Mandate of the Communications Security Establishment Commissioner
My mandate under the National Defence Act is:
- to review activities of CSE to determine whether they comply with the law;
- to undertake any investigation I deem necessary in response to a written complaint; and
- to inform the Minister of National Defence (who is accountable to Parliament for CSE) and the Attorney General of Canada of any CSE activities that I believe may not be in compliance with the law.
Under the Security of Information Act, I also have a mandate to receive information from persons who are permanently bound to secrecy if they believe it is in the public interest to release special operational information of CSE.
CSE's mandate
When the Anti-terrorism Act, 2001 came into effect on December 24, 2001, it added Part V.1 to the National Defence Act, and set out CSE's three-part mandate:
- part (a) authorizes CSE to acquire and use foreign signals intelligence in accordance with the Government of Canada's intelligence priorities;
- part (b) authorizes CSE to help protect electronic information and information infrastructures of importance to the Government of Canada; and
- part (c) authorizes CSE to provide technical and operational assistance to federal law enforcement and security agencies, including helping them obtain and understand communications collected under those agencies' own lawful authorities.
With the emphasis on reviewing the lawfulness of CSE activities and the protection of the privacy of Canadians, the National Defence Act requires that the CSE Commissioner be a supernumerary or retired judge of a superior court.
To carry out my mandate, the National Defence Act provides me:
- full independence – at arm's length from government – and a separate budget granted by Parliament;
- full access to all CSE facilities, files, systems and databases; and
- full access to CSE personnel, including the power of subpoena to compel individuals to answer questions.
To be effective, reviewers need specialized expertise to be able to understand the technical, legal and privacy aspects of CSE activities. They also need security clearances at the level required to examine CSE records and systems. They are bound by the Security of Information Act and cannot divulge to unauthorized persons the specific information they access.
Annex A contains the text of the relevant sections of the National Defence Act and the Security of Information Act relating to my role and mandate as CSE Commissioner.
Our approach
The purpose of my review mandate is:
- to determine whether CSE complies with the law and, if I believe that it may not have complied, to report this to the Minister of National Defence and to the Attorney General of Canada;
- to determine whether the activities conducted by CSE under ministerial authorization are, in fact, those authorized by the Minister of National Defence, and to verify that the conditions for authorization required by the National Defence Act are met;
- to verify that CSE does not direct its foreign signals intelligence and information technology (IT) security activities at Canadians; and
- to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the operational activities CSE undertakes.
Protection of Canadians' privacy
By law, CSE is prohibited from directing its foreign signals intelligence collection and IT security activities at Canadians – wherever they might be in the world – or at any person in Canada. My review of CSE activities includes determining whether CSE, in its use and retention of collected information, takes satisfactory measures to protect every Canadian's reasonable expectation of privacy. I examine CSE use, disclosure and retention of private communications. I verify that Canadian identity information is protected and only shared with authorized partners when needed for understanding foreign signals intelligence or IT security information. I also verify that metadata is used only to understand the global information infrastructure, to obtain foreign intelligence or to protect cyber systems, but not to obtain information about a Canadian.
Using a variety of methods, we are continuously conducting reviews of:
- selected activities based on a risk analysis, to ensure compliance at a detailed level;
- electronic systems, tools and databases;
- a cross-section of activities to verify compliance in relation to broad issues, such as privacy or metadata; and
- the content of policies, procedures and controls to determine how they are applied by CSE employees and to identify existing or potential systemic weaknesses.
Each review includes an assessment of CSE activities against a standard set of criteria:
- Legal requirements: I expect CSE to conduct its activities in accordance with the National Defence Act, the Canadian Charter of Rights and Freedoms, the Privacy Act, the Criminal Code, and any other relevant legislation.
- Ministerial requirements: I expect CSE to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.
- Policies and procedures: I expect CSE to have appropriate policies and procedures in place to guide its activities and to provide sufficient direction on legal and ministerial requirements including the protection of the privacy of Canadians. I expect CSE employees to be knowledgeable about and comply with policies and procedures. I also expect CSE to have an effective compliance validation framework to ensure the integrity of operational activities is maintained, including appropriately accounting for important decisions and information relating to compliance and the protection of the privacy of Canadians.
Reporting on findings
The results of individual reviews are the subject of classified reports to the Minister of National Defence. My classified review reports document CSE activities, contain findings relating to the review criteria, and disclose the nature and significance of any deviations from the criteria. Where and when appropriate, I make recommendations to the Minister of National Defence aimed at improving privacy protections or correcting discrepancies between CSE activities and my expectations, based on standard criteria.
The reports are free of any interference by CSE or any Minister. I determine the content of my reports, which are based on facts and conclusions drawn from those facts. Following the standard audit practice of disclosure, I present draft versions of review reports to CSE for confirmation of factual accuracy. This is essential to the review process given that my recommendations are based on the facts as uncovered in my reviews.
The Commissioner's annual report for Parliament is a public document. CSE reviews the draft to verify that it does not contain any classified information that may contravene the Security of Information Act. In the interest of transparency and better public understanding, I push the limits to include as much information as possible in my report. The report is provided to the Minister of National Defence who must by law table it in Parliament.
As a further step toward openness within a stringent security framework, my office publishes on our website the titles of all review reports submitted to the Minister of National Defence (with any classified information removed) – 90 to date – to demonstrate the depth and breadth of Commissioners' reviews.
The logic model in Annex B provides a flow chart of the review program.
- Date modified: