Commissioner's Directive 228: Data and Information

Applies to all authorized producers and users of data or information under the control of CSC, regardless of its form 

Responsibilities

1. The Chief Digital Service Officer (CDSO), as CSC’s delegated data and information management senior official, ensures CSC achieves the following expected results:
   1. integrated decision-making is supported by enterprise governance, planning, and reporting
   2. service delivery, business and program innovation are enabled by technology and data
   3. service design and delivery is client-centric by design, and
   4. workforce capacity and capability development is supported.
2. The CDSO:
   1. establishes enterprise policy and direction as per the Policy on Service and Digital, the Directive on Service and Digital, or other relevant data or information policies, directives, or standards for application and compliance at CSC
   2. supports government operations, analysis, decision-making, and service delivery by ensuring CSC’s data and information are managed as strategic assets as per the Policy on Service and Digital, the Directive on Service and Digital, or other relevant data or information policies, directives, or standards
   3. ensures CSC’s participation in government-wide governance to support the development and implementation of government-wide policy instruments and architecture
   4. ensures CSC’s responsibility and accountability structures are clear and defined for the management of data and information, as per the Governance section of Digital Directive (DD) 228-1: Data and Information Management
   5. verifies that the methodologies supporting data and information lifecycle management are implemented across CSC in accordance with applicable legislation, regulations, responsibility structures, policies, and the data principles
   6. ensures decisions and decision-making processes at CSC are documented to:
      1. account for and support the continuity of CSC operations
      2. permit the reconstruction of how policies and programs have evolved
      3. support litigation readiness, and
      4. allow for independent evaluation, audit, and review
   7. reduces redundancy and enables interoperability through data and information management as per the Government of Canada’s data standards
   8. manages CSC’s data and information in the context of any plan or strategy and confirms that privacy is addressed
   9. ensures sensitive data and information under CSC’s control are protected in accordance with the Policy on Government Security and any relevant legislation, policy, or arrangement
   10. oversees a CSC architecture review board that is mandated to review and approve the architecture of all CSC digital initiatives and ensure their alignment with government-wide architectures, and
   11. advises the Chief Information Officer of Canada about decisions, plans, strategies, directions, progress, risks, and challenges related to initiatives that affect the provision or use of data services across CSC.
3. All executive members of the Digital Services Sector, in collaboration with other CSC officials as necessary:
   1. ensure the quality of CSC’s data and information is managed and preserved to satisfy the requirements and expectations of users to meet operational needs, responsibilities, and long-term retention requirements as per the Policy on Service and Digital, the Directive on Service and Digital, or other relevant data or information policies, directives, or standards
   2. ensure CSC’s investments, service modernization and improvement initiatives are informed by and integrated into CSC’s business planning, and
   3. approve the data or information component of all CSC strategies, plans, policies, initiatives, projects, procurements, and spending authority requests.
4. All executives ensure effective data and information management, governance and accountability structures are in place throughout their area of responsibility.
5. The Director, Enterprise Data and Information Management (EDIM), provides leadership for the strategic planning, resourcing and implementation of data and information management activities, including training and development for employees.
6. The Director, Access to Information and Privacy, coordinates CSC’s administration of the Privacy Act, and Privacy Regulations, as well as TB policies, directives and guidelines relating to privacy.
7. All authorized producers and users of CSC's data and information ensure their responsibilities and procedures outlined in DD 228-1: Data and Information Management are executed.

Procedures

Strategic Management of Data and Information

8. The CDSO:
   1. outlines and approves CSC’s data and information strategies, standards, directives, and procedures, ensuring they remain relevant, and measures their implementation progress for effectiveness
   2. defines and documents CSC’s data and information lifecycle management practices that align with the nature or purpose of the data or information, and that address accountability, stewardship, performance measurement, reporting, and legal requirements
   3. ensures digital systems are the preferred means of creating, capturing, and managing data and information
   4. identifies, establishes, implements, and maintains designated corporate repositories so that data and information of business value will be managed throughout its lifecycle while respecting privacy and security requirements
   5. establishes CSC’s data and information architecture in alignment with prescribed governmentwide standards
   6. confirms that CSC’s data and information assets are created in an accessible format where appropriate, in accordance with the Accessible Canada Act, and that they are available for access in accordance with the Guidance on Data Quality, Standard on Web Accessibility and other Government of Canada policies, directives and standards
   7. maximizes the release of CSC’s data and information as an open resource through the Government of Canada’s open government portal, while ensuring privacy, security, and legal considerations are in compliance with the Directive on Open Government
   8. identifies data and information of business value, based on the functions and activities conducted by CSC to fulfil its legislated mandate
   9. ensures an approved Government of Canada enterprise information management solution is utilized to document business activities, decisions, and decision-making processes
   10. certifies data interoperability to the greatest extent possible within CSC and with other government agencies to avoid duplication and maximize utility, while respecting relevant security and privacy requirements
   11. initiates and maintains classification structures, data cataloguing, dictionaries, and taxonomies to manage, store, search, and retrieve data and information in all formats according to prescribed enterprise-wide standards
   12. establishes, implements, and maintains retention periods for all data and information, as appropriate, according to legislation, policy, content, format, and security
   13. develops a documented disposition process and performs regular disposition activities for all data and information, as required by applicable legislation, policies, and standards
   14. maximizes the removal of access restrictions on CSC’s data and information identified as possessing archival value, before transferring them to Library and Archives Canada as part of the planned disposition activities, and
   15. participates, as a service provider or as a service client, in the conception, planning, evolution and oversight of enterprise-wide data services and solutions.

Privacy and Protection

9. When managing personal data or information, including in the context of data interoperability, the CDSO ensures the privacy of individuals is protected according to the Privacy Act and any other relevant legislation, policy, standard or arrangement.
10. All executive members within the Digital Services Sector support the protection of CSC’s data and information by documenting and mitigating risks, while taking into consideration:
    1. the business value of data and information
    2. legislative and regulatory risks
    3. access to information
    4. security of information, and
    5. the protection of personal information.

Open Data and Information

11. The Director, EDIM, in collaboration with other CSC officials as necessary:
    1. ensures proactive publication of CSC's data and information on the open government portal, as informed by sectors and public demand, and
    2. ensures accuracy and quality of data and information released to the public.

Data and Information Sharing

12. The Director, EDIM, in collaboration with other CSC officials:
    1. confirms that partnership arrangements for data and information sharing are aligned with legislative requirements and best practices, including those in Commissioner’s Directive (CD) 701: Information Sharing
    2. ensures legal and security requirements are addressed within the scope of partnerships and documented in agreements
    3. confirms sharing of CSC’s data and information is in accordance with data release procedures and through partnerships, academia, and other levels of government, and
    4. ensures the privacy of individuals is protected when data and information is shared within external partnerships, academia, and other levels of government.

Governance

13. The CDSO:
    1. establishes governance to ensure the integrated management of data and information with service, information technology, and cyber security within CSC
    2. advocates for innovation and experimentation in service, data, information, information technology, and cyber security in accordance with applicable legislation and government policies, and
    3. informs TBS of activities related to the policy and directive on service and digital that involve the development of national or international information technology, information, or data standards.
14. The Director, EDIM:
    1. implements and maintains an effective data governance program to support the integrated management of data
    2. defines rules governing core data
    3. promotes CSC participation in data governance to support the development and implementation of government-wide data policies, directives, and guidelines, and
    4. assesses the impact of CSC decisions on the integrity (for example, quality, availability, access, use) of CSC data, and proposes strategies to mitigate identified risks.

Monitoring and Oversight

15. The CDSO:
    1. monitors compliance with TB Guidelines, Policy and Directive on Service and Digital, their supporting instruments, this policy and accompanying digital directives
    2. advises TBS when there are significant compliance issues with TB Guidelines, Policy and Directive on Service and Digital or their supporting instruments, and
    3. takes appropriate and timely remedial action when significant issues with compliance arise within CSC.
16. All executive members of the CDSO office ensure client feedback, including client satisfaction surveys and user experience testing, is collected, and used to inform design, delivery, and continuous improvement of services.

Support of Workforce Capacity and Capability

17. The CDSO:
    1. ensures CSC workforce awareness, capacity, and capability meet CSC and Government of Canada data and information requirements, and
    2. supports the Chief Information Officer of Canada’s enterprise-wide talent management and community development initiatives, including the Directive on Digital Talent.

Enquiries

18. Strategic Policy Division
    National Headquarters
    Email: NHQ.Policy-Politiques.AC@csc-scc.gc.ca

Commissioner,
Anne Kelly

Annex A: Cross-References and Definitions

Cross -references

• CD 001: Mission, Values and Ethics Framework of the Correctional Service of Canada
• CD 225: Information Technology Security
• CD 226: Use of Electronic Resources
• CD 227: Use of Web 2.0 Technology
• CD 228-1: Data and Information Management
• CD 340: Electronic Security Systems
• CD 701: Information Sharing

• Access to Information Act
• Canada Evidence Act
• Copyright Act
• Corrections and Conditional Release Act
• Corrections and Conditional Release Regulations
• Criminal Records Act
• Financial Administration Act
• Library and Archives of Canada Act
• Official Languages Act
• Personal Information Protection and Electronic Documents Act (Part 2)
• Privacy Act
• Privacy Regulations
• Security of Information Act
• Values and Ethics Code for the Public Sector

• Policy on Access to Information
• Policy on Government Security
• Policy on Official Languages
• Policy on Privacy Protection
• Policy on Service and Digital

• Directive on Automated Decision-Making
• Directive on Digital Talent
• Directive on Open Government
• Directive on Privacy Practices
• Directive on Security Management
• Directive on Service and Digital

• Resources on the HUB
• Managing Information
• Regional contacts for information management

Definitions

Authorized producers and users

staff, contractors, and volunteers authorized by CSC management to produce or use data and information resources, regardless of its form. 

Client

an individual, a business or its representatives served by or using either internal or external services provided by the Government of Canada. When describing interactions with information technologies, clients can be referred to as users. 

Client feedback

information coming directly from recipients of services about the satisfaction or dissatisfaction they feel with a service or product. It is a critical part of service improvement and can take several forms, including in-service client feedback, client satisfaction surveys, user experience testing, and consultations. 

Critical assets

 physical or intangible resources or components whose compromise would have severe consequences on the effective functioning of an organization, public health, the environment, or the economy. 

Cyber security

 the body of technologies, processes, practices, and response and mitigation measures designed to protect electronic information and information infrastructure from mischief, unauthorized use, or disruption. 

Data

a set of values of subjects with respect to qualitative or quantitative variables representing facts, statistics, or items of information in a formalized manner suitable for communication, interpretation, or processing. 

Data and information governance

 the exercise of authority, control, and shared decision making (planning, monitoring, and enforcement) over the management of data and information assets. 

Data standards

a set of documented rules and/or best practices that enables the standardization of consistent and repeatable description, representation, structuring, and sharing of data. 

Digital

processes, practices and technologies related to the production, storage, processing, dissemination and exchange of electronic information and data. It refers to, among other things, information and communications technologies, infrastructures, and the information and data they produce and collect. 

Digital initiative

a digitally enabled service, solution, information system, or application. 

Enterprise information management solution

an enterprise automated solution used to manage, protect, and preserve information resources, from creation to disposition. These solutions maintain appropriate contextual information (metadata) and enable organizations to access, use, retain, and dispose of records (such as, their destruction or transfer) in a managed, systemic, and auditable way to support accountability, transparency, and departmental business objectives. 

Governance

the management structures and processes that support the development, implementation, and enforcement of policies, programs, and activities. 

Information

knowledge captured in any format, such as facts, events, things, processes, or ideas, that can be structured (spreadsheet, Finger Print Section (FPS) numbers, chart of accounts) or unstructured (audio clips, video footage, pictures), including concepts that within a certain context have particular meaning. Information includes data. 

Information architecture

the structure of the information and data components of an enterprise, their interrelationships, as well as the principles and guidelines governing their design and evolution over time. Information architecture enables the sharing, reuse, horizontal aggregation, and analysis of information. 

Information lifecycle

the planning, collection, creation, receipt, capture, organization, use, re-use, dissemination, maintenance, protection, preservation, disposition, and evaluation of information. 

Information management

a discipline that directs and supports effective and efficient management of information and data in an organization, from planning and systems development to disposal or long-term preservation. 

Information technology

any equipment or system that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of information or data. It includes all matters concerned with the design, development, installation and implementation of information systems and applications. 

Interoperability

the ability of different types of electronic devices, networks, operating systems, and applications to work together effectively, without prior communication, to exchange information in a useful and meaningful manner. 

Personal information

information about an identifiable individual that is recorded in any form, as defined in the Privacy Act. 

Retention

the length of time that data is stored or archived before purging. 

Service

the provision of a specific final output that addresses one or more needs of an intended recipient and contributes to the achievement of an outcome. 

Related Links

• Policy Bulletin 570
• Policy Bulletin 734