Standard on Privacy and Web Analytics:
Frequently Asked Questions
I. Authority of Policy Instruments
Q1: Why has the Treasury Board of Canada Secretariat (TBS) developed the new Standard on Privacy and Web Analytics?
A1: The Government of Canada takes the privacy of Canadians very seriously. The Standard on Privacy and Web Analytics (Standard) addresses privacy issues associated with the use of Web analytics by government institutions and responds to concerns raised by the Privacy Commissioner of Canada. In June 2011, the Commissioner wrote to the President of the Treasury Board expressing concern over the lack of formal guidance from TBS to institutions on how to use Web analytics in a privacy-sensitive manner. The President of the Treasury Board shared the Commissioner's concerns and has issued the Standard, which provides this guidance.
Q3: Does the Standard apply to Crown corporations and their wholly owned subsidiaries?
A3: Yes. All institutions that are subject to the Privacy Act are subject to the Standard, including Crown Corporations and their wholly owned subsidiaries.
Q4: What is the effective date of the Standard?
A4: The effective date is January 31, 2013.
II. Information Covered by the Standard
Q5: What does the Standard do?
A5: The Government of Canada is committed to informing Canadians and others visiting its websites of its online activities. The Standard sets out mandatory requirements such as clear Privacy Notices on institutional websites, maximum retention periods for personal information and, for those institutions that use third-party Web analytics tools, a requirement for contracts to be in place that have strict privacy protective language (see Q19 for greater detail).
Q6: What information does the Standard apply to?
A6: The Standard applies to “personal information” that is collected, used, retained and disposed of for the purpose of Web analytics. The Privacy Act defines personal information broadly to mean information about an identifiable individual recorded in any form.
Q7: What information is not covered by the Standard?
A7: The Standard does not apply to the following information:
- Personal information that is collected for a purpose other than Web analytics e.g. information that an identifiable individual voluntarily provides to an institution for the purpose of accessing a particular on-line service such as a passport application or purchasing a ticket on-line; and
- Information about users who choose to interact with government institutions via social media.
Q8: Does the Standard apply to the Intranet?
A8: The Standard applies only to external public facing Government of Canada websites and is not intended to apply to the Intranet.
Q9: Does the Standard apply to social media?
A9: No, the Standard does not apply.
Q10: Does the Standard apply to any other e-tools such as SurveyMonkey (an online survey service)?
A10: No, the Standard does not apply.
Q11: Does the Standard apply if an institution does not use Web analytics?
A11: No, the Standard does not apply. The institution should, however, ensure that its Privacy Notice dealing with privacy and the internet explains that the institution does not use Web analytics to assess website performance. The sample Privacy Notice prepared by TBS may be used and the section on Web analytics should simply reflect that no Web analytics are being performed.
III. Privacy and Web Analytics
Q12: What is Web analytics?
A12: Web analytics involves the collection, analysis, measurement and reporting of data about Web traffic and user visits for the purposes of understanding and optimizing Web usage.
Q13: Which types of Web analytics tools are currently being used?
A13: Government institutions currently use a variety of Web analytics tools, some hosted internally on institutional servers and some hosted externally on third-party servers, to perform Web analytics. In some cases, personal information is being shared with third parties outside of the Government of Canada without sufficient privacy protections. The Government of Canada takes this very seriously, and the requirements in the Standard aim to bolster privacy practices for this activity.
Q14: What are the privacy risks associated with the use of Web analytics?
A14: Information that can lead to the identification of an individual, either alone or when combined with other identifying information, is considered personal information within the meaning of section 3 of the Privacy Act. In the case of Web analytics, the Internet Protocol (IP) addresses of visitors to Government of Canada websites are collected and may, in certain circumstances, be considered personal information within the meaning of the Privacy Act.
Q15: What information collected for the purpose of Web analytics is considered to be personal information?
A15: Examples of information considered to be personal are the user’s IP address and other information about the Web browsing behaviour of the user collected through the mechanism of a digital marker such as a cookie.
Q16: How serious are the privacy risks associated with Web analytics?
A16: The risks, for example those associated with identity theft or privacy breaches, are greatest when the IP address and other information collected during website visits about Web browsing behaviour are disclosed to a third party who is carrying out Web analytics on third party servers, often located outside Canada.
Q17: When is information about an identifiable individual?
A17: Information is generally considered to be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.
Q18: How can the IP address be tied to an identifiable individual?
A18. In a remote community with few households and few computers, the IP address could, on its own, identify an individual. Some IP addresses are also static which means that they are assigned to one person’s computer on an ongoing basis. In addition, the IP address could, through the Internet Service Provider, be linked to an identifiable individual. An Internet Service Provider can identify the individual associated with a computer to which it has assigned an IP address at any given time, and through the IP address, link that individual with his or her Web browsing behaviour.
IV. Requirements under the Standard
Q19: What are the requirements in the Standard and when do they come into effect?
A19: The requirements in the Standard include the following:
- (1) Privacy Notices: Clear Privacy Notices must be posted on institutional websites advising visitors that information that is considered to be personal in nature is being used to perform Web analytics. The notices must be posted as soon as the Standard comes into effect.
- (2) Retention periods: The Standard imposes maximum retention periods for personal information. For institutions that use internally hosted Web analytics tools, the retention period is 18 months, at which time personal information must be disposed of, as authorized by the Librarian and Archivist of Canada. Because the personal information is not used for an administrative purpose, the two-year retention requirement under subparagraph 4(1)(a) of the Privacy Regulations does not apply. The retention period is binding once the Standard comes into effect.
- (3) Contracts: Institutions that use third-party service providers must enter into contracts that have strict privacy protective language and that meet the requirements of the Standard. Moreover, third parties will be required to safeguard depersonalized IP addresses and other information disclosed in relation to the contract and may retain that information for a maximum period of 6 months. The contracts will be required by June 30, 2014.
Q20: Are there additional requirements for institutions that use externally hosted Web analytics tools?
A20: Yes. As a mitigation measure, institutions that use externally hosted Web analytics tools must activate the depersonalization or anonymization function available with those tools. In the case where this functionality does not exist, the institution should deploy a different Web analytics tool in order to be compliant with Appendix A, section 2.1 of the Standard.
Q21: What does it mean to activate the depersonalization or anonymization functionality, and how can it be activated?
Q22: How will this affect Web analytics and the metrics produced?
A22: Depersonalization will not affect an institution's aggregated data in relation with Web analytics; however, geographic-specific analytics may be affected by the removal of the final octet.
Q23: Given that the Standard requires the IP address to be truncated by the third party, doesn't this address any privacy risks associated with disclosure of Web analytics information to third parties?
A23: While truncation of the IP address prior to its storage reduces the risks, risks remain. To ensure that the truncation requirement is enforceable and also to address additional risks including, for instance, the ability for third parties to subsequently use or re-use the Web analytics information for other purposes, the Standard has an added requirement for a contract to be in place containing due diligence provisions to safeguard privacy. Institutions have been given until June 30th, 2014 to meet this requirement.
Q24: Once the anonymization function is turned on and the IP address is depersonalized, why does the Standard require additional protection through a third-party contract?
A24: The Government of Canada values the privacy of citizens. Depersonalizing the IP address when information is disclosed to third parties reduces privacy risks. The additional requirement in the Standard for a contract that has stringent provisions for protecting privacy further safeguards privacy. An example of this is the requirement for an audit provision in the contract whereby the third party may be audited at least once annually to ensure compliance with the requirements of the Standard.
Q25: Do institutions have to depersonalize or anonymize the Internet Protocol address when Web analytics is deployed internally on institutional servers?
A25: No. This requirement only applies when personal information is being disclosed to a third party service provider as the privacy risks are greater in that situation.
Q26: Does the Standard and, more specifically, the retention and disposition periods, apply to server logs?
A26: No. The Standard applies only to Web analytics and the personal information collected and used for that purpose.
Q27: Does the Standard and, more specifically, the retention and disposition periods, apply to the results of Web analytics?
A27: The retention and disposition requirements do not apply to the performance indicators and metrics produced by Web analytics tools because these are aggregated data that are fully anonymized.
Q28: Why was the 18 month retention period chosen when Web analytics is internally deployed on institutional servers?
A28: A retention period of 18 months allows institutions to do trend analysis beyond the one year period while at the same time affording privacy protection for personal information collected for the purpose of Web analytics.
Q29: Why was the 6 month retention period chosen when Web analytics is externally deployed on third party servers?
A29: This shorter period addresses the greater privacy risks, including the risks of privacy breaches and secondary uses of data, associated with externally deployed Web analytics.
Q30: If an institution uses information from its server logs to carry out its Web analytics, does the information in the server logs have to be disposed of after 18 months?
A30: No, the Standard does not apply to server logs. What must be disposed of after 18 months is the personal information that has been replicated elsewhere by the institution for the purpose of carrying out internally deployed Web analytics.
Q31: How does the 18 month retention period for internally deployed Web analytics work with the retention schedules from Library and Archives Canada (LAC)?
A31: LAC does not set retention periods. Institutions develop their own retention schedules, and in so doing they may seek advice from LAC. LAC makes retention recommendations based on legislation and best practices. In this particular case, the retention period for personal information in relation to internally hosted Web analytics is set out in Appendix A, section 1.4 of the Standard.
Q32: Has LAC given authority for the disposal of information in relation to Web analytics?
A32: LAC has issued a Multi-Institutional Disposition Authority, aligned with the Standard, permitting the disposal of information.
Q33: Is the preparation of a Privacy Impact Assessment (PIA) necessary?
A33: Section 3.3 of the Directive on Privacy Impact Assessment states that privacy implications must be appropriately identified, assessed and resolved before a new or substantially modified program or activity that involves personal information is implemented. The PIA is the component of risk management that focuses on ensuring compliance with Privacy Act requirements. TBS has prepared the Web Analytics Privacy Impact Assessment Report that can be used by other institutions.
Q34: Is the creation of a Personal Information Bank (PIB) required for Web analytics?
A34: No. Subsection 10(1) of the Privacy Act states that a PIB is required when an institution collects personal information that is used for an administrative purpose. An administrative purpose is defined in the Privacy Act as information being used in a decision-making process that directly affects the individual. In the case of Web analytics, the IP address and other data are not collected for an administrative purpose.
Q35: Is there a long-term solution for government-wide Web analytics?
A35: TBS, in collaboration with Public Works and Government Services Canada, is currently exploring potential enterprise-wide Web analytics solutions for the Government of Canada through a procurement vehicle. Once a solution has been procured, Crown corporations may choose to leverage the same solution as chosen by the Government of Canada.
V. Compliance and Target Dates
Q36: What are the timelines for compliance under the Standard?
A36. January 31, 2013: As a mitigation measure, institutions that have deployed Web analytics tools externally are required to activate the depersonalization function available in the Web analytics tools.
January 31, 2013: As of this date, all requirements under the Standard are in effect, e.g., Privacy Notices and fixed retention periods, with the exception of requirements that deal with need for contracts with third-party vendors (see Standard on Privacy and Web Analytics, Appendix A, sections 1 and 2, and Standard on Privacy and Web Anlytics, Appendix B).
June 30, 2014: Contracts that have strict privacy protective language with third-party vendors will be required by this date (see Standard on Privacy and Web Analytics, Appendix A, section 3).
Q37: What are the monitoring and reporting requirements in relation to the Standard?
A37: The monitoring and reporting requirements of the Policy on Privacy Protection apply to this Standard. On a government-wide basis, for those institutions subject to the Management Accountability Framework (MAF), the MAF may be used to monitor policy compliance. The consequences outlined in the Policy on Privacy Protection apply to this Standard. That is, if found to be non-compliant, institutions (regardless of whether or not the institution is subject to the MAF) may be required by the Treasury Board Secretariat to provide additional information relating to the development and implementation of compliance strategies in their annual report to Parliament.
- Date modified: