The effective date of the policy is February 12, 1998.
The Treasury Board encourages authorized individuals to use electronic
networks to conduct the business of government, to communicate with other
authorized individuals and with the public, to gather information relevant to
their duties, and to develop expertise in using such networks. Because
electronic networks permit individuals who use them to inadvertently or
deliberately damage a positive work environment, to disclose classified or
designated information in an unauthorized fashion, or to use them for unlawful activities,
the Treasury Board is instituting this policy to help authorized individuals get
the most benefit from electronic networks and to provide guidance regarding
unacceptable conduct on such networks. This policy also gives guidance to
institutions on privacy issues relating to monitoring employee use of electronic
networks, and especially the importance of institutions understanding and
respecting the privacy rights of their employees when contemplating any of the
monitoring practices discussed in this policy.
Access means gaining entry to an electronic network that the
federal government has provided to authorized individuals. Access to such
networks may be from inside or outside government premises. Access may support
telework and remote access situations, or situations where authorized individuals are using
electronic networks provided by the federal government on their own time for
personal use.
Authorized individuals include employees of the federal
government as well as contractors and other persons who have been authorized by
the deputy head to access electronic networks.
Electronic networks are groups of computers and computer
systems that can communicate with each other. Without restricting the generality
of the foregoing, these networks include the Internet, networks internal to an
institution and public and private networks external to an institution.
Monitoring of electronic networks means any action that
involves the recording and subsequent analysis of activity on, or use of, a
system or electronic network. Examples include recording user accounts, user
activities, sites visited, information downloaded and computer resources used to
perform a routine analysis of traffic flow on networks, use patterns and sites
that certain work groups or individuals have visited. The information recorded
and subjected to analysis does not normally involve the contents of individual
electronic mail, files and transmissions.
Unacceptable activity is any activity that violates
institutional or Treasury Board policy (for examples of Treasury Board policy,
see Appendix B), or that violates the limitations on personal use set out in
Appendix C to this policy.
Unlawful activity includes criminal offences, contraventions
of non-criminal regulatory federal and provincial statutes, and actions that
make an authorized individual or an institution liable to a civil lawsuit. For
examples, refer to Appendix A.
To ensure that anyone authorized to access electronic networks by a federal
government institution uses those electronic networks appropriately.
It is Treasury Board policy that authorized individuals use electronic
networks to conduct the business of government, to communicate with public
service employees and with the public, to gather information relevant to their
duties, and to develop expertise in using such networks. Deputy heads have an
obligation to promote the use of electronic networks in a working environment
where unacceptable or unlawful activity is not permitted. They also have an
obligation to deal quickly, fairly and decisively with any violations of policy
or law.
Pursuant to the authority of the Treasury Board under s. 7 of the Financial
Administration Act, this policy applies to all institutions and other
portions of the Public Service listed in Schedule 1, Parts I and II of the Public
Service Staff Relations Act, to the Canadian Forces and to the Royal
Canadian Mounted Police.
Deputy heads have a responsibility to put in place policies and practices
that promote the appropriate use of electronic networks. Those policies must be
consistent with the operational needs of the workplace, the Privacy Act,
the Access to Information Act and the Charter of Rights and
Freedoms (especially reasonable privacy and freedom of expression
interests).
When an institution authorizes individuals to access electronic networks for
approved uses, it must develop and implement policies and procedures for the
appropriate use of such networks that include the following:
- A statement indicating the authorized uses of electronic networks - which
may include the conduct of government business, professional activities,
career development or personal use.
- A statement indicating that unlawful activity is not permitted and
providing information about the kinds of activities that are unlawful on
electronic networks (see Appendix A for a non-exhaustive list).
- A statement indicating the kinds of activity that are legal but
nonetheless unacceptable and not permitted on electronic networks (see
Appendices B and C for a non-exhaustive list).
- A statement identifying the responsibilities of authorized individuals
when they are using electronic networks (see Appendix D for a non-exhaustive
list).
- A statement designating an institutional official to investigate reports
of unlawful or unacceptable use by authorized individuals.
- A statement indicating which groups of employees are authorized to analyze
logs that show the use of electronic networks by individuals; which groups
of employees, if any, are authorized to analyze the content of authorized
individuals' files or electronic mail; and to whom such authorized employees
may disclose information about identifiable individuals and for what
purposes.
- A statement telling authorized individuals where they can obtain
information on the interpretation of unlawful and unacceptable uses.
- A statement telling authorized individuals where they can obtain training
or information on using electronic networks.
- A statement notifying authorized individuals of policies and procedures
related to the use of electronic networks.
- A statement indicating that the institution will report suspected illegal
activity to law-enforcement authorities, unless legal advisors consider the
matter too minor. It should also indicate that the institution may take
disciplinary measures, even where a formal criminal charge or civil lawsuit
is not pursued.
- A statement indicating the range of disciplinary measures that the
institution may use in instances of unlawful or unacceptable use, depending
on the seriousness and circumstances of the incident. These may include an
oral reprimand, written reprimand, limiting electronic network access,
suspension or termination of employment.
Electronic networks may be monitored for operational reasons to determine
whether the networks are operating efficiently; to isolate and resolve problems;
and to assess compliance with the policy. In addition, institutions can conduct
periodic and random checks of the network for specific operational purposes. In
any case, the resulting information may be analyzed.
Normal routine analysis does not involve reading the content of electronic
mail or files. However, if, due to routine analysis or a complaint, the
institution reasonably suspects that an authorized individual is misusing the
network, it must refer the matter to the appropriate institutional official for
further investigation and action that may involve special monitoring and/or
reading the contents of individual electronic mail and files. Whenever employees
are obliged to read the contents of electronic communications, they must keep
the information confidential and use it only for authorized purposes. This
investigation must be conducted in accordance with the Charter of Rights and
Freedoms, the Privacy Act, and the Criminal Code.
Institutions must take privacy concerns into account when designing their
monitoring initiatives and inform authorized individuals of their monitoring
practices, prior to implementation, by communicating, at a minimum, the following
information:
- a statement explaining the regular monitoring practices of electronic
networks - for example, operational analysis of logs indicating the Internet
sites authorized individuals have visited, or key-word searches of files on
network servers or on computer storage devices of authorized individuals'
computers;
- a statement that electronic networks will be monitored only for
work-related purposes - for example, to assess system or network
performance, protect government resources or ensure compliance with
government policies;
- a statement that special monitoring may be permitted without notice in
instances where it is reasonable to suspect unlawful or unacceptable
activity.
For guidance on the legal issues related to privacy, refer to Appendix E.
Institutions must conduct internal audits of their compliance with the policy
and the effectiveness of its implementation.
The Secretariat will assess the effectiveness and application of the policy
through institutional internal audits.
The Financial Administration Act; the Access to Information Act;
the Privacy Act; the Charter of Rights and Freedoms; the National
Archives of Canada Act; the Official Secrets Act; the Criminal
Code; the Export and Imports Act; the Crown Liability and
Proceedings Act; the Copyright Act; the Trade-Marks Act;
the Patents Act; the Canadian Human Rights Act.
The Conflict of Interest and Post-Employment Code for the Public Service;
the Harassment in the Workplace Policy; the Government Security Policy; the
Government Communications Policy; the Government of Canada Internet Guide;
the Management of Government Information Holdings Policy; the Access to
Information Policy; the Privacy and Data Protection Policy; the Telework Policy;
the Policy on Losses of Money and Offences and Other Illegal Acts against the
Crown.
Please direct enquiries about this policy to the responsible officers in
institutional headquarters who, in turn, may seek interpretation from the
following:
Chief Information Officer Branch
Treasury Board of Canada, Secretariat
Facsimile: (613) 957-8020
The term "unlawful activity" can have a number of meanings. For the
purposes of this policy, "unlawful activity" is interpreted broadly to
include actions that could result in sanctions of different kinds in a court of
law.
Some activity gives rise to criminal offences, but unlawful activity includes
more than just what is criminal. It also includes activity that violates
non-criminal, regulatory statutes (only a small proportion of statutes provides
for criminal offences). Some regulatory statutes state that anyone who violates
their provisions has committed an offence, but other statutes do not create
specific offences. However, whether or not an offence is set out in a specific
regulatory statute, it is still unlawful to fail to observe statutory
requirements.
Further, s. 126 of the Criminal Code states that anyone who wilfully
violates an Act of Parliament for which no offence is specified has committed an
offence. Provincial laws have similar provisions.
Finally, some activities are neither criminal nor violations of specific
regulatory statutes, but they can result in lawsuits brought by persons who are
harmed by those acts. In such cases, the courts can find that a defendant is in
breach of the laws applicable in a province and can penalize the person with an
enforceable monetary award of damages to be paid to the plaintiff. These are
known as civil actions. Where there is civil liability of an employee, and when
the employee's activity falls within the scope of his or her duties, the
employer can also be liable for monetary damages.
Note that government institutions are required to report suspected illegal
activity to the appropriate law enforcement agency (unless their legal advisor
advises that the matter is too minor), under the following policies and
guidelines:
- Chapter 2-1, article 16.5 of the Government Security Policy (article 16.4
states that security breaches must be reported to the deputy head of the
institution);
- Chapter 4-7 of the Policy on Losses of Money and Offences and Other
Illegal Acts against the Crown.
Also, under paragraph 80(e) of the Financial Administration Act, a
person is guilty of an offence if he or she
- collects, manages or disburses public money; and
- knows or suspects that any other person has committed fraud against Her
Majesty or has contravened the Financial Administration Act, its
regulations, or any revenue law of Canada; and
- fails to report, in writing, that knowledge or suspicion to a superior
officer.
The following are examples of criminal activity that could take place on
electronic networks:
Child pornography: possessing, downloading or distributing
any child pornography (see s. 163.1 of the Criminal Code).
Copyright: infringing on another person's copyright without
lawful excuse - the Copyright Act provides for criminal prosecutions
and civil actions in such cases (see also "copyright" under violations
of federal and provincial statutes).
Defamation: causing a statement to be read by others that is
likely to injure the reputation of any person by exposing that person to hatred,
contempt or ridicule, or that is designed to insult the person (see ss. 296-317
of the Criminal Code). There are a number of defences for this offence.
For instance, the maker of the statement may believe, on reasonable grounds,
that the statement is true and that the statement is relevant to a subject of
public interest whose public discussion benefits the public.
Hacking and other crimes related to computer security
- Gaining unauthorized access to a computer system: using
someone else's password or encryption keys to engage in fraud or obtaining
money, goods or services through false representations made on a computer
system. See the following Criminal Code provisions: s. 122 (breach
of trust by public officer); s. 380 (fraud); s. 361 (false pretences); s.
403 (fraudulent personation); s. 342.1 (unauthorized use of computer systems
and obtaining computer services).
- Trying to defeat the security features of the electronic networks.
See the following Criminal Code provisions: s. 342.1 (unauthorized
use of computer systems and obtaining computer services); s. 342.1(d)
(using, possessing or trafficking in stolen computer passwords or stolen
credit card information); s. 342.2 (making, possessing or distributing
computer programs that are designed to assist in obtaining unlawful access
to computer systems); ss. 429 and 430 (mischief in relation to data).
- Spreading viruses with intent to cause harm.
See the following Criminal Code provisions: ss. 429 and 430
(mischief in relation to data); s. 342.1 (unauthorized use of computer
systems and obtaining computer services).
- Destroying, altering or encrypting data without authorization and
with the intent of making it inaccessible to others with a lawful need to
access it. See the following Criminal Code provisions: ss.
429 and 430 (mischief in relation to data); s. 342.1 (unauthorized use of
computer systems and obtaining computer services); ss. 129 and 139(2)
(destroying or falsifying evidence to obstruct a criminal investigation).
- Interfering with others' lawful use of data and computers.
See the following Criminal Code provisions: ss. 429 and 430
(mischief in relation to data); s. 326 (theft of telecommunication
services); s. 322 (theft of computer equipment); s. 342.1 (unauthorized use
of computer systems and obtaining computer services).
Harassment: sending electronic messages, without lawful
authority, that cause people to fear for their safety or the safety of anyone
known to them (see s. 264 of the Criminal Code). Section 264.1 of the Criminal
Code makes it an offence to send threats to cause serious bodily harm,
damage personal property or injure a person's animal.
Hate propaganda: disseminating messages that promote hatred
or incite violence against identifiable groups in statements outside of private
conversations (see s. 319 of the Criminal Code).
Interception of private communications or electronic mail (in
transit): unlawfully intercepting someone's private communications or
unlawfully intercepting someone's electronic mail (see s. 184 and s. 342.1 of
the Criminal Code, respectively).
Obscenity: distributing, publishing or possessing for the
purpose of distributing or publicly displaying any obscene material (e.g.
material showing explicit sex where there is undue exploitation of sex, where
violence or children are present, or where the sex is degrading or dehumanizing
and there is a substantial risk that the material could lead others to engage in
anti-social acts). See s. 163 of the Criminal Code.
Various other offences: the Criminal Code (and a
few other statutes) provide for a range of other offences that can take place in
whole or in part using electronic networks. For example, fraud, extortion,
blackmail, bribery, illegal gambling, and dealing in illegal drugs can all
occur, at least in part, over electronic networks and are criminal acts.
The following are examples of unlawful (though not criminal)
activity that can take place on electronic networks.
Copyright and intellectual property: violating another
person's copyright (the Copyright Act provides for criminal
prosecutions and civil actions in such cases). Unauthorized use of trade-marks
and patents can also occur on electronic networks and these acts are proscribed
in the Trade-marks Act.
Defamation: spreading false allegations or rumours that
would harm a person's reputation. In addition to criminal libel, defamation is
contrary to provincial statutes dealing with this subject.
Destroying or altering data without authorization:
unlawfully destroying, altering or falsifying electronic records. See the
following provisions: s. 5 of the National Archives of Canada Act; ss.
6 and 12 of the Privacy Act; s. 4 of the Access to Information Act;
s. 5 of the Official Secrets Act.
Disclosing sensitive information without authorization
- Disclosing personal information: failing to respect the
privacy and dignity of every person. The obligation to respect a person's
privacy is expressed in a number of statutory provisions, such as ss. 4, 5,
7 and 8 of the Privacy Act and s. 19(1) of the Access to
Information Act. Many federal statutes have non-disclosure provisions,
often designed to protect the privacy of citizens who provide information to
the government (see list of provisions in Schedule II of the Access to
Information Act). In addition, Quebec has a number of privacy
provisions in its Civil Code (see articles 3, 35-41) and in its Human
Rights Charter (see articles 4, 5 and 49). British Columbia,
Saskatchewan, Manitoba and Newfoundland also have statutes that provide for
civil actions where there is an undue invasion of privacy.
- Disclosing business trade secrets: revealing, without
authorization or in response to a formal request under
the Access to Information Act, business trade secrets or
confidential commercial information supplied in confidence by a third party
and consistently treated as confidential by the third party. See s. 20(1)(a)
and (b) of the Access to Information Act.
- Disclosing sensitive government information: revealing
sensitive government information without authorization. See ss. 3 and 4 of
the Official Secrets Act. As well, when responding to formal
requests under the Access to Information Act, institutions must not
disclose information obtained in confidence from other governments (see s.
13 of the Access to Information Act; the other exemptions in the
Act relating to government information are discretionary).
Note that employees and other authorized individuals and the government are
immune from legal actions with respect to disclosures made in good faith under
either the Privacy Act or Access to Information Act.
Harassment: It is a discriminatory practice "(a) in the
provision of ...services... available to the general public...or (c) in matters
related to employment to harass an individual on a prohibited ground of
discrimination". The prohibited grounds are race, national or ethnic
origin, colour, religion, age, sexual orientation, marital status, family
status, disability and conviction for which a pardon has been granted. Thus, in
some circumstances, displaying unwelcome sexist, pornographic, racist or
homophobic images or text on a screen at work can be unlawful harassment. See s.
14 of the Canadian Human Rights Act.
Privacy infractions: reading someone else's electronic mail
or other personal information without authorization, listening in on someone's
private conversations or intercepting electronic mail while it is in transit, for
example.
When an employee or other person has a reasonable expectation of privacy in
his or her electronic mail or other personal documents, an institution may be
guilty of an unreasonable search or seizure under s. 8 of the Charter of
Rights and Freedoms if it infringes on that reasonable expectation without
a lawful authority. This is true whether the institution is acting as employer
or otherwise.
The institution may also be deemed to have collected or used data unlawfully,
contrary to ss. 4, 5, 7 and 8 of the Privacy Act. The government may be
liable for damages when private communications are intercepted unlawfully (see
ss. 16-20 of the Crown Liability and Proceedings Act concerning
electronic surveillance activities carried out by Crown servants in the course
of their employment; s. 20 specifically provides that the Crown servant will be
accountable to the Crown for the amount of the damages awarded by a court). The
government may also be liable for damages when an unlawful disclosure of
personal information occurs contrary to provisions in various statutes (see the
list of such provisions in Schedule II of the Access to Information Act).
For more information on these issues, refer to Appendix E and the discussion of
reasonable expectations of privacy.
Use of public money without proper authority: See the
following provisions of the Financial Administration Act: s. 33 (making
a requisition without authority); s. 34 (certifying receipt of goods or services
without authority); s. 78 (liability for losses caused by malfeasance or
negligence); and s. 80 (taking bribes or participating in corrupt practices).
Various kinds of conduct can expose a person or an employer to civil
liability. The employer's liability will be triggered when a Public Service
employee performs the unlawful activity in the course of his or her employment.
The Public Service employee remains personally liable for these actions, even
when the federal government is also liable. (The government's policy on
indemnifying authorized individuals - Policy on the Indemnification of Servants
of the Crown - is relevant to such actions.) The following are examples of civil
wrongs that can take place on electronic networks.
Disclosing or collecting sensitive data: revealing or
obtaining such information without authorization. In addition to the statutory
provisions mentioned above, an unauthorized disclosure or collection of personal
information can result, in some circumstances, in a civil action for invasion of
privacy, nuisance or trespass under common law, and similar actions under the Civil
Code of Quebec (articles 3, 15-41); for breach of contract and for breach
of trust or breach of confidence (e.g., if confidential commercial information
is disclosed).
Defamation: spreading false allegations or rumours that
would harm a person's reputation. In addition to criminal libel, publishing
defamatory statements without a lawful defence can result in a civil action.
Inaccurate information: posting inaccurate information,
whether negligently or intentionally. This can lead to civil lawsuits for
negligent misrepresentation if it can be shown that (a) the posting caused harm
and resulted in damages to the person who (b) reasonably relied on the
information, that (c) the person or institution that made the posting owed a
duty of care to the person who was harmed by inaccurate information; and (d) the
inaccuracy was due to negligence (conduct that falls below what is reasonable in
the circumstances).