Treasury Board of Canada Secretariat

ARCHIVED - Privacy and Data Protection - December 1, 1993 - Archived

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.



Author/Information: 

Financial and Information Management Branch
Treasury Board Secretariat
Telephone: (613) 957-2409  

Last Revision: December 1, 1993

Alternative Formats: This publication is available in alternative formats.



Table of Contents

Policy objectives

Policy statement

Application

Policy requirements

Monitoring

References

Enquiries




Policy objectives

To ensure the effective and consistent application of the provisions of the Privacy Act and the Privacy Regulations by government institutions.

To ensure that data-matching and data linkage of personal information for administrative purposes meet the requirements of that legislation.

To limit collection and use of the Social Insurance Number (SIN) for administrative purposes to those permitted by specific acts, regulations and programs and to establish conditions for its collection.


Policy statement

It is the policy of the government:

  • to recognize the rights of individuals to control over their personal information, and to support those rights through the effective and consistent application of the principles of the code of fair information practices embodied in the Privacy Act and the Privacy Regulations;
  • to ensure that Canadians and individuals present in Canada have access to all of their personal information which is held by federal government institutions, subject only to the exceptions contained in the Privacy Act;
  • to account for and give public notice of data-matching carried out by or on behalf of the government; and
  • to prevent the SIN from becoming a universal identifier by:
      • limiting collection and use of the SIN by institutions to specific acts, regulations and programs; and
      • notifying individuals clearly as to the purposes for collecting the SIN and whether any right, benefit or privilege could be withheld or any penalty imposed if the number is not disclosed to a federal institution requesting it.

The Privacy Act and Regulations (see Chapters 4-1 and 4-2) provide the legal framework for carrying out the government's policies in regard to protection of personal information, access to such information, data-matching and control of the Social Insurance Number.

An interpretation of the provisions of the Privacy Act and Regulations needed to implement this policy is set out in the guidelines.


Application

This policy applies to all institutions listed in the Schedule to the Privacy Act, except the Bank of Canada.


Policy requirements

Organization

1. Government institutions must have in place a current Delegation Order signed by the head of the institution which lists responsibilities delegated under section 73 of the Privacy Act, if any, and specifies the officials to whom each responsibility is delegated. A list of responsibilities which may be delegated by the head of the institution is contained in Chapter 3-1.

2. Government institutions must appoint an official, known as the Privacy Co-ordinator, who will generally co-ordinate activities relating to the Privacy Act for the institution.

Collection

3. Government institutions must have appropriate administrative controls in place to ensure that they do not collect any more personal information than is required for their programs or activities.

4. Government institutions must inform individuals from whom personal information is to be collected:

4.1 of the purpose of the collection;

4.2 whether response is voluntary or is required by law;

4.3 of the possible consequences of refusing to respond;

4.4 that the individual to whom the information pertains has rights of access to and protection of the personal information under the Privacy Act; and

4.5 of the registration number of the personal information bank in which the information to be collected is to be contained.

Note: This requirement may not apply in a limited number of situations where notifying an individual would result in the collection of inaccurate or misleading information. These situations are discussed in the guidelines in Part 2.

Use and Disclosure

5. Government institutions, in addition to the requirements of the Privacy Act, must ensure:

5.1 that appropriate administrative controls are in place to ensure against the disclosure of personal information to anyone who is not permitted access to it under the Privacy Act;

5.2 that the right to protection of privacy is fully considered where the Privacy Act allows discretion to disclose personal information;

5.3 that authority to disclose personal information to federal investigative bodies under paragraph 8(2)(e) of the Privacy Act is restricted to senior officials and that requests for such disclosures meet all the conditions set out in Chapter 3-6;

5.4 that a separate personal information bank is maintained for records of disclosures to federal investigative bodies. The bank must include a copy of the request and a copy of the personal information disclosed;

5.5 that any agreements made for the disclosure of information to other governments or international organizations under paragraph 8(2)(f) of the Privacy Act meet the minimum requirements set out in Chapter 3-6. These agreements must be indicated in all appropriate personal information bank descriptions in Info Source; and

5.6 that research privileges are withdrawn from any person or body discovered to be improperly disclosing personal information under the research and statistical purposes provision in paragraph 8(2)(j) of the Privacy Act, and that immediate steps are taken to prevent further disclosure of the personal information.

Accounting for personal information

6. Government institutions must account for and describe their holdings of personal information in accordance with the government-wide standards periodically issued by Treasury Board Secretariat.

Right of access

7. Government institutions must:

7.1 endeavour to assist individuals in obtaining access to their personal information and in exercising their rights under the Privacy Act (as set out in Chapter 3-2);

7.2 satisfy themselves as to the identity of an individual requesting access to personal information under the Privacy Act and their qualification for rights under the Act. They must also satisfy themselves as to the identity and rights of anyone who purports to represent another individual for the purposes of the Act; and

7.3 record all administrative actions taken in processing requests for access, correction or notation under the Privacy Act, where such actions are required by the Act or regulations. Administrative actions taken must be recorded in such a manner as to account for all deliberations and decisions regarding the processing of such requests.

8. Where the personal information to be disclosed to an individual with a sensory disability already exists in more than one alternative format which is acceptable to that individual, access shall be given in the alternative format they prefer.

When determining the necessity of conversion to an alternative format under paragraph 17(3)(b), among other factors that may be considered, the institution must consider the requestor's certification of their disability.

When determining whether the conversion of requested information to an alternative format is reasonable under paragraph 17(3)(b), among other factors that may be considered, government institutions shall consider:

  • the volume of the material to be converted
  • the likely utility of the converted format of the material to the individual
  • the cost of conversion (including the relative costs of conversion to other alternative formats).

Confidences of the Queen's Privy Council

9. Government institutions must consult through their institutional legal counsel with the Legal Counsel, Privy Council Office when information which may be considered to be Confidences of the Queen's Privy Council for Canada has been identified in response to a request for access to personal information under the Privacy Act, and must provide all the necessary related documents to the Privy Council Office.

Exemptions

10. Government institutions must:

10.1 review all requested personal information for the purpose of identifying and severing any portions of the information which are excluded from the provisions of the Act or which must be exempted, and making a decision concerning disclosure of any information which may be exempted. They must release everything which is neither excluded nor exempted;

10.2 ensure that due regard is given to the injury or detrimental effect on the interest specified in the exemption when discretion to exempt information is provided;

10.3 ensure that any decision to give or refuse access is made by an official with properly delegated authority and that the written exemption notification to the applicant is signed by someone to whom this authority has been properly delegated;

10.4 specify in their response to the applicant the subsection or paragraph of the Act upon which each exemption is based, except where to do so would reveal exempted information or cause the injury which forms the basis for the exemption; and

10.5 indicate the exemptions in a manner which allows the applicant to relate the particular exemptions to specific documents or portions of documents which have been withheld, except where to do so would reveal exempted information or cause the injury which forms the basis for the exemption.

Co-ordination of requests

11. Government institutions must consult with:

11.1 External Affairs Canada before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the conduct of international affairs;

11.2 National Defence before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the defence of Canada or any state allied or associated with Canada;

11.3 the government institution having the primary interest (i.e. the Department of the Solicitor General, the R.C.M.P., the Canadian Security Intelligence Service, National Defence or External Affairs) before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the detection, prevention, or suppression of crime or of activities suspected of constituting threats to the security of Canada within the meaning of the CSIS Act;

11.4 the investigative body or other government institution with primary interest in the law being enforced or investigation being undertaken before determining to exempt or disclose personal information on the basis of injury to the enforcement of a law of Canada or a province or the conduct of lawful investigations, or, in the case of the security of penal institutions, with the Correctional Service of Canada;

11.5 the investigative body that provided the information before determining to exempt or disclose personal information regarding a security clearance; and

11.6 the supplying institution before determining to exempt or disclose personal information the disclosure of which could affect the safety of individuals.

12. These consultations must be undertaken with or initiated through either the Privacy Co-ordinator or the official in that institution with delegated authority to exempt or disclose the information.

Exempt banks

13. Government institutions must consult with Treasury Board on any proposal for the establishment or revocation of an exempt bank.

14. Government institutions must submit to the Designated Minister any requests to designate exempt personal information banks. Requests for exempt banks submitted to the Designated Minister must include:

14.1 a description of the information to be included in the exempt bank;

14.2 the specific exemption provision under which the information requires protection, including, for exemption provision 22(1)(a)(ii), the law concerned (e.g. the Income Tax Act) and, for any injury test exemption, a statement of the expected detrimental effect;

14.3 an explanation, including cost implications, of why the information should be placed in an exempt bank rather than being subject to review on a case-by-case basis;

14.4 certification that all the files in the bank consist predominantly of personal information of the type described in Sections 21 or 22 of the Privacy Act and that procedures are in place to ensure that files are reviewed on an ongoing basis;

14.5 a draft Order in Council; and

14.6 a draft Regulatory Impact Analysis Statement.

Employee Privacy Code

15. Government institutions must conform to the principles of the Employee Privacy Code set out in Chapter 3-3.

Consultation with the Privacy Commissioner

16. Government institutions must notify the Privacy Commissioner of any planned initiatives (legislation, regulations, policies, programs) that may relate to the Privacy Act or any of its provisions, or that may have an impact on the privacy of Canadians. This notification must take place at a sufficiently early stage to permit the Commissioner to review and discuss the issues involved.

Use of the Social Insurance Number

17. Government institutions must:

17.1 limit their uses of the Social Insurance Number (SIN) for administrative purposes to those authorized by statute or regulation and for administering pensions, income tax, health and social programs (as listed in Chapter 3-4);

17.2 not withhold any right, benefit or privilege nor impose any penalty by reason of an individual's refusal to disclose the SIN to a government institution except for the purposes set out in Chapter 3-4 or as otherwise authorized by Parliament;

17.3 when collecting the SIN, inform the individual of the purpose for which the number is being collected; the authority under which the number is required; and whether any right, benefit or privilege can be withheld or penalty imposed if the number is not disclosed; and

17.4 when the SIN is included in any personal information bank, so indicate in the description of the bank provided for Info Source and cite the authority under which the number is collected and the purposes for which it is used.

Data-matching

Data-matching is defined as the comparison of personal data obtained from different sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains. Data-matching is therefore a specialized activity involving the collection, use and disclosure of personal information. Included in the definition of data-matching is data linkage, also known as data profiling.

18. Prior to initiating a matching program, government institutions must assess the feasibility of the proposed match. They must analyse the potential impact on the privacy of individuals and the costs and benefits of the data-matching program.

19. Government institutions must notify the Privacy Commissioner of a new matching program by providing him with a copy of their assessment of the program at least 60 days before it is to begin.

20. A data-matching program must be approved only by the head of the government institution or an official specifically delegated this authority by the head.

21. Government institutions must account for all matching activities in Info Source.

22. Government institutions must subject information generated by a matching program to verification with original or additional authoritative sources before that information is used for an administrative purpose.


Monitoring

The annual reports to Parliament required by the Privacy Act will be used to monitor compliance with this policy. Compliance with the SIN and data-matching provisions of this policy will be monitored through the advance notification and public accounting requirements. The Office of the Privacy Commissioner and internal audit groups within institutions will examine the institution's success in meeting the requirements for privacy and data protection.


References

This policy is issued under the authority of the Designated Minister (President of the Treasury Board) provided in Section 71 of the Privacy Act.

Chapters of the Treasury Board Manual that relate to this policy are:

  • Management of Government Information Holdings
  • Access to Information
  • Security Policy of the Government of Canada
  • Government Communications Policy

This policy replaces directives in:

  • Circular 1983-35, Interim policy guide: Access to Information and Privacy Acts, Parts III and IV;
  • Circular 1985-89, Access to Information and Privacy Glossary;
  • Circular 1986-4, Amendments to Privacy Regulations and to the Interim Policy Guide: Access to Information and Privacy Acts;
  • Circular 1987-11, New Requirements for Access Register Entries and Increased Financial Responsibility;
  • Circular 1989-12, Data-matching and Control of the Social Insurance Number.

Enquiries

All enquiries about this policy should be directed to the Privacy Co-ordinator of the institution concerned.

For policy interpretation, the Privacy Co-ordinator should contact the Information, Communications and Security Policy Division, Administrative Policy Branch, Treasury Board Secretariat.