USE OF ELECTRONIC NETWORKS
Issued under the authority of the Commissioner of the Correctional Service of Canada
Policy Bulletin 92
Annex A - Unlawful Activity - (Non-Exhaustive List of Examples)
Annex B - Unacceptable Activity That Is Not Necessarily Unlawful But Which Violates Treasury Board Policies - (Non-Exhaustive List of Examples)
Annex C - Unacceptable Activities Relating to Access to Electronic Networks Provided By the Government
1. To promote the lawful and appropriate use of Correctional Service Canada (CSC) electronic network.
2. To encourage authorized individuals to use the electronic network to carry out the legal mandate and Mission of the CSC in accordance with Treasury Board policy.
3. This policy is issued pursuant to Treasury Board Policy on the Use of Electronic Networks, February 12, 1998.
4. Authorized users are CSC employees and those contractors, consultants or third parties who are granted access to CSC's electronic network.
5. Offenders shall not be authorized to access CSC's electronic network.
6. This policy applies to activities and conduct performed by individuals authorized to use CSC's electronic network. Use of networks includes, but is not limited to:
- creating and transmitting electronic mail messages (e-mail);
- creating, transferring, accessing and manipulating electronic records;
- accessing information contained on the Infonet or the Internet (World Wide Web);
- posting information on the Internet.
7. Electronic networks shall be used for official business.
8. The personal use of CSC's electronic network by authorized individuals is permitted only when such use:
- occurs on the individual's personal time within normal working hours;
- does not incur any direct cost to the CSC;
- observes the prohibitions against unlawful and unacceptable conduct outlined elsewhere in this policy;
- employs authorized applications installed by CSC authorized IM/IT personnel.
9. Electronic networks shall not be used to operate games or other entertainment software under any circumstances.
10. CSC's electronic network shall not be used to conduct any unlawful activity, including criminal offences. A non-comprehensive list of unlawful activities is included in Annex "A".
11. CSC's electronic network shall not be used to conduct any activity that, while legal, is unacceptable. A non-comprehensive list of unacceptable activities is included in Annexes "B" and "C".
12. Individuals authorized to use CSC's electronic network are responsible for abiding by the law and government policies as set out by Treasury Board (Use of Electronic Networks) and the CSC by:
- taking reasonable measures to control the use of their password, user identification or computer accounts;
- being aware of information technology security issues as published from time to time by the Manager of Information Technology Security;
- using information technology security features (encryption, virus protection) provided by the CSC;
- communicating in a manner that reflects positively on the standards of the CSC;
- obtaining clarification from the Director, Information Management/Information Technology Strategic Support when in doubt whether a planned use is acceptable and lawful according to this policy.
13. CSC will report suspected unlawful use of its electronic network to law enforcement authorities following consultation with its legal advisors.
14. CSC may take disciplinary measures or sanctions in cases of unlawful and/or unacceptable use of its network. Disciplinary measures will be commensurate with the seriousness and circumstances of the incident.
15. Disciplinary measures may include:
- an oral or written reprimand;
- limitations on access to the electronic network;
- suspension or termination of employment.
16. Sanctions to be taken against contractors or other individuals authorized to use CSC's network shall be specified in a conditions of use agreement.
17. Managers are responsible for reporting instances of suspected unlawful or unacceptable uses of CSC's electronic network to the Manager of Information Technology Security or equivalent.
18. The Manager of Information Technology Security or equivalent shall investigate reports of suspected unlawful or unacceptable uses of CSC's electronic network in accordance with Chapter 2-1, Section 16 of the Government Security Policy.
19. The Assistant Commissioner, Corporate Services or Regional Deputy Commissioner is responsible for seeking legal advice in cases of suspected unlawful or unacceptable uses of CSC's electronic network.
20. The Director General, Information Management Services is responsible for:
- providing training or information on using networks effectively and efficiently;
- establishing procedures for granting access to CSC's electronic network;
- establishing procedures for granting access to the Internet via CSC's electronic network;
- approving the individuals who are authorized to monitor the use of electronic networks.
21. The Director, Information Management/Information Technology Strategic Support is responsible for:
- providing information on this policy;
- providing information on the interpretation of lawful and acceptable use of CSC's electronic network.
22. Directors and Managers (at National and Regional Headquarters) and heads of operational units are responsible for endorsing individual applications for access to the global Internet (World Wide Web). Applications shall be supported by a business case.
23. Electronic networks may be monitored for operational reasons to determine whether the networks are operating efficiently, to isolate and resolve problems, and to assess compliance with government policy. In addition, periodic and random checks of the networks for specific operational purposes can occur and the resulting information can be analyzed.
24. Normal routine analysis does not involve reading the content of electronic mail or files. However, if due to routine analysis or a complaint, there are reasonable grounds to believe that an authorized individual is misusing the network, the matter shall be referred for further investigation and action that may involve special monitoring and/or reading the content of individual electronic mail and files.
25. Whenever individuals involved in an investigation are obliged to read the content of electronic communications, they must keep the information confidential and use it only for authorized purposes. This investigation must be conducted in accordance with the Charter of Rights and Freedoms, the Privacy Act, and the Criminal Code.
Regular Monitoring
26. Regular monitoring will occur for work-related reasons only to assess network performance, to protect government resources and to ensure compliance with government policies.
27. Regular monitoring may involve:
- identifying the size and type(s) of file(s) suspected of causing problems;
- identifying patterns of usage;
- determining the originator, intended recipient and subject line of e-mail messages;
- testing for viruses;
- key word searches of files on network servers or on computer storage devices.
Incidental Monitoring
28. CSC's electronic network automatically logs the identity of individuals and their activities while on the network.
29. Copies of files and e-mail records (including "deleted" records) are automatically backed up and retained on a daily basis. This information may be accessible under the Access to Information Act and Privacy Act, subject to exemptions under those Acts.
Monitoring for Unlawful Activity/Unacceptable Conduct
30. If there are reasonable grounds to believe that an authorized individual is misusing the network, monitoring without notice, including viewing the content of individual electronic mail records or other files, may occur.
31. Compliance with this policy shall be subject to regular internal audits.
32. - Financial Administration Act;
- Access to Information Act;
- Privacy Act;
- Charter of Rights and Freedoms;
- National Archives of Canada Act;
- Official Secrets Act;
- Criminal Code;
- Export and Import Permits Act;
- Crown Liability and Proceedings Act;
- Copyright Act;
- Trade-Marks Act;
- Patent Act;
- Canadian Human Rights Act;
- Official Languages Act.
33. Treasury Board Policy and Publications
- Conflict of Interest and Post-Employment Code for the Public Service;
- Harassment in the Workplace Policy;
- Government Security Policy;
- Government Communications Policy;
- Government of Canada Internet Guide;
- Management of Government Information Holdings Policy;
- Access to Information Policy;
- Privacy and Data Protection Policy;
- Policy on the Use of Electronic Networks;
- Telework Policy;
- Policy on Losses of Money and Offences and Other Illegal Acts Against the Crown.
34. CSC Policy
- Security Manual - Information Technology Security;
- Information Classification and Scheduling Plan;
- Code of Discipline;
- Standards of Professional Conduct.
Commissioner,
Original signed by
Ole Ingstrup
Annex A
UNLAWFUL ACTIVITY (Non-Exhaustive List of Examples)
1. For the purposes of this policy, "unlawful activity" is interpreted broadly to include actions that could result in
sanctions of different kinds in a court of law.
2. Some activity gives rise to criminal offences, but unlawful activity includes more than just what is criminal. It also includes
activity that violates non-criminal, regulatory statutes (only a small proportion of statutes provides for criminal offences). Some
regulatory statutes state that anyone who violates their provisions has committed an offence, but other statutes do not create specific
offences. However, whether or not an offence is set out in a specific regulatory statute, it is still unlawful to fail to observe
statutory requirements.
3. Further, s. 126 of the Criminal Code states that anyone who wilfully violates an Act of Parliament for which no offence
is specified has committed an offence. Provincial laws have similar provisions.
4. Finally, some activities are neither criminal nor violations of specific regulatory statutes, but they can result in lawsuits
brought by persons who are harmed by those acts. In such cases, the courts can find that a defendant is in breach of the laws applicable
in a province and can penalize the person with an enforceable monetary award of damages to be paid to the plaintiff. These are known
as civil actions. Where there is civil liability of an employee, and when the employee's activity falls within the scope of
his or her duties, the employer can also be liable for monetary damages.
Reporting Requirements
5. Note that government institutions are required to report suspected illegal activity to the appropriate law enforcement agency
(unless their legal advisor advises that the matter is too minor), under the following policies and guidelines:
- Chapter 2-1, article 16.5 of the Government Security Policy (article 16.4 states that security breaches must be reported to
the deputy head of the institution);
- Chapter 4-7 of the Policy on Losses of Money and Offences and Other Illegal Acts Against the Crown.
6. Also, under paragraph 80(e) of the Financial Administration Act, a person is guilty of an offence if he or she collects,
manages or disburses public money; and knows or suspects that any other person has committed fraud against Her Majesty or has contravened
the Financial Administration Act, its regulations, or any revenue law of Canada; and fails to report, in writing, that knowledge
or suspicion to a superior officer.
Criminal Offences
7. The following are examples of criminal activity that could take place on electronic networks.
- Child pornography: possessing, downloading or distributing any child pornography (see s. 163.1 of the Criminal
Code).
- Copyright: infringing on another person's copyright without lawful excuse - the Copyright Act provides
for criminal prosecutions and civil actions in such cases (see also "copyright" under violations of federal and provincial
statutes).
- Defamation: causing a statement to be read by others that is likely to injure the reputation of any person
by exposing that person to hatred, contempt or ridicule, or that is designed to insult the person (see ss. 296-317 of the Criminal
Code). There are a number of defences for this offence. For instance, the maker of the statement may believe, on reasonable
grounds, that the statement is true and that the statement is relevant to a subject of public interest whose public discussion
benefits the public.
- Hacking and other crimes related to computer security - Gaining unauthorized access to a computer system: using
someone else's password or encryption keys to engage in fraud or obtaining money, goods or services through false representations
made on a computer system. See the following Criminal Code provisions: s. 122 (breach of trust by public officer);
s. 380 (fraud); s. 361 (false pretences); s. 403 (fraudulent personation); s. 342.1 (unauthorized use of computer
systems and obtaining computer services).
- Trying to defeat the security features of the electronic networks. See the following Criminal Code provisions:
s. 342.1 (unauthorized use of computer systems and obtaining computer services); s. 342.1(d) (using, possessing or trafficking
in stolen computer passwords or stolen credit card information); s. 342.2 (making, possessing or distributing computer programs
that are designed to assist in obtaining unlawful access to computer systems); ss. 429 and 430 (mischief in relation to data).
- Spreading viruses with intent to cause harm. See the following Criminal Code provisions: ss. 429
and 430 (mischief in relation to data); s. 342.1 (unauthorized use of computer systems and obtaining computer services).
- Destroying, altering or encrypting data without authorization and with the intent of making it inaccessible to others
with a lawful need to access it. See the following Criminal Code provisions: ss. 429 and 430 (mischief in
relation to data); s. 342.1 (unauthorized use of computer systems and obtaining computer services); ss. 129 and 139(2)
(destroying or falsifying evidence to obstruct a criminal investigation).
- Interfering with others' lawful use of data and computers. See the following Criminal Code provisions: ss. 429
and 430 (mischief in relation to data); s. 326 (theft of telecommunication services); s. 322 (theft of computer equipment);
s. 342.1 (unauthorized use of computer systems and obtaining computer services).
- Harassment: sending electronic messages, without lawful authority, that cause people to fear for their safety
or the safety of anyone known to them (see s. 264 of the Criminal Code). Section 264.1 of the Criminal Code makes
it an offence to send threats to cause serious bodily harm, damage personal property or injure a person's animal.
- Hate propaganda: disseminating messages that promote hatred or incite violence against identifiable groups in
statements outside of private conversations (see s. 319 of the Criminal Code).
- Interception of private communications or electronic mail (in transit): unlawfully intercepting someone's
private communications or unlawfully intercepting someone's electronic mail (see s. 184 and s. 342.1 of the Criminal
Code, respectively).
- Obscenity: distributing, publishing or possessing for the purpose of distributing or publicly displaying any
obscene material (e.g. material showing explicit sex where there is undue exploitation of sex, where violence or children are present,
or where the sex is degrading or dehumanizing and there is a substantial risk that the material could lead others to engage in
anti-social acts). See s. 163 of the Criminal Code.
- Various other offences: the Criminal Code (and a few other statutes) provide for a range of other offences
that can take place in whole or in part using electronic networks. For example, fraud, extortion, blackmail, bribery, illegal gambling,
and dealing in illegal drugs can all occur, at least in part, over electronic networks and are criminal acts.
Violations of Federal and Provincial Statutes
8. The following are examples of unlawful (though not criminal) activity that can take place on electronic networks.
- Copyright and intellectual property: violating another person's copyright (the Copyright Act provides
for criminal prosecutions and civil actions in such cases). Unauthorized use of trade-marks and patents can also occur on electronic
networks and these acts are proscribed in the Trade-Marks Act.
- Defamation: spreading false allegations or rumours that would harm a person's reputation. In addition
to criminal libel, defamation is contrary to provincial statutes dealing with this subject.
- Destroying or altering data without authorization: unlawfully destroying, altering or falsifying electronic
records. See the following provisions: s. 5 of the National Archives of Canada Act; ss. 6 and 12 of the Privacy
Act; s. 4 of the Access to Information Act; s. 5 of the Official Secrets Act.
- Disclosing sensitive information without authorization - Disclosing personal information: failing to respect
the privacy and dignity of every person. The obligation to respect a person's privacy is expressed in a number of statutory
provisions, such as ss. 4, 5, 7 and 8 of the Privacy Act and s. 19(1) of the Access to Information Act.
Many federal statutes have non-disclosure provisions, often designed to protect the privacy of citizens who provide information
to the government (see list of provisions in Schedule II of the Access to Information Act). In addition, Quebec has
a number of privacy provisions in its Civil Code (see articles 3, 35-41) and in its Human Rights Charter (see
articles 4, 5 and 49). British Columbia, Saskatchewan, Manitoba and Newfoundland also have statutes that provide for civil
actions where there is an undue invasion of privacy.
- Disclosing business trade secrets: revealing, without authorization or in response to a formal request under the
Access to Information Act, business trade secrets or confidential commercial information supplied in confidence by a
third party and consistently treated as confidential by the third party. See s. 20(1)(a) and (b) of the Access
to Information Act.
- Disclosing sensitive government information: revealing sensitive government information without authorization.
See ss. 3 and 4 of the Official Secrets Act. As well, when responding to formal requests under the Access to Information
Act, institutions must not disclose information obtained in confidence from other governments (see s. 13 of the Access
to Information Act). The other exemptions in the Act relating to government information are discretionary.
Note that employees and other authorized individuals and the government are immune from legal actions with respect to disclosures
made in good faith under either the Privacy Act or Access to Information Act.
- Harassment: It is a discriminatory practice "(a) in the provision of [...] services [...] available to the general public
[...] or (c) in matters related to employment to harass an individual on a prohibited ground of discrimination".
The prohibited grounds are race, national or ethnic origin, colour, religion, age, sexual orientation, marital status, family status,
disability and conviction for which a pardon has been granted. Thus, in some circumstances, displaying unwelcome sexist, pornographic,
racist or homophobic images or text on a screen at work can be unlawful harassment. See s. 14 of the Canadian Human Rights
Act.
- Privacy infractions: reading someone else's electronic mail or other personal information without authorization,
listening in on someone's private conversations or intercepting electronic mail while it is in transit, for example.
When an employee or other person has a reasonable expectation of privacy in his or her electronic mail or other personal documents,
an institution may be guilty of an unreasonable search or seizure under s. 8 of the Charter of Rights and Freedoms if
it infringes on that reasonable expectation without a lawful authority. This is true whether the institution is acting as employer
or otherwise.
The institution may also be deemed to have collected or used data unlawfully, contrary to ss. 4, 5, 7 and 8 of the Privacy
Act. The government may be liable for damages when private communications are intercepted unlawfully. See ss. 16-20 of
the Crown Liability and Proceedings Act concerning electronic surveillance activities carried out by Crown servants in the
course of their employment; s. 20 specifically provides that the Crown servant will be accountable to the Crown for the amount
of the damages awarded by a court. The government may also be liable for damages when an unlawful disclosure of personal information
occurs contrary to provisions in various statutes (see the list of such provisions in Schedule II of the Access to Information
Act). For more information on these issues, refer to Appendix E of the Treasury Board Policy on the Use of Electronic
Networks, which discusses reasonable expectations of privacy.
- Use of public money without proper authority. See the following provisions of the Financial Administration
Act: s. 33 (making a requisition without authority); s. 34 (certifying receipt of goods or services without authority);
s. 78 (liability for losses caused by malfeasance or negligence); and s. 80 (taking bribes or participating in corrupt
practices).
Activity That Can Expose Authorized Individuals or the Employer to Civil Liability
9. Various kinds of conduct can expose a person or an employer to civil liability. The employer's liability will be triggered
when a Public Service employee performs the unlawful activity in the course of his or her employment. The Public Service employee
remains personally liable for these actions, even when the federal government is also liable. (The government's policy on indemnifying
authorized individuals - Policy on the Indemnification of and Legal Assistance for Crown Servants - is relevant to such
actions.) The following are examples of civil wrongs that can take place on electronic networks.
- Disclosing or collecting sensitive data: revealing or obtaining such information without authorization.
In addition to the statutory provisions mentioned above, an unauthorized disclosure or collection of personal information can result,
in some circumstances, in a civil action for invasion of privacy, nuisance or trespass under common law, and similar actions under
the Civil Code of Quebec (articles 3, 15-41); for breach of contract and for breach of trust or breach of confidence (e.g.
if confidential commercial information is disclosed).
- Defamation: spreading false allegations or rumours that would harm a person's reputation. In addition
to criminal libel, publishing defamatory statements without a lawful defence can result in a civil action.
- Inaccurate information: posting inaccurate information, whether negligently or intentionally. This can
lead to civil lawsuits for negligent misrepresentation if it can be shown that (a) the posting caused harm and resulted in
damages to the person who (b) reasonably relied on the information, that (c) the person or institution that made the
posting owed a duty of care to the person who was harmed by inaccurate information; and (d) the inaccuracy was due to negligence
(conduct that falls below what is reasonable in the circumstances).
Annex B
UNACCEPTABLE ACTIVITY THAT IS NOT NECESSARILY UNLAWFUL BUT WHICH VIOLATES TREASURY BOARD POLICIES
(Non-Exhaustive List of Examples)
1. A number of Treasury Board policies are not media-specific - that is, they apply whether the unacceptable activity occurs
on paper, by telephone, through computer networks, in oral conversation or through any other medium. It is unacceptable to violate
Treasury Board policies including institutional policies. The following policies are important in the context of the use of electronic
networks: the Government Security Policy (in relation to standards including the Technical Security Standards for Information Technology);
the Harassment in the Workplace Policy; the Privacy and Data Protection Policy, including the Employee Privacy Code; the Government
Communications Policy; and the Conflict of Interest and Post-Employment Code for the Public Service. These policies relate to various
activities, as described below.
- Sending classified or designated information on unsecured networks, unless it is sent in encrypted form. (Government
Security Policy)
- Accessing, without authorization, sensitive information held by the government. (Government
Security Policy)
- Attempting to defeat information technology security features, through such means as using anti-security programs;
using someone else's password, user identification or computer account; disclosing one's password, network configuration
information or access codes to others; or disabling anti-virus programs. (Government Security Policy)
- Causing congestion and disruption of networks and systems, through such means as sending chain letters and receiving
list server electronic mail unrelated to a work purpose. These are examples of excessive use of resources for non-work related
purposes. (Government Security Policy)
- Sending abusive, sexist or racist messages to employees and other individuals. (Harassment in the Workplace
Policy)
- Using the government's electronic networks for private business, personal gain or profit or political activity. (Conflict
of Interest and Post-Employment Code for the Public Service)
- Making excessive public criticisms of governmental policy. (Conflict of Interest and Post-Employment Code for
the Public Service)
- Representing personal opinions as those of the institution, or otherwise failing to comply with institutional procedures
concerning public statements about the government's positions. (Conflict of Interest and Post-Employment Code for
the Public Service)
- Failing to provide employees and other authorized individuals with notice of electronic monitoring and auditing practices. (Government
Security Policy and the Employee Privacy Code)
- Providing personnel with access to systems, networks, or applications used to process sensitive information before such
personnel are properly security screened. (Government Security Policy)
- Failing to revoke system access rights of personnel, when they leave the institution, due to the end of employment or
the termination of a contract, or when they lose their reliability status or security clearance. (Government Security
Policy)
- Unauthorized removal or installation of hardware or software on government owned informatics devices or electronic networks. (Government
Security Policy)
Annex C
UNACCEPTABLE ACTIVITIES RELATING TO ACCESS TO ELECTRONIC NETWORKS PROVIDED BY THE GOVERNMENT
1. Authorized individuals shall not use CSC's network to access or download Web sites or files, or send or receive electronic mail
messages or other types of communication, that fall into the following categories:
- documents that incite hatred against identifiable groups contained in personal messages (the Criminal Code prohibits
incitement of hatred against identifiable groups in public conversations);
- documents whose main focus is pornography, nudity and sexual acts (however, authorized individuals may access such information
for valid work-related purposes, and may visit sites whose main focus is serious discussions of sexual education and sexual orientation
issues).