Protection of Information: Memorandum of Understanding with the Canadian Security Intelligence Service
Internal Audit Report
Corporate Audit and Evaluation Branch
In the Canada Revenue Agency (CRA), the Charities Directorate (the Directorate) of the Legislative Policy and Regulatory Affairs Branch (LPRAB) is responsible for registering charities and ensuring their compliance with the Income Tax Act (ITA).
The CRA also has a national security mandate relating to the registration of charities. In December 2001, the enactment of the Charities Registration (Security Information) Act (CRSIA), under Part 6 of the Anti-terrorism Act, redefined the role and importance of protecting the integrity of Canada's registration system for charities in support of Canada's anti-terrorism objectives. The Charities Directorate's role is to ensure that organizations suspected of links with terrorist activities are denied, or lose, charitable status under the ITA.
In delivering this mandate, the Directorate uses intelligence and classified information obtained from partner organizations. It must ensure that this information is appropriately safeguarded. Unauthorized access to this information would constitute an offence under the Security of Information Act.
To better support the exchange of information described above, the CRA and the Canadian Security Intelligence Service (CSIS) entered into a memorandum of understanding (MOU) on May 31, 2005. The purpose of the MOU is “to acknowledge the respective mandates of the CRA and CSIS and to set out the terms and conditions for exchange of information between the parties as they relate to the administration of the Charities Registration (Security Information) Act, the Canadian Security Intelligence Service Act and the Income Tax Act.”
The MOU requires both parties to ensure that procedures are in place to safeguard the information and protect it from any further disclosure. The CRA is required to ensure that all information received under this MOU will be safeguarded according to general conditions and procedures that comply with the Government Security Policy and the related operational standards of each agency. Further, the terms of the MOU require the CRA to conduct periodic internal audits of the protection of the information.
The protection of classified information is established in this MOU, and in a number of key documents, including the Security of Information Act, the Government Security Policy (GSP) and CRA's Finance and Administration Manual (FAM). The GSP established by the Treasury Board of Canada Secretariat prescribes the application of safeguards to reduce the risk of injury and preserve the confidentiality of assets, including information. The CRA's FAM also provides policy and guidance on the protection of assets, including security awareness, security screening, physical security, and IT security. It also provides policies and guidelines on the handling, storage, transmission and destruction of sensitive information.
Focus of the Audit
The objective of the audit was to determine whether the CRA is in compliance with the conditions governing the receipt, use, protection, storage, and destruction of information received from the CSIS and in accordance with the MOU signed on May 31, 2005.
The audit was conducted in the Charities Directorate, Legislative Policy and Regulatory Affairs Branch of the CRA. Interviews were also held with representatives from the Finance and Administration Branch, Information Technology Branch and the Corporate Strategies and Business Development Branch. The examination phase was conducted from June to December 2007. Information received from the CSIS for the period from January 2006 to April 2007 was included in the examination.
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
The audit confirmed that information received from the CSIS was adequately safeguarded. The program area complied with the relevant policies, procedures, laws and regulations related to the protection of information received from the CSIS. The audit identified a high level of awareness and understanding of legislation, policies, procedures, and best practices among employees of the program. There was no evidence that the information was used for any purpose other than for the enforcement and administration of the CRSIA and the ITA, or disclosed to any other entity. Further, the audit confirmed that necessary preventive controls have been implemented for the storage and protection of the information received.
Interviews held with officials within the Charities Directorate, the Security Directorate of the Finance and Administration Branch and IT Security Services indicated a high level of knowledge of security protocols and standards. The Directorate has invested considerably in a secure facility and IT infrastructure for the program operations. Employees and managers interviewed in the program area had appropriate and valid security clearances; a need to know; and had received security awareness training.
A senior IT security specialist with extensive security experience was contracted to provide services related to the identification, development, documentation, maintenance, and implementation of all security aspects pertaining to the program area's IT and operational environment, including Standard Operating Procedures on security protocols.
Site visits, review of supporting documentation and interviews demonstrated that controls are in place to ensure a secure and approved environment. These controls are in compliance with the GSP, relevant security standards and CRA's FAM. For example, to fulfill the prerequisite of storing classified information in appropriate secured zones, the Directorate completed appropriate and documented threat and risk assessments of its facilities. The RCMP conducted its own review of the facilities. Internal audit site visits and testing confirmed that physical access to classified information was restricted through controlled points of entry. Information was stored according to CSIS security standards and located in appropriate security zones. In addition to a secure environment, the audit team noted that employees were provided with clear guidance on the protection of information and complied with operating procedures.
The information received from the CSIS for the review period was appropriately identified, logged, stored and tracked. A 100 per cent file review of information received for the January 2006-April 2007 period was conducted. Files containing classified information were tightly controlled and appropriately tracked. Security standards require that classified information is stored in a security-approved locked filing cabinet or safe listed in the RCMP Security Equipment Guide and located in a Security or High Security Zone. Site visits confirmed that storage of information from the CSIS was appropriate. Furthermore, any classified information within the program area was stored on the secure classified network.
The MOU states that information provided under the MOU “will be retained for the minimum period that is required by subsection 6(1) of the Privacy Act and the administrative policies of the government of Canada. Thereafter, it must be immediately destroyed or returned to the other party”. To date, none of the classified information received from the CSIS has been authorized for destruction.
However, the audit team noted one area where the wording of the MOU should be clarified. Clause 15 of the “Confidentiality and Security of Information” section of the MOU states that information received by the CRA from the CSIS “will be treated as confidential”. Since the information received from the CSIS is classified, this statement does not provide the appropriate guidance and could create confusion about the required level of safeguarding for the information received from the CSIS.
In the next update of the MOU, clause 15 should be revised to indicate that the information received from the CSIS is to be treated as classified. The MOU should also provide specific guidance on the protection of classified information. It should be noted that this guidance is currently available both in the FAM and in the “Information Classification Security Standard Guide” on the Information Policy and Governance Division InfoZone site. This would provide certainty for all parties that the information received from the CSIS is protected according to the guidelines for safeguarding classified information.
1. Charities Directorate will work with the Federal and Provincial/Territorial Relations Division, Client Relations Directorate, Corporate Strategies and Business Development Branch to establish a time-frame for revising the existing MOUs.
2. In preparation for the re-drafting of these MOUs, the Charities Directorate, LPRAB, will undertake, by September 30, 2008, to have:
- initiated discussions with the CSIS to obtain their formal concurrence and input with regard to these specific changes;
- drawn up a proposed list of issues to be addressed when the MOUs are assigned for revision;
- discussed those issues with the CSIS to obtain their input and concurrence; and
- based on those discussions, prepared an initial draft of proposed amendments to the MOUs.
The CRA has appropriate security controls in place for safeguarding the information received from the CSIS. This audit found the CRA to be in compliance with the conditions governing the receipt, use, protection, and storage of information received from the CSIS, and in accordance with the MOU signed on May 31, 2005. Information received was handled in compliance with relevant legislation, policies and procedures.