DAOD 6500-1, Data Access

Table of Contents

  1. Introduction
  2. Definitions
  3. Overview
  4. Management
  5. Compliance and Consequences
  6. Responsibilities
  7. References

1. Introduction

Date of Issue: 2023-01-26

Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).

Approval Authority: Assistant Deputy Minister (Data, Innovation and Analytics) (ADM(DIA))

Enquiries: Director Data Policy and Digital Innovation (DDPDI)

2. Definitions

access by default (accès par défaut)

The principle by which access to data or information is made available unless a significant risk associated with such access can be demonstrated. (Defence Terminology Bank record number to be assigned)

big data (mégadonnées)

Data produced in high volume, at high speed and in various formats, and which is too complex to be handled with traditional data-processing software. (Defence Terminology Bank record number 695863)

data (données)

Set of values of subjects with respect to qualitative or quantitative variables representing facts, statistics, or items of information in a formalized manner suitable for communication, reinterpretation, or processing. (Policy on Service and Digital, Treasury Board)

Note: In the DND and the CAF, data is created, collected and used both in military operations and exercises, and in corporate administrative processes.

data asset (ressource des données)

An entity comprised of data from any source that can be governed and managed and that has potential to provide value or produce benefit. This can include data sets, databases, big data, and system and application output files. (Defence Terminology Bank record number 696417)

data domain (domaine des données)

A functional grouping of data assets governed by a shared set of principles, processes, standards and best practices.

Notes:

  1. There are three categories of data domains in the DND and the CAF: corporate, common and operational.
  2. A data domain can impact several level one advisor organizations. (Defence Terminology Bank record number to be assigned)

data governance (gouvernance des données)

A system of decision rights and accountabilities applicable to data-related processes.

Note: This system describes which action can be taken on which data asset, by whom, under which circumstances and using which methods. (Defence Terminology Bank record number 695865)

data management (gestion des données)

The development, execution and supervision of plans, policies, programs and practices that deliver, control, protect and enhance the value of data and information assets throughout their lifecycles. (Defence Terminology Bank record number 27521)

data quality (qualité des données)

A degree or level of confidence that the data provided meets requirements of the data user in terms of characteristics such as accuracy, completeness and reliability. (Defence Terminology Bank record number 33436)

data steward (responsable des normes de données)

The individual responsible for the life cycle of the data in a specific system or functional area. (Defence Terminology Bank record number 33440)

domain (domaine)

A specific field of knowledge or expertise. (Defence Terminology Bank record number 21857)

information (information)

The representation that a human or a machine assigns to data, facts or knowledge by means of known conventions such as reports, events, processes, decisions, ideas or opinions in any medium or form. (Defence Terminology Bank record number 696374)

information technology (technologie de l’information)

Involves both technology infrastructure and information technology applications. Technology infrastructure includes any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information. Information technology applications include all matters concerned with the design, development, installation and implementation of information systems and applications to meet business requirements. (Defence Terminology Bank record number 3161)

interoperability (interopérabilité)

The ability of different types of electronic devices, networks, operating systems, and applications to work together effectively, without prior communication, to exchange information in a useful and meaningful manner. (Policy on Service and Digital, Treasury Board)

reference data (données de référence)

Data that defines a set of permissible values that are used by other data fields and do not generally change, for example, units of measurement and country codes. (Defence Terminology Bank record number 696420)

3. Overview

Context

3.1 The CDS/DM Joint Directive on Data Management (the Joint Directive):

  1. provides that ensuring access to data to increase operational efficiency is a strategic objective for defence data management;
  2. directs ADM(DIA), as functional authority for data management and data governance, to introduce new policy instruments, standards and guidance to advance the strategic objectives of the Joint Directive;
  3. provides that level one (L1) organizations are expected to adopt a posture of data access by default within the DND and the CAF, withholding data only if they can articulate a specific operational risk to disclosure;
  4. provides that, with increased access to data across the DND and the CAF, comes the expectation that there will be increased vigilance and monitoring for unauthorized access or disclosure; and
  5. directs that Assistant Deputy Minister (Information Management) (ADM(IM)) will work with ADM(DIA) to develop and implement a risk-based data security approach to ensure that data can be easily accessible.

3.2 The Treasury Board Policy on Service and Digital:

  1. outlines the responsibility of departments to maximize the release of their information and data as open resources, while respecting information security, privacy and legal requirements; and
  2. applies to all data created, collected, held, used, shared or managed in any repository or system, in any format, and at any point in the data life cycle, regardless of origin.

Objective

3.3 The objective of this DAOD is to establish the roles, responsibilities and processes to facilitate timely access to data for planning, operations, decision support, and research and development, in the DND and the CAF.

Expected Results

3.4 The expected results of this DAOD in the DND and the CAF are:

  1. improved governance and management of data as a shared and strategic asset through a data stewardship model;
  2. the implementation of an access-by-default approach to data; and
  3. the implementation of a flexible, risk-based security approach to protect data from unauthorized access, use, sharing, disclosure, alteration or deletion.

4. Management

General

4.1 The DND and the CAF must establish accurate, consistent, integrated and authoritative data that is managed as a shared and strategic asset to support the DND and CAF mandate.

Process

4.2 L1s must ensure that DND and CAF data in their organizations is:

  1. searchable and findable across DND and CAF platforms, through unique identifiers, accessible indices, catalogues, tools, knowledge and support, to enable data users to locate data;
  2. interoperable across different data domains and systems using shared terminology, metadata and reference data that allow for data content, context and meaning to be preserved;
  3. accessible to authorized users based on standardized processes for authentication and authorization;
  4. trusted by the use of enterprise-wide data quality and data governance frameworks, standards, platforms and tools;
  5. able to be securely shared to enhance operations and improve performance;
  6. usable for the purposes for which it is collected and capable of subsequent reuse in other contexts;
  7. secured from risks and threats such as unauthorized access, use, sharing, disclosure, alteration or deletion, using a flexible risk-based approach; and
  8. disposed of in accordance with established retention periods applicable to DND and CAF data.

Data Access

4.3 The DND and the CAF must promote timely data access and sharing through the development of policies, directives, instructions and standards.

4.4 The DND and the CAF must protect security and privacy as required through role-based data access, appropriate authentication, authorization, encryption and an audit trail.

4.5 Decisions on data access must be taken through the data governance structure established in the Data Governance Framework.

4.6 Decisions about data access must be timely, transparent, documented and auditable.

Monitoring

4.7 ADM(DIA) must monitor the effectiveness of this DAOD.

Disputes and Conflicts

4.8 Any dispute over data access, or any conflict between the instructions in this DAOD and those in other instruments, should be referred to the Chief Data Officer, who will determine a process for resolution. The Defence Data Management Board (DDMB) has final decision-making authority on data access.

4.9 Those with responsibility for data under the Data Governance Framework may withhold access only if a specific operational risk, such as security, privacy, confidentiality and intellectual property concerns, can be articulated.

5. Compliance and Consequences

Compliance

5.1 DND employees and CAF members must comply with this DAOD. Should clarification of the policies or instructions set out in this DAOD be required, DND employees and CAF members may seek direction through their channel of communication or chain of command, as appropriate. Managers and military supervisors have the primary responsibility for and means of ensuring the compliance of their DND employees and CAF members with this DAOD.

Consequences of Non-Compliance

5.2 DND employees and CAF members are accountable to their respective managers and military supervisors for any failure to comply with the direction set out in this DAOD. Non-compliance with this DAOD may result in administrative action, including the imposition of disciplinary measures, for a DND employee, and administrative or disciplinary action, or both, for a CAF member. Non-compliance may also result in the imposition of liability on the part of Her Majesty in right of Canada, DND employees and CAF members.

Note – In respect to the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.

6. Responsibilities

Responsibility Table

6.1 The following table identifies the responsibilities associated with this DAOD:

The, a or an … | is or are responsible for …
ADM(IM)
  • providing an enabling information technology environment for the access, use and sharing of data as a strategic asset;
  • selecting, in collaboration with ADM(DIA), appropriate security classifications for data in order to facilitate its access, use and sharing;
  • developing technical requirements for the design, procurement and operation of information technology that enables data sharing;
  • developing and implementing, in collaboration with ADM(DIA), a risk-based data security approach to maximize data access while maintaining appropriate safeguards against unauthorized data access, use or disclosure; and
  • validating DND and CAF approaches for identity assurance and accepting trusted digital identities in support of data access and interoperability by using approved frameworks.
Assistant Deputy Minister (Defence Research and Development Canada)
  • providing advice on requirements for the design, procurement and operation of technology necessary to share scientific data.
ADM(DIA)
  • promoting a culture of data access by default through the provision of training and other initiatives to increase the capability for secure data access and sharing;
  • developing an authoritative source of data to support interoperability and data exchange;
  • supporting L1s in ensuring that data, and products derived from data, are accessible, shared and managed as strategic assets;
  • developing protocols and service standards for data access requests and decisions;
  • developing data quality, and data security and privacy frameworks, for the DND and the CAF;
  • providing guidance to the DND and the CAF on data sharing agreements and other arrangements;
  • providing advice to ADM(IM) on the development and implementation of a risk-based data security approach to maximize data access while maintaining safeguards against unauthorized data access, use or disclosure;
  • supporting ADM(IM) with appropriate security classifications for data in order to facilitate its access, use and sharing;
  • assisting ADM(IM) with requirements for the design, procurement and operation of information technology that enables data sharing;
  • ensuring that mechanisms, processes and procedures are in place to resolve disputes about data access;
  • developing key performance indicators for data access and sharing for the DND and the CAF; and
  • determining processes to resolve any dispute over data access or any conflict between the instructions in this DAOD and those in other instruments.
L1s
  • implementing a posture of data access by default, and withholding data only if there is a specific operational risk posed by the disclosure or aggregation;
  • ensuring that methodologies, mechanisms and tools are implemented to support data access;
  • developing processes for data access requests and decisions for data assets for which they are responsible;
  • safeguarding data with access controls appropriate to the level of sensitivity, and monitoring for any unauthorized data access or disclosure;
  • protecting privacy during data access and sharing in accordance with applicable legislation, regulations, policies, directives, instructions, standards and agreements, and ensuring appropriate consent is obtained when required under the Privacy Act for use, disclosure or both of any data that is personal information under that Act;
  • evaluating any third-party services considered for the collection, storage or processing of data to ensure their compliance with the requirements established by ADM(IM) and ADM(DIA), and documenting this evaluation for auditing purposes;
  • ensuring data access and sharing is in support of strategic objectives and is consistent with all applicable standards of ethics, transparency, excellence and conduct relevant to those activities;
  • ensuring that data activities are transparent, explainable, documented and available for audit; and
  • communicating decisions and activities that affect DND and CAF data management practices to DND employees and CAF members.
data users
  • complying with all applicable legislation, regulations, policies, directives, instructions, standards and agreements, including applicable information security, privacy and legal requirements, for data access and sharing;
  • understanding their roles as described in the Data Governance Framework;
  • ensuring that their data access and sharing is in support of strategic objectives; and
  • reporting any data security incidents through their channel of communication or chain of command, as appropriate.
DND employees and CAF members
  • understanding and respecting the management, stewardship, access, security and ethical use of data under their control.

7. References

Acts, Regulations, Central Agency Policies and Policy DAOD

Other References
