DAOD 1002-4, Privacy Incident Management
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).
Approval Authority: Corporate Secretary (Corp Sec)
Enquiries: Director Access to Information and Privacy (DAIP)
The release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person. (Directive on Privacy Practices, Treasury Board)
government institution (institution fédérale)
(a) Any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule, and
(b) any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act.
(Section 3 of the Privacy Act)
privacy breach (atteinte à la vie privée)
The improper or unauthorized creation, collection, use, disclosure, retention or disposition of personal information. (Directive on Privacy Practices, Treasury Board)
privacy incident (incident relatif à la vie privée)
Any act or event that causes or could cause a privacy breach. (Defence Terminology Bank, record number 694742)
privacy practices (pratiques relatives à la protection de la vie privée)
All practices related to the creation, collection, retention, accuracy, correction, use, disclosure, retention and disposition of personal information. (Directive on Privacy Practices, Treasury Board)
3.1 The Privacy Act and Privacy Regulations provide the legal framework for the collection, retention, accuracy, disposition, use and disclosure of personal information in the administration of programs and activities by government institutions.
Note – The term “personal information” is defined in section 3 of the Privacy Act.
3.2 Canadians value their privacy and the protection of their personal information and they expect government institutions to respect the letter and spirit of the Privacy Act and Privacy Regulations. The DND and the CAF are committed to protecting the privacy of individuals with respect to the personal information that is under DND and CAF control. The DND and the CAF recognize that this protection is an essential element in maintaining trust.
3.3 The Deputy Minister, Chief of the Defence Staff, level one (L1) advisors and commanders of commands are ultimately responsible for ensuring that sound privacy practices are implemented in daily operations in their organizations and that access to personal information is limited to those who need it in the performance of their duties.
3.4 The Corp Sec has the functional authority to issue instructions to DND employees and CAF members in the assigned functional area of privacy.
3.5 In addition to the responsibilities set out in this DAOD, the DAIP also has specific responsibilities regarding security incidents involving privacy. See the Instruction on Privacy Incident Management and the National Defence Security Orders and Directives, Chapter 12: Security Incident Management, for additional information.
4. Instruction on Privacy Incident Management
4.1 For the purpose of section 6.1.2 of the Treasury Board Directive on Privacy Practices, the Corp Sec has issued the Instruction on Privacy Incident Management to provide direction and guidance in respect of privacy incidents in the DND and the CAF. Privacy incidents must be managed and resolved in accordance with the Instruction on Privacy Incident Management, and measures must be implemented to prevent the reoccurrence of any privacy breach.
4.2 The Instruction on Privacy Incident Management complies with sections 4 to 8 of the Privacy Act regarding the collection, retention, accuracy, disposition, use and disclosure of personal information, commonly referred to as the Code of Fair Information Practices.
4.3 All personal information collected by the DND and the CAF is governed by the Privacy Act. Such information may be used for reporting and investigation purposes. See Personal Information Bank, PSU 939, Security Incidents and Privacy Breaches, for additional information.
5. Privacy Incident Management Process
5.1 To facilitate the privacy incident management process in the DND and the CAF, each L1 advisor and commander of a command must designate a person within their organization to act as their PLO. The PLO liaises with the DAIP and assists in the coordination of the privacy incident management process.
Causes of Privacy Breaches
5.2 A privacy breach may be the result of an inadvertent or intentional action by the DND or the CAF as institutions or by any individual. See the Instruction on Privacy Incident Management for a detailed list of potential causes of privacy breaches.
5.3 A privacy incident may be reported by any individual. A DND employee or CAF member who becomes aware of or suspects a privacy incident must report it to:
- the DAIP; or
- the office that is responsible for the custody of the personal information.
5.4 The DAIP must obtain all possible preliminary information from the individual reporting the privacy incident and subsequently engage the appropriate PLO if required.
Containment and Preliminary Assessment
5.5 The office of primary interest (OPI) is the manager of the program area or commanding officer of the unit or other element in which the privacy incident has occurred. The OPI must:
- prevent additional personal information from being affected;
- ensure that the affected personal information is not further compromised;
- notify the DAIP of the privacy incident;
- document the privacy incident and response;
- make improvements to applicable systems or processes; and
- notify the Departmental Security Officer (DSO) if the matter resulted from a deficiency in a security procedure or process.
5.6 In most circumstances the OPI will be evident. If the OPI is not evident, or there is a conflict as to who the OPI is, the DAIP will identify the appropriate OPI.
5.7 The DAIP must evaluate the privacy incident information provided by the reporting individual, PLO and OPI, and make a determination as to whether an investigation is required.
5.8 The DAIP determines if affected individuals must be notified and provides recommendations to the OPI.
5.9 The DAIP must notify the Office of the Privacy Commissioner of Canada (OPC) and Treasury Board Secretariat of all material privacy breaches.
5.10 If the DAIP determines that an investigation of the privacy incident is required, the PLO, OPI and DAIP must follow the direction in the Instruction on Privacy Incident Management in respect of the:
- conduct of the investigation;
- subsequent reporting; and
- making of recommendations to prevent reoccurrence.
Findings and Recommendations
5.11 The DAIP must issue a report of findings and recommendations in response to all reported privacy incidents. This report includes a final determination as to whether or not a privacy breach did occur and recommendations on actions that should be taken to prevent reoccurrence.
6. Office of the Privacy Commissioner of Canada
6.1 As an agent of Parliament, the Privacy Commissioner reports directly to the House of Commons and the Senate, not to the government of the day, ensuring impartiality and open-mindedness when acting as an ombudsman for privacy matters. The Privacy Commissioner is responsible for the oversight of the Privacy Act in order to protect the personal information under the control of government institutions.
6.2 The OPC may initiate a complaint of an alleged privacy breach if there are reasonable grounds. The OPC notifies the DAIP that a complaint is being initiated and the DAIP then acts as the liaison between the DND and the CAF, and the OPC. Following an investigation, the OPC issues a report of findings and recommendations.
7. Compliance and Consequences
7.1 DND employees and CAF members must comply with this DAOD. Should clarification of the policies or instructions set out in this DAOD be required, DND employees and CAF members may seek direction through their channel of communication or chain of command, as appropriate. Managers and military supervisors have the primary responsibility for and means of ensuring the compliance of their DND employees and CAF members with this DAOD.
Consequences of Non-Compliance
7.2 DND employees and CAF members are accountable to their respective managers and military supervisors for any failure to comply with the direction set out in this DAOD. Non-compliance with the Privacy Act, the Privacy Regulations, this DAOD or the Instruction on Privacy Incident Management may have consequences for both the DND and the CAF as institutions and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. Managers and military supervisors must take or direct appropriate corrective measures if non-compliance with this DAOD has consequences for the DND or the CAF. The decision of an L1 or other senior official to take action or to intervene in a case of non-compliance, other than in respect of a decision under the Code of Service Discipline regarding a CAF member, will depend on the degree of risk resulting from the non-compliance and other circumstances of the case.
7.3 The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance. Consequences of non-compliance may include one or more of the following:
- the ordering of the completion of appropriate learning, training or professional development;
- the entering of observations in individual performance evaluations;
- increased reporting and performance monitoring;
- the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
- the reporting of suspected offences to responsible law enforcement agencies;
- revocation of a security clearance;
- revocation of user access to records or systems;
- posting or reassignment, including transfer or deployment;
- the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions;
- other administrative action, including the imposition of disciplinary measures and termination, for a DND employee;
- other administrative or disciplinary action, or both, including release, for a CAF member; and
- the imposition of liability on the part of Her Majesty in right of Canada, DND employees and CAF members.
Note – In respect of the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.
7.4 Non-compliance with the requirements in the Privacy Act and Privacy Regulations poses a risk to the DND and the CAF as institutions and could result in the loss of public confidence and reputation, media scrutiny, financial loss, legal implications, and risk to national interests and operations.
Note – For examples of other consequences for institutions, see Annex C of the Framework for the Management of Compliance.
8.1 The following table identifies the responsibilities associated with this DAOD:
| The... | is or are responsible for... |
| --- | --- |
| L1 advisors and commanders of commands | |
| DND employees and CAF members | |
- Financial Administration Act
- Privacy Act
- Privacy Regulations
- Framework for the Management of Compliance, Treasury Board
- Directive on Privacy Practices, Treasury Board
- Guidelines for Privacy Breaches, Treasury Board
- DAOD 1002-0, Administration of the Privacy Act
- DAOD 7002-0, Boards of Inquiry and Summary Investigations
- National Defence Security Orders and Directives, Chapter 12: Security Incident Management
- Instruction on Privacy Breach Management (draft)
- Personal Information Bank, PSU 939, Security Incidents and Privacy Breaches