We are currently moving our web services and information to Canada.ca.

The Treasury Board of Canada Secretariat website will remain available until this move is complete.

Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows

Archived information

Archived information is provided for reference, research or recordkeeping purposes. It is not subject à to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Appendix B: Existing Foundation Details

1. Transborder data flow goes back in time

In 1987, the House of Commons Standing Committee on Justice and Human Rights and the Solicitor General of Canada reported on a three-year review of Canada's Privacy Act.

The committee recommended a study be conducted on transborder data flows related to the personal information of Canadians. The government commissioned such a study, which was released in 1990. It confirmed that there were significant flows of personal information moving to other countries. Since that time transborder data flows have increased dramatically.

The study was the first official confirmation of a potential problem for Canada and, in the years that followed, the federal government introduced and applied a series of safeguards, which are today being reviewed and updated.

2. How personal information is kept

Some Canadians believe that the federal government has a single file of information about them or that it is all contained in one database. In fact, each federal institution that collects, stores, and uses personal information keeps its own separate files for each of the government programs and services for which the information is needed. There are a number of files depending on what type of contact individuals have had with the government.

Each institution is responsible for the information under its control and must not share that information with outside parties or even each other, unless so authorized under Canada's Privacy Act.

The Secretariat disseminates Info Source publications each year, two of which contain personal information bank (PIB) descriptions that provide a summary of the types of information about individuals that is held by each federal institution. One Info Source publication describes PIBs relating to information about federal employees. The second Info Source publication contains PIB descriptions relating to all other individuals about whom the federal government holds information.

The publications are available for viewing at Info Source Publications.

3. The Privacy Act

The Government of Canada's enactment of Part IV of the Canadian Human Rights Act in 1978, later replaced by the Privacy Act in 1983, illustrated its recognition of the importance of the protection of individual privacy and set the standard for similar privacy laws in the provinces.

Canada's Privacy Act imposes obligations on federal government institutions (all federal departments, most federal agencies, and some Crown corporations) to respect the privacy rights of Canadians by placing limits on the collection, use, disclosure, retention, and disposal of personal information.

Under the Privacy Act, Canadians have the right to access information that is being kept about them and to request corrections if they feel their personal information is out of date or inaccurate.

The Privacy Act is based upon internationally accepted principles for protecting personal information that state that every individual should have the right to know the following:

  • what personal information is being collected about him or her;
  • when and how the personal information will be disposed of;
  • how the personal information will be used;
  • under what circumstances the personal information can be disclosed; and
  • how to obtain access to correct personal information on file.

4. Other statutes

The Privacy Act is not the only statute protecting personal information under the control of the Government of Canada. Section 8 of the Canadian Charter of Rights and Freedoms can afford further protection with respect to the handling of personal information.

Many other laws that govern how the federal government handles personal information also contain privacy measures, many of which provide additional protection.

For example, certain categories of personal information receive additional protection under such statutes as the Income Tax Act, the Statistics Act, the Employment Insurance Act, the Old Age Security Act, and the Canada Pension Plan.

5. Privacy Impact Assessment Policy

In 2002, the Government of Canada became the first national government in the world to make privacy a mandatory consideration in the changing or creating of government programs and services that collect personal information.

The Privacy Impact Assessment Policy requires that federal institutions conduct a thorough analysis that identifies any actual or potential effects on privacy. The policy further requires that a plan be put into place explaining how any potential privacy risks will be reduced or eliminated.

A series of guidelines accompany the policy designed to help government institutions make their assessments for identifying and addressing privacy issues before they become actual problems.

In some cases, funding for a government program can be denied until a proper assessment is conducted and all institutions must make the results of their assessments public.

6. Secretariat policies and guidance

The Secretariat, in its capacity of providing recommendations and advice to the Treasury Board, oversees a range of policies, directives, guidelines, and regulations.

In addition to the Privacy Impact Assessment Policy, the Secretariat is responsible for the following:

  • Policy on Privacy and Data Protection
  • Contracting Policy
  • Risk Management Policy
  • Integrated Risk Management Framework;and
  • Government Security Policy.

7. Security measures

The existing federal foundation addresses not only privacy but also the security of data. Without a secure infrastructure in which to keep information, privacy is at risk. Both are therefore important and complement each other.

Canada's Government Security Policy and security provisions for government contracting work are designed to keep personal information secure.

All federal government institutions must adhere to the Government Security Policy when sharing Government of Canada information. This policy contains procedures for safeguarding and storing information, and the policy and related security standards must be followed when contracting out.

8. Public Works and Government Services Canada

Public Works and Government Services Canada (PWGSC) plays a major role in the security of government-held information.

PWGSC carries out physical on-site inspections of private company premises used to store information under government control. Such premises must receive a security clearance, and all employees with access to the information must be cleared to the level of reliability status.

If information leaves Canada, PWGSC ensures that the company (and its employees) in the other country meets the Government of Canada's security requirements.

PWGSC is responsible for the following contracting and security-related documents:

  • Standard Acquisition Clauses and Conditions Manual; and
  • Industrial Security Manual

9. The private sector and the Personal Information Protection and Electronic Documents Act

So far, this document has focussed on safeguards that apply only to information under the control of the federal government.

Millions of transactions also take place in the private sector daily.

Personal Information Protection and Electronic Documents Act

The federal law that protects personal information held by the private sector is called the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA applies to all private organizations, including companies, associations, labour groups, and non-profit groups.

PIPEDA came into force in three stages. The first, in 2001, applied to federal undertakings or businesses, such as banks, airlines, and railways. In 2002, the Act was extended to cover personal health information. The final stage, in 2004, extended rules for the collection, use, and disclosure of personal information to any organization engaged in commercial activity.

Some of the major rules under PIPEDA include the following:

  • PIPEDA requires that organizations inform individuals about the purpose for which they are collecting, using, or disclosing their personal information, such as name, age, medical records, marital status, and income. Under PIPEDA, organizations are also obligated, upon request, to inform individuals of the information the organization holds about them and to comply with any request that inaccuracies be corrected.
  • Businesses must obtain the individual's consent when they collect, use, or disclose personal information, except in some circumstances, such as information needed for an investigation or an emergency where lives or safety are at risk.
  • In situations where an organization is outsourcing the processing of personal information to a third party, the organization is required to ensure, through contractual means, that the information is protected according to the requirements of PIPEDA. This obligation exists regardless of the geographical location of the third party, be it in Canada or abroad.
  • Organizations are required to establish security safeguards to ensure that the personal information that is in their custody is protected from unauthorized access, use, or disclosures, as well as copying or modifications.
  • Under PIPEDA, individuals may complain to the Privacy Commissioner of Canada about how organizations handle their personal information.

Alberta, B.C., and Quebec have privacy laws that are substantially similar to PIPEDA. Organizations subject to these laws have been exempted from PIPEDA for transactions that occur within those provinces. PIPEDA continues to apply to the cross-border movement of information that takes place in the course of commercial activity. PIPEDA also continues to apply to federally regulated organizations, such as telecommunications companies, radio-broadcasters, banks, and airlines.

10. Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is an officer of Parliament who reports directly to the House of Commons and the Senate.

The Commissioner is an advocate for the privacy rights of Canadians with powers that include the following:

  • investigating complaints and conducting audits and compliance reviews under two federal laws the Privacy Act and the PIPEDA;
  • publishing information about personal information-handling practices in the public and private sector;
  • conducting research into privacy issues; and
  • under PIPEDA, promoting awareness and understanding of privacy issues by the Canadian public.

The Privacy Commissioner of Canada works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector.

11. Federal government on-line experience

In addition to the existing framework of privacy safeguards mentioned previously, the Government of Canada also has a great deal of experience in protecting on-line information. In fact, Canada has been recognized as a world leader in making government programs and services available over the Internet.

Government On-Line

Canada's Government On-Line (GOL) Initiative started in 1999, and today 34 federal government departments and agencies provide citizens and businesses with access to a wide range of quality, seamless electronic government services.

The Government of Canada understands that seeking and maintaining the trust of Canadians is paramount to the successful delivery of on-line services. Levels of confidence in terms of security and privacy have a significant effect on Canadians' adoption and use of government services provided through the Internet channel.

In a December 2004 public opinion study on government service and satisfaction, 75 per cent of respondents said the security and confidentiality of personal information was the most important aspect of conducting business on-line.

Other survey results show that GOL has earned the trust of Canadians. The following data are taken from a study conducted by EKOS Research Associates Inc. in 2003 entitled Rethinking the Information Highway.

  • 53 per cent of Canadians expect they will do most of their transactions with the Government of Canada over the Internet or using e-mail in the next five years;
  • 70 per cent of Internet users have used a Government of Canada Web site in the past 12 months;
  • 1.2 million Canadians visit the Canada Site every month;
  • 34 per cent of Canadians say their most recent contact with the Government of Canada was over the Internet; and
  • users of Government of Canada services on the Internet report an 80-per-cent satisfaction rating of these services.

Secure Channel and epass

Secure Channel is a portfolio of infrastructure services that forms the foundation of GOL. Its primary goals are to provide citizens and businesses with secure, private on-line access to all federal government services.

Secure Channel allows

  • cross-departmental and cross-jurisdictional service delivery;
  • protection of government information technology services from Internet-based security attacks; and
  • a suite of value-added services to support delivery of on-line services.

Within the Secure Channel is epass, a system that confirms Internet users are who they say they are and assures users that they are dealing with the government organization with which they want to deal.

To get an epass, clients validate their identity using shared secrets (information that only they and the department or agency in question know); then they choose a user identification and password.

Using an epass, clients can send personal information through the Internet, knowing that only the intended recipients will receive it. They can even electronically sign documents, making it unnecessary to go to an office to complete a transaction. An epass also makes it easier for clients to navigate between various on-line services because they do not have to register more than once with each program or remember multiple passwords if they choose to use the same epass for all programs.

The Government of Canada has issued over 900,000 epasses to Canadians.

Privacy notices

Canadians are kept informed about the privacy policies of each government institution through privacy notices, which are mandatory on every government Web site.

In addition to general notices, a privacy notice statement appears before every request for personal information. This statement notifies the Web site user why the information is needed, how it will be collected, stored, and disclosed, and then asks for the user's consent before the transaction is completed.

The statements appear as a first step in filling out any application form on a Government of Canada Web site providing information necessary to make an informed decision about whether to apply for a government program or service over the Internet, choose another communication channel, such as the telephone, or to opt out entirely if the program or service is voluntary.

1 "USA PATRIOT" stands for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism."

2 "USA PATRIOT" stands for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism."

Date modified: