Commissioner's Directive

Use of Electronic Resources

Responsibilities

1. The Chief Information Officer will:
   1. establish procedures for authorizing individuals to access CSC's electronic resources
   2. establish a process for ensuring that authorized individuals receive appropriate training and information on the proper use of these resources
   3. establish monitoring procedures and designate individuals who will monitor the use of electronic resources.
2. The Information Technology (IT) Security Coordinator will:
   1. provide direction and information on the interpretation of lawful and acceptable use of CSC's electronic resources
   2. ensure that reports of suspected unlawful or unacceptable activity pertaining to the use of CSC's electronic resources are investigated, pursuant to section 6.1.8 of the Treasury Board Policy on Government Security.
3. Managers will report all instances of suspected unlawful or unacceptable activities or IT-related incidents pertaining to the use of CSC's electronic resources to the IT Security Coordinator or the Regional Manager, IT Security, at the regional level. The Departmental Security Officer and designated personnel having responsibilities for the departmental security activities at the regional level will be advised.
4. On the recommendation of the IT Security Coordinator and the Departmental Security Officer, managers will seek legal advice in cases of suspected unlawful or unacceptable uses of CSC's electronic resources.
5. Authorized individuals using CSC's electronic resources will:
   1. abide by the laws, government policies, directives and any other instructions published by CSC on the use of electronic resources
   2. take reasonable measures to control the use of their password, user identification or computer accounts. This includes assuming responsibility for any actions or costs arising from the unauthorized use of electronic resources
   3. use IT security features (e.g. encryption, virus and data protection) provided by the CSC
   4. ensure that their communications using CSC's electronic resources do not reflect badly on CSC or the Government of Canada and comply with any policies pertaining to professional conduct and the use of Web 2.0 technology (see CD 227 - Use of Web 2.0 Technology)
   5. report suspected unlawful or unacceptable activities or IT-related incidents to their manager(s)
   6. seek clarification from the IT Security Coordinator when in doubt as to whether a planned use is acceptable and lawful
   7. use only IT products authorized and installed by CSC-authorized Information Management/ Information Technology personnel
   8. leave CSC electronic resources with the department upon departure.

AUTHORIZED USES OF ELECTRONIC RESOURCES

Use for Official Business

6. Electronic resources must be used for official business. This includes, but is not limited to, creating, accessing, manipulating, storing and transmitting:
   1. electronic mail messages (email)
   2. electronic records or information on CSC-managed electronic resources
   3. information on the CSC Intranet
   4. information on the Internet.

Personal Use

7. Limited personal use of CSC's electronic resources by authorized individuals is permitted only when such use:
   1. occurs on the individual's personal time withinnormal working hours
   2. does not incur any unauthorized additional cost to the CSC
   3. observes rules governing professional conductand prohibitions related to unlawful and unacceptable conduct as outlined in this policy and elsewhere
   4. does not require CSC to provide additional privacy protection for personal information stored, transmitted or processed beyond that which is already provided
   5. allows CSC to read the contents of communications and files and access personal information pursuant to the section entitled "Monitoring" in this directive.

PROHIBITED USES OF ELECTRONIC RESOURCES

8. Authorized individuals are prohibited from using government electronic resources to:
   1. operate, transmit or store games or other entertainment software
   2. maintain or support a personal private business or to assist relatives, friends, or other persons in such activities, or
   3. conduct any unlawful or unacceptable activityor to store or transmit information relating thereto, except where specifically authorized as part of an official investigation.
9. Offender access to CSC's electronic resources is prohibited except where specifically authorized by CSC policy for approved purposes such as an educational or work program, in compliance with applicable rules related to the protection of personal information (see CD 730 - Offender Program Assignments and Inmate Payments).

MONITORING

Routine Monitoring

10. Routine monitoring of electronic resources will be performed by staff designated by the Chief Information Officer and Shared Services Canada to assess performance, to protect the availability, integrity, confidentiality, value and intent of use of government assets and to ensure compliance with government policy. Routine monitoring may involve:
    1. identifying the size and type(s) of file(s) suspected of causing problems
    2. identifying patterns of usage
    3. determining the originator, intended recipient and subject line of email messages
    4. testing for viruses
    5. keyword searches on networks, computer systems and electronic storage devices.
11. CSC's electronic resources automatically log the identity of individuals and their activities while on the resource(s).
12. Copies of files and email records (including "draft" records) are automatically backed up and retained on a daily basis.

Incidental Monitoring

13. To the greatest extent possible, the CSC seeks to preserveindividual privacy; however, users should be aware that their use of CSC's electronic resources is not private. While CSC does not routinely read email or file content, under certain circumstances, CSC may monitor the activity and accounts of individual users including, but not limited to, individual login sessions, communications, email and file content.
14. All cases of individual monitoring must be authorized in advance by either the IT Security Coordinator, the Director General, Security, or the Assistant Commissioner, Human Resource Management, except:
    1. for the cases specified in paragraph 15a
    2. for the cases required by law, or
    3. when this type of monitoring is necessary to respond to legitimate emergency situations.

Monitoring for Unlawful Activity and Unacceptable Conduct

15. If there are reasonable grounds to suspect that an authorized individual is misusing electronic resources, including during personal use, monitoring without notice, including viewing the content of individual email records or files, may occur under the following circumstances:
    1. the authorized individual has voluntarily made electronic files or email accessible to CSC or to the public
    2. it is necessary to do so to protect the integrity, ensure the security and/or the liability exposure of CSC
    3. there are reasonable grounds to suspect that the authorized individual has utilized CSC's electronic resources in the commission of a violation of CSC or other government policy
    4. there are reasonable grounds to suspect that the authorized individual is using electronic resources for an unlawful or unacceptable activity
    5. an account appears to be engaged in unusual or unusually excessive activity, as indicated by the routine monitoring of general activity and usage patterns, or
    6. upon the receipt of a warrant or other legal instrument from a law enforcement agency.
16. Individuals who are obliged to read the content of electronic communications as part of an investigation must keep the information confidential and use it only for the purposes authorized.

DISCIPLINARY MEASURES AND SANCTIONS

17. CSC may pursue disciplinary measures or sanctions in cases of unlawful and/or unacceptable activity related to the use of its electronic resources. Disciplinary measures will be commensurate with the seriousness and circumstances of the unlawful and/or unacceptable activity. In cases where disciplinary measures are required, Labour Relations must be consulted to ensure that the application of disciplinary measures is consistent across CSC.
18. Disciplinary measures may include:
    1. a verbal or written reprimand
    2. restrictions on access to the electronic resources
    3. review of an individual's reliability status or security clearance
    4. suspension or termination of employment.
19. Following consultation with Legal Services, CSC will report suspected unlawful activities related to the use of its electronic resources to law enforcement authorities.

Commissioner,

Original Signed by:

Don Head

ANNEX A

CROSS-REFERENCES AND DEFINITIONS

CROSS-REFERENCES

Related Legislation

• Access to Information Act
• Copyright Act
• Corrections and Conditional Release Act
• Corrections and Conditional Release Regulations
• Criminal Code
• Crown Liability and Proceedings Act
• Library and Archives of Canada Act
• Privacy Act
• Security of Information Act

Treasury Board Policies and Publications

• Directive on Losses of Money or Property
• Guide to the Review of Management of Government Information Holdings
• Policy on Acceptable Network and Device Use
• Policy on Access to Information
• Policy on Communications and Federal Identity
• Policy on Government Security
• Policy on Harassment Prevention and Resolution
• Policy on Privacy Protection
• Secure use of portable data storage devices within the Government of Canada
• Telework Policy
• Values and Ethics Code for the Public Sector

CSC Policies and Guides

• CD 041 - Incident Investigations
• CD 060 - Code of Discipline
• CD 225 - Information Technology Security
• CD 227 - Use of Web 2.0 Technology
• CD 568 - Management of Security Information and Intelligence
• CD 568-1 - Recording and Reporting of Security Incidents
• CD 730 - Offender Program Assignments and Inmate Payments
• Guide to Information Security
• Mobile Devices - Safeguards to Remember
• Departmental Security Procedures Manual - Security of Information and Assets
• Standards of Professional Conduct in the Correctional Service of Canada

DEFINITIONS

Authorized individuals: CSC employees as well as contractors and any other individuals who have been authorized by a CSC authority to access CSC's electronic resources.

Electronic resource: any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Within the context of this document, electronic resources refer to all electronic resources owned or operated by CSC or services to which CSC has subscribed (e.g. routers, computers, USB devices, smart phones, etc.).

Personal use: an activity that is conducted for purposes other than accomplishing official or otherwise authorized activity.

Unacceptable activity: any activity that violates CSC, Treasury Board or other government policy (for examples, see Appendix C of the Treasury Board Policy on Acceptable Network and Device Use), or that violates the limitations on personal use as set out in this policy and in Appendix C of the above-mentioned Treasury Board policy.

Unlawful activity: criminal offences, contraventions of non-criminal regulatory federal and provincial statutes, and actions that make an authorized individual or an institution liable to a civil lawsuit. For examples, refer to Appendix A of the Treasury Board Policy on Acceptable Network and Device Use.

Web 2.0 technology: includes Internet-based tools and services that allow for participatory multi-way information sharing, dialogue, syndication, and user-generated content. This can include social media and collaborative technologies (e.g. Facebook, Twitter and Wikis).