1.1 This directive takes effect on January 31, 2013.
1.2 It replaces the Directive on Privacy Practices dated April 1, 2010.
2.1 This directive applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.
2.2 This directive does not apply to the Bank of Canada.
3.1 The Privacy Act and Privacy Regulations provide the legal framework for the collection, retention, use, disclosure, disposition and accuracy of personal information in the administration of programs and activities by government institutions. The Privacy Act is modeled on internationally accepted standards, which are based on the principles that every individual retains ownership of his or her personal information and has the right to know what personal information is being collected about him or her, how it will be used, to whom it will be disclosed, and when and how it will be disposed of.
3.2 Under the Privacy Act, heads of all government institutions are required to identify, describe and publicly report their personal information banks (PIBs) and classes of personal information in the annual Treasury Board of Canada Secretariat series of publications entitled Info Source. The descriptions of PIBs and classes of personal information contained in Info Source are the vehicles through which the government institution informs the public and public service employees about the personal information it collects and how that information will be handled. Through these descriptions, individuals can also learn how their personal information is used and where it is retained and, consequently, can exercise their rights to access and correct their personal information.
3.3 Under the Policy on Privacy Protection, heads of government institutions are to establish practices for the management and protection of personal information under their control to ensure that the Privacy Act is administered in a consistent and fair manner. This directive supports the policy by setting out the requirements for sound privacy practices and management of personal information. Taken together, the Policy on Privacy Protection and its related directives and guidelines are the instruments upon which a sound privacy management strategy within government institutions is structured.
3.4 Under the Privacy Act, the President of the Treasury Board, as designated Minister, holds general responsibility for registering all PIBs and reviewing the manner in which they are maintained and managed in all government institutions. In addition to this general oversight role, the President of the Treasury Board is responsible for reviewing and approving new or substantially modified PIBs or establishing the terms and conditions for such approval for the departments defined in section 2 of the Financial Administration Act (FAA). Under subsection 71(6) of the Privacy Act, the President of the Treasury Board may choose to delegate this authority. In making this determination, the President of the Treasury Board will consider an institution's compliance with the Policy on Privacy Protection, with this and other directives as well as with any prescribed forms. The delegation for review and approval of PIBs can be given only to the departments defined in the FAA. Nevertheless, the President of the Treasury Board remains responsible for the ongoing review of PIBs for all government institutions that are subject to the Privacy Act.
3.5 This directive is issued pursuant to paragraph 71(1)(d) of the Privacy Act.
3.6 This directive is to be read in conjunction with the Privacy Act, the Privacy Regulations, the Policy on Privacy Protection, the Directive on Privacy Impact Assessment and the Directive on Social Insurance Number.
3.7 Additional mandatory requirements for the government institutions subject to the Privacy Act are set out in the Policy on Privacy Protection, the Directive on Privacy Impact Assessment, the Directive on Social Insurance Number and the Directive on Privacy Requests and Correction of Personal Information.
5.1.1 To facilitate the implementation and public reporting of consistent and sound privacy management practices for the creation, collection, retention, use, disclosure, disposition and accuracy of personal information under the control of government institutions.
5.2.1 Personal information is only collected, retained, used, disclosed and disposed of in a manner that respects both the privacy of individuals and the provisions of the Privacy Act and Privacy Regulations.
5.2.2 Personal information holdings of government institutions are described in a manner that facilitates the process for individuals to request access to and correction of their personal information.
5.2.3 The purposes for which government institutions collect personal information and the privacy practices that support the administration of programs and activities are described in their PIBs and classes of personal information.
6.1.1 Establishing effective privacy practices within their institution. These practices are to be followed when employees or executives are involved in activities related to the creation, collection, retention, accuracy, use, disclosure or disposition of personal information under the control of the government institution, including the personal information of employees of the institution.
6.1.2 Establishing a plan for addressing privacy breaches within their institution, which defines the following:
Note: Government institutions that are subject to Treasury Board policies will align any plans developed for addressing privacy breaches with similar requirements under the Policy on Government Security and its related directives and standards. For additional guidance, government institutions can refer to the Guidelines for Privacy Breaches.
6.1.3 Ensuring that all personal information under the control of the government institution is identified and described in its PIBs or classes of personal information. This includes any personal information collected or created by the government institution.
6.1.4 Ensuring that the development process for new or substantially modified PIBs is aligned with the process for the development and approval of the core privacy impact assessment (PIA).
6.1.5 Submitting proposals for the registration of a new PIB or the modification or termination of an existing PIB. Proposals are to include the following:
6.1.6 Fulfilling, for the departments defined in section 2 of the FAA, any of the additional requirements for PIB proposals described in Appendix B.
6.1.7 Consulting with the Treasury Board of Canada Secretariat on any proposal to establish or revoke an exempt bank and submitting for review a request to the Secretariat to designate a PIB as exempt. This request is to include the following:
6.1.8 Adhering to the policy requirements concerning requests from and disclosures to investigative bodies as outlined in Appendix C.
6.1.9 Establishing procedures to support the requirement for maintaining a record of new uses and disclosures as well as any consistent uses that are not reflected in a PIB. Such procedures will ensure that:
6.1.10 Ensuring that the use of Web analytics for measuring and improving performance of Government of Canada websites is done in accordance with the Standard on Privacy and Web Analytics.
6.2.1 Informing the individual who is responsible for the institution's PIBs of any new program or activity or any substantial modification to an existing program or activity where personal information is being collected or handled in a decision-making process that directly affects the individual.
6.2.2 Informing the individuals who are responsible for managing the institution's websites, as well as those functional specialists and Web content owners, of the need to ensure that the requirements of the Standard on Privacy and Web Analytics are being met.
6.2.3 Ensuring that privacy practices are consistent with and respect the provisions found in enabling legislation or other statutory instruments related to the government institution's mandate.
6.2.4 Informing employees of the legal and administrative consequences for any inappropriate or unauthorized access of personal information related to a particular program or activity.
6.2.5 Implementing the government institution's plan for addressing privacy breaches when necessary. See the Guidelines for Privacy Breaches issued by the Treasury Board of Canada Secretariat.
6.2.6 Reviewing exempt bank files related to their programs or activities on an ongoing basis and, if some personal information is no longer relevant, disposing of it in accordance with appropriate disposition schedules.
6.2.7 Establishing parliamentary authority for the government institution's program or activity before any collection of personal information. Obtaining an individual's consent to a collection does not replace or establish authority for the collection of personal information.
6.2.8 Establishing the elements to be included in a PIB before any new collection of personal information.
6.2.9 Limiting the collection of personal information to what is directly related to and demonstrably necessary for the government institution's programs or activities. Personal information that is created by the government institution is also considered a collection under the Privacy Act.
6.2.10 Notifying the individual whose personal information is collected directly of the following:
6.2.11 Adapting the Privacy Notice for either written or verbal communication at the time of collection. Written notices are to include a reference to the PIB described in Info Source.
Note: Under the Privacy Act, Privacy Notices are not required if the notification would result in collecting inaccurate information, would defeat the purpose of the collection or would compromise the use of the information collected.
Note: Consent is not required if the personal information is to be used for the purpose for which it was obtained, for a use consistent with that purpose or for a purpose for which it may be disclosed to the institution under subsection 8(2) of the Privacy Act.
6.2.12 Obtaining consent from an individual for the following:
6.2.13 Including the following elements, as applicable, when seeking consent:
Note: The above is supplementary to the information in the Privacy Notice.
6.2.14 Ensuring that consent is obtained in writing or is otherwise adequately documented, including such information as the date and time of consent. A record is required to support verbal consent.
6.2.15 Ensuring through all reasonable measures that personal information to be used in a decision-making process is as accurate, up to date and complete as possible. Those measures will involve one or more of the following:
Implementing, in cases when direct collection or obtaining consent is not feasible, measures to:
6.2.16 Documenting the source or technique used to validate the personal information and identifying, where appropriate, the source as well as any data matching in the relevant PIB description.
6.2.17 Ensuring that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision that could have an impact on them is made.
6.2.18 Identifying the work positions, within the program or activity, that have a valid reason to access and handle personal information and limiting access to individuals occupying those positions.
6.2.19 Limiting access and use of personal information by administrative, technical and physical means to protect the information and an individual's privacy.
6.2.20 Employing appropriate measures to ensure that access, use and disclosure of personal information is monitored and documented. Such measures are to address the timely identification of inappropriate or unauthorized access or handling of personal information related to a particular program or activity.
6.2.21 Adhering to the following requirements when personal information is being disclosed to another public or private sector institution, including another government institution:
Note: Government institutions subject to the Policy on Government Security are also to ensure that government security standards are respected, including industrial security requirements of the Department of Public Works and Government Services.
6.2.22 Ensuring, when personal information is being transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that:
6.2.23 Communicating to the head or appropriate delegate any use, purpose or disclosure that is not reflected in the PIB description.
6.2.24 Applying the retention and disposal standards associated with the personal information and reporting the length of the retention period in the relevant PIB.
Note: Institutions are to consider the provisions of the Library and Archives of Canada Act when disposing of records containing personal information. Furthermore, those institutions subject to the Policy on Government Security are to dispose of records in accordance with government security standards.
6.2.25 Implementing effective privacy practices, as described in this directive, to soundly manage the personal information of the government institution's employees.
6.3.1 The monitoring and reporting requirements of the Policy on Privacy Protection apply to this directive.
7.1 The consequences identified in the Policy on Privacy Protection apply to this directive.
8.1 Further to the role described in Section 8 of the Policy on Privacy Protection, the Treasury Board of Canada Secretariat is responsible for:
8.2 The roles and responsibilities of other government organizations are described in section 8 of the Policy on Privacy Protection.
10.1 Please direct enquiries about this directive to your institution's access to information and privacy (ATIP) coordinator. Should your institution require additional assistance in the interpretation of this directive, the ATIP coordinator is to contact TBS Public Enquiries.
Refers to the enforcement of a government institution's written policies, directives, rules, procedures and processes for the protection of personal information throughout the life cycle of both the personal information and the program or activity.
Refers to personal information that is not used administratively or not retrievable by personal identifier—for instance, unsolicited opinions or general correspondence may be categorized under classes of personal information.
Refers to any personal information element or sub-element that a government institution assigns to an identifiable individual regardless of whether the information is derived from existing personal information under the control of the government institution or the institution appends new information to the individual.
Is the officer or employee that has been designated through a delegation order with the responsibilities of the head for the administration of the Privacy Act within the government institution. In cases where the responsibilities have not been delegated, an official or executive of the government institution will hold functional responsibility for the administration of the Privacy Act in the name of the head.
Refers to the release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person.
Refers to the disposition of personal information that was used for an administrative purpose before the two-year minimum retention standard established in subsection 4(1) of the Privacy Regulations. In accordance with section 12(1) of the Library and Archives of Canada Act, government records cannot be destroyed without the written consent of the Librarian and Archivist of Canada.
Refers to the retention, accuracy, use, disclosure and disposition of personal information. In the context of this directive, the term is used generically and for ease of reference and does not imply a lesser standard in terms of the above-mentioned concepts.
Is a collection of personal information from a source other than the individual.
Is the purpose that was first identified when initiating the collection of personal information and is directly related to the parliamentary authority for the program or activity. A purpose that is not consistent with the original purpose is considered to be a secondary purpose.
Refers to the facilities and equipment that protects the support system in which personal information is recorded and stored.
Means that a file's content contains a greater proportion of information that qualifies for exemption under section 21 or 22 of the Privacy Act, i.e., the more exemptible information found in a given file, the greater the likelihood that the file will qualify for inclusion in an exempt bank. Every file must be reviewed before it can be included in an exempt bank.
Involves improper or unauthorized creation, collection, use, disclosure, retention or disposal of personal information.
Is a statement presented to an individual to communicate the purpose of a collection, including the authority of the government institution to collect, use and disclose the personal information for a given program or activity. It also states the rights of individuals to access their own personal information kept in the program's PIB and the consequences for refusing to provide their personal information.
Refers to all practices related to the creation, collection, retention, accuracy, use, disclosure and disposition of personal information.
Is the right of an individual to be left alone, to be free of unwarranted intrusions. It is also the right of an individual to retain control over his or her personal information and to know the uses, disclosures and whereabouts of that information.
Is a tool used for regulatory reform, which assesses the impact of regulation on the quality of the environment and the health, safety, security, and social and economic well-being of Canadians.
Is a source of information or a data holding deemed to be accurate and up to date and, as such, can be trusted and relied on for the purposes of validating personal information.
Refers to information technology measures used to protect the facility, the equipment, and the support system where personal information is recorded and stored.
Refers to the collection, analysis, measurement and reporting of data about Web traffic and user visits for purposes of understanding and optimizing Web usage.
In addition to registering and publishing PIBs in Info Source, subsections 71(3) and (4) of the Privacy Act require that the President of the Treasury Board approve each new personal information bank (PIB) or each substantial modification to or termination of an existing PIB submitted by the government institutions defined as departments under the FAA.
Unless this approval has been delegated by the President of the Treasury Board to the head of the department, pursuant to subsection 71(6) of the Privacy Act, the head or delegate responsible under section 10 of that Act is responsible for the following:
Under paragraph 8(2)(e) of the Privacy Act, personal information may be disclosed to an investigative body specified in the Privacy Regulations, upon written request of that body, for the purpose of enforcing any Canadian or provincial law or carrying out a lawful investigation. This provision does not grant investigative bodies a right of access to personal information. It leaves the disclosure decision to the discretion of the institution that has control of the information once the relevant criteria have been satisfied.
Requests made under paragraph 8(2)(e) are to be in writing and contain the following:
All copies of such requests received by an institution are to be retained.
When such requests are received, the head of the institution or delegate responsible for decisions with respect to paragraph 8(2)(e) is to retain a record of disclosure for the personal information provided to the investigative body. The following information is to be documented in the record of disclosure:
A separate PIB is maintained for all records of disclosure to federal investigative bodies, including copies of the information that was disclosed to the requester. Pursuant to subsection 8(4) of the Privacy Act and section 7 of the Privacy Regulations, information contained in this PIB must be retained for a minimum of two years and must be made available to the Privacy Commissioner on request.