Directive on Privacy Practices

Provides direction to government institutions on how to implement effective privacy practices.
Date modified: 2024-11-08

Supporting tools

Mandatory procedures:

More information

Policy:

Terminology:

Topic:

Hierarchy
View complete hierarchy

Archives

This directive replaces:

View all inactive instruments
Print-friendly XML

Appendix C: Standard on Privacy Impact Assessment

C.1 Effective date

  • C.1.1This standard takes effect on October 9, 2024.
  • C.1.2

    This standard applies to all programs and activities that involve the creation, collection, use, disclosure, retention or disposal of personal information. However,

    • C.1.2.1Institutions will have until October 10, 2025, to meet the requirements in subsections C.2.2.1.2 and C.2.2.9.4 of this standard.

C.2 Standards

  • C.2.1This standard provides details on the requirements set out in section 4 of the Directive on Privacy Practices.
  • C.2.2

    Standards are as follows:

    Personal information banks

    • C.2.2.1

      Prepare a personal information bank (PIB):

      • C.2.2.1.1

        Prior to undertaking a new program or activity that uses personal information:

        • C.2.2.1.1.1For an administrative purpose; or
        • C.2.2.1.1.2Where the personal information is organized and retrievable by the name of an individual or by an identifying number, symbol or other particular assigned to an individual; and
      • C.2.2.1.2

        When there is no PIB for an existing program or activity that uses personal information:

        • C.2.2.1.2.1For an administrative purpose; or
        • C.2.2.1.2.2Where the personal information is organized and retrievable by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.
    • C.2.2.2

      Update an existing PIB when:

      • C.2.2.2.1Substantial modifications are to be made to the program or activity; or
      • C.2.2.2.2Editorial changes or corrections are to be made to the PIB.
    • C.2.2.3Terminate a PIB when confirmation is received that the records or personal information referred to in the PIB have been disposed of in accordance with the institution’s Records Disposition Authority and are no longer under the control of the institution.
    • C.2.2.4

      To register, update, transfer or terminate a PIB:

      • C.2.2.4.1Submit a request to the Treasury Board of Canada Secretariat (TBS);
      • C.2.2.4.2Consider and respond to recommendations from TBS;
      • C.2.2.4.3Obtain the approval of the President of the Treasury Board unless otherwise specified in the terms and conditions of a delegation under subsection 71(6) of the Privacy Act; and
      • C.2.2.4.4Update the TBS-prescribed repository for new, substantially modified, edited or terminated personal information banks.
    • C.2.2.5

      When preparing, updating, transferring or terminating a PIB, use the following means:

    Documentation

    • C.2.2.6

      Document decisions to initiate or update privacy impact assessments (PIAs), multi-institutional PIAs and privacy protocols:

      • C.2.2.6.1Prior to undertaking a new program or activity that could involve the creation, collection, use, disclosure, retention or disposal of personal information; or
      • C.2.2.6.2When the institution intends to substantially modify an existing program or activity;
      • C.2.2.6.3

        Using the following means:

    • C.2.2.7

      Obtain approval of the Privacy Checklist from:

      • C.2.2.7.1The executive or senior official who manages the program or activity; and
      • C.2.2.7.2The official responsible for section 10 of the Privacy Act.
    • C.2.2.8Prior to initiating a PIA that involves more than one institution, provide a copy of the approved Privacy Checklist to TBS and the Office of the Privacy Commissioner (OPC), while respecting Cabinet confidences.

    Privacy impact assessments

    • C.2.2.9

      Complete a PIA or update an existing PIA:

      • C.2.2.9.1Prior to undertaking a new program or activity that will involve the creation, collection, use, disclosure, retention or disposal of personal information for an administrative purpose;
      • C.2.2.9.2

        When substantial modifications are to be made to an existing program or activity that uses personal information for an administrative purpose, including through:

        • C.2.2.9.2.1The use of any new or modified information technology or other process;
        • C.2.2.9.2.2The involvement of any other institution or any third party under contract, agreement or arrangement with the institution;
        • C.2.2.9.2.3The use of an automated decision system that would require compliance with the Directive on Automated Decision-Making; or
      • C.2.2.9.3When the official responsible for section 10 of the Privacy Act determines that a PIA is warranted given the potential risks associated with any administrative or non-administrative use of personal information; or
      • C.2.2.9.4When an existing program or activity that uses personal information for an administrative purpose does not already have a PIB;
    • C.2.2.10When initiating a multi-institutional PIA, appoint a lead institution for the completion of the PIA.
    • C.2.2.11

      When completing or updating an existing PIA, using the following means:

    • C.2.2.12

      Provide to TBS and the OPC:

      • C.2.2.12.1All completed PIAs; and
      • C.2.2.12.2Any information related to a PIA requested by TBS or the OPC, while respecting Cabinet confidences.
    • C.2.2.13Consider and respond to recommendations from TBS and the OPC related to a PIA.
    • C.2.2.14Obtain approval of the PIA from the executive or senior official who manages the program or activity and the official responsible for section 10 of the Privacy Act.
    • C.2.2.15

      Following the approval of the PIA, publish a summary that respects security, confidentiality and legal requirements, using the following means:

    • C.2.2.16Implement the risk mitigation measures identified in the PIA.
    • C.2.2.17Review and update the risk mitigation measures identified in the PIA annually or as risks are mitigated.

    Privacy protocols

    • C.2.2.18Complete or update a privacy protocol when a program or activity involves the creation, collection, use, disclosure, retention or disposal of personal information for a non-administrative purpose.
    • C.2.2.19

      When completing a privacy protocol, document the following at a minimum:

      • C.2.2.19.1The name of the program or activity;
      • C.2.2.19.2The name and contact information of the official responsible for the program or activity;
      • C.2.2.19.3A description of the program or activity;
      • C.2.2.19.4The purpose for the collection of the personal information;
      • C.2.2.19.5The legal authority for the collection of personal information;
      • C.2.2.19.6The elements of personal information being collected as part of the program or activity;
      • C.2.2.19.7Whether proper notification was given for the collection of personal information;
      • C.2.2.19.8

        Whether personal information will be disclosed, and if so:

        • C.2.2.19.8.1The purpose for the disclosure of personal information; and
        • C.2.2.19.8.2The legal authority to disclose personal information;
      • C.2.2.19.9The safeguards in place to protect the personal information; and
      • C.2.2.19.10The retention and disposal standards that will apply to the program or activity.
    • C.2.2.20Obtain approval of the privacy protocol from the executive or senior official who manages the program or activity and the official responsible for section 10 of the Privacy Act.
    • C.2.2.21

      When registering, modifying or transferring a PIB for a program or activity that uses personal information for a non-administrative purpose, provide to TBS and the OPC:

      • C.2.2.21.1The approved privacy protocol for the program or activity; and
      • C.2.2.21.2Any information related to the privacy protocol requested by TBS or the OPC, while respecting Cabinet confidences.
    • C.2.2.22Consider and respond to recommendations from TBS or OPC related to privacy protocols.
Report a problem or mistake on this page
Date modified: