How does CSE protect the privacy of Canadians?
Lawfulness and privacy: Our most important principles
The principles of lawfulness and privacy are critical to the work of the Communications Security Establishment (CSE). As a result, they are ingrained in everything we do – our systems, our processes, and our people. Here we describe laws that govern us, the directives, authorizations and policies that guide us as well as the processes and procedures we have in place to protect Canadians’ privacyi. We also detail the review and reporting measures that we are subject to as a Government of Canada (GC) agency.
Why it’s important
Canadian law reflects the importance of protecting the security of Canada and Canadians while at the same time protecting Canadian privacy. So like security, protecting Canadian privacy is not an afterthought for CSE. It is a fundamental part of our organizational culture and is embedded within our operational structures, policies and processes. Respect for the law and the requirement to protect the privacy of Canadians and persons in Canada are among the first things we teach new employees who enter the organization. These points remain a concern and a preoccupation for all of our employees throughout their careers. We know that we have a responsibility to protect the privacy of Canadians and persons in Canada, and we take that responsibility seriously.
In all of our foreign signals intelligence activities, our cyber defence activities, as well as technical and operational assistance provided to federal law enforcement and security agencies in the performance of their lawful duties, CSE incorporates measures – detailed below – to protect privacy, while working hard to fulfil our mission.
By law, CSE can only undertake activities that fall within its mandate. For example, under our foreign signals intelligence mandate, CSE can only collect foreign intelligence in response to the Government of Canada’s intelligence priorities related to international affairs, defence or security. Privacy protections are built into the laws and policies governing CSE’s activities, in particular:
- The Canadian Charter of Rights and Freedoms (Charter), specifically Section 8, which protects Canadians and persons in Canada from unreasonable search and seizure. The Charter applies to all Canadian legislation, including the section of the National Defence Act that governs CSE.
- The National Defence Act, which specifically states that CSE shall not direct its activities under its foreign intelligence and cyber defence mandates at Canadians or any person in Canada, and that those activities shall be subject to measures to protect the privacy of those individuals in the use and retention of intercepted information.
- The Privacy Act, which imposes obligations on all federal departments and agencies, including CSE, to limit the collection, use and disclosure of personal information. Specifically, the Act stipulates that: collection is to be limited to personal information directly related to operating programs or activities; justified by demonstrable need; limited to the purpose for which it was obtained; and lastly, that disclosure occurs with consent, or if without consent, strictly according to the provided exceptions.
In November 2011, CSE became a stand-alone agency in the National Defence portfolio. In April 2013, CSE assumed sole responsibility as a stand-alone agency for responding to requests under the Privacy Act. Previously these requests had been managed under the Department of National Defence. Since then, CSE has undertaken a number of key initiatives, including:
- publishing information about CSE’s Personal Information Banks on our website, in accordance with Treasury Board Secretariat guidelines;
- enhancing training and employee awareness on their rights and responsibilities under the Act;
- refining the tools and processes we use to conduct Privacy Impact Assessments; and
- designating a Chief Privacy Officer to lead our work in effectively meeting our obligations under the Act.
Measures in place to protect Canadian Privacy
So how does CSE protect Canadian privacy? It starts with a strong privacy framework – a combination of Ministerial Directives, Ministerial Authorizations, policies and procedures, as well as internal review and independent external review. These measures contribute to ensuring that CSE’s activities are conducted in a way that protects Canadian privacy interests. Each of these mechanisms are described below.
A Ministerial Directive (MD) is a set of directions from the Minister of National Defence to the Chief of CSE. An MD cannot expand CSE’s authorities beyond those contained in the National Defence Act, but is often used to constrain or otherwise limit CSE’s authorities, or to require measures for accountability such as the reporting of specific information to the Minister. The MD on Privacy stipulates that we will take measures to protect the privacy of Canadians, ensure that appropriate policies and procedures are in place for the handling, retention, use and destruction of information about Canadians. The MD further stipulates that just as global technology and expertise evolve, so too must CSE policies, to ensure that they provide the required protection for the privacy of Canadians. The MD on Privacy also provides clear instructions on how we must cooperate fully with the CSE Commissioner and the Privacy Commissioner of Canada in the performance of their duties.
Our foreign signals intelligence collection efforts target foreign entities outside Canada. However, because of the complexity of global telecommunications, it is impossible to know if a foreign target will send or receive communications to or from a person in Canada. Thus, there is a risk that CSE could incidentally intercept a private communicationii. The National Defence Actacknowledges that this may happen and requires the Minister of National Defence to authorize activities that risk incidental interception of private communications. The Minister may issue an authorization only if the following conditions are met:
- the interception will be directed at foreign entities located outside Canada;
- the information to be obtained could not reasonably be obtained by other means;
- the expected foreign intelligence value of the information that would be derived from the interception justifies it; and
- satisfactory measures (further detailed below in the section: Additional Measures to Protect Privacy) are in place to protect the privacy of Canadians and to ensure that private communications will only be used or retained if they are essential to international affairs, defence or security.
Likewise, the Minister may also authorize CSE activities to protect Government of Canada computer systems or networks where these activities risk the interception of private communications. For example, a foreign hacker sends a malicious email (e.g., one that contains a virus or a link to a malicious website) to a Government of Canada department. To protect the Government of Canada computer system from harm, that email may be accessed if the following conditions apply:
- the interception is necessary to identify, isolate or prevent harm to Government of Canada computer systems or networks;
- the information to be obtained could not reasonably be obtained by other means;
- the consent of persons whose private communications may be intercepted cannot reasonably be obtained;
- satisfactory measures are in place to ensure that only information that is essential to identify, isolate or prevent harm to Government of Canada computer systems or networks will be used or retained; and
- satisfactory measures (further detailed below in the section: Additional Measures to Protect Privacy) are in place to protect the privacy of Canadians in the use or retention of that information.
Authorizations contain conditions that the Minister considers necessary to protect the privacy of Canadians or persons in Canada, including additional measures to restrict the use, retention, and disclosure of information obtained from private communications. Authorizations from the Minister are valid for a specific period, up to one year.
Privacy and CSE’s Assistance Mandate
CSE is legally mandated to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties. Under such circumstances CSE acts under the legal authority of the requesting agency and is subject to any restrictions on or conditions of that authority. Under this mandate, CSE will only share information in compliance with the conditions of the requesting agency’s legal authority, such as the terms of a court-issued warrant.
Privacy and Metadata
In order to fulfill our mandate, CSE collects and analyzes various types of metadata. Metadata is information about communications used by computer systems to identify, describe, manage or route communications over global networks or within computer systems. It does not include the content of any communications. Our use of metadata is limited to: understanding complex global communications networks; discovering and analyzing foreign targets; and defending information and networks of importance to the Government.
Some types of metadata, while not containing the content of a communication, may have a privacy interest. Therefore, as with all of our activities, measures are in place to protect the privacy of Canadians when dealing with metadata that is the subject of a reasonable expectation of privacy.
Additional Measures to Protect Privacy
- Detailed Operational Policy and Procedures
CSE takes the laws, the Ministerial Directives and Ministerial Authorizations that govern our work, and translates them into a very detailed set of operational policies. These policies establish specific measures to protect the privacy of Canadians and persons in Canada in the use and retention of intercepted information.
To ensure our staff fully understand and abide by our operational policies, we regularly train, test and verify their operational policy knowledge and compliance. An annual review and test are mandatory for operational staff involved in the analysis and production of foreign intelligence data acquired by CSE. Any employee not passing the mandatory tests is denied access to CSE’s operational systems. Employees are also required to attend mandatory legal briefings provided by the Department of Justice.
- Operational Practices
When collecting foreign intelligence, CSE may incidentally collect information about Canadians including a private communication, e.g., a foreign terrorist target is communicating with someone in Canada. As a result, CSE puts in place a number of operational practices to carefully manage the data and intercepted communications we may retain in order to protect the privacy interests of Canadians and persons in Canada. These practices are regularly reviewed by both CSE and the CSE Commissioner’s Office to ensure that we are operating in accordance with the law and continuously improving privacy protections. Such practices include:
- CSE may choose to retain a private communication only if it is: i) essential to the understanding of foreign intelligence related to international affairs, defence or security or, ii) essential to identify, isolate or prevent harm to the Government of Canada systems or networks. (The CSE Commissioner reviewed all of the private communications collected by CSE, used and retained under the 2012-13 foreign intelligence Ministerial Authorizations.)
- Information about Canadians included in the intelligence reports we write is suppressed and is only included when it is essential to the understanding of the foreign intelligence contained in the report; for example, a name would be replaced by a generic reference such as “a Canadian person”. If we receive a subsequent request for disclosure of the Canadian identifying information, CSE requires departments and agencies to demonstrate they possess the legal authority to request and use this information and to provide an operational justification for their need to know. All requests are assessed and documented. (The Commissioner has been conducting an annual review of identity information released, and in 2012-13 concluded that our activities conformed to Canadian laws, including the Privacy Act,and that such requests were authorized, justified and well documented.).
- Access to the systems and databases that contain such information is limited only to those within CSE who require it to perform their job, and who are specifically trained and regularly tested on CSE policies and procedures. (As part of his annual review, the CSE Commissioner assessed whether such policies and practices were in place and remain adequate. He also assessed the knowledge and awareness of policies and practices by CSE operational staff).
- CSE proactively identifies and reports any incidents that may run counter to our operational policies and centrally documents them to facilitate reporting and review by the CSE commissioner. (The CSE Commissioner annually reviews these and includes his findings and recommendations in his annual report to the Minister and to Parliament).
- CSE’s information sharing practices (with Government of Canada clients and with allies) comply with all Canadian laws, including the Privacy Act.
- The collection, management, retention and use of private communications incidentally collected by CSE are closely monitored and reviewed regularly by managers. When an analyst identifies a private communication, they tag it for tracking in our systems to ensure that its subsequent use and retention meets the requirements of the CSE legislation. If an incidentally collected private communication does not meet the essentiality conditions listed above, it is marked for deletion. Private communications used by CSE are subject to strict retention limits.
- CSE practices for the collection, management, retention and use of incidentally collected private communications have been reviewed by CSE Commissioners and reported on publicly by Commissioners in their annual reports which are tabled in Parliament.
- Internal CSE Examination and Review
In addition to management oversight, CSE has other mechanisms to monitor and assess activities and/or provide advice on operations and privacy measures. These include:
- Compliance groups who verify that data is collected, used and retained within the scope of our policy directives; and
- An Audit, Evaluation and Ethics team that has the mandate to review any of CSE’s activities, and provides a mechanism for employees to discuss or report serious ethical issues, including a perceived or suspected wrongdoing, without fear of reprisal.
- Reporting to the Minister
CSE must report to the Minister annually on the retention or use of recognized intercepted private communications.
- External Independent Review
An external independent CSE Commissioner is mandated to review CSE’s activities. The Commissioner’s reviews determine whether CSE’s activities are compliant with all Canadian laws – including verifying that CSE is not directing its activities at Canadians or any person in Canada when it conducts activities under its foreign intelligence or cyber defence mandates. The reviews also determine if CSE is following its policies and procedures on the handling of information collected, including measures to protect the privacy of Canadians and persons in Canada.
The Commissioner verifies that we are following any additional restrictions or requirements established by the Minister through Ministerial Directives, Ministerial Authorizations and operational policies, and must report to the Minister as well as the Attorney General of Canada if he believes that CSE may not be acting lawfully.
The Commissioner also makes recommendations which aim to strengthen compliance and privacy protection measures in all of CSE’s activities. This preventative approach has further strengthened CSE’s privacy protection and legal compliance frameworks. Finally, the Commissioner is mandated to receive and investigate any complaints about the lawfulness of CSE’s activities.
The Commissioner is also available to employees wishing to disclose information under the Security of Information Act(SOIA). The Act assigns specific duties to the CSE Commissioner in the event that an individual who would otherwise be bound by secrecy seeks to defend his or her actions in releasing classified information about CSE on the grounds that it is in the public interest. This is known as the 'public interest defence' provision of the Act.
Commitment to protecting privacy
Protecting privacy is vital in our free and democratic society. We understand that given our work, we have special responsibilities to protect Canadian privacy. We take those responsibilities very seriously. From the laws that govern us, to the directives, authorizations and policies that guide us, to the procedures and protocols that all CSE employees follow – legal compliance and protecting privacy are primary principles in fulfilling our mandate.
i Canadians’ privacy also refers to the privacy of Canadians anywhere in the world and any persons in Canada.
iiWhat is a private communication? According to the Criminal Code, “private communication” means any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it, and includes any radio-based telephone communication that is treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it.