OPC sources of federal government and employee information

Sources of Federal Government and Employee Information

Office of the Privacy Commissioner of Canada


Introduction to Info Source

Info Source: Sources of Federal Government and Employee Information provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. It provides individuals and employees of the government (current and former) with relevant information to access personal information about themselves held by government institutions subject to the Privacy Act and to exercise their rights under the Privacy Act.

The Introduction and an index of institutions subject to the Access to Information Act and the Privacy Act are available centrally.

The Access to Information Act and the Privacy Act assign overall responsibility to the President of Treasury Board (as the designated Minister) for the government-wide administration of the legislation.

Background

 The Office of the Privacy Commissioner of Canada (OPC) was created when the Privacy Act came into force on July 1, 1983 expanding the privacy rights and protections formerly contained in Part IV of the Canadian Human Rights Act.

The OPC’s role was expanded in April, 2000 with the enactment of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Commissioner of Canada is an Officer of Parliament who reports directly to the House of Commons and the Senate.

Responsibilities

As an ombudsman and guardian of privacy in Canada, the Commissioner enforces two federal laws that focus on the protection of personal information: the Privacy Act, which applies to the federal public sector; and PIPEDA, Canada's private-sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals.

Learn more about the Office of the Privacy Commissioner here:  mandate, program responsibilities and corporate privacy policy.

The Commissioner's functions and powers to further the privacy rights of Canadians include: investigating complaints, conducting audits and pursuing court action under two federal laws; publicly reporting on the personal information-handling practices of public and private-sector organizations; supporting, undertaking and publishing research into privacy issues; and promoting public awareness and understanding of privacy issues. The Commissioner works independently from other parts of the government to investigate complaints from individuals with respect to the federal public sector and the private sector.

For matters relating to personal information in the private sector, the Commissioner may investigate complaints under Section 11 of PIPEDA except in the provinces that have adopted substantially similar privacy legislation, namely Québec, British Columbia, and Alberta. Ontario, New Brunswick and Newfoundland and Labrador now fall into this category with respect to personal health information held by health information custodians under their health sector privacy laws. However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federal works, undertakings and businesses, including personal information about their employees. PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial activities.

Institutional Functions, Programs and Activities

Compliance Activities

This program oversees compliance with federal privacy legislation for public- and private-sector organizations, thus contributing to the protection of Canadian's privacy rights. Through this Program, the OPC investigates privacy-related complaints and responds to inquiries from individuals and organizations, reviews breach reports and has the power to initiate its own investigations when warranted (Commissioner initiated complaints). Through audits and reviews, the OPC also assesses how well organizations are complying with requirements set out in the two federal privacy laws and provides recommendations on Privacy Impact Assessments (PIAs), pursuant to the Treasury Board Directive on Privacy Impact Assessment. This program is supported by a legal team that provides specialized advice and litigation support, and a research team with senior technical and risk-assessment support.

Privacy Complaints and Investigations

Description:

These records relate to complaints of alleged violations of the Privacy Act and the PIPEDA as well as incident reports and personal information breach notifications. The records contain identifying information about complainants, details of allegations, information about complainants and parties to the allegations, and information gathered during investigations, including statements provided by individuals and parties to the allegations.

Document Types:

Complaint applications, representations made by the parties to the allegations, submissions and third-party reports received by the Spam reporting Centre, documentary evidence, investigators' notes and records of discussions, technical analysis, internal and external correspondence, legal opinions, investigations reports, briefing notes, reports of findings, records of follow-up on recommendations, and case summaries.

Record Number:

OPC CPL 001

Privacy Complaints and Investigations
– Bank Number: OPC PPU 005

Description:

This bank describes information related to investigations arising out of complaints submitted to the Privacy Commissioner pursuant to subsection 29(1) of the Privacy Act and 11(1) of PIPEDA, or those initiated by the Commissioner pursuant to subsection 29(3) of the Privacy Act or 11(2) of PIPEDA. It also includes information related to investigations of incidents and alleged violations of the Acts including privacy breaches.

Personal information may include name, contact information, details of allegations, opinions and views of complainant and others, as well as the personal information that is the focus of the complaint or incident (e.g. medical, criminal, educational, financial, etc.), evidence provided, as well as decisions and recommendations relevant to the investigation. In certain cases, depending upon the nature of the complaint or the investigations conducted under the Privacy Act or PIPEDA, other personal information such as social insurance numbers (SIN), employee identification numbers and other identification numbers.  IP addresses may also be collected.

Class of Individuals:

Individuals who file complaints alleging violations of the Privacy Act and PIPEDA, individuals who may be involved in investigations, and individuals affected by incidents.

Purpose:

Information is collected under the authority of the Privacy Act and PIPEDA. It is used to conduct investigations as authorized under these laws.

Consistent Uses:

Limited information is shared with federal government institution(s) or private sector organizations(s) involved in the complaint (e.g. name of the individual, nature of the allegations, information that is permitted to be shared by section 64(1) of the Privacy Act or 20(3) of PIPEDA in order to conduct an investigation).

Information pertaining to privacy complaints and investigations can be shared with domestic and international privacy enforcement agency counterparts that have functions and duties similar to those of the Commissioner with respect to the protection of personal information, under sections 23 and 23.1 of PIPEDA, subject to an agreement or an arrangement in writing.

Information pertaining to spam and other related electronic threats can be shared with the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and foreign agencies, under sections 57 to 60 of Canada’s Anti-Spam Legislation.

The Privacy Commissioner submits annual reports to Parliament with respect to activities under the Privacy Act and PIPEDA which may include select anonymized case summaries. The information may be used to conduct audits and to identify and address systemic privacy issues. It may also be used for evaluation and quality control purposes in order to ensure consistency in the investigative process, for the training of investigators, and for research and litigation purposes.

Retention and Disposal Standards:

Records collected to process PIPEDA complaints are disposed of 10 years after the last administrative action.

Where Records collected pursuant to a Privacy Act time delay complaint are retained for 2 years and all other types of complaints pursuant to the Privacy Act are retained for 5 years following the last administrative action and then destroyed.

Records collected from the Spam Reporting Centre are disposed of after 2 years, if the information collected does not ultimately lead to an investigation.

RDA Number:

DA 2015/018

Related Record Number:

OPC CPL 001

TBS Registration:

20090490

Bank Number:

OPC PPU 005

Notes:

Access to this bank may require the complaint file number, the name and address of complainant, the approximate date of complaint, the name of the government institution or private sector organization, and/or the investigator's name.

Privacy-related enquiries

Description:

These records relate to enquiries concerning the Privacy Act or PIPEDA, or other subject matters, and results of responses to those enquiries.

Document Types:

Correspondence, background information relating to requests.

Record Number:

OPC CPL 002

Privacy-related enquiries
– Bank Number: OPC PPU 001

Description:

This bank describes information collected when an individual contacts the OPC to request information by telephone, e-mail or regular mail concerning the  Privacy Act, PIPEDA and/or related issues. Personal information may include: name, contact information, and other personal details, which can vary significantly depending on the nature of the inquiry, but which may include the individual's financial, medical, criminal or educational history, etc.

Class of Individuals:

Members of the public and individuals representing private sector organizations, other government institutions (municipal, provincial, international) or federal government institutions who make written or telephone inquiries concerning issues related to the  Privacy Act or PIPEDA.

Purpose:

Information is collected pursuant to the  Privacy Act or PIPEDA. It is used to respond to enquiries related to the application of these laws.

Consistent Uses:

Information may also be used for research on policy questions or in order to inform public education initiatives. The information may be provided to an OPC investigator if the enquiry leads to a complaint (see OPC PPU 005). Personal information may also be used for audit, evaluation, reporting (e.g. Annual Reports to Parliament) and/or statistical purposes.

Retention and Disposal Standards:

Records are disposed of 3 years after the last administrative action.

RDA Number:

DA 2015/018

Related Record Number:

OPC CPL 002

TBS Registration:

20090493

Bank Number:

OPC PPU 001

Notes:

A file is created for all written enquiries received. A file is created for telephone enquiries only if the enquiry is significant, warrants research, or requires a written response.

Privacy Audits

Description:

These records relate to audits conducted pursuant to section 37 of the  Privacy Act and section 18(1) of PIPEDA to review the personal information management practices of government institutions and private sector organizations. Information gathered during such audits may include annual reports, documents related to practices, systems and procedures and statements provided by individuals.

Document Types:

Internal and external correspondence, legal opinions and requests for opinions, auditors' notes and records of discussions, audit reports, briefing notes as required, and records of follow-ups to recommendations as required.

Record Number:

OPC CPL 003

Privacy Commissioner Ad Hoc - Complaints and Investigations

Description:

These records relate to complaints made under the Privacy Act against the OPC. These are reviewed and investigated by an independent Privacy Commissioner Ad Hoc appointed for this purpose. The records contain identifying information about complainants; details of the allegations; information about complainants and parties to the allegations; information gathered during the investigation including statements provided by individuals and parties to the allegations.

Document Types:

Representations made by the parties to the allegations; documentary evidence; investigators' notes and records of discussions; internal and external correspondence; legal opinions and requests for opinions; investigation reports; briefing notes as required; reports of findings; records of follow-ups to recommendations as required.

Record Number:

OPC CPL 004

Privacy Commissioner Ad Hoc - Complaints and Investigations
– Bank Number: OPC PPU 008

Description:

This bank describes information related to complaints made under section 29 of the  Privacy Act  against the Office of the Privacy Commissioner (OPC), which are referred to an appointed Privacy Commissioner Ad Hoc for follow-up and investigation. It relates also to investigations conducted by the Privacy Commissioner Ad Hoc in response to complaints, and to any investigation initiated by the Privacy Commissioner Ad Hoc under subsection 29(3) of the  Privacy Act. It includes information on inquiries received and investigations of incidents involving alleged violations of the  Privacy Act. The personal information collected may include name, contact information, details of allegations, opinions and views of complainant and other individuals, and other personal details, which vary depending on the nature of the complaint, inquiry, etc.

Class of Individuals:

Individuals who file complaints alleging violation of the Privacy Act by the OPC and other individuals involved in investigations or affected by incidents.

Purpose:

Information is collected pursuant to the  Privacy Act. It is used to conduct investigations related to complaints made with respect to the OPC.

Consistent Uses:

Limited information is shared with the Office of the Privacy Commissioner of Canada, who is the subject of complaints directed to the Privacy Commissioner Ad Hoc (e.g. name of the individual, nature of the allegations, information that is permitted to be shared by section 64(1) of the Privacy Act). The information may be used for evaluation and quality control purposes in order to ensure consistency in the investigative process, for the training of investigators, and for research and litigation purposes.

Retention and Disposal Standards:

Records are disposed of 5 years after the last administrative action.

RDA Number:

DA 2015/018

Related Record Number:

OPC CPL 004

TBS Registration:

20090495

Bank Number:

OPC PPU 008

Notes:

Access to this bank may require the complaint file number, name and address of complainant, approximate date of the complaint or correspondence, and/or investigator's name.

Privacy Impact Assessments

Description:

These records relate to Privacy Impact Assessments (PIAs) submitted to the Privacy Commissioner by federal government institutions as required by federal policy. Because they require privacy risks to be considered during the planning stages of new and revised programs and activities, PIAs help managers and decision-makers to avoid or mitigate privacy risks and result in better-informed policy, program and system choices.

Document Types:

Internal and external correspondence, legal opinions and requests for opinions, reviewers' notes and records of discussions, reports, briefing notes as required, assessment reports submitted by the institution for comment as well as additional information requested from the institution related to its PIA and records of recommendations and follow-ups as required.

Record Number:

OPC CPL 005

Notifications to OPC - Public Interest Disclosure

Description:

These records relate to notifications under section 8(2)(m) of the  Privacy Act or under other legislation that provides for public interest disclosures; the rationale for disclosure; and the personal information at issue.

Document Types:

Correspondence, notes and reports of the reviewer.

Record Number:

OPC CPL 006

Notifications to OPC - Public Interest Disclosure
– Bank Number: OPC PPU 004

Description:

This bank describes information sent to the Privacy Commissioner pursuant to subsection 8(5) of the Privacy Act by federal institutions related to proposals to disclose personal information based on invoking the public interest as set out in paragraph 8(2)(m)(i) of the Privacy Act, or under other legislation that provides for public interest disclosures, such as the Canada Pension Plan Act and the Old Age Security Act. The personal information may include name, contact information and the specific personal information that the notifying institution proposes to disclose in the public interest.

Class of Individuals:

Individuals whose personal information institutions propose to disclose in the public interest subject to first notifying the OPC.

Purpose:

The information in this bank is collected pursuant to subsection 8(5) of the  Privacy Act in accordance with the mandatory requirement to notify the Privacy Commissioner of decisions by authorized officials of federal institutions to disclose personal information in the public interest. It may also be used to notify the individuals to whom the information disclosure relates.

Consistent Uses:

Information in this bank may be used to conduct investigations, audits, and/or to identify and address any systemic privacy issues. It may be used to provide anonymized statistical and descriptive information in annual reports to Parliament with respect to activities under the Privacy Act. This information may also be used for quality control purposes to ensure consistency in the investigative process, for training purposes of investigators and research.

Retention and Disposal Standards:

Records are disposed of 2 years after the last administrative action.

RDA Number:

DA 2015/018

Related Record Number:

OPC CPL 006

TBS Registration:

20090492

Bank Number:

OPC PPU 004

Notifications to OPC - New Uses of Personal Information

Description:

These records relate to notifications under subsection 9(4) of the  Privacy Act; the statement of the nature of the information that was used or disclosed; the reasons of the use or disclosure; and the description of the new consistent use that will be added to Info Source.

Document Types:

Correspondence, memoranda, notes and reports.

Record Number:

OPC CPL 007

Notification to OPC Under PIPEDA Where Access to Personal Information Is Not Given

Description:

These records relate to notifications of denial of access to personal information, which are received from private organizations; such notifications are obligatory pursuant to paragraph 9(2.4)(b)) and subsection 9(5) of the PIPEDA. They contain information about individuals, the rationale for the non-disclosure of the personal information, as well as the personal information at issue.

Document Types:

Correspondence, individuals' requests for the information, the responses to the requests, investigators' notes and investigation reports.

Record Number:

OPC CPL 008

Notification to OPC Under PIPEDA Where Access to Personal Information Is Not Given
– Bank Number: OPC PPU 006

Description:

This bank describes information sent to the OPC by private sector organizations as an obligatory notification where access to personal information has been denied  pursuant to paragraphs 9(2.4)(a))  and 9(3)(c.1) of PIPEDA. Personal information may include: name, contact information, and details of the personal information not provided, which will vary from case to case.

Class of Individuals:

Individuals who have been denied access to their personal information by a private sector organization pursuant to PIPEDA.

Purpose:

Information is obtained pursuant to the obligatory notification provisions of paragraph 9(2.4)(b)) and subsection 9(5) of PIPEDA to allow the OPC an opportunity to ensure that private sector organizations are in compliance with PIPEDA.

Consistent Uses:

Information in this bank may be used to conduct investigations and audits, as well as to identify and address any systemic privacy issues. It may be used to provide anonymized statistical and descriptive information in annual reports to Parliament with respect to activities under PIPEDA. This information may also be used for the following purposes: quality control to ensure consistency in the investigative process, training of investigators, and research.

Retention and Disposal Standards:

Records are disposed of 2 years after the last administrative action.

RDA Number:

DA 2015/018

Related Record Number:

OPC CPL 008

TBS Registration:

20090491

Bank Number:

OPC PPU 006

Research and Policy Development

This program advances privacy knowledge, develops policy positions and provides strategic advice on the full range of privacy issues to Parliamentarians, government institutions and private sector stakeholders. Through this program, the OPC serves as a centre of expertise on emerging privacy issues in Canada and abroad by researching trends and technological developments, monitoring and analysing legislative and regulatory initiatives, providing strategic legal, policy and technical advice on key issues, and developing policy positions that advance the protection of privacy rights in both the public and private sectors. An important part of the work involves supporting the Commissioner and senior officials in providing advice to Parliament on potential privacy implications of proposed legislation, government programs, and private-sector initiatives. Since 2004, the Program includes the administration of the Personal Information Protection and Electronic Documents Act Contributions Program that funds independent privacy research and related knowledge translation initiatives, to advance knowledge and promote the practical application of that knowledge in ways that enhance privacy protection for Canadians.

Contributions Program – Privacy-Related Research

Description:

The objectives of the Program are to capitalize on existing research capacity by funding independent external research projects in academic, not-for-profit and other sectors to generate new knowledge and to support the development of expertise in areas of privacy and data protection. The program also aims to increase awareness and understanding among individuals and organizations across Canada of their privacy rights and obligations. Topics vary from year to year based on the OPC's priorities but address privacy issues in many areas including: national security; identity integrity and protection; information technology; genetics; bio-banking; innovative public education; and outreach and awareness raising initiatives.

Document Types:

Strategic planning documents, calls for proposals, proposals received, assessments and evaluations of proposals, correspondence, contribution agreements, and project expenditure reports.

Record Number:

OPC RPD 001

Research and Analysis Files

Description:

These records relate to research conducted into developing areas of privacy and data protection including: genetic privacy; public safety/national security; information management/information technology; identity integrity and protection; and surveillance. Information gathered from research of publicly available sources and studies; public opinion and academic research; and results of investigations conducted by privacy, consumer and law enforcement authorities.

Document Types:

Notes and records of discussions, seminars, and conferences; memorandum; briefing notes; presentations and speeches; and reports on contracted research.

Record Number:

OPC RPD 002

Public Outreach

This Program promotes public awareness and understanding of rights and obligations under federal privacy legislation. Through this program, the OPC's delivers public education and communications activities, including speaking engagements and special events, exhibiting, media relations, and the production and distribution of promotional and educational material. Through public outreach activities, individuals are informed about privacy and personal data protection. Such activities also enable federal and private-sector organizations to better understand their obligations under federal privacy legislation.

Public Outreach

Description:

These records relate to OPC's privacy-related public communications, education and outreach activities. It includes policies, strategies and plans, production of promotional and educational material, development and dissemination of targeted tools and guidance, media and public relations, inquiries, special events, advertising, graphic arts, public opinion research, public contests and competitions, promotional activities and other services provided.

Document Types:

Communication plans, backgrounders, fact sheets, news releases, media advisories, speeches, questions and answers, event calendars, presentations, exhibits and displays, targeted educational tools in all media, content submitted by entrants in contests and competitions, directories, publications, corporate website content, content produced for social media, feedback submitted by readers through social media, survey results and reports and news clippings.

Record Number:

OPC PEC 002

Publication Requests
– Bank Number: OPC PPU 003

Description:

A log is created when an individual requests an OPC publication. The log contains the date of the request, the requester's name, contact information, and the publication being requested.

Class of Individuals:

Members of the public (individuals and businesses) who request a specific publication from the OPC.

Purpose:

This information is obtained and recorded to provide the publication being requested and to follow up with the requester if necessary.

Consistent Uses:

There are no consistent uses.

Retention and Disposal Standards:

1 year after publication appears or is cancelled.

RDA Number:

DA 2015/018

Related Record Number:

OPC PEC 002

TBS Registration:

20090494

Bank Number:

OPC PPU 003

Standard Classes of Records and Personal Information Banks

Internal Services

Internal services constitute groups of related activities and resources that are administered to support the needs of programs and other corporate obligations of an organization. These groups are management and oversight services, communications services, legal services, human resources management services, financial management services, information management services, information technology services, real property services, materiel services, acquisition services, and travel and other administrative services. Internal services include only those activities and resources that apply across an organization and not to those provided specifically to a program.

Acquisition Services

Acquisition services involve activities undertaken to acquire a good or service to fulfill a properly completed request (including a complete and accurate definition of requirements and certification that funds are available) until entering into or amending a contract.

Communications Services

Communications services involve activities undertaken to ensure that Government of Canada communications are effectively managed, well coordinated and responsive to the diverse information needs of the public. The communications management function ensures that the public—internal or external—receives government information, and that the views and concerns of the public are taken into account in the planning, management and evaluation of policies, programs, services and initiatives.

Financial Management Services

Financial management services involve activities undertaken to ensure the prudent use of public resources, including planning, budgeting, accounting, reporting, control and oversight, analysis, decision support and advice, and financial systems.

Human Resources Management Services

Human resources management services involve activities undertaken for determining strategic direction, allocating resources among services and processes, as well as activities relating to analyzing exposure to risk and determining appropriate countermeasures. They ensure that the service operations and programs of the federal government comply with applicable laws, regulations, policies and plans.

Information Management Services

Information management services involve activities undertaken to achieve efficient and effective information management to support program and service delivery; foster informed decision making; facilitate accountability, transparency and collaboration; and preserve and ensure access to information and records for the benefit of present and future generations.

Information Technology Services

Information technology services involve activities undertaken to achieve efficient and effective use of information technology to support government priorities and program delivery, to increase productivity, and to enhance services to the public.

Legal Services

Legal services involve activities undertaken to enable government departments and agencies to pursue policy, program and service delivery priorities and objectives within a legally sound framework.

Management and Oversight Services

Management and oversight services involve activities undertaken for determining strategic direction and allocating resources among services and processes, as well as those activities related to analyzing exposure to risk and determining appropriate countermeasures. They ensure that the service operations and programs of the federal government comply with applicable laws, regulations, policies or plans.

Materiel Services

Materiel services involve activities undertaken to ensure that materiel can be managed by departments in a sustainable and financially responsible manner that supports the cost-effective and efficient delivery of government programs.

Real Property Services

Real property services involve activities undertaken to ensure that real property is managed in a sustainable and financially responsible manner, throughout its life cycle, to support the cost-effective and efficient delivery of government programs.

Travel and Other Administrative Services

Travel and other administrative services include Government of Canada travel services, as well as those other internal services that do not smoothly fit with any of the internal services categories.

Legend

  • Standard Classes of Records (CoRs)
  • Standard Personal Information Banks (PIBs)

Manuals

Additional Information

Requests Outside of the ATIP Process (Completed Access to Information Summaries; Informal Requests for Information)

The Government of Canada encourages the release of information through requests outside of the ATIP process. You may wish to consult the OPC's completed Access to Information (ATI) summaries.  To make an informal request, contact:

Director, Access to Information and Privacy
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec
K1A 1H3
Email: atip-aiprp@priv.gc.ca

For additional information about the programs and activities of the OPC, please visit the Office’s web site: www.priv.gc.ca or contact our Information Centre at:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec
K1A 1H3
Telephone: 819-994-5444
Toll-free: 1-800-282-1376
Online Information Request Form
TTY: (819) 994-6591

Privacy Impact Assessments (PIAs)

The OPC conducts Privacy Impact Assessments (PIAs) to ensure that privacy implications will be appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented. Here are Summaries of completed PIAs.

Access to Information Procedures

Please visit the OPC's Access to Information and Privacy web page for information on access procedures under the provisions of the Access to Information Act and the  Privacy Act.

Mail your letter or Access to Information Request Form (Access to Information Act) or Personal Information Request Form (Privacy Act), along with any necessary documents (such as consent or the $5.00 application fee for a request under the Access to Information Act) to the following address:

Director, Access to Information and Privacy
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec
K1A 1H3
Email: atip-aiprp@priv.gc.ca

Please note: Each request made to the OPC under the Access to Information Act must be accompanied by an application fee of $5.00, cheque or money order made payable to the Receiver General for Canada.

Reading Room

In accordance with the Access to Information Act and Privacy Act, an area on the premises will be made available should the applicant wish to review materials on site. The address is:

The Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec
K1A 1H3
Telephone: 819-994-5444
Toll-free: 1-800-282-1376

Date modified: