|
|
|
| ATIP | Security | Info Source |
| No.: | 84 |
| DATE: | May 21, 2002 |
| TO: | Access to Information and Privacy (ATIP) Coordinators |
| SUBJECT: | Info Source Publications Requirements 2002-2003 |
Please read this Implementation Report with careful attention, as it contains new requirements for all institutions.
TBS is currently reviewing all Info Source publications and has established an Info Source Interdepartmental Committee. The Committee's main goal is to identify the problems that exist with the current Info Source publications and to seek solutions to the benefit of all institutions. To assist TBS in achieving this goal, we need your assistance. The Info Source review will be conducted in stages, and one of the new reporting requirements relates to the review. In addition, a survey on Info Source will soon be sent to all institutions asking users to identify problems and to seek suggestions from ATIP offices for improvements to the content and ease of use of the existing publications, eliminate duplication and, in the long term, reduce the burden on institutions.
There are two new requirements for this reporting period:
1. Under section 71(3) of the Privacy Act, it is a requirement that the designated Minister shall cause to be kept under review …existing (PIBs) and proposals for the creation of new banks…". As such, all ATIP offices are required this year to review with particular attention their institution's Chapter in one publication only: "Info Source – Sources of Federal Employee Information". The purpose of this exercise is for institutions to identify and correct any discrepancies in the French and English versions, to ensure that all Standard Banks in which personal information is held by the institution are properly identified and to eliminate any Particular Banks (Personal Information Banks about employees) that are duplicates of any of the 23 Standard Banks already listed on pages 31-37 of the 2001-2002 edition.
2. The decision on whether or not to conduct a Privacy Impact Assessment (PIA) under the PIA Policy rests with the Deputy Head of each institution. Most Privacy Coordinators have effective responsibility for sections 4 through 8 of the Privacy Act. If your institution is creating any new Personal Information Banks (PIBs) or submitting any changes to existing PIBs, you must consider whether or not a PIA was required to be conducted by officials of your institution prior to submitting the new or revised PIB information to TBS. Although a PIA may not be required in all cases, consideration of the requirements of the PIA Policy is essential.
Input to the 2002-2003 edition of Info Source: Sources of Federal Government Information and Sources of Federal Employee Information is due on August 30, 2002.
If there is no change to your material, please notify us in writing prior to August 1, 2002.
Enclosed is a diskette containing your institution's information, in Word or WordPerfect format, that appears in the 2001-2002 edition of Info Source. Please return the diskette once the updates are made to ensure that there is no loss of data and codes.
The President of the Treasury Board is the designated Minister for purposes of the Access to Information Act and the Privacy Act. In accordance with sections 5 and 70 of the Access to Information Act and sections 11 and 71 of the Privacy Act, the designated Minister is responsible for producing an annual publication, entitled Info Source, to facilitate requests made under these Acts. Excerpts from the legislation are included as Appendix A.
CONTENT
Submissions that do not comply with the instructions provided in this Implementation Report will not be accepted.
Institutions are responsible for ensuring that their entries are up-to-date and for editing them.
Addresses and telephone numbers located in the introduction and under the "Additional Information" section of your department's chapter should be verified. Additions of web site and electronic mail addresses are appropriate.
Material must be submitted in both official languages and must be consistent in both versions. Institutions must provide entries for all of their information holdings, including those in electronic format.
New Personal Information Banks (PIBs) must be registered in both
languages using the attached form, "Personal Information Bank
Registration" (Appendix D). The form is also available
electronically on the Internet at
http://www.tbs-sct.gc.ca/gos-sog/atip-aiprp/forms/PIB-FRP/TBS350-84_e.htm
or directly from Johanne Mongrain or Colette Dubois (see
below).
Note that existing PIBs which have been revised or substantially modified since the last registration must be re-registered. Modifications to any of the fields within the PIB are considered to be substantial if, for example:
- new sources of personal information are to be included in the "description"
- additional categories of people are to be incorporated under "classes of individuals"
- statements outlining new uses, especially administrative uses, are to be added under "purpose"
- new "consistent uses" requiring notification of the Privacy Commissioner are to be described, or
- changes have been made to the "retention and disposal standards".
PROCESS
If you need assistance or further information on this matter, please contact:
Colette
Dubois at (613) 957-2455 or Johanne
Mongrain at
(613) 954-3720, both of whom are employees of the
Information and Security Policy Division
Government Operations Sector
Treasury Board of Canada Secretariat
L'Esplanade Laurier, East Tower
140 O'Connor St., 8th Floor
Ottawa, Ontario K1A 0R5
Fax: (613) 952-7287
Anne Brennan
Director
Information and Security Policy Division
Government Operations Sector
Attachments
Excerpts from the Access to Information Act and the Privacy Act
ACCESS TO INFORMATION ACT
SECTION 5
Publication on government institutions
5.(1) The designated Minister shall cause to be published, on a periodic basis not less frequently than once each year, a publication containing:
(a) a description of the organization and responsibilities of each government institution, including details on the programs and functions of each division or branch of each government institution;
(b) a description of all classes of records under the control of each government institution in sufficient detail to facilitate the exercise of the right of access under this Act;
(c) a description of all manuals used by employees of each government institution in administering or carrying out any of the programs or activities of the government institution; and
(d) the title and address of the appropriate officer for each government institution to whom requests for access to records under this Act should be sent.
Publication and bulletin to be made available
5.(4) The designated Minister shall cause the publication referred to in subsection (1) and the bulletin referred to in subsection (2) to be made available throughout Canada in conformity with the principle that every person is entitled to reasonable access thereto.
SECTION 70
Duties and functions of designated Minister
70.(1) Subject to subsection (2), the designated Minister shall
(a) cause to be kept under review the manner in which records under the control of government institutions are maintained and managed to ensure compliance with the provisions of this Act and the regulations relating to access to records;
(b) prescribe such forms as may be required for the operation of this Act and the regulations;
(c) cause to be prepared and distributed to government institutions directives and guidelines concerning the operation of this Act and the regulations; and
(d) prescribe the form of, and what information is to be included in, reports made to Parliament under section 72.
PRIVACY ACT
SECTION 11
Index of personal information
11.(1) The designated Minister shall cause to be published on a periodic basis not less frequently than once each year, an index of
(a) all personal information banks setting forth, in respect of each bank,
(i) the identification and a description of the bank, the registration number assigned to it by the designated Minister pursuant to para. 71(1)(b) and a description of the class of individuals to whom personal information contained in the bank relates,
(ii) the name of the government institution that has control of the bank,
(iii) the title and address of the appropriate officer to whom requests relating to personal information contained in the bank should be sent,
(iv) a statement of the purposes for which personal information in the bank was obtained or compiled and a statement of the uses consistent with those purposes for which the information is used or disclosed,
(v) a statement of the retention and disposal standards applied to personal information in the bank, and
(vi) an indication, where applicable, that the bank was designated as an exempt bank by an order under section 18 and the provision of section 21 or 22 on the basis of which the order was made; and
(b) all classes of personal information under the control of a government institution that are not contained in personal information banks, setting forth in respect of each class
(i) a description of the class in sufficient detail to facilitate the right of access under this Act, and
(ii) the title and address of the appropriate officer for each government institution to whom requests relating to personal information within the class should be sent.
Statement of uses and purposes
11.(2) The designated Minister may set forth in the index referred to in subsection (1) a statement of any of the uses and purposes, not included in the statements made pursuant to subparagraph (1)(a)(iv), for which personal information contained in any of the personal information banks referred to in the index is used or disclosed on a regular basis.
Index to be made available
11.(3) The designated Minister shall cause the index referred to in subsection (1) to be made available throughout Canada in conformity with the principle that every person is entitled to reasonable access to the index.
SECTION 71
Duties and functions of designated Minister
71.(1) Subject to subsection (2), the designated Minister shall
(a) cause to be kept under review the manner in which personal information banks are maintained and managed to ensure compliance with the provisions of this Act and the regulations relating to access by individuals to personal information contained therein;
(b) assign or cause to be assigned a registration number to each personal information bank;
(c) prescribe such forms as may be required for the operation of this Act and the regulations;
(d) cause to be prepared and distributed to government institutions directives and guidelines concerning the operation of this Act and the regulations; and
(e) prescribe the form of, and what information is to be included in, reports made to Parliament under section 72.
Review of existing and proposed personal information banks
71.(3) Subject to subsection (5), the designated Minister shall cause to be kept under review the utilization of existing personal information banks and proposals for the creation of new banks, and shall make such recommendations as he considers appropriate to the heads of the appropriate government institutions with regard to personal information banks that, in the opinion of the designated Minister, are under-utilized or the existence of which can be terminated.
Establishment and modification of personal information banks
71.(4) Subject to subsection (5), no new personal information bank shall be established and no existing personal information banks shall be substantially modified without approval of the designated Minister or otherwise than in accordance with any term or condition on which such approval is given.
APPENDIX B
How to prepare information to be included in
Info Source
GENERAL INFORMATION
Background
Provide a concise description of the organization's history, including reference to its legislative foundation.
Responsibilities
Briefly describe the organization's major policy and program responsibilities.
Legislation
List, in point form and in alphabetical order, all the acts and regulations that the organization administers, or for which the organization has primary responsibility.
Organizational Structure
Summarize the functions of all major organizational units corresponding to the "program" and "activity" levels. It is generally not recommended that units lower than activity level be described. Addresses of institutions should be listed in the section called "Additional Information".
INFORMATION HOLDINGS
Program Records
Program Records were previously called "classes of records". To make them more descriptive of how they relate to the organization, their name was changed to Program Records. For the purposes of Info Source, it is not necessary to relate Program Records to any organizational unit lower than a program or an activity.
Standard Program Records
Many departments and agencies use Standard Program Records to list information about administrative subject areas which are common to many institutions, such as Accounts and Accounting, Budgets, Buildings, etc. Only the title of the Standard Program Records is shown in the institution's information for Info Source.
Personal Information Banks
Refer to Appendix "C", "How to complete the Personal Information Bank Registration Form."
Classes of Personal Information
Classes of Personal Information contain any personal information which is not used for administrative purposes or not retrievable by personal identifiers. Examples include unsolicited opinions, complaints or correspondence. This category ensures that government departments and agencies account for all personal information that they hold. Classes of Personal information are not subject to a registration process and do not have a TBS registration number or a PIB number.
Manuals
For the purposes of Info Source, manuals are listed under a sub-heading in the Information Holdings section. As required by the legislation, institutions must provide a listing in alphabetical order of the titles of all the manuals which they use in administering or carrying out policies, programs and activities that affect the public.
Additional Information
This section can be used to provide the address and telephone number of the organization's main points of access to obtain information informally. A "general information" number must be listed as opposed to that of the ATIP office. It can also include regional addresses.
APPENDIX C
How to complete the
Personal Information Bank Registration Form
INSTITUTION
Indicate the legal title of the department or agency.
PART 1
Title of Personal Information Bank
Provide a descriptive name for the bank. It should be relatively simple but descriptive enough to reflect the types of information contained in the bank. It is also helpful when the title gives a pointer to the program to which it belongs.
PART 2
Program and Activity to which this Personal Information Bank relates:
Program: State the name of the program to which this personal information bank relates. A program is an organizational unit set up to achieve departmental objectives as authorized by Parliament.
Activity: An activity is a specific component of a departmental program.
Related to Program Record(s) Number: Insert the number of any program records relating to the activity to which the bank is linked.
Note on Program Record Numbers: Whenever you are requested to indicate Program Record Numbers, please use up to a 12 digit alphanumeric identifier. (Departmental Code can now be from 2 to 6 characters in length). The three middle letters refer to the program to which the Program Record is linked.
National Archives of Canada (PAC) Number: This number is assigned by the National Archivist and is related to the retention and disposal period assigned to the bank. PAC numbers are generally available from each institution's information management professionals or National Archives.
PART 3
Does this bank contain information gathered either through
Public Opinion Research or other information collection activities?
The Government Communications Policy requires that
institutions register any public opinion research with the Public
Opinion Research Directorate at the Canada Information Office.
Number of individuals represented in the Personal Information
Bank:
An approximate number is acceptable. This provides an
indication of the size of the bank.
Does this bank contain personal information that is used for
data matching purposes?
It is important to identify any data matching activities being
conducted by the institution. It is also necessary to identify
the matching institutions and sources. Please refer to the TBS
Privacy and Data Protection manual for the policies on Data Matching
and control of the Social Insurance Number (SIN).
Is this bank an exempt bank?
The Governor-in-Council may, by order, designate as exempt banks
certain personal information banks that contain information described
in Section 21 or 22 of the Privacy Act. If the bank has
been exempted, indicate the Order-in-Council Number and date of
approval.
PART 4
Submission and Review
Submitted by:
After signing the form, the Coordinator submits it to TBS for
registration. Forms are to be forwarded to Colette
Dubois at:
Information and Security Policy Division
Government Operations Sector
Treasury Board of Canada Secretariat
L'Esplanade Laurier, East Tower
140 O'Connor Street, 8th Floor
Ottawa, Ontario K1A OR5Fax: (613) 952-7287
Review
After reviewing the information provided on the form to ensure
that the bank complies with the Privacy Act, a signed and dated
copy of the form is returned for your input to Info Source.
PART 5
Personal Information Bank Number and TBS Registration
There are two main categories of Personal Information Banks:
a) Information on the general public:
Public Banks (PPU):
If the bank includes information about any segment of the population
outside of the federal public service, it is a "public" bank.
Banks containing information about both the public and the federal
public service should be designated as "public" banks.
b) Information on federal employees:
Particular Banks (PPE):
These banks contain personal information about federal employees
that is specific to the requirements of each department or agency.
Central Banks (PCE):
These banks include information about employees from all or
several government institutions. They are maintained by central
agencies such as the Public Service Commission, the Treasury Board
Secretariat and Public Works and Government Services Canada.
Standard Banks (PSE):
These banks consist of administrative information which many
government institutions maintain about their employees. Types of
information include "Employee Personal Records", "Pay
and Benefits", "Training and Development", etc. Not
all government institutions require for each employee all the records
described in the Standard Banks. These banks must be
individually registered by each institution using them.
PART 6
Contents of Personal Information Bank - as it will appear in Info
Source
Characteristics
Personal information banks provide a summary of the type of information about individuals that is held by federal departments and agencies. The Privacy Act requires that Personal Information Banks include all personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. These banks must also include personal information which has been or is being used or is available for use for an administrative purpose.
Contents
The specific requirements with regard to the contents of a Personal Information Bank are as follows:
Description: Provide a descriptive statement of the information that is contained in the bank. The description should indicate the types of personal information which the bank contains, i.e. names, addresses, telephone numbers, age of individuals, sex, marital status, country of birth, citizenship, social insurance numbers, employee numbers, race, fingerprints, blood types, etc.
Class of Individuals: Indicate the type of individual to whom the information relates. Examples are employees of the institution, recipients of Canada Pension Plan benefits, etc.
Consistent Uses: A consistent use is a related purpose which has a reasonable and direct connection to the original purpose for which the information was obtained or compiled. State all consistent uses of the information. Data matching activities and disclosures should be listed under this heading. Refer to the policy on Data Matching and Control of the Social Insurance Number (SIN) for guidance.
Note on Disclosure: There are circumstances under which personal information may be disclosed to third parties. If personal information is disclosed, state the third party involved.
Personal Information Bank Registration Form
