DAOD 1002-5, Privacy Impact Assessments
Table of Contents
Date of Issue: 2019-04-10
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).
Approval Authority: Corporate Secretary (Corp Sec)
Enquiries: Director Access to Information and Privacy (DAIP)
administrative purpose (fins administratives)
The use of personal information about an individual "in a decision making process that directly affects that individual" (section 3 of the Privacy Act). This includes all uses of personal information for confirming identity (in other words, authentication and verification purposes) and for determining eligibility of individuals for government programs. (Policy on Privacy Protection, Treasury Board)
core privacy impact assessment (évaluation des facteurs relatifs à la vie privée de base)
Consists of those standardized elements of a privacy impact assessment that are directly linked to policy and legal compliance. (Directive on Privacy Impact Assessment, Treasury Board)
government institution (institution fédérale)
(a) any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule of the Privacy Act, and
(b) any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act.
(Section 3 of the Privacy Act)
multi-institutional privacy impact assessment (évaluation des facteurs relatifs à la vie privée multi-institutionnelles)
A privacy impact assessment that involves more than one government institution. (Policy on Privacy Protection, Treasury Board)
non-administrative purpose (fins non administratives)
The use of personal information for a purpose that is not related to any decision-making process that directly affects the individual. This includes the use of personal information for research, statistical, audit and evaluation purposes. (Policy on Privacy Protection, Treasury Board)
personal information (renseignements personnels)
Means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,
(f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,
(g) the views or opinions of another individual about the individual,
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
(i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,
but, for the purposes of sections 7, 8 and 26 and section 19 of the Access to Information Act, does not include
(j) information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including,
(i) the fact that the individual is or was an officer or employee of the government institution,
(ii) the title, business address and telephone number of the individual,
(iii) the classification, salary range and responsibilities of the position held by the individual,
(iv) the name of the individual on a document prepared by the individual in the course of employment, and
(v) the personal opinions or views of the individual given in the course of employment,
(k) information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, the name of the individual and the opinions or views of the individual given in the course of the performance of those services,
(l) information relating to any discretionary benefit of a financial nature, including the granting of a licence or permit, conferred on an individual, including the name of the individual and the exact nature of the benefit, and
(m) information about an individual who has been dead for more than twenty years.
(Section 3 of the Privacy Act)
personal information bank (fichier de renseignements personnels)
A description of personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution. (Policy on Privacy Protection, Treasury Board)
privacy impact assessment (évaluation des facteurs relatifs à la vie privée)
A policy process for identifying, assessing and mitigating privacy risks. Government institutions are to develop and maintain privacy impact assessments for all new or modified programs and activities that involve the use of personal information for an administrative purpose. (Policy on Privacy Protection, Treasury Board)
privacy protocol (protocole relatif à la protection des renseignements personnels)
A set of documented procedures to be followed when using personal information for non-administrative purposes including research, statistical, audit and evaluation purposes. These procedures are to ensure that the individual's personal information is handled in a manner that is consistent with the principles of the Privacy Act. (Policy on Privacy Protection, Treasury Board)
program or activity (programme ou activité)
For the purposes of the appropriate collection, use or disclosure of personal information by government institutions subject to the Policy on Privacy Protection, a program or activity that is authorized or approved by Parliament. Parliamentary authority is usually contained in an Act of Parliament or subsequent Regulations. Parliamentary authority can also be in the form of approval of expenditures proposed in the Estimates and as authorized by an appropriation Act. Also included in this definition are any activities conducted as part of the administration of the program. (Policy on Privacy Protection, Treasury Board)
substantial modification (modification importante)
Refers to a change or an amendment to the privacy practices related to a particular program or activity, which is reflected in a personal information bank description. This includes any change or amendment to the privacy practices related to activities that use automated or technological means to identify, create, analyze, compare, extract, cull, match or define personal information. (Directive on Privacy Impact Assessment, Treasury Board)
3.1 The objectives of this DAOD are to:
- provide direction to DND employees and CAF members with respect to the administration of privacy impact assessments (PIAs) for a new program or activity involving the creation, collection or handling of personal information, or the making of any substantial modification to an existing program or activity; and
- ensure, through the conduct of PIAs, sound management and decision making as well as careful consideration of privacy risks with respect to the creation, collection and handling of personal information as part of a program or activity.
3.2 It is expected that by following the instructions in this DAOD that:
- PIAs will be conducted in a manner that is commensurate with the level of privacy risk identified prior to establishing any new program or activity involving the creation, collection or handling of personal information, or the making of any substantial modification to an existing program or activity; and
- privacy implications will be appropriately identified, assessed and resolved prior to implementing any new program or activity, or the making of any substantial modification to an existing program or activity.
4.1 The Privacy Act and the Privacy Regulations provide the legal framework for the creation, collection, accuracy, correction, use, disclosure, retention and disposition of personal information required by a government institution in the administration of a program or activity.
4.2 The DND and the CAF must ensure that privacy protection is a core consideration when any new program or activity is developed, or if any substantial modification is made to any existing program or activity. Sound management and decision making, as well as careful consideration of privacy risks with respect to the creation, collection and handling of personal information, must be integrated into any program or activity of the DND and the CAF.
4.3 The DND and the CAF routinely perform broad risk management activities and develop risk profiles for a program or activity. The PIA is the component of risk management that focuses on ensuring compliance with the requirements of the Privacy Act and assessing the privacy implications of a program or activity.
4.4 A PIA may also be used to evaluate any planned legislative, regulatory, policy or program initiative that could relate to the Privacy Act or have an impact on the privacy of individuals.
4.5 When a PIA is properly framed and integrated within the broader risk management framework, the completion of a PIA should not be a resource-intensive exercise. As such, a PIA is conducted in a manner that is commensurate with the privacy risk identified, respects the operating environment, and leverages other existing risk management tools.
4.6 For the purpose of the Treasury Board (TB) Policy on Privacy Protection and the Directive on Privacy Impact Assessment, the Corp Sec has issued this DAOD and the Privacy Impact Assessment Toolkit to provide direction and guidance to the DND and the CAF on the effective administration of PIAs. A PIA must be developed and maintained in accordance with the Privacy Impact Assessment Toolkit.
5.1 Level one advisors (L1s) are accountable for ensuring that privacy risks are properly assessed and, if possible, mitigated for any program or activity within their organizations. The initial undertaking and ongoing updating of a PIA is essential in order to document the privacy risks and proposed mitigations of any new, ongoing or modified program or activity if there is potential impact to the personal information under the control of the DND and the CAF.
5.2 Upon the initiation of a new or modified program or activity, the program lead for the program or activity should contact DAIP to assist with the determination as to whether there is a potential impact on the privacy of individuals. If there is potential impact, a PIA must be developed. The PIA balances privacy with other legislative, regulatory, policy, program and activity requirements.
Note ̶ The program lead is the official holding administrative responsibility for the completion of a PIA. If an official is not specifically assigned, this responsibility will rest with the senior official or executive holding functional responsibility for the program or activity in question.
5.3 The program lead must initiate a PIA for any program or activity under the control of their organization in the following circumstances:
- personal information is used for or is intended to be used as part of a decision-making process that directly affects individuals;
- any substantial modification is being made to an existing program or activity in which personal information is used or intended to be used for an administrative purpose;
- the contracting out or transfer of a program or activity to another level of government, a private sector entity or an individual results in any substantial modification to the program or activity; or
- decisions that directly affect individuals are not being made but there will be an impact on privacy that warrants the conduct of a PIA (see paragraph 5.5 for additional information).
Personal Information Bank (PIB)
5.4 A PIB must exist prior to the collection of personal information. The Privacy Act requires government institutions to identify, describe and publicly report collections of personal information. It is necessary to complete a PIA in order to establish a PIB. See DAOD 1002-3, Personal Information Management, for additional information.
Use of a Privacy Protocol
5.5 If any new program or activity or any substantial modification to an existing program or activity does not use or intend to use personal information as part of a decision-making process that directly affects individuals, the program lead must still determine, in consultation with DAIP, if there is any impact on privacy that would warrant the conduct of an assessment. In some circumstances a privacy protocol may be adequate to address the potential impact on privacy by such a program or activity.
5.6 The program lead must ensure that the decision to rely on a privacy protocol and not complete a PIA is documented.
5.7 All personal information collected by the DND and the CAF that is not related to a decision-making process that directly affects an individual must be collected in accordance with a privacy protocol for a non-administrative purpose. See the Instruction on Privacy Protocols for Non-Administrative Purpose for additional information.
5.8 During the development of the PIA, the program lead must:
- evaluate whether:
- the program or activity is necessary to achieve a specific and legitimate purpose;
- the program or activity is likely to be effective in achieving the legitimate purpose;
- the intrusion of privacy is proportional to the benefit to be derived; and
- there is no other alternative that is less intrusive to the privacy of individuals that would achieve the same purpose; and
- seek the review and recommendations of DAIP privacy analysts, legal advisors and other applicable technical and information specialists.
5.9 DAIP privacy analysts must provide advice and recommendations with respect to relevant program statutes, the Privacy Act, the Access to Information Act, privacy issues, current privacy developments, and national and international privacy standards. The program lead develops or modifies the PIB description in consultation with DAIP.
5.10 The program lead must seek legal review as to the legal authority to conduct any new program or activity or make any substantial modification to an existing program or activity, including legal review of any potential issues that may have been raised with respect to the Canadian Charter of Rights and Freedoms.
5.11 The program lead must seek the review and recommendations of:
- technical specialists to provide technical and systems advice on legacy systems, Internet tools, system interfaces, security, data flows and technical architecture; and
- information specialists to provide advice on how records for the new program or activity will be kept and their retention requirements.
5.12 The program lead must ensure that:
- the PIA is completed in accordance with the Privacy Impact Assessment Toolkit;
- a determination is made as to the appropriate format for the PIA, based on the DND and the CAF business needs, internal reporting and broader risk management activities;
- the PIA includes a risk level that is based on the DND and the CAF business needs, internal reporting and broader risk management activities; and
- additional documentation and analysis, including mitigation plans and strategies, are provided in consultation with DAIP if further elaboration on specific risk mitigation is warranted.
5.13 The signature of the responsible program lead as well as that of the L1 are required for a completed PIA to be approved.
5.14 The L1 must provide the approved PIA to DAIP.
5.15 DAIP must ensure that the approved PIA is provided to the Treasury Board Secretariat (TBS), along with the proposed PIB description for any new program or activity, or modified PIB description for any substantial modification to an existing program or activity, unless otherwise specified in the terms and conditions of a delegation made under subsection 71(6) of the Privacy Act. The TBS confirms that mandatory requirements of the core PIA have been completed for the purpose of establishing or modifying a PIB.
5.16 DAIP must also simultaneously send the approved PIA to the Office of the Privacy Commissioner (OPC). The OPC undertakes a comprehensive review of the PIA and all associated documents and will offer advice, comments, consultation and recommendation.
5.17 Once approved, a PIA will require routine updating and maintenance to reflect any changes to delivery of the program or activity.
6.1 In accordance with the Directive on Privacy Impact Assessment, the following sections of a core PIA, once approved, must be made available to the public:
- overview and PIA initiation; and
- risk area identification and categorization.
6.2 While respecting security requirements as well as any other confidentiality or legal consideration, DAIP is responsible for making sections of the core PIA available to the public.
6.3 DAIP is responsible for monitoring compliance with this DAOD as it relates to the administration of the Privacy Act.
7.1 A multi-institutional PIA involves more than one government institution. A lead government institution must be identified in any multi-institutional PIA. Unless otherwise established by a contract or arrangement, the lead government institution will be the government institution that has primary control over the personal information or holds the authority for initiating the program or activity.
7.2 If the lead government institution cannot be identified under paragraph 7.1 because the program or activity is common to all government institutions, the lead will be, unless otherwise established by a contract or arrangement, the government institution that either:
- is responsible for delivering the program or activity across government;
- is the contracting authority for the program or activity; or
- is the policy authority for the program or activity across government.
7.3 A multi-institutional PIA requires the coordination of an interdepartmental committee comprised of key stakeholders, including policy and legal advisors.
7.4 In the case of a joint program or activity, a multi-institutional PIA is favored. The most appropriate approach for the completion and approval of the multi-institutional PIA in support of the program or activity must be determined and documented. At a minimum, the approach must take into consideration the approval process of the government institutions involved and will cover the full scope of the program or activity.
7.5 There must be oversight of the collection of personal information as well as any disclosures to government institutions involved in the program or activity.
7.6 Approval of a multi-institutional PIA by all appropriate stakeholders must be obtained.
8.1 DND employees and CAF members must comply with the Privacy Act, the Privacy Regulations, this DAOD and the Privacy Impact Assessment Toolkit. Should clarification of these laws, policies or instructions be required, DND employees and CAF members may seek direction through their channel of communication or chain of command, as appropriate. Managers and military supervisors have the primary responsibility for and means of ensuring the compliance of their DND employees and CAF members with the Privacy Act, the Privacy Regulations, this DAOD and the Privacy Impact Assessment Toolkit.
Consequences of Non-Compliance
8.2 DND employees and CAF members are accountable to their respective managers and military supervisors for any failure to comply with the Privacy Act, the Privacy Regulations, this DAOD or the Privacy Impact Assessment Toolkit. Non-compliance may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. Managers and military supervisors must take or direct appropriate corrective measures if non-compliance has consequences for the DND or the CAF. The decision of an L1 or other senior official to take action or to intervene in a case of non-compliance, other than in respect of a decision under the Code of Service Discipline regarding a CAF member, will depend on the degree of risk based on the impact and likelihood of an adverse outcome resulting from the non-compliance and other circumstances of the case.
8.3 The nature and severity of the consequences resulting from non-compliance should be commensurate with the circumstances of the non-compliance and other relevant circumstances. Consequences of non-compliance may include one or more of the following:
- the ordering of the completion of appropriate learning, training or professional development;
- the entering of observations in individual performance evaluations;
- increased reporting and performance monitoring;
- the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
- the reporting of suspected offences to responsible law enforcement agencies;
- the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions;
- other administrative action, including the imposition of disciplinary measures, for a DND employee;
- other administrative or disciplinary action, or both, for a CAF member; and
- the imposition of liability on the part of Her Majesty in right of Canada, DND employees and CAF members.
Note – In respect to the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.
9.1 The following table identifies the responsibilities associated with this DAOD:
|The...||is or are responsible for...|
|DND employees and CAF members
Acts, Regulations, Central Agency Policies and Policy DAOD
- Canadian Charter of Rights and Freedoms
- Access to Information Act
- Financial Administration Act
- Privacy Act
- Privacy Regulations
- Framework for the Management of Compliance, Treasury Board
- Policy on Privacy Protection, Treasury Board
- Directive on Privacy Impact Assessment, Treasury Board
- Directive on Privacy Practices, Treasury Board
- DAOD 1002-0, Administration of the Privacy Act
- DAOD 1001-0, Access to Information
- DAOD 1002-3, Personal Information Management
- DAOD 1002-4, Privacy Incident Management
- DAOD 1002-6, Disclosure of Personal Information
- Privacy Impact Assessment Toolkit (in draft)
- Instructions on Privacy Protocols for Non-Administrative Purpose
- Info Source – Sources of Federal Government and Employee Information
- Date modified: