Mandate of the Communications Security Establishment Commissioner
My mandate under the National Defence Act consists of three important functions:
- reviewing CSEC activities to determine whether they comply with the law;
- undertaking any investigation I deem necessary in response to a written complaint (more information on the Commissioner's responsibilities for conducting investigations into complaints is available on the office's website); and
- informing the Minister of National Defence (who is accountable to Parliament for CSEC) and the Attorney General of Canada of any CSEC activities that I believe may not be in compliance with the law.
Legislative basis for CSEC activities
When the Anti-terrorism Act came into effect on December 24, 2001, it added Part V.1 to the National Defence Act, and set out CSEC's three-part mandate:
- part (a) authorizes CSEC to acquire and use foreign signals intelligence in accordance with the Government of Canada's intelligence priorities;
- part (b) authorizes CSEC to help protect electronic information and information infrastructures of importance to the Government of Canada; and
- part (c) authorizes CSEC to provide technical and operational assistance to federal law enforcement and security agencies, including helping them obtain and understand communications collected under those agencies' own lawful authorities.
(CSEC's website provides more information on CSEC's mandate.)
With the emphasis on reviewing the lawfulness of CSEC activities and the protection of the privacy of Canadians, the legislation requires that the CSE Commissioner be a supernumerary or retired judge of a superior court.
The Commissioner's legislative mandate includes:
- full independence, at arm's length from government and a separate budget granted by Parliament;
- full access to all CSEC facilities, files and systems; and
- full access to CSEC personnel, including the power of subpoena to compel individuals to answer questions.
The Commissioner is an independent statutory officer and is not subject to general direction from the Prime Minister, the Minister of National Defence (who is accountable to Parliament for CSEC) or any other minister on how to carry out his mandate. The Commissioner assists the Government of Canada in its control of CSEC by providing advice to the Minister of National Defence to support the Minister's decision making and accountability for CSEC. The Commissioner's unclassified annual report for Parliament states whether CSEC has acted lawfully and the extent to which it protected the privacy of Canadians in the conduct of its activities, as do his classified reports to the Minister.
To be effective, reviewers need specialized expertise to be able to understand the technical, legal and privacy aspects of CSEC activities. They also need security clearances at the level required to examine CSEC records and systems. They are bound by the Security of Information Act and cannot divulge to unauthorized persons the specific information they access.
I also have a mandate under the Security of Information Act to receive information from persons who are permanently bound to secrecy if they believe it is in the public interest to release special operational information of CSEC. (More information on the Commissioner's responsibilities for public interest defence is available on the office's website.)
Annex A contains the text of the relevant sections of the National Defence Act and the Security of Information Act relating to my role and mandate as CSE Commissioner.
The purpose of my review mandate is:
- to determine whether CSEC complies with the law and, if I believe that it may not have complied, to report this to the Minister of National Defence and to the Attorney General of Canada;
- to determine whether the activities conducted by CSEC under ministerial authorization are, in fact, those authorized by the Minister of National Defence, and to verify that the conditions for authorization required by the National Defence Act are met;
- to verify that CSEC does not direct its foreign signals intelligence and information technology (IT) security activities at Canadians; and
- to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the operational activities CSEC undertakes.
Protection of Canadians' privacy
CSEC is prohibited by law from directing its foreign signals intelligence collection and IT security activities at Canadians – wherever they might be in the world – or at any person in Canada. My review of CSEC activities includes determining whether CSEC takes satisfactory measures to protect every Canadian's reasonable expectation of privacy in CSEC use and retention of collected communications. I examine CSEC use, disclosure and retention of private communications. I verify that Canadian identity information is protected and only shared with authorized partners when needed for understanding the foreign signals intelligence or cyber defence information. I also verify that metadata is used to understand the global information infrastructure, obtain foreign intelligence or protect cyber systems, but not to obtain information about a Canadian. I am required under the National Defence Act to report to the Attorney General of Canada and to the Minister of National Defence any activities that I believe may not be in compliance with the law, with a particular emphasis on privacy.
Using a variety of methods, we are continuously conducting reviews of:
- selected activities based on a risk analysis, to ensure compliance at a detailed level;
- electronic systems, tools and databases;
- a cross-section of activities to verify compliance in relation to broad issues, such as privacy or metadata; and
- the content of policies, procedures and controls to identify existing or potential systemic weaknesses and to determine how they are applied by CSEC employees.
(More information on the Commissioner's risk-based and preventative approach to selecting and prioritizing reviews is available on the office's website.)
Each review includes an assessment of CSEC activities against a standard set of criteria:
- Legal requirements: I expect CSEC to conduct its activities in accordance with the National Defence Act, the Canadian Charter of Rights and Freedoms, the Privacy Act, the Criminal Code, and any other relevant legislation, and in accordance with Justice Canada legal advice.
- Ministerial requirements: I expect CSEC to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.
- Policies and procedures: I expect CSEC to have appropriate policies and procedures in place to guide its activities and to provide sufficient direction on legal and ministerial requirements including the protection of the privacy of Canadians. I expect CSEC employees to be knowledgeable about and comply with policies and procedures. I also expect CSEC to have an effective compliance validation framework and activities to ensure the integrity of operational activities is maintained, including appropriately accounting for important decisions and information relating to compliance and the protection of the privacy of Canadians.
(More information on the Commissioner's review methodology and criteria is available on the office's website.)
My classified review reports document CSEC activities, contain findings relating to the review criteria, and disclose the nature and significance of any deviations from the criteria. Where and when appropriate, I make recommendations to the Minister of National Defence aimed at improving privacy protections or correcting discrepancies between CSEC activities and my expectations.
I determine the content of my reports, which are based on facts and conclusions drawn from those facts. The reports are free of any interference by CSEC or any Minister.
The results of individual reviews are the subject of classified reports to the Minister of National Defence. Following the standard audit practice of disclosure, draft versions of review reports are presented to CSEC for confirmation of factual accuracy. This is essential to the review process given that my recommendations are based on the facts as uncovered in my reviews.
The Commissioner's annual report for Parliament is a public document. CSEC reviews the draft to verify that it does not contain any classified information according to the Security of Information Act. In the interest of transparency and better public understanding, I push the limits to include as much information as possible in my report. The report is provided to the Minister of National Defence who must by law table it in Parliament.
In the interest of transparency within a stringent security framework, my office publishes on our website the titles of all review reports submitted to the Minister of National Defence (with any classified information removed) – 81 to date – to demonstrate the depth and breadth of Commissioners' reviews.
The logic model in Annex B provides a flow chart of the review program.