Final benchmarking report on the handling of sensitive and personal information: chapter 2
2. Background
2.1 Applicable legislation and policies
The Privacy Act, Regulations and related policies and directives support the government’s commitment to ensure personal information collected on individuals is secured, used and maintained in a consistent and appropriate manner. Personal information is defined as information about an identifiable individual which is recorded in any form. Under the Act, no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution. (Footnote 1)
Also under the Act, the institution/department head or the head’s delegates are responsible for:
- Preparing and tabling in each House of Parliament an annual report on the administration of the Act;
- Preparing new or modified personal information bank (PIB) descriptions; and
- Providing TBS with:
  - A copy of the annual report;
  - An update to its chapter in Info Source, including proposed new or modified PIBs; and
  - A statistical report on the administration of the Privacy Act within the institution. (Footnote 2)
As well, any program, service or system that collects and stores personal information must conduct Privacy Impact Assessments (PIAs) to identify, assess and mitigate privacy risks.
In addition to the Privacy Act and Privacy Regulations, there are several TB policies and directives that directly affect the management of privacy and personal information, including, but not limited to:
- Policy on Privacy Protection;
- Policy on Government Security;
- Policy on Information Management;
- Directive on Privacy Practices;
- Directive on Privacy Impact Assessment; and
- Guidelines for Privacy Breaches.
The TB Policy on Privacy Protection of 2008 underwent minor revisions and was updated in August 2014. The policy specifies a number of obligations of federal institutions for sound management practices in the handling and protection of personal information, including the following key requirements:
- Making employees of the government institution aware of policies, procedures and legal responsibilities under the Act.
- Meeting the requirements of the Privacy Act when contracting with private sector organizations or when establishing agreements or arrangements with public sector organizations.
- Ensuring that appropriate privacy protection clauses are included in contracts or agreements that may involve intergovernmental or trans-border flows of personal information.
- Ensuring compliance with the specific terms and conditions related to the use of Social Insurance Numbers and the specific restrictions with regard to their collection, use and disclosure.
- Ensuring that, when applicable, Privacy Impact Assessments (PIAs) and multi-institutional PIAs are developed, maintained and published.
- Updating personal information banks (PIBs) on a yearly basis. These PIBs hold descriptions of personal information organized and retrievable by a person’s name or by an identifying number, symbol or other specific information assigned only to that person.
- Consulting with TBS on any proposal for the establishment or revocation of an exempt bank, and submitting a specific request to the President of the Treasury Board with regard to the proposal.