Designated Particularly Sensitive Personal Information

As with other sensitive data, personal information should be collected only as required to meet mandates and business, policy and legislative requirements. Particularly sensitive personal information carries a high risk of theft or loss and must therefore be properly identified and appropriately safeguarded. As a manager, you should be aware that certain information about government employees is also sensitive and must receive special protection. Such information includes:

Bear in mind that you must protect any advice given in making decisions that directly affect individuals.

Designated Cabinet Confidences

Cabinet confidences not classified in the national interest are to be designated. This includes Treasury Board papers:
General Considerations

Treat information given in confidence by other governments according to any agreements or understandings negotiated with them. If you receive this type of information, check with your security officer for any special procedures.

Information derived from records that are already classified or designated should normally be classified or designated to match the original information.

Do not classify or designate information to conceal violations of law, inefficiency or administrative error, to avoid embarrassment, or to restrain competition.

Each organization has a classification and designation guide that specifies types of information (for example, briefing notes to the Minister) and the way in which they should be marked (and therefore protected). Managers should familiarize themselves with this document.

The Security policy stipulates that departments must ensure, through written agreements, the appropriate safeguarding of sensitive information they share with other governments and organizations. Refer to your security office for advice if you are considering sharing information.

Protecting Personnel

The Canada Labour Code makes departments responsible for the safety and health of employees at work. As their manager, you must ensure that employees, especially those whose role may expose them to security threats, are provided with adequate protection. Examples of such roles include front-desk jobs, where employees may encounter hostile or emotionally upset members of the public, and high-profile positions, where employees may be threatened by severely disturbed persons or publicity seekers. Refer to your security officer for advice regarding appropriate physical protection for employees at work.

Assets other than information

Valuable assets (for example, cash, laptop computers, items of historic or cultural value) and systems critical to a government operation (for example, utilities) are to be designated and safeguarded appropriately. As a manager, you are responsible for maintaining a complete, up-to-date inventory of assets. Guidance on their designation, classification and safeguarding is available from your security office.

Information Technology Systems

The security of computer and telecommunications equipment and systems requires special consideration. This is due in part to the need to protect sensitive information, and in part to the significant extent to which many government operations and services depend on such information technology. In addition to protecting the confidentiality of the information on these systems, you must also define how important accuracy, completeness and availability are to the management of your information technology systems.

If you have access to a public network such as the Internet, refer to your security office to clarify security requirements related to the Information Highway. A TBS guidance document entitled "The Internet: A Guide to Internet Use in the Federal Government", released in July 1995, is also available on the Internet at http://www.tbs-sct.gc.ca. It is your responsibility to ensure that employees are aware that sensitive information must not be transmitted on a public network unless it is protected in accordance with departmental directives.

Before sharing information systems, you must be aware of and comply with the requirements of the Access to Information Act and the Privacy Act, the Management of Government Information Holdings Policy, and your departmental Security Policy. The responsibilities and accountabilities set out in these acts, related regulations and policies apply whether you are the owner, the delivery agent or simply a user of the information on the system. Performance clauses included in contractual agreements must specify these responsibilities and accountabilities for delivery agents within or outside government when sharing information on systems.
Refer to your information technology, contracting or security officials for more guidance on shared information systems.

Defining the importance of the availability of information and services is the first step in planning to resume business within acceptable time and resource limits in the event of loss of data, systems or programs. Contingency planning is a basic responsibility for any manager of operations dependent on computer or telecommunications systems.

Also important is the identification of potentially vulnerable communications systems. The risk of someone overhearing sensitive information on the telephone cannot be ignored, given the ease with which this can be done. Conversations over cellular telephones are notoriously easy to intercept. Facsimile machines warrant special attention because of the chance of misdirecting sensitive information through an error in transmission. Help in identifying the security requirements of computer and electronic communication systems is available from your security office, IT security coordinator and communications security coordinator.

What Safeguards are Required?

Managers should review security needs for the information and assets under their control by assessing related threats and risks:

Your security officer will help you carry out this assessment.

Administrative, Physical and Technical Safeguards

Some examples are:
Telework Security

The government Telework policy enables employees to work at locations other than their official workplace. However, it does not diminish responsibilities for the security of sensitive information and assets. Managers must ensure that employees who telework are briefed on the safe custody and control of sensitive information and assets. They should also know that, because of the higher risks, telework should not involve information designated as extremely sensitive or classified as top secret. Consult your security officer for advice and assistance in minimizing the risks inherent in working with sensitive information away from the official workplace.

Personnel Security

Good personnel management requires the examination of the trustworthiness and suitability of all employees to protect the employer's interests. This process usually involves reference enquiries, verification of qualifications and, often, credit and criminal history checks. Until the proper checks or clearances on an individual are complete, a person cannot be appointed to a position or have access to classified or designated information or assets. Limited access and screening apply whether a person is in an indeterminate position, a term position, seconded, on contract or assignment, or from an agency.

Types of Personnel Screening

Basic reliability status is the minimum type of personnel screening required for all individuals appointed or assigned to a position for six months or more. It is optional for periods of less than six months. An individual granted this status may have access only to unclassified or undesignated information and assets. Basic reliability checks are done by verifying personal data, educational and professional qualifications, data on previous employment, and references. A name check of criminal records may also be required. In cases where a criminal records name check is not conducted, a declaration concerning criminal convictions will be necessary.

Enhanced reliability status is the type of personnel screening required when the duties or tasks of a position demand access to designated information or assets. This applies regardless of the duration of an assignment or appointment. An individual granted this status may have access, on a need-to-know basis, to designated information and assets. In addition to the basic reliability checks, enhanced reliability status includes a criminal records name check and may require a fingerprint check and a credit check. It is your responsibility to see that the proper reliability checks are done.

Security clearances are required for anyone who will need access to classified information or assets, regardless of the type of assignment or appointment involved. Assessments to determine security clearances are carried out in addition to a basic or enhanced reliability check. There are three levels of security clearance, paralleling the three levels of classification:

Level I - access to CONFIDENTIAL
Level II - access to SECRET
Level III - access to TOP SECRET

Your organization's security office requests security assessments from the Canadian Security Intelligence Service. (The Department of National Defense and the Royal Canadian Mounted Police conduct their own assessments.)

General Considerations for Personnel Screening

The purpose of security screening is to assess reliability and loyalty, not to verify professional or technical competence. Personnel screening may be done only with the written consent of the individual concerned. Personal information is protected under the Privacy Act and cannot be used for security screening without the written consent of the person to be screened. The individual must be advised of the results of the checks and informed of the right of review or redress if the request for clearance is turned down. Your security office has forms and procedures designed to ensure that these requirements are met.

Security screening must be updated regularly: every ten years for enhanced reliability checks and for security clearances for access to confidential and secret information, and every five years for security clearances for access to top secret information. An individual's screening status may be updated at any time for cause. When the needs of the position change and the security screening level is no longer needed, the incumbent must be informed that the requirements of the position have changed and that this does not reflect on the person's loyalty or reliability. If requirements change again, reliability status or a security clearance can be reactivated through your security office. An individual's security screening level may be transferred when moving from one position or contract to another, between contracts, or between departments.

Security Awareness and Training

People are the key to a good security program. To play an effective part, however, people must understand and appreciate what is expected of them and what their responsibilities are. This is best achieved when management sets the standard by acting according to the departmental security policy and procedures in their own office and work. You should ensure that your personnel know how to classify and designate information and assets properly and how to apply the proper security measures. They should be alert to reporting security problems and know how to do so. It is also helpful if they are encouraged to suggest improvements to the system. Your security officer will be able to help you with written materials, briefings and training.

Security and Contingency Management

There are three aspects of managing security and contingencies:

Business Resumption Planning;
Contingency Planning; and
Planning for security during emergencies.
Business Resumption Planning concerns restoring business operations following an interruption. It aims to ensure the availability of the services, programs and operations, including all resources involved, that are essential to your Department's mission. It is your responsibility as a manager to develop and test business resumption plans for the assets under your responsibility, as warranted by a threat and risk assessment (TRA). Information technology systems warrant attention in business resumption plans if the information processed is considered essential or if the value of the systems themselves is high. If you are not sure that your area is covered by adequate plans, contact your security office or your emergency planning office for assistance.

Contingency Planning concerns restoring computer operations following an interruption. The purpose is to recover computer operations more easily, through such means as backup data and systems, within a period of maximum acceptable downtime. Contingency planning is related to business resumption planning but is narrower in focus. Departments are required to develop and test contingency plans, as warranted by a TRA.

Planning for security during emergencies may form part of other departmental emergency plans or be included in the departmental security policy and procedures. In either case, you should ensure that your employees are aware of these plans and are trained to carry them out. You should also ensure they are instructed on their responsibilities for the security of sensitive information and assets in the event of an emergency. Consult your security office for advice.

Breaches and Violations of Security

A security breach is the unauthorized disclosure of classified or designated information, or the loss, theft or deliberate damage of classified or designated equipment or material. Security breaches must be reported to the deputy minister or head of agency using your organization's procedures.

Security violations are events that could have led to a security breach but did not. A security violation occurs, for instance, when a person:
Sanctions, Review and Redress

The deputy minister or head of agency has the discretion to apply administrative or disciplinary sanctions, or both, for security breaches or violations. Depending on the circumstances and the record of the employee, sanctions may include removal of screening status and loss of access to sensitive material, verbal or written reprimand, suspension without pay, and dismissal.

One of the principal objectives of the Security Policy is to ensure the fair and equitable treatment of individuals who have consented to security screening or who are subject to disciplinary action related to security. It is your responsibility, with advice from the security office, to ensure that this important objective is met. Before a negative decision on a reliability check or security clearance is made, the individual must be made aware of the information obtained and be given an opportunity to correct or explain it. Your security office has procedures to follow in such an event.

When a security clearance or reliability status has been denied, or when any disciplinary action related to security is taken, affected individuals must be officially informed that they may personally seek a review of their case as follows:

Denial of reliability status:

Denial of security clearance:

Disciplinary action:
Security in Contracting

The Security Policy applies to members of the private sector working under contract to the government as well as to government employees. For contracts for which you are responsible, you must determine the security requirements, including physical and technical measures and personnel screening. Contracts must state these requirements, and they must be met before access to classified or designated information or assets is allowed. Some points to note regarding personnel screening are:

Your Role as Manager

The following checklist may assist you in reviewing your security responsibilities as a manager.