Rescinded [2019-06-28] - Security Organization and Administration Standard

This document establishes the operational standard for the organization and administration of security as required by the Security policy. The standard contains both requirements, indicated by use of the word "must" in sentences appearing in italics, and recommended safeguards, indicated by use of the word "should."

Departments are responsible for protecting sensitive information and assets under their control in accordance with the Security policy and its operational standards.

The contracting authority is responsible for ensuring that the Security policy is complied with and that contract documentation includes the necessary clauses.

It can be useful to the management of the departmental security function to view security as a sub-system within the overall administrative and management system.

Inputs to the security system include:

• Policy support from the deputy head.
• The services and support of related administrative functions.
• Information on both departmental needs and security threats.
• Support in carrying out individual security responsibilities from all employees.

Within the security system there are policies, procedures and practices to support the co-ordination of physical security, personnel security and information technology security.

Outputs of the security system include:

• Application of safeguards to information and assets throughout their life cycle.
• Education of staff on their security responsibilities.
• Evaluation of the continued relevance of safeguards.

The systems concept of security offers flexibility within a standard approach. Threat and risk assessments should identify security factors unique to specific departments and locations. These factors should then be reflected in the specific safeguards chosen. For example, if required, an asset may receive more than the minimum protection for its classification level or designation.

Another feature of the systems concept is that, should any part of a system become inoperative or suspect, another part can be substituted, a temporary alternative installed, or another part of the system upgraded, to maintain integrity.

For advice and assistance regarding this standard contact the organizations listed in Appendix A.

A thorough review of information holdings and assets, to identify material that requires either classification or designation, should precede the application of all security standards.

Departments must apply the information classification and designation system either by means of a corporate guide or by naming officials to do so or both.

This guide is the corporate policy about what information a department wishes its safeguards to cover. The guide shows:

• What types of information are considered sensitive.
• What types of information are not considered sensitive.
• How to mark information to show the minimum security standards to apply.

The guide should also identify officials to classify or designate information not governed by the guide. Departments should restrict the number of delegated authorities for this function and ensure that those exercising this authority have a demonstrable and continuing need to exercise it.

Information that is publicly available is not to be classified or designated.

To develop a classification and designation guide, departments should follow the following process:

• Systematically review information holdings against the criteria set out in the guidelines in Appendix A to the Security policy.
• Assign the proper classification level to information sensitive in the national interest.
• Assign the proper designation level to information sensitive in other than the national interest.
• Whenever possible, determine the duration of classification or designation by showing the date or event that triggers declassification or downgrading.
• On a periodic basis, review with the departmental access to information and privacy coordinator decisions made to exempt information as a result of requests under the Access to Information Act and the Privacy Act. This is to ensure that departmental classification criteria remain relevant and effective.

Most government information is adequately protected through good, basic information management and physical and materiel management procedures, without classification or designation. The Security policy requires departments to identify the relatively limited amount of government information that is sensitive and therefore merits additional protection. Identifying sensitive information relates directly to the exemption and exclusion criteria of the Access to Information Act and Privacy Act, which establish the legal authority for the information departments may refuse to the public.

Parliament has determined the information described in the exemption criteria to be important either to preserving the national interest or to protecting other interests for which the government assumes an obligation.

Cabinet confidences are excluded from the application of both Acts and qualify either for classification or designation.

In identifying information in need of additional safeguards, departments are not required to determine definitively whether specific items would actually be exempt under these Acts. A situation may change with circumstances and the passage of time. Rather, departments should be satisfied that various types of information could reasonably be expected to qualify for exemption. This judgment is to be based on a determination of potential injury and should be expressed in a departmental classification and designation guide.

The present security system is based on the notion that the government should not be using human and financial resources on additional safeguards for information unless it falls within the exemption or exclusion criteria of the Access to Information Act and the Privacy Act. The goal is to identify accurately the information the department has an obligation to protect, and then to determine the proper minimum safeguards.

Departments should examine carefully the guidelines in Appendix A to the Security policy, the specific provisions of the Access to Information Act and the Privacy Act, and the "Access to Information" and the "Privacy and Data Protection" volumes of the Treasury Board Manual to determine what information may qualify as classified or designated information and may therefore warrant safeguarding. Also, see Appendix C to this standard for additional guidance on classifying information affecting the national interest.

Some special types of designated information are described below.

(a) Information received in confidence from other governments and organizations

This refers to unclassified information obtained in confidence from other governments or international organizations of states, as described in Section 13 of the Access to Information Act and Section 19 of the Privacy Act, and Chapter 2-8 of the "Access to Information" volume and Chapter 2-9 of the "Privacy and Data Protection" volume, Treasury Board Manual. This information may be marked "PROTECTED - other government." It is to be marked as received in confidence, with an indication of the source, before distribution to other departments. See articles 8.5 and 12.9 of this chapter for further information on this subject.

(b) Information obtained or prepared by a federal investigative body

This refers to law enforcement information obtained or prepared by specific investigative bodies named in the regulations pursuant to the Access to Information Act and the Privacy Act. (See para. 16(1)(a), ATIA, and para. 22(1)(a), Privacy Act). This information pertains to detection, prevention or suppression of crime or the enforcement of a law of Canada or a province. The specific federal investigative body involved will assign the level of protection. Departments receiving this information should give it equivalent protection, after consultation with the investigative body.

(c) Personal information

Personal information, as defined in Section 3 of the Privacy Act, qualifies for a mandatory exemption under the Access to Information Act. The Privacy Act refers only to personal information and imposes legal controls on its collection, use, retention, disclosure and disposal.

Personal information is found throughout the holdings of most departments. The formal reference for identifying personal information holdings is Info Source. This document responds to the requirement in the Privacy Act that makes each department responsible for listing each bank and class of personal information under its control.

Personal information includes information about public servants such as pay data, appraisals and medical information. Care should be taken not to confuse this type of sensitive information with information described in paragraph 3(j) of the Privacy Act (for example, classification level and salary range of public servants). This paragraph places certain limitations on the definition of personal information.

(d) Business information

Paragraphs 20(1)(a) and (b) of the Access to Information Act establish exemptions for the following types of information:

• Trade secrets of a third party.
• Financial, commercial, scientific or technical information that is confidential information supplied to a department by a third party and treated by it consistently as confidential.
• Information that could reasonably be expected to result in financial loss or gain to, or to prejudice the competitive position of a third party.
• Information the disclosure of which might reasonably be expected to interfere with contractual or other negotiations of a third party.
• Businesses or other organizations provide much of this information. There is an expectation on the part of the third party, and an obligation on the part of government departments, to protect this type of information adequately. It should therefore be designated as other sensitive information and marked PROTECTED.
• In some instances, third parties will mark such information confidential, confidential business information, or given in confidence. Departments should treat this information as if it bears the marking PROTECTED, regardless of the marking put on it by the third party.

(e) Advice

Section 21 of the Access to Information Act sets out exemptions for certain classes of information relating to the internal decision-making processes of government the disclosure of which would interfere with departmental operations.

Determination of injury or harm within the advice exemption should be judged on the basis of the impact disclosure will have on the department's and the government's ability to carry on similar internal decision-making processes, and to consult and deliberate in a confidential manner and to give candid advice.

The scope of information covered by this exemption is strictly limited. There is considerable difference between advice, recommendation, consultation or deliberation about a major government initiative and the purchase of office equipment. The best guide to exercising the discretion needed is common sense and good judgment.

It is also essential to bear in mind that, even though there is no exemption for advice in the Privacy Act, it is extremely important to protect advice given in deciding about individuals.

When information is classified in the national interest, a further judgment is needed to determine the classification level. The level depends on the gravity of the detrimental effects that might reasonably be expected to occur from compromise. The levels of classification are as follows:

• Top secret: applies to the very limited amount of information that, if compromised, could reasonably be expected to cause exceptionally grave injury to the national interest.
• Secret: applies to information that, if compromised, could reasonably be expected to cause serious injury to the national interest.
• Confidential: applies when compromise could reasonably be expected to cause injury to the national interest.

Most classified information will be at the confidential level.

In light of the broad concept of national interest and certain assumptions that can be made about generic threats, these classification levels call for the application of minimum standard safeguards, as well as additional safeguards based on departmental threat and risk assessments. Minimum standards are also required as a result of international agreements and arrangements concerning shared classified information.

There are three levels of designation:

• Extremely sensitive: applies to the very limited amount of information that, if compromised, could reasonably be expected to cause extremely grave injury outside the national interest, for example, loss of life.
• Particularly sensitive: applies to information that, if compromised, could reasonable be expected to cause serious injury outside the national interest, for example, loss of reputation or competitive advantage.
• Low-sensitive: applies to information that, if compromised, could reasonably be expected to cause injury outside the national interest, for example, disclosure of an exact salary figure.

Minimum standard safeguards also apply to the different levels of designated information. These safeguards differ from those that apply to classified information, based on differences in generic threat assessments. Also, owing to its unique nature in each department, extremely sensitive, designated information warrants special safeguards based on case-by-case threat and risk assessment.

A number of examples of personal information that may qualify as particularly sensitive are provided below. The listing should be treated as illustrative or supportive but not conclusive.

• Information containing medical, psychiatric or psychological descriptions.
• Information compiled and identifiable as part of an investigation into a possible violation of law.
• Information on the eligibility for social benefits or the determination of benefit levels (this would not include cheques or other such payment documents).
• Information on a completed income tax return.
• Information describing an individual's finances, that is, income, assets, liabilities, net worth, bank balances, financial history or activities, or creditworthiness.
• Information containing personal recommendations or evaluations, character references or personnel evaluations.
• Information concerning an individual's racial or ethnic origin or religious or political beliefs and associations or lifestyle.

Particularly sensitive, personal information exists in both large quantities throughout government and in large concentrations within certain departments. The high risk of theft or loss of this type of information means departments should take special care to properly identify it and to apply appropriate safeguards.

For identifying particularly sensitive, personal information, the injury test is that the information's compromise could reasonably be presumed to cause an unwarranted invasion of privacy. Factors that should be taken into account in any invasion-of-privacy test include:

• Expectations of the individual.

Have certain conditions been placed on the collection of the personal information that would lead the individual to believe that special protective measures would be taken? Is the information of a nature such that the individual would expect the government to take very special protective measures without actually being informed that this would occur?

• Currency of the information.

Is the information very current and for that reason more sensitive, or has the passage of time possibly reduced that sensitivity so that disclosure under specific circumstances would lead to no measurable injury to the individual's privacy?

• Gravity of injury.

Can it be surmised that compromise of the information carries with it the chance of causing serious injury? Serious injury is to be interpreted as lasting harm or embarrassment that will have direct negative effects on an individual's career, reputation, financial position, safety, health or well-being.

There may be other factors unique to certain institutions that should be added to invasion-of-privacy considerations.

Personal information collected by departments requires protection throughout its life cycle. Examples of this type of information include interviews, reports, application forms, and questionnaires.

When a statistical study or survey involves processing personal information, the code that correlates data to an individual respondent must be destroyed as soon as possible, under a schedule approved by the National Archivist.

Contracts for the collection of personal information should include the following points:

• An undertaking to protect the information, to refrain from disclosure to any other person or organization and to use the information only for the purpose specified in the agreement.
• An undertaking to make the information available only to employees of the contractor who have undergone proper screening and have a need to know the information.
• That each employee to whom the information is made available shall sign a statement showing that he or she undertakes, as a condition of employment, to respect the sensitive nature of the information and to observe the requirements of the Privacy Act and any other conditions specified by the department governing the use of this information.
• That the department may terminate the contract if the contractor breaches confidentiality obligations.

See Chapter 2-5 for further information on contracting security.

Departments must apply safeguards on the basis of threat and risk assessments, as well as security standards. This is to ensure consideration of the specific security problems in any given situation.

The risk management approach described below falls within the framework provided in the government Risk Management policy. For more information on this policy, see Part III of the "Materiel, Services and Risk Management" volume of the Treasury Board Manual.

The threat to classified information and assets may be greater in some situations or locations. Therefore, along with implementing minimum standards, steps must be taken to ensure adequate security. A threat and risk assessment is required to determine if and what additional safeguards are needed; these are to be implemented if it is cost-effective to do so.

Use of the markings "CONFIDENTIAL", "SECRET", and "TOP SECRET" signals the application of minimum standards.

In the absence of cost-effective safeguard options, the movement of sensitive information and assets to another, more secure site should be considered.

Minimum standard physical and information technology safeguards are used to protect information and assets that have been designated as being of low sensitivity or value. These safeguards protect against such threats as human error, inattention to proper procedures and mischief. An assessment is needed to be sure that the threat and risk are in fact minimal.

Use of the marking PROTECTED signals the application of minimum standards. Departments may use additional markings after PROTECTED to specify the requirement for minimum standards. Some departments add the letter A for this purpose.

To counter additional threats that may apply, more stringent safeguards are recommended for the protection of designated information that is particularly sensitive.

Departments have the option of adding the letter B to the marking PROTECTED to signal the need for additional safeguards. It cannot, however, be assumed from this mark that the application of safeguards will be identical from one department to another. The varying nature of particularly sensitive designated information and related threats will dictate safeguards appropriate to each situation.

Therefore, an assessment of security risks should be made when sharing particularly sensitive information on a regular basis. The department that collected or created the information is responsible for identifying the safeguards to be applied by the receiving department. If warranted, a written agreement should be developed with the DSO of the receiving department and should apply to third-party recipients of the information as well.

Furthermore, a very few departments hold designated information that if compromised may cause extremely serious injury such as loss of life or significant financial loss. Such information and assets could well be threatened by highly motivated and skilled individuals or organizations and, therefore, additional safeguards may be in order.

Departments have the option of adding the letter C to the marking PROTECTED to signal the need for special, stringent safeguards. Again, it cannot be assumed that the application of safeguards from one department to the next will be the same. The originating or collecting department should identify necessary safeguards and these should be agreed upon in writing. The written agreement should extend to third-party sharing of the information.

Limited examples of minimum safeguards for designated and classified information are provided in the following charts.

More comprehensive guidance is available in operational and technical standards. Threat and risk assessments should be used to determine the need for more stringent safeguards.

More comprehensive guidance is available in operational and technical standards.
Threat and risk assessments should be used to determine the need for more stringent safeguards.

Departments must treat sensitive information received from other governments or from international organizations in accordance with the security markings on it or with agreements or understandings between the parties concerned.

"Other governments" include provincial, municipal or regional governments and those of other nations.

Risk management is a logical, analytical process to protect, and consequently minimize risks to, the government's property, interests and employees. The Risk Management policy requires departments to identify, analyze and assess risks, select risk-avoidance options, and design and implement cost-effective prevention and control measures. Departments are also required to design and implement contingency plans, as appropriate. For further information on this policy, see the "Materiel, Services and Risk Management" volume of the Treasury Board Manual.

In the security context, the risk management process offers the following options:

• Reduce risk, for example by improving security.
• Avoid risk, for example by changing operations.
• Remove or reduce safeguards that are not required.
• Contain risk by preparing business resumption plans.
• Accept risk on an informed basis, as appropriate.

The Security policy requires departments to complete threat and risk assessments (TRA) for sensitive information and assets as part of the risk management approach to security. The threat and risk assessment process is a part of risk management concerned with defining what requires protection, analyzing and assessing threats, analyzing and assessing risks, and making recommendations for the management of risk. Other aspects of risk management are management decision, implementation and effectiveness review.

The system to manage a security risk should be compatible with those for managing other risk in the same area, for example, fire.

It is the nature of threats that provides the main design criteria for security systems and equipment. Furthermore, security systems and equipment have useful life spans often dictated by the technological advances available to the potential adversary. A complete and current assessment of the threat to information and assets is therefore needed to determine the adequacy of existing or proposed safeguards.

Inappropriate safeguards may leave the information or asset to be protected vulnerable to identified threats or, conversely, it may be overprotected. It is the role of security officials to assess the chance of vulnerabilities being exploited by a threat (that is, the risk). They should then recommend ways of managing risks by means such as risk acceptance, moving the information or asset, eliminating the threat, increasing protection, upgrading detection and response mechanisms, and preparing contingency plans.

A threat and risk assessment should be completed for the entire department, as well as for specific facilities, areas, systems or functions. Depending on the structure of the department, the general departmental assessment should combine and analyze specific assessments. Additionally, the general assessment should address those threats that may affect the department as a whole, or pose a threat to its facilities, areas, systems or functions. This process will result in a comprehensive and complete assessment suitable for briefing the deputy head, as required.

Information on a general threat should be made available in a timely fashion to those responsible for specific assessments. An example of such a general threat is events that might occur as the result of planned changes in the legislation affecting the department's programs.

Specific assessments should be detailed enough to serve as the basis for recommendations to the responsible manager. Safety and emergency considerations must be taken into account in such assessments.

Threat and risk assessments should be reviewed on a regular basis and revised when there are circumstances that could result in a changed threat. Examples of changes in circumstance include the introduction of new policies or new technology, relocation, or reorganization.

The process that follows is not intended to limit a department's own security operation nor to restrict its access to sources of threat and risk information.

See article 2.3 of Chapter 2-3 for information on the threat and risk assessment process for information technology.

The development of a threat and risk assessment includes four broad steps:

• Preparation: determining what to protect and defining the scope of the assessment.
• Threat assessment: determining what to protect against.
• Risk assessment: determining if existing or proposed safeguards are appropriate.
• Recommendations: identifying what should be done to provide appropriate protection.

An outline of each of these steps is provided below.

Preparation

The first step is to identify the types of information and assets that may require safeguarding and the scope of the assessment.

A statement of the nature of the business carried out by the organization will assist in the identification of information or asset sensitivity, importance and value.

Threat assessment

Threats specific to classified information and assets should be examined to verify if conditions of minimum threat apply. Where minimum threat conditions apply, the next step is to assess the implementation of the minimum safeguards prescribed in the standards. Special conditions that could warrant additional or different safeguards apply where, for example, classified information and assets are targeted or located in a hostile environment.

Threats specific to designated information and assets, personnel, information systems or services should be described in detail. Use of the standard investigative questions who, what, when, where, why, and how is recommended. Departmental security records should be consulted for information on security infractions and violations. Also information regarding the experience at similar or neighbouring facilities or systems should be obtained.

Close attention should be paid to times or handling processes during which the information or asset is most vulnerable (for example, during periods between public access and restricted access hours or while in transit).

If possible, the specific threat assessment should include any threat information that pertains to the department as a whole and should be reviewed by a regional or departmental security official.

Advice on threats is available from several sources, including the following:

• CSIS, for assessments of espionage, sabotage or terrorism threats, as specified in Section 2 of the CSIS Act, to departmental information and assets.
• The RCMP, for threat information and advice on threat and risk assessments related to criminal matters, physical security, computer security and other relevant aspects of information technology security.
• CSE, for technical threat information relating to COMSEC and other relevant aspects of information technology security.

See Appendix A for the addresses of these organizations.

Departments with facilities abroad containing sensitive information and assets should maintain liaison with the Department of Foreign Affairs and International Trade through their security office. The managers responsible for health, safety and emergency preparedness should be consulted regarding threats that are also a security concern, such as fire.

Next, the likelihood and consequences of a threat occurring should be assessed.

Likelihood

The likelihood of the threat occurring should be evaluated in terms of "low", "medium" or "high." Low means there is no history and the threat is considered unlikely to occur. Medium means there is some history and an assessment that the threat may occur. High means there is a significant history and an assessment that the threat is quite likely to occur. The term "not applicable" may be used to indicate that a threat is considered not to be relevant to the situation under review.

There are various methods for assigning numerical values for estimated levels of threat. Often, however, these methods can easily become complicated and they may require interpretation to become meaningful. Therefore, the use of descriptive terms is recommended.

Consequences

Having considered the likelihood of a threat occurring, it can then be useful to state what consequences would result. This is a restatement of the assessment made when classifying and designating information and assets regarding the potential injury compromise might cause.

In the case of classified information and assets, the consequences of compromise are expressed in terms that relate to the classification level: serious injury, very serious injury or exceptionally grave injury.

For designated information and assets, personnel and services, consequences should be expressed in terms such as "loss of trust", "loss of privacy", "loss of asset", or "loss of service."

Risk assessment

The next step is to evaluate vulnerabilities that may permit a threat to cause harm. Assess existing and proposed safeguards as completely satisfactory; satisfactory in most aspects; or unsatisfactory.

Use of a departmental checklist of standard safeguards is recommended. If some aspects of the security system remain unassessed, this should be recorded.

Help in assessing safeguards may be obtained from the lead agencies. Ideally, before requesting help with this step, the threat assessment will have been completed. Where this has not been possible, assistance with the entire process should be requested.

Recommendations

The threat and risk assessment should result in a report to management. The report should provide recommendations in order of priority to reduce or eliminate security risks. It should also indicate resource implications, including finances, personnel, equipment and time.

A useful threat and risk assessment is one that provides the manager with an appreciation of the security status of the area or system concerned. The TRA should enable the manager to make an informed decision on safeguards to be applied or removed.

To illustrate the use of the threat and risk assessment terminology, an example of an outline is provided on the following page.

Sample Threat and Risk Assessment Summary

Facility: District Office. Business: Administration of benefit program. Clients are interviewed in an operations zone.

Information/Assets: Particularly sensitive, personal information on both paper and electronic files.

Location of Assets: Approved containers within a security zone. Office is in downtown area; a move is planned.Threats:

RISK: Generally low risk since existing security measures are satisfactory. Exceptions:

• Medium risk of loss due to computer failure in view of unsatisfactory computer backup procedures.
• Medium risk of loss during planned move due to lack of procedures for secure transfer of files to new location.

Recommendations:

• Develop and implement computer backup procedures.
• Develop and implement procedures for security of paper files during the planned move.

Note: Greater detail on the nature of threats and on security measures should be available in supporting documentation

Information must be classified or designated only for the time it requires protection, after which it is to be declassified or downgraded.

This requirement recognizes that classified or designated information will lose its sensitivity with the passage of time or the occurrence of specific events. When releasing such information is unlikely to pose injury to the particular interest involved, as described in the appropriate provisions of the Access to Information Act and the Privacy Act, it must be declassified. This process contributes to the overall integrity of the security system, and ensures that information is made available quickly and informally to interested members of the public.

The departmental classification and designation guide should confer authority to declassify or downgrade information.

Departments should provide, whenever possible, for automatic declassification or downgrading of information by selecting a specific date or event for its declassification or downgrading at the time the information is created or collected.

Along with date or event-specific triggers for declassification, an automatic expiry date of 10 years should apply to secret, confidential and low-sensitive designated information. However, an automatic expiry date would not apply to information classified as top secret nor to information designated as particularly sensitive (e.g., medical records) or extremely sensitive (e.g., witness protection information).

The risks associated with the use of an automatic expiry date are acceptable because removing material from the classification scheme is not synonymous with making it publicly available. The normal access application review process would still apply.

The requirement to declassify or downgrade sensitive information applies also to that provided from one department to another. Where possible, before declassifying or downgrading any information orginating from another department, the originator must be consulted. The originator can be represented by the office of origin.

Information may be transferred to the department or government that originated it for declassification or downgrading. In most circumstances, however, it will be more practical, especially with a large volume of information simply to consult the other department or government about whether it is appropriate to declassify or downgrade the information.

When it is not possible to consult with the originator, departments should develop alternative procedures and include these in their classification and designation guides. This will be necessary, for example, when the originating department has been disbanded or reorganized in such a way as to make it impossible to consult effectively or efficiently with the originator.

A decision to declassify a document from another department should not be taken lightly. Where consultation with the originator is impractical or not possible, and there is doubt regarding the continued need for protection, procedures should require consultation with the appropriate officials. For example, the Access to Information Co-ordinator will be able to advise on whether exemptions or exclusions may still apply.

Requests under the Acts for records that have been classified or designated should involve careful review of the information by the departmental access and privacy coordinator in conjunction with the appropriate areas. The review should determine whether any exemptions should be invoked and whether there is a need for interdepartmental consultation.

A decision to deny access to a record, or any part of it, must be based solely on the exemption provisions of the Acts as they apply at the time of the request. A decision to deny access must not be based on security classification or designation, however recently it may have been assigned.

The principle of severability applies to information requested under both Acts. It may happen that classified or designated information is severed from a document as a result of review when responding to an access request. The original document, of which a severed copy has been released, remains classified or designated. When no severance occurs and a whole document is released, it must be declassified before its release and marked accordingly.

Personal information disclosed under the Privacy Act is to be reviewedCsuch information may keep its designation as sensitive information within the information holdings of the department.

In light of decisions made as a result of requests made under the Acts, a periodic review should be made of the departmental information classification guide.

Where sensitive information moves with a transfer of functions, the receiving department is deemed to be the originating department.

Departments are expected to transfer to the control of National Archives of Canada sensitive information for which the retention period has expired and which the National Archivist has identified as having enduring historical or archival value.

Departments must develop with the National Archives of Canada agreements to declassify or downgrade sensitive information transferred to the control of the Archives. These agreements are to take into account guidance provided by the originating departments, that will indicate where consultation between the Archives and the department is necessary.

The above does not apply to dormant records stored in the records centres of the National Archives. Control of such records remains with the department storing the information.

In situations where a department ceases to exist and its functions are not transferred to a successor department, records of the defunct organization must be transferred to the National Archives of Canada for eventual declassification or downgrading.

For information that originated with a defunct department, each department in control of copies of such information is deemed to be the originating department. Such information may be declassified or downgraded by the department that controls it, after consultation with any other department that has an interest in the information.

Departments should encourage users or originators of sensitive information to review its sensitivity on a continuing basis. Where appropriate, the information is to be declassified or downgraded and marked accordingly.

Classified information received from provincial, municipal or regional governments, from governments of other nations, or from international organizations must be declassified or downgraded under agreements or understandings with such governments or organizations. For example, the convention governing classified information of the British government received by the Government of Canada is that such information is not considered for declassification until 30 years after its creation.

When consulting on declassification or downgrading with a foreign government or international organization, government departments should normally coordinate such consultations through the Security Services Division, Department of Foreign Affairs and International Trade. Direct consultation should take place only when an established and acceptable system of liaison and consultation exists. The Department of Foreign Affairs and International Trade should be kept informed of these consultations.

The Communications Security Establishment is responsible for establishing, in consultation with affected departments, procedures for systematically reviewing classified cryptographic information for declassification or downgrading. Departments must consult CSE before downgrading or releasing to the public COMSEC information or materiel that CSE has produced, issued or released. This includes information or materiel from before 1975 when CSE was the Communications Branch of the National Research Council (CBNRC).

The Canadian Security Intelligence Service is responsible for establishing, in consultation with affected departments, special guidelines, procedures and practices for systematically reviewing for declassification or downgrading classified information about intelligence activities, as defined in the Canadian Security Intelligence Service Act, as well as information about intelligence sources or methods. Where appropriate, the Communications Security Establishment, the Department of National Defence, Privy Council Office and the Department of Foreign Affairs and International Trade are responsible for establishing such guidelines, procedures and practices for classified information that they have originated or have under their control.

Confidences of the Queen's Privy Council for Canada that are classified and records that are administered under the Cabinet Papers System remain classified if they have been in existence for less than 20 years. Only in very rare instances will such records be declassified or downgraded before they have been in existence for 20 years. After 20 years, these records can be declassified or downgraded pursuant to this section of the security standards.

Changes to a security marking should be made in ink, dated and initialed by the authority responsible for the change. Where there is documented authority for a change in security marking, this should be noted on the record. This applies particularly to records originating with other governments, other departments or international organizations.

For information stored in non-textual forms (such as computer data), revisions to security markings should be adapted to the particular application. Usually this will involve marking the container holding the information. Wherever technically possible, however, departments should mark the information itself in a non-erasable format.

Ensuring compliance with safeguards should be part of normal administrative and supervisory duties, complemented by periodic or regular inspections of sites or systems where sensitive information and assets are processed or stored. Inspections might also be carried out as part of controlling access at transition points. Characteristically, security inspections are routine and random in nature; they are not directed at specific employees, on the other hand, security investigations are related to specific events and therefore may focus on certain employees. Examples of inspection activities include checking office areas during limited-access hours, keystroke monitoring of information systems, auditing of user access to systems and the use of closed-circuit television. Security breaches and violations should be investigated as a basis for remedial action and for reporting to the appropriate authorities, as required.

Inspections should be conducted by personnel or security guards (where employed) at the end of normal working hours and by persons assigned to the organizational unit workplaces at the beginning and end of work periods.

Suspected violations or breaches of security should be reported without delay and remedial action should be taken to avoid having a continuation of the problem.

The Canadian Charter of Rights and Freedoms guarantees that government employees have a right to a reasonable expectation of personal privacy; and this right extends to the workplace. They also have protection under the Privacy Act. A security inspection or investigation in the workplace , including any search or seizure, must respect this right and be balanced with the department's need for supervision, control and efficient operation of the workplace. If a proper balance is not struck, and a search or seizure is found to be unreasonable, any evidence obtained may not be admissible in court. Moreover, the department may be liable for any damages, civil or criminal, that result.

What is "reasonable" will depend on the circumstances in each case, and may vary from department to department, depending inter alia on specific responsibilities and activities, the nature of the work site and the purpose of the inspection or investigation. If challenged, the onus will be on the department to show that a particular search or seizure was reasonable. A departmental security policy that clearly sets out the conditions under which searches or seizures will be carried out, would be important evidence in such a case.

Departments conducting security inspections and investigations must have policies that establish the conditions under which these will be carried out. Security inspection policies and procedures must be clear, unequivocal and comprehensive; reasonable in the circumstances; and brought to the attention of employees before being implemented. They must also conform with the collective bargaining regime or any collective agreement in force.

Informing employees of inspection and investigation policies and procedures before they are implemented means giving reasonable notice to existing employees and advice on application or commencement for new employees. Where appropriate, the consent of the affected individuals should be obtained.

There is a need for prudence where inspections begin to merge with criminal investigations. That is, inspections are to be confined to the conditions set out in departmental policies; they are not to be deliberately used to by-pass the procedural requirements of the criminal law. In particular, inspections should not be used as a pretext for carrying out a search for or to gather evidence of criminal wrong-doing without reasonable grounds.

Policies should require that security breaches and violations be reported promptly and procedures should explain how and to whom such reports should be made.

Employees should also be informed of the reasons for inspection and investigation policies and procedures and their cooperation in implementing them should be encouraged.

Departmental inspection and investigation policies should be reviewed by departmental legal services before implementation.

Departments must establish policies and procedures for dealing with breaches of security. These policies and procedures should cover the following points:

• The immediate reporting to the deputy head of possible breaches of security.
• The immediate reporting to CSIS of probable breaches of security involving classified information or assets.
• Reporting to the appropriate law enforcement authority breaches suspected of constituting criminal offences.
• Where applicable, informing the department that originated the information or other assets involved that a breach of security has occurred.
• Informing other departments that have information or assets involved in a breach of security of the circumstances and findings that affect them.
• Assessing injury as soon as possible whenever it is probable that a breach of security has occurred and reporting this to the deputy head.

Clearly minor incidents need not be reported to CSIS; the potential injury to the national interest should be taken into account in such cases. Reports should be made through the DSO. To report probable breaches to CSIS, use the address and telephone number listed in Appendix A.

Suspected cases of theft, fraud, defalcation or any other offence or illegal act that involves employees and that do not require an immediate response by a police agency may be referred to departmental legal services for an opinion on the seriousness of the incident before taking further action. Otherwise, government policy requires that all losses of money and suspected cases of fraud, defalcation or any other offence or illegal act against the Crown must be reported to law-enforcement authorities. For further information, see Chapter 8 of the "Financial Management" volume of the Treasury Board Manual.

All search requirements connected with an investigation into a suspected or potential criminal offence must be reviewed by a departmental security officer in consultation with departmental legal services and local police. A warrant is to be obtained where and when legally required.

Occasionally, circumstances surrounding a search might expose sensitive information to investigators and other persons who are not authorized to have access to sensitive information. In these cases, the departmental security officer, in consultation with the manager, should review the sensitivity of the information and take action consistent with the requirements of the investigation and the intent of the Security policy.

The above circumstances involve difficulties that might require special screening status, legal consultation and executive authority to resolve.

In all instances where sensitive information might fall under public scrutiny as a result of judicial action, the departmental security officer must consult with departmental legal services.

Departmental personnel who might be required to testify or give evidence in a legal proceeding connected with a criminal offence should document such matters to support any testimony required from them.

It is often necessary for departments, police and other agencies to cooperate to achieve a thorough inquiry. Where appropriate, protocols should be established to regulate these cooperative requirements and departments should incorporate them into their policies and procedures. However, such protocols, policies and procedures are not to be used as substitutes for or means of bypassing warrant or other constitutional requirements.

Periodic tests of security procedures, plans and equipment should be undertaken, but only with due regard to the possible negative consequences of inappropriate responses. Such tests might include entering an alarmed controlled area or security zone to test an electronic detection device.

Supervisory personnel should be advised of planned tests and evaluations that will affect security measures.

Developmental exercises designed and employed to assess security capabilities and the levels of knowledge and awareness of employees should be considered when incidents suggest that weaknesses exist, or to strengthen the effectiveness of the security program.