5.4 Network Use Policy

Status: Under review

Preface

It is Treasury Board policy to encourage authorised individuals to use electronic networks for approved purposes such as conducting the business of government, communicating with other authorised individuals and with the public, gathering information relevant to their duties, and developing expertise in using networks effectively and efficiently.

Statistics Canada's electronic networks have been put in place to facilitate communication within the Agency and between the Agency and its clients, respondents, and partners, to expedite the transfer of data and information, to automate administrative transactions, and generally to improve access by employees to the information they need to do their job.

The Treasury Board policy requires institutions to develop their own policies and procedures with respect to acceptable and lawful use, monitoring of use, and employee and managerial responsibilities in the use of electronic networks. In particular, it requires institutions to exercise discretion on whether and under what conditions its employees may use government computers and electronic networks for personal use.

Statistics Canada's existing security policies prescribe the safeguards and restrictions necessary to protect data confidentiality. Because individuals who use electronic networks may inadvertently or deliberately damage a positive work environment, disclose information in an unauthorised fashion, or engage in unacceptable or unlawful activities, the Treasury Board policy helps institutions and authorised individuals get the most benefit from electronic networks and provides guidance on conduct on such networks.

Policy

It is the policy of Statistics Canada:

To encourage the approved use of its electronic networks in carrying out the business of the Agency;

To permit personal use of its electronic networks only when such use:

  • is on personal time;
  • is not for financial gain; and
  • does not add to Statistics Canada's costs;

To deal quickly, fairly and decisively with any violations of this policy.

The following limitations apply to all use of Statistics Canada electronic networks:

Individuals must not conduct any unlawful or unacceptable activity (for examples see appendices A and B);

Individuals must not access or download Web sites or files or send or receive electronic mail messages or other types of communication that involve documents that incite hatred against identifiable groups; or whose main focus is pornography, nudity or sexual acts.

Individuals must be careful to ensure that any personal messages sent using a Statistics Canada network are not construed to represent the views of the Agency or the Government of Canada; and do not embarrass the Agency through such things as inappropriate language; policy advocacy or criticism; negative comment about third parties including clients and respondents of the Agency.

Responsibilities

Each authorised individual is responsible for ensuring that they access and use Statistics Canada electronic networks only for authorised purposes, in a responsible and informed way, respecting the law and government policies and guidelines as set out by the Treasury Board and Statistics Canada by:

  • being aware that all electronic messages sent via a Statistics Canada network automatically identify the Agency;
  • being aware of information technology security issues and privacy concerns;
  • taking reasonable measures to control the use of their password, user identification or computer accounts;
  • following Statistics Canada policy for ensuring the security of computer networks and electronic information; and using the information technology security features provided by Statistics Canada;
  • taking precautions to avoid transferring computer viruses into the network;
  • writing communications in a professional way, so that their use of electronic networks will not reflect badly on Statistics Canada or the Government of Canada;
  • taking reasonable steps to ensure their communications about policies, programs and service are accurate and clear, and that they comply with the Statistics Canada's policies concerning who may act as spokespersons and the procedures to follow in making public statements;
  • clarifying with the Director, Data Access and Control Services Division, when in doubt whether a planned use is acceptable and lawful according to this policy.

Directors are responsible for ensuring that all authorised individuals in their division are aware of this policy.

The Director-General, Informatics Branch is responsible for providing training or information on using electronic networks effectively and efficiently; and for approving the individuals who are authorised to monitor the use of electronic networks.

The Director, Data Access and Control Services Division is responsible for providing information on this policy; for providing information on the interpretation of acceptable and lawful uses; for reviewing suspected unacceptable or unlawful use; and for determining whether investigations should be carried out.

The Assistant Chief Statistician, Management Services, is responsible for authorising the analysis of the content of individual files or electronic mail in instances of suspected unacceptable or unlawful use and for identifying to whom those authorised may disclose information about identifiable individuals.

Definitions

Access means gaining entry to an electronic network that Statistics Canada has provided. Access may be from inside or outside government premises. It may support telework and remote access situations or where authorised individuals are using such electronic networks for personal use on personal time.

Authorised individuals include employees of the federal government, contractors and other persons who have been authorised by the Chief Statistician to access Statistics Canada networks.

Authorised uses of electronic networks include the conduct of government business, professional activities, career development and personal use on personal time.

Electronic networks include the Intranet, the Internet and any other public or private network external to and provided for Statistics Canada.

Monitoring of electronic networks means any action that involves the recording and subsequent analysis of activity on, or use of, a system or electronic network. Examples include recording user accounts, user activities, sites visited, information downloaded and computer resources used to perform a routine analysis of traffic flow on networks, use patterns and sites that work groups or individuals have visited. The information recorded and subjected to analysis does not normally involve the contents of individual electronic mail, files and transmissions.

Unacceptable activity is any activity that violates Treasury Board policy or Statistics Canada policy (for examples see Appendix B).

Unlawful activity includes criminal offences, contravention of non-criminal regulatory federal and provincial statutes, and actions that make an individual or Statistics Canada liable to a civil lawsuit (for examples see Appendix A).

Monitoring of electronic networks

Statistics Canada networks are routinely monitored for operational reasons to determine whether the networks are operating efficiently; to isolate and resolve problems; and to assess compliance with the policy. In addition, periodic and random checks of the network for specific operational purposes may be undertaken. In either case, the resulting information may be analysed. Those authorised to perform these activities are the Network Control Centre, the Infrastructure Support Section and the EDP Security Section of the Informatics Technology Services Division and the Departmental Security Services Section of the Data Access and Control Services Division. Everyone should be aware that visits to Web sites and electronic mail messages normally result in records identifying the computer from which the visit or message originated. The Statistics Canada firewalls, gateways and systems record which Web sites and which electronic mail addresses were contacted and which computer and user made the visit or sent the message can be determined. This information may be accessible under the Access to Information Act and the Privacy Act.

The information recorded and subject to analysis does not normally involve reading the content of individual electronic mail or files. However, if, through routine analysis or a complaint, it is reasonably suspected that an individual is misusing the network, the matter will be referred to the Director, Data Access and Control Services Division to determine whether further investigation and action is required. This may involve special monitoring and/or reading the contents of individual electronic mail and files without notice. However, such action and/or the linkage of recorded information to individuals requires the approval of the Assistant Chief Statistician, Management Services and such approval will be given only where there are reasonable grounds to believe that unacceptable or unlawful activity is involved. Moreover, those required to read the contents of electronic communications can only carry out this activity with the approval of the Director-General, Informatics Branch and must use the information obtained only for authorised purposes and keep it confidential within the bounds of the investigation.

Disciplinary measures

Statistics Canada will report suspected illegal activity to law-enforcement authorities, where it is deemed appropriate and may take disciplinary measures, even where a formal criminal charge or civil lawsuit is not pursued.

The disciplinary measures that may be used in instances of unacceptable or unlawful use will depend on the seriousness and circumstances of the incident and may include an oral reprimand, written reprimand, limiting electronic network access, suspension or termination of employment.

Inquiries
Inquiries concerning this policy are to be directed to the Director General, Informatics Branch, 951-7114.

Appendix A - Examples of unlawful activity

For the purposes of this policy, "unlawful activity" is interpreted broadly to include actions that could result in sanctions of different kinds in a court of law.

1. Criminal offences

The following are examples of criminal activity that could take place on electronic networks:

Child pornography: possessing, downloading or distributing any child pornography.

Copyright: infringing on another person's copyright.

Defamation: causing a statement to be read by others that is likely to injure the reputation of any person by exposing them to hatred, contempt or ridicule, or that is designed to insult them.

Destroying, altering or encrypting data without authorisation and with the intent of making it inaccessible to others with a lawful need to access it.

Gaining unauthorised access to a computer system.

Hacking and other crimes related to computer security.

Harassment: sending messages that cause people to fear for their safety or the safety of anyone known to them.

Hate propaganda: disseminating messages that promote hatred or incite violence against identifiable groups in statements outside of private conversations.

Intercepting private communications or electronic mail without authorisation.

Interfering with others' lawful use of data and computers.

Obscenity: distributing, publishing or possessing for the purpose of distributing or publicly displaying any obscene material.

Spreading viruses with intent to cause harm.

Trying to defeat the security features of the electronic networks.

Various other offences: the Criminal Code (and a few other statutes) define a range of other offences that can take place in whole or in part using electronic networks such as fraud, extortion, blackmail, bribery, illegal gambling, and dealing in illegal drugs.

2. Violations of federal and provincial statutes

The following are examples of unlawful (though not criminal) activity that could take place on electronic networks:

Copyright and intellectual property: violating another person's copyright and unauthorised use of trade-marks and patents.

Destroying data: unlawfully destroying, altering or falsifying electronic records.

Disclosing business trade secrets without authorisation: revealing confidential commercial information supplied in confidence by a third party and consistently treated as confidential by them.

Disclosing personal information without authorisation.

Disclosing sensitive information without authorisation.

Harassment: discriminating against an individual on the basis of race, national or ethic origin, colour, religion, age, sexual orientation, marital status, family status, disability or conviction for which a pardon has been granted. Displaying unwelcome sexist, pornographic, racist or homophobic images or text on a video screen at work can be harassment.

Privacy infractions: for example, reading someone else's electronic mail or other personal information without authorisation; listening in on someone's private conversations; or intercepting electronic mail while it is in transit.

Use of public money without proper authority.

3. Activity that can expose individuals or the employer to civil liability

The following are examples of civil wrongs that could take place on electronic networks:

Disclosing or collecting sensitive data without authorisation. In addition to the statutory provisions mentioned above, this can result in a civil action.

Defamation: spreading false allegations or rumours that would harm a person's reputation.

Inaccurate information: posting inaccurate information, whether negligently or intentionally.

Appendix B - Examples of unacceptable activity

A number of Treasury Board and Statistics Canada policies apply whether the unacceptable activity occurs on paper, by telephone, through computer networks, in oral conversation or through any other medium. These activities are not necessarily unlawful but they violate these policies. The following are examples with a reference to the applicable policy:

Accessing, without authorisation, sensitive information held by the government. (Government Security Policy).

Allowing public access to Network A. (Statistics Canada EDP Security Policy).

Attempting to defeat information technology security features, through such means as using anti-security programs; using someone else's password, user-identification or computer account; disclosing one's password, network configuration information or access codes to others; or disabling anti-virus programs. (Government Security Policy).

Causing congestion and disruption of networks and systems, through such means as sending chain letters and receiving list server electronic mail unrelated to a work purpose. (Government Security Policy).

Communicating information provided in confidence outside of Statistics Canada using Internet mail. (Statistics Canada EDP Security Policy).

Connecting a device to Network A and Network B simultaneously. (Statistics Canada EDP Security Policy).

Failing to revoke system access rights for personnel when they leave the institution or when they lose their reliability status or security clearance. (Government Security Policy).

Making excessive public criticisms of governmental policy. (Conflict of Interest and Post-Employment Code for the Public Service).

Processing, storing or communicating information provided in confidence on a network other than network A unless specific authorisation has been obtained from the Policy Committee. (Statistics Canada EDP Security Policy).

Providing personnel with access to systems, networks, or applications used to process sensitive information before they are properly security screened. (Government Security Policy).

Representing personal opinions as those of the institution, or otherwise failing to comply with institutional procedures concerning public statements about the government's positions. (Conflict of Interest and Post-Employment Code for the Public Service).

Sending abusive, sexist or racist messages to other employees and other authorised individuals. (Harassment in the Workplace Policy).

Sending classified or designated information on unsecured networks, unless it is sent in encrypted form. (Government Security Policy).

Unauthorised removal or installation of hardware or software on government owned informatics devices or electronic networks. (Government Security Policy).

Using the government's electronic networks for private business, personal gain or profit or political activity. (Conflict of Interest and Post-Employment Code for the Public Service).

 
 
Date modified: