Archived - Privacy and Data Protection Guidelines - Collection of Personal Information
We will be updating our design to align with Canada.ca. The policies, directives, standards and guidelines will remain available during and after this update is complete.
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Information not to be collected unless relevant to programs
The legislation states that government institutions shall not collect personal information unless it relates directly to an operating program or activity. The policy requires that institutions have administrative controls in place to ensure that they do not collect any more personal information than is necessary for the related programs or activities. This means that institutions must have parliamentary authority for the relevant program or activity, and a demonstrable need for each piece of personal information collected in order to carry out the program or activity. Parliamentary authority is usually contained in an Act of Parliament or subsequent regulations, or approval of expenditures proposed in the Estimates and authorized by an Appropriations Act.
Direct collection where information to be used for an administrative purpose
The Act requires that, with very limited exceptions, institutions collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates wherever possible. This requirement promotes individuals' control over their personal information as well as the collection of accurate, up-to-date and complete information. The phrase "wherever possible" is expected to allow for collection of personal information from another source where the individual is deceased or incapacitated, or cannot be located despite a reasonable effort. This phrase does not permit the collection of personal information from another source simply because it would be easier or less costly than direct collection. In circumstances where the personal information is not intended to be used for an administrative purpose, such as the collection of statistical information, institutions should still endeavour to collect the information directly from the individual to whom it relates, whenever possible.
Exceptions: Subsection 5(1) of the Act sets out two exceptions to the requirement for direct collection. Collection from another source is allowed where the subject individual has so authorized. When seeking such authorization, institutions should inform the individual of what information will be collected, how the information will be used and what source will be asked to provide the information. Individuals should also be informed of any consequences which may result from their refusal to authorize the indirect collection. The institution should obtain the individual's written authorization for indirect collection.
The second exception to direct collection contained in subsection 5(1) pertains to information previously collected from the individual by another institution which is permitted to disclose the information by virtue of subsection 8(2) of the Act. This exception is designed to avoid placing an unnecessary response burden on individuals when different institutions require the same information. Additional guidance on the application of this exception may be found in the section of these guidelines which deals with permissible disclosures under subsection 8(2).
Subsection 5(3) of the Act contains a third exception to the requirement for direct collection. This further exception permits collection of personal information from another source where direct collection might:
- result in the collection of inaccurate information; or
- defeat the purpose or prejudice the use for which the information is collected.
This exception should be used sparingly. It is primarily intended for use by investigative bodies in those circumstances where direct collection would jeopardize the investigation.
Informing individual of purpose of collection
Subsection 5(2) of the Privacy Act requires that a government institution inform any individual from whom the institution collects information about the individual of the purpose for which the information is being collected. An exception is contained in subsection 5(3) for circumstances where informing the individual would result in the collection of inaccurate or misleading information. This provision recognizes the individual's right to know and understand the purpose for which their information is being collected, and how it will be used. In circumstances where the individual is not required to supply the information, such knowledge and understanding permit the individual to make an informed decision as to whether or not to respond.
- of the purpose of the collection;
- whether response is voluntary or required by law;
- of any possible consequences of refusing to respond;
- that the individual to whom the information pertains has rights of access to and protection of the personal information under the Privacy Act; and
- of the registration number of the personal information bank in which the information will be retained,
An exception is where so informing the respondent might result in the collection of inaccurate information, or defeat the purpose or prejudice the use for which the information is collected. Once again, this exception is primarily intended for use by investigative bodies in those circumstances where informing the respondent would jeopardize the investigation. This exception may also apply when a survey is being conducted and informing the respondents of its purpose would jeopardize the validity of the survey results. The application of this exception under these circumstances may be approved during the collection approval process.
The Policy on Privacy and Data Protection encompasses the previous policy on the use of the Social Insurance Number, and therefore pays particular attention to the collection, use and disclosure of the SIN for administrative purposes. Under the policy, when collecting the Social Insurance Number (SIN), government institutions must inform the individual of the purpose for which the number is being collected; the authority under which the number is required; and whether any right, benefit or privilege can be withheld or penalty imposed if the number is not disclosed.
Security of collected personal information
Institutions should refer to section B.4.1 of the Security volume for guidance on the security standards for collected personal information.
Accuracy of personal information used for an administrative purpose
Subsection 6(2) of the Privacy Act requires government institutions to take all reasonable steps to ensure that personal information that they use for an administrative purpose is as accurate, up-to-date and complete as possible. This requirement is intended to minimize the possibility that a decision affecting an individual will be made on the basis of inaccurate, obsolete or incomplete information.