Appendix C: Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices
Date modified: 2022-05-06
Hierarchy
Appendix C. Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices
C.1 Effective Date
- C.1.1These mandatory procedures takes effect on April 1, 2020.
- C.1.2These mandatory procedures replace Appendix D: Privacy of the Policy on Acceptable Network and Device Use (October 1, 2013)
C.2 Mandatory Procedures
- C.2.1These mandatory procedures provide details on requirement 4.4.3.15.2 of the Directive on Service and Digital.
- C.2.2Procedures are as follows:
- C.2.2.1Authorized individuals must be informed of departmental monitoring practices via a privacy notice, prior to their implementation, by communicating at a minimum, the following information:
- C.2.2.1.1A statement explaining the regular monitoring practices of electronic networks—for example, operational analysis of logs indicating the Internet sites employees and other authorized individuals have visited, the files downloaded or uploaded, or the key-word searches of files on network servers or on computer storage devices of Government of Canada employees or other authorized individuals' computers;
- C.2.2.1.2A statement that electronic networks will be monitored for work-related purposes—for example, to assess system or network performance, protect government resources or ensure compliance with government policies; and
- C.2.2.1.3A statement that special monitoring may be permitted without notice in instances where illegal or other unacceptable use is suspected.
- C.2.2.1Authorized individuals must be informed of departmental monitoring practices via a privacy notice, prior to their implementation, by communicating at a minimum, the following information:
- C.2.2.2Departmental Considerations for Privacy
- C.2.2.2.1While the organization is required by law to protect personal information gathered with appropriate authority for business purposes, information and technology assets are assigned to individuals for authorized use only. If users choose to store their own personal information on the network or any other equipment, it is at their own risk.
- C.2.2.2.2Whenever individuals involved in an investigation are obliged to read the content of electronic communications, they must keep the information confidential and use it only for authorized purposes. The investigation must be conducted in accordance with the Canadian Charter of Rights and Freedoms, the Criminal Code and, for those institutions for which it applies, the Privacy Act.
- C.2.2.2.3Under the Access to Information Act and the Privacy Act, the public may request access to the Government of Canada's information or electronic records, as well as their own personal information, subject to applicable exemptions under those Acts. These records include electronic mail that Government of Canada employees or other authorized individuals have sent or received that is stored on government computers and records showing which websites Government of Canada employees or other authorized individuals have visited.