Access to Information and Privacy
October 21, 2008
In carrying out its mandate under both the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), the Office of the Privacy Commissioner (hereinafter referred to as the OPC) collects personal information about individuals as defined by section 3 of the Privacy Act. As guardian of the privacy rights of individuals in Canada under the Privacy Act and PIPEDA, the OPC is committed to respecting the privacy rights of all individuals whose personal information has been collected by the OPC.
All communications regarding this Policy will respect the applicable official language provisions of the Official Languages Act and supporting policies and guidelines.
This Policy applies to the activities of the OPC in managing personal information that it collects during the course of mandated activities under the Privacy Act and PIPEDA and during the course of its regular administrative activities. The Policy is intended to be consistent with the legislative requirements of the Privacy Act and the Library and Archives of Canada Act to which the OPC has been subject since April 1, 2007.
The OPC is committed to adhering not only to the Privacy Act to which it is subject, but also to the obligations set out in Schedule I of PIPEDA wherever possible and to the extent relevant.
The OPC is committed to protecting the privacy, confidentiality and security of the personal information that it holds by adhering to the requirements of the Privacy Act with respect to the management of personal information. The OPC is equally committed to ensuring that all employees and agents of the OPC uphold these obligations.
Violation of this Policy through intent or neglect may result in disciplinary action up to and including termination of employment or association with the OPC. Where appropriate, legal sanctions may also be pursued.
The OPC is responsible for the personal information that it collects as a result of its mandate under the Privacy Act and PIPEDA and which it subsequently retains, uses, discloses, and destroys. The OPC has and will continue to develop and implement policies and practices to ensure that personal information is handled in strict accordance with the Privacy Act. The OPC’s Chief Privacy Officer is designated as responsible for overseeing the implementation of those policies and practices to ensure compliance, including:
- ensuring open, full and timely communication to employees and individuals about the OPC’s policies, practices and expectations with respect to the handling of personal information;
- the establishment of standards for classifying the sensitivity of personal information, to determine the appropriate level of security required for the information;
- ensuring that personal information is safeguarded from improper access, loss, use, disclosure or destruction through:
  - the implementation of systems to ensure that only OPC employees (including temporary staff) whose OPC responsibilities require access to personal information are granted access to that information;
  - the inclusion of specific confidentiality provisions in contracts or other arrangements with third parties, which require adherence to the Privacy Act as well as to this Policy and internal procedures;
- ensuring procedures are in place under which individuals may request access to their personal information, request correction of their personal information, and file complaints concerning the management of their personal information;
- ensuring procedures are in place under which individuals are notified of an improper collection, retention, use, disclosure or destruction of their personal information; and
- monitoring the degree of compliance with this Policy annually and, where required, initiating action to correct any deficiencies.
Collection of Personal Information
The OPC collects personal information from individuals for various purposes, primarily relating to the investigation of complaints made under the Privacy Act and PIPEDA or relating to inquiries concerning those Acts. The OPC may also collect personal information for administrative reasons (e.g. to provide individuals with publications or other requested information, or concerning attendees at conferences or other functions).
The OPC commits to collecting only personal information which is directly related to an operating program or activity of the OPC. Wherever possible, such information will be collected directly from the individual about whom it pertains. The amount and the type of the information collected will be limited to that necessary to fulfil identified purpose(s).
When conducting investigations, a great deal of personal information is collected directly from the individual about whom it pertains; however, the OPC also collects personal information from other sources, including witnesses, employers, government or corporate files and records, and other third parties. Personal information collected for administrative reasons is often collected directly from the individual about whom the information pertains but may also be collected through a third party (e.g. an administrative assistant may provide information concerning his/her supervisor’s attendance at a conference).
OPC staff collecting personal information on behalf of the OPC will be required to be able to explain to individuals the purpose(s) for which the information is being collected or—if unable to do so—will be required to refer the individual to a designated person within the OPC who is able to explain the purpose(s).
Full descriptions of the types of personal information collected by the OPC, along with the purposes for which the OPC collects each type of information, are described in the Treasury Board Secretariat’s (TBS) publication entitled Info Source—Sources of Federal Government Information (available at the OPC and at www.infosource.gc.ca).
Wherever possible, the OPC is committed to seeking the consent of individuals prior to the collection of their personal information. The form of consent may vary depending on the circumstances and the type of information being sought. Consent can be express or implied and can be provided directly by the individual or by an authorized representative. Express consent of individuals is preferable and will be sought whenever possible. Express consent can be given orally, electronically or in writing. Implied consent may be reasonably inferred from an individual’s action or inaction (e.g. providing a name and address in order to receive a publication, or providing a name and telephone number in order to obtain a response to a question). When determining the appropriate form of consent, the OPC will take into account the sensitivity of the personal information at issue, the purposes for which it is collected, and the reasonable expectations of the individual.
In the context of investigations conducted under the Privacy Act or PIPEDA, obtaining consent from an individual for the collection, use, or disclosure of personal information may not be possible, appropriate or required. Further, both the Privacy Act and PIPEDA provide for the disclosure of personal information during the course of an investigation if to do so is necessary to carry out an investigation under those Acts and/or to establish the grounds for findings and recommendations contained in the Privacy Commissioner’s report.
Accuracy / Correction of Personal Information
The OPC will not require that individuals utilize the Privacy Act in order to correct their personal information if there is no need to do so (e.g. to update the individual’s address on a mailing list). There will be instances, however, where individuals will be required to do so (e.g. the individual requests corrections to his/her personal information in an investigation file).
OPC staff will be required to direct individuals who wish to formally correct their personal information to the OPC’s Access to Information and Privacy (ATIP) Unit. When in doubt as to whether a formal request for correction is required, OPC employees must consult with the ATIP Unit or refer the individual to the ATIP Unit. Information concerning the OPC and the Privacy Act is found on the OPC website at www.priv.gc.ca.
Upon receipt of a formal request for the correction of personal information, the OPC’s ATIP Unit will respond in accordance with the Privacy Act. A copy of ATIP’s Process and Compliance Manual can also be found on the OPC website at www.priv.gc.ca.
The OPC will make every reasonable effort to ensure that personal information used in a decision-making process which directly affects the individual to whom the information relates is as accurate, up-to-date and complete as possible. The OPC will also make every reasonable effort to ensure that personal information disclosed to third parties is as accurate, up-to-date and complete as possible.
The OPC will update personal information as necessary in order to fulfil the identified purposes either directly by contacting the individual to whom the information relates, or indirectly from other sources if the OPC has the authority to collect such information from a third party.
In most cases, the OPC will rely on the individual to ensure that factual personal information is accurate, up-to-date and complete. If an individual is able to demonstrate that his/her personal information is inaccurate or incomplete, the OPC will amend the information as required. If appropriate, the OPC will send the amended information to third parties to whom the information has been disclosed.
Correction of opinion will normally be made if the individual was the source of the opinion and the opinion does not concern any other individual. Corrections will not normally be made to opinions given by other individuals about the individual unless there are reasons to suspect the reliability of the source of the opinion, or if the source of the opinion agrees that the opinion was based on incorrect information.
When a challenge regarding the accuracy of personal information is not resolved to an individual’s satisfaction, the OPC will annotate the personal information at issue with a note advising that a correction was requested but that it was not made. An individual has the right to have a document outlining his/her version on the matter included on the appropriate file. Where appropriate the OPC will provide a copy of that document to any person or body who was provided with the information at issue in order that the other person or body is aware of the individual’s version of the matter.
Retention / Destruction of Personal Information
The OPC is responsible for ensuring that all personal information is managed within an established life cycle. In accordance with the Privacy Act, the Privacy Regulations and the Library and Archives of Canada Act, personal information used by the OPC to make a decision about an individual shall be retained for at least two years after the decision was made. This allows the individual to exercise legal recourse and ensures that the individual has the opportunity to exercise all of the rights afforded him/her under the Privacy Act.
The OPC will retain personal information in accordance with the maximum retention periods set out under the Library and Archives of Canada Act. Retention periods for specific types of personal information are set out in the TBS publication entitled Info Source—Sources of Federal Government Information (available at the OPC and at http://www.infosource.gc.ca).
The OPC will ensure that proper care is taken in the retention and disposal/destruction of personal information in order to prevent its premature disposal and to ensure its timely disposal. The retention, disposition and destruction of personal information will be made in strict accordance with the Operational Security Standards on Physical Security of the Government Security Policy.
The OPC will develop guidelines and implement procedures with respect to the retention and destruction of personal information.
Use / Disclosure of Personal Information
The OPC will not use personal information without the consent of the individual about whom the information pertains, unless to do so is for the purpose for which the information was originally collected or compiled, is consistent with that purpose, or is for a purpose for which the information may be disclosed to the OPC under section 8(2) of the Privacy Act. The OPC is committed to seeking the consent of individuals whenever possible. The OPC—when using personal information for a new purpose—will document the new purpose.
The OPC will not disclose personal information outside of the OPC without the consent of the individual about whom the information pertains, or unless to do so is permitted by section 8(2) of the Privacy Act. In the case of a permitted disclosure, the OPC will endeavour to disclose only the specific information that is required under the circumstances and, wherever possible, will inform the individual about the disclosure.
Access to personal information within the OPC will be restricted to those within the OPC who need the information in order to carry out their specific job duties (e.g. conduct investigations, answer inquiries, send publications). Those employees will maintain the information in the strictest of confidence and will not provide access to the information to any unauthorized persons. The level of access to personal information will be determined by the OPC on a need-to-know basis which will be included in relevant OPC policies and guidelines.
OPC staff will be cautioned to avoid engaging in discussions involving personal information in any area of OPC premises, or in any public or private area outside of the OPC (e.g. hallways, elevators, restaurants, washrooms, homes) where remarks could be overheard and which could result in the disclosure of personal information. Doing so without a legitimate reason directly related to a current job responsibility will be considered a violation of this Policy and could constitute a violation of the Privacy Act.
All individuals hired under contract or other means, by the OPC, to conduct business for or on behalf of the OPC, will be required to adhere to the provisions of the Privacy Act with respect to the proper handling and protection of personal information as well as to this Policy and internal procedures. Violations of any part of the contractual agreement may result in termination of the contract.
Safeguarding Personal Information
The OPC will protect personal information from loss or theft, unauthorized access, use or disclosure, modification or destruction through appropriate administrative, technical and physical security measures and safeguards, regardless of the format in which the information is held.
The level of safeguards used to protect personal information will vary depending on the sensitivity of the personal information; the amount, distribution and format of the information; and the method of storage. The OPC will follow the requirements of the Government Security Policy and any other security direction and/or guidance provided by the Treasury Board Secretariat, the Royal Canadian Mounted Police and the Communications Security Establishment Canada on physical and information technology security. At a minimum, methods of protection will include:
- controlled entry to OPC premises, staff training on privacy and the protection of personal information, and limiting access to information on a “need-to-know” basis;
- screening and security checks of employees and prospective employees commensurate with the sensitivity of the information those employees will be handling, before they handle such information;
- technical measures such as passwords, audit trails, encryption, firewalls and other technical security safeguards;
- physical measures such as locked filing cabinets, restricted access to offices and other areas where personal information is stored.
The OPC will ensure that contractual or other means are used to provide a comparable level of protection while personal information is being processed by a third party.
Access to Personal Information
The OPC will not require that individuals utilize the Privacy Act to obtain access to their personal information if there is no need to do so. Individuals nevertheless have the right to formally request access to their personal information under the Privacy Act. Under the Access to Information Act, individuals also have the right to formally request access to information in OPC files which may contain their personal information.
OPC staff will be required to direct individuals who wish formal access to their personal information to the OPC’s Access to Information and Privacy (ATIP) Unit. When in doubt as to whether a formal request is required, OPC employees must consult with the ATIP Unit or refer the individual to the ATIP Unit. Information concerning the OPC, the Privacy Act and the Access to Information Act is found on the OPC website at www.priv.gc.ca.
Upon receipt of a formal request under the Privacy Act or the Access to Information Act, the OPC’s ATIP Unit will respond in accordance with the legislation under which the request was made. A copy of ATIP’s Process and Compliance Manual can also be found on the OPC website at www.priv.gc.ca.
In cases of access that can be given outside of the Privacy Act and the Access to Information Act, the OPC will afford individuals a reasonable opportunity to review their personal information, will do so within a reasonable time frame and, if copies are requested, will provide them whenever possible. Explanations for abbreviations and codes will be provided.
Personal information may be unavailable because it has been destroyed, erased or made anonymous in accordance with information retention obligations. To the extent possible, the OPC will inform the individual of the reasons why the personal information no longer exists.
Complaints / Concerns
As it is inappropriate that the OPC investigate its own actions with respect to its administration of the Privacy Act, complaints lodged against the OPC under the Act are investigated by the Privacy Commissioner, ad hoc—an individual mandated to independently investigate such complaints against the OPC. Given that a formal complaint mechanism is in place with respect to the Act, this section of the Policy speaks only to questions or concerns which may be raised about the OPC’s management of personal information.
Such questions or concerns may be brought to the attention of any OPC employee who is in a position to address the matter. If unable to do so, or where particular circumstances exist, the employee must refer the matter to his/her immediate supervisor or member of management staff. Where an individual is not satisfied with the results of the actions which may have been taken by the OPC to rectify the matter, or with the explanations given, the individual will be informed of his/her right to file a Privacy Act complaint to the Privacy Commissioner, ad hoc, and will be provided direction as to how to do so.
Roles and Responsibilities
Employees – it is incumbent upon all employees of the OPC to inform themselves of their obligations under this Policy and the Privacy Act. Employees must report any and all contraventions of the Policy or the Act to their manager or to ATIP.
Managers and Supervisors – along with the responsibilities noted above, managers and supervisors are required to issue instructions to their staff (as necessary) in order to ensure the adherence to this Policy and the Act. They are also required to examine and/or make inquiries into any issues brought to their attention concerning this Policy and the Act. Where and as appropriate, managers and supervisors must notify, work in concert with, or refer certain matters to the Director of HR and the Departmental Security Officer.
OPC Chief Privacy Officer – the OPC Chief Privacy Officer (CPO) will provide advice and guidance to Senior Management, managers, supervisors and employees of the OPC with respect to the treatment of personal information within the OPC. The CPO will also act as the primary point of contact for individuals seeking information about the OPC’s handling of their personal information or who have concerns about the OPC’s handling of their personal information. For the purposes of this Policy, the CPO is the Director, ATIP and reports to the Privacy Commissioner of Canada.
Director ATIP – in the context of this Policy—and along with the responsibilities noted in all of the above—the Director is responsible for the proper application of the Privacy Act and policies with respect to individuals’ personal information and with respect to their requests for access to their personal information under the Act.
Monitoring & Evaluation
Measuring compliance with this policy will form part of the OPC internal audit program, which will conduct periodic audits within all programs and services of the OPC. The results of internal audits will be reported to the Privacy Commissioner.
Related Government of Canada References
This Policy is designed to comply with the Privacy Act and the principles of natural justice, and to express the OPC’s commitment to comply with the Privacy Act.
Related OPC References
The following laws, policies and guidelines should be read in conjunction with this Policy:
- Privacy Act and Privacy Regulations
- Access to Information Act and Regulations
- Library and Archives of Canada Act
- Public Service Employment Act
- Public Service Labour Relations Act
- Treasury Board of Canada Policy on Privacy Protection
- Treasury Board of Canada Guidelines on Privacy and Data Protection
- Treasury Board of Canada Policy on the Use of Electronic Networks
- Government of Canada Security Policy
- OPC Policy on Departmental Security (when approved)
- OPC Guidelines for Managing Electronic Mail
- OPC Information Management Policy
- OPC Policy on the Acceptable Use of Electronic Networks (when approved)
- OPC Policy on Computer Workstations and Peripherals
- OPC Privacy Breach Policy (when approved)
- OPC Access to Information and Privacy Process and Compliance Manual
Any inquiries regarding this Policy, or requests for further information or concerns about how the OPC manages the personal information that it collects, should be directed to:
Andréa Rousseau, the OPC’s Chief Privacy Officer. She can be reached at Andrea.Rousseau@priv.gc.ca or (613) 995-3503.