Treasury Board of Canada Secretariat - Government of Canada

Policy on the Use of Electronic Networks



Appendix B - Unacceptable activity that is not necessarily unlawful but which violates Treasury Board policies (non-exhaustive list of examples)

A number of Treasury Board policies are not media-specific - that is, they apply whether the unacceptable activity occurs on paper, by telephone, through computer networks, in oral conversation or through any other medium. It is unacceptable to violate Treasury Board policies including institutional policies. The following policies are important in the context of the use of electronic networks: the Government Security Policy (in relation to standards including the Technical Security Standards for Information Technology); the Harassment in the Workplace Policy; the Privacy and Data Protection Policy, including the Employee Privacy Code; the Government Communications Policy; and the Conflict of Interest and Post-Employment Code for the Public Service. These policies relate to various activities, as described below.

  • Sending classified or designated information on unsecured networks, unless it is sent in encrypted form. (Government Security Policy).
  • Accessing, without authorization, sensitive information held by the government. (Government Security Policy).
  • Attempting to defeat information technology security features, through such means as using anti-security programs; using someone else's password, user-identification or computer account; disclosing one's password, network configuration information or access codes to others; or disabling anti-virus programs. (Government Security Policy).
  • Causing congestion and disruption of networks and systems, through such means as sending chain letters and receiving list server electronic mail unrelated to a work purpose. These are examples of excessive use of resources for non-work related purposes. (Government Security Policy).
  • Sending abusive, sexist or racist messages to employees and other individuals (Harassment in the Workplace Policy).
  • Using the government's electronic networks for private business, personal gain or profit or political activity. (Conflict of Interest and Post-Employment Code for the Public Service).
  • Making excessive public criticisms of governmental policy. (Conflict of Interest and Post-Employment Code for the Public Service).
  • Representing personal opinions as those of the institution, or otherwise failing to comply with institutional procedures concerning public statements about the government's positions. (Conflict of Interest and Post-Employment Code for the Public Service).
  • Failing to provide employees and other authorized individuals with notice of electronic monitoring and auditing practices. (Government Security Policy and the Employee Privacy Code).
  • Providing personnel with access to systems, networks, or applications used to process sensitive information before such personnel are properly security screened. (Government Security Policy).
  • Failing to revoke system access rights of personnel, when they leave the institution, due to the end of employment or the termination of a contract, or when they lose their reliability status or security clearance. (Government Security Policy).
  • Unauthorized removal or installation of hardware or software on government owned informatics devices or electronic networks. (Government Security Policy)

Appendix C - Unacceptable activities relating to access to electronic networks provided by the government

Authorized individuals must be made aware that the employer is not obliged to permit them to use government computers, electronic networks and Internet access for personal objectives. If an institution chooses to permit personal use, authorized individuals must not abuse such access. Authorized individuals should also be aware that visits to World Wide Web sites and electronic mail messages often leave records identifying the computer from which the visit or message originated. The institution's firewalls, gateways and systems record which Web sites and electronic mail addresses were contacted and which computer within the institution made the visit or sent the message. The public could get access to these records under the Access to Information Act and the Privacy Act. This access could embarrass both the individual and the institution, depending on the nature of the site visited. In addition, authorized individuals must ensure that others do not think that statements they express in personal messages are related to their employment duties or approved by the government.

Where government institutions permit personal use of government electronic networks on personal time, they should specify what, if any, limitations apply. Notwithstanding that, authorized individuals are prohibited from conducting any of the unlawful or unacceptable activities listed in appendices A and B. Doing so exposes them to disciplinary measures and possible revoking of electronic network access. Furthermore, authorized individuals cannot use government electronic networks to access or download Web sites or files, or send or receive electronic mail messages or other types of communication, that fall into the following categories:

  • documents that incite hatred against identifiable groups contained in personal messages (the Criminal Code prohibits incitement of hatred against identifiable groups in public conversations);
  • documents whose main focus is pornography, nudity and sexual acts (however, authorized individuals may access such information for valid work-related purposes, and may visit sites whose main focus is serious discussions of sexual education and sexual orientation issues).

If government institutions are considering limiting other kinds of personal expression from their computers or through government electronic networks, they should first consider whether their objective is work-related; whether a specific limitation is necessary to achieve their objective; whether they have carefully tailored the limit to curtail only the specific expression they seek to prevent; and whether they have expressed the limit in specific terms that give authorized individuals reasonable guidance as to what is permitted. Institutions should also consider whether the objectionable activity is serious enough to warrant revoking network access or devoting institutional resources to enforcing the policy.


Appendix D - Responsibilities of authorized individuals

All authorized individuals are responsible for ensuring that they use their access to government electronic networks only for government business and for purposes authorized by the deputy head, such as professional activities, career development, and personal use. Authorized individuals are responsible for using their access to electronic networks in a responsible and informed way. They must respect the law and government policies and guidelines as set out by the Treasury Board and their institution. Examples of responsibilities of authorized individuals include the following:

  • taking reasonable measures to control the use of their password, user identification or computer accounts, which includes being responsible for any actions or costs arising from the unauthorized use of electronic networks;
  • following their institution's instructions for ensuring the security of computer networks and electronic information;
  • being aware of information technology security issues and privacy concerns, using the information technology security features provided by the institution, and taking precautions to avoid transferring computer viruses into the network;
  • writing communications in a professional way, so that their use of electronic networks will not reflect badly on their institution or the Government of Canada (this includes refraining from using objectionable language in work-related communications);
  • taking reasonable steps to ensure their communications about policies, programs and service are accurate and clear, and that these communications comply with the institution's policies concerning who may act as spokespersons for the institution and the procedures to follow in making public statements for the institution; and
  • when in doubt about the intended use of the electronic networks, asking the person designated by the institution, to clarify whether the intended use is unlawful or unacceptable within the terms of this policy or the institutional policy.

Appendix E - Guidelines on monitoring of electronic networks

Corporate policy

Institutional policies and procedures for the use of electronic networks should establish operating and management requirements that:

  • reflect this policy;
  • give direction to senior management, program managers and employees and other authorized individuals, and
  • provide detailed guidance concerning the monitoring of electronic networks.

Expectation of privacy

The Security Policy states that "The Charter of Rights and Freedoms guarantees that government authorized individuals have a right to a reasonable expectation of privacy; and this right extends to the workplace. They also have protection under the Privacy Act." Unlike the private sector, the government is subject to the Charter of Rights and Freedoms, and thus faces more limits on its ability to search authorized individuals and their effects than the private sector does. Further, the Charter protects the privacy of persons, not property. Thus, authorized individuals have expectations of privacy, even though they are dealing with government property. This is especially true when an institution permits personal use of government property.

Government managers must respect these rights and design their monitoring policies to ensure a reasonable balance between authorized individuals' expectations of privacy and the government's duty to protect sensitive information, to protect government assets (including computers and networks), and to ensure that the government conducts its activities efficiently and in conformity with law.

Government institutions may monitor how government assets and information are used, as long as individuals have no reasonable expectations of privacy regarding what is being monitored. For example, authorized individuals may have a reasonable expectation of privacy where their employer has notified them that electronic mail communications or personal documents will not be monitored. Should the employer decide to implement practices of monitoring electronic mail and electronic documents, individuals must be notified of the new monitoring practices before they are implemented. This will inform the individuals of their reasonable expectation of privacy.

To ensure that government monitoring practices conform with the Charter of Rights and Freedoms, government institutions must define their monitoring practices, so that authorized individuals can make informed decisions about whether or not they have a reasonable expectation of privacy and, consequently, about where to keep their personal information. To ensure that government statements about its monitoring practices do influence authorized individuals' reasonable expectations of privacy, institutions should ensure that they accurately define their monitoring practices and communicate this information effectively to authorized individuals.

If a government institution plans to monitor and analyze identifiable use of electronic networks, it should help authorized individuals understand the degree of privacy they may have by giving them the following information.

  • The institution will record the identity of users and computers for all electronic transactions. This includes visits to World Wide Web sites, where the institution's firewalls, gateways or systems record the identity of the computer and the site visited (it is possible to identify which authorized employee used that computer). In addition, the Web site visited often records similar information. Further, when someone using a government network exchanges electronic mail with a person outside the institution's firewalls, gateways or systems, these record both the sender's and the recipient's electronic address. In addition, the actual electronic mail is stored on government file servers, even after the originator or recipient has "deleted" the electronic mail message. Further, once electronic mail is outside a government's firewalls, gateways or systems, it is not secure from interception or alteration, unless encrypted.
  • Under the Access to Information Act and Privacy Act, the public and authorized individuals may have access to individuals' electronic records, subject to applicable exemptions under those Acts. These records include electronic mail that authorized individuals have sent or received that is stored on government computers, and records showing which World Wide Web sites the authorized individuals' computers have visited (which are kept on a departmental log).
  • Institutions monitor electronic networks in a variety of ways. For instance, they may analyze statistics relating to the aggregate use of electronic networks, in such a way that they do not analyze individual use. However, if an institution detects a problem in the operation of the network, it will take steps to identify the source of the problem. Identifying the source of the problem could involve analyzing individual use of networks. It would not involve reading the content of authorized individuals' files or electronic mail, but it could involve inspecting the size and type of file(s) suspected of causing the problem, and testing files for viruses. Once managers have identified the source of the problem, they will take appropriate follow-up action, which may include speaking to the individual, to his or her manager, or to information technology security personnel, depending on the nature of the problem.
  • Informatics personnel are permitted to upgrade software applications and verify hard disk configurations on the hard drives of computers located in the offices of authorized individuals. However, in compliance with the Government Security Policy, informatics personnel are not allowed to access the content of electronic mail or other files unless they need to know the information in those files to perform their assigned tasks.
  • If monitoring or a complaint reveals evidence of suspected unacceptable activity that is not criminal, or that the institution has decided not to pursue as a criminal matter, then the institution should refer the matter to the appropriate institutional official for further investigation.

To verify whether classified documents are properly secured, or to ensure compliance with this policy, specifically authorized personnel may read subject lines of electronic mail, file names on network file servers and lists of World Wide Web sites visited by employees and other authorized individuals. For the same reasons, they may also do key word searches to identify classified documents that are not properly secured, and read documents that they suspect are unsecured classified documents. In all of the above cases, such personnel must use an objective method to randomly select whose electronic mail and Web visits and networks files they will monitor.

  • Institutions that collect personal information about visitors to their World Wide Web sites should post a statement on their World Wide Web site setting out what information they collect and why, and informing visitors that they have a right to get access to that information under the Privacy Act.

To communicate the above information effectively, institutions can use a variety of methods. These include recurring messages on each individual's computer screen; on-line registration for computer privileges; security clearances and screening processes; signed statements by authorized individuals that they understand their obligations and that monitoring may take place; and placement of electronic versions of the monitoring policy on the institution's intranet or other locations where policies are made available to authorized individuals. In addition, institutions could provide a printed version of the policy to all authorized individuals, provide the information as part of all computer-related training, and include it with employee orientation and training materials.

Government institutions can undertake monitoring beyond their ordinary network performance monitoring activities even with respect to information in which the authorized individuals have a reasonable expectation of privacy, as long as the monitoring is reasonable. That is, it must be (a) authorized by law; (b) the lawful authority must be reasonable; and (c) the search must be carried out in a reasonable manner. When institutions are in doubt as to whether a particular fact situation or monitoring practice interferes with a reasonable expectation of privacy, or whether a monitoring practice is reasonable, they should consult their legal services. If they suspect criminal activity, they will need a judicial warrant. This is why they must contact law enforcement agencies when the purpose of monitoring changes from routine monitoring to investigating criminal behaviour.

As well as complying with the requirements of the Charter of Rights and Freedoms, institutions must ensure that their monitoring practices comply with the National Archives of Canada Act, the Privacy Act and the Access to Information Act. These requirements include describing in InfoSource the kinds of records created by automated logs and audit trails and describing how they will use the information they collect through monitoring.

Institutions, if they decide to undertake the monitoring of electronic networks, should informally consult with the office of the Privacy Commissioner, through their institutional Privacy Coordinator, for review and comment.

In addition, institutions must retain collected personal information used for an administrative purpose for two years from the date of the last administrative use, unless the individual concerned consents to earlier disposal. This is a requirement under the Privacy Act. It is separate from and additional to the requirement in the National Archives of Canada Act that records not be destroyed without the consent of the National Archivist. An administrative use would occur when an institution uses information to make a decision that affects the individual. When an institution does not use automated logs and audit trails to make any decisions about identifiable individuals, the Privacy Act does not require it to retain such records; it may treat the records as transitory records for the purposes of the National Archives of Canada Act.

 

 