Commissioner's Mandate and Review Work
Mandate
The Communications Security Establishment (CSE) Commissioner's mandate is set out under Part V.1 of the National Defence Act (NDA):
- to review activities of CSE to determine whether they comply with the law;
- to undertake any investigation the Commissioner considers necessary in response to a written complaint; and
- to inform the Minister of National Defence (who is accountable to Parliament for CSE) and the Attorney General of Canada of any CSE activity that the Commissioner believes may not be in compliance with the law.
Under section 15 of the Security of Information Act, the Commissioner also has a mandate to receive information from persons who are permanently bound to secrecy if they believe it is in the public interest to release special operational information of CSE.
The NDA requires that the CSE Commissioner be a supernumerary or retired judge of a superior court. The NDA provides the Commissioner with full independence, as well as full access to all CSE facilities and systems, and full access to CSE personnel, including the power of subpoena to compel individuals to answer questions. The Commissioner has a separate budget granted by Parliament.
The review process
The review process is the Commissioner's approach to examining CSE activities. CSE activities include collecting foreign intelligence on foreign targets located outside Canada, that is, information about the capabilities, intentions or activities of foreign targets relating to international affairs, defence or security. CSE is also Canada's lead technical agency for cyber defence and for the cryptography and other information technology security technologies needed to protect government computer systems and networks containing sensitive national and personal information. CSE also has a mandate to use its unique capabilities to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.
The purpose of the Commissioner's review mandate is:
- to determine whether CSE complies with the law and, if the Commissioner believes that it may not have complied, to report this to the Minister of National Defence and to the Attorney General of Canada;
- to determine whether the activities conducted by CSE under ministerial authorization are, in fact, those authorized by the Minister of National Defence, and to verify that the conditions for authorization required by the NDA are met;
- to verify that CSE does not direct its foreign signals intelligence and cyber defence activities at Canadians or any person in Canada; and
- to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the operational activities CSE undertakes.
CSE's activities are distinct from security and criminal intelligence that is collected by other agencies, which is information on activities that could threaten the security of Canada or public safety and is usually acquired from targeting Canadians. CSE activities are specifically prohibited from being directed at Canadians or persons in Canada. Restricting intelligence gathering to foreign targets outside Canada is complicated by the interconnected and ever-evolving global information infrastructure, as well as by the foreign targets, who are themselves technologically savvy. CSE requires sophisticated technical capabilities to acquire and analyze information and to detect and mitigate malicious cyber activity. CSE's methods are effective only if they remain secret.
To understand the many technical, legal and privacy aspects of CSE activities, reviewers need specialized expertise. They also require security clearances at the level necessary to examine CSE records and systems. Reviewers are bound by the Security of Information Act and cannot divulge to unauthorized persons the sensitive information they access.
The office is continuously conducting reviews of:
- selected activities based on a risk analysis, to ensure compliance at a detailed level;
- electronic systems, tools and databases;
- a cross-section of activities to verify compliance in relation to broad issues, such as privacy or metadata; and
- the content of policies, procedures and controls to determine how they are applied by CSE employees, and to identify existing or potential systemic weaknesses.
Each review assesses CSE activities against the following standard set of criteria:
-
Legal requirements: the Commissioner expects CSE to conduct its activities in accordance with the Canadian Charter of Rights and Freedoms, the NDA, the Privacy Act, the Criminal Code, and any other relevant legislation.
-
Ministerial requirements: the Commissioner expects CSE to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.
-
Policies and procedures: the Commissioner expects CSE to have appropriate policies and procedures in place to guide its activities and to provide sufficient direction on legal and ministerial requirements including the protection of the privacy of Canadians. He expects CSE employees to be knowledgeable about and comply with policies and procedures. He also expects CSE to have an effective compliance validation framework to ensure the integrity of operational activities is maintained, including appropriately accounting for important decisions and information relating to compliance and the protection of the privacy of Canadians.
Reporting on findings
The results of individual reviews are produced as classified reports to the Minister that document CSE activities, contain findings relating to the standard criteria, and disclose the nature and significance of any deviations from the criteria. If necessary, the Commissioner makes recommendations to the Minister aimed at improving privacy protections or correcting problems with CSE operational activities raised during the course of review. Following the standard audit practice of disclosure, CSE is provided with draft versions of reports to confirm factual accuracy.
The Commissioner's annual report is a public document provided to the Minister, who by law must table it in Parliament. The Commissioner's office publishes the titles of all review reports submitted to the Minister — 97 to date — on its website.
In 2015–2016, the Commissioner was supported by 11 employees, together with a number of subject matter experts, as required. The office's expenditures were $2, 034,877, which is within the overall funding approved by Parliament. To learn more about the Commissioner's office and its expenditures, please visit the website.
How the office's work has changed over 20 years
The quantity and depth of reviews being performed has expanded considerably over the years, increasing the amount of information available to support ministerial accountability and for informed parliamentary debate and public scrutiny. Over the last five years, Commissioners submitted 36 comprehensive review reports to the Minister (seven in 2011–2012, six in 2012–2013, seven in 2013–2014, nine in 2014–2015 and seven this year).
Reviews carried out over the last 20 years have produced 161 recommendations intended to promote compliance. CSE has demonstrated its commitment to implementing recommendations relating to privacy protection; since 1996, CSE has accepted and implemented 100% of the recommendations relating to privacy. This means that measures to protect the privacy of Canadians are continually being refined to adapt to the ever-changing technological and operational environment in which CSE must work.
Commissioners have had a significant positive impact on accountability, transparency and compliance of CSE activities. The office's work has led to CSE strengthening a number of fundamental policies and practices relating to privacy protection.
Commissioners instituted annual reviews of disclosures of Canadian identity information and privacy incidents to assess their inherent risk to privacy. Because ministerial authorizations permit the unintentional interception of a private communication — another risk to privacy — the authorizations and private communications are also reviewed each year.
Recommendations from Commissioners' reviews have also encouraged CSE to make significant revisions to practices and guidelines with respect to information sharing with second party partners. This includes clarifying language in information exchanges, clearly setting out privacy protection expectations for Canadian information shared with partners, and disseminating guidance to formalize and strengthen practices for addressing potential privacy concerns.
- Date modified: