DAOD 1002-3, Personal Information Management
Table of Contents
- Introduction
- Definitions
- Objectives and Expected Results
- Overview
- Collection of Personal Information
- Use and Disclosure of Personal Information
- Retention and Disposal of Personal Information
- Accuracy of Personal Information
- Privacy Impact Assessment
- Privacy Notices
- Web Analytics and Social Media
- Administrative, Technical and Physical Safeguards
- Info Source
- Privacy Incident Management
- Privacy Training and Awareness
- Compliance and Consequences
- Responsibilities
- References
1. Introduction
Date of Issue: 2004-10-01
Date of Last Modification: 2019-04-10
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).
Approval Authority: Corporate Secretary (Corp Sec)
Enquiries: Director Access to Information and Privacy (DAIP)
2. Definitions
administrative purpose (fins administratives)
The use of personal information about an individual "in a decision making process that directly affects that individual" (section 3 of the Privacy Act). This includes all uses of personal information for confirming identity (in other words, authentication and verification purposes) and for determining eligibility of individuals for government programs. (Policy on Privacy Protection, Treasury Board)
classes of personal information (catégories de renseignements personnels)
Personal information that is not intended to be used for an administrative purpose or that cannot be retrieved by the name of the individual or another personal identifier (e.g., unsolicited opinions and general correspondence). (Directive on Privacy Practices, Treasury Board)
consistent use (usage compatible)
A use that has a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled. This means that the original purpose and the proposed purpose are so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out. (Policy on Privacy Protection, Treasury Board)
disclosure (divulgation)
The release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person. (Directive on Privacy Practices, Treasury Board)
exempt bank (fichier inconsultable)
A personal information bank that describes files, all of which consist predominantly of personal information that relates to international affairs, defence, law enforcement and investigation, as outlined in sections 21 and 22 of the Privacy Act. The head of a government institution can refuse to disclose any personal information requested that is contained in an exempt bank. (Policy on Privacy Protection, Treasury Board)
government institution (institution fédérale)
Means
a) any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule of the Privacy Act, and
b) any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act.
(Section 3 of the Privacy Act)
Info Source (Info Source)
A series of annual Treasury Board Secretariat publications in which government institutions are required to describe their institutions, program responsibilities and information holdings, including personal information banks and classes of personal information. The descriptions are to contain sufficient clarity and detail to facilitate the exercise of the right of access under the Privacy Act. Data-matching activities, use of the social insurance number and all activities for which privacy impact assessments were conducted have to be cited in Info Source personal information banks, as applicable. The Info Source publications also provide contact information for government institutions as well as summaries of court cases and statistics on access requests. (Policy on Privacy Protection, Treasury Board)
personal information (renseignements personnels)
Means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,
(f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,
(g) the views or opinions of another individual about the individual,
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
(i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,
but, for the purposes of sections 7, 8 and 26 and section 19 of the Access to Information Act, does not include
(j) information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including,
(i) the fact that the individual is or was an officer or employee of the government institution,
(ii) the title, business address and telephone number of the individual,
(iii) the classification, salary range and responsibilities of the position held by the individual,
(iv) the name of the individual on a document prepared by the individual in the course of employment, and
(v) the personal opinions or views of the individual given in the course of employment,
(k) information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, the name of the individual and the opinions or views of the individual given in the course of the performance of those services,
(l) information relating to any discretionary benefit of a financial nature, including the granting of a licence or permit, conferred on an individual, including the name of the individual and the exact nature of the benefit, and
(m) information about an individual who has been dead for more than twenty years.
(Section 3 of the Privacy Act)
personal information bank (fichier de renseignements personnels)
A description of personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution. (Policy on Privacy Protection, Treasury Board)
privacy impact assessment (évaluation des facteurs relatifs à la vie privée)
A policy process for identifying, assessing and mitigating privacy risks. Government institutions are to develop and maintain privacy impact assessments for all new or modified programs and activities that involve the use of personal information for an administrative purpose. (Policy on Privacy Protection, Treasury Board)
privacy notice (avis de confidentialité)
A verbal or written notice informing an individual of the purpose of a collection of personal information and of the government institution's authority for collecting, including creating, using and disclosing the information. The notice, which must reference the personal information bank described in Info Source, also informs the individual of his or her right to access, and request the correction of, the personal information and of the consequences of refusing to provide the information requested. (Directive on Privacy Practices, Treasury Board)
privacy practices (pratiques relatives à la protection de la vie privée)
All practices related to the creation, collection, accuracy, correction, use, disclosure, retention and disposition of personal information. (Directive on Privacy Practices, Treasury Board)
program or activity (programme ou activité)
For the purposes of the appropriate collection, use or disclosure of personal information by government institutions subject to the Policy on Privacy Protection, a program or activity that is authorized or approved by Parliament. Parliamentary authority is usually contained in an Act of Parliament or subsequent Regulations. Parliamentary authority can also be in the form of approval of expenditures proposed in the Estimates and as authorized by an appropriation Act. Also included in this definition are any activities conducted as part of the administration of the program. (Policy on Privacy Protection, Treasury Board)
substantial modification (modification importante)
Refers to a change or an amendment to the privacy practices related to a particular program or activity, which is reflected in a personal information bank description. This includes any change or amendment to the privacy practices related to activities that use automated or technological means to identify, create, analyze, compare, extract, cull, match or define personal information. (Directive on Privacy Impact Assessment, Treasury Board)
3. Objective and Expected Results
Objective
3.1 The objective of this DAOD is to facilitate the implementation and public reporting of consistent and sound privacy management practices for the creation, collection, accuracy, correction, use, disclosure, retention and disposition of personal information under the control of the DND and the CAF.
Expected Results
3.2 It is expected that by following the instructions set out in this DAOD that personal information will only be created, collected, used, disclosed, retained and disposed of in a manner that respects the provisions of the Privacy Act and the Privacy Regulations.
3.3 This DAOD sets out clear responsibilities for DND employees and CAF members for personal information management in accordance with the Privacy Act and the Privacy Regulations.
4. Overview
Context
4.1 The Privacy Act and the Privacy Regulations provide the legal framework for privacy practices of personal information required in the administration of programs and activities by government institutions.
4.2 The Deputy Minister, Chief of the Defence Staff and level one advisors (L1s) are ultimately responsible for ensuring that sound privacy practices are implemented in daily operations in their organizations and that access to personal information is limited to those who need it in the performance of their duties.
4.3 To facilitate requests for access to information under the Access to Information Act and the Privacy Act, the DND and the CAF are required to inform the public, DND employees and CAF members about the privacy practices of personal information, and provide individuals with access to information about themselves. The underlying principle is that individuals have the basic right to control their personal information and know:
- why it is collected by the government;
- how it will be used;
- how long it will be kept; and
- who will have access to it.
4.4 DND employees and CAF members regularly create, collect, access, use, disclose, retain and dispose of large amounts of personal information about DND employees and CAF members and other individuals in and outside of Canada. The Privacy Act sets controls and restrictions on the handling of personal information. DND employees and CAF members must recognize that privacy protection is an essential element in maintaining public trust and that they therefore have a vital role in protecting the personal information that is under their control.
4.5 Privacy impacts and risks for all programs and activities of the DND and the CAF must be identified, assessed and mitigated using sound personal information management practices.
4.6 All DND employees and CAF members must be aware of the policies and procedures relating to personal information under the control of the DND and the CAF, and of their legal responsibilities under the Privacy Act and the Privacy Regulations.
4.7 This DAOD is to be read in conjunction with the Instructions on Personal Information Management, which provides specific direction and guidance regarding principles and practices for the management of personal information under the control of the DND and the CAF.
4.8 This DAOD also outlines the requirements of sections 4 to 8 of the Privacy Act that govern the collection, retention, accuracy, disposal, use and disclosure of personal information, as well as associated Treasury Board (TB), DND and CAF policies, directives, standards and guidelines that affect personal information. Personal information management principles, combined with robust personal information management practices, form a framework that fosters a DND and CAF culture that is sensitive to, and protective of, all personal information under the control of the DND and the CAF.
5. Collection of Personal Information
Authorized Program or Activity
5.1 DND employees and CAF members must not collect personal information unless it relates directly to an authorized program or activity of the DND and the CAF.
Limited Collection
5.2 Each element of personal information collected by the DND and the CAF must be directly related to and demonstrably necessary to carry out an authorized program or activity of the DND and the CAF.
Creation of Personal Information
5.3 Personal information that is created by the government institution is also considered a collection under the Privacy Act.
Establishment of a Personal Information Bank (PIB)
5.4 A PIB must be established prior to collecting personal information to administer a program or activity of the DND and the CAF if the personal information will be:
- used or be available for use for an administrative purpose; or
- organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.
5.5 The PIB description includes the purpose of the collection, class of individuals in the PIB, authorized uses consistent with the original purpose for the collection, and plans for the retention and disposal of the personal information.
Exempt Banks
5.6 Exempt banks are PIBs that describe files consisting primarily of personal information related to international affairs, defence, law enforcement and investigation. The head of a government institution may refuse to disclose any personal information requested that is contained in an exempt bank.
5.7 Exempt banks are designated by Governor in Council order. Any proposal for an exempt bank of personal information under the control of the DND and the CAF must be submitted to the Treasury Board Secretariat (TBS) with a draft order in council and regulatory impact analysis statement.
Direct Collection and Right to be Informed
5.8 Personal information that is to be used for an administrative purpose must be collected, wherever possible, directly from the individual to whom it relates. Individuals must be informed of the purpose for which personal information is being collected. The requirement for the direct collection of personal information from an individual carries with it implicit consent to the collection.
5.9 The Privacy Act sets out the following three exceptions to the requirement for direct collection and the requirement to inform individuals about the collection of their personal information:
- collection from another source is allowed if the individual has provided written consent for the indirect collection;
- direct collection is not required if personal information was previously collected from the individual by another government institution, which is permitted to disclose the information in accordance with subsection 8(2) of the Privacy Act; and
- there is an exception to direct collection, as well as to the requirement to inform individuals about the collection of their personal information, in limited instances, such as an investigation, during which personal information may be collected without the knowledge or consent of an individual from another source when direct collection or knowledge of the collection could result in collecting inaccurate information, or when it might defeat the purpose or prejudice the use for which the information is collected.
5.10 If personal information is collected indirectly, measures must be implemented to ensure that:
- the personal information is obtained from a reliable source; or
- the accuracy of the personal information can be verified or validated before use.
Consent
5.11 Although personal information that is to be used for an administrative purpose must be collected, wherever possible, directly from the individual to whom it relates, consent to the collection of the personal information is not required if:
- the individual to whom the information relates has already consented to the indirect collection;
- personal information may be disclosed to the institution under subsection 8(2) of the Privacy Act;
- consent would result in the collection of inaccurate information; or
- consent would defeat the purpose or prejudice the use for which the information is collected.
5.12 Obtaining the consent of an individual to a collection of personal information does not provide the DND and the CAF with the authority to collect that personal information. Personal information intended to support a program or activity of the DND and the CAF must only be collected if it relates directly to the program or activity.
Social Insurance Number (SIN)
5.13 A SIN may only be collected or used by the DND and the CAF for administrative or non-administrative purposes expressly authorized by the TB Directive on Social Insurance Number.
6. Use and Disclosure of Personal Information
Use and Disclosure
6.1 Personal information under the control of the DND and the CAF must not, without the consent of the individual to whom it relates, be used by the DND and the CAF except for:
- the purpose for which the information was obtained or compiled by the DND and the CAF or a use that is consistent with that purpose; or
- a purpose for which the information may be disclosed to the DND and the CAF under subsection 8(2) of the Privacy Act.
6.2 The personal information of an individual may be disclosed with the written consent of that individual. See DAOD 1002-6, Disclosure of Personal Information, for additional information.
Consistent Use
6.3 Any consistent use of personal information must be described in the approved PIB that authorizes the collection of the information. If a new consistent use for the information is identified, DAIP must be notified.
Consent
6.4 Individual consent is required if personal information is to be:
- used for a purpose other than the original authorized purpose;
- used for a purpose that is not a consistent use described in the authorized PIB; or
- disclosed for a purpose not listed in subsection 8(2) of the Privacy Act.
Information Sharing or Disclosure
6.5 If personal information under the control of the DND and the CAF is shared between DND and CAF organizations, or disclosed to external parties on a routine and systematic basis, the sharing or disclosure must be accounted for in the applicable PIB. If sharing or disclosures are not described in the PIB and additional control measures are required, a formal information sharing agreement should be considered. In all cases, the office of primary interest for the program or activity area that has control of the personal information can determine whether sharing or disclosure is appropriate. The advice of DAIP and legal advisors should be sought.
7. Retention and Disposal of Personal Information
Records Disposition Authority (RDA)
7.1 Personal information must be retained and disposed of in accordance with applicable RDAs. See the Defence Subject Classification and Disposition System and DAOD 6001-1, Recordkeeping, for additional information.
Minimum Two-Year Retention
7.2 Personal information under the control of the DND and the CAF that has been used or is available for use for an administrative purpose must be retained for a period of at least two years following the last administrative action. Subject to applicable laws and policies, the DND and the CAF may dispose of personal information within the two-year period if the individual consents to its disposal.
Emergency
7.3 In the event of an emergency, personal information under the control of the DND and CAF that is held at a post outside Canada may be destroyed in order to prevent its removal from control of the DND and CAF.
8. Accuracy of Personal Information
All Reasonable Steps
8.1 DND employees and CAF members must take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date and complete as possible.
Correction of Personal Information
8.2 Any request for the correction of personal information under the control of the DND and the CAF must be forwarded to DAIP. See DAOD 1002-1, Privacy Act Requests and Correction of Personal Information, for additional information.
9. Privacy Impact Assessment
Privacy Impact Assessment (PIA) Initiation
9.1 A PIA must be initiated if:
- personal information is used for or is intended to be used as part of a decision-making process that directly affects individuals;
- a substantial modification is being made to an existing program or activity in which personal information is used or intended to be used for administrative purposes;
- the contracting out or transfer of a program or activity to another level of government, a private sector entity or an individual results in a substantial modification to the program or activity; or
- decisions that directly affect individuals are not being made but there will be an impact on privacy that warrants the conduct of a PIA.
Procedures
9.2 Procedures for PIAs are set out in DAOD 1002-5, Privacy Impact Assessment.
10. Privacy Notices
Requirement to Provide a Privacy Notice
10.1 A privacy notice must be provided when the DND and the CAF collect personal information directly from an individual, either verbally, in writing or online. See the Instructions on Privacy Notices for additional information.
Exception
10.2 A privacy notice is not required if it might result in collecting inaccurate information or might defeat the purpose or prejudice the use for which the information is being collected
11. Web Analytics and Social Media
Websites and Web applications
11.1 DND employees and CAF members responsible for DND and CAF websites and Web applications that involve personal information must provide a privacy notice and ensure that users are informed about their rights, responsibilities and legal obligations under the Privacy Act. See Appendix B of the TB Standard on Privacy and Web Analytics for privacy notice requirements.
11.2 DND and the CAF websites that collect personal information must include a personal information collection statement that informs users that personal information will be collected. See the TB Terms and Conditions – Privacy Notice for additional information.
Internet Protocol (IP) Address
11.3 The collection by the DND and the CAF of any IP address or any other personal information for the purpose of web analytics must comply with the Standard on Privacy and Web Analytics.
12. Administrative, Technical and Physical Safeguards
Appropriate Safeguards
12.1 Personal information under the control of the DND and the CAF must be protected using administrative, technical and physical safeguards appropriate to the sensitivity of the information, the risks identified and the manner in which the information is stored, handled and transmitted.
13. Info Source
General
13.1 Personal information under the control of the DND and the CAF must be described in a PIB or a class of personal information, and published in the DND and CAF Info Source chapter.
13.2 All PIBs and classes of personal information must be:
- aligned with the DND and the CAF Program Alignment Architecture for corporate planning and reporting purposes; and
- reported to DAIP for publication in the DND and CAF Info Source chapter.
13.3 All personal information collected by the DND and the CAF that is not related to a decision-making process that directly affects an individual, or cannot be retrieved by the name of an individual or an identifying number, symbol or other particular assigned to an individual, must be described in the DND and CAF Info Source chapter in classes of personal information.
14. Privacy Incident Management
Privacy Breach
14.1 A privacy breach is the improper or unauthorized creation, collection, use, disclosure, retention or disposition of personal information.
14.2 Any allegation of a privacy breach must be reported to DAIP. Only DAIP may determine if a privacy breach has occurred.
14.3 Procedures for privacy incident management are set out in DAOD 1002-4, Privacy Incident Management. DND and CAF organizations are encouraged to implement internal procedures for managing privacy incidents but such procedures must be consistent with those in DAOD 1002-4.
15. Privacy Training and Awareness
Appropriate training
15.1 DAIP is responsible for ensuring that personal information management training and necessary tools are available to DND employees and CAF members.
15.2 L1s must ensure that all DND employees and CAF members in their organizations who are responsible for managing, handling, using or accessing personal information receive appropriate training.
16. Compliance and Consequences
Compliance
16.1 DND employees and CAF members must comply with the Privacy Act, the Privacy Regulations, this DAOD and the Instructions on Personal Information Management. Should clarification of these laws, policies or instructions be required, DND employees and CAF members may seek direction through their channel of communication or chain of command, as appropriate. Managers and military supervisors have the primary responsibility for and means of ensuring the compliance of their DND employees and CAF members with the Privacy Act, the Privacy Regulations, this DAOD and the Instructions on Personal Information Management.
Consequences of Non-Compliance
16.2 DND employees and CAF members are accountable to their respective managers and military supervisors for any failure to comply with the Privacy Act, the Privacy Regulations, this DAOD or the Instructions on Personal Information Management. Non-compliance may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. Managers and military supervisors must take or direct appropriate corrective measures if non-compliance with this DAOD has consequences for the DND or the CAF. The decision of an L1 or other senior official to take action or to intervene in a case of non-compliance, other than in respect of a decision under the Code of Service Discipline regarding a CAF member, will depend on the degree of risk based on the impact and likelihood of an adverse outcome resulting from the non-compliance and other circumstances of the case.
16.3 The nature and severity of the consequences resulting from non-compliance should be commensurate with the circumstances of the non-compliance and other relevant circumstances. Consequences of non-compliance may include one or more of the following:
- the ordering of the completion of appropriate learning, training or professional development;
- the entering of observations in individual performance evaluations;
- increased reporting and performance monitoring;
- the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
- the reporting of suspected offences to responsible law enforcement agencies;
- the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions;
- other administrative action, including the imposition of disciplinary measures, for a DND employee;
- other administrative or disciplinary action, or both, for a CAF member; and
- the imposition of liability on the part of Her Majesty in right of Canada, DND employees and CAF members.
Note – In respect to the compliance of DND employees, see the TB Framework for the Management of Compliance for additional information.
16.4 Non-compliance with the Privacy Act or the Privacy Regulations also poses a risk to the DND and the CAF as institutions and could result in the loss of public confidence and reputation, financial loss, legal implications, and risk to national interests and operations.
17. Responsibilities
Responsibility Table
17.1 The following table identifies the responsibilities associated with this DAOD:
| The … |
is or are responsible for... |
|---|---|
| Corp Sec |
|
| L1s |
|
| DAIP |
|
| DND employees and CAF members |
|
18. References
Acts, Regulations, Central Agency Policies and Policy DAOD
- Access to Information Act
- Financial Administration Act
- Privacy Act
- Statutory Instruments Act
- Privacy Regulations
- Framework for the Management of Compliance, Treasury Board
- Policy on Privacy Protection, Treasury Board
- Directive on Privacy Impact Assessment, Treasury Board
- Directive on Privacy Practices, Treasury Board
- Directive on Privacy Requests and Correction of Personal Information, Treasury Board
- Directive on Social Insurance Number, Treasury Board
- Directive on the Management of Communications, Treasury Board
- Standard on Privacy and Web Analytics, Treasury Board
- Guidelines for Privacy Breaches, Treasury Board
- Terms and Conditions – Privacy Notice, Treasury Board
- DAOD 1002-0, Administration of the Privacy Act
Other References
- DAOD 1002-1, Privacy Act Requests and Correction of Personal Information
- DAOD 1002-2, Informal Requests for Personal Information
- DAOD 1002-4, Privacy Incident Management
- DAOD 1002-5, Privacy Impact Assessments
- DAOD 1002-6, Disclosure of Personal Information
- DAOD 6001-0, Information Management
- DAOD 6001-1, Recordkeeping
- National Defence Security Orders and Directives
- Program Alignment Architecture
- Defence Subject Classification and Disposition System
- Instructions on Personal Information Management (in draft)
- Instructions on Privacy Notices (in draft)
- Info Source – Sources of Federal Government and Employee Information
Page details
- Date modified: