Rescinded - Policy on the Use of Electronic Networks
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.
This policy is replaced by:
The effective date of the policy is February 12, 1998.
The Treasury Board encourages authorized individuals to use electronic networks to conduct the business of government, to communicate with other authorized individuals and with the public, to gather information relevant to their duties, and to develop expertise in using such networks. Because electronic networks permit the individuals who use them to inadvertently or deliberately damage a positive work environment, to disclose classified or designated information in an unauthorized fashion, or to engage in unlawful activities, the Treasury Board is instituting this policy to help authorized individuals get the most benefit from electronic networks and to provide guidance regarding unacceptable conduct on such networks. This policy also gives guidance to institutions on privacy issues relating to monitoring employee use of electronic networks, and especially on the importance of institutions understanding and respecting the privacy rights of their employees when contemplating any of the monitoring practices discussed in this policy.
Definitions
- Access: means gaining entry to an electronic network that the federal government has provided to authorized individuals. Access to such networks may be from inside or outside government premises. Access may support telework and remote access situations or where authorized individuals are using electronic networks provided by the federal government on their own time for personal use.
- Authorized individuals: include employees of the federal government as well as contractors and other persons who have been authorized by the deputy head to access electronic networks.
- Electronic networks: are groups of computers and computer systems that can communicate with each other. Without restricting the generality of the foregoing, these networks include the Internet, networks internal to an institution and public and private networks external to an institution.
- Monitoring of electronic networks: means any action that involves the recording and subsequent analysis of activity on, or use of, a system or electronic network. Examples include recording user accounts, user activities, sites visited, information downloaded and computer resources used to perform a routine analysis of traffic flow on networks, use patterns and sites that certain work groups or individuals have visited. The information recorded and subjected to analysis does not normally involve the contents of individual electronic mail, files and transmissions.
- Unacceptable activity: is any activity that violates institutional or Treasury Board policy (for examples of Treasury Board policy, see Appendix B), or that violates the limitations on personal use set out in Appendix C to this policy.
- Unlawful activity: includes criminal offences, contraventions of non-criminal regulatory federal and provincial statutes, and actions that make an authorized individual or an institution liable to a civil lawsuit. For examples, refer to Appendix A.
Policy objective
To ensure that anyone authorized to access electronic networks by a federal government institution uses those electronic networks appropriately.
Policy statement
It is Treasury Board policy that authorized individuals use electronic networks to conduct the business of government, to communicate with public service employees and with the public, to gather information relevant to their duties, and to develop expertise in using such networks. Deputy heads have an obligation to promote the use of electronic networks in a working environment where unacceptable or unlawful activity is not permitted. They also have an obligation to deal quickly, fairly and decisively with any violations of policy or law.
Application
Pursuant to the authority of the Treasury Board under s. 7 of the Financial Administration Act, this policy applies to all institutions and other portions of the Public Service listed in Schedule 1, Parts I and II of the Public Service Staff Relations Act, to the Canadian Forces and to the Royal Canadian Mounted Police.
Policy requirements
Deputy heads have a responsibility to put in place policies and practices that promote the appropriate use of electronic networks. Those policies must be consistent with the operational needs of the workplace, the Privacy Act, the Access to Information Act and the Charter of Rights and Freedoms (especially reasonable privacy and freedom of expression interests).
When an institution authorizes individuals to access electronic networks for approved uses, it must develop and implement policies and procedures for the appropriate use of such networks that include the following:
Authorized uses of electronic networks
- A statement indicating the authorized uses of electronic networks - which may include the conduct of government business, professional activities, career development or personal use.
Unlawful and unacceptable conduct
- A statement indicating that unlawful activity is not permitted and providing information about the kinds of activities that are unlawful on electronic networks (see Appendix A for a non-exhaustive list).
- A statement indicating the kinds of activity that are legal but nonetheless unacceptable and not permitted on electronic networks (see Appendices B and C for a non-exhaustive list).
- A statement identifying the responsibilities of authorized individuals when they are using electronic networks (see Appendix D for a non-exhaustive list).
- A statement designating an institutional official to investigate reports of unlawful or unacceptable use by authorized individuals.
- A statement indicating which groups of employees are authorized to analyze logs that show the use of electronic networks by individuals; which groups of employees, if any, are authorized to analyze the content of authorized individuals' files or electronic mail; and to whom such authorized employees may disclose information about identifiable individuals and for what purposes.
- A statement telling authorized individuals where they can obtain information on the interpretation of unlawful and unacceptable uses.
- A statement telling authorized individuals where they can obtain training or information on using electronic networks.
- A statement notifying authorized individuals of policies and procedures related to the use of electronic networks.
- A statement indicating that the institution will report suspected illegal activity to law-enforcement authorities, unless legal advisors consider the matter too minor. It should also indicate that the institution may take disciplinary measures, even where a formal criminal charge or civil lawsuit is not pursued.
- A statement indicating the range of disciplinary measures that the institution may use in instances of unlawful or unacceptable use, depending on the seriousness and circumstances of the incident. These may include an oral reprimand, written reprimand, limiting electronic network access, suspension or termination of employment.
Monitoring of electronic networks
Electronic networks may be monitored for operational reasons to determine whether the networks are operating efficiently; to isolate and resolve problems; and to assess compliance with the policy. In addition, institutions can conduct periodic and random checks of the network for specific operational purposes. In any case, the resulting information may be analyzed.
Normal routine analysis does not involve reading the content of electronic mail or files. However, if due to routine analysis or a complaint, the institution reasonably suspects that an authorized individual is misusing the network, it must refer the matter to the appropriate institutional official for further investigation and action that may involve special monitoring and/or reading the contents of individual electronic mail and files. Whenever employees are obliged to read the contents of electronic communications, they must keep the information confidential and use it only for authorized purposes. This investigation must be conducted in accordance with the Charter of Rights and Freedoms, the Privacy Act, and the Criminal Code.
Institutions must take privacy concerns into account when designing their monitoring initiatives and inform authorized individuals of their monitoring practices, prior to implementation, by communicating at a minimum, the following information:
- a statement explaining the regular monitoring practices of electronic networks - for example, operational analysis of logs indicating the Internet sites authorized individuals have visited, or key-word searches of files on network servers or on computer storage devices of authorized individuals' computers;
- a statement that electronic networks will be monitored only for work-related purposes - for example, to assess system or network performance, protect government resources or ensure compliance with government policies;
- a statement that special monitoring may be permitted without notice in instances where it is reasonable to suspect unlawful or unacceptable activity.
For guidance on the legal issues related to privacy, refer to Appendix E.
Institutions must conduct internal audits of their compliance with the policy and the effectiveness of its implementation.
The Secretariat will assess the effectiveness and application of the policy through institutional internal audits.
Legislation
The Financial Administration Act; the Access to Information Act; the Privacy Act; the Charter of Rights and Freedoms; the National Archives of Canada Act; the Official Secrets Act; the Criminal Code; the Export and Imports Act; the Crown Liability and Proceedings Act; the Copyright Act; the Trade-Marks Act; the Patents Act; the Canadian Human Rights Act.
Treasury Board policy and publications
The Conflict of Interest and Post-Employment Code for the Public Service; the Harassment in the Workplace Policy; the Government Security Policy; the Government Communications Policy; the Government of Canada Internet Guide; the Management of Government Information Holdings Policy; the Access to Information Policy; the Privacy and Data Protection Policy; the Telework Policy; the Policy on Losses of Money and Offences and Other Illegal Acts against the Crown.
Enquiries
Please direct enquiries about this policy to the responsible officers in institutional headquarters who, in turn, may seek interpretation from the following:
Chief Information Officer Branch
Treasury Board of Canada, Secretariat
Facsimile: (613) 957-8020
Appendix A - Unlawful activity (non-exhaustive list of examples)
The term "unlawful activity" can have a number of meanings. For the purposes of this policy, "unlawful activity" is interpreted broadly to include actions that could result in sanctions of different kinds in a court of law.
Some activity gives rise to criminal offences, but unlawful activity includes more than just what is criminal. It also includes activity that violates non-criminal, regulatory statutes (only a small proportion of statutes provides for criminal offences). Some regulatory statutes state that anyone who violates their provisions has committed an offence, but other statutes do not create specific offences. However, whether or not an offence is set out in a specific regulatory statute, it is still unlawful to fail to observe statutory requirements.
Further, s. 126 of the Criminal Code states that anyone who wilfully violates an Act of Parliament for which no offence is specified has committed an offence. Provincial laws have similar provisions.
Finally, some activities are neither criminal nor violations of specific regulatory statutes, but they can result in lawsuits brought by persons who are harmed by those acts. In such cases, the courts can find that a defendant is in breach of the laws applicable in a province and can penalize the person with an enforceable monetary award of damages to be paid to the plaintiff. These are known as civil actions. Where there is civil liability of an employee, and when the employee's activity falls within the scope of his or her duties, the employer can also be liable for monetary damages.
Note that government institutions are required to report suspected illegal activity to the appropriate law enforcement agency (unless their legal advisor advises that the matter is too minor), under the following policies and guidelines:
- Chapter 2-1, article 16.5 of the Government Security Policy (article 16.4 states that security breaches must be reported to the deputy head of the institution);
- Chapter 4-7 of the Policy on Losses of Money and Offences and Other Illegal Acts against the Crown.
Also, under paragraph 80(e) of the Financial Administration Act, a person is guilty of an offence if he or she
- collects, manages or disburses public money; and
- knows or suspects that any other person has committed fraud against Her Majesty or has contravened the Financial Administration Act, its regulations, or any revenue law of Canada; and
- fails to report, in writing, that knowledge or suspicion to a superior officer.
The following are examples of criminal activity that could take place on electronic networks:
- Child pornography:
- possessing, downloading or distributing any child pornography (see s. 163.1 of the Criminal Code).
- infringing on another person's copyright without lawful excuse - the Copyright Act provides for criminal prosecutions and civil actions in such cases (see also "copyright" under violations of federal and provincial statutes).
- causing a statement to be read by others that is likely to injure the reputation of any person by exposing that person to hatred, contempt or ridicule, or that is designed to insult the person (see ss. 296-317 of the Criminal Code). There are a number of defences for this offence. For instance, the maker of the statement may believe, on reasonable grounds, that the statement is true and that the statement is relevant to a subject of public interest whose public discussion benefits the public.
- Hacking and other crimes related to computer security
- Gaining unauthorized access to a computer system: using someone else's password or encryption keys to engage in fraud or obtaining money, goods or services through false representations made on a computer system. See the following Criminal Code provisions: s. 122 (breach of trust by public officer); s. 380 (fraud); s. 361 (false pretences); s. 403 (fraudulent personation); s. 342.1 (unauthorized use of computer systems and obtaining computer services).
- Trying to defeat the security features of the electronic networks. See the following Criminal Code provisions: s. 342.1 (unauthorized use of computer systems and obtaining computer services); s. 342.1(d) (using, possessing or trafficking in stolen computer passwords or stolen credit card information); s. 342.2 (making, possessing or distributing computer programs that are designed to assist in obtaining unlawful access to computer systems); ss. 429 and 430 (mischief in relation to data).
- Spreading viruses with intent to cause harm. See the following Criminal Code provisions: ss. 429 and 430 (mischief in relation to data); s. 342.1 (unauthorized use of computer systems and obtaining computer services).
- Destroying, altering or encrypting data without authorization and with the intent of making it inaccessible to others with a lawful need to access it. See the following Criminal Code provisions: ss. 429 and 430 (mischief in relation to data); s. 342.1 (unauthorized use of computer systems and obtaining computer services); ss. 129 and 139(2) (destroying or falsifying evidence to obstruct a criminal investigation).
- Interfering with others' lawful use of data and computers. See the following Criminal Code provisions: ss. 429 and 430 (mischief in relation to data); s. 326 (theft of telecommunication services); s. 322 (theft of computer equipment); s. 342.1 (unauthorized use of computer systems and obtaining computer services).
- sending electronic messages, without lawful authority, that cause people to fear for their safety or the safety of anyone known to them (see s. 264 of the Criminal Code). Section 264.1 of the Criminal Code makes it an offence to send threats to cause serious bodily harm, damage personal property or injure a person's animal.
- Hate propaganda:
- disseminating messages that promote hatred or incite violence against identifiable groups in statements outside of private conversations (see s. 319 of the Criminal Code).
- Interception of private communications or electronic mail (in transit):
- unlawfully intercepting someone's private communications or unlawfully intercepting someone's electronic mail (see s. 184 and s. 342.1 of the Criminal Code, respectively).
- distributing, publishing or possessing for the purpose of distributing or publicly displaying any obscene material (e.g. material showing explicit sex where there is undue exploitation of sex, where violence or children are present, or where the sex is degrading or dehumanizing and there is a substantial risk that the material could lead others to engage in anti-social acts). See s. 163 of the Criminal Code.
- Various other offences:
- the Criminal Code (and a few other statutes) provide for a range of other offences that can take place in whole or in part using electronic networks. For example, fraud, extortion, blackmail, bribery, illegal gambling, and dealing in illegal drugs can all occur, at least in part, over electronic networks and are criminal acts.
Violations of federal and provincial statutes
The following are examples of unlawful (though not criminal) activity that can take place on electronic networks.
- Copyright and intellectual property:
- violating another person's copyright (the Copyright Act provides for criminal prosecutions and civil actions in such cases). Unauthorized use of trade-marks and patents can also occur on electronic networks and these acts are proscribed in the Trade-marks Act.
- spreading false allegations or rumours that would harm a person's reputation. In addition to criminal libel, defamation is contrary to provincial statutes dealing with this subject.
- Destroying or altering data without authorization:
- unlawfully destroying, altering or falsifying electronic records. See the following provisions: s. 5 of the National Archives of Canada Act; ss. 6 and 12 of the Privacy Act; s. 4 of the Access to Information Act; s. 5 of the Official Secrets Act.
- Disclosing sensitive information without authorization
- Disclosing personal information: failing to respect the privacy and dignity of every person. The obligation to respect a person's privacy is expressed in a number of statutory provisions, such as ss. 4, 5, 7 and 8 of the Privacy Act and s. 19(1) of the Access to Information Act. Many federal statutes have non-disclosure provisions, often designed to protect the privacy of citizens who provide information to the government (see list of provisions in Schedule II of the Access to Information Act). In addition, Quebec has a number of privacy provisions in its Civil Code (see articles 3, 35-41) and in its Human Rights Charter (see articles 4, 5 and 49). British Columbia, Saskatchewan, Manitoba and Newfoundland also have statutes that provide for civil actions where there is an undue invasion of privacy.
- Disclosing business trade secrets: revealing, without authorization or in response to a formal request under the Access to Information Act, business trade secrets or confidential commercial information supplied in confidence by a third party and consistently treated as confidential by the third party. See s. 20(1)(a) and (b) of the Access to Information Act.
- Disclosing sensitive government information: revealing sensitive government information without authorization. See ss. 3 and 4 of the Official Secrets Act. As well, when responding to formal requests under the Access to Information Act, institutions must not disclose information obtained in confidence from other governments (see s. 13 of the Access to Information Act; the other exemptions in the Act relating to government information are discretionary).
Note that employees and other authorized individuals and the government are immune from legal actions with respect to disclosures made in good faith under either the Privacy Act or Access to Information Act.
- It is a discriminatory practice "(a) in the provision of ...services... available to the general public...or (c) in matters related to employment to harass an individual on a prohibited ground of discrimination". The prohibited grounds are race, national or ethnic origin, colour, religion, age, sexual orientation, marital status, family status, disability and conviction for which a pardon has been granted. Thus, in some circumstances, displaying unwelcome sexist, pornographic, racist or homophobic images or text on a screen at work can be unlawful harassment. See s. 14 of the Canadian Human Rights Act.
- Privacy infractions:
- reading someone else's electronic mail or other personal information without authorization, listening in on someone's private conversations or intercepting electronic mail while it is in transit, for example.
When an employee or other person has a reasonable expectation of privacy in his or her electronic mail or other personal documents, an institution may be guilty of an unreasonable search or seizure under s. 8 of the Charter of Rights and Freedoms if it infringes on that reasonable expectation without a lawful authority. This is true whether the institution is acting as employer or otherwise.
The institution may also be deemed to have collected or used data unlawfully, contrary to ss. 4, 5, 7 and 8 of the Privacy Act. The government may be liable for damages when private communications are intercepted unlawfully (see ss. 16-20 of the Crown Liability and Proceedings Act concerning electronic surveillance activities carried out by Crown servants in the course of their employment; s. 20 specifically provides that the Crown servant will be accountable to the Crown for the amount of the damages awarded by a court). The government may also be liable for damages when an unlawful disclosure of personal information occurs contrary to provisions in various statutes (see the list of such provisions in Schedule II of the Access to Information Act). For more information on these issues, refer to Appendix E and the discussion of reasonable expectations of privacy.
- Use of public money without proper authority:
- See the following provisions of the Financial Administration Act: s. 33 (making a requisition without authority); s. 34 (certifying receipt of goods or services without authority); s. 78 (liability for losses caused by malfeasance or negligence); and s. 80 (taking bribes or participating in corrupt practices).
Activity that can expose authorized individuals or the employer to civil liability
Various kinds of conduct can expose a person or an employer to civil liability. The employer's liability will be triggered when a Public Service employee performs the unlawful activity in the course of his or her employment. The Public Service employee remains personally liable for these actions, even when the federal government is also liable. (The government's policy on indemnifying authorized individuals - Policy on the Indemnification of Servants of the Crown - is relevant to such actions.) The following are examples of civil wrongs that can take place on electronic networks.
- Disclosing or collecting sensitive data:
- revealing or obtaining such information without authorization. In addition to the statutory provisions mentioned above, an unauthorized disclosure or collection of personal information can result, in some circumstances, in a civil action for invasion of privacy, nuisance or trespass under common law, and similar actions under the Civil Code of Quebec (articles 3, 15-41); for breach of contract and for breach of trust or breach of confidence (e.g., if confidential commercial information is disclosed).
- spreading false allegations or rumours that would harm a person's reputation. In addition to criminal libel, publishing defamatory statements without a lawful defence can result in a civil action.
- Inaccurate information:
- posting inaccurate information, whether negligently or intentionally. This can lead to civil lawsuits for negligent misrepresentation if it can be shown that (a) the posting caused harm and resulted in damages to the person who (b) reasonably relied on the information, that (c) the person or institution that made the posting owed a duty of care to the person who was harmed by inaccurate information; and (d) the inaccuracy was due to negligence (conduct that falls below what is reasonable in the circumstances).
Appendix B - Unacceptable activity that is not necessarily unlawful but which violates Treasury Board policies (non-exhaustive list of examples)
A number of Treasury Board policies are not media-specific - that is, they apply whether the unacceptable activity occurs on paper, by telephone, through computer networks, in oral conversation or through any other medium. It is unacceptable to violate Treasury Board policies including institutional policies. The following policies are important in the context of the use of electronic networks: the Government Security Policy (in relation to standards including the Technical Security Standards for Information Technology); the Harassment in the Workplace Policy; the Privacy and Data Protection Policy, including the Employee Privacy Code; the Government Communications Policy; and the Conflict of Interest and Post-Employment Code for the Public Service. These policies relate to various activities, as described below.
- Sending classified or designated information on unsecured networks, unless it is sent in encrypted form. (Government Security Policy).
- Accessing, without authorization, sensitive information held by the government. (Government Security Policy).
- Attempting to defeat information technology security features, through such means as using anti-security programs; using someone else's password, user-identification or computer account; disclosing one's password, network configuration information or access codes to others; or disabling anti-virus programs. (Government Security Policy).
- Causing congestion and disruption of networks and systems, through such means as sending chain letters and receiving list server electronic mail unrelated to a work purpose. These are examples of excessive use of resources for non-work related purposes. (Government Security Policy).
- Sending abusive, sexist or racist messages to employees and other individuals (Harassment in the Workplace Policy).
- Using the government's electronic networks for private business, personal gain or profit or political activity. (Conflict of Interest and Post-Employment Code for the Public Service).
- Making excessive public criticisms of governmental policy. (Conflict of Interest and Post-Employment Code for the Public Service).
- Representing personal opinions as those of the institution, or otherwise failing to comply with institutional procedures concerning public statements about the government's positions. (Conflict of Interest and Post-Employment Code for the Public Service).
- Failing to provide employees and other authorized individuals with notice of electronic monitoring and auditing practices. (Government Security Policy and the Employee Privacy Code).
- Providing personnel with access to systems, networks, or applications used to process sensitive information before such personnel are properly security screened. (Government Security Policy).
- Failing to revoke the system access rights of personnel when they leave the institution because of the end of employment or the termination of a contract, or when they lose their reliability status or security clearance. (Government Security Policy).
- Unauthorized removal or installation of hardware or software on government owned informatics devices or electronic networks. (Government Security Policy).
Appendix C - Unacceptable activities relating to access to electronic networks provided by the government
Authorized individuals must be made aware that the employer is not obliged to permit them to use government computers, electronic networks and Internet access for personal objectives. If an institution chooses to permit personal use, authorized individuals must not abuse such access. Authorized individuals should also be aware that visits to World Wide Web sites and electronic mail messages often leave records identifying the computer from which the visit or message originated. The institution's firewalls, gateways and systems record which Web sites and electronic mail addresses were contacted and which computer within the institution made the visit or sent the message. The public could get access to these records under the Access to Information Act and the Privacy Act. This access could embarrass both the individual and the institution, depending on the nature of the site visited. In addition, authorized individuals must ensure that others do not think that statements they express in personal messages are related to their employment duties or approved by the government.
Where government institutions permit personal use of government electronic networks on personal time, they should specify what, if any, limitations apply. Notwithstanding that, authorized individuals are prohibited from conducting any of the unlawful or unacceptable activities listed in appendices A and B. Doing so exposes them to disciplinary measures and possible revoking of electronic network access. Furthermore, authorized individuals cannot use government electronic networks to access or download Web sites or files, or send or receive electronic mail messages or other types of communication, that fall into the following categories:
- documents that incite hatred against identifiable groups contained in personal messages (the Criminal Code prohibits incitement of hatred against identifiable groups in public conversations);
- documents whose main focus is pornography, nudity and sexual acts (however, authorized individuals may access such information for valid work-related purposes, and may visit sites whose main focus is serious discussions of sexual education and sexual orientation issues).
If government institutions are considering limiting other kinds of personal expression from their computers or through government electronic networks, they should first consider whether their objective is work-related; whether a specific limitation is necessary to achieve their objective; whether they have carefully tailored the limit to curtail only the specific expression they seek to prevent; and whether they have expressed the limit in specific terms that give authorized individuals reasonable guidance as to what is permitted. Institutions should also consider whether the objectionable activity is serious enough to warrant revoking network access or devoting institutional resources to enforcing the policy.
Appendix D - Responsibilities of authorized individuals
All authorized individuals are responsible for ensuring that they use their access to government electronic networks only for government business and for purposes authorized by the deputy head, such as professional activities, career development, and personal use. Authorized individuals are responsible for using their access to electronic networks in a responsible and informed way. They must respect the law and government policies and guidelines as set out by the Treasury Board and their institution. Examples of responsibilities of authorized individuals include the following:
- taking reasonable measures to control the use of their password, user identification or computer accounts, which includes being responsible for any actions or costs arising from the unauthorized use of electronic networks;
- following their institution's instructions for ensuring the security of computer networks and electronic information;
- being aware of information technology security issues and privacy concerns, using the information technology security features provided by the institution, and taking precautions to avoid transferring computer viruses into the network;
- writing communications in a professional way, so that their use of electronic networks will not reflect badly on their institution or the Government of Canada (this includes refraining from using objectionable language in work-related communications);
- taking reasonable steps to ensure their communications about policies, programs and service are accurate and clear, and that these communications comply with the institution's policies concerning who may act as spokespersons for the institution and the procedures to follow in making public statements for the institution; and
- when in doubt about the intended use of the electronic networks, asking the person designated by the institution to clarify whether the intended use is unlawful or unacceptable within the terms of this policy or the institutional policy.
Appendix E - Guidelines on monitoring of electronic networks
Institutional policies and procedures for the use of electronic networks should establish operating and management requirements that:
- reflect this policy;
- give direction to senior management, program managers, employees and other authorized individuals; and
- provide detailed guidance concerning the monitoring of electronic networks.
Expectation of privacy
The Security Policy states that "The Charter of Rights and Freedoms guarantees that government authorized individuals have a right to a reasonable expectation of privacy; and this right extends to the workplace. They also have protection under the Privacy Act." Unlike the private sector, the government is subject to the Charter of Rights and Freedoms, and thus faces more limits on its ability to search authorized individuals and their effects than the private sector does. Further, the Charter protects the privacy of persons, not property. Thus, authorized individuals have expectations of privacy, even though they are dealing with government property. This is especially true when an institution permits personal use of government property.
Government managers must respect these rights and design their monitoring policies to ensure a reasonable balance between authorized individuals' expectations of privacy and the government's duty to protect sensitive information, to protect government assets (including computers and networks), and to ensure that the government conducts its activities efficiently and in conformity with law.
Government institutions may monitor how government assets and information are used, as long as individuals have no reasonable expectations of privacy regarding what is being monitored. For example, authorized individuals may have a reasonable expectation of privacy where their employer has notified them that electronic mail communications or personal documents will not be monitored. Should the employer decide to implement practices of monitoring electronic mail and electronic documents, individuals must be notified of the new monitoring practices before they are implemented. This will inform the individuals of their reasonable expectation of privacy.
To ensure that government monitoring practices conform with the Charter of Rights and Freedoms, government institutions must define their monitoring practices, so that authorized individuals can make informed decisions about whether or not they have a reasonable expectation of privacy and, consequently, about where to keep their personal information. To ensure that government statements about its monitoring practices do influence authorized individuals' reasonable expectations of privacy, institutions should ensure that they accurately define their monitoring practices and communicate this information effectively to authorized individuals.
If a government institution plans to monitor and analyze identifiable use of electronic networks, it should help authorized individuals understand the degree of privacy they may have by giving them the following information.
- The institution will record the identity of users and computers for all electronic transactions. This includes visits to World Wide Web sites, where the institution's firewalls, gateways or systems record the identity of the computer and the site visited (it is possible to identify which authorized employee used that computer). In addition, the Web site visited often records similar information. Further, when someone using a government network exchanges electronic mail with a person outside the institution's firewalls, gateways or systems, these record both the sender's and the recipient's electronic address. In addition, the actual electronic mail is stored on government file servers, even after the originator or recipient has "deleted" the electronic mail message. Further, once electronic mail is outside a government's firewalls, gateways or systems, it is not secure from interception or alteration, unless encrypted.
- Under the Access to Information Act and Privacy Act, the public and authorized individuals may have access to individuals' electronic records, subject to applicable exemptions under those Acts. These records include electronic mail that authorized individuals have sent or received that is stored on government computers, and records showing which World Wide Web sites the authorized individuals' computers have visited (which are kept on a departmental log).
- Institutions monitor electronic networks in a variety of ways. For instance, they may analyze statistics relating to the aggregate use of electronic networks, in such a way that they do not analyze individual use. However, if an institution detects a problem in the operation of the network, it will take steps to identify the source of the problem. Identifying the source of the problem could involve analyzing individual use of networks. It would not involve reading the content of authorized individuals' files or electronic mail, but it could involve inspecting the size and type of file(s) suspected of causing the problem, and testing files for viruses. Once managers have identified the source of the problem, they will take appropriate follow-up action, which may include speaking to the individual, to his or her manager, or to information technology security personnel, depending on the nature of the problem.
- Informatics personnel are permitted to upgrade software applications and verify hard disk configurations on the hard drives of computers located in the offices of authorized individuals. However, in compliance with the Government Security Policy, informatics personnel are not allowed to access the content of electronic mail or other files unless they need to know the information in those files to perform their assigned tasks.
- If monitoring or a complaint reveals evidence of suspected unacceptable activity that is not criminal, or that the institution has decided not to pursue as a criminal matter, then the institution should refer the matter to the appropriate institutional official for further investigation.
- To verify whether classified documents are properly secured, or to ensure compliance with this policy, specifically authorized personnel may read subject lines of electronic mail, file names on network file servers and lists of World Wide Web sites visited by employees and other authorized individuals. For the same reasons, they may also do key word searches to identify classified documents that are not properly secured, and read documents that they suspect are unsecured classified documents. In all of the above cases, such personnel must use an objective method to randomly select whose electronic mail and Web visits and network files they will monitor.
- Institutions that collect personal information about visitors to their World Wide Web sites should post a statement on their World Wide Web site setting out what information they collect and why, and informing visitors that they have a right to get access to that information under the Privacy Act.
To communicate the above information effectively, institutions can use a variety of methods. These include recurring messages on each individual's computer screen; on-line registration for computer privileges; security clearances and screening processes; signed statements by authorized individuals that they understand their obligations and that monitoring may take place; and placement of electronic versions of the monitoring policy on the institution's intranet or other locations where policies are made available to authorized individuals. In addition, institutions could provide a printed version of the policy to all authorized individuals, provide the information as part of all computer-related training, and include it with employee orientation and training materials.
Government institutions can undertake monitoring beyond their ordinary network performance monitoring activities even with respect to information in which the authorized individuals have a reasonable expectation of privacy, as long as the monitoring is reasonable. That is, (a) the monitoring must be authorized by law; (b) the law authorizing it must itself be reasonable; and (c) the search must be carried out in a reasonable manner. When institutions are in doubt as to whether a particular fact situation or monitoring practice interferes with a reasonable expectation of privacy, or whether a monitoring practice is reasonable, they should consult their legal services. If they suspect criminal activity, they will need a judicial warrant. This is why they must contact law enforcement agencies when the purpose of monitoring changes from routine monitoring to investigating criminal behaviour.
As well as complying with the requirements of the Charter of Rights and Freedoms, institutions must ensure that their monitoring practices comply with the National Archives of Canada Act, the Privacy Act and the Access to Information Act. These requirements include describing in InfoSource the kinds of records created by automated logs and audit trails and describing how they will use the information they collect through monitoring.
Institutions, if they decide to undertake the monitoring of electronic networks, should informally consult with the office of the Privacy Commissioner, through their institutional Privacy Coordinator, for review and comment.
In addition, institutions must retain collected personal information used for an administrative purpose for two years from the date of the last administrative use, unless the individual concerned consents to earlier disposal. This is a requirement under the Privacy Act. It is separate from and additional to the requirement in the National Archives of Canada Act that records not be destroyed without the consent of the National Archivist. An administrative use would occur when an institution uses information to make a decision that affects the individual. When an institution does not use automated logs and audit trails to make any decisions about identifiable individuals, the Privacy Act does not require it to retain such records; it may treat the records as transitory records for the purposes of the National Archives of Canada Act.