Archived - Privacy and Data Protection Guidelines - Roles and Responsibilities

Parliament is responsible for reviewing the administration of the Act on a permanent basis (section 75). This responsibility is fulfilled by the Standing Committee on Justice and Solicitor General.

The Privacy Commissioner is an agent of Parliament who investigates complaints in respect of the handling of personal information by federal government institutions. The Commissioner may also initiate complaints, investigate personal information banks which have been designated as exempt under section 18, and examine compliance with sections 4 to 8 of the Act. The Commissioner has the power to make recommendations concerning any matter which has been investigated, but cannot order the head of an institution to implement any recommendation. (A more detailed discussion of the role, responsibilities and powers of the Privacy Commissioner is contained in Chapter 2-10).

The Federal Court - Trial Division is the second level of review for denials of access to personal information under the Act. The Privacy Commissioner may also apply to the Court for a review of any file contained in a personal information bank designated as exempt under section 18. These are the only matters which may be reviewed by the Court. The Court may order the head of an institution to disclose personal information or to remove a file from an exempt bank.

The Department of Justice maintains a broad overview of the application of the Act in relation to the intentions of the government and the expectations of the public. It also provides legal interpretation and advice respecting the provisions and operation of the Act.

The President of the Treasury Board is the Designated Minister under the Act responsible for issuing policies governing the operation of the Act and Regulations; causing the publications required by the Act to be produced; prescribing forms; and prescribing the content of annual reports to Parliament by subject institutions. The Treasury Board Secretariat supports the President in these responsibilities.

The Head of a government institution is the minister for departments or the head as designated by Order in Council for other institutions. The head of each institution is responsible for ensuring that the institution complies with the Act, Regulations and policy in its day-to-day activities and for decisions made under the Act.

Delegation: Section 73 of the Privacy Act allows the head of an institution to delegate any of his or her powers, duties or functions under the Act. In order to properly delegate responsibilities under the Act, the institution must have a current Delegation Order, signed by the head of the institution, which stipulates which responsibilities are delegated and the particular officials to whom they are delegated. The powers, duties and functions which may be delegated are listed in Chapter 3-1.

The Privacy Co-ordinator generally acts on behalf of the head and deputy head of the institution to ensure compliance with the Act, Regulations and policy. Each institution is required to designate an official as the Privacy Co-ordinator. This official should be no more than two levels removed from the deputy head at most, and may be the same official as the one designated as the Access to Information Co-ordinator.

The duties of the Privacy Co-ordinator normally include:

• developing, implementing and monitoring institutional policies, procedures and practices for administering the Act. This includes processing and tracking requests, ensuring adherence to legislative requirements and reporting to Parliament and the Designated Minister;
• establishing procedures to facilitate accurate and timely response to requests;
• training and development of all institutional employees in the Act and its requirements, especially the requirements concerning the collection, use, disclosure, handling, retention and disposal of personal information;
• consulting with program managers, senior managers, legal counsel, the Treasury Board Secretariat, the Department of Justice and the Privy Council Office, as necessary, for the proper application of all provisions of the legislation and policy;
• producing the institution's input to the publications required by the legislation;
• making decisions concerning particular requests where there is delegated authority to do so;
• explaining institutional decisions under the Act during investigations by the Privacy Commissioner, and decisions on refusal of access before the Federal Court;
• preparing annual reports to Parliament in accordance with section 72 and paragraph 71(1)(e) of the Act; and
• aiding in the review of recommendations on issues related to the legislation.

Section 11 of the Act requires that the Designated Minister produce an index of personal information which will serve to keep the public informed of how the government handles personal information and will facilitate the public's ability to exercise the right of access to their information. It is the responsibility of each institution to ensure that their entries in Info Source are comprehensive, accurate descriptions of their information holdings.

In addition to fulfilling the requirements of section 11 of the Act, Info Source contains additional information on the Privacy Act, the Access to Information Act and sources of federal government information in general. Info Source is available as a computer database as well as in print form, and is distributed to libraries, constituency offices and federal government offices across Canada. The Info Source publications, "Sources of Federal Government Information" and "Sources of Federal Employee Information", have replaced both the Index to Personal Information and the Access Register.

Sections 4 to 8 of the Privacy Act deal with the collection, accuracy, use, disclosure, retention and disposal of personal information. These sections are based on the internationally accepted standards for the handling of personal information which are contained in the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" adopted by the Organization for Economic Co-operation and Development (OECD) and accepted by Canada in 1984. Taken together, these sections of the Act constitute a "Code of Fair Information Practices", based on the principle that every individual should have the right to know what information is being collected about him or her; how the information will be used, or to whom it will be disclosed; when and how the information will be disposed of; and how to get access to, and/or correct, personal information already on file.