Commissioner's Mandate and Review Work
The Office of the Communications Security Establishment (CSE) Commissioner is an independent review body.
The CSE Commissioner's mandate is set out under Part V.1 of the National Defence Act:
- to review activities of CSE – which includes foreign signals intelligence and information technology (IT) security activities to support the Government of Canada – to determine whether they comply with the law;
- to undertake any investigation the Commissioner considers necessary in response to a written complaint; and
- to inform the Minister of National Defence (who is accountable to Parliament for CSE) and the Attorney General of Canada of any CSE activity that the Commissioner believes may not be in compliance with the law.
Under section 15 of the Security of Information Act, the Commissioner also has a mandate to receive information from persons who are permanently bound to secrecy if they believe it is in the public interest to release special operational information of CSE.
The National Defence Act requires that the CSE Commissioner be a supernumerary or retired judge of a superior court. The Act also provides the Commissioner with full independence, as well as full access to all CSE facilities and systems, and full access to CSE personnel, including the power of subpoena to compel individuals to answer questions. The budget for the Commissioner's office is granted by Parliament.
Considerations in a Review
The Commissioner's approach to reviews is both purposive – based on his mandate – and preventive. CSE activities include collecting foreign signals intelligence on foreign targets located outside Canada, that is, information about the capabilities, intentions or activities of foreign targets relating to international affairs, defence or security.
CSE is also Canada's lead technical agency for cyber defence and for cryptography and other technologies needed to protect government computer systems and networks containing sensitive national and personal information. However, this part of CSE's mandate changed significantly with the creation in October 2018 of the Canadian Centre for Cyber Security. This unit brings under the authority of CSE components of CSE, the Canadian Cyber Incident Response Centre of Public Safety Canada, and an IT security component of Shared Services Canada.
CSE also has a mandate to use its unique capabilities to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.
CSE's activities are distinct from security and criminal intelligence that is collected by other agencies, which is information on activities that could threaten the security of Canada or public safety and is usually acquired from targeting Canadians under various lawful authorities. CSE activities are specifically prohibited from being directed at Canadians or persons in Canada. Restricting intelligence gathering to foreign targets outside Canada is complicated by the interconnected and ever-evolving global information infrastructure, as well as by the foreign targets, who are themselves technologically astute. CSE requires sophisticated technical capabilities to acquire and analyze information and to detect and mitigate malicious cyber activity. CSE's methods are effective only if they remain secret.
In this challenging environment, reviewers need specialized knowledge and expertise to understand the many technical, legal and privacy aspects of CSE activities. They also require security clearances at the level necessary to examine CSE records and systems. Reviewers are bound by the Security of Information Act and cannot divulge to unauthorized persons the sensitive information they access.
After an activity is selected for review, the activity is assessed against the following standard set of criteria:
- Legal requirements: the Commissioner expects CSE to conduct its activities in accordance with the Canadian Charter of Rights and Freedoms, the National Defence Act, the Privacy Act, the Criminal Code, and any other relevant legislation.
- Ministerial requirements: the Commissioner expects CSE to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.
- Policies and procedures: the Commissioner expects CSE to have appropriate policies and procedures in place to guide its activities and to provide sufficient direction on legal and ministerial requirements including the protection of the privacy of Canadians. He expects CSE employees to be knowledgeable about and comply with policies and procedures. He also expects CSE to have an effective compliance validation framework to ensure the integrity of operational activities is maintained, including records that document important decisions and activities relating to compliance and the protection of the privacy of Canadians.
Reporting on Findings
Classified report on each review to the Minister responsible for CSE: The results of individual reviews are produced as classified reports to the Minister of National Defence that document CSE activities, contain findings relating to the standard criteria, and disclose the nature and significance of any deviations from the criteria. If necessary, the Commissioner makes recommendations to the Minister aimed at improving privacy protections or correcting problems with CSE operational activities raised during the course of review. Following the standard audit practice of disclosure, CSE is provided with draft versions of reports to confirm factual accuracy. The findings and conclusions are free of any interference by CSE or any Minister.
Public reports annually to Parliament: The Commissioner's annual report is a public document provided to the Minister, who by law must table it in Parliament. The Commissioner's office publishes the titles of all review reports submitted to the Minister – 122 to date – on its website.
In 2018–2019, the Commissioner was supported by 10 full-time positions, together with a number of subject matter experts, as required. The office's expenditures were $2,123,396, which is within the overall funding approved by Parliament. The office provides more detail on its expenditures on its website.
- Date modified: