No.: |
95 |
DATE: |
November
26,
2004 |
TO: |
Access
to
Information
and
Privacy
Coordinators |
SUBJECT: |
Registration
of
Personal
Information
Banks
(PIB) |
Summary
The Privacy Act (Section 11(a)) requires that institutions
identify personal information that is under their control and describe
this information as Personal Information Banks (PIB), which are
subsequently published within Info Source.
A PIB describes a collection or grouping of individual's personal
information held by federal departments and agencies, subject to the Privacy
Act. PIBs describe personal information that is:
- under the control of a
government
institution
- captured in the
institution's
record
keeping
system;
and
- collected or maintained in
support
of
an
institutional
program
or
activity.
PIBs are used to describe personal information if it is retrievable
by a person's name or by an identifying number, symbol or other
particular assigned only to that person or personal information that
has been or is being used, or is available for use for an
administrative purpose.
Personal Information Banks (PIBs) describe:
- the personal information
elements
that
are
contained
within
the
official
records
keeping
system
of
the
federal
institution;
- why this personal
information
is
being
collected;
- how this information may
be
used;
- how this information is
held
and
then
disposed
of;
and
- about whom the information
relates
(class
of
individuals).
Note: PIBs are used only to describe personal information
– not to actually collect and manage personal information. The
information itself is captured and managed within the records and
related record keeping system of the federal institution.
Info Source is a key source for individuals to exercise
their right to access their personal information and correct errors.
Incomplete or inaccurate listings within Info Source indicates
institutions subject to the Privacy Act are not meeting their
legal obligations under the Act, specifically to list what information
it collects and how the data is used and disclosed.
PIB Checklist
Before registering the PIB, you should ask the following questions:
- Is the personal
information
retrievable
by
name
or
identifying
particular?
(Please note that most electronic systems now have full text search capabilities which allows this type of information retrieval.)
Is
the
personal
information
used
or
available
for
use
for
an
administrative
purpose?
- Does a PIB already exist
that
comprises
this
information?
- Should a reference be made
to
another
bank?
- Should it be registered as
a
standard
bank?
- Did your institution
consider
whether
or
not
a
privacy
impact
assessment
(PIA)
should
be
conducted?
The Personal Information Bank (PIB) Registration Process
The formal PIB registration process requires that institutions
complete the PIB
Registration Form (in both official languages) and forward these
forms to the Information, Privacy and Security Policy Division (IPSPD)
of Treasury Board to the attention of Laura Simmermon.
Please note: Due to the consultative approach now being used by
IPSPD for the development of new and revised PIBs, institutions may
prefer to use the Personal Information Bank Development Template
(Appendix D) and submit their proposed PIB (it is not necessary to
provide translated versions at this time) via e-mail to Laura
Simmermon at Simmermon.Laura@tbs-sct.gc.ca.
- Content of proposed PIB is
reviewed
by
a
Senior
Policy
Analyst.
- The proposed PIB is
developed
through
a
consultative
process
between
IPSPD
and
the
institution.
- Final version of the
proposed
PIB
is
formally
submitted
(in
both
official
languages)
to
IPSPD.
Please note: the PIB
Registration form must be
signed by the institutional
ATIP Coordinator.
- Proposed PIB is approved
by
IPSPD.
- PIB receives unique TBS
Registration
number.
- A copy of the completed
PIB
form
is
returned
to
the
institution.
- The institution must
include
the
Registered
PIB
in
their
next
update
to
Info
Source.
It should be noted:
- The review and approval
process
for
new
PIB
registrations
is
a
time-consuming
and
iterative
process.
- New PIB registrations
should
be
submitted
to
the
Information,
Privacy
and
Security
Policy
Division
(IPSPD)
of
the
Treasury
Board
Secretariat
throughout
the
year
–
on
an
ongoing
basis.
- New PIB Registrations that
are
submitted
to
IPSPD
with
an
institution's
Info
Source
update
will
not
be
reviewed
and
approved
in
time
to
be
included
in
that
year's
Info
Source.
Info
Source
updates
submitted
with
PIBs
that
have
not
been
approved
and
registered
by
TBS
will
be
revised
and
the
unregistered
PIBs
removed.
- To ensure that New PIB
Registrations
are
reviewed
and
approved
in
time
for
inclusion
with
an
institution's
Info
Source
update,
the
following
timelines
must
be
respected:
- All
new
institution-specific
PIBs
must
be
submitted
to
TBS
by
April
30th.
- All
new
standard
PIBs
must
be
submitted
to
TBS
by
May
31st.
Donald Lemieux
Acting Senior Director
Information, Privacy and Security Policy Division
Chief Information Officer Branch
Attachments:
Appendix A
Appendix B
Appendix C
Appendix D
Appendix A
How to complete the Personal Information Bank Registration Form
INSTITUTION
Indicate the legal title of the department or agency.
PART 1
Title of Personal Information Bank
Provide a descriptive name for the bank. It should be relatively
simple but descriptive enough to reflect the types of information
contained in the bank. It is also helpful when the title gives a
pointer to the program to which it belongs.
PART 2
Program and Activity to which this Personal Information Bank
relates:
Program: State the name of the program to which this
personal information bank relates.
Programs are the largest unit of business activity in an
institution – a unit set up to achieve institutional objectives as
authorized by Parliament. A program represents the major
responsibilities that are managed by the organization to fulfil
its goals.
Activity: Activities are the major tasks performed by the
organization to accomplish each of its programs. Several activities
may be associated with an institutional program.
Related to Program Record(s) Number:
Include the program record number(s assigned by the institution to
the program records supporting the activity to which this PIB is
linked.
Program records are distinct pieces of recorded information,
regardless of physical form or medium, that are collected, created or
received through the initiation, conduct or completion of a
departmental activity or individual activity on behalf of the
Department. Program records are comprised of either operational or
administrative records.
Note on Program Record Numbers:
Personal Information may only be collected and used by an
institution in support of a mandated activity. The records supporting
that mandated activity are identified, organized and managed in an
official record keeping system the source of this reference number.
Library and Archives Canada (PAC) Number: This number is now
called the Records
Disposition Authority (RDA) and is assigned by the Library and
Archives Canada. In accordance with the provisions of the Library and
Archives of Canada Act, the RDA is the instrument that the National
Archivist issues to government institutions for enabling the
disposition of records which no longer have operational utility.
RDAs are generally available from each institution's information
management professionals.
PART 3
Does this bank contain information gathered either through Public
Opinion Research or other information collection activities?
The Government Communications Policy requires that
institutions register any public opinion research with the Public
Opinion Research Directorate at the Canada Information Office.
Number of individuals represented in the Personal Information
Bank:
An approximate number is acceptable. This provides an indication of
the size of the bank.
Does this bank contain personal information that is used for
data matching purposes?
It is important to identify any data matching activities being
conducted by the institution. It is also necessary to identify both
the matching institutions and sources. Please refer to the TBS Privacy
and Data Protection manual for the policies on Data
Matching and control of the Social
Insurance Number (SIN).
Is this bank an exempt bank?
The Governor-in-Council may, by order, designate as exempt banks
certain personal information banks that contain information described
in Section 21 or 22 of the Privacy Act. If the bank has been
exempted, indicate the Order-in-Council Number and date of approval.
PART 4
Submission and Review
Submitted by:
After signing the form, the Coordinator submits it to TBS for
registration. Forms are to be forwarded to Laura Simmermon at:
Information, Privacy and Security Policy Division
Chief Information Officer Branch
Treasury Board of Canada Secretariat
2745 Iris Street, 4th Floor
Ottawa, Ontario K1A OR5
Fax: (613) 957-8020
E-mail: Simmermon.Laura@tbs-sct.gc.ca
Review
After reviewing the information provided on the form to ensure
that the bank complies with the Privacy Act, a signed and dated
copy of the form is returned for your input to Info Source.
PART 5
Personal Information Bank Number and TBS Registration
Bank Number:
This is a unique number generated and assigned by the institution
as a finding aid. The Bank number is comprised of the following three
elements:
1) The institutional acronym. This should be the FIP-approved
acronym if one exists. If not, then the acronym utilized by the
institution is acceptable.
2) The three-letter acronym that identifies the type of PIB (see
Glossary of Terms for a description of the PIB types):
- PSE – Employee Standard
Bank
- PSU– Public Standard
Bank
3) A unique number generated by the institution to either link the
PIB to specific program records or to the operational area within the
institution or other related purposes.
TBS Registration:
A unique number assigned by TBS once the PIB has been reviewed and
approved by TBS.
PART 6
Contents of Personal Information Bank - as it will appear in Info
Source
Characteristics
Personal information banks provide a summary of the type of
information about individuals that is held by federal departments and
agencies. The Privacy Act requires that Personal Information
Banks include all personal information that is organized and
retrievable by a person's name or by an identifying number, symbol or
other particular assigned only to that person. These banks must also
include personal information that has been or is being used or is
available for use for an administrative purpose.
Contents
The specific requirements with regard to the contents of a Personal
Information Bank are as follows:
Description: Provide an explanatory statement of the information
described by the bank.
The description should indicate the types of personal information
which the bank contains, i.e. names, addresses, telephone numbers, age
of individuals, sex, marital status, country of birth, citizenship,
social insurance numbers, employee numbers, race, fingerprints, blood
types, etc.
Class of Individuals: Indicate the type(s) of individual to
whom the information relates. Examples are employees of the
institution, recipients of Canada Pension Plan benefits, etc.
Purpose: Provide a clear and concise explanation of the
reason for which the personal information was obtained or compiled.
The reason must be directly related to a government program or
activity. The purpose may be stated in terms of the kinds of decisions
that are made based on the information or the use of the bank.
Consistent Uses: A consistent use is a related purpose that
has a reasonable and direct connection to the original purpose for
which the information was obtained or compiled. State all consistent
uses of the information and potential or related uses for which the
personal information may be used or disclosed.
Data matching activities and disclosures should be listed under
this heading. Refer to the policy on Data
Matching and Control of the Social Insurance Number (SIN) for
guidance.
If there are no Consistent Uses, please include a statement to that
effect.
Note on Disclosure: There are circumstances under which
personal information may be disclosed to third parties. If personal
information is disclosed, state the third party involved.
Retention and Disposal standards: A timetable for the length
of time records are maintained within the institution, (when the
records are no longer required to meet operational, legal or other
requirements) & when the RDA can be applied to the record holdings
for final disposition.
It is not necessary to identify where the records are located, i.e.
at the Federal Records Centre – the retention period merely
identifies how long the records are to be retained by the controlling
institution before the final disposition action.
It is necessary to identify the final disposition action when the
end of the retention period has been reached, i.e. destruction,
transfer to Library and Archives Canada as historical records,
alienation from the custody and control of the federal government due
to a transfer to a provincial body or other special operating agency.
Appendix B
Revised PIB Registration Process
Until further notice, the entire PIB will be reviewed to ensure a
holistic application of the quality assurance processes recently
implemented by IPSPD during the review and approval of PIBs.
The formal registration process requires that institutions include
on the following elements on the PIB
Registration Form (in both official languages) and forward these
forms to the Information, Privacy and Security Policy Division (IPSPD)
of Treasury Board to the attention of Laura Simmermon.
Elements to be completed on PIB Registration Form:
- The TBS Registration
Number
- The proposed revised
text
for
the
component
being
revised
Please note: Due to the consultative approach now being used
by IPSPD for the development of new and revised PIBs, institutions may
prefer to use the attached template (Appendix D) and
informally submit their proposed PIB (it is not necessary to provide
translated versions at this time) via e-mail to Laura Simmermon at Simmermon.Laura@tbs-sct.gc.ca.
- Proposed revision is
reviewed
by
a
Senior
Policy
Analyst.
- Final text for revised PIB
is
developed
through
a
consultative
process
between
IPSPD
and
the
institution.
- Final revised PIB is
formally
submitted
(in
both
official
languages)
to
IPSPD.
Please note: the PIB
Registration form must be
signed by the institutional
ATIP Coordinator.
- Final revised PIB is
approved
by
IPSPD.
Please note: The
Privacy Commissioner's Office
must be notified of new
consistent uses.
- A new TBS Registration
Number
will
not
be
assigned
to
the
revised
PIB
unless
substantial
changes
are
made
to
the
existing
PIB.
- A copy of the approved PIB
form
is
returned
to
the
institution.
- The institution must
include
the
updated
PIB
in
their
next
update
to
Info
Source.
It should be noted:
- The review and approval
process
for
revised
PIB
registrations
is
a
time-consuming
and
iterative
process.
- Revised PIB registrations
should
be
submitted
to
the
Information,
Privacy
and
Security
Policy
Division
(IPSPD)
of
the
Treasury
Board
Secretariat
throughout
the
year
–
on
an
ongoing
basis.
- Revised PIB Registrations
that
are
submitted
to
IPSPD
with
an
institution's
Info
Source
update
will
not
be
reviewed
and
approved
in
time
to
be
included
in
that
year's
Info
Source.
- To ensure that revised PIB
Registrations
are
reviewed
and
approved
in
time
for
inclusion
with
an
institution's
Info
Source
update,
they
must
be
submitted
to
TBS
by
April
30th.
Appendix C
Appendix D
Template for Development of New PIBs
Name
of
Institution: |
|
Contact
Name: |
|
Phone
Number: |
|
Email
Address: |
|
Title:
- Must
be
descriptive
and
reflect
information
being
described
by
PIB.
- It
is
helpful
when
the
title
gives
a
pointer
to
the
program
to
which
the
PIB
relates.
|
|
Description:
- An
explanatory
statement
of
the
information
described
by
the
bank.
- It
should
indicate
the
specific
personal
information
elements
contained
in
the
records
to
which
the
bank
relates,
i.e.
names,
addresses,
telephone
numbers,
age,
sex,
marital
status,
country
of
birth,
citizenship,
social
insurance
numbers,
employee
numbers,
race,
fingerprints,
blood
types,
etc.
|
|
Note:
This
is
the
only
optional
field.
- May
contain
information
about
how
to
access
the
information
described
by
the
PIB,
i.e.
please
provide
Surname,
given
name
and
telephone
number.
- Should
not
contain
"contact"
information
within
the
institution
creating
the
PIB
|
|
Class
of
Individuals:
Identifies
the
group
or
category
of
individuals
about
whom
the
information
relates,
i.e.
current
and
former
employees,
contractors,
program
applicants,
etc.
|
|
Purpose:
- Provides
a
clear
and
concise
explanation
of
the
reason
for
which
the
personal
information
was
obtained
or
compiled.
- The
reason
must
be
directly
related
to
a
government
program
or
activity.
- The
purpose
may
be
stated
in
terms
of
the
kinds
of
decisions
that
are
made,
based
on
the
information
|
|
Consistent
Uses:
- Itemizes
the
potential
or
related
uses
for
which
the
personal
information
may
be
used
or
disclosed.
- Uses
must
conform
with
the
original
purpose
for
which
the
information
was
collected
-
which
might
reasonably
be
considered
to
be
related.
- Must
have
a
reasonable
and
direct
connection
to
the
original
purpose(s)
- State
all
consistent
uses
of
the
information.
Data
matching
activities
and
disclosures
should
be
listed
under
this
heading.
- If
there
are
no
Consistent
Uses,
please
include
a
statement
to
that
effect.
- Note
on
Disclosure:
There
are
circumstances
under
which
personal
information
may
be
disclosed
to
third
parties.
If
personal
information
is
disclosed,
state
the
third
party
involved.
|
|
Retention
and
Disposal
Standards:
- A
timetable
for
the
length
of
time
records
are
maintained
within
the
institution,
(when
the
records
are
no
longer
required
to
meet
operational,
legal
or
other
requirements)
&
when
the
RDA
can
be
applied
to
the
record
holdings
for
final
disposition)
- Include
the
disposition
action
applied
to
the
records
when
the
retention
period
is
reached,
i.e.
destroyed,
alienated
or
transferred
to
National
Archives
of
Canada
as
historical
record.
|
|
RDA
Number:
- Records
Disposition
Authority
number
assigned
by
the
National
Archives
of
Canada.
- RDA
enables
government
institutions
to
dispose
of
records
which
no
longer
have
operational
utility.
|
|
Related
Program
Number:
Personal
Information
Banks
must
be
cross-referenced
to
institutional
Program
Records
(which
are
also
described
in
Info
Source:
Sources
of
Federal
Government
Information).
|
|
TBS
Registration
A
unique
number
assigned
by
TBS
once
the
PIB
has
been
reviewed
and
approved
by
TBS.
|
|
Bank
Number:
Unique
number
created
by
institution
using:
- institution's
FIP
acronym;
- Personal
Information
Bank
Code
(PPU
-
general
public,
etc.);
- institutional
assigned
reference
number
|
|
|