Process and Compliance Manual

Prepared by
The ATIP Unit

April 2008

---

CHAPTER 6: PERSONAL INFORMATION – COLLECTION, RETENTION, ACCURACY, USE & DISCLOSURE

6.1 WHAT IS PERSONAL INFORMATION?

The OPC is subject to the Privacy Act (PA) and, so, all employees must adhere to the provisions of the PA that dictate the type of personal information that the OPC can collect, the circumstances under which the information can be used or disclosed by the OPC, and our retention/destruction of the information.

As the Privacy Commissioner is charged with investigating complaints against federal government institutions about the treatment of personal information under the PA and against other entities under the Personal Information Protection and Electronic Documents Act (PIPEDA), it is important that the OPC hold itself to the highest standard possible. It is crucial that all employees are aware of their obligations under the PA in order to prevent a violation of individual’s privacy rights.

The first step is in understanding that “personal information” is information about an identifiableindividual which is recorded in any form. Personal information can only be about individuals, not about corporations or associations.

The second is in understanding the definition of “personal information” which is found at section 3 of the PA (Appendix G of this manual). The definition is lengthy but it is not exhaustive, as indicated by the introductory phrase, “including, without restricting the generality of the foregoing”. Examples of personal information include:

• race, national/ethnic origin, colour, religion, age, marital status
• education, medical, employment or criminal history
• identifying number, symbol or other particular assigned to an individual (i.e. Social Insurance Numbers, bank account numbers etc.)
• address, fingerprints, blood type
• personal opinions or views (unless they are about someone else, are about a proposal for a grant, award or a prize being given/awarded to someone else)
• private or confidential correspondence and replies to that correspondence
• name of an individual when it reveals information about the individual

Information not specifically mentioned in the list is still personal information if it is about an identifiable individual. Examples include:

• information concerning sexual preference
• information concerning political affiliation
• information about an individual’s personal likes and dislikes (unless those likes and dislikes are about someone else, then a comment such as “I don’t like Sue because she is mean” is personal information about Sue, not of the person who made the remark)

Certain information is specifically excluded from the definition, in other words, there are types of information that are not considered personal information for the purposes of the PA:

• work-related information about current and former federal public servants, (i.e. title, business address and telephone number, classification, salary range, responsibilities etc.)
• details of contracts between individuals and the government
• details of discretionary financial benefits provided by the federal government
• information about individuals who have been dead more than 20 years

6.2 COLLECTION OF PERSONAL INFORMATION

Section 4 of the PA says that federal government institutions can only collect personal information if it relates directly to an operating program or activity of the institution. The obvious objective of the provision is to limit the amount of personal information collected by institutions to only that which is absolutely needed. Some examples specific to the OPC would include:

• names and addresses of individuals who wish to obtain certain publications from Communications or other branches and who have supplied their information for that purpose
• names, addresses and/or telephone numbers of individuals who provide that information to Inquiries Unit personnel so that they may obtain information or advice on a given subject
• information which individuals provide in support of their complaints under the PA and PIPEDA or information which OPC Investigators collect during the course of their investigations(information obtained in these cases is often very extensive and may include medical, criminal, financial information etc.)
• information contained within curriculum vitae sent to the OPC from individuals seeking employment
• financial and other personal information from employees submitting travel claims, damage claims, or other compensation (personal credit card numbers, home addresses etc.)
• health information from employees who have been injured on the job or who require accommodation of some sort

The amount of information collected must be strictly limited to the amount of information needed to carry out the duties associated with the operating program or activity. An excessive collection of personal information is a clear violation of section 4 of the PA.

So, if you only need a person’s name and address in order to do the task at hand, then that is the only information you can collect.

Section 4 is complemented by subsections 5(1) to (3) of the PA which say that:

• wherever possible personal information should be collected directly from the individual about whom the information pertains, unless:
  • the individual authorizes otherwise, or;
  • where personal information may be obtained under one of the provisions outlined in section 8(2) of the Act.
• Individuals must be told what their personal information will be used for
• personal information does not have to be collected directly from an individual nor does an individual have to be informed of the collection if:
  • to do so would result in the collection of inaccurate information (a person may lie or provide false information whereas information obtained from another source would be accurate), or;
  • to do so would defeat the purpose for the collection, or would prejudice the use of the information.

6.3 RETENTION OF PERSONAL INFORMATION

NOTE: “administrative purpose” is defined by the PA as “the use of that information in a decision making process that directly affects that individual.”

Once personal information has been collected and used for an administrative purpose, section 6(1) of the PA and section 4 of the Privacy Regulations require that it be retained:

• for at least 2 years after the last time it was used for an administrative purpose unless the individual to whom it relates consents to its earlier destruction, (this ensures that the individual has a reasonable opportunity to obtain access to the information);
• where a request for access to the information has been received, until the individual has had the opportunity to exercise all of his/her PA rights.

So, once personal information has been collected by the OPC under section 4 of the PA, it must be retained for at least 2 years after the last administrative action with respect to that information. Retention periods for specific types of personal information are fully described in Info Source. For more information as to how long specific information must be retained by the OPC, employees should contact Records Management.

6.4 ACCURACY OF PERSONAL INFORMATION

Under section 6(2) of the PA, the OPC must “take all reasonable steps to ensure that personal information used by the OPC for an administrative purpose” OPC is “as accurate, up-to-date and complete as possible”. For example, this would include ensuring that employee personnel files are kept up-to-date and that personal information that should be on an employee’s file, is on file.

As discussed in Chapter 4, once a person has obtained access to his/her personal information under a formal PA request, that individual has the right to ask that errors to the information be corrected by submitting a formal Correction Request to ATIP. The OPC is not required to make a correction to opinion based information because there may be a legitimate difference of opinion about certain events or situations but factual information will usually be corrected (ie. PRI or SIN number, factual financial information, education information etc).

6.5 USE OF PERSONAL INFORMATION

As a general rule, section 7 of the PA prohibits the use of personal information that the OPC has collected unless the individual about whom the information pertains consents to its use (‘use’ of personal information means the use of the information within the OPC). There are exceptions to use with consent which are outlined in sections 7 and 8 of the PA:

• for a purpose consistent with the reason for which the information was originally collected or created, or;
• for a purpose for which the information has been obtained from another federal institution under subsection 8(2) of the Act.

Original Use – is the specific reason for which the personal information was collected or created in the first place.

Example: the OPC collects certain employment history information about employees in order to administer benefit programs and that information can subsequently be used to determine the employee’s eligibility for a certain program.

Consistent Use – is a use of personal information that has a reasonable and direct connection to the specific reason for which it was collected or created in the first place. This means that the original use and the proposed use are so closely related that an individual would expect that the information would also be used for the second purpose (consistent purpose), even if the use is not spelled out.

Example: information in an employee’s annual Performance Evaluation Report is originally collected to evaluate performance—it is not collected specifically for later use in staffing actions in which the employee may be involved. Still, the use of the information in a staffing context is wholly compatible with the reason for the original collection of the information. A logical link is made between the two uses, because the information collected in an appraisal reflects the strengths and weaknesses of the employee which may indicate whether that person is good fit for the position to which he/she has applied.

Accounting for Uses / Consistent Uses

All uses and consistent uses of personal information must be submitted to the Treasury Board Secretariat for inclusion in Info Source. Should the OPC propose a new use of personal information, ATIP must be advised as soon as possible in order to ensure that:

• the new use or consistent use complies with all the applicable legislative, regulatory and policy requirements, and that;
• a description of the new use or consistent use is included in the next edition of Info Source.

ATIP must have enough information from the Branch in order to be able to include at least the following information in its submission to the Treasury Board Secretariat for inclusion into Info Source:

• the identity of the Branch requesting approval for the new use;
• details about the individual or group of individuals to whom the personal information relates;
• a description of the specific type of personal information at issue, and the title and identification number of the Personal Information Bank to which the information is associated;
• the original purpose for which the information was collected;
• a description of the proposed new use or consistent use of the information;
• whether consent from the individual(s) is required and why/why not (consent is not required for consistent uses and the uses covered by subsection 5(3) of the PA);
• the legislative base, if any, of the new use or consistent use;
• an acknowledgement that the new use or consistent use will be added to the appropriate Personal Information Bank in Info Source and—until the next edition appears—an undertaking that a record of the new use will be attached to each individual’s personal information that was used for the new purpose.

6.6 DISCLOSURE OF PERSONAL INFORMATION

Section 8 of the PA prohibits the disclosure of personal information unless the individual about whom the information pertains consents to its disclosure (‘disclosure’ means the disclosure of information outside the OPC). Exceptions to disclosure with consent are outlined in section 8(2) of the PA:

• for the purpose for which the information was collected or created by the OPC or for a use consistent with that purpose;
• to comply with an Act of Parliament or regulation which authorizes the disclosure;
• to comply with a subpoena, a warrant, a court order or in order to comply with the rules of court;
• to the Attorney General of Canada for use in legal proceedings involving the Crown or the Government of Canada;
• to an investigative body specified in the Regulations (ie. the RCMP) upon written request of that body, for law enforcement purposes;
• where there is an agreement or arrangement between the Government of Canada and certain entities for law enforcement purposes (ie. to the CIA, Interpol etc.);
• to a Member of Parliament (federal MPs or Senators only) who is assisting the individual to resolve a problem;
• to OPC employees in order to conduct internal audits or to the office of the Comptroller General for audit purposes;
• to the Library and Archives of Canada for archival purposes;
• to persons or bodies for research purposes if:
  • the OPC is satisfied that the research cannot be done unless the information is provided in a form which would identify the individual(s) about whom the information pertains, and if;
  • the OPC obtains a written undertaking from the person or body that no subsequent disclosure of the personal information will be made so as to identify the individual(s) about whom the information pertains.
• to aboriginal governments, persons etc. to research or validate claims, disputes or grievances of Canadian aboriginal peoples;
• to a federal government institution in order to locate an individual to collect a debt owed to the federal government;
• where the Privacy Commissioner concludes that disclosure is in the public interest:
  • the public interest in disclosure clearly outweighs any invasion of the privacy of the individual, or;
  • disclosure would clearly benefit the individual to whom the information relates.

NOTE: Even though the PA allows the OPC to disclose personal information for the above-noted reasons, the OPC is not compelled to do so and can nevertheless refuse access to the information.

6.7 DISPOSITION OF PERSONAL INFORMATION

Section 6(1) of the PA stipulates that personal information that has been used for an administrative purpose must be retained long enough after it is used to ensure that the individual about whom it pertains has a reasonable opportunity to obtain access to it. Section 4 of the Regulations says that personal information that has been used for an administrative purpose must be retained for at least two years after the last administrative action (unless the person consents to its destruction).

Section 6(3) of the PA requires government institutions to dispose of personal information in accordance with the Regulations and with any directives or guidelines issued by the Treasury Board. However, personal information may be designated by the National Archivist as having archival or historical value and, if so, that information must be transferred to the control of Library and Archives of Canada. Any information not so designated must be destroyed in accordance with the Government of Canada Security Policy.

Each type of information collected by a government institution must have a retention period attached to it. There are well established retention periods for certain types of personal information that all federal government institutions hold, including the OPC. However, as the OPC is newly subject to the National Archives Act, retention periods have not yet been established with respect to all of the different types of personal information held by the OPC. Once those retention periods have been established, ATIP will inform the Treasury Board Secretariat so that the information can be included in the next publication of Info Source.

6.8 PRIVACY VIOLATIONS / BREACHES

Any collection, retention, use, disclosure or disposal of personal information that is not authorized by the PA is a “privacy breach” and is a violation of the PA. The most common privacy breaches happen when personal information is stolen, lost or improperly destroyed. Breaches may be the result of inadvertent errors or malicious actions by employees, third parties or intruders, for example:

• the loss or disappearance of equipment or devices which contain personal information (ie. loss of computers, lap tops etc.);
  • intending to work at home after hours, an employee has taken home a laptop computer which contains personal information—the employee failed to remove the laptop from his vehicle which was subsequently stolen during the night;
  • intending to work at home after hours, an employee removed a file from the office that contained personal information, and then inadvertently left his briefcase on the bus.
• the inappropriate use of electronic devices—including telecommunication devices—to transmit personal information;
  • personal information contained in the body of an e-mail message or in an attachment is sent to the wrong e-mail address;
  • personal information is sent by facsimile to the wrong number;
  • using a blackberry, personal information is discussed in e-mails leaving the information vulnerable and allowing it to be accessed by others.
• intrusions that result in unauthorized access to personal information held in building, file storage containers, computer systems, or other equipment or devices;
  • despite having appropriate security systems in place, an office is broken into during the night and thieves have taken several computers, laptops and blackberries, all of which contain personal information;
  • an employee’s personnel file has been left open on her supervisor’s desk which has allowed someone else to read information from that file.
• low level of privacy awareness among staff, contractors or other third parties who handle personal information;
  • an employee is unaware of the confidentiality provisions of the PA and speaks candidly about a particular investigation file with a neighbour;
  • a contractor assisting OPC personnel in various staffing processes discloses details about applicants and their competition scores;
  • documents containing personal information are put in recycle bins rather than being shredded.
• the sale or disposal of equipment or devices without adequate security measures;
  • a hard drive containing personal information is not wiped clean before leaving the OPC for sale;
  • the foil from a facsimile machine is not removed or properly cleaned before leaving the OPC.
• the use of deceptive tactics to trick people into disclosing personal information:
  • on the telephone, an individual pretending to be an employee of the institution asks for personal information about someone on the pretext that it is needed for an administrative purpose involving that person;

Reporting Privacy Violations

Regardless of the reason for the breach, any loss of personal information or loss of control of personal information is a serious matter.

The OPC is in the process of preparing a formal privacy breach policy which, when complete, will be available to all employees on the Intranet. A copy will also be appended to this manual. In the interim, any employee who becomes aware of such a breach must report it immediately to the head of his/her Branch and/or to the Director of ATIP who will provide further guidance.

Employees will be asked to document in detail the circumstances that gave rise to the breach, describe the nature of the information at issue and provide details as to whom the information was disclosed. In order to prevent an exacerbation of the incident, employees are reminded not to discuss the incident with those who have no need to know.

6.9 ACCOUNTING FOR PERSONAL INFORMATION HOLDINGS

Sections 9, 10 and 11 of the PA require that all of the OPC’s personal information holdings be described in Info Source so that individuals know what personal information the OPC holds about them so they can exercise their right of access to it. This also allows the public to know why the OPC collects their personal information and exactly what it does with it.

The OPC accounts for its personal information holdings through Personal Information Banks (PIBs) which are described in Info Source. Each PIB is assigned a different identifying number that denotes its classification as a public bank or a federal employee bank.

Procedure for Updating Info Source

Throughout the year, OPC employees should keep in mind that Info Source must be updated every year. All new or substantially modified collections, surveys, opinion polls, data matches, research and statistical studies, evaluations, uses, consistent uses, disclosures, routine uses, classes of individuals and retention and disposal standards must be provided to the Treasury Board Secretariat for that purpose.

The deadline for submitting changes to Info Source is set by the Treasury Board Secretariat when it issues its call letter to all ATIP units. In turn, OPC ATIP will require that each OPC branch review its information holdings and provide updated information to ATIP.

6.10 PRIVACY IMPACT ASSESSMENT (PIA)

A PIA is a process that helps government departments and agencies determine whether new technologies, information systems, initiatives and proposed programs or policies meet basic privacy requirements. It also assists government organizations in anticipating the public’s reaction to the privacy implications of a given proposal which could prevent costly program, service, or process redesign.

Government institutions must demonstrate that their collection, use and disclosure of personal information respects the PA and privacy principles throughout the initiation, analysis, design, development, implementation and post-implementation phases of their program and service delivery activities. They do so by way of a PIA. Institutions are also responsible to openly communicate why their personal information is being collected and how it will be used and disclosed.

The Treasury Board Secretariat issued a Privacy Impact Assessment Policy in May of 2002 as the institution responsible for providing advice to government institutions with respect to PIAs and for monitoring compliance. It is available online.

A PIA must be conducted for each new program and/or service that raises privacy issues. If a program or service was implemented prior to May 2002, a PIA must be done if that program or service is being substantially re-designed or if the delivery channel will affect the collection, use or disclosure of personal information.

The Privacy Commissioner is responsible for promoting awareness of the requirements of the PIA policy within the OPC, for determining whether OPC initiatives have a potential impact on the privacy of Canadians and therefore warrant a PIA, and for integrating and balancing privacy with other legislative and policy requirements.

OPC Managersare responsible for developing and maintaining PIAs within their area of responsibility. This is a shared management responsibility that requires the cooperation and support of various officials throughout the OPC in order to ensure that privacy implications are identified, assessed, avoided or resolved. Collaboration with communications staff is also required to facilitate the timely dissemination of information to the public.