The expected results of this directive are as follows:
Heads of government institutions or their delegates are responsible for the following:
Ensuring plans for addressing privacy breaches that affect personal information under the control of the institution, including those that occur within or as a result of third-party entities, meet the following requirements:
Ensuring that PIB termination requests include:
Ensuring that proposals submitted to TBS to establish or revoke an exempt bank include:
Establishing procedures for maintaining a record of new uses and disclosures, as well as any consistent uses that are not reflected in a PIB. Such procedures will ensure that:
Executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information are responsible for the following:
Notifying the individual whose personal information is collected directly of:
Obtaining consent from an individual for the following:
Including the following elements, as applicable, when seeking consent:
Implementing, in cases where personal information is collected indirectly without consent having been obtained, measures to:
Ensuring appropriate safeguards for contracts, information sharing agreements and information sharing arrangements subject to 4.2.23 that take effect or are substantively modified after the effective date of this directive include provisions that address the following elements:
Ensuring, when personal information is transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that:
Employees of government institutions are responsible for the following:
TBS is responsible for supporting the President of the Treasury Board in:
Legislation
Related policy instruments
Related guidance instruments
The definitions listed below, in addition to those listed in Appendix A of the Policy on Privacy Protection, are to be used in the interpretation of this directive.
Employees of government institutions must:
Once any containment measures have been taken, immediately notify the head of the institution or their delegate of the potential or confirmed privacy breach. The notification is to include:
Executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information must:
Heads of government institutions or their delegates must:
In the event of a privacy breach, determine the need for a full assessment. A full assessment identifies and documents, at a minimum:
Include, at a minimum and where known, the following information when reporting a material privacy breach to the OPC and to TBS:
When reporting a material privacy breach to the OPC and TBS, use the following means:
Maintain a record of all privacy breaches for a period of five years after the date the institution became aware of the breach. The record must include, at a minimum:
Unless the President of the Treasury Board has delegated this approval to the head of the department, pursuant to subsection 71(6) of the Act, the head or delegate responsible under section 10 of the Act is responsible for the following:
Requirements related to paragraph 8(2)(e) of the Act are as follows:
Requests made under paragraph 8(2)(e) of the Act are to be in writing and are to contain:
When such requests are received, the head of the institution or the delegate responsible for decisions with respect to paragraph 8(2)(e) of the Act is to retain a record of disclosure for the personal information provided to the investigative body. The record of disclosure is to contain:
Heads of government institutions or their delegates are responsible for the following standards:
A privacy notice is provided on the institution’s website that includes the following elements:
Any contract put in place for the purpose of web analytics must contain, in addition to the requirements outlined in section 4.2.24 of the Directive on Privacy Practices, at a minimum, the following provisions:
Those authorized to perform web analytics on institutional servers or on servers hosted by third parties are responsible for the following standards:
Personal information collected for the purpose of web analytics is not used for the following: