Standard on Privacy and Web Analytics
Frequently asked questions:
1. Effective date
1.1 This standard takes effect on January 31, 2013.
1.2 Government institutions using Web analytics externally on servers hosted by third parties must comply with the requirements of Appendix A of this standard as of January 31, 2013, with the exception of those requirements in section 3 of Appendix A, which must be complied with no later than June 30, 2014.
2.1 This standard applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.
2.2 This standard does not apply to the Bank of Canada.
2.3 This standard applies to the collection, use, disclosure, retention and disposal of personal information for the purpose of carrying out Web analytics on external public-facing Government of Canada websites in a manner consistent with the provisions in Appendix A of this standard.
2.4 This standard applies regardless of which tracking technologies or services are being used for purposes of Web analytics.
3.1 Web analytics can be described as the collection, analysis, measurement and reporting of data about Web traffic and user visits for purposes of understanding and optimizing Web usage.
3.2 Many government institutions are using Web analytics to obtain information about visitors to their websites for two main purposes: (i) to better meet the needs of website visitors; and (ii) to assist in delivering effective online services.
3.3 Web analytics tools operate through the collection of information to record a visitor's online interactions with one or more Web pages. That information includes, as an example, the Internet Protocol address assigned by an Internet service provider to the visitor's computer.
3.4 The Privacy Act defines the term "personal information" as meaning "information about an identifiable individual recorded in any form." If information collected for Web analytics can be used to distinguish or trace an individual's identity, either alone or when combined with other identifying information that is linked or linkable to a specific individual, then that information will be personal information that must be safeguarded in accordance with the requirements of the Privacy Act.
3.5 The Internet Protocol address may, in some circumstances, be linked with an identifiable individual whose computer is using that address at any given time. For this reason, the Government of Canada considers the Internet Protocol address to be personal information that must, in all cases, be dealt with in accordance with the requirements of the Privacy Act.
3.6 Specific requirements for safeguarding the Internet Protocol address, and any other personal information collected by government institutions in relation to Web analytics, are set out in Appendix A of this standard.
3.7 If government institutions wish to use Web analytics tools on institutional servers or on servers hosted by third parties, they must do so in accordance with the requirements of this standard and any other applicable policy instruments and legislation.
3.8 Government institutions must include a Privacy Notice on their websites that meets the requirements described in Appendix B of this standard. Such Privacy Notices must also meet the requirements in sections 6.2.9 and 6.2.10 of the Directive on Privacy Practices and also the relevant Terms and Conditions for Privacy Notices in Appendix C of the Standard on Web Usability, applicable to departments listed in Schedules I, I.1 and II of the Financial Administration Act.
3.10 This standard is to be read in conjunction with the Privacy Act, the Privacy Regulations, the Policy on Privacy Protection, the Directive on Privacy Practices, the Directive on Privacy Impact Assessment, the Library and Archives of Canada Act and the Standard on Web Usability.
5. Standard statement
5.1.1 To facilitate the use of Web analytics in accordance with sound privacy practices that safeguard the privacy of visitors to Government of Canada websites.
5.2 Expected results
5.2.1 Government institutions respect privacy principles when using Web analytics.
6.1 Heads of government institutions or their delegates are responsible for the following:
6.1.1 Ensuring, as required by section 6.1.10 of the Directive on Privacy Practices, that the use of Web analytics for measuring and improving performance of institutional websites is done in accordance with the requirements to protect privacy as set out in Appendix A of this standard, and of ensuring that appropriate remedial action is taken to address any deficiencies within their institutions.
6.2 Executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information are responsible for:
6.2.1 Informing, as required by section 6.2.2 of the Directive on Privacy Practices, the individuals who are responsible for managing the institution's websites, as well as those functional specialists and content owners, of the need to ensure that the requirements of this standard are being met.
6.3 Web managers, functional specialists, Web content owners and equivalents are responsible for:
6.3.1 Ensuring that Web analytics operate in accordance with the requirements of the standard.
6.4 The Treasury Board of Canada Secretariat, Chief Information Officer Branch, is responsible for:
6.4.1 Developing, in consultation with other departments, guidelines, tools, interpretive advice and guidance on this standard.
6.4.2 Communicating and engaging the government-wide access to information and privacy community as well as the Web community on the challenges associated with implementing this standard and its supporting instruments.
6.4.3 Approving depersonalization technologies, other than that of truncating the last octet of the Internet Protocol address, that a third-party service provider may wish to use for purposes of Web analytics on servers hosted externally by the third party.
6.5 Monitoring and reporting requirements
6.5.1 The monitoring and reporting requirements of the Policy on Privacy Protection apply to this standard.
7.1 The consequences identified in the Policy on Privacy Protection apply to this standard.
8. Roles and responsibilities of government organizations
8.1 The roles and responsibilities of other government organizations are described in section 8 of the Policy on Privacy Protection.
8.2 The roles and responsibilities of Library and Archives Canada are described in section 9.2 of the Directive on Information Management Roles and Responsibilities.
9.1 Relevant legislation and regulations
9.2 Related policy instruments and publications
- Communications Policy of the Government of Canada
- Directive on Management of Information Technology
- Directive on Privacy Impact Assessment
- Directive on Privacy Practices
- Directive on Recordkeeping
- Policy on Government Security
- Policy on Management of Information Technology
- Policy on Privacy Protection
- Standard on Web Usability
- Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
10.1 Please direct enquiries about this standard to your institution's access to information and privacy (ATIP) coordinator. Should your institution require additional assistance in the interpretation of this standard, the ATIP coordinator is to contact TBS Public Enquiries.
Appendix A: Requirements Related to the Collection, Use, Disclosure, Retention and Disposal of Personal Information for Web Analytics
1. Collection, use and retention of personal information by government institutions for Web analytics
If your institution is or will be collecting the Internet Protocol (IP) address, or any other information considered to be personal information under the Privacy Act, for the purpose of carrying out Web analytics, your institution must meet the following requirements:
1.1 Personal information must be used only for: i) the purpose of Web analytics; ii) a use consistent with that purpose such as for statistical purposes; or iii) a purpose for which the information may be disclosed by the institution under subsection 8(2) of the Privacy Act.
1.2 Personal information collected for the purpose of Web analytics may not be used for an administrative purpose, as defined in the Privacy Act, except where required to do so by law.
1.3 Institutions are prohibited from using information collected in relation to Web analytics for profiling of identifiable individuals.
1.4 The IP address, and any other personal information including, but not limited to, information in digital markers used in relation to Web analytics must be safeguarded by institutions in accordance with principles as set out in the Directive on Recordkeeping and may be retained for a maximum period of only 18 months, after which time the information must be disposed of in accordance with section 6.2.23 of the Directive on Privacy Practices and as authorized by the Librarian and Archivist of Canada.
2. De-Identification of Information Prior to Storage
2.1 Institutions disclosing or transmitting information considered to be personal information, or causing such information to be disclosed, including the full IP address, to a third-party service provider (third party) that is not an organization of the Government of Canada, must do so only after the anonymization feature of the third-party tool has been activated whereby the third party depersonalizes the IP address.
3. Disclosure or transmittal of personal information for purposes of Web analytics to a third-party service provider
If your institution is disclosing or transmitting personal information, or causing personal information to be disclosed, including the IP address, to a third party that is not an organization of the Government of Canada, then the following requirements must be met regardless of which technology or application might be used to disclose or transmit the information:
3.1 Your institution must ensure that a contract is in place with the third party that conveys the appropriate privacy protection as required pursuant to section 6.2.20 of the Directive on Privacy Practices and sections 6.2.10 and 6.2.11 of the Policy on Privacy Protection.
3.2 That contract must, at a minimum, contain provisions meeting the requirements as set out below.
- A definition of "personal information" as meaning information collected or generated in the performance of the contract about an individual, including the types of information specifically described in the Privacy Act and also including information that may be linked or is linkable to an individual such as the website visitor's IP address.
- A requirement that the third party appoint an officer within the organization to act as representative for all matters related to personal information and that the name and contact information for this third-party contact be provided to the government institution within 10 days of the awarding of the contract.
- A requirement that the third party provide all of its employees, contractors and subcontractors with information on their privacy obligations when dealing with personal information disclosed or transmitted in relation to the work being performed under the contract or subcontract (the "work").
- A requirement that the third party depersonalize the IP address prior to its storage in order that the full IP address cannot be reconstituted. This must be done through irrevocable truncation of the last octet of the IP address or through some other methodology that offers comparable privacy protection and has been approved by the Chief Information Officer Branch of the Treasury Board of Canada Secretariat.
- A requirement that the third party not link, or attempt to link, the IP address or some unique identifier associated with a digital marker with the identity of the individual computer user.
- A requirement that the depersonalized IP address, along with other data disclosed to the third party for Web analytics, be used only in accordance with the work, and that no subsequent uses or reuses of such data for any other purpose be allowed without the institution's express prior written authorization.
- A requirement that the third party not disclose or transfer the depersonalized IP address or any other data disclosed to it except in accordance with the work, with the express prior written authorization of the institution, or if required to do so by law.
- A requirement that the third party use only first-party cookies.
- A requirement that the third party be prohibited from using techniques such as, but not limited to, interlinking, cross-referencing, data mining or data matching from multiple sources on the personal information collected in relation to the work, unless expressly pre-authorized to do so, in writing, by the government institution.
- A requirement that the third party have security in place for the personal and depersonalized information that is at least commensurate with the Policy on Government Security.
- A requirement that the third party safeguard the depersonalized IP address and other information disclosed in relation to the work, and that this information be retained for a maximum period of 6 months, after which time that information, including any backup copies, must be destroyed.
- An audit provision whereby the third party may be audited at least once annually, at a date to be determined by the Government of Canada, to ensure compliance with these requirements.
Appendix B: Requirements for Privacy Notices
The Privacy Notice must be clear and must provide enough detail to allow website visitors to understand the following: what personal information will be collected for Web analytics; how that information will be used by the government institution; how that information will be shared/transmitted should the institution be using a third-party service provider that is not an organization of the Government of Canada; and how long the information is being retained and the method of disposal as authorized by the Librarian and Archivist of Canada. Reference must also be made to the measures being taken to protect the privacy of individuals.
Specific requirements are set out below.
- A statement setting out the legislative authority for the collection of this information.
- An explanation of what Web analytics is and the purposes for use of Web analytics tools by the institution.
- A statement as to what specific personal information, including the IP address, is being automatically collected from visitors by the government institution.
- A statement advising visitors as to whether the Internet Protocol (IP) address and other data in digital markers is being collected and used internally by the institution for the purpose of Web analytics or is being disclosed or transmitted externally to a third party for that purpose.
- In cases where the IP address and other data in digital markers is disclosed or transmitted to a third party, an explanation of how the privacy of visitors to Government of Canada websites is being safeguarded through, at a minimum, the activation of the third-party anonymization feature whereby the third party depersonalizes the IP address.
- If data disclosed or transmitted for Web analytics is going outside of Canada, for example to the United States, a statement to that effect along with reference to any governing legislation that the information might be subject to, for example the USA Patriot Act.
- A statement as to the maximum retention period for any personal information collected in relation to Web analytics.
Appendix C: Definitions
- digital markers
Mechanisms used to remember a visitor's online interactions with a website(s). These mechanisms may be used to record a visitor's online interactions within a single session or visit, or to record a visitor's online interactions through multiple sessions or visits.
- first-party cookies
A cookie is a data file sent by a Web server to the Web browser on a visitor's computer that the Web server uses to track or record visitor information. First-party cookies are those cookies set by the website the visitor is visiting.
- Internet Protocol address
A numerical label assigned by the Internet service provider to each computer and is how the computer user communicates on the Internet. An Internet Protocol (IP) address may be associated with an identifiable individual whose computer is using that address at any given time and thus may, from time to time, constitute personal information within the meaning of section 3 of the Privacy Act. Versions of IP may change from time to time.
- Internet service provider
An organization that provides access to the Internet.
- third-party cookie
Third-party cookies are those set by a different domain than the website that the visitor is currently visiting.
- Web analytics
The collection, analysis, measurement and reporting of data about Web traffic and user visits for purposes of understanding and optimizing Web usage.