by the review criteria.

The logic model in Annex A provides a flow chart of the review program.

Horizontal reviews

Horizontal reviews examine processes common to all CSEC foreign signals intelligence collection methods or to IT security. For example, the processes by which CSEC:

• identifies, selects and directs its activities at foreign entities of intelligence interest located outside Canada or at threats to Government of Canada computer systems;
• uses, shares, reports, retains or disposes of intercepted information; or
• takes measures to protect private communications intercepted unintentionally and to protect information about Canadians.

Conducting investigations

My mandate includes undertaking any investigation I deem necessary in response to a written complaint — for example to determine whether CSEC has engaged, or is engaging, in unlawful activity or is not taking sufficient measures to protect the privacy of Canadians. (More information on the Commissioner's responsibilities for conducting investigations into complaints is available on the office's website.)

Informing the Minister

Under my mandate to keep the Minister of National Defence informed, I:

• forward the results of my reviews, in classified reports, to the Minister; and
• submit an unclassified report to the Minister on my activities each year, which the Minister must then table in Parliament. This is the 17^th annual report.

While it is my primary duty to report any non-compliance by CSEC, a necessary element of my mandate also includes informing the Minister of any activities that I believe might present, or have the potential to present, a risk of non-compliance, such as an unlawful interception of a private communication or other invasion of the privacy of a Canadian. A number of my reports have included recommendations aimed at prevention. It is a goal of the Commissioner's office to strengthen CSEC practices that contribute to compliance and incorporate measures that protect the privacy of Canadians.

Independence

While I submit my reports to the Minister of National Defence, who is responsible for CSEC, my office is completely independent and receives its own funding from Parliament. My mandate is supported by the powers I have under the Inquiries Act, including the power of subpoena, to ensure access to all CSEC information and employees.

CSE Commissioner

The Commissioner is an independent statutory officer and is not subject to general direction from the Prime Minister, the Minister of National Defence or any other ministers on how to carry out his mandate. The Commissioner assists the Government of Canada in its control of CSEC by providing advice to the Minister to support the Minister's decision making and accountability for CSEC. The Commissioner's classified reports to the Minister and unclassified annual report, through the Minister to Parliament and the public, state whether CSEC has acted lawfully and the extent to which it protected the privacy of Canadians in the conduct of its activities.

Annex B contains the text of the relevant sections of the National Defence Act and the Security of Information Act relating to my role and mandate as CSE Commissioner(Information on the history of the Office of the CSE Commissioner is available on the office's website.)