Department of Justice Guidelines on Security for Domestic Legal Agents: Protected Information and Assets

6. Physical Security and Document Safeguarding

6.1 General

A legal agent must hold a Government of Canada-granted Document Safeguarding Capability (DSC) to access, produce and safeguard Protected information and assets on its premises, pursuant to a legal agent appointment.  In order to be eligible to obtain a DSC, the firm must first obtain a DOS and have in place a system of security controls and procedures that meets the physical security requirements described below.

6.2 Physical Security Components

Physical security pertains to the location and design of a legal agent’s premises and measures to prevent, detect and respond to unauthorized access. The legal agent must implement specific measures to maintain effective control and safeguarding. This includes progressively restricted security zones, access control systems and procedures, secure storage cabinets, approved destruction equipment, and handling and safeguarding procedures as described below.

6.2.1 Security Zones

Legal agents are expected to maintain the appropriate security zoning within their premises. The typical security zones required for Protected information and assets are:

  • The Public Zone is the area to which the public has unimpeded access and generally surrounds or forms part of a firm’s premises – e.g., the grounds surrounding a building, or public corridors and elevator lobbies in multiple occupancy buildings.
  • The Reception Zone is the area of transition from a public area to a restricted-access area, and is typically located at the entry to the premises where initial contact between the public and the firm occurs.
  • The Operation Zone is the area where Protected government information and assets is accessed and stored, and to which access to all points of entry is controlled and limited at all times.

The organization and hierarchy of Security Zones as per Government of Canada standards, is depicted in Annex C.

6.2.2 Control of Access to Protected Information and Assets

6.2.2.1 General

The CSO is responsible for controlling access to Protected information and assets on the firm’s premises at all times, and limiting access to those individuals having the appropriate security screening and a need to know. 

6.2.2.2 Access Control Systems

The CSO must maintain an access control system to record all external visitors accessing the Operation Zone during normal working hours (e.g., electronic calendar, visitor control log) and ensure that such visitors are properly escorted when accessing the Operation Zone.

The CSO must also ensure that individuals accessing the Operation Zone outside of normal working hours (e.g., night-time cleaning staff) are screened to Reliability Status, or are properly escorted and that a record of all after-hours access is maintained. 

6.2.2.3 Key Control and Access Cards

The CSO must maintain systematic control over all locks, keys, combination settings and access cards that are used on the premises to safeguard Protected information and assets.

6.2.2.4 Lock-up Procedures

The CSO must ensure that all perimeter doors, and doors to operation zones, are locked at the end of the work day. Any individual remaining on the premises after hours must ensure that all doors are properly secured when leaving. 

6.2.2.5 Storage Cabinets

All Protected information and assets must be secured in a locked cabinet when not in use, and after normal working hours.

All storage cabinets used to store Protected information and assets, must have a locking mechanism and must be located within the Operation Zone.

6.2.2.6 Destruction of Information and Assets

Protected information and assets, including removable media (e.g., USB sticks, CDs, etc.) containing Protected information, must only be destroyed further to written permission or instruction received from the Department, and must be destroyed in such a way that the contents are not retrievable.

The firm must use only destruction equipment that meets Government of Canada standards (i.e., Type 111A shredder 2mm x 15mm or Type 111B 6mm x 50mm) or a document shredding company authorized or approved by the Department. All destruction equipment must be located within the firm’s Operation Zone.

6.3 Handling and Safeguarding of Information and Assets

6.3.1 Procedures

The Department expects legal agents to establish and implement procedures and methods that ensure the appropriate handling and safeguarding of all Protected information and assets while on their premises. 

6.3.2 Identification of Protected Information

Legal agents must give consideration to whether documents originating within their firm need to be marked as Protected A or B, and ensure the document is marked accordingly in the upper right corner of the face of the document.

6.3.3 Transport and Transmittal

The CSO must ensure that all Protected information and assets are appropriately secured when being transported or transmitted within or outside an Operation Zone. The Government of Canada’s minimum safeguards for transporting or transmitting information or assets within Canada are outlined in Annex D

6.4 Document Safeguarding Capability (DSC)

6.4.1 Process to Obtain a DSC

To enable the Department to fully assess a legal agent’s eligibility to be granted a DSC at a specific worksite, the CSO must certify that the firm’s premises meets the described physical security requirements and that the Protected information and assets in the firm’s possession are being appropriately safeguarded.

To facilitate the DSC assessment process, the CSO must complete a Request for Document Safeguarding Capability (DSC) Form – Protected B (DOJ-LASEC 03), certifying that:

  • a Designated Organization Screening (DOS) has been obtained;
  • appropriate security zoning is established and maintained by the firm;  
  • access control procedures and systems are maintained;
  • locked cabinets are used to store Protected information and assets, and cabinets are located within Operation Zone;
  • approved destruction equipment, or an authorized document shredding company, is used to destroy Protected information and Assets and all destruction equipment is located within Operation Zone; and,
  • procedures and methods are implemented to ensure appropriate handling and safeguarding of Protected information and assets.

The certifications provided in the form are subject to verification by the Department, and compliance with the certifications is a condition of the granting of a DSC.

The Department may require additional supporting documentation (e.g., a detailed floor plan of the firm’s premises, pictures of the Reception and Operation Zones and points of entry) to conduct the assessment, and will instruct the legal agent accordingly.

The Department may conduct an inspection of the legal agent’s premises, records and safeguarding procedures and methods, prior to granting a DSC. Where required, the inspection will involve verifying whether the premises meets the security requirements stipulated by the Department. Legal agents are required to provide the Department with full access to their premises, and to provide assistance and any information required for the purposes of an inspection.

As a result of an inspection, the Department may make recommendations to enhance the way a firm is safeguarding information and assets. Should the Department determine that a legal agent does not meet the physical security requirements, the granting of a DSC may be postponed or denied.

The Department notifies the firm in writing, once a DSC has been granted.

6.4.2 Validation of an Existing DSC

Where a legal agent firm holds a valid DSC granted by PSPC, the Department may validate and accept it, and issue the DSC as a Department of Justice-granted DSC, rather than redo the process.

To facilitate the validation of an existing DSC, the Department will require a copy of the letter granting the DSC and may require other documentation.  These requirements will be communicated to the legal agent as required.

6.4.3 Maintaining Compliance

A Department of Justice-granted DSC remains valid on the condition that the legal agent maintains compliance with the physical security requirements throughout the tenure of a legal agent appointment. The Department may require the CSO to conduct periodic physical security inspections of the firm’s premises and safeguarding procedures and to retain records of these inspections for review by the Department if required. As well, the Department may conduct an inspection of the firm’s premises at any time. Should the Department determine that a legal agent does not meet the physical security requirements, the DSC may be revoked.

The CSO must immediately notify the Department of any modification to the legal agent’s physical status, such as site relocation or renovations to its premises that could affect the safeguarding of Protected information and assets, prior to implementing the modification.

The CSO must maintain on file, all documentation related to the granting and maintenance of a DSC.

6.4.4 DSC Renewal Cycle

A DSC granted by the Department, is subject to renewal every five (5) years from the date of issuance. The onus is on the legal agent to notify the Department of its interest in renewing its DSC.

To request a renewal, the CSO must submit a completed Request for Document Safeguarding Capability (DSC) Form – Protected B, prior to the renewal date.

The Department notifies the firm in writing, once the DSC renewal has been granted.

Date modified: