Guide on Handling Protected and Classified Information and Asset

1. Objective

The purpose of this guide is to outline and explain office procedures for handling information or assets designated above Protected ‘A’ or ‘B’ (i.e. Protected ‘C’) or classified ‘Confidential’, ‘Secret’ or ‘Top Secret’, as well as information or assets bearing unique warnings or caveats that require special handling procedures.

In the course of an assurance engagement, whether a performance audit, a special examination or a financial audit, it may become necessary to review information that is designated above Protected ‘A’ or ‘B’, i.e. Protected ‘C’, or classified Confidential, Secret or Top Secret. Some information or assets may also be accompanied by unique warnings or caveats such as ‘Canadian Eyes Only’. In addition to any security classification, information or assets may also be considered sensitive because of their nature (e.g. that a person is a known associate of a convicted criminal). Distribution of information that is considered sensitive should be restricted to persons who have a legitimate need to see such information.

Depending on the type of information and its level of classification, handling requirements will necessitate additional safeguards. It is the responsibility of the auditor to know and follow these handling requirements.

This guidance is provided to elaborate on OAG expectations with respect to the handling of classified or sensitive documents. It is based on the OAG Security Policy.

2. Prerequisites

Auditors must never remove Top Secret information or information requiring special handling procedures from the audited entity.

Sensitive information regarding national security or police matters is provided on a “need to know” basis. Auditors need to understand the nature of classified and sensitive information before requesting access to it. Auditors should be familiar with the entity and the types of information that they may need to access during the course of an audit. When dealing with a department or agency that is primarily involved in matters of national security or public safety, auditors should seek advice from the Security Team.

Auditors must have the appropriate security clearance relative to the information they need to access.

Finally, auditors should be familiar with the Security of Information Act (SOIA), the Policy on Government Security and the OAG Security Policy. This guidance has been developed pursuant to those documents.

3. Important

The deliberate or inadvertent release of classified information may be a contravention of the Security of Information Act (SOIA) and in breach of the OAG Security Policy. It could seriously harm the reputation of the Office and most importantly cause damage to Canada’s national interest.

4. Definitions

Classified information. The Policy on Government Security (PGS) states: “Departments must identify information and other assets when their unauthorized disclosure, with reference to specific provisions of the Access to Information Act and the Privacy Act, could reasonably be expected to cause injury to:

  • the national interest. Such information is classified and must be categorized and marked based on the degree of potential injury (injury: “Confidential”; serious injury: “Secret”; exceptionally grave injury: “Top Secret”); and
  • private and other non-national interests. Such information is protected and must be categorized and marked based on the degree of potential injury (low: “Protected A”; medium: “Protected B”; high: “Protected C”).”

The OAG Security Policy defines classified information as: “information related to the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act, and the compromise of which would reasonably be expected to cause injury to the national interest.”

The Treasury Board Secretariat’s “Operational Standard for Physical Security” explains:

The injury to the national interest or to private/non-national interests increases with the sensitivity of the disclosed information. Injury may include damage to the defence and maintenance of the economic, social or political stability of Canada, compromise of other governments' interests, breach of privacy, liability or financial loss, loss of confidence in the Government of Canada, or decrease of government efficiency. Unauthorized disclosure of Secret or Protected C information will create more injury than unauthorized disclosure of Protected A or B information.

Sensitive information: Some classified or protected information, due to its unique nature, may warrant special safeguards.

Caveats: Auditors may also encounter classified information, including documents, that carries a caveat or warning. Caveats indicate that the information must be handled with additional security measures. These caveats must be respected. They can include:

  • Canadian Eyes Only;
  • Originator Controlled (ORCON): do not copy or share;
  • Handle Via COMINT Channels Only. This caveat requires that the reader has been indoctrinated for COMINT (Communications Intelligence);
  • compartmented information, such as “Extremely Compartmented Information (ECI)”, which is used for highly sensitive operational information and requires special indoctrination; and
  • other caveats or code words (usually appearing above the title of the document), which may indicate that clearance for special or sensitive information is required.

Auditors who encounter classified information with a caveat or codeword and are not familiar with them should verify with the audit entity that they are authorized to handle such information.

Need-to-know: In order for someone to access the information, the information must be necessary to conduct his or her official duties. The “Need to know” concept is fundamental to the operation of security and intelligence agencies.

“Need to know” is the principle whereby employees/consultants/contractors are provided with access to classified or designated information to properly carry out their current duties or responsibilities. Employees must be satisfied of their legitimate “need to know” before seeking access to classified or designated information. Before providing another person with access to classified or designated information, employees must be satisfied of that person’s legitimate need to know.

5. Access to entity information

The Auditor General Act and the Financial Administration Act provide for access to information needed to conduct our audit work. These acts entitle the Auditor General to free access at all convenient times to this information. The Auditor General is also entitled to receive from members of the public service and Crown corporations, where he is appointed auditor or special examiner, such information, reports and explanations, as he deems necessary. The Auditor General decides the nature and type of information needed to fulfill the responsibilities set out in legislation. Auditors are entitled to information that would not necessarily be accessible under the Access to Information Act. However, at the same time, the Office also has an obligation to ensure that it does not disclose or act in a manner that unintentionally results in the disclosure of entity information that would not otherwise be accessible. Section 13 (3) of the Auditor General Act directs audit staff “to comply with any security requirements applicable to any persons employed in that department or Crown corporation.”

The OAG Security Policy states that “The OAG shall limit access to classified and protected information and other assets to those persons who have:

  • the appropriate security screening and clearance level; and
  • a need to know the information, or a need to access the assets.”

Further guidance on access to information can be obtained from the Internal Specialist for Access to Entity Information; for classified information and assets you should contact the Security team.

The OAG Security Policy, the Access Communiqué, the Guidance to Deputy Heads, departmental and entity legal counsel and OAG audit liaisons on providing the Auditor General access to information in certain confidences in the Queen’s Privy Council provide additional details on this subject.

When dealing with classified information from an audit entity, it is the originator (entity) who classifies the information.

In certain instances, the auditor may be of the opinion that classifications are set at inappropriate levels by the audited entity—either too high or too low. In such cases, it is not our role to change the classification. However, the inappropriate classification may in itself become an audit issue if the team wishes to pursue it. The level can also be questioned if the team feels that the audited entity is trying to use an inappropriate classification level to prevent the team from gaining access to information.

6. Security of information

The Audit Manuals state that the Office meets the highest standards of professionalism and integrity and seeks to develop a relationship of respect and trust with those it audits. An important part of those standards and principles is ensuring the security and confidentiality of both client and internal information.

The Code of Values, Ethics and Professional Conduct requires that all staff be familiar with the security aspects of their work, accept security as an important individual responsibility, and follow the principles set out in the OAG Security Policy.

Furthermore, auditors dealing with classified information and assets must not share them (show, copy, discuss, etc.) with persons who are not cleared to the appropriate level. It is the responsibility of the auditor to verify the security clearance of an individual before sharing any information. Similarly, such information should not be shown to persons who do not have a need to know, notwithstanding their security clearance.

The OAG Security Policy indicates that audit principals are responsible for:

  • acquiring an understanding of the security classification system in their audit entities,
  • communicating the requirements to team members, and
  • ensuring that the safeguards for the storage of and access to information are equal to or higher than those required by the audit entity.

7. Security of Information Act

The Security of Information Act (SOIA) replaces the Official Secrets Act.

Auditors who use classified information should review the SOIA. It lists the responsibility to safeguard classified information as well as the potential penalties for breaches of the Act.

The Act introduces the idea of a person permanently bound to secrecy. This notion centres on persons who have access to what is termed “special operational information”. Such information would include any discussion of methods, sources or targets. Audit staff who handle special operational information may be designated as “persons permanently bound to secrecy”.

Such a designation of our employees is made by the Auditor General.

Being permanently bound to secrecy is not something audit staff are likely to face. If this issue is raised by an audited entity, the auditor should consult the Departmental Security Officer (DSO).

8. Required clearances

The Policy on Government Security (PGS) requires that departments must limit access to classified and protected information and other assets to those individuals who have a need to know the information, and who have the appropriate security screening level. To the extent necessary, they must also limit access to other assets requiring additional safeguarding for availability, integrity or value purposes.

The Government of Canada must ensure that individuals with access to government information and assets are reliable and trustworthy. For national security, it must also ensure the individual's loyalty to Canada in order to protect itself from foreign intelligence gathering and terrorism. Special care must be taken to ensure the continued reliability and loyalty of individuals, and prevent malicious activity and unauthorized disclosure of classified and protected information by a disaffected individual in a position of trust.

Departments must ensure that, prior to the commencement of duties, individuals who require access to classified information and assets have a valid reliability status, undergo a security assessment and are granted a security clearance at the appropriate level.

When requesting classified information from an agency, auditors may be questioned to determine that they have a legitimate need for the information. Auditors should not request classified information unless they have a clear requirement for that information.

9. Protocols

As a general rule, we do not want to enter into protocols governing our access to documents since they can have a tendency to go beyond procedures to the extent that we may be accepting limitations on our right of access. It is important to remember that the only limits to our right of access are those that are set out in legislation referring specifically to section 13 of the Auditor General Act.

In rare cases we may agree to a protocol; this would be necessitated by unusual circumstances. The issues of how documents are accessed, used in reporting and stored, and the report clearance process, are matters that we determine and should therefore not be limited in any way. Prior to beginning any discussions about such a protocol, the entity PX should consult Legal Services and Security.

However, we must ensure that, as provided in our Act, we comply with all of the security requirements of the audit entity, including clearances.

10. OAG practices for handling classified and sensitive information

Only audit staff or contractors with the appropriate security clearance may have access to classified or sensitive information and assets.

The transporting and storing of information and assets at the Secret level should follow the OAG Security Policy.

Information and assets classified Top Secret, or that have a caveat, must not be brought back to OAG premises. All work must be done at the entity’s site. If auditors determine that they need to keep a copy of a classified document, the audited entity should be informed and appropriate storage at the entity’s site obtained.

At the end of the audit, any classified information no longer required should be returned to the audited entity. If such information needs to be retained, it should be sent to the Records Office. In addition, the Records Office must be made aware of the classification and sensitive nature of the information.

Disposal of classified documents must be in accordance with the OAG Security Policy.

Any questions regarding the long-term retention or disposal of classified and/or sensitive documents should be discussed with the Records Office’s staff.

11. Communications

Protected ‘A’ and ‘B’ information may be faxed according to the procedures set out in the OAG Security Policy. Confidential and Secret information may be faxed only if the information is encrypted. Top Secret must not be faxed to or from the OAG.

The OAG has a Secure Telephone (STE) capable of operation at the Secret level. There is also a compatible FAX machine connected to the STE. This equipment is located in the COMSEC (Communications Security) room. Access to this room is restricted to authorized personnel only.

Use of the STE is controlled by the COMSEC custodian. The COMSEC custodian is a member of the Departmental Security Officer’s (DSO) team and is responsible for communications security and custody of the STE. The COMSEC Custodian will ensure that users of the STE are familiar with the STE protocol (see appendix “A”). Access to the COMSEC room is controlled by the COMSEC Custodian. The use of the STE is limited and is not intended for general use by audit teams.

The Revenue Canada team has the capacity to send faxes designated Protected ‘C’ to Revenue Canada. The use of this fax is restricted to the Revenue Canada team only and is not intended for general use.

12. Use of computers

Information that is classified above ‘Protected B’ cannot be processed (i.e. stored, emailed, read, looked at, printed, etc.) on standard OAG computer equipment.

Top Secret information must not be processed or stored on any OAG computer.

Classified information at the Confidential and Secret level may be used electronically (i.e. on a computer) only if that computer has been certified for such use by Security. A computer that has been configured to contain Confidential and Secret information must not be capable of connection to the OAG network, to a telephone line, or indeed to any outside connection. The network card and the modem must be removed. The computer must be stored in accordance with OAG policy for the secure storage of such classified information and assets.

If an audit team has an authorized need for a computer that may contain Confidential or Secret information, they should contact the Security Team or IT Services.

When a computer containing Confidential or Secret information is no longer required, Security should be contacted to ensure proper disposal.

13. Role of Security

Security can provide advice and guidance to audit teams in understanding the concerns of the security and intelligence community. Furthermore, Security can provide clarifications and explanations of security requirements for handling classified documents and/or sensitive information and assets.

Appendix “A”

Protocol COMSEC Room and Associated Equipment

Objective

The objective of this Protocol is to provide guidance to staff for the use and care of the COMSEC room, its contents, and associated equipment.

Background

Access to the COMSEC room is restricted to authorized personnel only.

Several teams have established a need to transmit classified documents. Based on this need, the OAG obtained a Secure Telephone (STE) and a compatible FAX. Communications Security Regulations (COMSEC) require that such equipment be located in a controlled space. The COMSEC room was created to fulfill this need.

Access to the COMSEC room is controlled by the COMSEC Custodian.

Purpose of the COMSEC room

The COMSEC room provides a secure environment to the SECRET level for the use of secure computers, a STE and a compatible FAX. However, the room is not soundproof or shielded.

Staff using the COMSEC room for work on classified documents have precedence over all other uses.

Security requirements

All unescorted persons using this room must have at least a Secret clearance. It is the responsibility of the COMSEC Custodian and the DSO to authorize staff to use the equipment in the COMSEC room.

No document or information classified above Secret can be retained, discussed or prepared in this room.

The door should be closed and locked when the room is not occupied.

Computers

The room contains a stand-alone computer. This computer can be used to work on documents classified at the Secret level or below. The computer must not be connected to any Office systems (phone, network, etc.), and documents should be printed in the room only. Records of documents should be retained on individual OAG-approved encrypted portable media and stored accordingly. After use, the computer must be stored in the DASCO cabinet.

STE and FAX

The room contains a Secure Telephone Unit (STE) that can operate in an encrypted mode. The STE is connected to a stand-alone FAX machine that is capable of handling the signal from an STE. Neither the STE nor the FAX should be connected to any Office system other than the STE line.

The STE shall be operated in accordance with the Government of Canada COMSEC protocol and applicable PGS regulations.

The COMSEC custodian for the OAG reports to the DSO.