Treasury Board of Canada Secretariat  Government of Canada

Directive on Government of Canada Web Site privacy policies

Every institution which is subject to the Privacy Act must ensure that each collection of personal information conforms to the requirements of that Act. The requirements apply equally to electronic collections as they do to paper-based collections. Any time personal information is collected electronically, the individual must be properly informed of their rights, in the same way as if the collection was done via more traditional means.

One of the differences between electronic communications and paper-based communications is that it may not be obvious to the individuals involved whether or not personal information is being collected in the course of any specific interaction. For this reason, every web site must include a privacy policy, even if no personal information is collected through that site.

Each institution's web site privacy policy should be developed as a co-operative effort of the areas responsible for information technology, computer security, privacy and protection of personal information, communications, legal services and information management.

Location:

A link to the privacy policy should be clearly displayed on all home pages and site maps, and must be displayed on any page which requests personal information or provides a link for sending a message to the institution. Any variation from the institutional web site privacy policy must be highlighted wherever it occurs, and clear, informed consent must be obtained for any use of personal information beyond what is stated in the privacy policy. In addition, a full privacy statement must be included at any location which requests personal information. That statement must inform individuals how the personal information will be used, which parts of the form are discretionary or mandatory, how long the personal information will be kept, where it will be kept (which Personal Information Bank) and how they can obtain access to their information.

Content Description:

Every institution's web privacy policy must include:

- Identification of the organization and how it can be contacted, including the name or position title of the person to contact with any web site privacy concerns (normally the Privacy Co-ordinator);

- A clear description of any personal information which is collected automatically, a statement that such information is protected under the Privacy Act, the purpose for which it is collected, who will have access to it, how long it is kept, where it is kept and how an individual can access and correct their own personal information;

- A statement explaining that should the user choose to provide personal information through e-mail or other means, such information is protected under the Privacy Act and will only be used for the specific purposes for which it has been provided (e.g. to respond to a specific request) or where required by law, how long it is kept, where it is kept and how to obtain access and request corrections;

- A statement that non-identifiable or statistical information may be collected for audit purposes, for use in maximising effectiveness, or for another purpose specified here, if this is the case;

- An explanation of any security use of information for purposes such as tracking suspected intrusions or the source of a computer virus, or controlling access to the system;

- A statement concerning whether cookies, or any other data, are placed on the user's machine, and how they are used;

- A description of any privacy enhancing technologies in use or available for use (such as the Public Key Infrastructure (PKI) or Secure Sockets Layer (SSL)); and

- A statement that individuals may contact the Office of the Privacy Commissioner if they are dissatisfied with the response they receive from the institution privacy contact on a privacy concern with the web site.

An institution's web site privacy policy should include a statement concerning links to other sites not covered by this privacy policy or any specific institutional policy on collecting information from children online. Institutions should also remind users that, unless specifically noted otherwise, neither electronic systems nor e-mail are secure information transmission methods, and that it is not recommended that sensitive personal information be transmitted electronically. In some circumstances institutions may use an outside service provider as a webmaster, and may provide a link for sending a message to the webmaster. In those circumstances, the outside service provider should be under a contractual obligation to treat any personal information as though it were covered by the Privacy Act. In addition, the institution must make it clear to users that they are sending information outside the institution.

The policy statement must provide enough detail to allow users to understand what information will be collected and when, and to make an informed decision concerning whether to remain at the site.

Questions on this directive may be directed to your institution's Privacy Co-ordinator, who may in turn direct questions to your institution's portfolio officer in the Information and Security Policy Division of the Government Operations Sector of the Treasury Board Secretariat.

Example A: (This example is for a best-case institution that does not automatically collect any personal information; that does not use "cookies" or an outside webmaster; that uses security monitoring software; and that participates in PKI.)

The Government of Canada and Department X are committed to providing visitors with web sites that respect their privacy. This page summarizes the privacy policy and practices on Department X web sites.

- Department X web sites do not automatically gather any specific personal information from you, such as your name, phone number or e-mail address. We would only obtain this type of information if you supply it by sending us an e-mail or registering in a secure portion of the site.

- All personal information created, held or collected by this department is protected under the federal Privacy Act. This means that at any point of collection you will be asked for consent to collect your information, and you will be informed of the purpose for which it is being collected and how to exercise your right of access to that information.

- Department X employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. This software receives and records the Internet Protocol (IP) address of the computer that has contacted our web site, the date and time of the visit and the pages visited. We make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage the site has been detected.

- Department X does not normally use "cookies" to track how our visitors use this site or to determine sites previously visited. The system will notify you before any cookies are used so that you may refuse them. (A "cookie" is a file that may be placed on your hard drive without your knowledge by a web site to allow it to monitor your use of the site.)

- Information on individual visitors is used by Department X employees who need to know the information in order to respond to your request or to ensure the security of this system. We only share the information you give us with another government department if your inquiry relates to that department. We do not use the information to create individual profiles, nor do we disclose this information to anyone outside the federal government.

- Department X is a participant in the Government of Canada Public Key Infrastructure (PKI), which gives you the opportunity to communicate with the Department in a confidential manner. You may find additional information on PKI and how to use it here.

Questions or comments regarding this policy, or the administration of the Privacy Act in Department X may be directed to the Privacy Co-ordinator by e-mail to (link) or by calling (XXX) XXX-XXXX or writing to XXXX. If you are not satisfied with our response to your privacy concern, you may wish to contact the Office of the Privacy Commissioner (link).

Example B: (This example is for an institution that does not automatically collect any personal information; that uses "cookies" in some places; that uses an outside webmaster; that uses security monitoring software; and that does not participate in PKI.)

The Government of Canada and Department Y are committed to providing visitors with web sites that respect their privacy. This page summarizes the privacy policy and practices on Department Y web sites.

- Department Y web sites do not automatically gather any specific personal information from you, such as your name, phone number or e-mail address. We would only obtain this type of information if you supply it by sending us an e-mail or registering in a secure portion of the site.

- All personal information held or collected by this department is protected under the federal Privacy Act. This means that at any point of collection you will be asked for consent to collect your information, and you will be informed of the purpose for which it is being collected and how to exercise your right of access to that information.

- Department Y employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. This software receives and records the Internet Protocol (IP) address of the computer that has contacted our web site, the date and time of the visit and the pages visited. We make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage the site has been detected.

- Department Y occasionally uses "cookies" to track how our visitors use this site or to determine sites previously visited. The cookies we use do not allow us to identify individuals. They are compiled into statistical information on traffic patterns and are used to assess site efficiency. The system will notify you before any cookies are used so that you may refuse them, and the refusal of cookies will not affect the site performance or restrict your ability to access information from this site. (A "cookie" is a file that may be placed on your hard drive without your knowledge by a web site to allow it to monitor your use of the site.)

- Information on individual visitors is used by Department Y employees who need to know the information in order to respond to your request or to ensure the security of this system. We only share the information you give us with another government department if your inquiry relates to that department. We do not use the information to create individually identifiable profiles, nor do we disclose this information to anyone outside the federal government.

- Any message which you may send to the webmaster for this site will go to Webmasters-R-Us, a corporation which is not part of the federal government. Information concerning the functioning of the site is provided to the webmaster so that they can propose adjustments to the site to maximize its effectiveness. Webmasters-R-Us is bound by a contract with Department Y to treat any personal information they receive in relation to this web site as though it is covered by the provisions of the Privacy Act. Any questions, concerns or complaints you may have about how Webmasters-R-Us is handling personal information from this site should be directed to the Department Y Privacy Co-ordinator as listed below.

Questions or comments regarding this policy, or the administration of the Privacy Act in Department Y may be directed to the Privacy Co-ordinator by e-mail to (link) or by calling (XXX) XXX-XXXX or writing to XXXX. If you are not satisfied with our response to your privacy concern, you may wish to contact the Office of the Privacy Commissioner (link).

 


 Last Updated:  2004-11-05
