Operational Policy Revisited

In my last report, I noted that I had reviewed the operational policies in place at CSE to determine whether they provided adequate guidance to employees in the performance of their duties.
I also indicated my particular interest in policies related to privacy issues.

I concluded then that there was an appreciable amount of sound operational policy in place at CSE and that there were no policy gaps on matters of lawfulness or privacy. I did observe, however, that policy was not always at the right organizational level. While this is not always an easy call to make, a useful test is to examine whether the level of the individual with the authority to change a policy is appropriate to the importance of the policy. In other words, the most important policies should be alterable only at the highest levels of authority.

During this reporting year, CSE undertook to restructure its internal policy development process. With the approval and support of the senior management team, CSE adopted a new framework for policy authority, accountability and coordination. The framework, which was approved in late 1998, identifies the appropriate level of authority for various policies and provides a desirable level of operational flexibility in support of day-to-day activities.

This is a welcome initiative and, once it is fully in place, I plan to examine its effect on the policies and derivative practices that address issues of lawfulness.