1.1 This policy takes effect on April 1, 2008.
1.2 It replaces the Policy on Privacy and Data Protection dated 1993, and all mandatory policy requirements contained in Implementation Reports issued up to the effective date of this policy.
2.1 This policy applies to government institutions as defined in section 3 of the Privacy Act (the Act), including parent Crown corporations and any wholly owned subsidiary of these corporations. It does not apply to the Bank of Canada.
2.2 This policy does not apply to information excluded under the Act.
3.1 Canadians value their privacy and the protection of their personal information. They expect government institutions to respect the spirit and requirements of the Privacy Act. The Government of Canada is committed to protecting the privacy of individuals with respect to the personal information that is under the control of government institutions. The government recognizes that this protection is an essential element in maintaining public trust in government.
3.2 The Supreme Court of Canada has characterized the Act as "quasi-constitutional" because of the role privacy plays in the preservation of a free and democratic society. Privacy protection in this sense means limiting government interventions into the private lives of Canadians to lawful and necessary purposes. It also means that government is to ensure a high standard of care for personal information under the control of government institutions. The government also has to respond to requests for access to personal information. Sound information management plays a key role in facilitating the exercise of access rights under the Act and ensuring privacy protection.
3.3 With the enactment of the Federal Accountability Act, the scope of the Privacy Act was broadened and now includes well over 200 government institutions. Under the Privacy Act, the Treasury Board President is the designated minister responsible for preparing policy instruments concerning the operation of the Privacy Act and its Regulations. The Privacy Act establishes that policy and guidelines are the appropriate vehicles for supporting its administration.
3.4 Heads of the government institutions are responsible for the effective, well-coordinated, and proactive management of the Privacy Act and Privacy Regulations within their institutions.
3.5 This policy is issued pursuant to paragraph 71(1)(d) of the Act. This policy also contains elements that relate to paragraphs 70(1)(b) and (e) of the Act.
3.6 This policy is to be read in conjunction with the Policy Framework for Information and Technology and the Policy on Access to Information.
3.7 Additional mandatory privacy-related requirements are set out in the:
3.8 The President of the Treasury Board will issue specific directives and standards to support this policy regarding privacy impact assessments, the Social Insurance Number, administration of the Privacy Act, privacy practices, privacy management, annual reports to Parliament, creation and registration of personal information banks (PIBs) and statistical reporting.
4.1 Definitions to be used in the interpretation of this policy are in Appendix A. Certain terms included are defined in the Privacy Act and provided in Appendix A for ease of reference. Some of these definitions contain additional information not included in the Act.
The objectives of this policy are:
5.1.1 To facilitate statutory and regulatory compliance, and to enhance effective application of the Privacy Act and its Regulations by government institutions.
5.1.2 To ensure consistency in practices and procedures in administering the Act and Regulations so that applicants receive assistance in filing requests for access to personal information.
5.1.3 To ensure effective protection and management of personal information by identifying, assessing, monitoring and mitigating privacy risks in government programs and activities involving the collection, retention, use, disclosure and disposal of personal information.
The expected results of this policy are:
5.2.1 Sound management practices with respect to the handling and protection of personal information, including identifying numbers;
5.2.2 Clear responsibilities in government institutions for decision-making and managing the operation of the Privacy Act and its Regulations, including complete, accurate and timely responses to Canadians and individuals who are present in Canada and who exercise their right of access to, and correction of, their personal information under the control of government institutions;
5.2.3 Consistent public reporting on the administration of the Act through the government institution's annual reports to Parliament, statistical reports and the annual publication of Info Source, produced by the Treasury Board Secretariat (TBS); and
5.2.4 Identification, assessment and mitigation of privacy impacts and risks for all new or modified programs and activities that involve the use of personal information.
6.1.1 Deciding whether to delegate, pursuant to section 73 of the Privacy Act, any of their powers, duties or functions under the Act. Careful consideration should be given as to whether a delegation should be made. The provisions of the Act containing the powers, duties or functions that may be delegated are represented in Appendix B.
6.1.2 Signing an order, if a decision is made to delegate, authorizing one or more officers or employees of the institution, who are at the appropriate level, to exercise or perform the powers, duties or functions of the head, specified in the order. Once an order is signed, the powers, duties or functions that have been delegated may only be exercised or performed by the head of the institution or by the named officer(s) or employee(s). Delegates are accountable for any decisions they make. Ultimate responsibility, however, still rests with the head of the government institution.
6.2.1 Exercising discretion under the Privacy Act in a fair, reasonable and impartial manner with respect to decisions made in the processing of requests and the resolution of complaints pursuant to the Act, subject to the conditions set out in the Regulations.
6.2.2 Making employees of the government institution aware of policies, procedures and legal responsibilities under the Act.
6.2.3 Ensuring that requestors' identities are protected and only disclosed when authorized by virtue of the Act and where there is a clear need to know in order to perform duties and functions related to the Act.
6.2.4 Directing employees of the government institution to provide accurate, timely and complete responses to requests made under the Act.
6.2.5 Implementing written procedures and practices for the government institution to ensure that every reasonable effort is made to help requestors receive complete, accurate and timely responses.
6.2.6 Establishing effective processes and systems to respond to requests for access to, and the correction of, personal information and to document deliberations and decisions made concerning requests received under the Act.
6.2.7 Establishing procedures to ensure that:
6.2.8 Consulting the Privy Council Office, in compliance with established procedures, prior to excluding Cabinet Confidences.
6.2.9 Acquiring, in compliance with established procedures and upon the request of the Privacy Commissioner, assurances that excluded information is a Confidence of the Queen's Privy Council for Canada.
6.2.10 Establishing measures, when personal information is involved, to ensure that the government institution meets the requirements of the Privacy Act when contracting with private sector organizations, or when establishing agreements or arrangements with public sector organizations.
6.2.11 Ensuring that appropriate privacy protection clauses are included in contracts or agreements that may involve intergovernmental or transborder flows of personal information.
6.2.12 Notifying the Privacy Commissioner of any planned initiatives (legislation, regulations, policies, programs) that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians. This notification is to take place at a sufficiently early stage to permit the Commissioner to review and discuss the issues involved.
6.2.13 Ensuring compliance with the specific terms and conditions related to the use of the Social Insurance Number and the specific restrictions with regard to its collection, use and disclosure.
6.2.14 Ensuring that, when applicable, privacy impact assessments (PIAs) and multi-institutional PIAs are developed, maintained and published.
6.2.15 Establishing a privacy protocol within the government institution for the collection, use or disclosure of personal information for non-administrative purposes, including research, statistical, audit and evaluation purposes.
6.2.16 Consulting with TBS on any proposal for the establishment or revocation of an exempt bank, and submitting a specific request to the President of the Treasury Board with regard to the proposal.
6.3.1 Heads or their delegates are responsible for monitoring compliance with this policy as it relates to the administration of the Privacy Act.
6.3.2 Under the Act, the head or the head's delegates are responsible for:
6.3.3 Treasury Board Secretariat will monitor compliance with all aspects of this policy by analyzing and reviewing public reporting documents required by the Privacy Act and other information, such as Treasury Board submissions, Departmental Performance Reports, results of audits, evaluations and studies, to assess the government institution's administration of the Act. For those government institutions subject to the Management Accountability Framework (MAF), information obtained from monitoring of compliance with this policy will be used in MAF assessments.
6.3.4 Treasury Board Secretariat will review the policy, its related directives, standards and guidelines, and their effectiveness, five years following the implementation of the policy. When substantiated by risk analysis, TBS will also ensure that an evaluation is conducted.
7.1 For those government institutions that do not comply with this policy, its directives and standards, TBS will require them to provide additional information relating to the development and implementation of compliance strategies in their annual report to Parliament. This reporting will be in addition to other reporting requirements and will relate specifically to the compliance issues in question.
7.2 For those government institutions subject to the MAF, non-compliance, compliance and exemplary performance with respect to this policy, and related directives and standards will be reported in the assessment prepared as part of the MAF process.
7.3 On the basis of analysis of monitoring and information received, the designated minister may make recommendations to the head of the government institution. This could include prescribing any additional reporting requirements, as outlined in subsection 7.1 above.
7.4 The President of the Treasury Board, upon notification by TBS officials of a systemic compliance issue at a government institution, may review and revoke any delegation made under subsection 71(6) of the Privacy Act. This provision allows the President of Treasury Board to delegate to heads of government institutions that are departments as defined in section 2 of the Financial Administration Act, any of the powers, functions and duties of the designated minister with regard to the review and approval of new or modified personal information banks.
8.1 Treasury Board Secretariat is responsible for issuing direction and guidance to government institutions with respect to the administration of the Privacy Act and interpretation of this policy. As such, TBS:
8.2 The Clerk of the Privy Council Office is responsible for policies on the administration of Confidences of the Queen's Privy Council for Canada and determines what information constitutes a Confidence of the Queen's Privy Council for Canada.
8.3 The Privacy Commissioner of Canada is an Officer of Parliament who investigates complaints from individuals regarding the handling of personal information by federal government institutions. In addition, the Commissioner has the authority to conduct compliance reviews of the privacy practices of government institutions as the practices relate to the collection, retention, accuracy, use, disclosure and disposal of personal information by government institutions subject to the Act. The Commissioner has the powers of an ombudsman and can make recommendations with respect to any matter which has been investigated or reviewed. In addition, the Commissioner can report on institutional activities in annual or special reports to Parliament.
8.4 The Department of Justice supports the Minister of Justice in the role of designated minister for specific provisions of the Privacy Act. The Minister is responsible for:
Please direct enquiries about this policy to your institution's ATIP Coordinator. For interpretation of this policy, the ATIP Coordinator is to contact:
Information and Privacy Policy Division
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West, 14th Floor
Ottawa ON K1A 0R5
E-mail: ippd-dpiprp@tbs-sct.gc.ca
Telephone: 613-946-4945
Fax: 613-952-7287
Note: Certain terms contain excerpts (in quotation marks, with the reference cited) from the Privacy Act (the Act).
Pursuant to section 73 of the Privacy Act, the head of a government institution may, by order, designate one or more officers or employees of that institution, who are at the appropriate level, to exercise or perform any of the powers, duties or functions that are to be exercised or performed by the institutional head under the following provisions of the Act and the Privacy Regulations.