Directive on Privacy Practices

Tools & Resources

Table of Contents Complete Text Alternate Formats Related Instruments Framework Policies Directives Standards Guidelines Related Links Legislation and Regulations Archives

1. Effective date

1.1 This directive takes effect on January 31, 2013.

1.2 It replaces the Directive on Privacy Practices dated April 1, 2010.

2. Application

2.1 This directive applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.

2.2 This directive does not apply to the Bank of Canada.

3. Context

3.1 The Privacy Act and Privacy Regulations provide the legal framework for the collection, retention, use, disclosure, disposition and accuracy of personal information in the administration of programs and activities by government institutions. The Privacy Act is modeled on internationally accepted standards, which are based on the principles that every individual retains ownership of his or her personal information and has the right to know what personal information is being collected about him or her, how it will be used, to whom it will be disclosed, and when and how it will be disposed of.

3.2 Under the Privacy Act, heads of all government institutions are required to identify, describe and publicly report their personal information banks (PIBs) and classes of personal information in the annual Treasury Board of Canada Secretariat series of publications entitled Info Source. The descriptions of PIBs and classes of personal information contained in Info Source are the vehicles through which the government institution informs the public and public service employees about the personal information it collects and how that information will be handled. Through these descriptions, individuals can also learn how their personal information is used and where it is retained and, consequently, can exercise their rights to access and correct their personal information.

3.3 Under the Policy on Privacy Protection, heads of government institutions are to establish practices for the management and protection of personal information under their control to ensure that the Privacy Act is administered in a consistent and fair manner. This directive supports the policy by setting out the requirements for sound privacy practices and management of personal information. Taken together, the Policy on Privacy Protection and its related directives and guidelines are the instruments upon which a sound privacy management strategy within government institutions is structured.

3.4 Under the Privacy Act, the President of the Treasury Board, as designated Minister, holds general responsibility for registering all PIBs and reviewing the manner in which they are maintained and managed in all government institutions. In addition to this general oversight role, the President of the Treasury Board is responsible for reviewing and approving new or substantially modified PIBs or establishing the terms and conditions for such approval for the departments defined in section 2 of the Financial Administration Act (FAA). Under subsection 71(6) of the Privacy Act, the President of the Treasury Board may choose to delegate this authority. In making this determination, the President of the Treasury Board will consider an institution's compliance with the Policy on Privacy Protection, with this and other directives as well as with any prescribed forms. The delegation for review and approval of PIBs can be given only to the departments defined in the FAA. Nevertheless, the President of the Treasury Board remains responsible for the ongoing review of PIBs for all government institutions that are subject to the Privacy Act.

3.5 This directive is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3.6 This directive is to be read in conjunction with the Privacy Act, the Privacy Regulations, the Policy on Privacy Protection, the Directive on Privacy Impact Assessment and the Directive on Social Insurance Number.

3.7 Additional mandatory requirements for the government institutions subject to the Privacy Act are set out in the Policy on Privacy Protection, the Directive on Privacy Impact Assessment, the Directive on Social Insurance Number and the Directive on Privacy Requests and Correction of Personal Information.

4. Definitions

4.1 Definitions to be used in the interpretation of this directive are attached in Appendix A. Additional definitions are provided in Appendix A of the Policy on Privacy Protection.

5. Directive statement

5.1 Objective

5.1.1 To facilitate the implementation and public reporting of consistent and sound privacy management practices for the creation, collection, retention, use, disclosure, disposition and accuracy of personal information under the control of government institutions.

5.2 Expected results

5.2.1 Personal information is only collected, retained, used, disclosed and disposed of in a manner that respects both the privacy of individuals and the provisions of the Privacy Act and Privacy Regulations.

5.2.2 Personal information holdings of government institutions are described in a manner that facilitates the process for individuals to request access to and correction of their personal information.

5.2.3 The purposes for which government institutions collect personal information and the privacy practices that support the administration of programs and activities are described in their PIBs and classes of personal information.

6. Requirements

6.1 Heads of government institutions or their delegates are responsible for the following:

6.1.1 Establishing effective privacy practices within their institution. These practices are to be followed when employees or executives are involved in activities related to the creation, collection, retention, accuracy, use, disclosure or disposition of personal information under the control of the government institution, including the personal information of employees of the institution.

6.1.2 Establishing a plan for addressing privacy breaches within their institution, which defines the following:

• Roles and responsibilities in the event of a privacy breach;
• Internal procedures and communications requirements; and
• Notification standards and procedures, including the timing of such notification, for informing the Office of the Privacy Commissioner and parties affected by privacy breaches.

Note: Government institutions that are subject to Treasury Board policies will align any plans developed for addressing privacy breaches with similar requirements under the Policy on Government Security and its related directives and standards. For additional guidance, government institutions can refer to the Guidelines for Privacy Breaches.

Personal information banks and classes of personal information

6.1.3 Ensuring that all personal information under the control of the government institution is identified and described in its PIBs or classes of personal information. This includes any personal information collected or created by the government institution.

6.1.4 Ensuring that the development process for new or substantially modified PIBs is aligned with the process for the development and approval of the core privacy impact assessment (PIA).

6.1.5 Submitting proposals for the registration of a new PIB or the modification or termination of an existing PIB. Proposals are to include the following:

• An indication of whether the proposal is to register, modify or terminate a PIB;
• In the case of a proposal to register or substantially modify an existing PIB, a description of the new or substantially modified PIB that is consistent with any standards or prescriptions established by the President of the Treasury Board under section 71 of the Privacy Act (note that for such proposals, a completed core PIA will be required); and
• In the case of a proposal to terminate an existing PIB, an explanation of why the PIB should be terminated and a confirmation that the files related to the PIB will no longer be under the control of the government institution.

6.1.6 Fulfilling, for the departments defined in section 2 of the FAA, any of the additional requirements for PIB proposals described in Appendix B.

Exempt banks

6.1.7 Consulting with the Treasury Board of Canada Secretariat on any proposal to establish or revoke an exempt bank and submitting for review a request to the Secretariat to designate a PIB as exempt. This request is to include the following:

• A description of the information to be included in the exempt bank and why such information should be included in an exempt bank;
• Confirmation that the files in the bank consist predominantly of personal information as described in sections 21 or 22 of the Privacy Act;
• The specific exemption provision under which the information requires protection and, for any injury test exemption, a statement of the expected detrimental effect; and
• A draft Order in Council along with a draft Regulatory Impact Analysis Statement.

Requests and disclosures to investigative bodies

6.1.8 Adhering to the policy requirements concerning requests from and disclosures to investigative bodies as outlined in Appendix C.

Recording new uses and disclosures

6.1.9 Establishing procedures to support the requirement for maintaining a record of new uses and disclosures as well as any consistent uses that are not reflected in a PIB. Such procedures will ensure that:

• A record is retained for any use, purpose or disclosure not reflected in the PIB description and that the record is stored with the personal information to which it relates (this does not apply to disclosures to investigative bodies); and
• Any new consistent uses are reflected in the relevant PIBs and that the Privacy Commissioner is notified of all new consistent uses.

Web analytics and privacy

6.1.10 Ensuring that the use of Web analytics for measuring and improving performance of Government of Canada websites is done in accordance with the Standard on Privacy and Web Analytics.

6.2 Executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information are responsible for:

Privacy practices

6.2.1 Informing the individual who is responsible for the institution's PIBs of any new program or activity or any substantial modification to an existing program or activity where personal information is being collected or handled in a decision-making process that directly affects the individual.

6.2.2 Informing the individuals who are responsible for managing the institution's websites, as well as those functional specialists and Web content owners, of the need to ensure that the requirements of the Standard on Privacy and Web Analytics are being met.

6.2.3 Ensuring that privacy practices are consistent with and respect the provisions found in enabling legislation or other statutory instruments related to the government institution's mandate.

6.2.4 Informing employees of the legal and administrative consequences for any inappropriate or unauthorized access of personal information related to a particular program or activity.

Privacy breaches

6.2.5 Implementing the government institution's plan for addressing privacy breaches when necessary. See the Guidelines for Privacy Breaches issued by the Treasury Board of Canada Secretariat.

Review of exempt banks

6.2.6 Reviewing exempt bank files related to their programs or activities on an ongoing basis and, if some personal information is no longer relevant, disposing of it in accordance with appropriate disposition schedules.

Collection and creation of personal information

6.2.7 Establishing parliamentary authority for the government institution's program or activity before any collection of personal information. Obtaining an individual's consent to a collection does not replace or establish authority for the collection of personal information.

6.2.8 Establishing the elements to be included in a PIB before any new collection of personal information.

6.2.9 Limiting the collection of personal information to what is directly related to and demonstrably necessary for the government institution's programs or activities. Personal information that is created by the government institution is also considered a collection under the Privacy Act.

Privacy Notice

6.2.10 Notifying the individual whose personal information is collected directly of the following:

• The purpose and authority for the collection;
• Any uses or disclosures that are consistent with the original purpose;
• Any uses or disclosures that are not related to the original purpose;
• Any legal or administrative consequences for refusing to provide the personal information; and
• The rights of access to, correction of and protection of personal information under the Privacy Act.

6.2.11 Adapting the Privacy Notice for either written or verbal communication at the time of collection. Written notices are to include a reference to the PIB described in Info Source.

Note: Under the Privacy Act, Privacy Notices are not required if the notification would result in collecting inaccurate information, would defeat the purpose of the collection or would compromise the use of the information collected.

Consent

Note: Consent is not required if the personal information is to be used for the purpose for which it was obtained, for a use consistent with that purpose or for a purpose for which it may be disclosed to the institution under subsection 8(2) of the Privacy Act.

6.2.12 Obtaining consent from an individual for the following:

• The indirect collection of personal information, unless seeking consent would result in collecting inaccurate information, would defeat the purpose of collection or would compromise the use of the information collected;
• Uses or disclosures that are not consistent with the purposes for which the information was originally obtained or compiled, if such uses or purposes were not identified at the time of collection; and
• Any disposition of personal information before the two-year minimum retention standard established by the Privacy Regulations.

6.2.13 Including the following elements, as applicable, when seeking consent:

• The purpose of the consent and the specific personal information involved;
• The sources who will be asked to provide the information, in the case of indirect collections;
• Uses and disclosures that are not consistent with the original purpose of the collection and for which consent is being sought;
• Any consequences that may result from withholding consent; and
• Any alternatives to providing consent.

Note: The above is supplementary to the information in the Privacy Notice.

6.2.14 Ensuring that consent is obtained in writing or is otherwise adequately documented, including such information as the date and time of consent. A record is required to support verbal consent.

Accuracy

6.2.15 Ensuring through all reasonable measures that personal information to be used in a decision-making process is as accurate, up to date and complete as possible. Those measures will involve one or more of the following:

• Direct collection or validation with the individual;
• Indirect collection or validation when authorized or when consent was obtained, which may involve verifying the personal information against a reliable source (either public or private); and
• Technological means to identify errors and discrepancies.

Implementing, in cases when direct collection or obtaining consent is not feasible, measures to:

• Ensure that the personal information is obtained from a reliable source; or
• Verify or validate the accuracy of the personal information before use.

6.2.16 Documenting the source or technique used to validate the personal information and identifying, where appropriate, the source as well as any data matching in the relevant PIB description.

6.2.17 Ensuring that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision that could have an impact on them is made.

Safeguards for use and disclosure

6.2.18 Identifying the work positions, within the program or activity, that have a valid reason to access and handle personal information and limiting access to individuals occupying those positions.

6.2.19 Limiting access and use of personal information by administrative, technical and physical means to protect the information and an individual's privacy.

6.2.20 Employing appropriate measures to ensure that access, use and disclosure of personal information is monitored and documented. Such measures are to address the timely identification of inappropriate or unauthorized access or handling of personal information related to a particular program or activity.

6.2.21 Adhering to the following requirements when personal information is being disclosed to another public or private sector institution, including another government institution:

• The Privacy Notice reflects, as appropriate, the disclosure;
• An agreement or arrangement with appropriate safeguards has been established between the government institution and the public sector entity, whether that entity is international, federal, provincial or territorial, or municipal; and
• Contracts that are established with private sector entities outline measures and provisions to address the following:
  • Control over the personal information;
  • Limitations on collection and handling as well as any prohibitions regarding the personal information for the purposes of the contract;
  • Disposition of the personal information, where relevant;
  • Administrative, technical and physical safeguards; and
  • Obligations of other parties acting on behalf of the government institution.

Note: Government institutions subject to the Policy on Government Security are also to ensure that government security standards are respected, including industrial security requirements of the Department of Public Works and Government Services.

6.2.22 Ensuring, when personal information is being transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that:

• Authority is established for the transfer;
• Rights of employees to access and correct their personal information are maintained and adequate privacy practices are in place;
• A records transfer agreement, which respects any existing records disposition authority, is in place to establish the terms and conditions for the records being transferred, including security considerations; and
• Consent is obtained from the Librarian and Archivist of Canada before the transfer of records (this is normally referred to as alienation).

Recording of new uses and disclosures

6.2.23 Communicating to the head or appropriate delegate any use, purpose or disclosure that is not reflected in the PIB description.

Retention and disposition of personal information

6.2.24 Applying the retention and disposal standards associated with the personal information and reporting the length of the retention period in the relevant PIB.

Note: Institutions are to consider the provisions of the Library and Archives of Canada Act when disposing of records containing personal information. Furthermore, those institutions subject to the Policy on Government Security are to dispose of records in accordance with government security standards.

Managing employee information

6.2.25 Implementing effective privacy practices, as described in this directive, to soundly manage the personal information of the government institution's employees.

6.3 Monitoring and reporting requirements

6.3.1 The monitoring and reporting requirements of the Policy on Privacy Protection apply to this directive.

7. Consequences

7.1 The consequences identified in the Policy on Privacy Protection apply to this directive.

8. Roles and responsibilities of government organizations

8.1 Further to the role described in Section 8 of the Policy on Privacy Protection, the Treasury Board of Canada Secretariat is responsible for:

• Ensuring that the PIBs of all government institutions subject to the Privacy Act are maintained and managed in compliance with the Act;
• Ensuring that the PIBs of all government institutions including the Bank of Canada are registered in compliance with the Act;
• Reviewing, which also involves making necessary recommendations, and approving the new or substantially modified PIBs of the government institutions defined as departments under the FAA; and
• Directing the terms and conditions for approval of PIBs as well as the terms and conditions for delegating the review and approval of PIBs to heads of departments.

8.2 The roles and responsibilities of other government organizations are described in section 8 of the Policy on Privacy Protection.

9. References

9.1 Relevant legislation and regulations

• Access to Information Act
• Access to Information Regulations
• Canadian Charter of Rights and Freedoms
• Financial Administration Act
• Library and Archives of Canada Act
• Official Languages Act
• Personal Information Protection and Electronic Documents Act
• Privacy Act
• Privacy Regulations

9.2 Related policy instruments and publications

• Communications Policy of the Government of Canada
• Directive on Privacy Impact Assessment
• Directive on Privacy Requests and Correction of Personal Information
• Directive on the Social Insurance Number
• Policy on Government Security
• Policy Framework for Information and Technology
• Policy on Access to Information
• Policy on Information Management
• Policy on Learning, Training and Development
• Policy on Management of Information Technology
• Policy on Privacy Protection
• Standard on Privacy and Web Analytics

10. Enquiries

10.1 Please direct enquiries about this directive to your institution's access to information and privacy (ATIP) coordinator. Should your institution require additional assistance in the interpretation of this directive, the ATIP coordinator is to contact TBS Public Enquiries.

Appendix A: Definitions

Administrative safeguard (Mesure de protection administrative)

Refers to the enforcement of a government institution's written policies, directives, rules, procedures and processes for the protection of personal information throughout the life cycle of both the personal information and the program or activity.

Classes of personal information (Catégories de renseignements personnels)

Refers to personal information that is not used administratively or not retrievable by personal identifier—for instance, unsolicited opinions or general correspondence may be categorized under classes of personal information.

Creation of personal information (Création de renseignements personnels)

Refers to any personal information element or sub-element that a government institution assigns to an identifiable individual regardless of whether the information is derived from existing personal information under the control of the government institution or the institution appends new information to the individual.

Delegate (Délégué)

Is the officer or employee that has been designated through a delegation order with the responsibilities of the head for the administration of the Privacy Act within the government institution. In cases where the responsibilities have not been delegated, an official or executive of the government institution will hold functional responsibility for the administration of the Privacy Act in the name of the head.

Disclosure (Divulgation)

Refers to the release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person.

Early disposition (Élimination précoce)

Refers to the disposition of personal information that was used for an administrative purpose before the two-year minimum retention standard established in subsection 4(1) of the Privacy Regulations. In accordance with section 12(1) of the Library and Archives of Canada Act, government records cannot be destroyed without the written consent of the Librarian and Archivist of Canada.

Handling (Traitement)

Refers to the retention, accuracy, use, disclosure and disposition of personal information. In the context of this directive, the term is used generically and for ease of reference and does not imply a lesser standard in terms of the above-mentioned concepts.

Indirect collection (Collecte indirecte)

Is a collection of personal information from a source other than the individual.

Original purpose (Raison d'être originale)

Is the purpose that was first identified when initiating the collection of personal information and is directly related to the parliamentary authority for the program or activity. A purpose that is not consistent with the original purpose is considered to be a secondary purpose.

Physical safeguard (Mesure de protection physique)

Refers to the facilities and equipment that protects the support system in which personal information is recorded and stored.

Predominantly (Principalement)

Means that a file's content contains a greater proportion of information that qualifies for exemption under section 21 or 22 of the Privacy Act, i.e., the more exemptible information found in a given file, the greater the likelihood that the file will qualify for inclusion in an exempt bank. Every file must be reviewed before it can be included in an exempt bank.

Privacy breach (Atteinte à la vie privée)

Involves improper or unauthorized creation, collection, use, disclosure, retention or disposal of personal information.

Privacy Notice (Avis de confidentialité)

Is a statement presented to an individual to communicate the purpose of a collection, including the authority of the government institution to collect, use and disclose the personal information for a given program or activity. It also states the rights of individuals to access their own personal information kept in the program's PIB and the consequences for refusing to provide their personal information.

Privacy practices (Pratiques relatives à la protection de la vie privée)

Refers to all practices related to the creation, collection, retention, accuracy, use, disclosure and disposition of personal information.

Privacy (Vie privée)

Is the right of an individual to be left alone, to be free of unwarranted intrusions. It is also the right of an individual to retain control over his or her personal information and to know the uses, disclosures and whereabouts of that information.

Regulatory Impact Analysis (RIA) (Étude d'impact de la réglementation)

Is a tool used for regulatory reform, which assesses the impact of regulation on the quality of the environment and the health, safety, security, and social and economic well-being of Canadians.

Reliable source (Source fiable)

Is a source of information or a data holding deemed to be accurate and up to date and, as such, can be trusted and relied on for the purposes of validating personal information.

Technical safeguard (Mesure de protection technique)

Refers to information technology measures used to protect the facility, the equipment, and the support system where personal information is recorded and stored.

Web analytics

Refers to the collection, analysis, measurement and reporting of data about Web traffic and user visits for purposes of understanding and optimizing Web usage.

Appendix B: Additional requirements under subsection 71(5) of the Privacy Act for the departments defined in section 2 of the Financial Administration Act (FAA)

In addition to registering and publishing PIBs in Info Source, subsections 71(3) and (4) of the Privacy Act require that the President of the Treasury Board approve each new personal information bank (PIB) or each substantial modification to or termination of an existing PIB submitted by the government institutions defined as departments under the FAA.

Unless this approval has been delegated by the President of the Treasury Board to the head of the department, pursuant to subsection 71(6) of the Privacy Act, the head or delegate responsible under section 10 of that Act is responsible for the following:

• Presenting all proposals for the creation of a new PIB or for the modification or termination of an existing PIB to the Treasury Board of Canada Secretariat for approval; and
• Providing justification or analysis in support of the proposal. In the case of a proposal to establish or substantially modify a PIB that involves administrative decisions, a completed core PIA will be required (see the Directive on Privacy Impact Assessment).

Appendix C: Requirements Related to Paragraph 8(2)(e) of the Privacy Act

Under paragraph 8(2)(e) of the Privacy Act, personal information may be disclosed to an investigative body specified in the Privacy Regulations, upon written request of that body, for the purpose of enforcing any Canadian or provincial law or carrying out a lawful investigation. This provision does not grant investigative bodies a right of access to personal information. It leaves the disclosure decision to the discretion of the institution that has control of the information once the relevant criteria have been satisfied.

8(2)(e) requests

Requests made under paragraph 8(2)(e) are to be in writing and contain the following:

• The name of the investigative body;
• The name of the individual who is the subject of the request or some other personal identifier;
• The purpose or the request and a description of the information to be disclosed;
• The section of the federal or provincial statute under which the investigative activity is being undertaken; and
• The name, title and signature of the member of the investigative body filing the request.

All copies of such requests received by an institution are to be retained.

Documenting 8(2)(e) disclosures

When such requests are received, the head of the institution or delegate responsible for decisions with respect to paragraph 8(2)(e) is to retain a record of disclosure for the personal information provided to the investigative body. The following information is to be documented in the record of disclosure:

• Clear indication on the request of whether it was granted or refused;
• The date the request was received;
• The PIBs in which the disclosed information is held;
• The specific personal information, record or file that was disclosed;
• The name, title and signature of the official who authorized the response; and
• The name of the institution.

A separate PIB is maintained for all records of disclosure to federal investigative bodies, including copies of the information that was disclosed to the requester. Pursuant to subsection 8(4) of the Privacy Act and section 7 of the Privacy Regulations, information contained in this PIB must be retained for a minimum of two years and must be made available to the Privacy Commissioner on request.