Skip to content Skip to institutional links

Common menu bar links

Institutional links

Chief Information Officer Branch

Information and Privacy Policy

Access to Information and Privacy

Versions:
Print Version

Guidance on Preparing Information Sharing Agreements Involving Personal Information

6. Detailed Explanatory Notes

6.1 Purpose of sharing

An organization requesting personal information should be able to clearly identify the purpose for which the information is needed. For example, the information may be needed for a non-administrative purpose (where the information will not be used in a decision-making process that could affect the individuals involved) such as may be the case for:

program evaluation;
audit;
research, or
statistical analysis.

Conversely, the information may be needed for an administrative purpose where the information will be used in a decision-making process that will affect the individuals involved, such as for:

Authentication and verification: where personal information is compared and positively confirmed to identify individuals prior to granting access to programs and services, physical areas or information;
Administration of a program or service: where personal information is used for determining or verifying eligibility for programs, administering program payments or overpayments, issuing or denying permits/licences, processing appeals, etc.;
Compliance/regulatory activities: for example, where the information is used for detecting fraud or possible abuses of programs or services, harassment, etc., (where the consequences are administrative in nature – e.g. fine, discontinuation of benefits, audit of personal files or claims, etc.);
Criminal investigations and enforcement/national security: where the information is used for purposes related to investigations and enforcement in a criminal context or associated with national security or anti-terrorism activities (e.g. to investigate and prosecute offences, to facilitate the secure flow of people to Canada, to respond to the threat of terrorism, etc.).

6.2 Definition of "personal information"

Personal information is defined under section 3 of the Privacy Act as "information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,

information relating to the race, national or ethnic origin, color, religion, age or marital status of the individual,
information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
any identifying number, symbol or other particular assigned to the individual.

The list of examples included in paragraphs 3(a) to (m) of the Act is not exhaustive.

Personal information also includes any information that can remotely be linked to a person, such as an account number; a certificate or license number, an Internet Protocol (IP) address, a biometric identifier, a photographic image; and any other number, characteristic, or code that could lead to the identification of an individual. The person's name is not always the determining factor since personal information includes any recorded information that permits or leads to the possible identification ^[1] of an individual whether alone or when combined with information from sources "otherwise available", including public sources.

The use and disclosure of some types of personal information is not restricted by the Privacy Act. These exceptions are outlined in section 3, paragraphs j) to m) and include certain information about public servant positions, functions, and business coordinates; certain information about individuals performing services under contract with a government institution; information about discretionary financial benefits; and information about individuals who have been dead for more than 20 years. (The information is excluded from the definition for the purposes of sections 7, 8 and 26 of the Privacy Act and section 19 of the Access to Information Act.) ^[2]

Other types of personal information, as defined in sections 69, 69.1 and 70 of the Privacy Act, are also excluded from the scope of the Act. Such information would not, therefore, be disclosed in response to a formal request made under the Privacy Act. Sections 69 and 70 state that the Act does not apply to:

library or museum material preserved solely for public reference or exhibition purposes;
material placed in the Library and Archives of Canada, the National Gallery of Canada, the Canadian Museum of Civilization, the Canadian Museum of Nature or the National Museum of Science and Technology by or on behalf of persons or organizations other than government institutions;
personal information that the Canadian Broadcasting Corporation collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose;
Confidences of the Queen's Privy Council for Canada.

When in doubt about whether information is considered "personal" and what restrictions apply to that information, you should consult with your institution's Access to Information and Privacy Coordinator.

Note: Personal information is defined differently between jurisdictions and it could have an impact on the ISA. Some professional/employee information is not considered personal information in some jurisdictions while it is in other jurisdictions. Most privacy legislation applies to recorded personal information but some privacy legislation applies to recorded and non-recorded personal information. Personal health information is not treated equally by all jurisdictions. Some jurisdictions may have different requirements applicable to publicly available personal information.

It is recommended that the parties consider the implications of any jurisdictional differences in the definition of "personal information" before making a determination to share information.

6.3 Alternatives to sharing personal information with other institutions

Sharing personal information means that one or both parties may be disclosing to, or collecting personal information from, one another. Given the privacy implications involved, institutions should consider whether there are alternative approaches to sharing personal information with other institutions. For example, the following methods may be considered:

Sharing depersonalized information (removing all personal identifiers)
Personal information that has been modified so that the identity of the subject individual can no longer be determined is referred to as de-personalized information. This may be accomplished by removing identifiers such as a person's name, date of birth and other personal data that can be linked to the individual. Whatever the means used to de-personalize the data, re-identification should be rendered impossible, i.e. the remaining data, even when combined with other sources, should not permit any link to the individual(s).
Sharing aggregated data (such as a range of ages instead of specific ages)
Information that has been generalized in such a way that it cannot be linked to an individual, such as using a range of ages rather than specific ages of individuals, is known as aggregated data.

NOTE: Whenever one of the above-mentioned approaches is used, there should remain no possibility of re-linking any of the information to identifiable individuals. For example, to minimize the possibility of re-identification, it may be necessary to:

delete table data that contains information on fewer than five people (and other table data as necessary to prevent identification based on row and column totals);
combine categories;
review charts and graphs to ensure that they do not display information on identifiable individuals; and
thoroughly review "indirect identifiers" to ensure that they cannot subsequently be linked with other information to re-identify individuals (e.g., - indirect identifiers such as population, age group, sex and marital status).

It is a good practice to seek advice from statistical experts, such as officials at Statistics Canada. Such consultations would provide assurance that the information to be disclosed would not result in the re-identification of individuals.

If the objective cannot be achieved by using non-identifiable personal information, institutions should explore alternative approaches to reduce or eliminate privacy risks.

Sharing information available within the institution:

Of course, rather than sharing with other institutions, consideration should first be given to using personal information that exists within the institution, but is held by another branch or program area. The information may be shared between the programs:

with the consent of the individual to whom the information relates;
if the purpose of the sharing is consistent with the purpose for which the information was originally obtained or compiled; or
for another purpose if one of the conditions set out in sections 7 or 8 of the Privacy Act is met.

Even within the institution, legal authority (usually legislation) must exist to permit sharing personal information among its programs. That said, although information sharing agreements are sometimes used when sharing personal information between programs of the same institution, written agreements are not required. However, the sharing of such information must be in compliance with the Privacy Act, and must be accounted for in the institution's Personal Information Banks in the TBS Info Source publication.

In some cases, other legislation can take precedence over the Privacy Act (e.g., enabling legislation) and thus permit uses or disclosures, within or outside the institution. For example, the Income Tax Act, Statistics Act, and the Department of Human Resources and Skills Development Act contain specific authorities for the use or disclosure of personal information and thus override the application of use and disclosure provisions (sections 7 and 8) of the Privacy Act.

The program area that has control of the personal information to be shared can determine whether sharing is appropriate, with the advice of the departmental privacy and legal experts.

There may be other alternatives, but the benefits and privacy risks associated with a particular option should be compared and assessed before making a decision.

It is recommended that government officials document alternative approaches considered and the rationale for the option chosen.

6.4 Determining the need

A federal government institution may need to share or exchange personal information for a variety of reasons with one of the following government organizations or agencies:

another federal government institution;
the government of a province or territory in Canada;
a municipal or regional government in Canada;
the government of a foreign state;
an international organization of states or an international organization established by the governments of states; and
other organizations when required, e.g. the council of a First Nation.

There are particular circumstances, such as a health epidemic, when the provision of personal information to another jurisdiction is mandatory. For example, section 40.2 of the Quarantine Act (2005) is an example of federal legislation that requires personal health information to be disclosed in certain situations. However, most disclosures of personal information from one government institution to another are discretionary.

Institutions should consider discretionary disclosures only in circumstances where it is authorized by a federal law and there is a clear and justifiable purpose. In this context, the recipient's need to obtain the information should not be confused with administrative convenience. The "collecting government institution" should be able to demonstrate that it has the necessary authority to collect the personal information in the circumstances. Likewise, the "disclosing government institution" should be able to demonstrate that the personal information can be disclosed for a lawful purpose.

Arguments of public interest or benefit to the individual may also be invoked to justify disclosure. In all cases, the disclosure should be limited to the minimum amount of information necessary for the legally authorized purpose.

6.5 Defining the scope of the agreement

Institutions should always strive to ensure that they only disclose the minimum amount of personal information required for the stated purpose of an ISA, and that the disclosure is duly authorized under section 8 of the Privacy Act. The ISA should include a list of the personal data elements that will be exchanged along with the purpose for each and specific restrictions that may apply to any of the elements (i.e. the parties may wish to require that more sensitive data elements be encrypted, or impose more stringent conditions on subsequent use or disclosure, for example, if the Social Insurance Number is shared).

Institutions should also make every reasonable effort to ensure that all data elements disclosed are relevant and as accurate, up-to-date, and complete as possible in relation to the lawful purpose for which they are being shared with the receiving organization. The type, extent, quality and reliability of the personal information to be shared, as well as the method of transmitting the data, need to be clearly established by the parties before information is shared.

NOTE: Some organizations may hold a lot of personal information on individuals but not all of this information may be relevant to the purpose for which the other party requests the information, so it would not be appropriate to disclose it all. This is not only a matter for consideration by the organization holding the information but also by the one receiving it. Disclosing too much personal information or collecting more personal information than is necessary to fulfill a particular purpose is contrary to the Privacy Act and also contradicts universally recognized privacy principles and standards that govern the collection, use and disclosure of personal information.

An issue that should be resolved when sharing personal information is what quality of personal data is required by the recipient. For example, are the data to be shared relevant, accurate, complete, and up-to-date enough given the intended purpose(s) for which the recipient needs them? Because of the diverse environments in which data are collected for various purposes by government organizations, they may not always be suitable or reliable. Their accuracy, completeness, and quality may vary considerably. Thus, the data quality issue or the steps that may be required to render the data appropriate for the intended use may need to be addressed by the parties before entering into any agreement to share personal data.

This is of particular importance when the information to be shared consists of intelligence that has been gathered by the disclosing institution about organized crime, extremism, and other threats. In those cases, it is recommended that the disclosing organization indicate the reliability of the personal information to be exchanged by giving the background of the information, such as if it was something the organization observed, heard from a source or obtained by electronic intercept and the source of the information. Rating the reliability of the information and what should be done to corroborate it may need to be clearly articulated in the agreement. This would also require the use of caveats when sharing information to address any concerns about the reliability, relevance, and accuracy of information.

In addition, the process by which personal information will be exchanged between the parties e.g. postal mail, fax machine, telephone, electronic file transfer, or Internet access - whether this is a "push" (given to the other party) or a "pull" (taken by the other party), as well as the frequency under which it will be supplied - in real time, batch process or ad hoc requests - will also need to be agreed by the parties. This also includes any security measures that are appropriate to ensure the security of the data during and after transmission, such as encryption, password protection, or authentication. Such measures will have to be fully documented in the agreement. Often, these measures are included in a separate schedule attached to the agreement to allow for flexible amendment whenever the measures are changed.

Whenever possible, personal information provided by a government organization to another party should be pushed rather than pulled. This means that rather than giving access to the database in which personal information is stored, the institution would transfer the information or data to the other jurisdiction in the manner, and at the times and dates provided for in the agreement.

It is also a best practice for the institution to clearly identify upfront all purposes for which the personal information may be used or disclosed, including secondary uses. Any prohibitions on secondary use(s) or further disclosure(s) of the information may also have to be carefully scrutinized and agreed upon by the parties to the agreement to avoid any conflicts or misunderstandings with the applicable legislation of each jurisdiction, including access and privacy laws and other relevant laws.

Note: It is important that any prohibitions on secondary use(s) or further disclosure(s) that may be imposed on the recipient by the originator of the information, such as "caveats" or "third party rules" that prohibit further dissemination of the information without the originator's approval, be resolved between the parties through agreed-upon procedures prior to entering into any agreement to share personal information. Failure to include caveats increases the risk that information will be distributed by the recipient to unanticipated parties and that it could be used for unintended and possibly unacceptable purposes. These procedures should take into account applicable legislation of each jurisdiction, including access and privacy laws and other relevant laws.

Pursuant to the Access to Information Act and Privacy Act, information provided in confidence by other governments is subject to a mandatory exemption that gives the discretionary power to disclose with consent or if the government from which the information was obtained makes the information public. It is therefore strongly suggested that the agreement establish a consultation procedure to respond to Access to Information Act or Privacy Act requests. For example, the agreement could include a provision requiring the parties to consult with each other when in receipt of a request for access from the individual to whom the information relates to determine whether the party that furnished the information would consent to its disclosure.

To prevent the unauthorized disclosure, copying, use, or modification of information provided under the agreement, recipients are to restrict access to such information on a need-to-know basis, and use recognized security mechanisms such as passwords, encryption, audit trails, or other reasonable safeguards to prevent and deter unauthorized access.

It is recommended that information exchanges be adequately recorded or logged on the subject's file by the disclosing institution, so that recipients of any incorrect information can be informed and provided with accurate revised information.

Tagging or watermarking the information shared, especially when it is sensitive information, is one way of ensuring that the information will be treated in a manner that respects the terms and conditions of the agreement. For example, prior to being shared, all personal information could be headed or watermarked "Received in confidence pursuant to the agreement (title of the agreement)" or something that reflects the agreement between the parties. This would also assist in identifying the source of any unauthorized dissemination.

6.6 Ensuring Legal Compliance

When first considering a data sharing initiative, institutions should satisfy themselves that it is lawful. This means that once an organization has defined what, how, why and with whom it wants to share personal information, it should then conduct an analysis of all applicable federal laws, including regulations, to ensure that it has the legal authority to do so. The recipient would also be required to ensure that it has its own statutory authority to carry out the proposed data sharing activity.

The sharing of personal information can bring into play the Canadian Charter of Rights and Freedoms. The fact that a disclosure is specifically authorized under the Privacy Act or another Act of Parliament does not automatically ensure compliance with the Canadian Charter of Rights and Freedoms. Consideration of these laws, the Canadian Charter of Rights and Freedoms and the ancillary jurisprudence establish the legal framework that should be reviewed to determine whether there are any statutory restrictions on the data sharing activity proposed. It is recognized that the interrelationship between these areas of law is quite complex and specialist legal advice will often be necessary.

The following provides a general overview of the legal context within which an institution's decision to share personal information should be made.

6.6.1 Canadian Charter of Rights and Freedoms

The federal government is subject to the Canadian Charter of Rights and Freedoms and must ensure that its legislation, policies, and actions do not offend its protections.

Canadian courts have clearly established that sections 7 and 8 of the Canadian Charter of Rights and Freedoms protect the right to privacy under certain circumstances. The Supreme Court of Canada has determined that section 8 of the Canadian Charter of Rights and Freedoms guarantees the right to enjoy a reasonable expectation of privacy and protects individuals from arbitrary intrusion by the government into their private lives. This extends to the collection, use or disclosure of personal information. The closer the information is to one's "biographical core"- such as information about one's health, genetic characteristics, sexual orientation, employment, social or religious views, friendships and associations—the greater is the obligation on government to respect and protect the individual's privacy.

In addition to the privacy rights under sections 7 and 8 of the Canadian Charter of Rights and Freedoms, section 7 rights to life, liberty and security of the person may be engaged when information is shared with other countries. For more information in that regard, see sections 6.9.1 and 6.9.4.

It is recommended that government institutions consult their legal services to determine whether or not the proposed information sharing initiative may contravene the Canadian Charter of Rights and Freedoms.

The Canadian Charter of Rights and Freedoms compliance is contextual and needs to be reviewed on a case-by-case basis. The Legal Services units, as well as specialized groups within the Department of Justice, provide advice on constitutional law, administrative law, the Canadian Charter of Rights and Freedoms, international law, and criminal law in relation to national security and intelligence.

6.6.2 Other Acts of Parliament

The Privacy Act is not the single source of law that regulates the powers that a federal government institution has to collect, use and disclose personal information. There are other Acts of Parliament that contain statutory provisions that specifically authorize, prohibit or regulate the sharing of personal information. For example, the Statistics Act authorizes Statistics Canada to enter into agreements with provincial statistical agencies, federal, provincial or municipal government institutions or other corporations. The Department of Human Resources and Skills Development Act and the Income Tax Act
are other examples of such legislation.

Note: The Proceeds of Crime (Money Laundering) and Terrorist Financing Act, as amended, is another example of an Act that authorizes the collection and disclosure of personal information. The goal of the legislation is to detect and deter money laundering and the financing of terrorist activities. To achieve that result, the Act requires that financial institutions and other identified entities and individuals provide reports to the Financial Transactions and Reports Analysis Centre (FINTRAC) regarding suspicious and certain prescribed transactions. FINTRAC must undertake an analysis of these reports for the purpose of detecting and deterring money laundering and terrorist activity financing. To further its analytic capacity, FINTRAC is also authorized to receive voluntary information from police and other agencies and to access databases maintained by the federal or provincial governments for purposes related to law enforcement and national security.

FINTRAC is prohibited from disclosing any personal information reported to it or provided as voluntary information unless it has met one or more of the thresholds for disclosure set out in the Act. If following its analysis, FINTRAC meets one or more of the disclosure thresholds, FINTRAC must disclose what the Act calls "designated information" to police and other Canadian law enforcement and security agencies identified in the Act. With ministerial approval, FINTRAC may also enter into agreements with foreign counterpart agencies. If following its analysis, FINTRAC meets its statutory threshold in respect of disclosure to a foreign agency, it may disclose "designated information" to that agency for the purposes of investigating or prosecuting money laundering or terrorist financing offences.

Another example of legislation authorizing the transfer of personal information outside Canada is the Department of Immigration and Citizenship Act. The Act permits the Minister of Citizenship and Immigration to enter into agreements with foreign governments and international organizations for the purpose of facilitating the formulation, coordination and implementation, including the collection, use and disclosure of information, of policies and programs for which the Minister is responsible. The Canadian Security Intelligence Service Act permits the Service (known as CSIS), if it has the approval of the appropriate Minister and after consultation with the Minister of Foreign Affairs, to enter into arrangements or cooperate with the government of a foreign state, an institution of that state, or an international organization of states. Clearly, this cooperation could involve the transfer of personal information held by government institutions about Canadians or other foreign nationals.

There are also other federal acts that have provisions protecting the privacy of individuals or prohibiting the disclosure of specific types of personal information. For example, the Criminal Records Act stipulates that no information may be released concerning an individual's criminal convictions for which a pardon has been granted unless the permission of the Minister of Public Safety has been obtained – or with the written consent of the individual concerned. Similarly, the Youth Criminal Justice Act stipulates that, subject to specific exceptions, no person shall be given information that may identify a young person dealt with under that Act.

Other Acts, such as the Canada Pension Plan Act, Old Age Security Act, and DNA Identification Act, to name a few, also contain restrictions or prohibitions regarding the disclosure of personal information.

The decision to disclose personal information must be exercised by the designated decision maker in conformity with the lawful authority provided in the particular statute authorizing the disclosure.

The disclosures provided under subsection 8(2) of the Privacy Act are "Subject to other Acts of Parliament." The subsection 8(2) disclosures generally do not apply where a statute specifically forbids disclosure of information except in the circumstances provided for by that statute.

6.6.3 Privacy Act

Assuming the Canadian Charter of Rights and Freedoms and other Acts of Parliament do not prohibit the proposed information-sharing project, an institution should then ensure that the proposed disclosure and/or collection of personal information are in compliance with the Privacy Act.

The Privacy Act and associated TBS policies imposes the following standards relating to collection, accuracy, use, disclosure, retention, and disposition of personal information.

6.6.3.1 Collection of personal information

The collection of personal information plays an essential role in the administration of government programs and activities. The general approach of the Privacy Act is to create silos of personal information between federal government programs, and between federal institutions and other jurisdictions, to protect the informational privacy of individuals. This means that the personal information holdings of each government institution are segregated on a program or activity basis.

The collection of personal information by federal government institutions subject to the Privacy Act is limited by certain criteria imposed by sections 4 and 5 of the Privacy Act. They are prohibited from collecting personal information unless "directly related to a program or activity of the government institution." Government institutions must collect personal information to be used for an administrative purpose directly from the individual unless an exception in subsections 5(1) and (3) of the Act apply. Where the personal information is collected directly from the individual, the institution must generally inform the individual of the purpose of the collection (subsection 5 (2).

Subsections 5(1) and (3) of the Act allow for indirect collection of personal information to be used for an administrative purpose but only in specific and limited circumstances. The exceptions include where:

the individual authorizes the indirect collection of personal information;
direct collection is not possible;
a government institution can collect personal information from another government organization that is authorized to disclose the personal information to the institution under subsection 8(2); and
direct collection might result in the collection of inaccurate information or defeat the purpose, or prejudice the use, for which the personal information is collected.

Note: It is important to remember that for the most part, exceptions under subsection 5(3) of the Privacy Act are primarily intended for use by investigating bodies in those circumstances where notification and direct collection would jeopardize the investigation. For example, in the process of collecting personal information for law enforcement purposes or for carrying out a lawful investigation, it is often inappropriate or impractical to inform the person who is the subject of the personal information being collected of the purpose for which the personal information is required.

Indirect collection may be justified in other circumstances, but these must comply with the requirements of section 5 of the Privacy Act.

Though the principle of "minimal collection" is not expressly referred to in the legislation, it is a tenet of the Privacy Act that an institution should collect only the minimum amount of personal information necessary for the intended program or activity. Institutions should have administrative controls in place to ensure that they do not collect any more personal information than is necessary for the related programs or activities. They must have parliamentary authority for the relevant program or activity, and a demonstrable need for each piece of personal information collected in order to carry out the program or activity.

Parliamentary authority will usually be found in an Act of Parliament or subsequent regulations.

Note: In certain cases, the authority to collect personal information will be clearly articulated in law. The Income Tax Act offers a good example of this. In most cases, however, the institution's enabling statute will simply refer to an operating program or activity. In still other cases, the institution's enabling statute may make no specific reference to a particular program or activity, but a strong case can be made that the program or activity under examination is consistent with, and in furtherance of, the institution's statutory mandate.

In the absence of clear statutory authority to collect personal information, institutions should consult their legal services. It is important to remember that "consent" of the individual concerned is not sufficient to allow a government institution to collect personal information, in the absence of an authority to collect personal information.

6.6.3.2 Determining the need for consent or notification

Although not the case for the collection of personal information, obtaining the individual's consent for the sharing of personal information is an option that should be considered, where possible. Many of the privacy issues surrounding disclosure can be avoided if the consent of the individual is obtained beforehand. This is because consent allows government institutions to use or disclose personal information for any purpose consented to by the individual. In other words, it removes the need to rely on a specific disclosure provision.

In some cases, consent may not be needed, for example, under many federal-provincial social programs, it may be necessary that personal information be shared between jurisdictions to determine eligibility to particular program benefits. In such circumstances, it is appropriate to notify the program participants upfront about the sharing as a condition of program enrolment.

Several factors may need to be weighed before making a determination to seek consent or to notify an individual before disclosing his/her personal information to another organization. Consent should generally only be sought when there is a genuine opportunity to refuse and there is no legitimate and compelling reason for disclosing without consent. Moreover, if there are reasonable grounds to suspect that seeking consent or notifying the individual could undermine the legitimate purpose for which the information is being sought, it might be inappropriate to seek consent or to notify the individual in question about the disclosure. Legal advice should be sought in any case of doubt.

Note: Consent allows government institutions to use or disclose personal information for any purpose consented to by the individual. In other words, the consent of the individual removes the need to rely on a specific exemption or disclosure provision. Consent by an individual to the use or disclosure of personal information can be sought either at the time of collection of the information (for an authorized program or activity of the institution) or subsequently, when a specific need arises.

If consent for additional use or disclosure is sought at the time that the personal information is collected, government institutions should generally provide sufficient information concerning the intended use or disclosure to allow the individual to make an informed decision to consent or refuse. Such information should typically include a description of the specific information involved, the use or disclosure for which consent is being sought, and a statement that refusal to consent to such use or disclosure will not prejudice the individual in any way or result in any adverse consequences for the individual in connection with the primary administrative purpose being served by the information collection.

Consent for use or disclosure subsequent to collection is usually obtained in writing. This normally takes the form of a signed consent from the individual or authorized representative, specifying the permitted use or disclosure.

Disclosure without consent must only be made in accordance with subsection 8(2) of the Privacy Act. It is recommended that the following factors, which are based on the invasion-of-privacy test found in the Treasury Board Manual on Privacy and Data Protection, be considered when making a determination to disclose without consent.

1) Expectations of the individual: The conditions which governed the original collection of the personal information and the expectations of the individual to whom it relates are important criteria to consider before making a decision to disclose the information. Was the information compiled or obtained under guarantees which preclude some or all types of disclosures? Or, on the other hand, can the information be considered to have been unsolicited or given freely or voluntarily with little expectation of it being maintained in total confidence? Has the individual made a version of the information generally available to the public and thus waived the right to privacy in these circumstances?

2) Sensitivity of the information: It should be determined what type of information is involved in the information-sharing project. Is it obviously of a highly sensitive personal nature or does it appear to be fairly innocuous information? Is the information very current and for that reason more sensitive, or has the passage of time possibly reduced that sensitivity so that disclosure under specific circumstances would lead to no measurable injury to the individual's privacy? On the other hand, could disclosure of the information after a passage of time simply re-open old wounds?

3) Probability of injury: If the information is considered sensitive, can it be surmised that the particular disclosure carries with it the probability of causing measurable injury? Injury should be interpreted as any harm or embarrassment that will have direct negative effects on an individual's career, reputation, financial position, safety, health or well-being. As well, the organization may wish to take into account whether the intended disclosure would make the personal information available for a decision-making process by a government institution beyond that for which it is being disclosed.

It is a good practice to adequately document in the agreement the justification for not seeking consent or the procedures for obtaining consent, or for notifying individuals of a disclosure.

NOTE: If it is determined that consent will be requested or notification given for the collection, use or disclosure of personal information, a common approach on providing appropriate notice will have to be agreed to by all of the parties to the agreement, taking into consideration their respective legislation and authority.

The circumstances for obtaining consent or notifying individuals should generally be articulated within the agreement. For example, the agreement could mention that when providing notice, the data subject should be informed of the purpose for which the information is being collected, of any statutory authority for the collection, how it will be used and with whom it will be shared and for what purpose. If consent is sought and refused, objections must be recorded appropriately and each organization must abide by the refusal. The agreement could also stipulate that any withdrawal of consent will be immediately communicated to all parties.

In those cases where it may not be appropriate or reasonably practical to obtain the individual's consent, the Canadian government institution may wish to conduct a risk assessment or an invasion-of-privacy test to weigh the expectations of the individual, the nature of the particular personal information involved and the possible consequences of disclosure for the individual against the public interest in disclosure.

6.6.3.3 Accuracy of personal information

Subsection 6(2) of the Privacy Act requires a government institution to take all reasonable steps to ensure that the personal information it collects for an administrative purpose is as accurate, up-to-date, and as complete as possible. This is to minimize the possibility that a decision affecting an individual, for example determining clients' eligibility for benefits, would be made on the basis of inaccurate, obsolete, or incomplete information

Note: Government institutions should make every reasonable effort to ensure the accuracy, completeness or reliability of the personal information they intend to disclose to another level of government, especially where they know the other government institution may use the personal information for an administrative purpose. This is an important factor to consider in deciding whether to exercise the discretion to disclose personal information to another organization.

Providing unreliable, inaccurate or incomplete information to other agencies is in no one's best interests and can create potentially serious problems for those who rely on it and possibly those who are the subjects of the inaccuracies. Indeed, sharing such information may be worse than not sharing information at all. As a rule, if there are any reasonable doubts about the value of the information for the recipient, it may not be appropriate to share it.

As indicated by Justice O'Connor in recommendation # 6 of his September 2006 Report on the Events relating to Maher Arar: Analysis and Recommendations, information sharing is vital, but it must take place in a reliable and responsible fashion.

It is important that parties to an agreement base administrative actions on current personal information. To this end, the agreement could contain a provision that imposes an obligation that each party notify the other without delay, if it becomes aware personal information shared is not accurate, complete, and up-to-date. This is especially important where the impact on individuals might be high. In this regard, the agreement could contain a provision whereby the parties consent to review any administrative actions taken on the basis of the incorrect information provided.

Note: Paragraph 12(2)(a) of the Privacy Act gives individuals the right to request access to their personal information, which has been used, is being used, or is available for use for an administrative purpose. Paragraphs 12(2) (b) and (c) give individuals the rights: to request correction of their personal information where they believe there is an error or omission; to have notations of their requests for correction added to the files where the requests are refused; and to have anyone to whom the information was disclosed in the past two years notified of the correction or that a request to have the information corrected was made.

Where such notification is made to a federal government institution subject to the Privacy Act, the institution is legally required under the Act to make the correction or notation on any copy of the information under its control. Although the Act requires a federal government institution to notify other recipients of the information about the correction or the notation, the Act does not impose an obligation to recipients, who are not subject to the Privacy Act, to correct or amend the information in their records.

Given that situation, the agreement should specify that where an institution discloses personal information to another government organization for an administrative purpose and that information is later identified to be incorrect, the institution has a duty to notify the receiving parties to permit them to correct their records and if necessary, also amend any incorrect administrative actions taken on the basis of the incorrect information provided.

In practical terms, this means that the parties to the agreement must know what personal information was disclosed and to whom. This underscores the need for tracking and recording information shared. For this reason, the disclosing institution may require the recipient to keep a record of any subsequent disclosure of the personal information that was supplied under the agreement. Such a record of disclosure could contain the following information:

a brief description of the information disclosed;
the name of the entity or person to whom the information was disclosed;
the date of the disclosure;
a brief statement of the purpose for such a disclosure;
the format of the record (e.g. paper, electronic);
the method of transmission; and
the name of the person who made the disclosure.

If there is no record of the personal information that was disclosed, the parties to the agreement would not be able to notify third parties to whom the information was disclosed that the information has been corrected or that a request to have the information corrected has been made by the individual to whom the information relates.

6.6.3.4 Use of personal information

Once collected, section 7 of the Privacy Act permits personal information to be used by a federal government institution:

with the consent of the individual to whom the information relates;
for the purpose for which it was collected or consistent use; or
for another purpose if section 8 (2) of the Privacy Act is met.

For example, if an organization collected personal information from another organization for a particular purpose (i.e. program "A"), it should not use it for another purpose (i.e. program "B") without the individual's consent or evidence that it is for the same purpose, a consistent use (discussed below) or the other purpose comes within the terms of subsection 8(2) of the Privacy Act.

Note: An agreement should generally identify how the personal information shared or exchanged under the agreement is to be used. Secondary uses should be limited to those that are in accordance with section 7 of the Privacy Act.

Any prohibitions or limitations against subsequent or secondary use of the information would have to be clearly addressed in the agreement, taking into consideration relevant laws, regulations or policies of the parties to the agreement.

Subject to applicable legislation of each jurisdiction, including access and privacy laws and any other relevant law, the parties could agree not to disclose the information for a different purpose than originally intended without the prior consent of the other party,.

6.6.3.5 Disclosure of personal information

Section 8 of the Privacy Act states that subject to other Acts of Parliament, personal information under the control of a government institution cannot be disclosed without the consent of the individual to whom the information relates, unless the disclosure is permitted under subsection 8(2). This subsection of the Act outlines thirteen circumstances where personal information may be disclosed without consent. All subsection 8(2) disclosure provisions are discretionary.

Although a number of responsibilities under the Privacy Act may be delegated, such delegation must be approved by the head of the government institution. An institution's Designation Order should list the positions of the officials within the institution who have been delegated such responsibilities.

As for those sections of the Privacy Act that authorize disclosure and which do not specify who must make the decision, the Interpretation Act provides that the decision must be made by an "appropriate" official. Although there is no particular rule about who the appropriate official should be, it is important that an appropriate official be identified as having made the decision to authorize the disclosure, for the purposes of accountability and transparency.

Note: Some of the decisions regarding disclosure of personal information under subsection 8(2) of the
Privacy Act are more complex than others. Examples include: complying with subpoenas, warrants, court orders and rules of court to disclose information (8(2)(c)) and providing information required by the Attorney General for use in legal proceedings (8(2)(d)). Institutions should consult their legal services experts before making disclosures under paragraphs 8(2) (c) or (d) of the Privacy Act. Other disclosure under subsection 8(2) may be more routine; for example, providing the information to authorized auditors (8(2)(h)), or transferring information to the Library and Archives of Canada for archival purposes (8(2)(i)).

For more information, refer to chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection.

Where a government institution or the appropriate designated official has decided to make a disclosure, it should respect the security policy principle that only persons with a need to know the information are permitted to have access to the information.

The following describes the most commonly cited provisions of subsection 8(2) that are used by government institutions to share personal information with another level of government without the consent of the individual concerned.

Paragraph 8(2) (a) – Original purpose and consistent use: This paragraph gives government institutions the discretion to disclose personal information where it is necessary to accomplish the purpose for which the information was obtained or compiled or for a use consistent with that purpose.

A test of whether a proposed use or disclosure is consistent is whether it would be reasonable for the individual who provided the information to expect that it would be used in the proposed manner. This means that the original purpose and the proposed purpose are so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out.

Note: The test to determine whether a proposed use or disclosure of personal information is a "consistent use" has both an objective element – the reasonable and direct connection with the original purpose for which the information was collected – and a subjective element – a reasonable individual would foresee the institution using the information in that way.

Even where a disclosure would be a "consistent use", nothing in law requires the government institution that holds the information to provide it to the requesting government organization. The decision to disclose is discretionary and only the appropriate designated government official can decide whether to exercise discretion to disclose the information.

Section 11 of the Privacy Act requires that the description of personal information banks contained in Info Source include a statement of the consistent uses for which the information may be used or disclosed. Subsection 9(4) of the Act requires that institutions notify the federal Privacy Commissioner whenever personal information is used or disclosed in a manner consistent with the purpose(s) for which the information was obtained or compiled, but which is not included in Info Source. This subsection also requires that the institution ensure the consistent use is added to the relevant personal information bank description in Info Source.

Note: Federal government institutions should check the Info source publication to determine if the disclosure to the other government institution is listed as an existing use or a consistent use in the relevant Personal Information Bank (PIB). If the disclosure is not an existing use or a consistent use already cited in the PIB, then the personal information cannot be disclosed to the other government institution unless the individual either consents to the disclosure, the disclosure is in accordance with another paragraph of subsection 8(2) of the Privacy Act, or the government institution determines that it is a new consistent use. If it is a new consistent use, the institution should also take the necessary steps to notify the Privacy Commissioner and add the new consistent use to the relevant PIB in Info Source.

Paragraph 8(2)(b) – Act of Parliament or regulations: This paragraph provides that personal information may be disclosed for any purpose in accordance with any Act of Parliament or any regulations made thereunder that authorizes the disclosure. This paragraph encompasses all other authorities for the disclosure of personal information contained in federal statutes. For example, the Bankruptcy and Insolvency Act allows the Superintendent of Bankruptcy to maintain a public record of bankruptcies and to provide the information upon request and payment of the prescribed fee. Where personal information has been disclosed under a statutory authority, it is recommended that the description of the relevant PIB in Info Source include or be amended to include:

a reference to the statutory authority and/or regulations governing disclosure;
a brief description of the type of information disclosed;
the purpose of the disclosure;
who has received the information; and
any conditions respecting the use of the information.

Paragraph 8(2)(f) – Provinces, foreign states and international bodies: This paragraph allows personal information to be shared with provincial and foreign governments and international bodies for administering or enforcing any law or carrying out any lawful investigation, when the sharing is carried out under the terms of an agreement or arrangement.

For example, this provision may accommodate practices whereby personal information is exchanged between police forces, security and investigative bodies and their counterparts, both domestically and internationally, for law-enforcement purposes. The provision also aids in administering laws.

Where an institution will regularly exchange personal information under this provision, it is recommended that a written agreement be established.

There are other discretionary disclosures provisions under subsection 8(2) that may be used to disclose personal information to another government organization. These types of disclosure may be handled and documented on a case-by-case basis:

Paragraph 8(2)(c) - Subpoenas, warrants, court orders and rules of procedure of the courts of law: This paragraph permits a federal government institution to disclose personal information "for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of information." Government institutions should consult with legal advisors to ensure the validity of the subpoena and the proper form of compliance. When such records do not become part of the court's records, the government institution should request their return, either for proper disposition or re-integration into its filing system.
Paragraph 8(2)(j) – Research and statistical purpose: This paragraph authorizes the head of a government institution to disclose personal information to any person or body for research or statistical purposes, if the head of the government institution having control of the records is satisfied that it is essential for the purpose of the research project. The researcher, in turn, is required to sign a written undertaking that the information will not subsequently be disclosed in a form that could reasonably be expected to identify the individuals to whom it relates. ^[3]

When considering the discretion to disclose personal information under paragraph 8(2)(j), it is recommended that government institutions take into account the sensitivity of the information and other factors set out in the invasion-of-privacy test found in chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection

The Treasury Board Manual on Privacy and Data Protection (refer to chapter2-4)recommends that research privileges be withdrawn from any person or body discovered to be improperly disclosing personal information obtained or produced as a result of a disclosure under the research and statistical purposes provision in paragraph 8(2)(j) of the Privacy Act. This may mean taking immediate steps to prevent further disclosure of the personal information.

Note: If the personal information to be disclosed to the recipient for an administrative purpose will be used for research and statistical purposes (e.g., program evaluation, trend analysis, policy development, or statistical purpose, etc.), such secondary use of the information should comply with each party's laws and policies and be clearly identified in the agreement.

Paragraph 8(2(k) – Native claims research: This paragraph provides that personal information may be disclosed to any aboriginal government, association of aboriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of such government, association, band, institution or part thereof, for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada.

This permits the disclosure of personal information to researchers acting on behalf of the entities listed where they are involved in the process of settling native claims. Researchers must be accredited to undertake such research and must sign a written agreement holding them formally accountable for the protection of individual privacy. The Research Application and Undertaking Form may be used as an ISA for that purpose.

In exercising discretion to disclose personal information under the native claim research provision, it is recommended that government institutions take into account the sensitivity of the information and other factors set out in the invasion-of-privacy test. A version of the test is available in chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection.

Note: It is recommended that researchers involved in researching native claims provide identification, a Band Council Resolution or a letter authorizing them to conduct such research and to have access to files pertaining to the First Nation's or Inuit Association's claims research. The resolution or the letter would normally identify:

the researcher's name and organization;
the reserve, the band and the province or territory;
the requested subjects, clearly specifying the nature of the research; and
the signature of the Chief and Council (in a quorum).

Only the information necessary to complete the objective of the research should generally be made available. Thus, it is very important that the researcher's request be specific about the information being requested and the time frame involved.

Relevant information about native claims research may be found at Indian and Northern Affairs Canada and from historical records held at Library and Archives Canada.

Sub-paragraph 8(2)(m)(i) – Public Interest, or 8(2)(m)(ii) – Individual Benefit: As a supplement to the specific disclosure provisions described above, personal information may be disclosed for any purpose where, in the opinion of the head of an institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure (sub-paragraph 8(2)(m)(i)), or the disclosure would clearly benefit the individual to whom the information relates (sub-paragraph 8(2)(m)(ii)).

These disclosure provisions should be used with a good deal of restraint and their use should be recorded carefully.

Heads of a federal government institution who receive requests for disclosure of personal information under this provision should consider the matter by weighing the public interest in disclosure against any invasion of privacy that could result from the disclosure. The decision whether or not to disclose information should balance the public interest in disclosure against the threat to an individual's privacy. This balancing should be based on an invasion-of-privacy test. A version of the test is available in chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection.

Under subsection 8(5) of the Privacy Act, the institution must notify the Privacy Commissioner that it will be disclosing personal information in the public interest. The Commissioner may express concerns with the proposed disclosure and may, if the Commissioner thinks it appropriate, notify the individual whose information will be disclosed. However, the decision to release the information in the public interest, and how much to release, rests solely with the head of the institution (or the designate under section 73). The Privacy Commissioner has no authority to prevent the disclosure.

Additional guidance about this provision, including some examples of limited and specific situations where it might be used, is available in chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection.

6.6.3.6 Retention and disposition of personal information

Retention of personal information: In accordance with subsection 6(1) of the
Privacy Act and subsection 4(1) of the Regulations, personal information that has been used by a government institution for an administrative purpose shall be retained by that government institution for at least two years following the last use of the information, unless the subject individual consents to its earlier disposition. The Act also requires that where a request for access to personal information has been received, the institution should retain the information until such time as the individual has had the opportunity to exercise all rights under the law (e.g. rights to complain, to apply for judicial review, etc.). The obligation to retain personal records would equally apply where the records are relevant to an Access to Information Act request.

Similarly, where a request for disclosure of personal information to federal investigative bodies specified in the Privacy Regulations has been made under paragraph 8(2) (e) of the Privacy Act, subsection 8(4) of the Act and section 7 of the Regulations require that any information disclosed in response to the request be retained for a minimum of two years following the date the request was received by the disclosing institution. A separate PIB in Info Source must be maintained for all such records of disclosure and the records must be made available to the Privacy Commissioner on request.

There are exceptions to the principle of retention. For example, where an emergency exists at a diplomatic or consular mission abroad, the officer in charge could be authorized to order the destruction of personal information to prevent the removal of the information from the control of the institution. As well, the disposition of personal information prior to the expiration of the minimum retention period could be allowed with the written consent of the individual to whom the information relates. This might occur, for example, if the information were determined to be incorrect and if the most appropriate means of correction were disposition, or if the information were no longer required.

In accordance with the Library and Archives of Canada Act, the Librarian and Archivist of Canada authorizes the disposition of government records by issuing one of the following types of Records Disposition Authorities (RDAs):

Multi-Institutional Disposition Authorities (MIDA) relate to records managed by all or a multiple number of government institutions, and allow the institutions to dispose of records under certain terms and conditions;
Institution-Specific Disposition Authorities (ISDAs) relate to records managed by a single government institution, and allow the institution to dispose of their records under certain terms and conditions.

The Records Disposition Authorities Control System (RDACS) is an information system that contains summary descriptions of Records Disposition Authorities granted by the Librarian and Archivist to federal institutions, as well as online copies of relevant documentation. It includes descriptions of more than 2,200 authorities. RDACS is available to federal institutions at http://rdacs-syscad.lac-bac.gc.ca/index_en.html.

The Librarian and Archivist of Canada may determine that records containing personal information have archival or historical value. In such cases, procedures should be established to ensure the retention and transfer of those records to Library and Archives Canada.

Disposition of personal information: The disposition of personal information is regulated by subsection 6(3) of the Privacy Act and the Library and Archives of Canada Act.

Subsection 6(3) provides that a government institution shall dispose of personal information "in accordance with the regulations and in accordance with any directives or guidelines issued by the designated minister in relation to the disposition of such information."

Note: Under the Library and Archives of Canada Act, government records cannot be destroyed or disposed of without the consent of the Librarian and Archivist of Canada. Subsection 12(1) of the Act provides that:

"No government or ministerial record, whether or not it is surplus property of a government institution, shall be disposed of, including by being destroyed, without the written consent of the Librarian and Archivist or of a person to whom the Librarian and Archivist has, in writing, delegated the power to give such consents."

Library and Archives Canada consents to the disposition of government records through "records disposition authorities". These authorities can apply to multiple institutions (multi-institutional disposition authority) where the records in question are of a type that many institutions hold, or through institution-specific disposition authorities.

Government institutions should contact Library and Archives Canada in order to arrange for a disposition authority, a document identifying which records will eventually be transferred to them and which records the institution may destroy.

In addition to the requirements of the Library and Archives of Canada Act and the Privacy Act regarding the retention and disposition of records containing personal information, the Access to Information Act makes it an offence to destroy or conceal a record with intent to deny a right of access under this Act. Under subsection 67.1(1) of the Act "No person shall, with intent to deny a right of access under this Act,

destroy, mutilate or alter a record;
falsify a record or make a false record;
conceal a record; or
direct, propose, counsel or cause any person in any manner to do anything mentioned in any of paragraphs (a) to (c)."

The Privacy Regulations require that personal information used for an administrative purpose be retained for a minimum of two years. There may be other retention obligations, for example, if a person files a request for information either under the Access to Information Act or the Privacy Act, the information cannot be disposed of until such time as the person has had the opportunity to exercise all of his/her rights under that Act.

The disposition methods chosen will depend on factors such as the sensitivity of the information, how much information is to be destroyed, and the form in which it is recorded.

Note: It is a best practice to specify in the agreement how long the shared personal information is to be kept and whether the information is to be returned to the source or destroyed by the recipient, and the disposition standards expected. It is important that retention and disposition of personal information be in accordance with each party's records management legislation and policies.

Depending on the sensitivity of the personal information shared, federal government institutions may also require to be notified by the recipient when destruction has taken place. This would require the recipient to maintain a record of destruction or a log of the disposition of any shared personal data. Such record of destruction or log could contain the following information and be made available to the other party immediately upon its request:

details of the records that were disposed of (e.g. file name, file number, date(s) of the records);
the method of destruction (paper copy shredded or electronic copy deleted from all files);
the date of destruction (day, month, year); and
the name and position title of the person who carried out the destruction of the records.

6.6.4 Protection of personal information

In accordance with the Privacy Act ^[4] and Regulations and related Treasury Board Secretariat policies, a federal government institution must take every reasonable precaution to protect the security and confidentiality of personal information under its control by ensuring that organizational, physical and technological safeguards and controls have been put in place and are maintained.

The nature of the safeguards used to protect personal information from both external and internal sources will vary depending on the sensitivity of the information that has been collected; the amount, distribution and format of the information; the method of storage; and the harm or injury that would arise from a breach of security. More sensitive information will be safeguarded by a higher level of protection. To this end, government institutions should follow the requirements of the Policy on Government Security and other associated standards and directives, if applicable. Other institutions should refer to their own internal security policies and procedures.

For example, the methods of protection could include the following:

Administrative measures: policies and procedures to protect the privacy and security of personal information, staff training on privacy, limiting access to information on a "need-to-know" basis, and the reliability of employees having access to the information.
Technical measures: passwords, audit trails, encryption, firewalls and other technical security safeguards to minimize the risk of unauthorized individuals accessing personal information.
Physical measures: such as locked files, restricted access to offices and other areas where personal information is stored.

Moreover, the safeguards should take into account actions that may need to be taken to respond to security or privacy breaches, including the notification of affected parties. For more information in that regard, please consult the TBS Guidelines for Privacy Breaches.

Note: It is recommended that each party to the agreement be required to treat personal information
received from the other party in confidence and to take all reasonable measures to preserve its confidentiality and integrity and to safeguard the information against accidental or unauthorized access, use or disclosure. A schedule setting out the security measures and safeguards to be taken by the parties to protect the information could be annexed to the agreement. For example, it could include details about any security requirements concerning the locations of databases, storage methods, and methods of transmission, use of technology or personnel assigned.

If the proposal involves the sharing of particularly sensitive information, the parties may even require the conduct of a threat and risk assessment or similar security assessment in order to identify potential risks associated with the sharing activity, and to develop strategies for mitigating them, as a pre-condition for sharing.

The agreement could also require that each party designate a senior individual (or individuals) within the organization who would be responsible for monitoring the implementation of the agreement's terms and conditions. In such a case, a list of designated officers, who will assume responsibility for privacy, security and confidentiality issues and/or compliance with legislation within their respective organizations, would be annexed to the agreement or made available to the participants upon request.

The agreement could require that in the event of accidental or unauthorized access, disclosure, use, modification, and deletion, the party responsible for the security of the personal information will promptly take all reasonable steps to prevent a recurrence of the event and will promptly notify the other party of the occurrence.

In the event of a breach of privacy or security, the agreement may allow the disclosing party, upon receiving notice of accidental or unauthorized access, disclosure, use, modification and deletion, to, at its discretion, terminate the agreement immediately and may request the return of personal information already disclosed. The agreement should include a plan to notify the individuals whose information was disclosed.

Government institutions may wish to consult with their security personnel and, if necessary, with systems or information technology personnel, to determine which safeguards or security measures should be put in place to meet the institution's security standards. They may also need the expertise of information management staff.

6.7 Ensuring policy compliance

6.7.1 TBS Policy on Privacy Protection

The TBS Policy on Privacy Protection states that heads of government institutions, or their delegates, are responsible for:

establishing measures, when personal information is involved, to ensure that the government institution meets the requirements of the Privacy Act when contracting with private sector organizations, or when establishing agreements or arrangements with public sector organizations; and
ensuring that appropriate privacy protection clauses are included in contracts or agreements that may involve intergovernmental or transborder flows of personal information.

The Policy also requires that institutions establish a privacy protocol for the collection, use or disclosure of personal information for non-administrative purposes, including research, statistical, audit, and evaluation purposes. Such a protocol could be used in information sharing initiatives for non-administrative purposes, between federal government institutions or programs of the same institution, as well as other government jurisdictions, within and outside of Canada.

6.7.2 TBS Directive on Privacy Impact Assessment

The TBS Directive on Privacy Impact Assessment supports the President of the Treasury Board's responsibilities by ensuring that privacy implications will be appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented.

The Directive requires that an institution conduct a Privacy Impact Assessment (PIA):

when personal information is used for or is intended to be used as part of a decision-making process that directly affects the individual;
upon substantial modifications to existing programs or activities where personal information is used or intended to be used for an administrative purpose; and
when contracting out or transferring a program or activities to another level of government or the private sector results in substantial modifications to the program or activities.

The sharing of personal information with other organizations will trigger the requirement for a PIA unless the sharing is intended for a non-administrative purpose, in which case the institution could follow an internal protocol for the collection, use or disclosure of personal information for non-administrative purposes.

Government institutions must submit their final PIA reports to the Office of the Privacy Commissioner (OPC). The OPC may provide comments and recommendations to the institution. However, the final decision on whether or not to implement any OPC recommendations rests with the institution.

6.7.3 TBS Directive on the Social Insurance Number (SIN)

The Privacy Act does not expressly refer to the Social Insurance Number and does not create special rules for its collection, use and disclosure compared with other types of personal information. However, like any other identifying number, the Social Insurance Number falls within the definition of personal information under the Privacy Act.

If the Social Insurance Number is to be used to permit the exchange of personal information between parties, such a use must be lawful and in compliance with the TBS Directive on the Social Insurance Number, which outlines specific restrictions on the collection, use, and disclosure of the Social Insurance Number by government institutions and specifies the processes for establishing policy authorization for a new collection or use.

6.7.4 TBS Directive on Privacy Practices

Under the Policy on Privacy Protection, heads of government institutions are to establish practices for the management and protection of personal information under their control to ensure that the Privacy Act is administered in a consistent and fair manner. The TBS Directive on Privacy Practices supports the policy by setting out the requirements for sound privacy practices and management of personal information. Taken together, the Policy on Privacy Protection and its related directives and guidelines are the instruments upon which a sound privacy management strategy within government institutions is structured.

The Directive specifies that institutions adhere to the following requirements when personal information is being disclosed to another public or private sector institution, including another government institution:

The privacy notice reflects, as appropriate, the disclosure;
An agreement or arrangement with appropriate safeguards has been established between the government institution and the public sector entity, whether that entity is international, federal, provincial or territorial, or municipal.

6.7.5 Government's Treaty Policy

In February 2008, the Government announced its Treaty Policy, which can be found at http://www.treaty-accord.gc.ca/procedure.asp. The objective of the policy is to ensure that all instruments governed by public international law, between Canada and other states or international organizations, are tabled in the House of Commons following their signature or adoption by other procedure and prior to Canada formally notifying that it is bound by the Instrument.

The policy makes all departments responsible 'for informing the Treaty Section of the Department of Foreign Affairs and International Trade before beginning any negotiations with another State, whether with its government as such or with one of its agencies, or with an international organization. In this way a proper distinction between treaties and other international instruments that are not binding in public international law can be maintained. If a treaty is to be negotiated, a Memorandum to Cabinet to obtain a negotiating mandate will be required. Departments are responsible for ensuring the Treaty Division has sufficient lead time to verify the texts in all languages and to ensure that proper government authority is obtained before Canada signs the treaty or expresses its consent to be bound by it.

The Legal Branch of the Department of Foreign Affairs and International Trade provides advice on international law, including treaty law, and is responsible for ensuring compliance with the Government's Tabling of Treaties in Parliament Policy. Departments are responsible for ensuring that legal advice is sought.

6.8 Assessing the risks

In addition to ensuring that they have the legal authority to carry out their proposed information-sharing projects, federal government institutions should also ensure that any privacy and security risks that may be associated with such initiatives are addressed, mitigated, or eliminated before entering into any agreements to share personal information.

Assessing privacy and security risks can be done in a systemic and consistent manner though the completion of a Privacy Impact Assessment (PIA) or a Threat and Risk Assessment (TRA) where applicable. These risk management tools, which are described hereunder, have proven to be effective in ensuring this is achieved.

Privacy Impact Assessment (PIAs):

A PIA is first and foremost a tool that provides decision makers with a logical framework to:

identify potential privacy issues relating to a given proposal by assessing the proposal's compliance with privacy protection legislation, policies and principles;
forecast the probable impacts associated with issues or non-compliance; and
identify actions and strategies to eliminate or reduce privacy risks.

As previously indicated, under the TBS Directive on Privacy Impact Assessment, institutions are required to conduct a PIA under certain circumstances, including when personal information is shared between programs, institutions or jurisdictions. The Privacy Impact Assessment will help to ensure that the information-sharing activity is compliant with the Privacy Act and that measures are implemented to mitigate potential privacy risks, including the establishment of an ISA, which contains clauses to that end.

Threat and Risk Assessment (TRA):

When sharing personal data, the parties should strive to maintain administrative, technical and physical safeguards to protect the privacy of individuals and the confidentiality of their personal information. The conduct of a TRA is a recognized process used by federal government institutions to determine any potential threat or hazard that may endanger the confidentiality, security, or integrity of the personal data to be shared. TRAs can be short and simple or far more detailed and rigorous, depending on the sensitivity, criticality, and complexity of the program, system or service being assessed. When warranted, the other parties involved in the information-sharing project could also be required to conduct a similar risk assessment process to evaluate the potential threats and risks to the information, as a pre-condition of sharing.

Once a threat and risk assessment has been completed, the parties to the agreement should normally take the necessary steps to develop or adopt, implement, or maintain the administrative, technical, and physical safeguards necessary to protect the personal data to be shared. As a best practice, these measures should be implemented before any information is shared. To this end, organizations may wish to require confirmation that such safeguards are implemented and periodically reviewed to ensure protection of the information.

NOTE: The Royal Canadian Mounted Police (RCMP) has been offering guidance and training for years on how to carry out TRAs.

In 2001, TBS published the Integrated Risk Management Framework to provide departments with guidance on how to take a systematic approach to risk management. Over the last few years, Communications Security Establishment Canada (CSEC) has also developed methodology and guidance for doing comprehensive assessments. Government institutions may wish to take full advantage of this support to ensure their IT resources are well protected in a cost-effective manner.

6.9 Trans-border considerations

6.9.1 Increased privacy risks

Personal information is well protected in the public sector in Canada. The federal government and all of Canada's provinces and territories have respective privacy legislation that applies to the collection, use and disclosure of personal information under their control. Most municipalities are subject to provincial or territorial privacy legislation. These various acts are largely based on common privacy principles and standards. Although not all regimes within provinces and territories have equivalent privacy provisions to those given under the federal Privacy Act, all offer privacy protection when exchanging personal information with federal, provincial, territorial, and municipal government institutions in Canada.

However, Canadian privacy laws do not apply to personal information once it has been disclosed to a foreign government organization (referred to as trans-border data flows). It is understood that this will involve negotiation but it is crucial that written agreements with international partners take into consideration the protection of personal information. Privacy risks associated with the sharing of personal information with foreign countries are generally considered higher risks than when sharing personal information with a Canadian party. Such risks are particularly significant when the foreign organization is not bound by privacy legislation or a binding scheme that is substantially similar to the federal Privacy Act.

Before disclosing personal data, federal institutions may wish to satisfy themselves that the receiving country will provide an adequate level of protection. The adequacy of the level of privacy protection afforded by the other country may be determined by an examination of a number of factors including, the nature and sensitivity of the data, the purpose of the disclosure, the rules of law, and security measures which will be used to protect the information in the other country.

Since there may be laws in the other jurisdiction that have legal implications on trans-border data flows, it is recommended that federal government institutions consult with their legal services to ensure that the type of ISA to be entered into with a foreign country conforms to Canadian law and practices. In addition, the Department of Foreign Affairs and International Trade must be consulted prior to beginning any negotiations with another State, whether with its government as such or with one of its agencies, or with an international organization, in order to ensure any agreement or arrangement is consistent with Canadian foreign policy objectives and with Canada's obligations under international law, including international human rights law, as well as to ensure a proper distinction between treaties and other international instruments that are not binding in public international law.

Similarly, Canadian Charter of Rights and Freedoms implications may be involved. Although the Canadian Charter of Rights and Freedoms does not generally apply extraterritorially (i.e. its protections are lost in respect of subsequent uses of the information by foreign officials), it does apply to constrain the actions of Canadian officials involved in the information sharing process. The reasonably foreseeable consequences of sharing information with foreign officials may raise Canadian Charter of Rights and Freedoms issues in respect of the actions of the Canadian officials involved if, for example, the sharing could result in potential human rights violations such as torture, unlawful detention, or unwarranted additions to no-fly lists. It is therefore recommended that Canadian Charter of Rights and Freedoms experts also be consulted before entering into ISAs with foreign countries.

6.9.2 Existing international agreements

Canada is a signatory to numerous bila teral or multilateral international treaties with other countries, dealing with such subjects as extradition, mutual legal assistance in criminal matters, taxation, pensions, and immigration. These treaties often involve the exchange of personal information between the respective governments.

The Treaty Section of the Department of Foreign Affairs and International Trade provides an on-line resource for researching treaties for which Canada is a signatory. The on-line resource also provides detailed information on the Government's Treaty Policy, including the steps Departments need to take to obtain an appropriate mandate to negotiate an agreement or arrangement with a foreign state.

As an example, the Canadian Security Intelligence Service Act permits the Service (known as CSIS), if it has the approval of the appropriate Minister and after consultation with the Minister of Foreign Affairs, to enter arrangements or cooperate with the government of a foreign state, an institution of that state, or an international organization of states. Clearly, this cooperation could involve the transfer of personal information about Canadians.

In addition, many foreign government authorities use mutual legal assistance treaties and other trans-national information sharing mechanisms in order to obtain the information from a federal government institution. A Mutual Legal Assistance Treaty (MLAT) permits law enforcement authorities of one country to request assistance from another to obtain records and other evidence relating to an investigation or the prosecution of offences. Canada's Mutual Legal Assistance in Criminal Matters Act (MLACMA) came into force in 1990.

Under the Canada-US MLAT, US authorities might, for example, request information held by provincial, territorial, or federal governments, by individuals in Canada, or by companies in Canada, in relation to a broad range of offences. If U.S. authorities want to obtain personal information held by a federal government institution, the usual course of action is to make a request under the Canada-US MLAT. Canada's federal Department of Justice may then apply to a court in Canada for a search warrant to compel the disclosure of the information from the other government institution. Once the information is obtained, the Department of Justice transmits the information to the U.S. government. Paragraph 8(2)(c) of the Privacy Act permits federal government institutions to disclose personal information that is required to comply with a subpoena or warrant issued by a court, or to comply with a court order.

In addition to the other terms and conditions of an ISA between a federal institution and a foreign government organization, parties may specify that certain provisions of existing MLATs or other international agreements will be respected.

Entering into an ISA with a foreign country will also almost certainly impose obligations on a federal institution or the Government of Canada to protect the privacy and confidentiality of information received by Canada. This may impose resource requirements on federal institutions to meet obligations to appropriately protect the information.

6.9.3 Potential privacy risks posed by anti-terrorism legislation

Another issue arising out of international ISAs is that there may be potential privacy risks posed by anti-terrorism legislation in the foreign country. This could mean, for example, that a foreign law could circumvent restrictions or caveats imposed by the disclosing organization on further use or disclosure of personal information. Many foreign countries have anti-terrorism laws and security measures that contain powers similar to those of the USA PATRIOT Act. In such cases, a federal institution may wish to impose added conditions on the recipient, such as segregating the shared data from its other records or advising Canada whenever the information is to be disclosed under foreign law, if that is possible.

On the other hand, there is more benefit in having a formal ISA than no agreement at all. When the foreign government uses the ISA to obtain Canadians' personal information, the Canadian government can disclose the information under clear terms and conditions. Having in place an agreement may also prevent the foreign government from seeking a court order.

6.9.4 Human rights considerations

There is no doubt that federal government institutions must share or exchange personal information with other countries on law enforcement and national security matters. However, this does not mean that the collection, use and disclosure of such information have to affect individuals unfairly or put them at risk. Canada must consider whether information received from a foreign country is the result of human rights violations under domestic or international law and whether personal information disclosed to that country results in such abuses. If such questions arise, institutions should contact their departmental legal services unit.

The relevance of domestic and international laws affecting personal information and human rights may need to be taken into account when sharing personal information with a foreign country. For example, prior to collecting any information from a foreign country, federal government institutions may wish to ascertain whether the personal data to be collected has been obtained and processed by that organization in a manner consistent with Canada's domestic and international human rights obligations and values and with adequate notice or consent.

Moreover, although the primary Canadian Charter of Rights and Freedoms issues that arise out of ISAs relate to privacy rights under section 8, where information is shared with states that have weaker human rights protections in place than Canada, the rights to life, liberty and security of the person under section 7 may also be triggered. The Canadian Charter of Rights and Freedoms does not generally apply extraterritorially (i.e. its protections are lost in respect of subsequent uses of the information by foreign officials); however, it does apply to constrain the actions of Canadian officials involved in the information sharing process. The reasonably foreseeable consequences of sharing information with foreign officials may raise Canadian Charter of Rights and Freedoms issues in respect of the actions of the Canadian officials involved if, for example, the sharing could result in potential human rights violations such as torture, unlawful detention or unwarranted additions to no-fly lists. It is therefore recommended that Canadian Charter of Rights and Freedoms experts be consulted in such cases. Further, information sharing may give rise to considerations under international human rights law. The Department of Foreign Affairs and International Trade should be consulted with respect to Canada's international human rights obligations in this regard.

Information sharing with foreign countries has been one of the topics studied in depth by the Commission of Inquiry into the Actions of Canadian Officials in Relation to
Maher Arar. Some of the issues described by the Commission may be worth considering both in determining whether to share personal information and what possible restrictions to include in an ISA with a foreign country.

In Chapter IX of his September 2006 Report on the Events relating to Maher Arar: Analysis and Recommendations, Justice O'Connor made several recommendations respecting the process to be followed when Canadian officials deal with countries with questionable human rights practices. For example, he recommended that decisions to receive information from such a country be made on a case-by-case basis, in a manner that allows for accountability. Canadian officials should always exercise caution to avoid taking action that appears to condone or encourage human rights abuses.

In its report entitled Main Report of the Special Senate Committee on the Anti-Terrorism Act released in February 2007, the Special Senate Committee on the Anti-Terrorism Act recommended that the government put ISAs in relation to national security investigations in writing; ensure that Canadian law enforcement and security agencies attach written caveats regarding the use of shared information; require Canadian agencies to make formal complaints to foreign agencies regarding the misuse of shared information; and produce annual reports assessing the human rights records of various countries (recommendation #25).

More specifically, the Committee would like the government to implement recommendations 2, 9, 12 and 13 of Justice O'Connor's September 2006 report, not only with respect to information sharing by the Royal Canadian Mounted Police, but with respect to information sharing by any Canadian agency involved in protecting national security. These recommendations are paraphrased hereunder.

Recommendation 2 of Justice O'Connor's September 2006 report suggests that co-operative or integrated arrangements in relation to national security investigations be reduced to writing.
Recommendation 9 states that the Royal Canadian Mounted Police should never share information in a national security investigation without attaching written caveats respecting who can have access to the information and how the information is to be used.
Recommendation 12 states that where Canadian agencies become aware that foreign agencies have made improper use of information provided by Canadian agencies, they should file a formal objection.
Finally, Recommendation 13 states that the Department of Foreign Affairs and International Trade should provide annual reports to the Royal Canadian Mounted Police and Canadian Security Intelligence Service assessing the human rights records of various countries, to assist these organizations in evaluating whether, and on what basis, they should continue to share information with agencies of these countries.

Once personal information has been shared or exchanged with a country that does not have any laws that protect privacy, human rights or civil liberties, it may become difficult, if not impossible, to ensure treatment of that information in a manner consistent with Canadian constitutional rights and values. The legal power of Canadian courts and the federal government to require respect of constitutional rights and freedoms under the Canadian Charter of Rights and Freedoms can only be legally exercised within Canada's territorial borders.

6.10 Audit provisions

Auditing processes help ensure that parties to an agreement adhere to the terms and conditions of the agreements. While it may be impractical for the Canadian government to perform audits of another country's personal information management practices, it is not unreasonable to request that the other country provide information to the other detailing the internal controls adopted for protecting personal information and/orperform privacy and security audits and provide copies of its audit reports at fixed regular intervals. Some institutions may even wish to request specific audits, according to a pre-determined schedule.

6.11 Other provisions

The agreement may include other provisions that are not directly related to privacy issues but should nevertheless be addressed / considered. The following items are meant as examples only.

6.11.1 Conflict resolution

In the event of questions, challenges or disagreements related to any issue connected to an agreement, it is recommended that clauses be included to provide a mechanism for conflict resolution.

For example, the agreement may also include a clause that allows for the appointment of a conciliator to resolve disputes. Additional clauses may be used if the parties wish to have a legally-binding agreement that is enforceable in a court of law. In such a case, the institution should consult its legal services.

Of course, before using a formal mechanism, it is recommended that the parties involved try to resolve issues between senior officials of their respective organizations.

6.11.2 Signatures

An agreement should include the date, names, titles, and signatures of the authorized officials of all parties involved in the sharing initiative.