No.: 71
DATE: August 18, 2000
TO: Access to Information and Privacy Co-ordinators
SUBJECT: Directive on Government of Canada Web Site privacy policies
Attached is the Directive on Government of Canada Web Site privacy policies. In brief, it reminds institutions that the provisions of the Privacy Act apply equally to any electronic collection or use of personal information as to any collection or use of personal information in conventional formats. The Directive also describes how to ensure that your web site satisfies the requirements of the Act.
The people who are responsible
for your web sites may already be familiar with these requirements, which have
been mirrored in the Common Look and Feel initiative. You may wish to contact
them to offer your assistance in the interpretation and application of the Privacy
Act in specific situations.
Any questions on the directive
may be directed to your portfolio officer in the Information and Security
Policy Division.
Original signed by
Mary Anne Stevens
Senior Policy Officer
Information and Security Policy Division
Government Operations Sector
Attach.
Every institution which is subject to the Privacy Act must ensure that each collection of personal information conforms to the requirements of that Act. The requirements apply equally to electronic collections as they do to paper-based collections. Any time personal information is collected electronically, the individual must be properly informed of their rights, in the same way as if the collection was done via more traditional means.
One of the differences between electronic communications and paper-based communications is that it
may not be obvious to the individuals involved whether or not
personal information is being collected in the course of any specific interaction. For these reasons,
every web site must include a privacy policy, even if no personal information is collected through that
site.
Each institution's web site privacy policy should be
developed as a co-operative effort of the areas responsible for information technology, computer security,
privacy and protection of personal information, communications, legal services and information
management.
Location:
A link to the privacy policy should be clearly displayed on
all home pages and site maps, and must be displayed on any page which requests personal information or
provides a link for sending a message to the institution. Any variation from the institutional web site
privacy policy must be highlighted wherever it occurs, and clear, informed consent must be obtained for
any use of personal information beyond what is stated in the privacy policy. In addition, a full privacy
statement must be included at any location which requests personal information. That statement must
inform individuals how the personal information will be used, which parts of the form are
discretionary or mandatory, how long the personal information will be kept, where it will be kept (which
Personal Information Bank) and how they can obtain access to their information.
Content Description:
Every institution's web privacy policy must include:
- Identification of the
organization and how it can be contacted, including the name or position title
of the person to contact with any web site privacy concerns
(normally the Privacy Co-ordinator);
- A clear description of any personal information which is collected automatically, a statement that such information is protected under the Privacy Act, the purpose for which it is collected, who will have access to it, how long it is kept, where it is kept and how an individual can access and correct their own personal information;
- A statement explaining that should the user choose to provide personal information through e-mail or other means, such information is protected under the Privacy Act and will only be used for the specific purposes for which it has been provided (e.g. to respond to a specific request) or where required by law, how long it is kept, where it is kept and how to obtain access and request corrections;
- A statement that
non-identifiable or statistical information may be collected for audit
purposes, for use in maximising effectiveness, or for another purpose specified
here, if this is the case;
- An explanation of any
security use of information for purposes such as tracking suspected intrusions
or the source of a computer virus, or controlling access to
the system;
- A statement concerning
whether cookies, or any other data, are placed on the user's machine, and
how they are used;
- A description of any
privacy enhancing technologies in use or available for use (such as the Public
Key Infrastructure (PKI) or Secure Socket Layer (SSL)); and
- A statement that
individuals may contact the Office of the Privacy Commissioner if they are dissatisfied with the response they receive from the
institution privacy contact on a privacy concern with the web site.
An institution's web site privacy policy should include a
statement concerning links to other sites not covered by this privacy policy or any specific institutional
policy on collecting information from children online. Institutions should also remind users that, unless
specifically noted otherwise, neither electronic systems nor e-mail are secure information transmission
methods, and that it is not recommended that sensitive personal information be transmitted electronically.
In some circumstances institutions may use an outside service provider as a webmaster, and may provide a
link for sending a message to the webmaster. In those circumstances, the outside service
provider should be under a contractual obligation to treat any personal information as though it were covered by
the Privacy Act.
In addition, the institution must make it clear to users that they are sending information
outside the institution.
The policy statement must provide enough detail to allow users
to understand what information will be collected and when, and to make an informed decision
concerning whether to remain at the site.
Questions on this directive may be directed to your
institution's Privacy Co-ordinator, who may in turn direct questions to your institution's portfolio officer in
the Information and Security Policy Division of the Government Operations Sector of the Treasury Board
Secretariat.
Example A: (This
example is for a best-case institution that does not automatically collect any
personal information; that does not use "cookies" or an
outside webmaster; that uses security monitoring software; and that participates in PKI.)
The Government of Canada and Department X are committed to
providing visitors with web sites that respect their privacy. This page summarizes the privacy policy
and practices on Department X web sites.
- Department X web sites
do not automatically gather any specific personal information from you, such as your name, phone number or e-mail address. We
would only obtain this type of information if you supply it by sending us an e-mail or
registering in a secure portion of the site.
- All personal information
created, held or collected by this department is protected under the federal Privacy Act.
This means that at any point of collection you will be asked for consent to collect your information, and you will be informed of the
purpose for which it is being collected and how to exercise your right of access to that
information.
- Department X employs
software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause
damage. This software receives and records the Internet Protocol (IP) address of the computer
that has contacted our web site, the date and time of the visit and the pages visited. We make
no attempt to link these addresses with the identity of individuals visiting our site
unless an attempt to damage the site has been detected.
- Department X does not
normally use "cookies" to track how our visitors use this site or to
determine sites previously visited. The system will notify you
before any cookies are used so that you may refuse them. (A "cookie" is a file that
may be placed on your hard drive without your knowledge by a web site to allow it to monitor your use
of the site.)
- Information on
individual visitors is used by Department X employees who need to know the information in order to respond to your request or to ensure
the security of this system. We only share the information you give us with another government
department if your inquiry relates to that department. We do not use the information to
create individual profiles, nor do we disclose this information to anyone outside the federal
government.
- Department X is a
participant in the Government of Canada Public Key Infrastructure (PKI), which gives you the opportunity to communicate with the
Department in a confidential manner. You may find additional information on PKI and how to
use it here.
Questions or comments regarding this policy, or the administration of the Privacy Act in Department X may be directed to the Privacy Co-ordinator by e-mail to (link) or by calling (XXX) XXX-XXXX or writing to XXXX. If you are not satisfied with our response to your privacy concern, you may wish to contact the Office of the Privacy Commissioner (link).
Example B: (This
example is for an institution that does not automatically collect any personal
information; that uses "cookies" in some places;
that uses an outside webmaster; that uses security monitoring software; and that does not participate in PKI.)
The Government of Canada and Department Y are committed to
providing visitors with web sites that respect their privacy. This page summarizes the privacy policy
and practices on Department Y web sites.
- Department Y web sites
do not automatically gather any specific personal information from you, such as your name, phone number or e-mail address. We
would only obtain this type of information if you supply it by sending us an e-mail or
registering in a secure portion of the site.
- All personal information
held or collected by this department is protected under the federal Privacy Act. This
means that at any point of collection you will be asked for consent to collect
your information, and you will be informed of the purpose for
which it is being collected and how to exercise your right of access to that information.
- Department Y employs
software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause
damage. This software receives and records the Internet Protocol (IP) address of the computer
that has contacted our web site, the date and time of the visit and the pages visited. We make
no attempt to link these addresses with the identity of individuals visiting our site
unless an attempt to damage the site has been detected.
- Department Y
occasionally uses "cookies" to track how our visitors use this site
or to determine sites previously visited. The cookies we use do not
allow us to identify individuals.
They are compiled into statistical information on traffic
patterns and are used to assess site efficiency. The system will notify you before any cookies are
used so that you may refuse them, and the refusal of cookies will not affect the site
performance or restrict your ability to access information from this site. (A "cookie" is a
file that may be placed on your hard drive without your knowledge by a web site to allow it to monitor
your use of the site.)
- Information on
individual visitors is used by Department Y employees who need to know the information in order to respond to your request or to ensure
the security of this system. We only share the information you give us with another government
department if your inquiry relates to that department. We do not use the information to
create individually identifiable profiles, nor do we disclose this information to anyone
outside the federal government.
- Any message which you may send to the webmaster for this site will go to Webmasters-R-Us, a corporation which is not part of the federal government. Information concerning the functioning of the site is provided to the webmaster so that they can propose adjustments to the site to maximize its effectiveness. Webmasters-R-Us is bound by a contract with Department Y to treat any personal information they receive in relation to this web site as though it is covered by the provisions of the Privacy Act. Any questions, concerns or complaints you may have about how Webmasters-R-Us is handling personal information from this site should be directed to the Department Y Privacy Co-ordinator as listed below.
Questions or comments regarding this policy, or the administration of the Privacy Act in Department Y may be directed to the Privacy Co-ordinator by e-mail to (link) or by calling (XXX) XXX-XXXX or writing to XXXX. If you are not satisfied with our response to your privacy concern, you may wish to contact the Office of the Privacy Commissioner (link).