Direction on the Use of Voice and Audio Communication Technology

SPIN No.: 2021-01
Date: August 12, 2021

Purpose

The purpose of this SPIN is to clarify for departments the existing Treasury Board of Canada Secretariat (TBS) Security policy requirements in the context of using communication technology when delivering services to the public, specifically through voice and audio.

Scope

This SPIN is specific to the use of voice and audio devices or services in communicating with the public, and applies to Government of Canada (GC) information that has a security category of Protected A or Protected B or is unclassified.

Effective date

This SPIN is effective as of August 12, 2021.

Application

This SPIN applies to departments as defined in section 2 and entities included in Schedules IV and V of the Financial Administration Act unless excluded by specific acts, regulations or orders-in-council.

Context

Communication technology, including telephones and mobile devices, plays a significant role in the day-to-day operations of GC departments. Such devices can have both a voice and data component capable of processing or communicating information and can be used to access enterprise networks and systems to process sensitive data. In addition to being used for exchanging information within the GC, they are also used to communicate with citizens and businesses in the delivery of programs and services.

To reduce risk to sensitive data and systems, GC organizations need to implement appropriate measures to manage and secure communication technologies.

Direction

Assessing injury

Before using communication technology to support departmental programs and services, departments must assign a security category (see Appendix J: Standard on Security Categorization, Directive on Security Management) to departmental information resources commensurate with the degree of injury that could reasonably be expected as a result of its compromise. It is expected that a department’s assessment of injury considers several factors, including, for example, its operating context, the effects of a privacy breach, or information aggregation and inference.

Applying safeguards

The Directive on Security Management aims to achieve effective management of security within departments. Its Mandatory Procedures for the Information Technology Security Control provides details on the requirements to support the deputy head’s accountabilities under the Policy on Government Security.

Subsection B.2.3.6 of the Directive on Security Management sets out requirements for system and communications protection: “Implement measures to protect information systems and their components, as well as the information they process and transmit, from internal and external network-based threats, such as threats related to the use of public networks, wireless communications and remote access.” More specifically, subsection B.2.3.6.3 states, “Use encryption and network safeguards to protect the confidentiality of sensitive data transmitted across public networks, wireless networks or any other network where the data may be at risk of unauthorized access.”

For further clarity, the requirement to use encryption to protect sensitive information (that is, up to Protected B) does not apply when transmitting beyond the GC through voice and audio only (that is, GC to a citizen or business), as the GC has no control over the external communications networks and personal devices used by the public.

The requirements set out in the Directive on Security Management continue to apply to communications within the GC via the use of any communication technology (that is, either within a department or between departments). This includes requirements in respect of physical security that may impact the location of use. The Considerations for Government of Canada Communication Technologies is available as a starting point for departments to clarify which technologies are appropriate for sensitive communications within the GC. When processing and transmitting sensitive GC information, employees should maintain awareness of their physical environment and apply protections commensurate with the information’s security category (for example, taking care to ensure information is not observed nor conversations overheard).

Delivering service

The Directive on Service and Digital defines how departments manage service delivery, information and data, information technology, privacy, and cyber security in the digital era, including how to leverage technology appropriately for different service delivery scenarios. For situations where services to the public are delivered via telephony (voice and audio), departments are responsible for implementing appropriate measures to mitigate risks and protect sensitive and personal information to the maximum extent possible. This includes applying the profiles and provisions set out in the following:

For additional guidance on leveraging technology to support the delivery of innovative and accessible programs and services, see the Guideline on Service and Digital.

Enquiries

Individuals in departments should contact their departmental Security group for information about this SPIN.

Individuals in a departmental Security group may contact the Security Policy Division at TBS by email at SEC@tbs-sct.gc.ca for interpretation of any aspect of this SPIN.
