Accountability and Privacy
CSE conducts all of our activities, including protections for the privacy of Canadians, within a robust system of accountability.
There are three main elements that drive our accountability and privacy protection regimes:
- The authorities in the Communications Security Establishment (CSE) Act, along with Directives, Orders and Authorizations from the Minister of National Defence. This includes independent oversight by the Intelligence Commissioner.
- CSE’s comprehensive suite of policies, procedures, and practices to guide operations while protecting privacy.
- Independent review of CSE’s activities by the National Security and Intelligence Review Agency (NSIRA) and the National Security and Intelligence Committee of Parliamentarians (NSICOP).
The CSE Act, and Ministerial Directives, Authorizations and Orders
The CSE Act establishes and defines our mandate and authorities. The Act requires that CSE’s activities do not target Canadians anywhere in the world, or any person in Canada. It also requires that CSE protect the privacy of Canadians and persons in Canada.
From there, the scope and nature of CSE’s activities are further defined through Ministerial Directives, Authorizations and Ministerial Orders.
The Chief of CSE receives instructions on the organization’s activities from the Minister of National Defence through Ministerial Directives. These Directives set out direction and guidance, operating parameters or the Minister’s expectations for CSE on a range of issues.
CSE’s activities must always fall within its mandate and authorities, and must be consistent with those Directives. Ministerial Directives cannot grant CSE any power that doesn’t already exist in Canadian law, nor can these Directives change or enhance any existing authority.
CSE must seek an Authorization from the Minister of National Defence when:
- CSE’s acquisition activity may contravene an act of Parliament; or
- CSE’s acquisition activity may interfere with a reasonable expectation of privacy.
For example, when conducting foreign intelligence or cybersecurity operations that may risk incidentally intercepting a Canadian private communication (as defined in the Criminal Code), CSE can do so only with an Authorization issued by the Minister of National Defence.
The Minister may only issue an Authorization for foreign intelligence, cyber security, or active or defensive cyber operations if he or she concludes that, based on the application submitted by the Chief of CSE, the activities proposed are reasonable and proportionate, and that there are measures in place to protect Canadians’ privacy.
To provide independent oversight, the Intelligence Commissioner must review and approve foreign intelligence or cybersecurity Authorizations.
In the case of Active Cyber Operations, in addition to Authorizations by the Minister of National Defence, the Minister of Foreign Affairs must also consent, and in the case of Defensive Cyber Operations, must be consulted. The CSE Act sets out additional conditions for these Authorizations, including that activities must not cause, intentionally or by criminal negligence, death or bodily harm to an individual; or willfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.
An Authorization may be valid for up to one year.
Ministerial Orders are an instrument under the CSE Act that allow the Minister of National Defence to designate the entities with whom CSE can work and share information as part of CSE’s foreign intelligence or cyber defence activities.
The Minister may issue three different Ministerial Orders:
- Designating the cyber systems of importance outside the Government of Canada (e.g. critical infrastructure). Once designated, CSE can provide advice, guidance and services to these system owners and operators.
- Designating the persons or classes of persons with whom CSE may share Canadian identifying information (CII), if CSE concludes that the disclosure of the information is essential to international affairs, defence, security or cybersecurity.
- Designating the persons or classes of persons with whom CSE may share information related to a Canadian or person in Canada for cyber security purposes, if the disclosure is necessary to help protect the electronic information and information infrastructures of federal institutions or systems of importance to the Government of Canada.
Privacy Measures for CSE Operations and Activities
CSE takes the laws, the Ministerial Authorizations, Orders, and Directives, that govern our work, and translates them into a very detailed set of operational policies. These policies also establish specific measures to protect the privacy of Canadians and persons in Canada in the acquisition, use and retention of information.
To ensure our staff fully understand and abide by our operational policies, we regularly train, test and verify their knowledge and compliance. An annual review and test are mandatory in order to access operational information. Any employee not passing the mandatory tests is denied access to CSE’s operational systems. Employees are also required to participate in mandatory legal briefings provided by the Department of Justice.
CSE’s operational practices are designed to protect Canadian privacy. For example, in the case where CSE targets and collects the communication of a foreign terrorist abroad who happens to be exchanging information with someone in Canada, CSE’s operational practices require that the intercepted communication first be assessed to determine whether the exchange qualifies as foreign intelligence. If it is, CSE analysts annotate the information and handle the Canadian information in accordance with the suite of privacy measures in place. If it is not considered foreign intelligence, the intercept is deleted.
In addition, access to CSE operational systems and databases that contain such information is limited only to those within CSE who require it to perform their job, and who are specifically trained and regularly tested on CSE policies and procedures.
When an incidentally acquired private communication is marked for retention, CSE must document and closely monitor the use of this information. Strict retention limits and automated destruction schedules are in place as additional protections.
These are just some examples of the measures that combine to form a robust suite of privacy protections that are an integrated part of CSE’s foreign intelligence and cyber defence activities.
CSE’s activities are subject to review by the National Security and Intelligence Review Agency (NSIRA), and the National Security and Intelligence Committee of Parliamentarians (NSICOP).
NSIRA provides independent review of national security and intelligence activities across the Government of Canada, including CSE, to determine whether they were lawful, reasonable and necessary. NSIRA may also investigate complaints against CSE’s activities or the denial or revocation of a security clearance.
NSIRA is led by a committee of up to seven members, appointed on the advice of the Prime Minister, in consultation with the leaders in the House of Commons and Senate. It is entitled to have access to information required to review national security or intelligence activities across the federal government. NSIRA provides classified reports of its findings and recommendations to relevant ministers and produces an annual unclassified public report to Parliament summarizing these findings and recommendations.
NSICOP: NSICOP is a Top Secret security-cleared Committee of Parliamentarians that can review and report on any aspect of CSE’s activities. The committee is mandated to review:
- the legislative, regulatory, policy, administrative and financial framework for national security and intelligence;
- any activity carried out by a department that relates to national security or intelligence, unless the activity is an ongoing operation and the appropriate Minister determines that the review would be injurious to national security;
- any matter relating to national security or intelligence that a Minister of the Crown refers to the Committee.
The Committee does not receive or deal with public complaints against national security and intelligence organizations.
Other accountability mechanisms
CSE has a comprehensive internal Audit and Evaluation program that examines our activities and operations, and makes recommendations for improvement.
CSE’s activities are also subject to review by various federal bodies, similar to other federal departments or agencies. These include the Privacy Commissioner, the Auditor General, the Information Commissioner, the Canadian Human Rights Commission, and the Commissioner of Official Languages.