Video: The privacy life cycle – Event recording

The privacy life cycle: Tips for minimizing privacy risks and safeguarding personal information

Joint event presented on May 6, 2025, by the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat (TBS) for Privacy Awareness Week.

Speakers

Flavie Gagné, Moderator, Senior Privacy Advisor, Promotion and Engagement Directorate, OPC
Benoit Deshaies, Director of Privacy and Responsible Data Division, TBS
Pascal Lacroix-Piché, Manager, Intake and Monitoring Directorate, OPC
Katherine Glasgow, Special Advisor, Promotion and Engagement Directorate, OPC
Michael Maguire, Executive Director of Promotion and Engagement Directorate, OPC

(Presentations)

Flavie Gagné: It’s going to be a great discussion, I’m sure. Today’s session is hosted by TBS Access to Information and Privacy Community Development Office or APCDO.

I’d like to acknowledge that I’m joining you from the traditional unceded territory of the Algonquin Anishinaabe people. I encourage you to take a moment to reflect on the Indigenous territory upon which you yourselves live, work and play. I acknowledge that Indigenous peoples have long fought for their voices to be heard and for their rights to be respected including their rights to privacy.

Before we dig in, let’s briefly introduce ourselves and explain to our listeners how these 90 minutes are going to unfold.

Benoit Deshaies: That’s a great idea, Flavie. Do you want to kick us off?

Flavie Gagné: Of course. So, my name is Flavie. I’m a senior privacy advisor at the OPC. My role here today is going to be to act as the moderator. So, I will be largely asking questions and facilitating the discussion.

Joining me here today is Benoit Deshaies, Director of Privacy and Responsible Data Division at TBS. We also have Pascal Lacroix-Piché, a manager in the Compliance, Intake and Resolution Directorate here at the OPC. And we have Katherine Glasgow, a Special Advisor with Promotion and Engagement, also at the OPC.

We would also like to introduce the new Executive Director of Promotion and Engagement at the OPC, Mike Maguire, in his new role. Mike will be overseeing government advisory services alongside advisory services for private businesses, the OPC’s information call centre and some aspects of breach response. Mike, would you like to say a few words?

Michael Maguire: Sure. Thanks, Flavie. I’m really excited to be with you here today. Flavie mentioned that it’s… I’m the new executive director of the team and this is actually my first week. I’ve worked at OPC for 13 years, but my time has been spent working with private sector legislation. Most recently, I’ve been the Director of the PIPEDA compliance team for about six years.

So, while I have a lot of experience with privacy, the public sector law and policies are new to me and I’m eager to dive in and learn. I know that the government advisory team has a lot of interaction with many of the institutions attending today and I look forward to engaging with you all.

It’s perfect timing that my first week coincides with Privacy Awareness Week. I can’t wait to hear what the experts have to say to share with us. So, on that note, Flavie, what are we going to talk about today and will people have a chance to ask questions?

Flavie Gagné: Both great questions. Thanks, Mike. We’re really pleased to have you with us today. So, during the session we’re going to cover the privacy life cycle and look at why privacy matters at every step of the way from collecting personal information all the way to retention and deletion of said personal information.

We’re going to speak for one hour and then hold a 30-minute question period at the end.

Now that we know each of your names and titles I think it would be great to hear a little bit more about your roles. Benoit, could you please provide us with an overview of the work that you and your team do at TBS?

Benoit Deshaies: Yeah, thank you. So, at the Treasury Board Secretariat, or TBS, we’re committed to supporting effective privacy practices across the entire federal government. Our role is to guide departments with policy frameworks, with standards, resources, ensuring that privacy is going to be managed with care and compliance. We also provide expert advice and best practices to help departments protect personal info while meeting the requirements of the Privacy Act.

My team receives privacy breach reports and privacy impact assessments, also known as PIAs, and we review Treasury Board submissions where institutions seek authorities for their program or activities that would involve personal information. And of course we oversee compliance with our policies.

Myself as the Director of Privacy Policy, I support the implementation of these policies and practices to strengthen public trust and protect the personal information.

Flavie Gagné: Great. Thank you, Benoit. Kat, your turn.

Katherine Glasgow: Thanks, Flavie. So, since we have an audience from across the public service today I’ll start at the very beginning. The Office of the Privacy Commissioner of Canada, or the OPC, was established in 1983 following the passage of the Privacy Act, and our mission is really to protect and promote privacy rights.

The current commissioner, Commissioner Dufresne, started his seven-year mandate in June 2023. He is an agent of parliament which means he’s independent of government and reports directly to parliament.

So, whereas Treasury Board of Canada’s Secretariat is the government of Canada’s central agency that sets policy and directives, the Office of the Privacy Commissioner’s core responsibility is the protection of privacy rights through both promotion and proactive guidance and through compliance and investigative activities.

The promotion and engagement team’s government advisory unit undertakes three main activities. So, we review privacy impact assessments that are submitted to us by institutions which is required by TBS policy. We offer proactive advisory consultations and we conduct outreach sessions as well.

Flavie Gagné: Thank you, Kat. We’re also very lucky to have another colleague from the OPC with us today. Pascal, over to you.

Pascal Lacroix-Piché: Hello, my name is Pascal Lacroix-Piché, I am the manager of the Breach Intake Unit at the Office of the Privacy Commissioner. So, my team is responsible for analyzing the breach reports submitted to the office by public sector institutions and private sector organizations and companies. We review over a thousand reports a year.

As part of our analysis, we have numerous interactions that enable us to provide direction, advice and recommendations to help institutions and organizations comply with the law or improve their breach management practices.

Flavie Gagné: That’s helpful to know. Thank you, Pascal. As you all know we are here to talk about privacy life cycle. In today’s modern age the Government of Canada collects vast amounts of personal information via its many departments and agencies. This information is being processed and shared at an ever-increasing rate and the technology that we use to collect, store and leverage this information is developing at a rapid pace.

In order to maintain these practices while upholding Canadians’ rights to privacy we need to have equally evolved and sophisticated privacy practices. This makes it… this makes it all the more important that we each understand the privacy life cycle and what to consider at each stage along the way.

So before collecting personal information let’s turn the focus to… of our discussion today an overview of the privacy life cycle in the Government of Canada. We’ll explore how public servants can protect individuals’ personal information through its life cycle from the moment we collect the information through our use of it to the ongoing storage and eventual destruction of that information.

We’ll cover what to do before beginning a program that uses personal information, obviously privacy impact assessments or PIAs, how to share personal information with other organizations, employee training and awareness, some transparency measures, breach response and storage and safeguarding.

(Personal information)

To wrap up we’ll talk about key takeaways and give our audience a chance to ask questions. Let’s start at the very beginning of the life cycle. Benoit, can you please remind us what personal information is and what is it that we are working to protect?

Benoit Deshaies: Yeah, thank you for that question. So, under the Privacy Act personal information is any recorded information about an individual. This can include things like their names, their age, their postal address or their IP address when you browse the web. It can even include their views and opinions. And yes, views and opinions can be personal information in certain circumstances.

For example, if an employee shares her thoughts about a road closure on her commute that opinion is her personal information. If she comments afterwards on her manager’s leadership style then that comment may be both that employee’s personal information, as well as since it’s about her manager, it could also be her manager’s personal information. It’s both people’s personal information in that case.

There are exceptions, however, to the definition of personal information in the interest of government transparency. So, for example, information that relates to the work that you do as a public servant, and this includes your title, your role and the opinions that you share but related to your work, for example, about the grants application and the recipients that could fit within the exception of what is personal information.

(Legal authority)

Flavie Gagné: Thanks, Benoit. Kat, I have a question for you. If a program area approaches the privacy team about a new program or activity what should organizations think about before they even begin to first collect personal information?

Katherine Glasgow: Well, the first step is that it’s critical to determine the legal authority for your program or activity before you start collecting any personal information. Your institution must have the legal right to collect and use personal information involved in the initiative.

So simply put, you can’t just collect or use personal information without the legal authority to do so regardless of whether your initiative needs it to meet its objectives. So, you can refer to your department or program specific legislation to determine your legal authority but if you’re unclear you should always reach out to your institution’s legal services unit, they will be able to advise you on whether the legal authority exists, and if not what is required to obtain it.

Now for initiatives that are more complex or involve more sensitive personal information it can be really useful to carefully evaluate the impact on individuals’ right to privacy. You should be able to demonstrate that your program’s use of personal information is necessary to meet a specific need, effective in meeting your pressing and substantial goals, that it’s proportional which means that the intrusion on privacy is balanced by the benefit gains and that it’s minimally intrusive, meaning that there’s no less privacy invasive method of achieving the same goal.

Similarly, you should assess each element of personal information you collect to determine the reason and necessity for collecting it, and that’s what we call a data minimization exercise.

Determining authority and rationale for your program’s collection of personal information is the start of a Privacy Impact Assessment, or PIA. A PIA is basically a risk management process that helps institutions ensure they meet legislative requirements and identify the impacts their programs and activities will have on an individual’s privacy.

PIAs are meant to describe and document what personal information is collected, how it’s collected, how it’s used, transmitted and stored, how and why it can be shared and how it’s protected from inappropriate disclosure at each step along the way. It’s important to keep in mind that a PIA is much more than a document, it’s a process that, when undertaken properly, is a risk mitigation tool.

Institutions in the federal public service are required by policy to share their completed PIAs with both the OPC and TBS for review. Our office’s review of PIAs is intended to provide a second set of eyes to identify risks and to further strengthen your institution’s risk mitigations.

So, our team can also consult with institutions early in the PIA process to provide some preliminary guidance and help programs understand the main privacy risks associated with their activities.

(PIAs)

Flavie Gagné: Thanks, Kat. So, clearly PIAs are the foundational point in the privacy life cycle for a new program or activity. Speaking of PIAs, TBS recently updated requirements related to PIAs, didn’t you? Benoit, can you explain what has changed?

Benoit Deshaies: Yeah, absolutely. Thank you for the question. The Directive on Privacy Practices requires that institutions complete the Privacy Impact Assessment, the PIA. This is true for any program or activity that involves personal information, and it’s true whether this is a new program or whether you make a significant modification to an existing program.

This means assessing potential privacy risks before the implementation and documenting how your institutions will manage those risks. The directive I’ve mentioned also requires institutions to use the mandatory PIA template and you can download that template from our website.

It requires aligning the assessment with the relevant personal information bank, and we’ll talk about those a bit later, but that’s a transparency mechanism. And talking about transparency we also request that a web summary be published once the PIA is completed.

The updates that we published in October aim to simplify and strengthen how we manage privacy risks. With mandatory tools and templates the new standard will support a consistent and proactive approach to this.

So, a key principle to think about when doing a PIA is privacy by design which means thinking about privacy right from the start and not as an afterthought once the implementation is underway. The PIA checklist and template will help you do just that, they walk you through key questions and risk areas at the planning stage of your program and activity.

If the project involves artificial intelligence, AI, or automated decision making, and this could be, for example, models to help identify fraudulent patterns and applications or applying facial recognition technology to issue official documents, well then institutions must complete an algorithmic impact assessment, an AIA, that’s an additional assessment.

The AIA will help determine how the system will use personal information to make those decisions. The AIA will enable you to evaluate the risk of the automation before you implement it and to help ensure that the project will be compliant with laws and policies including those for privacy protection.

Thinking privacy first from the design of your program all the way to their daily operations, it’s not just a policy requirement, it’s also a best practice. And remember, your institution’s ATIP office and privacy officials are there to support you at every step of the way, and so is TBS’s privacy and responsible data team, that’s our team, if you have questions or if you need help navigating the requirements.

Flavie Gagné: But what if a program area wants to run a pilot program that is collecting new personal information?

Katherine Glasgow: Well, a pilot project can be a great way to identify possible risks and problems with a new approach to a program. We really encourage institutions to conduct pilots ahead of launching new programs at a larger scale.

However, pilot programs are still subject to the same privacy requirements as any other program. So, if you collect personal information through a pilot program to make administrative decisions you must still conduct the PIA ahead of launching the pilots.

What you learn through the pilot might provide material for later updates to the PIA. Privacy assessments are meant to be an ongoing process.

Flavie Gagné: Kat, can you tell us a bit about how the OPC reviews PIAs?

Katherine Glasgow: Absolutely. The OPC reviews… receives and reviews PIAs from federal government institutions and we use a triage process to determine which reports will be subject to a secondary review and for formal recommendations.

Our process takes into account certain factors, so those can include… do include the sensitivity of the personal information, the number of people affected, whether there’s parliamentary or public interest in the topic, if a novel technology is used and whether the initiative relates to one of the OPC’s strategic priorities.

And our advice to institution… institutions is grounded in the Privacy Act, TBS policies and internationally recognized privacy principles. And I would really stress and note that the OPC does not approve or endorse programs, we cannot provide legal advice nor can we help design programs, these are tasks that are all the responsibility of your institution.

Flavie Gagné: Thank you. And how should organizations respond to the OPC’s recommendation once a PIA is reviewed?

Katherine Glasgow: So, the OPC makes recommendations to guide institutions toward the most privacy-protective option possible. It’s not necessarily our expectation that institutions accept every single recommendation we make, our recommendations are non-binding. However, we do expect institutions to respond to our recommendations and provide justification for any recommendation they choose not to accept.

Keep in mind that not all risks are equal and that it may be impossible to completely address every risk. It’s important to justify any residual risk and to ensure that the person accountable for privacy at your institution understands and accepts those residual risks.

Every PIA should include an action plan that outlines the mitigations an institution has planned to address the risks that they’ve identified. This action plan should include both timelines and the person responsible for each action.

Privacy teams should follow up with their colleagues working on programs that collect personal information to understand whether programs have implemented planned actions. In general, you should treat PIA reports as living documents.

So, as I mentioned earlier, privacy risk analysis is an ongoing process and it does not stop with the approval of the PIA. You should assess privacy risks such as controls and should assess those risks and the controls and mitigations regularly as the environment changes, and you want to pay particular attention to whether the measures implemented are having the intended effect of mitigating the risks.

Ongoing management of privacy risk can be incorporated into your institution’s overall risk management strategy, and if you notice substantial change that results in a new significant… in a significant new privacy impact that you’ve not considered in the PIA you should update the PIA in accordance with the Directive on Privacy Practices.

(Collection, use and disclosure of personal information)

Flavie Gagné: Very good to know. Thank you, Kat. Benoit, another question for you. What if my institution is working with other organizations on the program that involves personal information? For example, I’m starting a pilot program that tests new approaches to conflict resolution in the workplace.

Now imagine that program involves multiple government institutions or even a private sector partner for services like investigations, asynchronous video interviews or even artificial intelligence-powered analysis. Are there any privacy considerations we should keep in mind, especially when it comes to contracting and information sharing?

Benoit Deshaies: It’s a great and complex question with many elements, I really like that, but please be patient as I go through everything then. Let’s start with when you are making a decision about someone.

In that case, whenever possible, we should collect the necessary personal information directly from that person. Examples of decisions could be whether the individual should get a benefit, should be part of a program, should receive disciplinary measure in a conflict resolution program or whatever other administrative decisions, really.

Collecting the information directly with the individual helps ensure that they are aware of the collection and they can review the privacy notice statement which will list the expected uses of the information and provide recourse if they would like to make a complaint to the OPC. The direct collection also helps to ensure the accuracy of the information.

So, in the example of conflict resolution, we’d be hearing directly from the people in the conflict about what occurred. There are exceptions to the requirement for direct collection however, and some of the exceptions could be when the individuals consent to their information being shared elsewhere or when the different use would be consistent with the original collection or when the law authorizes the disclosure. There’s many acts that mention data sharing for different purposes.

If we look at the Privacy Act there are 13 paragraphs in subsection 8(2) that enable sharing without consent under certain circumstances. In the example about conflict resolution a consistent use could be for information for the health and safety program, for example.

Just remember, though, that because your institution can use information does not mean that you can share it freely. Collection, usage and sharing of personal information are very different things.

Once you confirm that you can share information, an information sharing agreement or a contract is needed. These documents are required by the Directive on Privacy Practices before you will disclose the personal information and this disclosure could be to another program within your institution, your organization, to another federal department or institution, a provincial or a municipal partner or even a private sector organization.

These agreements must include many elements to ensure that the personal information shared is appropriately handled. So, for example, if I’m going to share immigration data with Service Canada I will need to document Service Canada’s legal authority to receive and collect the information.

How often I’m going to share the data and through what means and for how long, if Service Canada is permitted or not to then further share the information with some of their other partners, the steps that we’re going to take to maintain the accuracy of the data and what to do if there is an ATIP request for this data.

What to do in the case of a security incident or a privacy breach should any occur, the safeguards that we want to put in place like training, access control and security markings that will be needed, how often we’re going to review this agreement and much more. So, as you can see that’s a lot of information to include in these agreements. Luckily TBS provides guidance and templates to help institutions develop these agreements.

If you’re contracting with a third party from the private sector, the privacy obligations still apply. For example, maybe we need to hire an investigator to help resolve the harassment complaint or a video recruitment firm to evaluate astronauts. That would be exciting.

But in this case institutions must ensure that contracts include strong privacy clauses that the third party understands their responsibilities to protect the personal information. This includes controls around who can access the data, where it’s going to be stored, whether in Canada or abroad, how long it’s retained, how is it deleted and removed from their systems once the contract is over and what happens in the case of a privacy breach.

TBS is currently renewing its privacy and contracting guidance and the updated document will provide guidance on everything I’ve just talked about. The goal is really to help institutions ensure that contractors will be in compliance with privacy laws and policies. We also want to clarify expectations for privacy risks assessments and management at all stages of the contracting process.

Programs will also use and share personal information for non-administrative uses, things like research, statistics and GBA plus reporting. With the right safeguards in place innovative practices like linking administrative data across programs can really generate powerful insights, improve decision making and support better government programs and outcomes and all of this without compromising privacy.

A good example is from Statistics Canada. They have what’s called their social data linkage environment, the SDLE, and that’s a good example of how institutions can enable high quality research while upholding strict privacy and security standards.

The model here works because personal identifiers are kept separate and only de-identified data is used for the research. To access the environment and the data this access is tightly controlled and all projects will undergo a rigorous review to ensure privacy compliance.

Institutions can take inspiration from this model to use personal information more strategically, for example, identifying service gaps across programs, improving policy development and evaluating the long-term impacts of their initiatives.

The key is really to ensure that the controls will be in place by establishing a clear purpose, consistent uses aligned with what is defined in the personal information banks and strong privacy controls that include access controls and formal information sharing agreements. I hope this answers the question.

Flavie Gagné: Yes, thank you. Kat, do you have anything to add about working with other organizations?

Katherine Glasgow: Yeah, I think the biggest lesson from past contracts is simply that it’s really important for contracting specialists to consult with their privacy teams to ensure that those contracts include basic privacy clauses in context where the contracting program uses personal information. If privacy experts aren’t involved in the process, privacy elements risk being forgotten.

Another big lesson we can take from contracting experiences is the importance of conducting due diligence with the third-party service provider. This is particularly important in cases where a government institution is entering into a contract for the use of new and innovative technology solutions which leads to unidentified privacy risks.

Our team in Government Advisory can work with your institution to review information sharing agreements. We’re also happy to discuss elements that you may want to include in your contract as part of the consultation process. So again, as we cannot… although we cannot offer legal advice, we base our recommendations on the Privacy Act, TBS policy and those internationally recognized privacy principles.

(Training)

Flavie Gagné: Thanks, Kat. I have another question for you. When it comes to preparation and understanding what kinds of resources are available to public servants at an individual level? How can each of us come to a better understanding of our own privacy responsibilities?

Katherine Glasgow: So, in addition to our consultations and PIA review services we also run outreach events with institutions. Some events like this one provide general information to a wide audience, but we can also work with your institution to provide a more tailored outreach session about privacy principles, our processes and how privacy connects with your work.

Flavie Gagné: And Benoit, what training and resources does TBS offer?

Benoit Deshaies: Yeah, thank you. Well, respecting privacy obligations helps promote trust in the government and for this reason we made privacy training mandatory, it’s not optional.

In Appendix B of the Directive on Personal Information Request, we set out the training requirements for all employees as well as those for specific responsibilities for the administration of the Privacy Act.

To help institutions support… to support them in delivering this mandatory training TBS is currently developing a new ATIP 101 style presentation that institutions will be able to use and adapt to fit their operational realities.

TBS also has many tools, templates and training materials to support institutions at all stages of the privacy life cycle. I’ve mentioned a few already, but I’ll mention a few more. There is the Digital Privacy Playbook which offers practical checklists, real world examples and step-by-step guidance for managing privacy in digital programs and today most programs have a digital or IT component.

Another guide is the Plain Language Guide to Exceptions and Exclusions under the Privacy Act and this guide helps program officials and ATIP teams clearly explain and justify their use of exemptions and exclusions when they’re responding to personal information requests.

A third tool is the Privacy Breach Management Toolkit which walks you through how to prepare for, how to assess and respond to privacy breaches when they do occur, whether they’re small or large in scale. And as I mentioned before, we have the Contracting Guidance and Information Sharing Agreement Guidance which includes sample clauses and templates that you can use.

Of course we have the Canada School of Public Service, the CSPS, that offers many online courses and this includes CORE 502 which is titled Access to Information and Privacy Fundamentals, there’s CORE 505, Privacy in the GC and CORE 502, Access to Information in the GC, and there’s many more.

So just look for privacy or personal information under learning catalogue and you’ll find many great resources. And all of these resources, whether from CSPS or TBS, they’re designed to ensure that employees, first of all, understand their privacy responsibilities but also are equipped to apply them in their day-to-day work.

Finally, if you’re an ATIP or privacy official and you’re facing uncertainties or challenges with interpreting privacy policies or you have issues conducting a complex PIA remember that we’re here to help. When you’re stumped come see us, we’ll help you navigate the hard questions and work with you to find the answers that you need. We’re your guide to government-wide privacy success.

(Transparency when collecting personal information)

Flavie Gagné: All right. Thank you, Benoit. Moving on to while collecting personal information. So once the groundwork is complete you’ve assessed your authorities or your risks and your partners. Then what? We’ll discuss now what to keep in mind while collecting personal information.

Benoit, can you talk briefly about what institutions should keep in mind to maximize transparency when collecting personal information? Let’s say the launch of the new conflict resolution pilot program is underway, what transparency measures should we have in place?

Benoit Deshaies: Yeah, so transparency is a fundamental principle of the Privacy Act and the policy framework that supports it. When collecting personal information from individuals it’s… whether it’s for a pilot program or any other service the institutions are required to be clear about what they’re collecting, why and how that information will be used or shared.

As I mentioned before, the privacy notice statements show that individuals will know what institutions are doing with their personal information. The notice needs to include many things including the purpose for collecting the information, the legal authority for the collection, whether the information will be shared with any other parties, the consequences of refusing to provide the information to the government, the right to access and correct the personal information that the government will collect, the relevant personal information bank that will describe the collection and informing people of their right to file a complaint with the Office of the Privacy Commissioner if they’re not happy with the way it’s going.

So, for your conflict resolution pilot program you’d want to make sure that you have a clear privacy notice that’s provided to the participants beforehand and this is required irrelevant of how you will collect the information. It’s required whether you’re submitting the information online or that you’ll be speaking to a program representative, say, or using a third-party platform. In all cases, a notice must be provided.

Another transparency mechanism is a website that institutions must maintain which is called InfoSource and it supports transparency by publicly describing all of the institution’s programs and activities, the personal information holdings linked to those activities, the summaries of the Privacy Impact Assessment, summaries of contracts and information sharing agreements so people understand where their information and who their information is being shared with, and also information on how employees and members of the public can request their personal information and request corrections to that information.

Going back to our conflict resolution pilot program, for example, if there are any changes in how personal information is collected, used, shared or kept, the institution should review the InfoSource page to ensure that it’s still accurate. And if you’ve never seen that InfoSource page for your institution I encourage you to go look at it to see what your institution publishes.

And so far, I’ve mentioned privacy notices and InfoSource pages that are proactive transparency measures but there are also reactive ones, particularly responses to access to information requests.

As you likely know, people can make requests for the personal information that the government has about them. This could include public servants seeking info on labour relation issues, it could be travellers asking about their visa processing or bystanders wanting to know about the body-worn camera footage to an event they were witness to.

So, some information in these requests will need to be protected because it contains information about somebody else or is part of an investigation, but generally we must be as transparent as possible.

The Directive on Personal Information Request and Correction of Personal Information outlines the procedures that institutions must follow when an individual requests access to or a correction of their personal information. To meet the transparency objective this requires having clear instructions on how individuals can submit their requests, prompt responses to those requests as well as internal procedures to verify an individual’s identity and to evaluate whether corrections are warranted when they request them.

To conclude, transparency is not just about compliance but it’s also about building trust. Whether your institution collects personal information for a one-time pilot or a long-standing service people have the right to know what’s happening with their personal information and how they can stay informed about it or act if need be.

Flavie Gagné: All very helpful. Thank you. Kat, can you tell us how the OPC assesses transparency against these requirements? Any success stories to share?

Katherine Glasgow: We do always examine privacy notice statements and consent statements with a great deal of attention. The statements are an important baseline. It’s essential that individuals have a reference point for what their rights are when the government is collecting their information including the right to make complaints to our office, of course.

But that being said, we know that people do not necessarily read the fine print and it’s very easy for information to get lost in formal notice statements. So that means that we also encourage institutions to find creative ways to make sure that individuals understand what information is being collected and why. This might involve design decisions to make privacy information easier to understand or communication plans to share the purpose of an initiative more broadly.

There are some useful transparency measures that we’ve seen in the past, so very important, scoping the level of information available in a PIA summary to provide sufficient details. Also using public-facing websites to explain programs and how they use the personal information and that’s particularly important for programs with a high degree of privacy intrusion.

There’s also… you could have public consultations about privacy intrusive programs, and then of course oversight and advisory bodies for programs where new privacy issues are likely to arise.

(Privacy breaches)

Flavie Gagné: Thanks, Kat. So now we’re on to the after collecting personal information part. So once your institution is holding personal information there is an obligation to safeguard this information and prevent breaches. Still, no matter how cautious we are, we know that breaches may still happen. So, Benoit, can you talk to us about TBS’s recommendations for handling your breach?

Benoit Deshaies: Yeah, as you say, despite every organization’s best effort to ensure personal information is always protected, breaches do occur. Both of our offices, the OPC and TBS were particularly sensitive to safeguarding personal information but still we have committed or have been the subject of breaches in the past.

It’s important to remember that breaches can happen by accident and be committed by anyone. The consequences of inadvertently causing a breach will always be far less serious than trying to cover it up intentionally.

Most people think that privacy breaches are only the loss or unauthorized access or disclosure of personal information but it’s important to remember that according to our definition a breach can occur whenever an institution is out of compliance with any of the requirements for collection, for use, retention or disclosure.

For example, if an institution destroys a record before its retention period is met that is considered a breach. People had a right to access that record and by deleting it early you prevented these people from exercising the right. So that’s a breach.

There are therefore many ways that we can accidentally cause a privacy breach as a public servant. This can include losing physical records with personal information on them, accidentally disclosing personal information through a misdirected email or over collecting personal information. Privacy breaches can also take the form of malicious unauthorized access through hacking or phishing.

TBS offers the Privacy Breach Management Toolkit which provides practical advice to managing the breaches including how to identify and contain the breach, how to assess the risk of the breach, when to notify individuals and the people responsible, what mitigation measures to take, whether the incident is material and must be reported and how to document and prevent future breaches.

It’s important to act fast when breaches do occur. Initially the priority needs to be the containment of the breach to prevent its harm from being made worse over time. So, for example, when someone realizes that they’ve put everyone in the CC line instead of a BCC for a sensitive email and we want to keep the distribution list protected, well, they need to recall that message quickly and then promptly send a message to all recipients asking that they delete any copies of the improperly sent message.

To prevent the breach from worsening it’s also necessary to accurately report the breach to your ATIP office so that the institution can take all necessary measures to contain it.

Let the institution’s privacy officials know as soon as possible about the breach so they can guide you in its containment. There are many communications that will need to take place within your institution to manage the breach. This will usually include the program that holds the information, the group that discovered the breach, the institution’s privacy officials and security officials and more people often.

Reporting a breach will lead to a thorough assessment which could reveal that what appeared to be a small breach initially might actually be more severe than we thought. And if the breach is cyber-related institutions should also refer to the Government of Canada Cyber Security Event Management Plan, the GC CSEMP, and if you don’t know what that is, your cyber or security team will be able to provide you guidance there.

And this plan provides an operational framework to help departments respond in a consistent and timely manner to the cyber threats or cyber security events that could impact service delivery or compromise trust in the government systems.

To the greatest extent possible it’s strongly recommended that institutions notify all affected individuals for whom the personal information may have been compromised. The notification should occur as soon as possible following the breach. This will allow individuals to take action to protect themselves or to minimize the damage from the breach.

Remember that failing to promptly and accurately report a breach can lead to delays in informing the individuals who’ve been affected by it. It will increase the potential for harm that the breach may cause and it will further erode the trust that people have in your institution. The group in the institution that has the direct relationship with the affected individuals should typically be the one sending the notification.

The next consideration is whether or not the privacy breach is considered material, and this is an important concept. We’ll spend some time on this. The TBS Policy on Privacy Protection defines a material breach as one that can be reasonably expected to create a real risk of significant harm to an individual.

Types of significant harm could include personal injury, identity theft, humiliation and reputational damage, loss of employment or loss of professional opportunities, financial loss or financial impacts let’s say on credit. And finally, damage or loss of property.

And this threshold is crucial because if a breach is assessed to be material it must be reported to both the OPC and TBS within seven days. These cases will often require more detailed mitigation measures.

To assess whether a breach is material, institutions should conduct a risk assessment that will consider the sensitivity of personal information because not all personal information is equally sensitive. However, even an email address could be sensitive in some context.

And the context is the next piece. Was the data sent to someone who knows the person? Was it public or internal disclosure? Did the recipient recognize the error? We should also consider the intent. Was the breach accidental or malicious? Was it an isolated mistake or is there a systemic issue? And the exposure time, the longer the information was exposed the higher the risk will be.

As I said, substantial breaches must be communicated to TBS and the OPC within seven days and the best way to do this is using their online breach reporting form. The online form will make it easy to enter all the relevant details about the breach and then review and edit this information online. Once you submit it the OPC and TBS will receive the report at the same time, and you can also download the copy for your records.

At the end of this process to manage the breach, once the breach is resolved it’s important to learn from it and to adapt to address the shortcomings that led to this breach. Maybe the PIA needs to be updated to reflect the new risk that you identified and the necessary mitigation measures.

Reporting to TBS and the OPC that you would have done will further help prevent similar breaches from occurring in other institutions because our organizations can share the lessons learned with the greater federal community.

So, to conclude, remember that no matter the severity, institutions are expected to contain the breach, assess the risks, notify the appropriate parties which can include TBS and the OPC if the breach is material, and then take steps to prevent future breaches.

Flavie Gagné: Thank you, Benoit. Now let’s think about a couple possible scenarios. What happens if the breach is relatively minor? Say maybe I emailed relatively non-sensitive personal information of one person to someone else with a similar name. For example, a timesheet.

And what happens if it is more serious, say if our department discovers that a database that holds information about benefit payouts including financial information has been compromised by external hackers. How do you draw the line between what is significant and what is not?

Pascal Lacroix-Piché: So, as Benoit was explaining, it’s true, not all breaches are equal. What determines the appropriate response is the real risk of significant harm that a breach might cause.

So, let’s say in the first scenario someone accidentally sends an email containing the personal information of one person to someone with a similar name. So, while this is a privacy breach it may not rise to the level of material breach. In this case personal information may include something like a personal email address or a phone number, so it’s relatively low sensitivity.

However, context matters. If the message also contains sensitive information like a medical diagnosis or disciplinary record the risk of harm becomes much higher. So even if the content seems innocuous, if the recipient knows the individual involved or works in the same small office it could increase the risk of harm like embarrassment or workplace tension.

In a second scenario your institution discovers that a database containing financial information about benefit payouts has been accessed by unauthorized individuals, potentially hackers. So, this is likely a material breach. The sensitivity of personal information including financial details, banking information or social insurance number coupled with unauthorized access by external parties creates a real risk of significant harm.

These harms could include identity theft, financial loss or even reputational damage if the breach becomes public.

So, in the first example where the recipient is internal and the data isn’t sensitive, the likelihood and severity of harm are low, likely not a material breach. In the second example where sensitive financial information has been accessed by outsiders both the likelihood and severity of harm are high, likely a material breach.

The factors to be considered when assessing RROSH, or the Real Risk of Significant Harm, are sensitivity of the information and the probability of misuse. We often see institutions consider only the risk of identity theft or other related fraud when they assess the real risk of significant harm, but please keep in mind that significant harm can also include bodily harm, humiliation, damage to reputation or relationship, loss of employment, business or professional opportunities, financial loss, negative effects on the credit record and damage to or loss of property.

Flavie Gagné: And, Pascal, in the breach scenarios we just talked about I believe the OPC has a new tool that might be helpful. Can you explain?

Pascal Lacroix-Piché: Yes, we were really proud to announce in March 2025 that the OPC launched the Privacy Breach Risk Self-Assessment tool. This is an online tool that businesses and federal institutions can use when they experience a privacy breach to assess whether the breach is likely to create a real risk of significant harm to individuals.

The tool guides users through a series of questions to assess the sensitivity of personal information that is involved in a data breach and the probability that it will be misused. The results provided through this tool will help organizations to conduct a risk assessment following a data breach and determine the required next steps including notifying affected individuals and reporting the breach to our office.

And it’s important, we want to stress that the results of the tool are meant to act as guidance only; the tool does not replace your judgement. The institution experiencing the breach is responsible for carrying out a thorough assessment of risk to the affected individuals accounting for all facts and nuances of the breach.

You can find the Privacy Breach Risk Self-Assessment tool on the OPC website. We encourage institutions to incorporate the tool into the breach response process. And finally, you can also reach out to my team if you’re ever in doubt. We can help you through your assessment as we have reviewed thousands of breach reports and have been using the assessment tool internally.

Flavie Gagné: It sounds like it would be very helpful. Does the OPC have any other general suggestions for how to react to a breach?

Pascal Lacroix-Piché: Of course, I would like first to emphasize the importance of looping in the key stakeholders within your institution and keeping each other informed of breach developments. Responding to a breach will often involve the coordinated efforts of privacy, IT and security teams in addition to the OPIs.

Also, please ensure that notifications are sent promptly. It’s not so reassuring for affected individuals to receive a warning to be vigilant when the institution took nine months after the breach occurred to send the notification letter.

Apart from notifications, institutions need to consider whether other mitigation measures are required in their circumstances. For instance, in response to breaches that create a risk of identity theft we often see institutions offering credit monitoring to the affected individuals.

And finally, institutions need to take measures to prevent future breach occurrences. In additions… in addition to addressing the root cause of the breach institutions may consider establishing an action plan to prevent future breaches.

The action plan could include a security audit of both physical and technical security, a review of policies and procedures and any changes to reflect the lessons learned from the breach and regularly after that. For example, security policies, record retention and collection policies, etcetera. Also, a review of employee training practices. And finally, a review of contracts and sharing agreements with third parties.

Flavie Gagné: Thanks, Pascal. Kat, do you have any general best practices to share when it comes to maintaining the safety and security of personal information and preventing breaches?

Katherine Glasgow: So, one element we would emphasize is the importance of controlling and monitoring access to personal information. In a digital information system, identity and access management systems ensure that only individuals with a reason to access the personal information can do so.

Techniques for identity authentication and management continue to evolve. So, it’s important for privacy teams and technology teams to work closely together on this area of operations.

Fundamental safeguarding measures also include maintaining and monitoring audit logs of system activity to track who has accessed personal information in case of discovery of a breach later on.

And finally, we strongly encourage institutions to consider the findings of cybersecurity assessments in their privacy assessment work. PIAs should include summaries of the findings of assessments such as threat and risk assessments and security assessments and authorizations, and reducing the risk of technological threats means stronger safeguarding of personal information.

Cyber threats do continue to evolve with new advancements in technology so it’s important for privacy teams to keep their cybersecurity colleagues involved over the life of a program. This allows you to be more effective in identifying and mitigating emerging risks.

Privacy teams may not be experts in cybersecurity but we value the input and recommendations of our technology colleagues who are, and institutions should document that input as part of their privacy assessment process.

(Conclusions)

Flavie Gagné: All good things to keep in mind. Finally, to close, I’d like to ask each of you if there is one thing you would like the audience to remember about the privacy life cycle we have talked about today, what would that be?

Benoit Deshaies: Yeah, I’ll start. Privacy isn’t about limiting the use of personal information, it’s about using it correctly. Protecting privacy from the start protects the individuals and strengthens public trust. Every step of the life cycle is a chance to be strategic toward that goal.

With the right safeguards and transparency institutions can use personal information responsibly to improve programs and services. Privacy needs to be embedded in everything that we do in the public service and managing it well from the start means protecting both the people and the value of what we deliver.

Pascal Lacroix-Piché: Yeah, and I would like to reiterate that institutions are welcome to seek guidance from the OPC at any stage of their response to a privacy breach. Institutions do not need to wait until they have determined that a breach is material before engaging with us.

In fact, we strongly encourage your privacy teams to provide us with a heads up about a material breach or potential material breach even if the breach is not fully contained or if certain breach details are still unknown. These heads up are also useful for us if you anticipate that a breach will attract media attention or public scrutiny.

Katherine Glasgow: I would say that the most important point to remember is that you should be thinking about privacy as a life cycle. Privacy should not be a regulatory checkbox at one point in the process of designing a program and nor should it be an afterthought tacked on at the end.

Our office talks about privacy by design which is a method to proactively embed privacy into your business practices and this idea is that the most effective way to ensure privacy and by extension to build trust with the people you serve is to really think about privacy at every step along the way.

Flavie Gagné: Well, thank you, Benoit, Kat, and Pascal. This has been a really informative and helpful discussion. Mike, we’re very glad you could join us today and welcome to the advisory side of the office. Before we move to the question period, Kat, I understand you have some positive news about the PIA submission form. Could you please share it with us?

Katherine Glasgow: Yeah, really excited to confirm to everyone that now when you submit your PIA using the privacy… the PIA submission form it is also going to submit that PIA to TBS as well. So TBS is fully incorporated in the process and you only have to submit a PIA once to end up in both our offices.

(Question period)

Flavie Gagné: This is awesome. Thank you. Now let’s get into some questions.

We already have a question that I can maybe start. Completing a PIA is part of the security authorization and assessment and completing an SA&A is part of the PIA. How do you recommend teams sequence these assessments?

Katherine Glasgow: Benoit, do you want to start?

Benoit Deshaies: No, I was going to offer for you to start. You’ve already mentioned SA&A in your earlier remarks.

Katherine Glasgow: Yeah, so I would say that completing a PIA is part of the SA&A but I think it’s more along the lines of like are you completing a PIA? How is a PIA being completed to ensure that the SA&A is part of that PIA? So I would say that because the risks involved in a program or activity need to be reflected in the PIA I would start with the SA&A or start that process at least so you can start identifying like what are the technical risks involved in this program and they can be reflected in the PIA. That’s how I would go about it. Benoit, I don’t know if you have a different perspective.

Benoit Deshaies: Well, I think that’s entirely valid but I would also add like they need to be done hand in hand. Privacy protection and security protection are really related. It’s important for your privacy officials to understand the privacy risks and it’s important for privacy officials to understand the controls and the security controls around the personal information.

So, collaborating together toward the completion of these things is really important and recognizing that we’ve recently made contact with some people responsible for security guidance toward improving the linkages between both tools. So, for example, in ITSG-33 there’s… we’re working with SSC, with the Cyber Security Centre, to make sure that the privacy considerations in there will mirror what’s in our policies for privacy. So expect more linkages in the future, but yeah, really need to be done in collaboration.

Flavie Gagné: Thank you. I have another good question here. What suggestions do you have for a time sensitive project needing immediate implementation plans given that PIA can take six to eight months to complete?

Benoit Deshaies: So, it used to be that PIAs took this long, I recognize that. Part of our objective with the October updates that we did last year was to simplify the process. The new template really guides institutions in assessing the different risks and the best mitigations to manage them and we found that completion of the PIA can be much less as a result.

In some cases, we’ve seen people complete PIAs within a matter of weeks rather than months and that’s really positive. So, I would encourage people to work together with their privacy office and the program sector to really address this before the initiative needs to launch.

And as we said from the onset, from the early thinking, often people will put this out, this activity until it’s too late. Right at the beginning once you start having signals that, okay, we need to develop a program, you need to build privacy into it and you need to start on the PIA.

Katherine Glasgow: I would also add that part of this is really important to scope your PIA appropriately. Sometimes we’ve seen PIAs with like very large scopes covering multiple business lines and that’s when I think things get kind of out of control and unwieldy and the timeframe ticks up.

So, if you’ve scoped the PIA, especially if you’re looking at a program that like this needs to start pretty immediately, we really need to work on this and get it going, I would scope the PIA so it’s focussed on a very defined business process.

What is the most… like where’s the risk involved? How can we review what personal information is being collected? Again, how it’s used, retained, disposed of, disclosed. Let’s keep it… let’s keep it narrow as possible with… not so narrow that you’re leaving out important processes or important parts of the initiative but scoping appropriately will really help you make sure that you can move through a PIA much more quickly.

Flavie Gagné: Another question would be, do you have any examples of PIAs that were completed using the new template? How was the level of detail in it? Was it clear? Was it missing any details?

Benoit Deshaies: So, our teams both have… at the OPC and TBS we both have examples now using the new template. Unfortunately, it’s not possible for us to share that, they’re sent to us in confidence but that’s something that can be discussed within the community.

So, we have an active GC collab. I encourage people to ask other departments to share if they can their privacy impact assessments as examples to the wider community and we’ve had institutions agree to doing such sharing already. So, there should be a reception there. And, yeah, Kat, I think you were going to jump in too, I saw you.

Katherine Glasgow: Well, I was going to say much the same thing.

Benoit Deshaies: Okay.

Katherine Glasgow: We have received a couple, not too many yet, I would say it’s still early days for the new templates, but there are a couple of examples that have come in. But yes, unfortunately we don’t… we don’t share those PIAs.

Flavie Gagné: What do you do when IT asks for your password to install software? They say it’s fine to just change your password after giving it.

Katherine Glasgow: Yeah, I would say don’t, we don’t encourage sharing our passwords. Passwords are personal and exclusive to you and help ensure that there is no unauthorized access to personal information involved that you may hold on your laptop or computer. I will say at the OPC what we do is when… if there’s an issue where IT has to access my laptop there is an option for IT to remotely take control of my laptop.

So, what happens is I’m sitting here, and I get a pop up that says can IT please take control of your laptop? So, it’s sort of a proactive consent. I click yes, then IT can be in the background doing the things that they need to do and at the end they exit out and my laptop is back in my control.

So that’s what… that’s our best practice, it’s what we do here at the OPC and certainly I would encourage other institutions to look into that because we would… we would strongly encourage you never to share your password.

Flavie Gagné: Okay. Will there be a job aid or guidance for the template? My office sent an email to IPPD due to the vagueness of a few items in the template but have not received detailed answers.

Benoit Deshaies: Yes. So, part of what… we’ve, as the department started using the new templates we’ve received a few common questions and we’re planning to make changes to the template to clarify the areas where people have questions. So, to an improved template there should be less questions, but supporting that as well will be guidance to support you in completing it. So, both are coming, yeah.

Flavie Gagné: Can you clarify guidance for personal information that is collected indirectly for non-administrative use?

Katherine Glasgow: Can we clarify guidance on… so sometimes personal information is collected for a non-administrative use. For example, there’s a lot of public communication programs that are out there. So, if you are… if you sign up for a newsletter, per se, or sometimes institutions with their social media platforms are responding to individuals, so they’re collecting their data for non-administrative uses. I’m trying to think of a… Benoit, I don’t know if you can think of a case where it’s non-directly or I don’t know if the questioner has a more specific example of what they’re asking.

Benoit Deshaies: But maybe I would add that for non-administrative uses the Privacy Act still applies if you’re dealing with personal information and it still needs to be protected but the requirements are a little bit lessened, but the same principle holds. So, you need to make sure that you’re transparent about it.

If this is information you’re collecting and holding your InfoSource page should mention that, and there’s different ways to do this when it’s for non-administrative uses. And at the same time, you need to manage the privacy risks.

A privacy impact assessment may not be the right tool, maybe you need to do a privacy protocol, but it’s the same idea where you need to reflect about what are the privacy implications and risks of using this information and how are we going to manage that.

Katherine Glasgow: That’s true. I sort of blanked out on that, but of course in InfoSource there’s classes of personal information which are different from personal information banks to cover the non-administrative uses of personal information, for sure.

Benoit Deshaies: And we had the… as you mentioned there is often in communications, that’s a common example where institutions will publish the correspondence that they receive in classes of information. But think, maybe you’re taking pictures around the office and those photos constitute personal information of employees. So, if you’re keeping a bank of those photos, that’s the non-administrative use of personal information.

Flavie Gagné: Can you give an example of how to determine the legal authority?

Benoit Deshaies: Oh, go ahead.

Katherine Glasgow: Sorry about that. I was going to say it’s often within your enabling legislation for your institution, there’s often a section of the legal authority of the legislation that will say that your department is… part of its obligations are to conduct programs or to oversee law enforcement or whatever the case may be. So often it’s in your enabling legislation, but we always say that if you’re not sure you should confer with your legal services and they’ll be able to point you in the right direction.

Benoit Deshaies: That’s very good advice. And to that I would just add that there are some things that many departments do like hiring, for example, and that may not be present in their department or institution-specific legislation but in more central laws like the Financial Administration Act. And so, for those we also have standard personal information banks which apply to many institutions and there’s possibly some authorities there as well.

Flavie Gagné: How do you mitigate risks related to the use of novel technologies such as Microsoft Recall AI tool by third party. Example, contractors, clients, stakeholders?

Benoit Deshaies: I have a few so maybe I’ll start. It starts by reviewing the… here it’s kind of implied that they will be third party tools, so it’s really important to review the privacy policies of these third parties for these tools. How will they use and retain the information that is processed through it? So that’s an important consideration.

But also, tools that are offered by these companies should be assumed not to meet Government of Canada security and privacy policies until shown otherwise, until we’ve done the homework to show that they are compliant with these things.

So, tools like ChatGPT have not been vetted as Protected B compliant, for example, so they should not be used to process most personal information. So, use caution really. Do your homework, verify the tools, work with security and your CIO to really validate the tools before you start using them for anything sensitive.

Flavie Gagné: Any initiatives to reduce the burden involved in producing a PIA?

Benoit Deshaies: The templates that we’ve produced last October were certainly an important step toward that and the changes that we’re doing in response to the feedback of institutions that have used it will further help but if people have suggestions on how we can further streamline the process please get in touch with us, we’d love to hear your suggestions.

Flavie Gagné: How do you adapt a privacy notice to be shared verbally? There are so many items required for a privacy notice, any verbal sharing of it might feel overwhelming.

Benoit Deshaies: Yeah, I agree. And as I was listing off these things that makes for an unpleasant conversation, but there’s many ways that this can be managed. What I would encourage people to do is if you’re planning to interview someone or have a conversation with them with the purpose of collecting personal information, ahead of doing that share the privacy notice so they have time to read it, to understand it before you actually meet with them and start asking questions.

You can also, at the beginning, give them a quick summary of what is the purpose of the collection, why you’re doing this, what will happen to the personal information. Inform them of their right to recourse and then offer them perhaps a printed copy that they can keep with them and consult as well. These would all be good ways to do it I think.

Flavie Gagné: If a program is amended and personal information is aggregated in order to monitor but not make decisions is a PIA required?

Katherine Glasgow: I think it really comes down to sort of what personal information is involved and how it’s going to be safeguarded and managed. So if we’re talking about aggregated, like this might be something you’re referring to like GBA Plus data about for evaluation purposes and monitoring purposes.

Some of that can be like quite sensitive personal information and so we still want to make sure that you’re reflecting upon like how is it being collected, how is it being aggregated, because again sometimes that can be like a complicated process that’s not always straightforward. And then how is it going to be protected?

So, I would say always good to sort of open the PIA again, reflect how you’re going to… what processes you’re going to put in place for that part of the program. That sort of makes sure that you… you’re headed into this part of the program like eyes wide open and you’re not missing any potential risks that could exist.

Flavie Gagné: How do you determine a substantial modification? And when do you need to update your PIA?

Benoit Deshaies: So that’s a question we started receiving more and more often so we’re planning guidance on this. That’s the good news. But I’ll try to answer it a little bit. Essentially if there’s a change in the information that you collect or use or the way in which you handle it that’s a substantial modification that warrants an updated PIA. I’ll give a few examples of that.

Let’s say you had a form and suddenly because your program needs change you need to collect more information on that form. You need to assess that new information, so that’s a change.

It would also be if there’s a change in the flow of the information. So perhaps before you had a system within your department that’s used to process this personal information but through modernization efforts you’re moving to a cloud-based system. So now the information won’t stay within your organization but they’ll transit through the Internet to a cloud provider. That’s also a substantial modification in the flow of information.

Let’s say you used to use a platform from IBM and then you upgrade to a platform from Microsoft. Well, different vendors have different ways of protecting personal information and so that also warrants a new… an updated PIA to understand that. So these are all examples of changes that would result in a substantial modification.

Something that would not would be you’re applying monthly security patches. So often I’m sure you need to reboot your computer because security patches have been applied. These are not changing the flow of the information, the protection of the information or what personal information is used so these do not need to trigger this requirement. Hopefully that helps clarify, but as I’ve said, we’ll come up with a written guide to help answer that question.

Flavie Gagné: Are there resources on balancing data information with the public interest in sharing data, especially in the context of Indigenous data sovereignty, especially science data co-produced with Indigenous peoples, not like administrative or financial data?

Benoit Deshaies: It’s a complex question and I know it’s one that the Department of Justice is considering as part of their efforts to modernize the Privacy Act. It’s recognized that today the rigidity that’s there is not necessarily providing the flexibility that’s needed so that’s something that’s being studied by our colleagues at Justice.

Flavie Gagné: What’s the difference between personal information and personal data?

Benoit Deshaies: That’s funny. The Commissioner published a piece in The Hill Times I believe it was this morning or yesterday and a colleague shared it. Personal information was used five times and personal data was used 10 or 11 times. But I think largely speaking they’re referring to the same idea, the same concept.

It’s information, it’s data about you as a person. So, it’s really getting into semantics. If you look in the Policy on Service and Digital we do give a definition for information and for data and we clarify what is the distinction, but for the purposes of privacy discussions I think they’re largely the same.

Katherine Glasgow: Yeah, I would say here at the OPC we use them interchangeably. We would see them as the same thing, for sure.

Flavie Gagné: What about the information collected from employees for GCWCC events for fundraising?

Katherine Glasgow: So, definitely employees who are participating in GCWCC, that is… those activities are outside of your job functions, are outside of your job duties, so a lot of that is going to be your personal information, right?

Like Katherine Glasgow participating in the Zumba course or whatever that was led by one of our DCs this past fall, the fact that I did that or that I… whatever amount of money I paid to do that, that’s considered personal information. Of course no one’s making an administrative decision about me based on that personal information but it still needs to be protected and it should be considered personal.

Flavie Gagné: I have another interesting question. Are there plans to develop tools that integrate AI or automation? For example, a tool that would provide immediate advice on privacy needs for an initiative?

Benoit Deshaies: That’s an interesting question and it’s something I’ve tried very informally. For example, I wanted to see how ChatGPT would fill out our PIA templates so I gave it information about the program, I gave it the template and I said, can you fill out this PIA template using the program’s information?

And what we found, and it was a very basic example, like not much thought had been put into it, it was very good at filling out the boilerplate stuff, like what is the name of the program, what is its purpose and so on and so forth.

Where it fell apart a little bit was in identifying the privacy risks. They were the very obvious ones and the analysis lacked depth, as you can imagine, but there was certainly some potential in helping streamline some of the activities and I’ve had conversations with some departments that are doing experiments in the same vein, trying to streamline some of the processes.

But so far it seems to be, let’s say, administrative help, but I would really caution people and encourage people to leverage their ATIP professionals and their privacy professionals when it comes time to identify the privacy risks and the best ways to manage them rather than rely on these tools.

Flavie Gagné: And maybe to add on that, the OPC, we might not be a tool like leveraging AI or automation but we do offer consultation if you need any advice regarding your initiative, your program related to privacy, we’re there. We’re pretty fast on scheduling consultation so don’t hesitate to reach out to us.

Katherine Glasgow: Yes, Flavie and I haven’t yet been turned into AI. They’re working on it I think. Our CIO might be somewhere in the background working on that. So also I want to apologize, my light keeps turning off in my office so when I go off camera I’m turning the lights back on. This is a return to office scenario where we have to manage the environment more sometimes.

Flavie Gagné: Okay. Does considering IP addresses as personal information create a hard stop in assessing how to manage survey data as an example?

Benoit Deshaies: I don’t think so but I would ask, why do you need to capture IP address that’s associated with the submission of a survey, for example? Maybe it’s not needed. So I would really question why, in that case, it needs to be collected. There are some cases where it must be collected within the government and for those cases we do have guidance. So, for example, we have the policies around the web analytics, and how IP address needs to be managed there.

It’s personal information so it needs to be protected accordingly and there’s ways to do that. But so I wouldn’t say it’s a hard stop but in the context of a survey I would question why you need to collect it at all.

Flavie Gagné: Do you still need to notify individuals of indirect collection when it’s going to be used for a non-administrative purpose per subsection 5.2 of the Privacy Act?

Katherine Glasgow: Well, it can be difficult to notify individuals when there’s an indirect collection because that means you’re not collecting directly from the individual. So, they might not be aware that you’re collecting it if it’s coming from a third party or if you’re doing, in some cases with law enforcement, for example, it’s coming from other sources. So, I would say that’s a real case-by-case example. We want to provide notice as much as possible whenever we can but it’s sort of… it can be a little bit more difficult in a non-direct circumstance.

Benoit Deshaies: Yeah, and I’ll add that as you said, we always try to provide notice even if it’s for non-administrative uses when it’s possible. We have guidance on the use of drones coming up and often these will be for non-administrative uses. But regardless, if you’re going to use a drone it’s best practice to put up a sign to say, look, we’re capturing some footage right now using these things. So, the sign provides a notice.

But as was said, it’s really a case-by-case. So happy to discuss what could be an appropriate notification, and it’s not always required but to the extent possible we try to provide it.

Flavie Gagné: We have time for maybe one more question. Do we always have to go through our ATIP coordinators to connect with the OPC?

Katherine Glasgow: We definitely encourage it. We think that that’s best because your ATIP, your privacy team is going to have to be involved in whatever initiative you’re undertaking. If you’re going to do a PIA, if they’re deciding not to do a PIA and you want to talk about it, your privacy team is really always going to need to be looped in because ultimately, they’re going to be responsible for what PIA or maybe updates to InfoSource might be needed.

So, I would say it’s a best practice to always loop in your ATIP coordinator or some offices have like privacy management offices specifically with privacy management directors, so I would loop them in. That’s really going to be the best-case scenario for you and your initiative at the end of the day is to make sure that they’re included in the conversation.

Flavie Gagné: I think we have time for another question. What skill sets should we look for in someone leading PIA?

Katherine Glasgow: Time management, detail-oriented, someone with really good communication skills who’s going to know how to… which people to reach out to and how to coordinate with them and some writing skills as well. It’s probably what I would say. Benoit?

Benoit Deshaies: These are all great and really like an understanding and knowledge of the people impacted by this. So who are the people whose personal information we’re using and what would it mean to them how we manage this information, what happens if it’s breached, things like that. What are the consequences? So really a good understanding of the clients of the government in this case.

Flavie Gagné: Okay. I don’t see any other question. So maybe we can… oh, I got a new one and we still have time, we have one minute left. Any intentions to provide a privacy notice template to streamline for modifying a PIB? Are changes to the templates by department accepted or necessary?

Benoit Deshaies: And I hate to end like this but unfortunately, I don’t know the answer, I would need to check with my team.

Flavie Gagné: All right. Well, it’s 3:00 o’clock, we don’t have any more questions that I’m seeing on my screen. So, I just want to thank everyone for your participation in this session, it was very informative. I want to thank also TBS for organizing it, Benoit, Kat, Pascal and Mike, it was a very great session and thanks to you all.

Katherine Glasgow: Thank you, Flavie. Thank you, Benoit. Thank you, Pascal. Thank you, Mike.

Benoit Deshaies: Thanks, everyone.

Flavie Gagné: Have a great day.


 
