1.1 This standard takes effect on January 31, 2013.
1.2 Government institutions using Web analytics externally on servers hosted by third parties must comply with the requirements of Appendix A of this standard as of January 31, 2013, with the exception of those requirements in section 3 of Appendix A, which must be complied with no later than June 30, 2014.
2.1 This standard applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.
2.2 This standard does not apply to the Bank of Canada.
2.3 This standard applies to the collection, use, disclosure, retention and disposal of personal information for the purpose of carrying out Web analytics on external public-facing Government of Canada websites in a manner consistent with the provisions in Appendix A of this standard.
2.4 This standard applies regardless of which tracking technologies or services are being used for purposes of Web analytics.
3.1 Web analytics can be described as the collection, analysis, measurement and reporting of data about Web traffic and user visits for purposes of understanding and optimizing Web usage.
3.2 Many government institutions are using Web analytics to obtain information about visitors to their websites for two main purposes: (i) to better meet the needs of website visitors; and (ii) to assist in delivering effective online services.
3.3 Web analytics tools operate through the collection of information to record a visitor's online interactions with one or more Web pages. That information includes, as an example, the Internet Protocol address assigned by an Internet service provider to the visitor's computer.
3.4 The Privacy Act defines the term "personal information" as meaning "information about an identifiable individual recorded in any form." If information collected for Web analytics can be used to distinguish or trace an individual's identity, either alone or when combined with other identifying information that is linked or linkable to a specific individual, then that information will be personal information that must be safeguarded in accordance with the requirements of the Privacy Act.
3.5 The Internet Protocol address may, in some circumstances, be linked with an identifiable individual whose computer is using that address at any given time. For this reason, the Government of Canada considers the Internet Protocol address to be personal information that must, in all cases, be dealt with in accordance with the requirements of the Privacy Act.
3.6 Specific requirements for safeguarding the Internet Protocol address, and any other personal information collected by government institutions in relation to Web analytics, are set out in Appendix A of this standard.
3.7 If government institutions wish to use Web analytics tools on institutional servers or on servers hosted by third parties, they must do so in accordance with the requirements of this standard and any other applicable policy instruments and legislation.
3.8 Government institutions must include a Privacy Notice on their websites that meets the requirements described in Appendix B of this standard. Such Privacy Notices must also meet the requirements in sections 6.2.9 and 6.2.10 of the Directive on Privacy Practices and also the relevant Terms and Conditions for Privacy Notices in Appendix C of the Standard on Web Usability, applicable to departments listed in Schedules I, I.1 and II of the Financial Administration Act.
3.9 This standard is issued by the President of the Treasury Board pursuant to paragraph 71(1)(d) of the Privacy Act and section 3.8 of the Policy on Privacy Protection.
3.10 This standard is to be read in conjunction with the Privacy Act, the Privacy Regulations, the Policy on Privacy Protection, the Directive on Privacy Practices, the Directive on Privacy Impact Assessment, the Library and Archives of Canada Act and the Standard on Web Usability.
4.1 Definitions to be used in the interpretation of this standard are attached in Appendix C. Additional definitions are provided in Appendix A of the Policy on Privacy Protection and of the Directive on Privacy Practices.
5.1.1 To facilitate the use of Web analytics in accordance with sound privacy practices that safeguard the privacy of visitors to Government of Canada websites.
5.2.1 Government institutions respect privacy principles when using Web analytics.
6.1.1 Ensuring, as required by section 6.1.10 of the Directive on Privacy Practices, that the use of Web analytics for measuring and improving performance of institutional websites is done in accordance with the requirements to protect privacy as set out in Appendix A of this standard, and ensuring that appropriate remedial action is taken to address any deficiencies within their institutions.
6.2.1 Informing, as required by section 6.2.2 of the Directive on Privacy Practices, the individuals who are responsible for managing the institution's websites, as well as those functional specialists and content owners, of the need to ensure that the requirements of this standard are being met.
6.3.1 Ensuring that Web analytics operate in accordance with the requirements of the standard.
6.4.1 Developing, in consultation with other departments, guidelines, tools, interpretive advice and guidance on this standard.
6.4.2 Communicating and engaging the government-wide access to information and privacy community as well as the Web community on the challenges associated with implementing this standard and its supporting instruments.
6.4.3 Approving depersonalization technologies, other than that of truncating the last octet of the Internet Protocol address, that a third-party service provider may wish to use for purposes of Web analytics on servers hosted externally by the third party.
6.5.1 The monitoring and reporting requirements of the Policy on Privacy Protection apply to this standard.
7.1 The consequences identified in the Policy on Privacy Protection apply to this standard.
8.1 The roles and responsibilities of other government organizations are described in section 8 of the Policy on Privacy Protection.
8.2 The roles and responsibilities of Library and Archives Canada are described in section 9.2 of the Directive on Information Management Roles and Responsibilities.
10.1 Please direct enquiries about this standard to your institution's access to information and privacy (ATIP) coordinator. Should your institution require additional assistance in the interpretation of this standard, the ATIP coordinator is to contact TBS Public Enquiries.
If your institution is or will be collecting the Internet Protocol (IP) address, or any other information considered to be personal information under the Privacy Act, for the purpose of carrying out Web analytics, your institution must meet the following requirements:
1.1 Personal information must be used only for: i) the purpose of Web analytics; ii) a use consistent with that purpose such as for statistical purposes; or iii) a purpose for which the information may be disclosed by the institution under subsection 8(2) of the Privacy Act.
1.2 Personal information collected for the purpose of Web analytics may not be used for an administrative purpose, as defined in the Privacy Act, except where required to do so by law.
1.3 Institutions are prohibited from using information collected in relation to Web analytics for profiling of identifiable individuals.
1.4 The IP address, and any other personal information including, but not limited to, information in digital markers used in relation to Web analytics must be safeguarded by institutions in accordance with principles as set out in the Directive on Recordkeeping and may be retained for a maximum period of only 18 months, after which time the information must be disposed of in accordance with section 6.2.23 of the Directive on Privacy Practices and as authorized by the Librarian and Archivist of Canada.
2.1 Institutions disclosing or transmitting information considered to be personal information, or causing such information to be disclosed, including the full IP address, to a third-party service provider (third party) that is not an organization of the Government of Canada, must do so only after the anonymization feature of the third-party tool has been activated whereby the third party depersonalizes the IP address.
If your institution is disclosing or transmitting personal information, or causing personal information to be disclosed, including the IP address, to a third party that is not an organization of the Government of Canada, then the following requirements must be met regardless of which technology or application might be used to disclose or transmit the information:
3.1 Your institution must ensure that a contract is in place with the third party that conveys the appropriate privacy protection as required pursuant to section 6.2.20 of the Directive on Privacy Practices and sections 6.2.10 and 6.2.11 of the Policy on Privacy Protection.
3.2 That contract must, at a minimum, contain provisions meeting the requirements as set out below.
The Privacy Notice must be clear and must provide enough detail to allow website visitors to understand the following: what personal information will be collected for Web analytics; how that information will be used by the government institution; how that information will be shared/transmitted should the institution be using a third-party service provider that is not an organization of the Government of Canada; and how long the information is being retained and the method of disposal as authorized by the Librarian and Archivist of Canada. Reference must also be made to the measures being taken to protect the privacy of individuals.
Specific requirements are set out below.
Mechanisms used to remember a visitor's online interactions with a website(s). These mechanisms may be used to record a visitor's online interactions within a single session or visit, or to record a visitor's online interactions through multiple sessions or visits.
A cookie is a data file sent by a Web server to the Web browser on a visitor's computer that the Web server uses to track or record visitor information. First-party cookies are those cookies set by the website the visitor is visiting.
A numerical label that is assigned by the Internet service provider to each computer and that is how the computer user communicates on the Internet. An Internet Protocol (IP) address may be associated with an identifiable individual whose computer is using that address at any given time and thus may, from time to time, constitute personal information within the meaning of section 3 of the Privacy Act. Versions of IP may change from time to time.
An organization that provides access to the Internet.
Third-party cookies are those set by a different domain than the website that the visitor is currently visiting.
The collection, analysis, measurement and reporting of data about Web traffic and user visits for purposes of understanding and optimizing Web usage.