1.1 This directive takes effect on May 6, 2014.
1.2 It replaces the Directive on Privacy Practices dated January 31, 2013.
2.1 This directive applies to government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and their wholly owned subsidiaries, if any.
2.2 This directive does not apply to the Bank of Canada.
3.1 The Privacy Act (Act) and the Privacy Regulations (Regulations) provide the legal framework for the creation, collection, retention, use, disclosure, accuracy and disposition of personal information in the administration of programs and activities by government institutions.
3.2 Under the Act, heads of all government institutions are required to identify, describe and publicly report their institutions' personal information banks (PIBs) and classes of personal information in the Treasury Board of Canada Secretariat's (TBS) annual publication entitled Info Source. The descriptions of PIBs and classes of personal information contained in Info Source describe how government institutions inform the public and their employees about the personal information they collect and how that information is handled, used, retained and disposed of. Info Source assists individuals in exercising their rights under the Act.
3.3 Under the Policy on Privacy Protection, heads of government institutions are to establish practices for the protection and management of personal information under their respective institution's control to ensure that the Act is administered in a consistent and fair manner. This directive supports the policy by setting out the requirements for sound privacy practices and management of personal information.
3.4 The President of the Treasury Board (President), as designated Minister for the purposes of paragraphs 71(1)(a) and (b) of the Act, holds general responsibility for registering all PIBs and for reviewing the manner in which they are maintained and managed in all government institutions. In addition to this general oversight role, the President is responsible for reviewing and approving new or substantially modified PIBs for the government institutions that are departments, as defined in section 2 of the Financial Administration Act (FAA), or may exercise his or her discretion to delegate this authority, subject to terms and conditions, under subsection 71(6) of the Act. In exercising this discretion, the President will consider an institution's compliance with the Policy on Privacy Protection, with this and other directives, as well as with any prescribed forms. Even if the President delegates his or her authority, the President remains responsible for the ongoing review of PIBs for all government institutions that are subject to the Act.
3.5 This directive is issued pursuant to paragraph 71(1)(d) of the Act.
3.6 This directive is to be read in conjunction with the Act, the Regulations, other applicable legislation, including the institution's enabling legislation, the Policy on Privacy Protection, the Directive on Privacy Impact Assessment, the Directive on Social Insurance Number, the Directive on Privacy Requests and Correction of Personal Information and the Standard on Privacy and Web Analytics.
5.1.1 To facilitate the implementation and public reporting of consistent and sound privacy management practices for the creation, collection, retention, use, disclosure, accuracy and disposition of personal information under the control of government institutions.
5.2.1 Personal information is only created, collected, retained, used, disclosed and disposed of in a manner that respects the provisions of the Act and the Regulations.
5.2.2 PIBs and classes of personal information of government institutions are described in a manner that facilitates the process for individuals to request access to and correction of personal information.
5.2.3 The purposes for which government institutions collect personal information and the privacy practices that support the administration of programs and activities are described in the PIBs and classes of personal information.
6.1.1 Establishing effective privacy practices in their institution, as set out below. These practices are to be followed when officers or employees are involved in activities related to the creation, collection, retention, accuracy, use, disclosure or disposition of personal information under the control of the government institution, including the personal information of officers or employees of the institution.
6.1.2 Establishing plans and procedures for addressing privacy breaches in their institution, which include the following:
6.1.3 Ensuring that the development process for new or substantially modified PIBs is aligned with the process for the development and approval of the core privacy impact assessment, as required by the Directive on Privacy Impact Assessment.
6.1.4 Submitting a request to TBS for the registration of each new PIB, or the termination of an existing PIB, and ensuring that requests are accompanied by the following information:
6.1.5 Satisfying, for the institutions that are departments as defined in section 2 of the FAA, the additional requirements, as set out in Appendix B, for approvals by the President in relation to PIBs, unless this approval authority has been delegated to the head of the institution by the President, subject to terms and conditions.
6.1.6 Notifying TBS of changes to PIBs and, where these changes are substantial, ensuring that TBS receives a core privacy impact assessment as required by the Directive on Privacy Impact Assessment.
6.1.7 Ensuring that proposals submitted to TBS to establish or revoke an exempt bank include the following:
6.1.8 Adhering to the requirements concerning requests from and disclosures to investigative bodies outlined in Appendix C.
6.1.9 Establishing procedures for maintaining a record of new uses and disclosures, as well as any consistent uses that are not reflected in a PIB. Such procedures will ensure that:
6.1.10 Ensuring that the use of Web analytics for measuring and improving performance of Government of Canada websites complies with the Standard on Privacy and Web Analytics.
6.2.1 Informing the individual who is responsible for the institution's PIBs of any new program or activity or of any substantial modification to an existing program or activity where personal information is collected or handled in a decision-making process that directly affects the individual.
6.2.2 Informing the individuals who are responsible for managing the institution's websites, as well as functional specialists and Web content owners, of the need to comply with the requirements of the Standard on Privacy and Web Analytics.
6.2.3 Ensuring that privacy practices are consistent with and respect the provisions found in the Act, the Regulations and other applicable legislation, including the institution's enabling legislation.
6.2.4 Informing employees of the legal and administrative consequences of any inappropriate or unauthorized access to, or use, disclosure, modification, retention and disposition of, personal information related to a particular program or activity.
6.2.5 Implementing the institution's plan for addressing privacy breaches. See Guidelines for Privacy Breaches issued by TBS.
6.2.6 Ensuring, before collecting personal information, that the institution has parliamentary authority for the program or activity for which the information is being collected. Obtaining an individual's consent to a collection of personal information does not replace or establish authority for the collection of that information.
6.2.7 Identifying the elements to be included in a PIB before there is any new collection of personal information.
6.2.8 Limiting the collection of personal information to what is directly related to and demonstrably necessary for the government institution's programs or activities. Personal information that is created by the government institution is also considered a collection under the Act.
6.2.9 Notifying the individual whose personal information is collected directly of the following:
6.2.10 Adapting the privacy notice for either written or verbal communication at the time of collection. Notices are to include a reference to the PIB described in Info Source.
6.2.11 Consent is not required if the personal information is to be used for the authorized purpose for which it was obtained, for a use consistent with that purpose or for a purpose for which it may be disclosed to the institution under subsection 8(2) of the Act.
6.2.12 Obtaining consent from an individual for the following:
6.2.13 Including the following elements, as applicable, when seeking consent:
6.2.14 Ensuring that consent is obtained in writing or is otherwise adequately documented, including such information as the date and time of consent. A record is required to support verbal consent.
6.2.15 Ensuring, through all reasonable measures, that personal information to be used in a decision-making process is as accurate, up-to-date and complete as possible. Those measures will involve one or more of the following:
6.2.16 Implementing, in cases when direct collection or obtaining consent is not feasible, measures to:
6.2.17 Documenting the source or technique used to validate the personal information and identifying, where appropriate, the source, as well as any data matching in the relevant PIB description.
6.2.18 Ensuring that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision is made that could have an impact on them.
6.2.19 Identifying which positions or functions in the program or activity have a valid reason to access and handle personal information and limiting access to individuals occupying those positions.
6.2.20 Limiting access to, and use of, personal information by administrative, technical and physical means, to protect that information.
6.2.21 Adopting appropriate measures to ensure that access to, as well as use and disclosure of, personal information are monitored and documented in order to support the timely identification of inappropriate or unauthorized access to, or handling of, personal information.
6.2.22 Following the requirements set out below when personal information is disclosed to another institution, to a public or private sector entity, or to an individual:
6.2.23 Ensuring, when personal information is transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that:
6.2.24 Notifying the head or appropriate delegate of any use, purpose or disclosure of personal information that is not reflected in the PIB description and updating the PIB accordingly.
6.2.25 Applying the institution's standards for the retention of personal information, as well as the disposition standards as established by Library and Archives Canada, and reporting them in the relevant PIB.
6.2.26 Ensuring that personal information of an individual that has been used for an administrative purpose is retained by the institution in accordance with subsection 6(1) of the Act and paragraphs 4(1)(a) and (b) of the Regulations.
6.2.27 Reviewing files described within PIBs, including those of exempt banks, on a regular basis and disposing of records containing personal information in accordance with direction from Library and Archives Canada, as stipulated in sections 12 through 14 of the Library and Archives of Canada Act.
6.2.28 Institutions that are subject to the Policy on Government Security are to dispose of records in accordance with government security standards.
6.3.1 The monitoring and reporting requirements of the Policy on Privacy Protection apply to this directive.
7.1 The consequences identified in the Policy on Privacy Protection apply to this directive.
8.2 The roles and responsibilities of other government organizations are described in section 8 of the Policy on Privacy Protection.
10.1 Please direct enquiries about this directive to your institution's access to information and privacy (ATIP) coordinator. For interpretation of this directive, the ATIP coordinator is to contact:
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West
Ottawa, Ontario K1A 0R5
In addition to requiring the registration and publication of personal information banks (PIBs) in Info Source, subsections 71(3) and (4) of the Act require that the President approve each new PIB or each substantial modification to or termination of an existing PIB submitted by the government institutions defined as departments under section 2 of the FAA.
Unless the President has delegated this approval to the head of the department, pursuant to subsection 71(6) of the Act, the head or delegate responsible under section 10 of the Act is responsible for the following:
Under paragraph 8(2)(e) of the Act, personal information may be disclosed to an investigative body specified in the Regulations, upon written request of that body, for the purpose of enforcing any Canadian or provincial law or carrying out a lawful investigation. This provision does not grant investigative bodies a right of access to personal information. It leaves the disclosure decision to the discretion of the institution that has control of the information once the relevant criteria have been satisfied.
Requests made under paragraph 8(2)(e) of the Act are to be in writing and are to contain the following:
All copies of such requests received by an institution are to be retained.
When such requests are received, the head of the institution or the delegate responsible for decisions with respect to paragraph 8(2)(e) of the Act is to retain a record of disclosure for the personal information provided to the investigative body. The record of disclosure is to contain the following:
A separate PIB is maintained for all records of disclosure to federal investigative bodies, including copies of the information that was disclosed to the requester. Pursuant to subsection 8(4) of the Act and section 7 of the Regulations, information contained in this PIB must be retained for a minimum of two years and must be made available to the Privacy Commissioner on request.