Archived [2021-04-01] - Interim Directive on Privacy Practices

1.1 This directive is in effect from March 13, 2020 to March 31, 2021.

1.2 It replaces the Directive on Privacy Practices dated May 6, 2014.

2.1 This directive applies to government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and their wholly owned subsidiaries, if any.

2.2 This directive does not apply to the Bank of Canada.

3.1 The Privacy Act (Act) and the Privacy Regulations (Regulations) provide the legal framework for the creation, collection, retention, use, disclosure, accuracy and disposition of personal information in the administration of programs and activities by government institutions.

3.2 Under the Act, heads of all government institutions are required to identify, describe and publicly report their institutions' personal information banks (PIBs) and classes of personal information in the Treasury Board of Canada Secretariat's (TBS) annual publication entitled Info Source. The descriptions of PIBs and classes of personal information contained in Info Source describe how government institutions inform the public and their employees about the personal information they collect and how that information is handled, used, retained and disposed of. Info Source assists individuals in exercising their rights under the Act. 

3.3 Under the Interim Policy on Privacy Protection, heads of government institutions are to establish practices for the protection and management of personal information under their respective institution's control to ensure that the Act is administered in a consistent and fair manner. This directive supports the policy by setting out the requirements for sound privacy practices and management of personal information.

3.4 The President of the Treasury Board (President), as designated Minister for the purposes of  paragraphs 71(1)(a) and (b) of the Act, holds general responsibility for registering all PIBs and for reviewing the manner in which they are maintained and managed in all government institutions. In addition to this general oversight role, the President is responsible for reviewing and approving new or substantially modified PIBs for the government institutions that are departments, as defined in section 2 of the Financial Administration Act (FAA), or may exercise his or her discretion to delegate this authority, subject to terms and conditions, under subsection 71(6) of the Act.  In exercising this discretion, the President will consider an institution's compliance with the Interim Policy on Privacy Protection, with this and other directives, as well as with any prescribed forms. Even if the President delegates his or her authority, the President remains responsible for the ongoing review of PIBs for all government institutions that are subject to the Act.

3.5 This directive is issued pursuant to paragraph 71(1)(d) of the Act.

3.6 This directive is to be read in conjunction with the Act, the Regulations, other applicable legislation, including the institution's enabling legislation, the Interim Policy on Privacy Protection, the Interim Directive on Privacy Impact Assessment, the Directive on Social Insurance Number, the Directive on Privacy Requests and Correction of Personal Information and the Standard on Privacy and Web Analytics.

4.1 The definitions to be used in the interpretation of this directive are listed in Appendix A. Additional definitions are listed in Appendix A of the Interim Policy on Privacy Protection.

6.1 Heads of government institutions or their delegates are responsible for the following:

6.1.1 Establishing effective privacy practices in their institution, as set out below. These practices are to be followed when officers or employees are involved in activities related to the creation, collection, retention, accuracy, use, disclosure or disposition of personal information under the control of the government institution, including the personal information of officers or employees of the institution.

Privacy breaches

6.1.2 Establishing plans and procedures for addressing privacy breaches in their institution, which include the following:

• Roles and responsibilities in the event of a privacy breach;
• Internal procedures and communications, including timing, for notifying the Office of the Privacy Commissioner of Canada (OPC), TBS and parties affected by the privacy breaches; and
• Notification requirements which must include a process for the mandatory reporting of material privacy breaches to the OPC and to TBS.  These procedures must also align with the Policy on Government Security and its related directives and standards.

Personal information banks and classes of personal information

6.1.3 Ensuring that the development process for new or substantially modified PIBs is aligned with the process for the development and approval of the core privacy impact assessment, as required by the Interim Directive on Privacy Impact Assessment.

6.1.4 Submitting a request to TBS for the registration of each new PIB, or the termination of an existing PIB, and ensuring that requests are accompanied by the following information:

• In the case of a request to register a new PIB, all elements of the PIB as described in subparagraphs 11(1)(a)(i) through (vi) of the Act, accompanied by a completed and approved core privacy impact assessment; In the case of an urgent COVID-19-related initiative, the deputy head or assistant deputy minister level delegate may exercise discretion to defer the submission of the request to register a new or modified PIB. The request to register the new or modified PIB must be submitted to TBS by September 30, 2021.
• In the case of a request to terminate an existing PIB, an explanation of why the PIB should be terminated and a confirmation that the records and personal information contained therein have been disposed of in accordance with the institution's Retention Disposition Authority and are no longer under the institution's control.

6.1.5 Satisfying, for the institutions that are departments as defined in section 2 of the FAA, the additional requirements, as set out in Appendix B, for approvals by the President in relation to PIBs, unless this approval authority has been delegated to the head of the institution by the President, subject to terms and conditions.

6.1.6 Notifying TBS of changes to PIBs and, where these changes are substantial, ensuring that TBS receives a core privacy impact assessment as required by the Interim Directive on Privacy Impact Assessment; except if the deputy head or assistant deputy minister level delegate has exercised discretion to complete a Privacy Compliance Evaluation in place of conducting a full Privacy Impact Assessment for new or substantially modified programs, and to defer the registration of a PIB in relation to urgent COVID-19-related initiatives.

Exempt banks

6.1.7 Ensuring that proposals submitted to TBS to establish or revoke an exempt bank include the following:

• A description of the information to be included in the exempt bank and why that information should be included in an exempt bank;
• Confirmation that the files in the bank consist predominantly of personal information as described in sections 21 or 22 of the Act ;
• The specific exemption provision in the Act being relied on and, for any injury test exemption, a statement of the expected detrimental effect; and
• A draft Order in Council, along with a draft Regulatory Impact Analysis Statement.

Requests and disclosures to investigative bodies

6.1.8 Adhering to the requirements concerning requests from and disclosures to investigative bodies outlined in Appendix C.

Recording new uses and disclosures

6.1.9 Establishing procedures for maintaining a record of new uses and disclosures, as well as any consistent uses that are not reflected in a PIB. Such procedures will ensure that:

• Descriptions of use, purpose of collection and disclosure recorded in all PIBs are kept up-to-date (this does not apply to disclosures to investigative bodies);
• Any new consistent uses are reflected in the relevant PIBs; and
• The Privacy Commissioner of Canada is notified of all new consistent uses.

Web analytics and privacy

6.1.10 Ensuring that the use of Web analytics for measuring and improving performance of Government of Canada websites complies with the Standard on Privacy and Web Analytics.

6.2 Executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information are responsible for:

Privacy practices

6.2.1 Informing the individual who is responsible for the institution's PIBs of any new program or activity or of any substantial modification to an existing program or activity where personal information is collected or handled in a decision-making process that directly affects the individual.

6.2.2 Informing the individuals who are responsible for managing the institution's websites, as well as functional specialists and Web content owners, of the need to comply with the requirements of the Standard on Privacy and Web Analytics.

6.2.3 Ensuring that privacy practices are consistent with and respect the provisions found in the Act, the Regulations and other applicable legislation, including the institution's enabling legislation.

6.2.4 Informing employees of the legal and administrative consequences of any inappropriate or unauthorized access to, or use, disclosure, modification, retention and disposition of, personal information related to a particular program or activity.

Privacy breaches

6.2.5 Implementing the institution's plan for addressing privacy breaches. See Guidelines for Privacy Breaches issued by TBS.

Collection and creation of personal information

6.2.6 Ensuring, before collecting personal information, that the institution has parliamentary authority for the program or activity for which the information is being collected.  Obtaining an individual's consent to a collection of personal information does not replace or establish authority for the collection of that information.

6.2.7 Identifying the elements to be included in a PIB before there is any new collection of personal information.

6.2.8 Limiting the collection of personal information to what is directly related to and demonstrably necessary for the government institution's programs or activities. Personal information that is created by the government institution is also considered a collection under the Act.

Privacy notice

6.2.9 Notifying the individual whose personal information is collected directly of the following:

• The purpose and authority for the collection;
• Any uses or disclosures that are consistent with the original purpose;
• Any legal or administrative consequences for refusing to provide the personal information;
• The rights of access to, correction and protection of personal information under the Act; and
• The right to file a complaint to the Privacy Commissioner of Canada regarding the institution's handling of the individual's personal information.    

6.2.10 Adapting the privacy notice for either written or verbal communication at the time of collection. Notices are to include a reference to the PIB described in Info Source; but in the case of an urgent COVID-19-related initiative for which a PIB has not yet been registered, privacy notices need not refer to a PIB until the PIB has been registered with TBS.

Consent regarding collection, use and disclosure

6.2.11 Consent is not required if the personal information is to be used for the authorized purpose for which it was obtained, for a use consistent with that purpose or for a purpose for which it may be disclosed to the institution under subsection 8(2) of the Act.

6.2.12 Obtaining consent from an individual for the following:

• The indirect collection of personal information, unless seeking consent would result in collecting inaccurate information, would defeat the purpose of collection or would prejudice the use of the information collected;
• Uses or disclosures that are not consistent with the purposes for which the information was originally obtained or compiled; and
• Any disposition of personal information before the two-year minimum retention standard established by the Regulations unless such disposition is expressly authorized by legislation.

6.2.13 Including the following elements, as applicable, when seeking consent:

• The purpose of the consent and the specific personal information involved;
• The sources who will be asked to provide the information, in the case of indirect collections, as well as the reason for making the collection indirectly;
• Uses or disclosures that are not consistent with the original purpose of the collection and for which consent is being sought;
• Any consequences that may result from withholding consent; and
• Any alternatives to providing consent.

6.2.14 Ensuring that consent is obtained in writing or is otherwise adequately documented, including such information as the date and time of consent. A record is required to support verbal consent.

Accuracy

6.2.15 Ensuring, through all reasonable measures, that personal information to be used in a decision-making process, is as accurate, up‑to‑date and complete as possible. Those measures will involve one or more of the following:

• Direct collection or validation from the individual;
• Indirect collection or validation when authorized or when consent was obtained, which may involve verifying the personal information against a reliable source (either public or private); and
• Technological means to identify errors and discrepancies.

6.2.16 Implementing, in cases when direct collection or obtaining consent is not feasible, measures to:

• Ensure that the personal information is obtained from a reliable source; or
• Verify or validate the accuracy of the personal information before use.

6.2.17 Documenting the source or technique used to validate the personal information and identifying, where appropriate, the source, as well as any data matching in the relevant PIB description.

6.2.18 Ensuring that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision is made that could have an impact on them.

Safeguards for use and disclosure

6.2.19 Identifying which positions or functions in the program or activity have a valid reason to access and handle personal information and limiting access to individuals occupying those positions.

6.2.20 Limiting access to, and use of, personal information by administrative, technical and physical means, to protect that information.

6.2.21 Adopting appropriate measures to ensure that access to, as well as use and disclosure of, personal information are monitored and documented in order to address the timely identification of inappropriate or unauthorized access to, or handling of, personal information.

6.2.22 Following the requirements set out below when personal information is disclosed to another institution, to a public or private sector entity, or to an individual:

• The privacy notice reflects, as appropriate, the disclosure;
• An agreement or arrangement with appropriate safeguards has been established between the government institution and the public sector entity, whether that entity is international, federal, provincial or territorial, or municipal, before the information is shared; and
• Contracts that are established with private sector entities or with individuals outline measures and provisions to address the following:
  • Control over the personal information;
  • Limitations on collection, use, subsequent disclosure and retention of personal information for the purposes of the contract;
  • Prohibitions regarding the personal information;
  • Disposition of the personal information, where relevant;
  • Administrative, technical and physical safeguards; and
  • Obligations of other parties acting on behalf of the government institution.
• Government institutions subject to the Policy on Government Security are also to ensure that government security standards are respected and that all guidance issued by lead security agencies as set out in Appendix B of that policy is followed.

6.2.23 Ensuring, when personal information is transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that:

• Authority is established for the transfer;
• Adequate privacy practices are in place prior to transfer;
• The rights of employees to access and correct their personal information will be maintained after the transfer;
• A records transfer agreement, which respects any existing records disposition authority, is in place to establish the terms and conditions for the records being transferred, including security considerations; and
• Consent is obtained from the Librarian and Archivist of Canada before the transfer of records.

Recording of new uses and disclosures

6.2.24 Notifying the head or appropriate delegate of any use, purpose or disclosure of personal information that is not reflected in the PIB description and updating the PIB accordingly.

Retention and disposition of personal information

6.2.25 Applying the institution's standards for the retention of personal information, as well as the disposition standards as established by Library and Archives Canada, and reporting them in the relevant PIB.

6.2.26 Ensuring that personal information of an individual that has been used for an administrative purpose is retained by the institution in accordance with subsections 6(1) of the Act and paragraphs 4(1)(a) and (b) of the Regulations.

6.2.27 Reviewing files described within PIBs, including those of exempt banks, on a regular basis and disposing of records containing personal information in accordance with direction from Library and Archives Canada, as stipulated in sections 12 through 14 of the Library and Archives of Canada Act.

6.2.28 Institutions that are subject to the Policy on Government Security are to dispose of records in accordance with government security standards.

6.3 Monitoring and reporting requirements

6.3.1 The monitoring and reporting requirements of the Interim Policy on Privacy Protection apply to this directive.

7.1 The consequences identified in the Policy on Privacy Protection apply to this directive.

8.1 Further to the roles described in section 8 of the Interim Policy on Privacy Protection and subsection 3.4 of this Directive, the President, with the support of TBS, is responsible for:

• Setting the terms and conditions for the approval of PIBs, as well as the terms and conditions for delegating this approval to heads of departments;
• Revoking any delegation order made under subsection 71(6) of the Act if there is a systemic compliance issue at a government institution.

8.2 The roles and responsibilities of other government organizations are described in section 8 of the Interim Policy on Privacy Protection.

10.1 Please direct enquiries about this directive to your institution's access to information and privacy (ATIP) coordinator. For interpretation of this directive, the ATIP coordinator is to contact:

Information and Privacy Policy Division
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West
Ottawa, Ontario K1A 0R5
E-mail: ippd-dpiprp@tbs-sct.gc.ca
Telephone: 613-946-4945
Fax: 613-957-8020