Guideline on Controlled Goods Program registration

On this page

1. Registration

Registration in the Controlled Goods Program is mandatory for any person examining, possessing or transferring controlled goods in Canada. The program derives its mandate from the Defence Production Act (called the act in this guideline) and the Controlled Goods Regulations (called the regulations in this guideline). Part 2 of the act gives authority to the Minister of Public Services and Procurement to regulate the examination, possession and transfer of controlled goods in Canada. Registration in the program is also a prerequisite for certain import and export permits issued by Global Affairs. Failure to register may constitute an offence under federal laws that could lead to prosecution and substantial sanctions against the offender.

A person who is eligible may apply for registration by completing an application for registration form. It is important that all sections of the form be completed. Partially completed application forms will be returned to the applicant for completion.

1.1 Eligibility for registration

Individuals are eligible to register in the program provided they carry on business in Canada, give their consent to a security assessment and are a Canadian citizen or a permanent resident ordinarily residing in Canada.

Businesses are eligible to register in the program provided they are incorporated under federal, provincial or territorial laws or are authorized by federal, provincial or territorial laws to carry on business in Canada.

1.2 Exemptions

To be exempted from registration in the program, one must be a visitor, a temporary worker or international student of a person registered in the program, or an officer, director or employee of a person registered under the United States’ International Traffic in Arms Regulations (ITAR).

1.2.1 Exemptions requiring an application

Visitors require a certificate of exemption from registration prior to examining, possessing or transferring controlled goods. The designated official of the registered person (called the registrant in this guideline) must determine the visitor’s eligibility and then verify the completeness of the visitor application for security assessment and exemption from registration form and submit to the program. Visitors are not permitted to examine, possess or transfer a controlled good until a certificate of exemption from registration is issued by the program.

Temporary workers require a certificate of exemption from registration prior to examining, possessing or transferring controlled goods. The designated official of the registrant must determine the temporary worker’s eligibility, and then complete and submit an application for exemption from registration—temporary worker/international student form and a security assessment application—temporary worker/international student form to the program. A temporary worker or an international student is not permitted to examine, possess, or transfer controlled goods until a certificate of exemption from registration is issued by the program.

International students who have a requirement to examine, possess or transfer controlled goods over the course of their studies must apply for exemption from registration in the same manner as a temporary worker, as defined in section 17 of the regulations. A security assessment will be conducted by the program in accordance with section 15 of the regulations and section 19 of the regulations.

1.2.2 Exemptions not requiring an application

An individual is exempt from registration if they are a director, an officer or an employee of a person registered to access controlled goods under the International Traffic in Arms Regulations (ITAR), as per section 16 of the regulations. No application needs to be submitted to the program for anyone listed above.

These individuals are exempt from registration from the day on which they provide the registrant with all of the following:

In this case, eligibility is defined as not being debarred or suspended under the ITAR.

1.3 Persons excluded from registration

Part 2 of the act does not apply to a person who either:

In accordance with the regulations, the following classes of persons are excluded from registration:

1.4 Security assessments

In addition to submitting a complete application for registration form as outlined in section 3 of the regulations, applicants must also submit security assessment applications for the authorized individual, all owners of 20% or more of the voting shares or interests of the business and designated officials.

1.5 Justification for registration

As part of the registration process, applicants will be asked to provide a description of their business activities relating to controlled goods and a description of the controlled goods they intend to possess, examine or transfer. Applicants are encouraged to ensure that there is a need to be registered before submitting an application. Information regarding contractual or work commitments involving controlled goods may be requested.

1.6 Registration scope

The registration of a person extends to each officer, director or employee of the registrant who has been security assessed and authorized by the designated official to examine, possess or transfer controlled goods. Such extension of registration only applies when the security assessed individual acts in the course of their duties with the registrant.

Once security assessed, the individual has a significant level of responsibility in regards to safeguarding controlled goods at the registrant’s place of business and is subject to the requirements of subsection 37(2) of the act. For example, it is an offence to knowingly transfer a controlled good to an individual or business that is not registered or to an individual who is not exempt from registration. A business or an individual may be prosecuted under the act.

1.7 Period of registration validity

The maximum period of validity of a certificate of registration is five years. Registration is valid until the expiry date indicated on the certificate of registration. If an extension has been provided, the expiry date is indicated in that organization’s entry in the program’s registration search. An extension to the certificate of registration cannot exceed the maximum period of validity of five years. The certificate of registration is not transferable.

1.8 Registration renewals

The standard processing time for the program to renew a certificate of registration is 32 business days once the application validation is completed. An application for registration form (select renewal in section B—type of application) must be submitted no less than 90 calendar days prior to the expiry date indicated on the certificate of registration. This is to allow sufficient time for processing.

The application for registration for renewal must include the following additional information:

A renewal of registration does not automatically require the renewal of the security assessments for key personnel (the authorized individual, the designated official and owners of 20% or more of the voting shares or interests of the business). Security assessments of individuals are valid for a period of up to five years as long as the individual remains employed with the same business. Therefore, it is not necessary to renew individual security assessments if they have not reached their five-year expiry date.

2. Conditions of registration

The conditions of registration applicable to all registrants are set out in section 10 of the regulations as outlined below:

Details relating to these conditions are provided below. Specific additional conditions may be applied to a registrant. The program will communicate these conditions of registration clearly to the registrant when granting the certificate of registration.

2.1 Report any change in the application for registration form

The applicant has an obligation to report any and all changes to the information provided in the application for registration form within 10 business days, be it a phone number change, a civic address change or other information, as per section 9 of the regulations. This section also includes the requirement to inform the Controlled Goods Program of the name and address of any person that will, as a result of an acquisition, own 20% or more of the outstanding voting shares or interests of the business by the later of 32 business days before the date of an acquisition or one business day after the day on which they become aware of an acquisition.

2.2 Maintain records

A recordkeeping system must be established, implemented and effectively applied over the period of registration, and kept for five years after the person ceases to be a registrant. The recordkeeping system in place at the registrant’s place of business must only be accessed by individuals who are authorized to do so by the registrant. Records may be kept electronically or in paper format. Registrants must ensure that records are legible, that all changes are tracked and documented and that they are safe from modification by unauthorized persons. The registrant should review their recordkeeping system periodically to ensure it continues to meet the security needs for safeguarding controlled goods and reflects any regulatory or legislative changes.

The recordkeeping system implemented and established at the registrant's place of business is subject to inspection by the program at any time over the period of registration and for five years after the person ceases to be registered in the program.

The regulations identify three recordkeeping requirements:

2.2.1 Records of controlled goods

The registrant must keep and maintain records of controlled goods received, transferred or disposed of during the period of registration and retain these records for a period of five years after the day on which the person ceases to be a registrant, as per section 10(a) of the regulations.

The records must contain:

2.2.2 Records of security assessments

The registrant must keep records of the most recent security assessments and supporting documentation of each officer, director, employee, temporary worker, international student and visitor who examines, possesses or transfers controlled goods during the period of registration and for a period of two years after the day on which the individual ceases to be an officer, director, employee, temporary worker, international student or visitor of the registrant.

2.2.2.1 Records of officers, directors and employees

The records must include, but are not limited to, the following supporting documents:

2.2.2.2 Records of exempt individuals: Temporary workers and international students

The records must include, but are not limited to, the following supporting documents:

2.2.2.3 Records of exempt individuals: Visitors

The records may include, but are not limited to, the following supporting documents:

2.2.3 Records of International Traffic in Arms Regulations-exempt individuals

An individual who is a director, officer or an employee of a person registered to access controlled goods under the ITAR is exempt from registration under the program. The registrant must keep a copy of the evidence listed below for a period of two years after the day on which the individual who is exempt ceases to have access to the controlled goods of the registrant.

The records must include, but are not limited to, the following:

2.3 Appointing a designated official

Either a company or an individual can be registered in the Controlled Goods Program. As a condition of registration in the program, the applicant must appoint at least one designated official.

The designated official must be either a Canadian citizen ordinarily living in Canada or a permanent resident ordinarily living in Canada. If an applicant is an individual and does not have employees, that individual is considered the designated official, and will undergo a security assessment by the program and is not required to complete the Designated Official Certification Program, as this individual will not be performing security assessments of employees.

If a company is applying for registration, the proposed designated official must be an employee who consents to undergo a security assessment and completes the Designated Official Certification Program. The Controlled Goods Program will not approve the registration of the company unless their designated official(s) have successfully completed the certification program.

Learn about mandatory training for designated officials through the Designated Official Certification Program.

2.3.1 Number of designated officials per registrant

As a general rule, a designated official should be responsible for no more than 150 employees accessing controlled goods. A second designated official is always recommended. This will ensure ongoing compliance with program requirements and representation during holidays, staff changes or illness.

For example:

However, there may be instances where the number of employees does not warrant additional designated officials.

It is also recommended that the security plan of a registrant include a designated official at any site where controlled goods are being examined, possessed or transferred.

2.4 Ensure the designated official fulfills their duties

Every registrant shall ensure that the designated official carries out their duties as stipulated under section 13 of the regulations.

The key responsibility of a designated official is to perform security assessments of officers, directors, employees including domestic students of the registrant every 5 years. As an on-site representative of the registrant, a designated official is well-positioned to evaluate these individuals having access to controlled goods, and to make a determination as to the extent to which each may pose a risk of transferring a controlled good to an unauthorized person (business or individual).

2.5 Establishing and maintaining a security plan

Registrants must develop, implement and maintain a security plan. An effective security plan ensures that adequate measures are in place to protect against the unauthorized examination, possession or transfer of controlled goods by persons not registered or exempt from registration in the program.

There must be a security plan for each place of business (site) in Canada where controlled goods are kept. If the registrant operates a business at more than one geographical location or site, each location or site must be treated as a separate place of business and requires its own security plan.

The security plan for each place of business of a registrant must set out the:

A security plan not only has to be implemented and maintained, it also has to be effectively applied over the period of registration. The security plan must be handwritten or electronic and in a format that can be easily understood by the individuals who are subject to it. Electronic versions must be protected against unauthorized access or amendments. Each registrant is uniquely placed to determine the security plan they require in light of the nature of the controlled goods they examine, possess or transfer. Controlled goods are to be afforded a sufficient level of protection to prevent their unauthorized examination, possession or transfer.

2.6 Provide training to officers, directors, employees, temporary workers and international students

A registrant must provide training programs for the secure handling of controlled goods to officers, directors, employees, temporary workers and international students who are authorized to examine, possess, or transfer those goods.

Every officer, director, employee temporary worker and international student authorized to examine or possess controlled goods must undergo the mandatory training program which has to be established, implemented and effectively applied over the period of registration. Training programs must specifically set out the criteria for the secure handling of controlled goods. Each registrant is uniquely placed to determine the content of their training programs in light of the nature of controlled goods that they examine, possess or transfer.

A training program should be more extensive than a security briefing because it applies to those authorized persons who will examine, possess or transfer controlled goods on a regular basis (employees, officers, directors, temporary workers and international students of the registrant).

The training program must:

The frequency of training sessions will depend on the size of the organization, the rate of turnover, updates to the registrant’s security plan or changes to the program’s legislation or regulations. The training should be ongoing and performed periodically for those persons authorized to examine, possess or transfer controlled goods. Periodic refresher training should reinforce the information provided during the initial training and inform of any changes in the security plan.

The effectiveness of the training program in ensuring the secure handling of controlled goods by those authorized to possess, examine or transfer those goods, is subject to inspection by the program.

2.7 Provide security briefings to visitors

All visitors must receive a security briefing prior to examining controlled goods. Security briefings may vary depending on whether or not the program has placed any conditions on the visit. If conditions have been placed on the visit, then the standard security briefing will also include any conditions specific to that visit.

The standard security briefing should be updated to reflect any changes to the registrant’s security plan or to the program legislation or regulations.

The security briefing must:

The program will ensure, by site inspection if necessary, that the security briefings meet the regulatory criteria and are effective in ensuring the secure handling of controlled goods by those authorized to possess, examine or transfer those goods. Registrants should review their security briefings periodically to ensure that they continue to meet the security needs for safeguarding controlled goods and reflect any regulatory or legislative changes to the program.

2.8 Report confirmed and potential security breaches

Registrants must contact the Controlled Goods Program within three days upon discovering a potential security breach. Security breaches must be properly investigated by the registrant’s security organization and corrective action must be taken to prevent any re-occurrence. The registrant is best placed to determine the nature of a security incident and whether it constitutes a breach. Security breaches can be categorized as loss, destruction, modification, removal or disclosure, of a controlled good. For example, a security breach can be a known theft or disappearance, appearance of willful damage to or tampering with a controlled good and/or the witnessing of unauthorized persons examining controlled goods.

Any breach of a criminal nature that can be subject to conviction under the Criminal Code must be reported immediately to the authorities having jurisdiction, and in turn, within three days upon discovery to the program.

The security breach report must include at minimum the information listed below:

The program will use the information provided to track the incident and take corrective action as required.

2.9 Make available all records to the Controlled Goods Program

The regulations stipulate that all records and documents maintained by the registrant must be made available, at any reasonable time, to the Controlled Goods Program for examination.

2.10 Report a change in a security assessed individual’s criminal history

Section 15(5) of the regulations stipulates that an individual subject to a security assessment must inform the Controlled Goods Program or the designated official, as the case may be, of any changes concerning their criminal history within five business days.

2.11 Report any change in an application for exemption

Section 19(3) of the regulations stipulates that registrants must inform the Controlled Goods Program within five business days of any changes in an application for exemption.

2.12 Provide a list of security assessed employees to the Controlled Goods Program

In accordance with section 10(j) of the regulations, registrants must complete and submit to the Controlled Goods Program, every six months, the “Security assessed individuals list” template that states:

If no security assessments are carried out during that time period, the registrant must complete the template by checking the box “No security assessments were conducted during the last six months” and submit it the template to the Controlled Goods Program.

To submit or request the template, send an email to TPSGC.SSIDMCESP-ISSCGDISA.PWGSC@tpsgc-pwgsc.gc.ca.

2.13 Consider recommendations provided by the Controlled Goods Program in regards to high-risk employees

The Controlled Goods Program, on behalf of the Minister, will make a recommendation to the designated official in instances where a security assessment of a high-risk individual is referred by the designated official for further verifications. The designated official must consider this recommendation in their assessment. The final decision, of whether or not to grant access to an employee, director, or officer, remains with the designated official.

3. Third-party contractual workers

3.1 Contractual workers who are registrants

A contractual worker who is a registrant must provide his or her certificate of registration to the client. The registrant client must then confirm the identity of the contractual worker and the validity of the certificate of registration. The registrant client can do a registration search, if a company does not come up in the search result, you should contact the company directly for further verification.

3.2 Contractual workers who are employees of a registrant

If a contractual worker is the employee of a registrant company, the registrant client must then confirm the:

The registrant can do a registration search, if a company does not come up in the search result, you should contact the company directly for further verification. The individual’s identity and employment can be confirmed by communicating with the contractual worker’s own designated official.

Date modified: