Policy on Privacy Protection
- Privacy Impact Assessment, Directive on
- Privacy Practices, Directive on
- Privacy Requests and Correction of Personal Information, Directive on
- Social Insurance Number, Directive on
Legislation And Regulations:
This policy replaces:
1. Effective date
1.1 This policy takes effect on August 20, 2014.
1.2 It replaces the Policy on Privacy Protection dated April 1, 2008.
2.1 This policy applies to government institutions as defined in section 3 of the Privacy Act (the Act), including parent Crown corporations and any wholly owned subsidiary of these corporations. It does not apply to the Bank of Canada.
2.2 This policy does not apply to information excluded under the Act.
3.1 Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to the personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust in government.
3.2 The Supreme Court of Canada has characterized the Act as "quasi-constitutional" because of the role privacy plays in the preservation of a free and democratic society. Privacy protection in this sense means limiting government interventions into the private lives of Canadians to lawful and necessary purposes. It also means that government is to ensure a high standard of care for personal information under the control of government institutions. The government also has to respond to requests for access to personal information. Sound information management plays a key role in facilitating the exercise of access rights under the Act and ensuring privacy protection.
3.3 With the enactment of the Federal Accountability Act, the scope of the Privacy Act was broadened and now includes well over 200 government institutions. Under the Privacy Act, the Treasury Board President is the designated minister responsible for preparing policy instruments concerning the operation of the Privacy Act and its Regulations. The Privacy Act establishes that policy and guidelines are the appropriate vehicles for supporting its administration.
3.4 Heads of the government institutions are responsible for the effective, well-coordinated, and proactive management of the Privacy Act and Privacy Regulations within their institutions.
3.5 This policy is issued pursuant to paragraph 71(1)(d) of the Act. This policy also contains elements that relate to paragraphs 70(1)(b) and (e) of the Act.
3.7 Additional mandatory privacy-related requirements are set out in the:
3.8 The President of the Treasury Board will issue specific directives and standards to support this policy regarding privacy impact assessments, the Social Insurance Number, administration of the Privacy Act, privacy practices, privacy management, annual reports to Parliament, creation and registration of personal information banks (PIBs) and statistical reporting.
4.1 Definitions to be used in the interpretation of this policy are in Appendix A. Certain terms included are defined in the Privacy Act and provided in Appendix A for ease of reference. Some of these definitions contain additional information not included in the Act.
5. Policy statement
The objectives of this policy are:
5.1.1 To facilitate statutory and regulatory compliance, and to enhance effective application of the Privacy Act and its Regulations by government institutions.
5.1.2 To ensure consistency in practices and procedures in administering the Act and Regulations so that applicants receive assistance in filing requests for access to personal information.
5.1.3 To ensure effective protection and management of personal information by identifying, assessing, monitoring and mitigating privacy risks in government programs and activities involving the collection, retention, use, disclosure and disposal of personal information.
5.2 Expected results
The expected results of this policy are:
5.2.1 Sound management practices with respect to the handling and protection of personal information, including identifying numbers;
5.2.2 Clear responsibilities in government institutions for decision-making and managing the operation of the Privacy Act and its Regulations, including complete, accurate and timely responses to Canadians and individuals who are present in Canada and who exercise their right of access to, and correction of, their personal information under the control of government institutions;
5.2.3 Consistent public reporting on the administration of the Act through the government institution's annual reports to Parliament, statistical reports and the annual publication of Info Source, produced by the Treasury Board Secretariat (TBS); and
5.2.4 Identification, assessment and mitigation of privacy impacts and risks for all new or modified programs and activities that involve the use of personal information.
6. Policy requirement
6.1 Heads of government institutions are responsible for:
Delegation under the Privacy Act
6.1.1 Deciding whether to delegate, pursuant to section 73 of the Privacy Act, any of their powers, duties or functions under the Act. Careful consideration should be given as to whether a delegation should be made. The provisions of the Act containing the powers, duties or functions that may be delegated are represented in Appendix B.
6.1.2 Signing an order, if a decision is made to delegate, authorizing one or more officers or employees of the institution, who are at the appropriate level, to exercise or perform the powers, duties or functions of the head, specified in the order. Once an order is signed, the powers, duties or functions that have been delegated may only be exercised or performed by the head of the institution or by the named officer(s) or employee(s). Delegates are accountable for any decisions they make. Ultimate responsibility, however, still rests with the head of the government institution.
6.2 Heads of government institutions or their delegates are responsible for:
6.2.1 Exercising discretion under the Privacy Act in a fair, reasonable and impartial manner with respect to decisions made in the processing of requests and the resolution of complaints pursuant to the Act, subject to the conditions set out in the Regulations.
6.2.2 Making employees of the government institution aware of policies, procedures and legal responsibilities under the Act.
Protecting the identity of the requestor
6.2.3 Ensuring that requestors' identities are protected and only disclosed when authorized by virtue of the Act and where there is a clear need to know in order to perform duties and functions related to the Act.
6.2.4 Directing employees of the government institution to provide accurate, timely and complete responses to requests made under the Act.
6.2.5 Implementing written procedures and practices for the government institution to ensure that every reasonable effort is made to help requestors receive complete, accurate and timely responses.
6.2.6 Establishing effective processes and systems to respond to requests for access to, and the correction of, personal information and to document deliberations and decisions made concerning requests received under the Act.
6.2.7 Establishing procedures to ensure that:
- The requested personal information is reviewed to determine whether it is subject to the Act. If subject to the Act, then determine whether any exemptions apply; and
- Any consultations necessary for the processing of requests made pursuant to the Act are undertaken.
6.2.8 Consulting departmental legal counsel, in compliance with established procedures, prior to excluding confidences of the Queen’s Privy Council for Canada.
6.2.9 Acquiring in compliance with established procedures and upon the request of the Privacy Commissioner, assurances that excluded information is a Confidence of the Queen's Privy Council for Canada.
Contracts and agreements
6.2.10 Establishing measures, when personal information is involved, to ensure that the government institution meets the requirements of the Privacy Act when contracting with private sector organizations, or when establishing agreements or arrangements with public sector organizations.
6.2.11 Ensuring that appropriate privacy protection clauses are included in contracts or agreements that may involve intergovernmental or transborder flows of personal information.
Notifying the Privacy Commissioner
6.2.12 Notifying the Privacy Commissioner of any planned initiatives (legislation, regulations, policies, programs) that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians. This notification is to take place at a sufficiently early stage to permit the Commissioner to review and discuss the issues involved.
Use of the Social Insurance Number
6.2.13 Ensuring compliance with the specific terms and conditions related to the use of the Social Insurance Number and the specific restrictions with regard to its collection, use and disclosure.
Privacy impact assessment
6.2.14 Ensuring that, when applicable, privacy impact assessments (PIAs) and multi-institutional PIAs are developed, maintained and published.
Privacy protocol for non-administrative purposes
6.2.15 Establishing a privacy protocol within the government institution for the collection, use or disclosure of personal information for non-administrative purposes, including research, statistical, audit and evaluation purposes.
6.2.16 Consulting with TBS on any proposal for the establishment or revocation of an exempt bank, and submitting a specific request to the President of the Treasury Board with regard to the proposal.
6.3 Monitoring and reporting requirements
Within government institutions
6.3.1 Heads or their delegates are responsible for monitoring compliance with this policy as it relates to the administration of the Privacy Act.
By government institutions
6.3.2 Under the Act, the head or the head's delegates are responsible for:
- Preparing and tabling in each House of Parliament an annual report on the administration of the Act;
- Preparing new or modified PIB descriptions; and
- Providing TBS with:
- A copy of the annual report;
- An update to its chapter in Info Source, including proposed new or modified PIBs; and
- A statistical report on the administration of the Privacy Act within the institution.
6.3.3 Treasury Board Secretariat will monitor compliance with all aspects of this policy by analyzing and reviewing public reporting documents required by the Privacy Act and other information, such as Treasury Board submissions, Departmental Performance Reports, results of audits, evaluations and studies, to assess the government institution's administration of the Act. For those government institutions subject to the Management Accountability Framework (MAF), information obtained from monitoring of compliance with this policy will be used in MAF assessments.
6.3.4 Treasury Board Secretariat will review the policy, its related directives, standards and guidelines, and their effectiveness, five years following the implementation of the policy. When substantiated by risk-analysis, TBS will also ensure that an evaluation is conducted.
7.1 For those government institutions that do not comply with this policy, its directives and standards, TBS will require them to provide additional information relating to the development and implementation of compliance strategies in their annual report to Parliament. This reporting will be in addition to other reporting requirements and will relate specifically to the compliance issues in question.
7.2 For those government institutions subject to the MAF, non-compliance, compliance and exemplary performance with respect to this policy, and related directives and standards will be reported in the assessment prepared as part of the MAF process.
7.3 On the basis of analysis of monitoring and information received, the designated minister may make recommendations to the head of the government institution. This could include prescribing any additional reporting requirements, as outlined in subsection 7.1 above.
7.4 The President of the Treasury Board, upon notification by TBS officials of a systemic compliance issue at a government institution, may review and revoke any delegation made under subsection 71(6) of the Privacy Act. This provision allows the President of Treasury Board to delegate to heads of government institutions that are departments as defined in section 2 of the Financial Administration Act, any of the powers, functions and duties of the designated minister with regard to the review and approval of new or modified personal information banks.
8. Roles and responsibilities of government organizations
8.1 Treasury Board Secretariat is responsible for issuing direction and guidance to government institutions with respect to the administration of the Privacy Act and interpretation of this policy. As such, TBS:
- Publishes an annual index of personal information under the control of government institutions;
- Reviews new and modified PIBs, assigns a registration number to new PIBs, and prescribes forms to be used in the administration of the Act, as well as the format and content of the annual report to Parliament;
- Advises all members of the Access to Information and Privacy community of any updates to the policy instruments; and
- Works closely with the Canada School of Public Service to determine the extent to which knowledge elements related to the Policy on Privacy Protection will be integrated into the required training courses, programs and knowledge assessment instruments.
8.2 The Clerk of the Privy Council Office is responsible for policies on the administration of Confidences of the Queen's Privy Council for Canada and determines what information constitutes a Confidence of the Queen's Privy Council for Canada.
8.3 The Privacy Commissioner of Canada is an Officer of Parliament who investigates complaints from individuals regarding the handling of personal information by federal government institutions. In addition, the Commissioner has the authority to conduct compliance reviews of the privacy practices of government institutions as the practices relate to the collection, retention, accuracy, use, disclosure and disposal of personal information by government institutions subject to the Act. The Commissioner has the powers of an ombudsman and can make recommendations with respect to any matter which has been investigated or reviewed. In addition, the Commissioner can report on institutional activities in annual or special reports to Parliament.
8.4 The Department of Justice supports the Minister of Justice in the role of designated minister for specific provisions of the Privacy Act. The Minister is responsible for:
- Designating, by order-in-council, the head of a government institution for the purposes of the Act;
- Extending the right of access by order;
- Specifying in regulations the government institutions or part of a government institution for the purposes of subsection 3(e) of the Act;
- Specifying investigative bodies;
- Specifying persons or bodies for the purposes of paragraph 8(2)(h);
- Specifying classes of investigations; and
- Amending the Schedule of the Act.
Other relevant legislation and regulations:
- Canadian Charter of Rights and Freedoms
- Access to Information Act
- Access to Information Regulations
- Personal Information Protection and Electronic Documents Act
- Official Languages Act
- Financial Administration Act
- Canada Evidence Act
- Library and Archives of Canada Act
Related policies and guidelines:
- Privacy Impact Assessment Policy
- Directive on the Social Insurance Number
- Policy on Access to Information
- Guidelines on Privacy
- Guidelines on Access to Information
- Communications Policy
- Policy Framework for Information and Technology
- Policy on Information Management
- Policy on Management of Information Technology
- Government Security Policy
- Policy on Learning, Training and Development
Please direct enquiries about this policy to your institution's ATIP Coordinator. For interpretation of this policy, the ATIP Coordinator is to contact:
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West, 14th Floor
Ottawa ON K1A 0R5
Telephone: 613- 946-4945
Appendix A – Definitions
Note: Certain terms contain excerpts (in quotation marks, with the reference cited) from the Privacy Act (the Act).
- Administrative purpose (fins administratives)
- Is the use of personal information about an individual "in a decision making process that directly affects that individual" (section 3). This includes all uses of personal information for confirming identity (i.e. authentication and verification purposes) and for determining eligibility of individuals for government programs.
- Annual report (rapport annuel)
- Is a report submitted by the head of a government institution to Parliament on the administration of the Act during the financial year.
- Complainant (plaignant(e))
- Is an individual who files a complaint with the Privacy Commissioner on any of the grounds set out in subsection 29(1) of the Act.
- Consistent use (usage compatible)
- Is a use that has a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled. This means that the original purpose and the proposed purpose are so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out.
- Data Matching (couplage des données)
- Is an activity involving the comparison of personal information from different sources, including sources within the same government institution, for administrative or non-administrative purposes. The data-matching activity that is established can be systematic or recurring. The data-matching activity can also be conducted on a periodic basis when deemed necessary. Under this policy, data matching includes the disclosure or sharing of personal information with another organization for data-matching purposes.
- Delegate (délégué)
- Is an officer or employee of a government institution who has been delegated to exercise or perform the powers, duties and functions of the head of the institution under the Act.
- Designated Minister (ministre désigné)
- Is a person who is designated as the Minister under subsection 3.1(1). For the purposes of this policy, the designated minister is the President of the Treasury Board.
- Excluded information (renseignements exclus)
- Is the information to which the Act does not apply as described in sections 69, 69.1, 70 and 70.1.
- Exempt bank (fichier inconsultable)
- Is a personal information bank that describes files, all of which consist predominantly of personal information that relates to international affairs, defence, law enforcement and investigation, as outlined in sections 21 and 22 of the Act. The head of a government institution can refuse to disclose any personal information requested that is contained in an exempt bank.
- Exemption (exception)
- Is a mandatory or discretionary provision under the Act that authorizes the head of the government institution to refuse to disclose information in response to a request received under the Act.
- Government institution (institution fédérale)
- Is "any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule; and, any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act" (section 3). The term "government institution" does not include Ministers' Offices.
- Head (responsable)
- Is the Minister, in the case of a department or ministry of state. In any other case, it is the person designated by the Privacy Act Heads of Government Institutions Designation Order. If no such person is designated, the chief executive officer of the government institution, whatever their title, is the head.
- Info Source (Info Source)
- Is a series of annual Treasury Board Secretariat publications in which government institutions are required to describe their institutions, program responsibilities and information holdings, including PIBs and classes of personal information. The descriptions are to contain sufficient clarity and detail to facilitate the exercise of the right of access under the Privacy Act. Data-matching activities, use of the SIN and all activities for which privacy impact assessments were conducted have to be cited in Info Source PIBs, as applicable. The Info Source publications also provide contact information for government institutions as well as summaries of court cases and statistics on access requests.
- Implementation report (rapport de mise en oeuvre)
- Is a notice issued by Treasury Board Secretariat to provide guidance on the interpretation and application of the Privacy Act and its related policy, directives, standards and guidelines.
- Multi-institutional privacy impact assessments (évaluations des facteurs relatifs à la vie privée multi-institutionnelles)
- Is a privacy impact assessment that involves more than one government institution. (See definition of privacy impact assessment, below.)
- New Consistent Use (nouvel usage compatible)
- Is a consistent use that was not originally identified in the appropriate Personal Information Bank (PIB) description in the government institution's chapter in Info Source.
- Non-administrative purpose (fins non-administratives)
- Is the use of personal information for a purpose that is not related to any decision-making process that directly affects the individual. This includes the use of personal information for research, statistical, audit and evaluation purposes.
- Personal information (renseignements personnels)
- Is "information about an identifiable individual that is recorded in any form" (section 3). See section 3 of the Act for additional information.
- Personal information bank (fichier de renseignements personnels)
- Is a description of personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution.
- Privacy impact assessment (évaluation des facteurs relatifs à la vie privée)
- Is a policy process for identifying, assessing and mitigating privacy risks. Government institutions are to develop and maintain privacy impact assessments for all new or modified programs and activities that involve the use of personal information for an administrative purpose.
- Privacy Commissioner (commissaire à la protection de la vie privée)
- Is an Officer of Parliament appointed by Governor in Council.
- Privacy protocol (protocol relatif à la protection des renseignements personnels)
- Is a set of documented procedures to be followed when using personal information for non-administrative purposes including research, statistical, audit and evaluation purposes. These procedures are to ensure that the individual's personal information is handled in a manner that is consistent with the principles of the Act.
- Privacy request (demande de renseignements personnels)
- Is a request for access to personal information under the Act.
- Program or activity (programme ou activité)
- Is, for the purposes of the appropriate collection, use or disclosure of personal information by government institutions subject to this policy, a program or activity that is authorized or approved by Parliament. Parliamentary authority is usually contained in an Act of Parliament or subsequent Regulations. Parliamentary authority can also be in the form of approval of expenditures proposed in the Estimates and as authorized by an appropriation Act. Also included in this definition are any activities conducted as part of the administration of the program.
- Requestor (requérant)
- Is a person who is requesting access to personal information about himself or herself or who has requested that a correction be made or a notation attached to his or her personal information.
- Social Insurance Number (SIN) (numéro d'assurance sociale (NAS))
- Is a number suitable for use as a file number or account number or for data-processing purposes, as defined in subsection 138(3) of the Employment Insurance Act. For purposes of paragraph 3(c) of the Privacy Act, the SIN is an identifying number, and is therefore considered to be personal information.
- Statistical report (rapport statistique)
- Is intended to provide up-to-date statistics on the operation of the legislation. The reports allow the government to monitor trends and to respond to enquiries from Members of Parliament, the public and the media. The reports also form the statistical portion of government institutions annual reports to Parliament. The forms used for preparing the report are prescribed by the designated minister, as provided under paragraphs 71(1)(c) and (e) of the Privacy Act.
Appendix B – Powers that can be delegated
Pursuant to section 73 of the Privacy Act, the head of a government institution may, by order, designate one or more officers or employees of that institution, who are at the appropriate level, to exercise or perform any of the powers, duties or functions that are to be exercised or performed by the institutional head under the following provisions of the Act and the Privacy Regulations.
- 8(2)(j) Disclosure for research purposes
- 8(2)(m) Disclosure in the public interest or in the interest of the individual
- 8(4) Copies of requests under 8(2)(e) to be retained
- 8(5) Notice of disclosure under 8(2)(m)
- 9(1) Record of disclosures to be retained
- 9(4) Consistent uses
- 10 Personal information to be included in personal information banks
- 14 Notice where access requested
- 15 Extension of time limits
- 17(2)(b) Language of access
- 17(3)(b) Access to personal information in alternative format
- 18(2) Exemption (exempt bank) – Disclosure may be refused
- 19(1) Exemption – Personal information obtained in confidence
- 19(2) Exemption – Where authorized to disclose
- 20 Exemption – Federal-provincial affairs
- 21 Exemption – International affairs and defence
- 22 Exemption – Law enforcement and investigation
- 22.3 Exemption – Public Servants Disclosure Protection Act
- 23 Exemption – Security clearances
- 24 Exemption – Individuals sentenced for an offence
- 25 Exemption – Safety of individuals
- 26 Exemption – Information about another individual
- 27 Exemption – Solicitor-client privilege
- 28 Exemption – Medical record
- 31 Notice of intention to investigate
- 33(2) Right to make representation
- 35(1) Findings and recommendations of Privacy Commissioner (complaints)
- 35(4) Access to be given
- 36(3) Report of findings and recommendations (exempt banks)
- 37(3) Report of findings and recommendations (compliance review)
- 51(2)(b) Special rules for hearings
- 51(3) Ex parte representations
- 72(1) Report to Parliament
- 9 Reasonable facilities and time provided to examine personal information
- 11(2) Notification that correction to personal information has been made
- 11(4) Notification that correction to personal information has been refused
- 13(1) Disclosure of personal information relating to physical or mental health may be made to a qualified medical practitioner or psychologist for an opinion on whether to release information to the requestor
- 14 Disclosure of personal information relating to physical or mental health may be made to a requestor in the presence of a qualified medical practitioner or psychologist