DAOD 1002-4, Privacy Incident Management

Table of Contents

  1. Introduction
  2. Definitions
  3. Overview
  4. Instruction on Privacy Incident Management
  5. Privacy Incident Management Process
  6. Office of the Privacy Commissioner of Canada
  7. Compliance and Consequences
  8. Responsibilities
  9. References

1. Introduction

Date of Issue: 2018-03-23

Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).

Approval Authority: Corporate Secretary (Corp Sec)

Enquiries: Director Access to Information and Privacy (DAIP)

2. Definitions

disclosure (divulgation)

The release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person. (Directive on Privacy Practices, Treasury Board)

government institution (institution fédérale)

Means

(a) Any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule, and

(b) any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act.

(Section 3 of the Privacy Act)

privacy breach (atteinte à la vie privée)

The improper or unauthorized creation, collection, use, disclosure, retention or disposition of personal information. (Directive on Privacy Practices, Treasury Board)

privacy incident (incident relatif à la vie privée)

Any act or event that causes or could cause a privacy breach. (Defence Terminology Bank, record number 694742)

privacy practices (pratiques relatives à la protection de la vie privée)

All practices related to the creation, collection, retention, accuracy, correction, use, disclosure, retention and disposition of personal information. (Directive on Privacy Practices, Treasury Board)

3. Overview

3.1 The Privacy Act and Privacy Regulations provide the legal framework for the collection, retention, accuracy, disposition, use and disclosure of personal information in the administration of programs and activities by government institutions.

Note: The term “personal information” is defined in section 3 of the Privacy Act.

3.2 Canadians value their privacy and the protection of their personal information and they expect government institutions to respect the letter and spirit of the Privacy Act and Privacy Regulations. The DND and the CAF are committed to protecting the privacy of individuals with respect to the personal information that is under DND and CAF control. The DND and the CAF recognize that this protection is an essential element in maintaining trust.

3.3 The Deputy Minister, Chief of the Defence Staff, level one (L1) advisors and commanders of commands are ultimately responsible for ensuring that sound privacy practices are implemented in daily operations in their organizations and that access to personal information is limited to those who need it in the performance of their duties.

3.4 The Corp Sec has the functional authority to issue instructions to DND employees and CAF members in the assigned functional area of privacy.

3.5 In addition to the responsibilities set out in this DAOD, the DAIP also has specific responsibilities regarding security incidents involving privacy. See the Instruction on Privacy Incident Management and the National Defence Security Orders and Directives, Chapter 12: Security Incident Management, for additional information.

4. Instruction on Privacy Incident Management

4.1 For the purpose of section 6.1.2 of the Treasury Board Directive on Privacy Practices, the Corp Sec has issued the Instruction on Privacy Incident Management to provide direction and guidance in respect of privacy incidents in the DND and the CAF. Privacy incidents must be managed and resolved in accordance with the Instruction on Privacy Incident Management and measures implemented to prevent the reoccurrence of any privacy breach.

4.2 The Instruction on Privacy Incident Management complies with sections 4 to 8 of the Privacy Act regarding the collection, retention, accuracy, disposition, use and disclosure of personal information, commonly referred to as the Code of Fair Information Practices.

4.3 All personal information collected by the DND and the CAF is governed by the Privacy Act. Such information may be used for reporting and investigation purposes. See Personal Information Bank, PSU 939, Security Incidents and Privacy Breaches, for additional information.

5. Privacy Incident Management Process

Privacy Liaison Officers (PLOs)

5.1 To facilitate the privacy incident management process in the DND and the CAF, each L1 advisor and commander of a command must designate a person within their organization to act as their PLO. The PLO liaises with the DAIP and assists in the coordination of the privacy incident management process.

Causes of Privacy Breaches

5.2 A privacy breach may be the result of an inadvertent or intentional action by the DND or the CAF as institutions or by any individual. See the Instruction on Privacy Incident Management for a detailed list of potential causes of privacy breaches.

Reporting

5.3 A privacy incident may be reported by any individual. A DND employee or CAF member who becomes aware of or suspects a privacy incident must report it to:

5.4 The DAIP must obtain all possible preliminary information from the individual reporting the privacy incident and subsequently engage the appropriate PLO if required.

Containment and Preliminary Assessment

5.5 The office of primary interest (OPI) is the manager of the program area or commanding officer of the unit or other element in which the privacy incident has occurred. The OPI must:

5.6 In most circumstances the OPI will be evident. If it is not evident, or there is a conflict as to who the OPI is, the DAIP will identify the appropriate OPI.

Evaluation

5.7 The DAIP must evaluate the privacy incident information provided by the reporting individual, PLO and OPI, and make a determination as to whether an investigation is required.

Notification

5.8 The DAIP determines if affected individuals must be notified and provides recommendations to the OPI.

5.9 The DAIP must notify the Office of the Privacy Commissioner of Canada (OPC) and Treasury Board Secretariat of all material privacy breaches.

Investigation

5.10 If the DAIP determines that an investigation of the privacy incident is required, the PLO, OPI and DAIP must follow the direction in the Instruction on Privacy Incident Management in respect of the:

Findings and Recommendations

5.11 The DAIP must issue a report of findings and recommendations in response to all reported privacy incidents. This report includes a final determination as to whether or not a privacy breach did occur and recommendations on actions that should be taken to prevent reoccurrence.

6. Office of the Privacy Commissioner of Canada

6.1 As an agent of Parliament, the Privacy Commissioner reports directly to the House of Commons and the Senate, not to the government of the day, ensuring impartiality and open-mindedness when acting as an ombudsman for privacy matters. The Privacy Commissioner is responsible for the oversight of the Privacy Act in order to protect the personal information under the control of government institutions.

6.2 The OPC may initiate a complaint of an alleged privacy breach if there are reasonable grounds. The OPC notifies the DAIP that a complaint is being initiated and the DAIP then acts as the liaison between the DND and the CAF, and the OPC. Following an investigation, the OPC issues a report of findings and recommendations.

7. Compliance and Consequences

Compliance

7.1 DND employees and CAF members must comply with this DAOD. Should clarification of the policies or instructions set out in this DAOD be required, DND employees and CAF members may seek direction through their channel of communication or chain of command, as appropriate. Managers and military supervisors have the primary responsibility for and means of ensuring the compliance of their DND employees and CAF members with this DAOD.

Consequences of Non-Compliance

7.2 DND employees and CAF members are accountable to their respective managers and military supervisors for any failure to comply with the direction set out in this DAOD. Non-compliance with the Privacy Act, the Privacy Regulations, this DAOD or the Instruction on Privacy Incident Management may have consequences for both the DND and the CAF as institutions and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. Managers and military supervisors must take or direct appropriate corrective measures if non-compliance with this DAOD has consequences for the DND or the CAF. The decision of an L1 or other senior official to take action or to intervene in a case of non-compliance, other than in respect of a decision under the Code of Service Discipline regarding a CAF member, will depend on the degree of risk resulting from the non-compliance and other circumstances of the case.

7.3 The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance. Consequences of non-compliance may include one or more of the following:

  1. the ordering of the completion of appropriate learning, training or professional development;
  2. the entering of observations in individual performance evaluations;
  3. increased reporting and performance monitoring;
  4. the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
  5. the reporting of suspected offences to responsible law enforcement agencies;
  6. revocation of a security clearance;
  7. revocation of user access to records or systems;
  8. posting or reassignment, including transfer or deployment;
  9. the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions;
  10. other administrative action, including the imposition of disciplinary measures and termination, for a DND employee;
  11. other administrative or disciplinary action, or both, including release, for a CAF member; and
  12. the imposition of liability on the part of Her Majesty in right of Canada, DND employees and CAF members.

Note: In respect of the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.

7.4 Non-compliance with the requirements in the Privacy Act and Privacy Regulations poses a risk to the DND and the CAF as institutions and could result in the loss of public confidence and reputation, media scrutiny, financial loss, legal implications, and risk to national interests and operations.

Note: For examples of other consequences for institutions, see Annex C of the Framework for the Management of Compliance.

8. Responsibilities

Responsibility Table

8.1 The following table identifies the responsibilities associated with this DAOD:

The ... | is or are responsible for ...

L1 advisors and commanders of commands
  • implementing the Instruction on Privacy Incident Management in their organizations to address privacy incidents, including the appointment of a PLO;
  • notifying the DAIP of any suspected improper or unauthorized collection, retention, disposition, use, disclosure or modification of, or access to, personal information in their organizations;
  • cooperating with the DAIP during the privacy incident management process; and
  • informing DND employees or CAF members in their organizations of any legal, disciplinary or administrative consequences for improper or unauthorized collection, retention, disposition, use, disclosure or modification of, or access to, personal information related to a particular program or activity.

DAIP
  • applying the Instruction on Privacy Incident Management to address privacy incidents in the DND and the CAF;
  • ensuring that investigations of privacy incidents are completed in a timely and coordinated manner with internal stakeholders as required;
  • notifying, in accordance with the Treasury Board Guidelines for Privacy Breaches, the OPC and Treasury Board Secretariat of all material privacy breaches;
  • providing advice to L1 advisors, other managers, commanders of commands and commanding officers regarding their notification responsibilities in respect of privacy incidents; and
  • issuing a determination as to whether or not a reported privacy incident resulted in a privacy breach.

DSO
  • establishing procedures for handling security incidents that involve personal information;
  • ensuring the conduct of an investigation of a security incident if it results in a privacy breach; and
  • identifying deficiencies in security systems or processes that involve personal information and making recommendations to OPIs if necessary.

OPIs
  • notifying the DAIP of any suspected improper or unauthorized collection, retention, disposition, use, disclosure or modification of, or access to, personal information;
  • taking immediate action to prevent any further privacy breach and securing the affected records, systems or websites;
  • implementing the Instruction on Privacy Incident Management and documenting a privacy incident in accordance with the Instruction;
  • cooperating with the DAIP during the privacy incident management process;
  • notifying the DSO if there is a breach of security involving personal information;
  • notifying public affairs officials if a privacy incident is a matter of public interest and if communications materials are required; and
  • conducting an investigation if requested by the DAIP, and producing an investigation report in accordance with the Instruction on Privacy Incident Management.

PLOs
  • acting in accordance with the Instruction on Privacy Incident Management as the official designated by their L1 advisor or commander of a command to assist the DAIP in the coordination of the privacy incident management process within their organization;
  • cooperating with the DAIP during the privacy incident management process; and
  • liaising with the DAIP and obtaining required information during the evaluation and investigation of privacy incidents.

DND employees and CAF members
  • complying with the Privacy Act, Privacy Regulations and this DAOD;
  • protecting personal information and raising compliance concerns with their supervisor or DAIP, or both; and
  • reporting privacy incidents to the DAIP or the office that is responsible for the custody of the personal information.

9. References

Acts, Regulations, Central Agency Policies and Policy DAOD

Other References
