1.1 This directive takes effect on April 1, 2010.
1.2 This directive replaces the following:
1.3 Government institutions will have until September 1, 2010, to implement the requirements of this directive except for those described in Subsections 6.3.9, 6.3.10, 6.3.11, 6.3.16, 6.3.17 and Appendix C, which institutions will have until April 1, 2011, to implement.
2.1 This directive applies to government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.
2.2 This directive does not apply to the Bank of Canada.
2.4 The directive does not apply to the development of new legislation.
3.1 The Government of Canada is committed to ensuring that privacy protection is a core consideration in the initial framing and subsequent administration of programs and activities involving personal information. In recent years, Canadians and parliamentarians have been concerned with the complex and sensitive privacy issues that stem from proactive anti-terrorism measures, use of surveillance and privacy-intrusive technology, sharing of personal information across borders and threats to privacy posed by security breaches. Canadians want to be informed of how their personal information is handled and assured of its protection.
3.2 Under the Privacy Act, a collection or grouping of personal information is referred to as a personal information bank (PIB). Under the Privacy Act, heads of government institutions are required to identify, describe and publicly report their PIBs. The President of the Treasury Board, as designated Minister, holds general responsibility for registering all PIBs and reviewing the manner in which they are maintained and managed in all government institutions defined in section 3 of the Privacy Act. In addition to this general oversight role, the President of the Treasury Board is responsible for reviewing and approving new or substantially modified PIBs or establishing the terms and conditions for such approval for the departments defined in section 2 of the Financial Administration Act (FAA). Under subsection 71(6) of the Privacy Act, the President of the Treasury Board may choose to delegate this authority to the departments defined in section 2 of the FAA. In making this determination, the President of the Treasury Board will consider a department's compliance with the Policy on Privacy Protection, with this and other directives as well as with any prescribed forms. The delegation for review and approval of PIBs can only be given to the departments defined in section 2 of the FAA. Regardless of any such delegation, the President of the Treasury Board remains responsible for the ongoing review of PIBs for all government institutions that are subject to the Privacy Act.
3.3 The Directive on Privacy Impact Assessment (PIA) supports the President of the Treasury Board's responsibilities by ensuring that privacy implications will be appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented. Government institutions routinely perform broad risk management activities and develop risk profiles related to their programs and activities. The PIA is the component of risk management that focuses on ensuring compliance with the Privacy Act requirements and assessing the privacy implications of new or substantially modified programs and activities involving personal information. However, if not properly framed within an institution's broader risk management framework, conducting a PIA can be a resource-intensive exercise. As such, the government is committed to ensuring that a PIA is conducted in a manner that is commensurate with the privacy risk identified and respects the operating environment of the government institution.
3.4 This directive is issued pursuant to paragraph 71(1)(d) and subsections 71(3), 71(4), 71(5) and 71(6) of the Privacy Act.
3.5 This directive is to be read in conjunction with the Privacy Act, the Privacy Regulations, the Policy on Privacy Protection, Directive on Privacy Practices and Directive on Privacy Requests and Correction of Personal Information and the Directive on Social Insurance Number.
5.1.1 To provide direction to government institutions with respect to the administration of PIAs for new or substantially modified programs and activities involving the creation, collection and handling of personal information; and
5.1.2 To ensure, through the conduct of PIAs, sound management and decision making as well as careful consideration of privacy risks with respect to the creation, collection and handling of personal information as part of government programs or activities.
5.2.1 PIAs are conducted in a manner that is commensurate with the level of privacy risk identified prior to establishing any new or substantially modified program or activity involving personal information.
5.2.2 Privacy practices that comply with legal and policy requirements related to the administration of the Privacy Act are implemented.
5.2.3 The public reporting of personal information under the control of government institutions is complete, accurate and up to date.
6.1.1 Establishing a PIA development and approval process that:
6.2.1 Establishing or modifying PIBs in collaboration with the senior official or executive holding functional responsibility for the new or substantially modified program or activity;
6.2.2 Obtaining approval of the designated Minister for any new or substantially modified PIB before implementing the new or modified program or activity, unless otherwise specified in the terms and conditions of a delegation under subsection 71(6) of the Privacy Act-this requirement only applies to the departments defined in section 2 of the FAA;
6.2.3 Adhering to the specific obligations related to PIAs and the Treasury Board submission process outlined in Appendix B; and
6.2.4 Collaborating with the appropriate senior official or executive to ensure that PIAs are completed and respect the process outlined in section 6.3.
6.3.1 Initiating a PIA for a program or activity in the following circumstances:
6.3.2 Determining, in consultation with the official responsible for section 10 of the Privacy Act, whether:
6.3.3 Documenting decisions adequately with respect to requirement 6.3.2.
6.3.4 Identifying the lead government institution in cases of multi-institutional PIAs. Unless otherwise established by an arrangement or agreement, the lead government institution will be the institution that has primary control over the personal information or holds the authority for initiating the program or activity.
6.3.5 Ensuring, in cases where the above factors are not relevant because the program or activity is common to all government institutions, that the lead will be, unless otherwise established by an arrangement or agreement, the government institution that either:
6.3.6 Coordinating, as appropriate, an interdepartmental committee made up of key stakeholders, including legal and policy authorities when a new program or activity involves government-wide consideration.
6.3.7 Determining and documenting the most appropriate approach for the completion and approval of the PIA in support of the program or activity. In cases of joint programs or activities, an overarching or a multi-institutional PIA is favoured. At a minimum, the approach will take into consideration the approval process of the institutions involved and will cover the full scope of the program or activity.
6.3.8 Overseeing the initial collection as well as any disclosures to government institutions involved in the program or activity.
6.3.9 Completing the core PIA elements as outlined in Appendix C.
6.3.11 Determining, in consultation with the official responsible for section 10 of the Privacy Act and based on the completed core PIA, if additional documentation or analysis is required and whether further elaboration on specific risk mitigation is warranted. When high level risks are identified, additional documentation, including mitigation plans or strategies, will be required.
6.3.12 Obtaining, prior to seeking formal approval, endorsement or sign-off from:
6.3.13 Obtaining internal approval of the completed core PIA in accordance with the process established within the government institution.
6.3.14 Ensuring that the approved core PIA is provided to Treasury Board Secretariat (TBS) along with the proposed new or substantially modified PIB description, unless otherwise specified in the terms and conditions of a delegation under subsection 71(6) of the Privacy Act. TBS will only confirm that mandatory requirements of the core PIA have been completed for the purpose of establishing or revising a PIB. Because no additional documentation will be reviewed, none is to be provided to TBS for the purpose of reviewing and approving PIBs.
6.3.15 Ensuring that the approved core PIA provided to TBS is simultaneously provided to the Office of the Privacy Commissioner, along with any additional documentation that may be requested by that office.
6.3.18 Sharing copies of the approved PIA and other relevant documentation with partners or other government institutions as required and in a manner that respects security requirements as well as any other confidentiality or legal consideration.
6.4.1 The monitoring and reporting requirements of the Policy on Privacy Protection apply to this directive.
7.1 The consequences outlined in the Policy on Privacy Protection apply to this directive.
8.1 In addition to the roles and responsibilities of government organizations identified in the Policy on Privacy Protection, the Treasury Board Secretariat will:
8.1.1 Review the content of the approved core PIA in a timely manner to ensure that the assessment is complete. TBS does not approve PIAs and will only review the core PIA to fulfill its obligation with respect to the review and approval of PIBs.
8.1.2 Review, approve and register PIBs for the departments defined in section 2 of the FAA.
8.1.3 Review and register the PIBs of all government institutions including the Bank of Canada in compliance with the Act;
8.1.4 Review Appendix C-Core privacy impact assessment on an annual basis to ensure that the core PIA remains relevant and propose amendments if required.
8.2 In addition to the roles and responsibilities of government organizations identified in the Policy on Privacy Protection, the Office of the Privacy Commissioner can:
8.2.1 Decide whether analysis or additional information is necessary for the purpose of its review or investigation under the Privacy Act.
As an Officer of Parliament charged with the oversight of the Privacy Act, the Privacy Commissioner has broad powers of investigation and review and can request additional project documentation related to the planning, assessment or implementation of new or substantially modified programs or activities that involve personal information or have an impact on the privacy of Canadians and of those individuals present in Canada.
10.1 Please direct enquiries about this directive to your institution's access to information and privacy (ATIP) coordinator. For interpretation of this directive, the ATIP coordinator is to contact:
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West
Ottawa ON K1A 0R5
Telephone: 613- 946-4945
Government institutions seeking Treasury Board approval for programs or activities that involve personal information are responsible for:
Unless otherwise specified in the terms and conditions of a delegation under subsection 71(6) of the Privacy Act, government institutions defined as departments in section 2 of the FAA and referenced in subsection 71(5) of the Privacy Act are responsible for:
Note: Under the Policy on Privacy Protection, heads of government institutions are required to notify the Privacy Commissioner of any planned initiatives (legislation, regulations, policies, programs) that could relate to the Privacy Act or to any of its provisions or that could have an impact on the privacy of Canadians. This notification is to take place at a sufficiently early stage to permit the Commissioner to review and discuss the issues involved.
The following sections and their information requirements make up the minimum content of the core PIA. In the case of a multi-institutional PIA, each government institution involved will be responsible for contributing to or completing the core PIA in a manner that is consistent with the approach outlined by the lead government institution.
The core PIA must include a completed risk identification and categorization section as outlined below. To have consistent risk categories and risk measurement across government institutions, standardized risk areas (itemized below) and a common risk scale are to be maintained as the basis for risk analysis.
The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.
The initial step of the analysis consists of evaluating each risk area independently. The second step consists of grouping the individual results to determine if a more in depth analysis is required. The greater the number of risk areas identified as level 3 or 4, the more likely it is that specific risk areas will need to be addressed in a more comprehensive manner.
|a) Type of program or activity||Risk scale|
|- Program or activity that does NOT involve a decision about an identifiable individual||1|
|- Administration of program or activity and services||2|
|- Compliance or regulatory investigations and enforcement||3|
|- Criminal investigation and enforcement or national security||4|
|b) Type of personal information involved and context||Risk scale|
|- Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.||1|
|- Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.||2|
|- Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.||3|
|- Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive.||4|
|c) Program or activity partners and private sector involvement||Risk scale|
|- Within the institution (among one or more programs within the same institution)||1|
|- With other government institutions||2|
|- With other institutions or a combination of federal, provincial or territorial, and municipal governments||3|
|- Private sector organizations, international organizations or foreign governments||4|
|d) Duration of the program or activity||Risk scale|
|- One-time program or activity||1|
|- Short-term program or activity||2|
|- Long-term program or activity||3|
|e) Program population||Risk scale|
|- The program's use of personal information for internal administrative purposes affects certain employees.||1|
|- The program's use of personal information for internal administrative purposes affects all employees.||2|
|- The program's use of personal information for external administrative purposes affects certain individuals.||3|
|- The program's use of personal information for external administrative purposes affects all individuals.||4|
|f) Technology and privacy|
|- Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?|
|- Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?|
|Specific technological issues and privacy
- Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
|A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.|
|g) Personal information transmission||Risk scale|
|- The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled).||1|
|- The personal information is used in a system that has connections to at least one other system.||2|
|- The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed.||3|
|- The personal information is transmitted using wireless technologies.||4|
h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.
i) Potential risk that
in the event of a privacy breach, there will be an impact on the institution.
Note: For additional guidance on items h) and i), government institutions can refer to the Guidelines for Privacy Breaches.
In the case of a multi-institutional PIA, each government institution involved is, at a minimum, responsible for completing items b), c), f), g), h) and i), whereas the lead government institution is responsible for completing items a), d) and e).
In the case of a multi-institutional PIA, each government institution involved is, at a minimum, responsible for identifying the elements of personal information collected or disclosed in relation to their involvement in the multi-institutional program or activity.
The government institution is to determine the format for representing the flow of personal information.
In the case of a multi-institutional PIA, each government institution involved is, at a minimum, responsible for outlining the flow of personal information under its control. The lead government institution will be responsible for outlining the flow of personal information between or among government institutions.
In the case of a multi-institutional PIA, each government institution involved is, at a minimum, responsible for outlining the privacy practices for the personal information under its control.
Completion of the above sections with the information requested fulfills the minimum content requirements of the core PIA.