CLF for the Internet - Important Notices

Rationale

The Privacy Notice assures end-users that information automatically acquired through a visit to any GoC site will not be used other than for the express purposes of Web maintenance and security.

Interpretation

Each institution's Web site Privacy Notice should be developed as a co-operative effort of the areas responsible for information technology, computer security, privacy and protection of personal information, communications, legal services and information management.

Every institution's Privacy Notice must include the following elements:

• Identification of the organization and how it can be contacted, including the name or position title of the person to contact with any Web site privacy concerns (normally the Privacy Co-ordinator)
• A clear description of any personal information which is collected automatically, a statement that such information is protected under the Privacy Act, the purpose for which it is collected, who will have access to it, how long it is kept, where it is kept and how an individual can access and correct their own personal information
• A statement explaining that should the user choose to provide personal information through e-mail or other means, such information is protected under the Privacy Act and will only be used for the specific purposes for which it has been provided (e.g. to respond to a specific request), or where required by law, how long it is kept, where it is kept and how to obtain access and request corrections
• A statement that non-identifiable or statistical information may be collected for audit purposes, for use in maximising effectiveness, or for another purpose specified here, if this is the case
• An explanation of any security use of information for purposes such as tracking suspected intrusions or the source of a computer virus, or controlling access to the system
• A statement concerning whether cookies, or any other data, are placed on the user's machine, and how they are used
• A description of any privacy-enhancing technologies in use or available for use such as the Public Key Infrastructure (PKI) or Secure Socket layer (SSL)
• A statement that individuals may contact the Office of the Privacy Commissioner if they are dissatisfied with the response they receive from the institution privacy contact on a privacy concern with the Web site.

The Privacy Notice must provide enough detail to allow users to understand what information will be collected and when, and to make an informed decision concerning whether to remain at the site.

Two examples of Privacy Notices have been provided see www.tbs-sct.gc.ca/clf-nsi/5/5ex2_e.asp. Use the appropriate bullets from the 2 examples to build your own Privacy Notice.

Guidelines for Cookies on Government of Canada Web Sites (August 19, 2002)

5.3 Best Practices

An institution's Web site Privacy Notice should include a statement concerning:

• Links to other sites not covered by this privacy policy
• Any specific institutional policy on collecting information from children online

Institutions should also remind users that, unless specifically noted otherwise, neither electronic systems or e-mail are secure information transmission methods, and that it is not recommended that sensitive personal information be transmitted electronically.

In some circumstances institutions may use an outside service provider as a Webmaster, and may provide a link for sending a message to the Webmaster. In those circumstances, the outside service provider should be under a contractual obligation to treat any personal information as though it were covered by the Privacy Act. In addition, the institution must make it clear to users that they are sending information outside the institution.