A privacy guidance checklist
This checklist should help you understand which privacy guidance to follow, and when, as you complete your initiative.
Plan
Depending on your initiative, some of these steps may have already been completed.
List personal information
- create a list of all the personal information involved in your initiative
- for each piece of personal information on your list, indicate:
- send this information to your privacy expert
Design
Once you know what privacy deliverables are needed, get started right away. Depending on the complexity of your initiative, this work could take a team several months to complete.
Privacy deliverables
- review guidance on privacy deliverables to find out what’s required for each:
Ensuring protection
- develop access controls and other safeguards
- ensure there’s a plan to prevent privacy breaches
Retention measures
- your initiative needs a retention and disposition plan for the personal information it collects, creates, uses, or shares
- information used for an administrative purpose should be kept for at least two years after its last use
Privacy training
- provide privacy training to all individuals who will have access to personal information
- the Canada School of Public Service offers Privacy Training essentials courses.
Review
These steps may differ from one institution to the next, depending on its structure and available resources.
Consultations
- consult the appropriate stakeholders to review your privacy deliverables
- stakeholders may include experts in privacy, law, information management, information technology, etc.
Approvals
- submit your deliverables for approval at the appropriate levels in your institution
- if you created an Information Sharing Arrangement (ISA), make sure it's been signed by all parties. The appropriate level of approval can change depending on the exact nature of the ISA and level of risk involved
Maintenance
- create a schedule to regularly maintain and update your privacy deliverables
- ensure processes are also reviewed regularly, and updated any time there’s a change to the way your initiative manages people’s information
- make sure any new employees receive appropriate training.
Launch
Publish a privacy notice
- publish your privacy notice before collecting any personal information
- depending on the way your initiative collects information, your privacy notice may be delivered online, as a paper copy, or as a summary read out loud by a call center agent
Address any risks
- continue to address any risks identified in your Privacy Impact Assessment (PIA)
- consider including privacy training as part of your onboarding for new staff who have access to personal information
- update access controls if there have been any changes in staffing or roles
- access controls should be updated any time there are any new hires, departures or changes to positions or files
Update
Continuously review and update your privacy deliverables and processes, especially if there are any changes to the way information is handled. Despite best efforts, a privacy breach can still happen. Make sure to modify your breach plan based on any lessons learned, even after launch.