To ensure the effective and consistent application of the provisions of the Privacy
Act and the Privacy Regulations by government institutions.
To ensure that data-matching and data linkage of personal information for
administrative purposes meet the requirements of that legislation.
To limit collection and use of the Social Insurance Number (SIN) for
administrative purposes to those permitted by specific acts, regulations and
programs and to establish conditions for its collection.
It is the policy of the government:
- to recognize the rights of individuals to control over their personal
information, and to support those rights through the effective and
consistent application of the principles of the code of fair information
practices embodied in the Privacy Act and the Privacy
Regulations;
- to ensure that Canadians and individuals present in Canada have access to
all of their personal information which is held by federal government
institutions, subject only to the exceptions contained in the Privacy
Act;
- to account for and give public notice of data-matching carried out by or
on behalf of the government; and
- to prevent the SIN from becoming a universal identifier by:
  - limiting collection and use of the SIN by institutions to specific acts,
    regulations and programs; and
  - notifying individuals clearly as to the purposes for collecting the SIN
    and whether any right, benefit or privilege could be withheld or any penalty
    imposed if the number is not disclosed to a federal institution requesting
    it.
The Privacy Act and Regulations (see Chapters 4-1 and 4-2) provide
the legal framework for carrying out the government's policies in regard to
protection of personal information, access to such information, data-matching
and control of the Social Insurance Number.
An interpretation of the provisions of the Privacy Act and
Regulations needed to implement this policy is set out in the guidelines.
This policy applies to all institutions listed in the Schedule to the Privacy
Act, except the Bank of Canada.
Organization
1. Government institutions must have in place a current Delegation Order
signed by the head of the institution which lists responsibilities delegated
under section 73 of the Privacy Act, if any, and specifies the
officials to whom each responsibility is delegated. A list of responsibilities
which may be delegated by the head of the institution is contained in Chapter
3-1.
2. Government institutions must appoint an official, known as the Privacy
Co-ordinator, who will generally co-ordinate activities relating to the Privacy
Act for the institution.
Collection
3. Government institutions must have appropriate administrative controls in
place to ensure that they do not collect any more personal information than is
required for their programs or activities.
4. Government institutions must inform individuals from whom personal
information is to be collected:
4.1 of the purpose of the collection;
4.2 whether response is voluntary or is required by law;
4.3 of the possible consequences of refusing to respond;
4.4 that the individual to whom the information pertains has rights of
access to and protection of the personal information under the Privacy Act;
and
4.5 of the registration number of the personal information bank in which
the information to be collected is to be contained.
Note: This requirement may not apply in a limited number of
situations where notifying an individual would result in the collection of
inaccurate or misleading information. These situations are discussed in the
guidelines in Part 2.
Use and Disclosure
5. Government institutions, in addition to the requirements of the Privacy
Act, must ensure:
5.1 that appropriate administrative controls are in place to ensure against
the disclosure of personal information to anyone who is not permitted access
to it under the Privacy Act;
5.2 that the right to protection of privacy is fully considered where the Privacy
Act allows discretion to disclose personal information;
5.3 that authority to disclose personal information to federal
investigative bodies under paragraph 8(2)(e) of the Privacy Act is
restricted to senior officials and that requests for such disclosures meet all
the conditions set out in Chapter 3-6;
5.4 that a separate personal information bank is maintained for records of
disclosures to federal investigative bodies. The bank must include a copy of
the request and a copy of the personal information disclosed;
5.5 that any agreements made for the disclosure of information to other
governments or international organizations under paragraph 8(2)(f) of the Privacy
Act meet the minimum requirements set out in Chapter 3-6. These
agreements must be indicated in all appropriate personal information bank
descriptions in Info Source; and
5.6 that research privileges are withdrawn from any person or body
discovered to be improperly disclosing personal information under the research
and statistical purposes provision in paragraph 8(2)(j) of the Privacy Act,
and that immediate steps are taken to prevent further disclosure of the
personal information.
Accounting for personal information
6. Government institutions must account for and describe their holdings of
personal information in accordance with the government-wide standards
periodically issued by Treasury Board Secretariat.
Right of access
7. Government institutions must:
7.1 endeavour to assist individuals in obtaining access to their personal
information and in exercising their rights under the Privacy Act (as
set out in Chapter 3-2);
7.2 satisfy themselves as to the identity of an individual requesting
access to personal information under the Privacy Act and their
qualification for rights under the Act. They must also satisfy themselves as
to the identity and rights of anyone who purports to represent another
individual for the purposes of the Act; and
7.3 record all administrative actions taken in processing requests for
access, correction or notation under the Privacy Act, where such
actions are required by the Act or regulations. Administrative actions taken
must be recorded in such a manner as to account for all deliberations and
decisions regarding the processing of such requests.
8. Where the personal information to be disclosed to an individual with a
sensory disability already exists in more than one alternative format which is
acceptable to that individual, access shall be given in the alternative format
they prefer.
When determining the necessity of conversion to an alternative format under
paragraph 17(3)(b), among other factors that may be considered, the institution
must consider the requestor's certification of their disability.
When determining whether the conversion of requested information to an
alternative format is reasonable under paragraph 17(3)(b), among other factors
that may be considered, government institutions shall consider:
- the volume of the material to be converted
- the likely utility of the converted format of the material to the
individual
- the cost of conversion (including the relative costs of conversion to
other alternative formats).
Confidences of the Queen's Privy Council
9. Government institutions must consult through their institutional legal
counsel with the Legal Counsel, Privy Council Office when information which may
be considered to be Confidences of the Queen's Privy Council for Canada has been
identified in response to a request for access to personal information under the
Privacy Act, and must provide all the necessary related documents to
the Privy Council Office.
Exemptions
10. Government institutions must:
10.1 review all requested personal information for the purpose of
identifying and severing any portions of the information which are excluded
from the provisions of the Act or which must be exempted, and making a
decision concerning disclosure of any information which may be exempted. They
must release everything which is neither excluded nor exempted;
10.2 ensure that due regard is given to the injury or detrimental effect on
the interest specified in the exemption when discretion to exempt information
is provided;
10.3 ensure that any decision to give or refuse access is made by an
official with properly delegated authority and that the written exemption
notification to the applicant is signed by someone to whom this authority has
been properly delegated;
10.4 specify in their response to the applicant the subsection or paragraph
of the Act upon which each exemption is based, except where to do so would
reveal exempted information or cause the injury which forms the basis for the
exemption; and
10.5 indicate the exemptions in a manner which allows the applicant to
relate the particular exemptions to specific documents or portions of
documents which have been withheld, except where to do so would reveal
exempted information or cause the injury which forms the basis for the
exemption.
Co-ordination of requests
11. Government institutions must consult with:
11.1 External Affairs Canada before determining to exempt or disclose any
personal information that could reasonably be expected to be injurious to the
conduct of international affairs;
11.2 National Defence before determining to exempt or disclose any personal
information that could reasonably be expected to be injurious to the defence
of Canada or any state allied or associated with Canada;
11.3 the government institution having the primary interest (i.e. the
Department of the Solicitor General, the R.C.M.P., the Canadian Security
Intelligence Service, National Defence or External Affairs) before determining
to exempt or disclose any personal information that could reasonably be
expected to be injurious to the detection, prevention, or suppression of crime
or of activities suspected of constituting threats to the security of Canada
within the meaning of the CSIS Act;
11.4 the investigative body or other government institution with primary
interest in the law being enforced or investigation being undertaken before
determining to exempt or disclose personal information on the basis of injury
to the enforcement of a law of Canada or a province or the conduct of lawful
investigations, or, in the case of the security of penal institutions, with
the Correctional Service of Canada;
11.5 the investigative body that provided the information before
determining to exempt or disclose personal information regarding a security
clearance; and
11.6 the supplying institution before determining to exempt or disclose
personal information the disclosure of which could affect the safety of
individuals.
12. These consultations must be undertaken with or initiated through either
the Privacy Co-ordinator or the official in that institution with delegated
authority to exempt or disclose the information.
Exempt banks
13. Government institutions must consult with Treasury Board on any proposal
for the establishment or revocation of an exempt bank.
14. Government institutions must submit to the Designated Minister any
requests to designate exempt personal information banks. Requests for exempt
banks submitted to the Designated Minister must include:
14.1 a description of the information to be included in the exempt bank;
14.2 the specific exemption provision under which the information requires
protection, including, for exemption provision 22(1)(a)(ii), the law concerned
(e.g. the Income Tax Act) and, for any injury test exemption, a
statement of the expected detrimental effect;
14.3 an explanation, including cost implications, of why the information
should be placed in an exempt bank rather than being subject to review on a
case-by-case basis;
14.4 certification that all the files in the bank consist predominantly of
personal information of the type described in Sections 21 or 22 of the Privacy
Act and that procedures are in place to ensure that files are reviewed on
an ongoing basis;
14.5 a draft Order in Council; and
14.6 a draft Regulatory Impact Analysis Statement.
Employee Privacy Code
15. Government institutions must conform to the principles of the Employee
Privacy Code set out in Chapter 3-3.
Consultation with the Privacy Commissioner
16. Government institutions must notify the Privacy Commissioner of any
planned initiatives (legislation, regulations, policies, programs) that may
relate to the Privacy Act or any of its provisions, or that may have an
impact on the privacy of Canadians. This notification must take place at a
sufficiently early stage to permit the Commissioner to review and discuss the
issues involved.
Use of the Social Insurance Number
17. Government institutions must:
17.1 limit their uses of the Social Insurance Number (SIN) for
administrative purposes to those authorized by statute or regulation and for
administering pensions, income tax, health and social programs (as listed in
Chapter 3-4);
17.2 not withhold any right, benefit or privilege nor impose any penalty by
reason of an individual's refusal to disclose the SIN to a government
institution except for the purposes set out in Chapter 3-4 or as otherwise
authorized by Parliament;
17.3 when collecting the SIN, inform the individual of the purpose for
which the number is being collected; the authority under which the number is
required; and whether any right, benefit or privilege can be withheld or
penalty imposed if the number is not disclosed; and
17.4 when the SIN is included in any personal information bank, so indicate
in the description of the bank provided for Info Source and cite the
authority under which the number is collected and the purposes for which it is
used.
Data-matching
Data-matching is defined as the comparison of personal data obtained from
different sources, including personal information banks, for the purpose of
making decisions about the individuals to whom the data pertains. Data-matching
is therefore a specialized activity involving the collection, use and disclosure
of personal information. Included in the definition of data-matching is data
linkage, also known as data profiling.
18. Prior to initiating a matching program, government institutions must
assess the feasibility of the proposed match. They must analyse the potential
impact on the privacy of individuals and the costs and benefits of the
data-matching program.
19. Government institutions must notify the Privacy Commissioner of a new
matching program by providing him with a copy of their assessment of the program
at least 60 days before it is to begin.
20. A data-matching program must be approved only by the head of the
government institution or an official specifically delegated this authority by
the head.
21. Government institutions must account for all matching activities in Info
Source.
22. Government institutions must subject information generated by a matching
program to verification with original or additional authoritative sources before
that information is used for an administrative purpose.
The annual reports to Parliament required by the Privacy Act will be
used to monitor compliance with this policy. Compliance with the SIN and
data-matching provisions of this policy will be monitored through the advance
notification and public accounting requirements. The Office of the Privacy
Commissioner and internal audit groups within institutions will examine the
institution's success in meeting the requirements for privacy and data
protection.
This policy is issued under the authority of the Designated Minister
(President of the Treasury Board) provided in Section 71 of the Privacy Act.
Chapters of the Treasury Board Manual that relate to this policy
are:
- Management of Government Information Holdings
- Access to Information
- Security Policy of the Government of Canada
- Government Communications Policy
This policy replaces directives in:
- Circular 1983-35, Interim policy guide: Access to Information and Privacy
Acts, Parts III and IV;
- Circular 1985-89, Access to Information and Privacy Glossary;
- Circular 1986-4, Amendments to Privacy Regulations and to the Interim
Policy Guide: Access to Information and Privacy Acts;
- Circular 1987-11, New Requirements for Access Register Entries and
Increased Financial Responsibility;
- Circular 1989-12, Data-matching and Control of the Social Insurance
Number.
All enquiries about this policy should be directed to the Privacy
Co-ordinator of the institution concerned.
For policy interpretation, the Privacy Co-ordinator should contact the
Information, Communications and Security Policy Division, Administrative Policy
Branch, Treasury Board Secretariat.