| Questions |
| 1. Are you designing a new program or service? |
Notes for Question 1:
- If designing a new program or service, you may not initially know if there are privacy-related issues. If you don't know, then you'll need to further examine the project and perhaps conduct a PPIA. Be mindful of privacy-related issues even if they aren't initially apparent.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 2. Are you making significant changes to an existing program or service and you have outstanding privacy issues? |
Notes for Question 2:
- Some examples of 'significant changes' could include things like changing the systems architecture of a project or initiative, changing the way a service is delivered or collecting more personal information than was collected before.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 3. Are you converting from a conventional service delivery mode to an electronic service delivery mode and you have outstanding privacy issues? |
Notes for Question 3:
- Even if the application is the same and the only change is delivery via the Internet, there will likely be privacy issues to consider.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 4. Does the program require you to collect, use or disclose any personal information, such as name, address, age, identifying number, educational, medical or employment history, etc.? |
Notes for Question 4:
- Although more personal information may be collected, used or disclosed, the requirement for a PIA will be based on the amount and sensitivity of the personal information and its intended use and disclosure. Consider these questions:
- Does the amount of personal information collected raise any privacy issues?
- Does the use or disclosure of personal information increase privacy risks?
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
- The authority to collect information might not expressly state a power to collect specific information. Instead, once you find the authority to carry out a particular program or activity, you may have a strong argument that collection of the information in question is necessary and implicitly authorized to achieve Parliament's direction that the program or activity be carried out.
- Sections 7 and 8 of the Privacy Act state that personal information may be used or disclosed by a government institution without the consent of the individual to whom it relates for a purpose directly related to the purpose(s) for which the information was obtained or compiled. Such related purposes are termed "consistent uses". For a use or disclosure to be consistent, it must have a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled.
- Although a corporation is not an individual and therefore does not have "personal information", many small businesses are unincorporated sole proprietorships and partnerships and many non-profit groups and associations are unincorporated as well. There is a substantial risk that information relating to sole proprietors, partnerships and unincorporated associations is "personal information". Therefore, any change that will significantly affect such individuals will likely require a PIA.
|
| 5. Will the program require you to collect, use or disclose more personal information or more sensitive personal information than in the past? |
Notes for Question 5:
- No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution (section 4)
- Institutions must not collect any more personal information than is demonstrably necessary to carry out the program or activity
- Institutions must have Parliamentary authority for the program or activity that is usually contained in
- an Act of Parliament or subsequent regulations, or
- approval of expenditures proposed in the Estimates and authorized by an Appropriations Act
- Institutions must collect personal information to be used for an administrative purpose* directly from the individual (subsection 5(1))
- Institutions must inform the individual of the purpose for collecting the personal information (subsection 5(2)) unless
- it would result in the collection of inaccurate information (paragraph 5(2)(a)), or
- defeat the purpose or prejudice the use for which the information is collected (paragraph 5(2)(b))
*administrative purpose means the use of personal information in a decision making process that directly affects that individual
- Institutions must not use personal information under their control, without the consent of the individual, except for
- the purpose for which it was originally obtained or a use consistent* with that purpose (paragraph 7(a))
- a purpose for which it may be disclosed under subsection 8(2) of the Act (paragraph 7(b))
*Consistent use means that the use must have a reasonable and direct connection to the original purpose for which the personal information was collected and it must be reasonable for the individual who provided the personal information to expect that it would be used in the proposed manner
- Institutions may disclose personal information without the consent of the individual under circumstances specified in subsection 8(2)
- Examples of permissible disclosures
- purpose for which it was originally obtained or a use consistent with that purpose
- Act of Parliament or regulation
- subpoena or warrant
- federal investigative body scheduled in the regulations
- agreement between the Government of Canada and another organization
- member of Parliament to assist constituent
- research or statistical purposes
- "public interest"
- You may also want to consult with your departmental ATIP coordinator, legal experts and privacy legislation.
- Remember: even the additional collection, use or disclosure of one piece of personal information (e.g., an individual's address, phone number, credit card number) will constitute the collection of additional personal information. This alone though may not trigger the need for a PIA. The need for a PIA will have to be assessed by determining if the additional collection, use or disclosure of sensitive personal information is likely to raise privacy issues or result in the identification of a privacy risk.
|
| 6. Is consent preferable for a new use or disclosure of personal information? |
Notes for Question 6:
- The following sections of the Privacy Act deal with informed consent and indirect collection.
- Review this information and if you have further questions, consult with your legal or ATIP experts for clarification.
- Section 5 deals with direct collection, but includes specific exceptions that permit indirect collection: where the individual consents, where the information can be collected from another institution and the disclosure by the other institution complies with s. 8(2), where direct collection might result in the collection of inaccurate information, and where direct collection might defeat the purpose or prejudice the use for which the information is collected.
- Section 8(1) Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.
- Section 8(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed
- for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose;
- for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure;
- for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information;
- to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada;
- to an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed;
- under an agreement or arrangement between the Government of Canada or an institution thereof and the government of a province, the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation;
- to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem;
- to officers or employees of the institution for internal audit purposes, or to the office of the Comptroller General, or any other person or body specified in the regulations for audit purposes;
- to the National Archives of Canada for archival purposes;
- to any person or body for research or statistical purposes if the head of the government institution
- is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates, and
- obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates;
- to any association of aboriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of such association, band or institution or part thereof, for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada;
- to any government institution for the purpose of locating an individual in order to collect a debt owing to Her Majesty in right of Canada by that individual or make a payment owing to that individual by Her Majesty in right of Canada; and
- for any purpose where, in the opinion of the head of the institution,
- the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or
- the disclosure would clearly benefit the individual to whom the information relates.
|
| 7. Are you shifting from direct collection to indirect collection of personal information and will it be necessary to develop mechanisms to notify individuals about their privacy rights or to obtain the consent of individuals to collect, use and/or disclose their personal information? |
Notes for Question 7:
- Ask yourself if there is a 'consent' aspect that needs to be considered.
- The Privacy Act (Section 5(2)) states that where an institution collects personal information directly from the individual concerned, a government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected.
- If you are shifting to indirect collection of personal information, you will also need to consider the impact of data matching.
- Section 4 of the Privacy Act provides that no personal information shall be collected by a government institution unless it relates directly to a program or activity of the institution. Institutions should not be overly concerned with defining what is and is not a "program"—what is important is whether the personal information is needed for a specific activity of the institution and whether there is legal authority for that activity.
- There are no "government institutions" as that term is defined by the Privacy Act within any specific departments. Each department is a single "government institution". Some Ministers have responsibility for a number of separate government institutions. Note that the Privacy Act is intended to limit a specific collection of personal information to a specific activity within the institution. Just because one activity of the institution results in a collection of personal information, this does not allow that information to be shared with other activities within the institution. Any such sharing would have to comply with s. 8 of the Privacy Act.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
- TBS's Data Matching Policy
|
| 8. Will the program require you to collect personal information from other programs within your institution, other institutions, other governments or the private sector? |
Notes for Question 8:
- This may mean that you'll be involved in a cross-jurisdictional initiative (a collaborative arrangement between the federal government and one or several provinces). If this is the case and you determine that you'll need to complete a PIA, you will need to complete Questionnaire B during the Privacy Analysis phase of your PIA project.
- It is also very important to consider whether there is any 'data matching' when disclosing information to other jurisdictions or government institutions.
- Where there is data-matching, there must be compliance with the Data-matching Policy, in addition to a PIA.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 9. Will the personal information generated by the program be used in decision-making processes that directly affect individuals, such as eligibility for programs or services, or in enforcement activities? |
Notes for Question 9:
- Remember to consider the definition of 'administrative purpose' as defined in the Privacy Act.
- Also, don't forget to consider whether there is data matching.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 10. Will the personal information generated by the program be used for any other purposes, including research and statistical purposes? |
Notes for Question 10:
- If personal information is only used for tracking visitors to a particular website and this information is used to enhance the website and not build any type of profile, then a PIA may not be required.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 11. Will the personal information be shared with any other organizations for any purposes other than for which it was originally collected? |
Notes for Question 11:
- Consider this question carefully because if information is to be shared in such a manner, it may contravene the Privacy Act unless there is authorization in s. 8(2) of the Privacy Act.
- If personal information is shared with other departments and it is used for purposes other than what it was originally collected for, a PIA may be required.
- Where personal information in a personal information bank under the control of a government institution is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the institution but the use is not included in the statement of consistent uses set forth pursuant to subparagraph 11(1)(a)(iv) in the index referred to in section 11, the head of the government institution shall
- forthwith notify the Privacy Commissioner of the use for which the information was used or disclosed; and
- ensure that the use is included in the next statement of consistent uses set forth in the index.
- See the TBS Privacy and Data Protection Policy and the discussion of administrative purpose.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 12. Are you introducing new common client identifiers or are you using the SIN without any legislative authority? |
Notes for Question 12:
- A common client identifier can include any identifying number, symbol or other particular assigned to an individual.
- You can also check out the SIN Policy.
- Consult with your departmental ATIP coordinator, privacy personnel, legal experts and privacy legislation.
|
| 13. Do you anticipate that the public will have any privacy concerns regarding the proposed program or service? |
Notes for Question 13:
- Consider the following questions:
- Have similar proposals raised public privacy concerns?
- Has the Office of the Privacy Commissioner raised privacy concerns about the proposed program or service or similar services?
- For example, you might remember the HRDC Longitudinal Labour Force File. HRDC maintained software that enabled HRDC to view the entire work history of specific individuals, and the public perceived that this was excessive. Although HRDC was not contravening the Privacy Act or any policy in any way, there was a negative public perception about this issue.
- Your departmental ATIP coordinator or legal experts may be able to provide you some further insight as to whether or not there may be any public concerns about your particular project.
|
| 14. Are you introducing changes to the business systems or infrastructure architecture that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information? |
Notes for Question 14:
- Consult with your departmental IT staff.
|