This page has been archived.
Author/Information:
Financial and Information Management Branch
Treasury Board Secretariat
Telephone: (613) 957-2409
Last Revision: December 1, 1993
Alternative Formats: This publication is available in alternative formats.
To ensure the effective and consistent application of the provisions of the Privacy Act and the Privacy Regulations by government institutions.
To ensure that data-matching and data linkage of personal information for administrative purposes meet the requirements of that legislation.
To limit collection and use of the Social Insurance Number (SIN) for administrative purposes to those permitted by specific acts, regulations and programs and to establish conditions for its collection.
It is the policy of the government:
The Privacy Act and Regulations (see Chapters 4-1 and 4-2) provide the legal framework for carrying out the government's policies in regard to protection of personal information, access to such information, data-matching and control of the Social Insurance Number.
An interpretation of the provisions of the Privacy Act and Regulations needed to implement this policy is set out in the guidelines.
This policy applies to all institutions listed in the Schedule to the Privacy Act, except the Bank of Canada.
1. Government institutions must have in place a current Delegation Order signed by the head of the institution which lists responsibilities delegated under section 73 of the Privacy Act, if any, and specifies the officials to whom each responsibility is delegated. A list of responsibilities which may be delegated by the head of the institution is contained in Chapter 3-1.
2. Government institutions must appoint an official, known as the Privacy Co-ordinator, who will generally co-ordinate activities relating to the Privacy Act for the institution.
3. Government institutions must have appropriate administrative controls in place to ensure that they do not collect any more personal information than is required for their programs or activities.
4. Government institutions must inform individuals from whom personal information is to be collected:
4.2 whether response is voluntary or is required by law;
4.3 of the possible consequences of refusing to respond;
4.4 that the individual to whom the information pertains has rights of access to and protection of the personal information under the Privacy Act; and
4.5 of the registration number of the personal information bank in which the information to be collected is to be contained.
Note: This requirement may not apply in a limited number of situations where notifying an individual would result in the collection of inaccurate or misleading information. These situations are discussed in the guidelines in Part 2.
5. Government institutions, in addition to the requirements of the Privacy Act, must ensure:
5.2 that the right to protection of privacy is fully considered where the Privacy Act allows discretion to disclose personal information;
5.3 that authority to disclose personal information to federal investigative bodies under paragraph 8(2)(e) of the Privacy Act is restricted to senior officials and that requests for such disclosures meet all the conditions set out in Chapter 3-6;
5.4 that a separate personal information bank is maintained for records of disclosures to federal investigative bodies. The bank must include a copy of the request and a copy of the personal information disclosed;
5.5 that any agreements made for the disclosure of information to other governments or international organizations under paragraph 8(2)(f) of the Privacy Act meet the minimum requirements set out in Chapter 3-6. These agreements must be indicated in all appropriate personal information bank descriptions in Info Source; and
5.6 that research privileges are withdrawn from any person or body discovered to be improperly disclosing personal information under the research and statistical purposes provision in paragraph 8(2)(j) of the Privacy Act, and that immediate steps are taken to prevent further disclosure of the personal information.
6. Government institutions must account for and describe their holdings of personal information in accordance with the government-wide standards periodically issued by Treasury Board Secretariat.
7. Government institutions must:
7.2 satisfy themselves as to the identity of an individual requesting access to personal information under the Privacy Act and their qualification for rights under the Act. They must also satisfy themselves as to the identity and rights of anyone who purports to represent another individual for the purposes of the Act; and
7.3 record all administrative actions taken in processing requests for access, correction or notation under the Privacy Act, where such actions are required by the Act or regulations. Administrative actions taken must be recorded in such a manner as to account for all deliberations and decisions regarding the processing of such requests.
8. Where the personal information to be disclosed to an individual with a sensory disability already exists in more than one alternative format which is acceptable to that individual, access shall be given in the alternative format they prefer.
When determining the necessity of conversion to an alternative format under paragraph 17(3)(b), among other factors that may be considered, the institution must consider the requestor's certification of their disability.
When determining whether the conversion of requested information to an alternative format is reasonable under paragraph 17(3)(b), among other factors that may be considered, government institutions shall consider:
9. Government institutions must consult through their institutional legal counsel with the Legal Counsel, Privy Council Office when information which may be considered to be Confidences of the Queen's Privy Council for Canada has been identified in response to a request for access to personal information under the Privacy Act, and must provide all the necessary related documents to the Privy Council Office.
10. Government institutions must:
10.2 ensure that due regard is given to the injury or detrimental effect on the interest specified in the exemption when discretion to exempt information is provided;
10.3 ensure that any decision to give or refuse access is made by an official with properly delegated authority and that the written exemption notification to the applicant is signed by someone to whom this authority has been properly delegated;
10.4 specify in their response to the applicant the subsection or paragraph of the Act upon which each exemption is based, except where to do so would reveal exempted information or cause the injury which forms the basis for the exemption; and
10.5 indicate the exemptions in a manner which allows the applicant to relate the particular exemptions to specific documents or portions of documents which have been withheld, except where to do so would reveal exempted information or cause the injury which forms the basis for the exemption.
11. Government institutions must consult with:
11.2 National Defence before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the defence of Canada or any state allied or associated with Canada;
11.3 the government institution having the primary interest (i.e. the Department of the Solicitor General, the R.C.M.P., the Canadian Security Intelligence Service, National Defence or External Affairs) before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the detection, prevention, or suppression of crime or of activities suspected of constituting threats to the security of Canada within the meaning of the CSIS Act;
11.4 the investigative body or other government institution with primary interest in the law being enforced or investigation being undertaken before determining to exempt or disclose personal information on the basis of injury to the enforcement of a law of Canada or a province or the conduct of lawful investigations, or, in the case of the security of penal institutions, with the Correctional Service of Canada;
11.5 the investigative body that provided the information before determining to exempt or disclose personal information regarding a security clearance; and
11.6 the supplying institution before determining to exempt or disclose personal information the disclosure of which could affect the safety of individuals.
12. These consultations must be undertaken with or initiated through either the Privacy Co-ordinator or the official in that institution with delegated authority to exempt or disclose the information.
13. Government institutions must consult with Treasury Board on any proposal for the establishment or revocation of an exempt bank.
14. Government institutions must submit to the Designated Minister any requests to designate exempt personal information banks. Requests for exempt banks submitted to the Designated Minister must include:
14.2 the specific exemption provision under which the information requires protection, including, for exemption provision 22(1)(a)(ii), the law concerned (e.g. the Income Tax Act) and, for any injury test exemption, a statement of the expected detrimental effect;
14.3 an explanation, including cost implications, of why the information should be placed in an exempt bank rather than being subject to review on a case-by-case basis;
14.4 certification that all the files in the bank consist predominantly of personal information of the type described in Sections 21 or 22 of the Privacy Act and that procedures are in place to ensure that files are reviewed on an ongoing basis;
14.5 a draft Order in Council; and
14.6 a draft Regulatory Impact Analysis Statement.
15. Government institutions must conform to the principles of the Employee Privacy Code set out in Chapter 3-3.
16. Government institutions must notify the Privacy Commissioner of any planned initiatives (legislation, regulations, policies, programs) that may relate to the Privacy Act or any of its provisions, or that may have an impact on the privacy of Canadians. This notification must take place at a sufficiently early stage to permit the Commissioner to review and discuss the issues involved.
17. Government institutions must:
17.2 not withhold any right, benefit or privilege nor impose any penalty by reason of an individual's refusal to disclose the SIN to a government institution except for the purposes set out in Chapter 3-4 or as otherwise authorized by Parliament;
17.3 when collecting the SIN, inform the individual of the purpose for which the number is being collected; the authority under which the number is required; and whether any right, benefit or privilege can be withheld or penalty imposed if the number is not disclosed; and
17.4 when the SIN is included in any personal information bank, so indicate in the description of the bank provided for Info Source and cite the authority under which the number is collected and the purposes for which it is used.
Data-matching is defined as the comparison of personal data obtained from different sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains. Data-matching is therefore a specialized activity involving the collection, use and disclosure of personal information. Included in the definition of data-matching is data linkage, also known as data profiling.
18. Prior to initiating a matching program, government institutions must assess the feasibility of the proposed match. They must analyse the potential impact on the privacy of individuals and the costs and benefits of the data-matching program.
19. Government institutions must notify the Privacy Commissioner of a new matching program by providing him with a copy of their assessment of the program at least 60 days before it is to begin.
20. A data-matching program must be approved only by the head of the government institution or an official specifically delegated this authority by the head.
21. Government institutions must account for all matching activities in Info Source.
22. Government institutions must subject information generated by a matching program to verification with original or additional authoritative sources before that information is used for an administrative purpose.
The annual reports to Parliament required by the Privacy Act will be used to monitor compliance with this policy. Compliance with the SIN and data-matching provisions of this policy will be monitored through the advance notification and public accounting requirements. The Office of the Privacy Commissioner and internal audit groups within institutions will examine the institution's success in meeting the requirements for privacy and data protection.
This policy is issued under the authority of the Designated Minister (President of the Treasury Board) provided in Section 71 of the Privacy Act.
Chapters of the Treasury Board Manual that relate to this policy are:
This policy replaces directives in:
All enquiries about this policy should be directed to the Privacy Co-ordinator of the institution concerned.
For policy interpretation, the Privacy Co-ordinator should contact the Information, Communications and Security Policy Division, Administrative Policy Branch, Treasury Board Secretariat.