NRCan Policy on Access to Electronic Information
Table of Contents
- 1. Effective Date
- 2. Preface
- 3. Policy Objective
- 4. Policy Statement
- 5. Application
- 6. Policy Requirements
- 7. Accountability
- 8. Monitoring
- 9. Enquiries
- Annex A – Responsibilities
- Annex B – Glossary
- Annex C – References
- Annex D – Guidelines
1. Effective Date
This policy takes effect on July 3, 2007 and will be subject to review one year from the date of its implementation.
2. Preface
Departmental electronic networks (IT equipment and systems) are provided to NRCan employees for work and NRCan business purposes. However, as stated in the NRCan Policy on the Use of Electronic Networks, limited personal use is permitted.
NRCan employees should be aware of the following items with respect to privacy expectations:
- Internet activity is recorded and monitored on usage logs and all NRCan networks are randomly audited for compliance with the NRCan Policy on the Use of Electronic Networks and for network performance purposes.
- The identity of computers used to visit Internet sites is often recorded at the site visited and the user is easily identifiable as a government employee because of the computer’s Internet address.
- Activities conducted on Internet sites, chat groups, newsgroups, instant messaging, etc., accessed from departmental networks, may be read and reported on by the public or the media.
- Electronic information created or received in the conduct of departmental business may be accessible to the public under the Access to Information Act and/or the Privacy Act.
- Electronic information produced in the conduct of departmental business is a government record. In an employee’s absence, this information, such as electronic documents and e-mail messages stored on Departmental electronic networks, may be accessed electronically as outlined in Section 6, Policy Requirements.
If employees choose to store their own personal/private information on the departmental electronic networks and/or IT equipment, such as on hard drives, network directories or in the e-mail system, this will be at their own risk.
3. Policy Objective
The purpose is to establish NRCan’s policy with respect to access to electronic information and to clearly communicate this policy to NRCan employees, as defined in Section 5, Application, and to provide guidance as included in Annex D, Guidelines.
4. Policy Statement
Electronic information, including usage logs, electronic documents and e-mail messages, created and/or received in the conduct of departmental business is a government record. This electronic information must be managed in accordance with the Government of Canada Management of Government Information Policy and legislative requirements, and must be accessible to meet departmental business requirements. It is the Department’s policy to permit access to electronic information under the circumstances described in Section 6, Policy Requirements for situations where employees are not available to provide access, for investigations of suspected employee misuse of the departmental electronic networks or e-mail system, for formal requests made under the Access to Information Act and Privacy Act, and for situations of legal dispute.
The NRCan Policy on the Use of Electronic Networks permits limited personal use of departmental electronic networks and IT equipment. Employees are expected to store personal/private electronic information, such as electronic documents and/or e-mail messages, separately from departmental records. For guidance, refer to Annex D, Section 6.
5. Application
The policy applies to all NRCan employees (including specified period employees and students) who have been provided access to the departmental electronic networks and IT equipment. It extends to situations away from the workplace such as telework or remote access during or outside working hours, where the departmental electronic networks and IT equipment are used. This includes home PCs and laptops.
6. Policy Requirements
It is the Department’s policy to permit access to electronic information under the following circumstances:
6.1 When an employee is away from the office or unavailable, and the information is otherwise inaccessible and is required immediately.
A Network or E-mail Administrator will retrieve specific business-related electronic documents and/or e-mail messages for the manager upon his/her written request. The employee will be copied on all relevant correspondence and notified which information was accessed.
6.2 When an employee leaves the Department, such as a permanent departure or secondment, and where the employee has not taken action to manage the electronic documents and e-mail messages in their network accounts prior to departure.
Upon the written request of the manager, a Network or E-mail Administrator will provide access to all electronic documents and/or e-mail messages to the Access to Information and Privacy Secretariat. In this situation, the departmental records will be transferred to the relevant organization, as appropriate. Effort will be made by the manager to contact the employee to obtain his/her agreement in writing to access their electronic information.
Upon the written request of the employee who has left the Department, the Access to Information and Privacy Secretariat may assume the responsibility of separating and transferring to them their personal/private electronic information.
6.3 When an employee is unable to make a request.
Upon the written request of the legal representative of the employee, the Access to Information and Privacy Secretariat will assume the responsibility of separating and transferring to him/her the employee’s personal/private electronic information.
6.4 During an investigation of suspected employee misuse of the departmental electronic networks or e-mail system.
A security incident review will be undertaken which can involve specialized monitoring and/or the reading of the contents of a user’s electronic mail and files without notice. Any investigation will be conducted in accordance with relevant legislation including the Canadian Charter of Rights and Freedoms, the Privacy Act, and the Criminal Code. (Refer to the NRCan Policy on the Use of Electronic Networks.)
6.5 Upon receipt of a formal request made under the Access to Information Act or the Privacy Act from a member(s) of the Canadian public.
All electronic information pertinent to the request must be provided and this will apply to usage logs, electronic documents and e-mail messages. If some of the electronic documents and e-mail messages contain information pertinent to the request as well as some non-business related information, each document and e-mail message must be submitted to the Departmental Access to Information and Privacy Secretariat in its entirety for review. The content of the electronic documents and e-mail messages will be reviewed, and exemptions will be applied in accordance with the Access to Information Act and the Privacy Act and the Treasury Board Secretariat’s Access to Information Policies and Guidelines.
6.6 In the event of a legal dispute, access will be provided to legal representatives and the courts.
Electronic information that contains evidence of business decisions, actions, and transactions is a legitimate source of evidence. Rules of disclosure are the same as for paper records and the Department can be obliged to supply usage logs, electronic documents and/or e-mail messages in the event of a legal dispute.
7. Accountability
The Deputy Minister is accountable to ensure accessibility and availability of departmental business information.
8. Monitoring
(Refer to the NRCan Policy on the Use of Electronic Networks.)
9. Enquiries
Direct enquiries about this policy and the appended guidelines to the NRCan Access to Information and Privacy Coordinator.
Annex A – Responsibilities
Deputy Minister
The Deputy Minister is responsible for ensuring implementation of this policy to ensure accessibility and availability of departmental business information.
Assistant Deputy Minister, Corporate Management Sector
The Assistant Deputy Minister, Corporate Management Sector, is responsible for ensuring employees are informed about this policy and that departmental practices are established and maintained to verify adherence to the policy.
Director General, Information Management Branch
As the owner of this policy, the DG of IMB is responsible for maintaining and updating the policy, and for ensuring that the appropriate mechanisms are in place for the implementation of this policy in NRCan.
Senior Managers
Senior managers are responsible for supporting implementation of this policy and for ensuring the dissemination of prepared communications on the issuance of the policy and subsequent updates.
Managers
Managers must ensure that all employees, as identified in Section 5, Application, under their supervision with access to the departmental electronic networks have read and comply with this policy.
Before an employee leaves the Department, such as a permanent departure or secondment, managers are responsible for ensuring the employee's electronic information is processed. Prior to the deletion of an employee’s electronic information from network drives, e-mail systems, etc. by Network and/or E-mail Administrators, managers must provide direction in writing that they and/or the employee have processed the information to ensure the retention of official records. This can be an e-mail message to the Help Desk.
Employees
Employees, as identified in Section 5, Application, are responsible for compliance with the terms of access to and the management of electronic information as set out in this policy. Employees should also refer to the Management of Government Information Policy and the departmental Managing Information web site for managing information responsibilities.
Employees are expected to store personal/private electronic information, such as electronic documents and/or e-mail messages, separately from departmental records. Employees should create and maintain a folder marked ‘private’ for storing personal/private e-mail messages in the e-mail system and/or a folder marked ‘private’ for storing personal/private electronic documents on network drives.
Access to Information and Privacy Coordinator
The Access to Information and Privacy (ATIP) Coordinator at NRCan has delegated authority for the administration of the Access to Information Act and Privacy Act and is responsible for overseeing the protection and disclosure of personal and commercial information. The ATIP Coordinator regularly provides direction to managers and employees on the collection, use, handling, retention and disposal of, and access to personal information and can on occasion review documents to remove personal information.
Audit and Evaluation Branch
The Audit and Evaluation Branch as part of its annual planning process will assess the need to review and report on compliance with this policy and the effectiveness of its implementation.
Network and E-mail Administrators
Network and E-mail Administrators are responsible for ensuring that electronic information is preserved and protected from destruction or unauthorized access.
Network or E-mail Administrators will provide access to business-related electronic documents and/or e-mail messages as required in Sections 6.1, 6.2 and 6.3 of this policy.
Information Management Personnel
Information management personnel are responsible for coordinating and facilitating the development, implementation and communication of department-wide IM policies and for providing expert advice and guidance on the management of government information. This includes the identification, filing, retention and disposal of electronic documents and e-mail messages.
Annex B – Glossary
Business information is information collected and created in the conduct of departmental business.
Employees are persons employed in the federal government on an indeterminate, specified period (term), casual or seasonal basis; a person employed under a student employment program or a person employed under the Part-time Exclusion Approval Order.
Non-NRCan employees are persons hired to provide services under a contract, which includes but is not limited to, bargaining agents, contract workers, temporary help, volunteers, emeritus scientists and visiting scientists.
Manager includes supervisors, managers and executives who have the responsibility for supervision of other employees, e.g. assign work, set priorities, assess performance and approve or recommend approval of leave.
Personal/Private information is information that does not relate to departmental business.
Records are information in any form, such as data in computer systems, paper or electronic documents, web pages, correspondence, memoranda, plans, maps, drawings, sound recordings, e-mail messages, electronic images, and any other documentary material created or received by an organization or person in the conduct of official business.
Annex C – References
Relevant Legislation
Access to Information Act; Privacy Act; National Archives of Canada Act; Security of Information Act; Official Languages Act; Copyright Act; the Charter of Rights and Freedoms; the Criminal Code of Canada; Canada Evidence Act.
Relevant Treasury Board Policies and Publications
Management of Government Information Policy; Government Security Policy; Policy on the Use of Electronic Networks; Management of Information Technology Policy; Access to Information Policy and Guidelines; Privacy and Data Protection Policy; Telework Policy; Government Communications Policy; Policy for Public Key Infrastructure (PKI) Management in the Government of Canada; Information Management PKI Guidance
Relevant NRCan Policies and Publications
Policy on the Use of Electronic Networks; Departmental Security Policy; Security Classification Standard; Managing Information – On the Agenda Handbook
Annex D – Guidelines
1. Gaining Access to Electronic Information
Before asking the Network or E-Mail Administrator to retrieve an employee’s electronic information, the following steps should be followed:
- Determine if it is urgent or if it can wait until the employee’s return.
- Determine if the document can be retrieved from a shared folder, an electronic document management system (if in place), the records office, from another employee or any other source.
- Try to communicate with the employee, for example, by phone or e-mail.
In a situation where the employee has left the Department, try to contact the employee to obtain his/her agreement in writing. Refer to Policy Requirements, Section 6.2.
2. Safeguarding Sensitive Information
Sensitive information – paper and electronic – must remain secure at all times. Refer to the departmental Security Classification Standard.
NRCan networks are secured for Protected A information only. You must not store or transmit sensitive information higher than Protected A on these networks.
- Information that is classified as Protected B or higher must not be stored on the departmental network. It should be securely stored on paper or on disk, CD or magnetic tape.
- Information that is classified as Protected B or higher should not be transmitted using e-mail or the Internet unless you use approved security features, such as encryption technologies.
3. Providing Access to Business Information
Managers and employees need to put a plan in place to ensure that business information in electronic format can be accessed, as appropriate:
- In the work unit
- With other individuals, as required
- When individuals are away from the office (others may require access to business information)
This includes electronic records, such as e-mail and electronic documents. The following are some options for providing access:
- Shared network directories and/or public folders
- Electronic document management system, if one is used in the organization
- The delegate function in the e-mail system to give access rights to others for specific mailbox folders (do not share passwords)
- The departmental network to automatically forward e-mail to another individual
- Through a network or e-mail administrator, full access to an individual’s e-mail or electronic records for another individual (do not share passwords, and make sure the ‘send’ function in e-mail is disabled)
4. Providing Access to Business Information of Departing Employees
Managers and departing employees must ensure the processing of departmental records prior to departure. This includes ensuring the retention and access to official records in:
- E-mail messages
- Network drives, local hard drives
- Diskettes, CDs
- Laptops, Blackberries, home PCs, etc.
In keeping with their organization’s practices, employees may transfer official records to a ‘designated individual’ or their organization’s records office, or may use a shared network drive.
Employees should remove personal/private information from hard drives and network drives. This information could be inadvertently turned over to their manager and/or accessed by an individual who takes over the computer equipment.
5. Confidentiality of E-mail Messages
Employees should be aware that:
- In general, the confidentiality of e-mail messages can be compared to that of a post card. Always assume that messages may be read or intercepted by someone other than the intended recipient.
- With the click of a button, individuals can instantaneously send e-mail to numerous recipients. Recipients can easily forward messages to others or a message could even be delivered to a wrong address.
- Without protection such as encryption, others can compromise e-mail messages through casual eavesdropping or deliberate monitoring of the circuit.
- E-mail messages can be around for a long time: in the in-box or other people’s in-boxes, sent items and/or e-mail folders; as multiple print copies; on back-up tapes and/or on network drives; etc.
Employees should:
- Seriously consider alternate methods to communicate personal information and not put anything in an e-mail message that they do not want others to see.
- Ensure they follow the Departmental Security Policy and the Security Classification Standard requirements for transmitting sensitive information. Under no circumstances should classified information (confidential, secret or top secret) or Protected B or C information be sent via e-mail.
- Know they are accountable for the e-mail sent under their name. If they share their password with another individual and that individual subsequently uses the account inappropriately they may be held liable.
- Not leave their computer unsecured. When away from the office, employees should use the password option on their screensaver so that others cannot access their computer.
6. Creating Folders Marked ‘Private’
Employees can organize personal/private e-mail messages and/or electronic documents by creating folders marked ‘Private’ in their electronic mailbox and/or in their personal network directory. For assistance in establishing these folders, contact the ‘Help Desk’.
Access to employees' electronic folders marked 'private' will only be conducted in warranted circumstances as indicated in Sections 6.4 and 6.5.
7. Identifying and Filing Electronic Records
7.1 Subject Classification
As a rule, departmental organizations use a subject classification structure to identify and file records. Employees should:
- Follow their organization's classification structure, filing paper and electronic information by subject category.
- Use the same subject classification structure in electronic systems and hard-copy records. This makes it easier to find information stored on paper and electronically.
Employees should verify their organization's subject classification practices with their manager or supervisor. If in need of expertise and best practices, consult the sector's IM professionals.
7.2 Filing Electronic Records
Methods for filing electronic records vary across the Department. Until there is a department-wide solution in place, there is no standard way to file these records.
What are the options?
- Shared directories and files in electronic networks (preferred for official records)
- Public folders in e-mail
- Personal folders in e-mail
- Personal directories and files in electronic networks
- CDs, diskettes (for sensitive and classified information stored under lock and key)
- EDMS (where implemented), and
- Paper format (print and file)
Employees should verify their organization's electronic filing practices with their manager or supervisor, keeping in mind that information that is classified as Protected B or higher must not be stored on the departmental network. If in need of expertise and best practices, consult the sector's IM professionals.