CSE has robust internal mechanisms to make sure our activities are carried out correctly.
On this page:
Operational compliance
Defending Canada from complex threats demands constant innovation. As techniques and technologies change, we constantly review our activities to make sure they remain compliant with CSE's legislation and policies.
Compliance activities
CSE's operational compliance team helps to ensure our activities:
- fall within CSE's mandate
- follow Canadian laws and international norms
- protect Canadian privacy
- keep sensitive information secure
- comply with CSE policies
They do this by:
- assessing activities for compliance issues
- monitoring and tracking compliance incidents
- advising teams on how to mitigate compliance incidents
- recommending policy updates as needed
- training employees
CSE's internal compliance activities do not replace or duplicate the work of the external oversight and review bodies which scrutinize CSE's activities on behalf of Canadians.
Compliance incidents
CSE has detailed operational policies that dictate how we acquire, use, retain and destroy information while carrying out our mandate. If an incident occurs that does not conform with those procedures, it is recorded as a compliance incident. Thanks to these policies and a rigorous compliance regime, most compliance incidents are minor and easily fixed.
In the event of a compliance incident, CSE stops and immediately takes corrective action. The operational compliance team provides advice on how to mitigate the impact of the incident as quickly as possible. The team then draws up an action plan to reduce the risk of it happening again.
Examples of compliance incidents include:
- data that has been mislabelled
- data that has been kept beyond its deletion date
- any scenario that is not covered by existing policies
A compliance incident that involves information relating to a Canadian or to a person in Canada is called a privacy incident. A privacy incident is not the same as a material privacy breach, which has a greater privacy impact. CSE's policies operate in layers so that a single privacy incident is highly unlikely to result in a material privacy breach.
An example of a privacy incident would be inadvertently failing to suppress Canadian identifying information in a foreign intelligence report. This scenario is a privacy incident, and the report would be immediately recalled, to mitigate the privacy impact.
CSE reports its annual total of privacy incidents to the National Security and Intelligence Review Agency (NSIRA). We also share this information with Canadians in our CSE annual reports. CSE reports material privacy breaches in its Privacy Act reports.
Compliance training
CSE promotes a culture of integrity by encouraging employees to report any potential compliance issue without fear of reprisal. As a result, most compliance incidents are self-reported by employees.
Employees who need to access sensitive data must pass compliance training at least once a year.
In addition to the mandatory training, the operational compliance team hosts an "Operational Compliance Week" each year. This includes a mix of formal and informal activities to raise employees' awareness of compliance issues and to promote best practices. The compliance team also engages daily with operational areas to provide advice and guidance on how to ensure their activities remain compliant.
Audit and evaluation
CSE conducts audits and evaluations to make sure its programs, policies and services are working effectively and using public funds in a responsible manner. This is a requirement for every Government of Canada department and agency.
The Chief Audit Executive in charge of audit and evaluation reports directly to the Chief of CSE; the teams are independent from the rest of CSE. This enables them to give neutral and objective advice to improve CSE's work on behalf of Canadians.
Internal audit
The overall purpose of the internal audit team is to ensure CSE's programs and processes are operating as they should.
The internal audit team considers questions such as:
- is CSE meeting its Government of Canada policy obligations?
- does CSE have the right governance structures in place to deliver its goals?
- do proposals for new programs or activities comply with CSE's mandate?
- what factors pose the greatest risk to CSE's operational objectives?
- does CSE have appropriate controls in place to offset those risks?
- how can CSE's management practices be improved?
CSE internal audits are carried out by Certified Internal Auditors and in accordance with the Institute of Internal Auditors' International Professional Practices Framework. Every 5 years, their work is reviewed by an external auditor to make sure it is independent and up to standard. This is Government of Canada policy managed by the Comptroller General of Canada.
CSE is occasionally subject to audits by Government of Canada review bodies such as the Office of the Auditor General and Office of the Comptroller General of Canada. Horizontal audits commissioned by these review bodies can involve multiple Government of Canada departments, including CSE.
Internal evaluation
The internal evaluation team makes sure that CSE is using its resources wisely and that program officials can report on their performance.
The internal evaluation process considers three main factors:
- relevance:
- is this program or policy worthwhile?
- what need does it address?
- is it a government priority?
- effectiveness:
- is this program or policy meeting its goals?
- how can we best measure the results?
- efficiency:
- does this program or policy represent good value for money?
- what has changed as a result of the program and at what cost?
- could the same outcome be gained with fewer resources?
- could better outcomes be gained with the same resources?
Internal evaluations inform decision making, improvements, innovation and accountability. They help CSE to allocate our resources as efficiently as possible, while delivering our mandate effectively for Canadians.