Treasury Board of Canada Secretariat - Government of Canada

Policy on the Use of Electronic Networks



Effective date

The effective date of the policy is February 12, 1998.

Preface

The Treasury Board encourages authorized individuals to use electronic networks to conduct the business of government, to communicate with other authorized individuals and with the public, to gather information relevant to their duties, and to develop expertise in using such networks. Because electronic networks permit individuals who use them to inadvertently or deliberately damage a positive work environment, to disclose classified or designated information in an unauthorized fashion, or to engage in unlawful activities, the Treasury Board is instituting this policy to help authorized individuals get the most benefit from electronic networks and to provide guidance regarding unacceptable conduct on such networks. This policy also gives guidance to institutions on privacy issues relating to monitoring employee use of electronic networks, and especially on the importance of institutions understanding and respecting the privacy rights of their employees when contemplating any of the monitoring practices discussed in this policy.

Definitions

Access means gaining entry to an electronic network that the federal government has provided to authorized individuals. Access to such networks may be from inside or outside government premises. Access may support telework and remote access situations or where authorized individuals are using electronic networks provided by the federal government on their own time for personal use.

Authorized individuals include employees of the federal government as well as contractors and other persons who have been authorized by the deputy head to access electronic networks.

Electronic networks are groups of computers and computer systems that can communicate with each other. Without restricting the generality of the foregoing, these networks include the Internet, networks internal to an institution and public and private networks external to an institution.

Monitoring of electronic networks means any action that involves the recording and subsequent analysis of activity on, or use of, a system or electronic network. Examples include recording user accounts, user activities, sites visited, information downloaded and computer resources used to perform a routine analysis of traffic flow on networks, use patterns and sites that certain work groups or individuals have visited. The information recorded and subjected to analysis does not normally involve the contents of individual electronic mail, files and transmissions.

Unacceptable activity is any activity that violates institutional or Treasury Board policy (for examples of Treasury Board policy, see Appendix B), or that violates the limitations on personal use set out in Appendix C to this policy.

Unlawful activity includes criminal offences, contraventions of non-criminal regulatory federal and provincial statutes, and actions that make an authorized individual or an institution liable to a civil lawsuit. For examples, refer to Appendix A.

Policy objective

To ensure that anyone authorized to access electronic networks by a federal government institution uses those electronic networks appropriately.

Policy statement

It is Treasury Board policy that authorized individuals use electronic networks to conduct the business of government, to communicate with public service employees and with the public, to gather information relevant to their duties, and to develop expertise in using such networks. Deputy heads have an obligation to promote the use of electronic networks in a working environment where unacceptable or unlawful activity is not permitted. They also have an obligation to deal quickly, fairly and decisively with any violations of policy or law.

Application

Pursuant to the authority of the Treasury Board under s. 7 of the Financial Administration Act, this policy applies to all institutions and other portions of the Public Service listed in Schedule 1, Parts I and II of the Public Service Staff Relations Act, to the Canadian Forces and to the Royal Canadian Mounted Police.

Policy requirements

Deputy heads have a responsibility to put in place policies and practices that promote the appropriate use of electronic networks. Those policies must be consistent with the operational needs of the workplace, the Privacy Act, the Access to Information Act and the Charter of Rights and Freedoms (especially reasonable privacy and freedom of expression interests).

When an institution authorizes individuals to access electronic networks for approved uses, it must develop and implement policies and procedures for the appropriate use of such networks that include the following:

Authorized uses of electronic networks

  • A statement indicating the authorized uses of electronic networks - which may include the conduct of government business, professional activities, career development or personal use.

Unlawful and unacceptable conduct

  • A statement indicating that unlawful activity is not permitted and providing information about the kinds of activities that are unlawful on electronic networks (see Appendix A for a non-exhaustive list).
  • A statement indicating the kinds of activity that are legal but nonetheless unacceptable and not permitted on electronic networks (see Appendices B and C for a non-exhaustive list).

Employee responsibilities

  • A statement identifying the responsibilities of authorized individuals when they are using electronic networks (see Appendix D for a non-exhaustive list).

Management responsibilities

  • A statement designating an institutional official to investigate reports of unlawful or unacceptable use by authorized individuals.
  • A statement indicating which groups of employees are authorized to analyze logs that show the use of electronic networks by individuals; which groups of employees, if any, are authorized to analyze the content of authorized individuals' files or electronic mail; and to whom such authorized employees may disclose information about identifiable individuals and for what purposes.
  • A statement telling authorized individuals where they can obtain information on the interpretation of unlawful and unacceptable uses.
  • A statement telling authorized individuals where they can obtain training or information on using electronic networks.
  • A statement notifying authorized individuals of policies and procedures related to the use of electronic networks.

Disciplinary measures

  • A statement indicating that the institution will report suspected illegal activity to law-enforcement authorities, unless legal advisors consider the matter too minor. It should also indicate that the institution may take disciplinary measures, even where a formal criminal charge or civil lawsuit is not pursued.
  • A statement indicating the range of disciplinary measures that the institution may use in instances of unlawful or unacceptable use, depending on the seriousness and circumstances of the incident. These may include an oral reprimand, written reprimand, limiting electronic network access, suspension or termination of employment.

Monitoring of electronic networks

Electronic networks may be monitored for operational reasons to determine whether the networks are operating efficiently; to isolate and resolve problems; and to assess compliance with the policy. In addition, institutions can conduct periodic and random checks of the network for specific operational purposes. In any case, the resulting information may be analyzed.

Normal routine analysis does not involve reading the content of electronic mail or files. However, if, due to routine analysis or a complaint, the institution reasonably suspects that an authorized individual is misusing the network, it must refer the matter to the appropriate institutional official for further investigation and action that may involve special monitoring and/or reading the contents of individual electronic mail and files. Whenever employees are obliged to read the contents of electronic communications, they must keep the information confidential and use it only for authorized purposes. This investigation must be conducted in accordance with the Charter of Rights and Freedoms, the Privacy Act, and the Criminal Code.

Institutions must take privacy concerns into account when designing their monitoring initiatives and inform authorized individuals of their monitoring practices, prior to implementation, by communicating, at a minimum, the following information:

  • a statement explaining the regular monitoring practices of electronic networks - for example, operational analysis of logs indicating the Internet sites authorized individuals have visited, or key-word searches of files on network servers or on computer storage devices of authorized individuals' computers;
  • a statement that electronic networks will be monitored only for work-related purposes - for example, to assess system or network performance, protect government resources or ensure compliance with government policies;
  • a statement that special monitoring may be permitted without notice in instances where it is reasonable to suspect unlawful or unacceptable activity.

For guidance on the legal issues related to privacy, refer to Appendix E.

Monitoring

Institutions must conduct internal audits of their compliance with the policy and the effectiveness of its implementation.

The Secretariat will assess the effectiveness and application of the policy through institutional internal audits.

References

Relevant legislation

The Financial Administration Act; the Access to Information Act; the Privacy Act; the Charter of Rights and Freedoms; the National Archives of Canada Act; the Official Secrets Act; the Criminal Code; the Export and Imports Act; the Crown Liability and Proceedings Act; the Copyright Act; the Trade-Marks Act; the Patents Act; the Canadian Human Rights Act.

Treasury Board policy and publications

The Conflict of Interest and Post-Employment Code for the Public Service; the Harassment in the Workplace Policy; the Government Security Policy; the Government Communications Policy; the Government of Canada Internet Guide; the Management of Government Information Holdings Policy; the Access to Information Policy; the Privacy and Data Protection Policy; the Telework Policy; the Policy on Losses of Money and Offences and Other Illegal Acts against the Crown.

Enquiries

Please direct enquiries about this policy to the responsible officers in institutional headquarters who, in turn, may seek interpretation from the following:

Chief Information Officer Branch
Treasury Board of Canada, Secretariat
Facsimile: (613) 957-8020


Appendix A - Unlawful activity (non-exhaustive list of examples)

The term "unlawful activity" can have a number of meanings. For the purposes of this policy, "unlawful activity" is interpreted broadly to include actions that could result in sanctions of different kinds in a court of law.

Some activity gives rise to criminal offences, but unlawful activity includes more than just what is criminal. It also includes activity that violates non-criminal, regulatory statutes (only a small proportion of statutes provides for criminal offences). Some regulatory statutes state that anyone who violates their provisions has committed an offence, but other statutes do not create specific offences. However, whether or not an offence is set out in a specific regulatory statute, it is still unlawful to fail to observe statutory requirements.

Further, s. 126 of the Criminal Code states that anyone who wilfully violates an Act of Parliament for which no offence is specified has committed an offence. Provincial laws have similar provisions.

Finally, some activities are neither criminal nor violations of specific regulatory statutes, but they can result in lawsuits brought by persons who are harmed by those acts. In such cases, the courts can find that a defendant is in breach of the laws applicable in a province and can penalize the person with an enforceable monetary award of damages to be paid to the plaintiff. These are known as civil actions. Where there is civil liability of an employee, and when the employee's activity falls within the scope of his or her duties, the employer can also be liable for monetary damages.

Reporting requirements

Note that government institutions are required to report suspected illegal activity to the appropriate law enforcement agency (unless their legal advisor advises that the matter is too minor), under the following policies and guidelines:

  • Chapter 2-1, article 16.5 of the Government Security Policy (article 16.4 states that security breaches must be reported to the deputy head of the institution);
  • Chapter 4-7 of the Policy on Losses of Money and Offences and Other Illegal Acts against the Crown.

Also, under paragraph 80(e) of the Financial Administration Act, a person is guilty of an offence if he or she

  • collects, manages or disburses public money; and
  • knows or suspects that any other person has committed fraud against Her Majesty or has contravened the Financial Administration Act, its regulations, or any revenue law of Canada; and
  • fails to report, in writing, that knowledge or suspicion to a superior officer.

Criminal offences

The following are examples of criminal activity that could take place on electronic networks:

Child pornography: possessing, downloading or distributing any child pornography (see s. 163.1 of the Criminal Code).

Copyright: infringing on another person's copyright without lawful excuse - the Copyright Act provides for criminal prosecutions and civil actions in such cases (see also "copyright" under violations of federal and provincial statutes).

Defamation: causing a statement to be read by others that is likely to injure the reputation of any person by exposing that person to hatred, contempt or ridicule, or that is designed to insult the person (see ss. 296-317 of the Criminal Code). There are a number of defences for this offence. For instance, the maker of the statement may believe, on reasonable grounds, that the statement is true and that the statement is relevant to a subject of public interest whose public discussion benefits the public.

Hacking and other crimes related to computer security

  • Gaining unauthorized access to a computer system: using someone else's password or encryption keys to engage in fraud or obtaining money, goods or services through false representations made on a computer system. See the following Criminal Code provisions: s. 122 (breach of trust by public officer); s. 380 (fraud); s. 361 (false pretences); s. 403 (fraudulent personation); s. 342.1 (unauthorized use of computer systems and obtaining computer services).
  • Trying to defeat the security features of the electronic networks. See the following Criminal Code provisions: s. 342.1 (unauthorized use of computer systems and obtaining computer services); s. 342.1(d) (using, possessing or trafficking in stolen computer passwords or stolen credit card information); s. 342.2 (making, possessing or distributing computer programs that are designed to assist in obtaining unlawful access to computer systems); ss. 429 and 430 (mischief in relation to data).
  • Spreading viruses with intent to cause harm. See the following Criminal Code provisions: ss. 429 and 430 (mischief in relation to data); s. 342.1 (unauthorized use of computer systems and obtaining computer services).
  • Destroying, altering or encrypting data without authorization and with the intent of making it inaccessible to others with a lawful need to access it. See the following Criminal Code provisions: ss. 429 and 430 (mischief in relation to data); s. 342.1 (unauthorized use of computer systems and obtaining computer services); ss. 129 and 139(2) (destroying or falsifying evidence to obstruct a criminal investigation).
  • Interfering with others' lawful use of data and computers. See the following Criminal Code provisions: ss. 429 and 430 (mischief in relation to data); s. 326 (theft of telecommunication services); s. 322 (theft of computer equipment); s. 342.1 (unauthorized use of computer systems and obtaining computer services).

Harassment: sending electronic messages, without lawful authority, that cause people to fear for their safety or the safety of anyone known to them (see s. 264 of the Criminal Code). Section 264.1 of the Criminal Code makes it an offence to send threats to cause serious bodily harm, damage personal property or injure a person's animal.

Hate propaganda: disseminating messages that promote hatred or incite violence against identifiable groups in statements outside of private conversations (see s. 319 of the Criminal Code).

Interception of private communications or electronic mail (in transit): unlawfully intercepting someone's private communications or unlawfully intercepting someone's electronic mail (see s. 184 and s. 342.1 of the Criminal Code, respectively).

Obscenity: distributing, publishing or possessing for the purpose of distributing or publicly displaying any obscene material (e.g. material showing explicit sex where there is undue exploitation of sex, where violence or children are present, or where the sex is degrading or dehumanizing and there is a substantial risk that the material could lead others to engage in anti-social acts). See s. 163 of the Criminal Code.

Various other offences: the Criminal Code (and a few other statutes) provide for a range of other offences that can take place in whole or in part using electronic networks. For example, fraud, extortion, blackmail, bribery, illegal gambling, and dealing in illegal drugs can all occur, at least in part, over electronic networks and are criminal acts.

Violations of federal and provincial statutes

The following are examples of unlawful (though not criminal) activity that can take place on electronic networks.

Copyright and intellectual property: violating another person's copyright (the Copyright Act provides for criminal prosecutions and civil actions in such cases). Unauthorized use of trade-marks and patents can also occur on electronic networks and these acts are proscribed in the Trade-marks Act.

Defamation: spreading false allegations or rumours that would harm a person's reputation. In addition to criminal libel, defamation is contrary to provincial statutes dealing with this subject.

Destroying or altering data without authorization: unlawfully destroying, altering or falsifying electronic records. See the following provisions: s. 5 of the National Archives of Canada Act; ss. 6 and 12 of the Privacy Act; s. 4 of the Access to Information Act; s. 5 of the Official Secrets Act.

Disclosing sensitive information without authorization

  • Disclosing personal information: failing to respect the privacy and dignity of every person. The obligation to respect a person's privacy is expressed in a number of statutory provisions, such as ss. 4, 5, 7 and 8 of the Privacy Act and s. 19(1) of the Access to Information Act. Many federal statutes have non-disclosure provisions, often designed to protect the privacy of citizens who provide information to the government (see list of provisions in Schedule II of the Access to Information Act). In addition, Quebec has a number of privacy provisions in its Civil Code (see articles 3, 35-41) and in its Human Rights Charter (see articles 4, 5 and 49). British Columbia, Saskatchewan, Manitoba and Newfoundland also have statutes that provide for civil actions where there is an undue invasion of privacy.
  • Disclosing business trade secrets: revealing, without authorization or in response to a formal request under the Access to Information Act, business trade secrets or confidential commercial information supplied in confidence by a third party and consistently treated as confidential by the third party. See s. 20(1)(a) and (b) of the Access to Information Act.
  • Disclosing sensitive government information: revealing sensitive government information without authorization. See ss. 3 and 4 of the Official Secrets Act. As well, when responding to formal requests under the Access to Information Act, institutions must not disclose information obtained in confidence from other governments (see s. 13 of the Access to Information Act; the other exemptions in the Act relating to government information are discretionary).

Note that employees and other authorized individuals and the government are immune from legal actions with respect to disclosures made in good faith under either the Privacy Act or Access to Information Act.

Harassment: It is a discriminatory practice "(a) in the provision of ...services... available to the general public...or (c) in matters related to employment to harass an individual on a prohibited ground of discrimination". The prohibited grounds are race, national or ethnic origin, colour, religion, age, sexual orientation, marital status, family status, disability and conviction for which a pardon has been granted. Thus, in some circumstances, displaying unwelcome sexist, pornographic, racist or homophobic images or text on a screen at work can be unlawful harassment. See s. 14 of the Canadian Human Rights Act.

Privacy infractions: reading someone else's electronic mail or other personal information without authorization, listening in on someone's private conversations or intercepting electronic mail while it is in transit, for example.

When an employee or other person has a reasonable expectation of privacy in his or her electronic mail or other personal documents, an institution may be guilty of an unreasonable search or seizure under s. 8 of the Charter of Rights and Freedoms if it infringes on that reasonable expectation without a lawful authority. This is true whether the institution is acting as employer or otherwise.

The institution may also be deemed to have collected or used data unlawfully, contrary to ss. 4, 5, 7 and 8 of the Privacy Act. The government may be liable for damages when private communications are intercepted unlawfully (see ss. 16-20 of the Crown Liability and Proceedings Act concerning electronic surveillance activities carried out by Crown servants in the course of their employment; s. 20 specifically provides that the Crown servant will be accountable to the Crown for the amount of the damages awarded by a court). The government may also be liable for damages when an unlawful disclosure of personal information occurs contrary to provisions in various statutes (see the list of such provisions in Schedule II of the Access to Information Act). For more information on these issues, refer to Appendix E and the discussion of reasonable expectations of privacy.

Use of public money without proper authority: See the following provisions of the Financial Administration Act: s. 33 (making a requisition without authority); s. 34 (certifying receipt of goods or services without authority); s. 78 (liability for losses caused by malfeasance or negligence); and s. 80 (taking bribes or participating in corrupt practices).

Activity that can expose authorized individuals or the employer to civil liability

Various kinds of conduct can expose a person or an employer to civil liability. The employer's liability will be triggered when a Public Service employee performs the unlawful activity in the course of his or her employment. The Public Service employee remains personally liable for these actions, even when the federal government is also liable. (The government's policy on indemnifying authorized individuals - Policy on the Indemnification of Servants of the Crown - is relevant to such actions.) The following are examples of civil wrongs that can take place on electronic networks.

Disclosure or collection of sensitive data: revealing or obtaining such information without authorization. In addition to the statutory provisions mentioned above, an unauthorized disclosure or collection of personal information can result, in some circumstances, in a civil action for invasion of privacy, nuisance or trespass under common law, and similar actions under the Civil Code of Quebec (articles 3, 15-41); for breach of contract and for breach of trust or breach of confidence (e.g., if confidential commercial information is disclosed).

Defamation: spreading false allegations or rumours that would harm a person's reputation. In addition to criminal libel, publishing defamatory statements without a lawful defence can result in a civil action.

Inaccurate information: posting inaccurate information, whether negligently or intentionally. This can lead to civil lawsuits for negligent misrepresentation if it can be shown that (a) the posting caused harm and resulted in damages to the person who (b) reasonably relied on the information, that (c) the person or institution that made the posting owed a duty of care to the person who was harmed by inaccurate information; and (d) the inaccuracy was due to negligence (conduct that falls below what is reasonable in the circumstances).
