Privacy Implementation Notice 2023-02: Personal information for program monitoring, evaluation and reporting purposes

1. Effective date

This implementation notice takes effect on July 24, 2023.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice serves to assist government institutions in the collection, use, retention, and disclosure of personal information for program monitoring, evaluation and reporting purposes, including for Gender-based Analysis Plus (GBA Plus). This notice provides guidance to privacy officials concerning the management of personal information for such non-administrative uses.

4. Context

As a part of program delivery and management, programs collect personal information for program monitoring, evaluation and reporting purposes, including for GBA Plus. The Policy on Results sets out the fundamental requirements for accountability for performance information and evaluation for departments as defined in section 2 of the Financial Administration Act. Those institutions not covered by section 6 of the Policy on Results are encouraged to follow the requirements as a good practice. The Directive on Results outlines requirements for supporting the implementation of the Policy on Results.

The Canadian Gender Budgeting Act promotes gender equality, diversity and inclusivity in Canada. The Act requires the Government of Canada to make information available to the public on the impacts of government decisions in terms of gender and diversity and to consider gender and diversity in the development of policy in a budgetary context.

Institutions subject to the Policy on Results and its related policy instruments, and institutions subject to the Canadian Gender Budgeting Act are expected to measure and evaluate their performance, and to use the resulting information to manage, improve, and increase understanding of their programs, policies and services. In this context, departments need to collect data, including personal information, for monitoring, evaluation and reporting as part of program delivery and management. Privacy officials can refer to the following guidance for considerations when institutions are handling personal information for program monitoring, evaluation and reporting purposes.

Evaluation

In the Government of Canada, evaluations are undertaken to gather and analyze evidence to assess whether, why and how a program, initiative or policy works. The aim being to inform decision-making, improve program delivery, foster innovation, and demonstrate accountability.

Evaluations typically use social science methods such as document reviews, interviews, surveys, case studies, focus groups, statistics, advanced statistical analysis and randomized control trials. They can look at a wide variety of sources to gather information, ranging from program beneficiaries, to social media, to predictive analytics based on big data. They can be conducted before a program is implemented, to inform its design; during a program, to help it adjust course; or after a program is complete or has been running for some time, to assess its impact.

Institutions subject to the Policy on Results should have a designated Head of Evaluation responsible for leading the evaluation function. Evaluation functions must be internal to the department, but outside of program areas. The evaluation function is supported by the Results Division, within the Expenditure Management Sector of the Treasury Board of Canada Secretariat.

Departmental Results Framework

Federal government departments present their plans and results, and reports to the people of Canada and Parliament, based on their Departmental Results Framework and a Program Inventory, as described in the Policy on Results.

To ensure clear, transparent, and accessible reporting on performance, institutions identified in Schedules I, I.1 and II of the Financial Administration Act must table Departmental Plans and Departmental Results Reports in Parliament annually. The Departmental Plans allow parliamentarians and the public to hold the government accountable by requiring organizations to describe how resources are allocated to each of their programs, what they intend to achieve with these resources, and how they will measure progress toward the results they seek to achieve over a three-year period. At the end of the fiscal year, through their Departmental Results Report, institutions report on how they performed using their indicators to measure if they have met the targets they set at the start of the year.

Performance Information Profiles

Per the Policy on Results, a Performance Information Profile is a document that identifies the performance information for each program from the Program Inventory.

Institutions subject to the Policy on Results should have a designated Head of Performance Measurement responsible for establishing, implementing and maintaining a Program Inventory and overseeing Performance Information Profiles. Meanwhile, program officials are responsible for establishing, implementing and maintaining Performance Information Profiles for their programs. The profiles must include information on the outputs and outcomes of programs.

Gender-Based Analysis Plus (GBA Plus)

The Directive on Results requires both program officials and evaluators to include government-wide policy considerations, such as GBA Plus, where relevant, in performance information, as well as in reporting and other government activities. It also requires evaluators to plan evaluations to take those same considerations into account.

The Canadian Gender Budgeting Act enshrined gender budgeting in the federal government’s budgetary and financial management process. The Act requires the President of the Treasury Board make available to the public an annual analysis of the impacts of existing Government of Canada expenditure programs on gender and diversity. Currently, government institutions are required to report this information in a GBA Plus Supplementary Information Table that is released as a supplement to their Departmental Results Report.

Institutions are encouraged to consider GBA Plus when programs are being designed and developed and when related data collection is being planned. If GBA Plus is undertaken at the planning stage, evaluators can help make it part of established processes, and thereby lay the groundwork for a comprehensive analysis during the evaluation. Also, if undertaken at the planning stage, program officials can ensure that it is incorporated into their data collection efforts allowing for program monitoring and reporting. This should be captured in the Performance Information Profiles.

If GBA Plus was not conducted at the outset, evaluators may need to gather, often retrospectively, supplementary data and carry out additional analysis to fill gaps.

Disaggregated data

Aggregated data is information that is combined or summarized for statistical analysis. In contrast, disaggregated data is data that is broken down into subcategories, allowing for analysis on the specific characteristics of different groupings along different indicators. Disaggregated data includes characteristics of the data subjects (for example, university programs, cities, program applicants), without directly or indirectly identifying them. Note that disaggregated data may be personal information if the breakdowns are granular enough that an individual can be identified.

Institutions employ disaggregated data to better understand the impacts of policies and programs. The analysis of disaggregated data is a key factor in making informed decisions regarding the design and delivery of federal policies and programs.

For example, GBA Plus impacts are measured using disaggregated data. It can be used to uncover trends, patterns, and inequalities among diverse groups by attributes such as gender, region, ethnicity, and countless others. Disaggregated data can be used to identify potential barriers or issues that disproportionately impact certain groups during policy development, service design and delivery, and program/policy evaluation.

Data collection plans

In the context of programs, data collection plans can be developed to articulate what data needs to be collected, how it will be collected, when, and from where. Data collection plans encompass all data being used for a program, including data that are personal information. For program monitoring, evaluation and reporting purposes, programs should leverage the data already collected to make administrative decisions about program participants. However, in some cases, additional data may need to be collected. Developing a data collection plan can help institutions to assess what data they hold, what data will need to be collected, and how different data will be used in the various phases of program delivery. Developing a data collection plan may also serve institutions to align with the 2023–2026 Data Strategy for the Federal Public Service. The Data Strategy has as one of its missions Data by design, which includes planning for data needs appropriately at the outset.

5. Guidance

Personal information must only be created, collected, retained, used, disclosed and disposed of in a manner that respects the provisions of the Privacy Act. This includes for non-administrative purposes such as evaluation, impacts reporting, and GBA Plus. Personal information collected and created as part of program delivery, such as for determining eligibility for a benefit, will be necessary for program monitoring, evaluation and reporting. However, it may be augmented by other personal information such as personal opinions, income, or education, medical, criminal or employment history. The personal information collected depends on the program and how its expected outcomes are being measured.

In all cases, when considering the collection of personal information for program monitoring, evaluation and reporting purposes, institutions should ensure the personal information that is collected is reflected in any privacy notice, Privacy Impact Assessment, and personal information bank(s) (PIBs) relevant to the program. Depending on the monitoring and evaluation methodologies to be applied, consideration should also be given for privacy preserving techniques such as data minimization and de-identification.

5.1 Collection

Per the Privacy Act, personal information may be collected if it relates directly to an operating program or activity of the institution. This applies to both administrative and non-administrative uses of personal information. Since program monitoring, evaluation and reporting are intrinsic to program delivery, there may be no need to have specific legal authorities to collect personal information for these purposes. Institutions should consult with their legal services prior to data collection.

When establishing a program or activity, program officials should consider developing a data collection plan, supported by performance measurement, evaluation, privacy and legal officials, to articulate what data needs to be collected, how it will be collected, when it will be collected, and the source of the data.

Beyond the legal authorities that establish the program, for many institutions, personal information for evaluation purposes is collected pursuant to 42.1 of the Financial Administration Act.

Since program monitoring, evaluation and reporting relate directly to the delivery and management and oversight of programs, the management of personal information for these purposes should be captured in a given program’s Privacy Impact Assessment as per 4.2.4 of the Policy on Privacy Protection and the associated PIB. In certain circumstances institutions may employ the “Evaluation” Standard PIB PSU 942. For example, if the original program did not collect personal information, so did not have a registered PIB, this Standard PIB may be employed if personal information, such as the opinions of community members, are being collected as part of the evaluation. Where a standard PIB does not sufficiently capture the new or modified program activities, an institution-specific PIB must be developed or modified. Note that if the personal information is collected for a non-administrative purpose outside of program delivery, a privacy protocol is required as per 4.2.5 of the Policy on Privacy Protection.

Privacy notice statements for programs should capture any collection, use, or disclosure of personal information for program monitoring, evaluation and reporting purposes. For more information on the requirements for privacy notices refer to 4.2.10 of the Directive on Privacy Practices.

5.2 Use and disclosure

Sections 7 and 8 of the Privacy Act require that an individual’s personal information may be used or disclosed only for the purpose for which it was obtained, for uses consistent with those purposes, and for purposes for which information may be disclosed under subsection 8(2) of the Act. Uses or disclosures of personal information for a different purpose require the consent of the individual. As program monitoring, evaluation and reporting are part of the continuum of use for a program, the use of the personal information for these purposes is consistent with the original collection. If in doubt, consult your institution’s legal services.

Institutions can consider capturing the use of personal information for program monitoring, evaluation and reporting in the Consistent Uses section of the relevant PIB(s). However, these purposes should generally not be considered as 8(2) disclosures for the purposes of the Act as program monitoring, evaluation and reporting can be considered part of program delivery. If a new consistent use is identified, privacy officials will need to notify the Office of the Privacy Commissioner and update the related institution-specific PIB, as per 4.1.17 of the Directive on Privacy Practices.

5.2.1 Sharing information with Performance Measurement and Evaluation

The evaluation function within an institution is established as per the Policy on Results. Evaluators are at arm’s length from the programs and activities, so they may objectively conduct evaluations. Performance measurement is conducted by program officials who work in consultation with the Head of Performance Measurement and the Head of Evaluation. For the purposes of the Privacy Act, any activities conducted as part of the administration of a program or activity, including evaluation and performance measurement, could be considered part of the program. If so, evaluators may collect, create, use and disclose the personal information for the program. Therefore, an information sharing agreement does not need to be established. However, institutions must take care to meet the requirements under the Directive on Privacy Practices with respect establishing safeguards, use, disclosure and retention. When sharing with performance measurement and evaluation colleagues, ensure these requirements are well understood. Where possible, leverage privacy preserving techniques such as de-identification and data minimization when select personal information is not necessary for the analysis.

If the institution opts to employ a contractor to conduct evaluation, it must ensure that, as per 4.2.16 of the Policy on Privacy Protection, third parties under contract provide appropriate privacy protections. The Directive on Privacy Practices goes into further detail on these requirements in 4.2.23 to 4.2.27. For more information on ensuring appropriate privacy safeguards are in place for contract, consult the Guidance Document: Taking Privacy into Account Before Making Contracting Decisions.

5.2.2 Sharing information with other government institutions

Institutions may require personal information held by another federal government institution for program monitoring, evaluation or reporting purposes. An institution requesting personal information should be able to clearly identify the purpose for which the information is needed. Additionally, per 4.2.23 of the Directive on Privacy Practices, institutions are required to establish a contract, information sharing agreement or information sharing arrangement with appropriate safeguards prior to any disclosure of personal information to another federal program.

If a program is delivered by multiple institutions in cooperation, the information sharing agreements that have been established should also include sharing for program monitoring, evaluation and reporting. If a centrally-led evaluation is requested by the Treasury Board of Canada Secretariat, as per 4.6.2 of the Policy on Results, an information sharing agreement outlining the management of the shared information is required.

For more information on the requirements for information sharing arrangements, consult the Guidance on Preparing Information Sharing Agreements Involving Personal Information.

5.3 Programs delivered by third parties

Control of the personal information and Privacy Act responsibilities remain with government institutions when employing third-party services for the administration of programs. Contracts established with third-party service or data providers should clearly outline measures to protect personal information in accordance with the requirements of the Privacy Act and related policy instruments. They should also include specific provisions for the collection and management of accurate personal information for program monitoring, evaluation and reporting. Including specific provisions for these functions can ensure that the necessary personal information elements are captured. It also sets out expectations for good practices when collecting sensitive personal information for those purposes. Contracting authorities and legal services can help ensure that contracts include the appropriate clauses to meet the obligations of the Privacy Act.

5.4 Retention

Section 7 of the Privacy Regulations requires that all personal information used for an administrative purpose must be retained for a minimum of two years. This retention period enables individuals to exercise their rights of access and recourse under the Privacy Act. The Privacy Act and the Privacy Regulations do not specify a minimum retention period for personal information that is used for non-administrative purposes, such as personal information elements collected solely for program monitoring, evaluation and reporting purposes. Where personal information is collected for non-administrative purposes, the information should be disposed of as soon as it is no longer required for the activity. Occasionally information must be retained because of other obligations imposed on the program or activity, such as through institutional legislation and related policy instruments. In all cases, institutions should review the information they hold regularly and determine if continued retention is required. Clear retention periods and disposal once the retention period has lapsed will help mitigate privacy risks. Consult the information management specialists within your institution for more information on retention periods.

5.5 Transparency requirements

Section 4.3.18 of the Policy on Results requires institutions to publish evaluation reports and summaries, including complete management responses and actions plans. The Treasury Board of Canada Secretariat must publish reports and summaries of centrally-led evaluations, per 5.2.3 of that policy. As per 4.2.3 of that policy, departments and agencies identified in Schedules I, I.1 and II of the Financial Administration Act must report on departmental results, which are tabled in Parliament via the Departmental Results Reports. Agents of Parliament and Crown corporations are not subject to the reporting requirements per the Policy on Results but may have obligations in accordance with their enabling legislation.

When preparing reports and evaluations, officials are encouraged to share advance copies of their reports with privacy officials so that proactive publication reviews can be conducted. In most cases, the analysis of the results will be rolled up to such an extent that personal information will be sufficiently anonymized. However, a limited amount of personal information, typically names or titles of academics or other experts, may appear in evaluation reports where informed consent has been given by the person or people to whom the information relates.

5.6 Consent

Institutions may use and disclose the personal information they collect without the consent of the individual for one of the 13 specific purposes outlined in the Act. These purposes include: for the purpose for which the information was collected, for research and statistical purposes, which can include assessing the impact of the program or activity, for a use consistent with the original purpose of collection, and for a purpose for which the information may be disclosed, as outlined in section 8(2) of the Act. Section 4.2.12.1 of the Directive on Privacy Practices permits the indirect collection of personal information for a non-administrative purpose without the consent of the individual.

However, when collecting, using and disclosing personal information, especially potentially sensitive information such as GBA Plus or health information, for program monitoring, evaluation and reporting, institutions should consider public trust, the sensitivity of the personal information, and the context in which it is being collected. When collecting potentially sensitive personal information for program monitoring, evaluation and reporting purposes seeking consent and collecting information directly wherever possible can help individuals understand why their personal information is being collected and enable them to make informed decisions about the use of their information. When collecting information via surveys and self-identification questionnaires, participation should be voluntary and “prefer not to say” options to questions should be offered. While direct collection and obtaining consent may not always be required for non-administrative purposes such as program monitoring, evaluation and reporting, obtaining consent from the individual and collecting information directly can provide more accurate data and better support public trust by strengthening transparency and accountability.

It should be noted that obtaining an individual’s consent for collecting personal information does not replace, nor establish, legal authority for collecting that information. Further, certain elements of potentially sensitive personal information, such as information about race or gender, may be subject to additional protections. If in doubt about whether elements of personal information can be collected, used or disclosed without consent, consult your institution’s legal services.

5.7 Data linking for program monitoring, evaluation and reporting

Data linking is a technique to connect or join datasets by matching unique identifier information on individuals or businesses common to the datasets. This linked data is then anonymized to protect privacy and used to conduct much more wide-ranging statistical analysis, comparisons, and evaluation than would be possible with the original single dataset.

In the Government of Canada, data linking is a proven technique for evaluating program impacts. Institutions can undertake data linking activities internally on their own data where the collection authorities exist, or they can leverage Statistics Canada’s data to conduct data linking for non-administrative purposes. Data linking at Statistics Canada is facilitated through their secured data linking environments and microdata linking protocols. The Linkable File Environment is for businesses and the Social Data Linkage Environment is for individuals.

By linking together data from multiple sources and leveraging existing datasets, institutions can better understand the impacts of policies and programs for monitoring, evaluation, and reporting purposes. Data linking also can enhance privacy by reducing data collection across different programs and institutions. For example, institutions that work with Statistics Canada may not need to administer follow-up surveys (for example, on income or educational attainment) for impact analysis, when Statistics Canada already has the data.

When data-linking, institutions must ensure compliance with the Privacy Act and related policy instruments. This includes confirming legal authorities and ensuring that practices related to data linking are addressed in any relevant Privacy Impact Assessments, privacy protocols, PIBs, privacy notice statements, and information sharing agreements, arrangements or contracts. When working with Statistics Canada to leverage data elements that are not within their program’s authority to collect institutions should only be conducting the data linking for non-administrative purposes such as program monitoring, evaluation and reporting. The analyst from the institution will need to swear an oath of secrecy and work within the Statistics Canada data environment. The analyst will have access only to the data stripped of personal identifiers following their swearing of an oath of secrecy. They will return to their institution with the aggregated analysis.

5.8 Additional measures to protect privacy

This section will discuss practices which can help safeguard privacy when collecting, using, retaining, or disclosing personal information for non-administrative use. These measures may offer additional opportunities to ensure that programs and activities respect privacy interests.

Data minimization

Institutions need to be able to demonstrate how the different elements of personal information they collect are directly related to and demonstrably necessary for programs and activities that fall within the institution’s mandate for which it has legal authority (4.2.9, Directive on Privacy Practices).

Even when collecting, using, and disclosing personal information for non-administrative uses, such as program monitoring, evaluation and reporting, government institutions should have administrative controls in place to ensure they do not collect, use, or disclose any more personal information than is necessary for the related programs or activities, and to ensure that the information is not kept longer than required. For example, are day, month and year of birth necessary for monitoring the impacts of a program or activity, or would year of birth alone suffice? Are house number, street name and city name necessary, or would the name of province alone suffice?

De-identification

De-identified information is personal information which has been modified through a process to remove or alter identifiers to a degree that is appropriate in the circumstances. Data aggregation for example, modifying personal information to remove direct identifiers and grouping it into a summary for statistical analysis, is a form of de-identification. It should be noted that de-identified information carries a residual risk of re-identification and as such falls within the scope of the Privacy Act.

De-identification is a privacy preserving technique that can be used to enable institutions to derive value from the information they have already collected in line with their legal authority, while protecting the privacy of individuals. In the context of program monitoring, evaluation and reporting, institutions should consider de-identifying information collected for the administration of a program prior to using and disclosing it in cases when the identity of individuals does not need to be known.

Institutions may consider including de-identification in new or existing processes where other uses of information are envisioned. For example, creating a de-identified version of the information immediately following its administrative use may facilitate future uses and disclosures, even if the technique to de-identify is rudimentary and only deletes direct identifiers. This version of the information would inherently have a layer of privacy protection that can then be built upon with additional de‑identification methods later for a particular use or disclosure. Because de‑identified information carries a risk of re‑identification, the Privacy Act often continues to apply. At the discretion of the institution and following an assessment, de‑identified information may be used or disclosed for program monitoring, evaluation and reporting purposes with appropriate and proportionate privacy protections.

The institution would also have a fully identified version that is retained for a minimum of two years following the last administrative action and for a maximum as defined by the institution’s retention and disposition schedules. Building de-identification into processes allows institutions to make greater use of the data under their control, while also protecting the personal information of individuals.

Institutions should consult the Privacy Implementation Notice 2023-01: De-identification for further information.

Protecting privacy when releasing information about a small number of individuals

In the context of program monitoring, evaluation and reporting, institutions may want to disclose information about a small number of individuals. For example, when publishing evaluation reports that pertain to programs with a limited number of participants (for example, grant programs targeting remote locations or specific populations).

When releasing data about a small number of individuals, where the intention is not to release the identity of the individuals, there is a risk that one or more individuals could be identified in a dataset, even after names and other identifiers have been removed. In order to minimize this risk, institutions may need to take additional measures to help protect privacy and comply with the Privacy Act. For example, institutions can protect against re-identification by applying measures such as suppressing, masking and redacting direct identifiers. When releasing aggregate tables, institutions should determine the appropriate minimum cell size and consider modifying the data to mitigate the risk of re‑identification. Institutions should consult the Privacy Implementation Notice 2020-03: Protecting privacy when releasing information about a small number of individuals for further information.

6. Application

This implementation notice applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations. However, this notice does not apply to the Bank of Canada or to information that is excluded under the Privacy Act.

The Policy on Results and its supporting instruments apply to all departments as defined in section 2 of the Financial Administration Act, except for those that fall under paragraph (b) of the definition, and unless otherwise excluded by other acts, regulations or orders-in-council. Section 6 of that policy sets out its application to small departments and agencies (6.2); Agents of Parliament (6.3); and Crown corporations (6.5).

Institution-specific legislation

Some institutions have their own privacy codes embedded in their enabling legislation, such as Employment and Social Development Canada. In these cases, institutions may be subject to specific requirements for the collection, retention, use, disclosure and disposal of personal information for program monitoring, evaluation and reporting purposes. Additionally, some Privacy Act provisions may be superseded by the institution’s legislation. In such cases, institutions should conform to the privacy requirements set out in their enabling legislation. If in doubt about which legislation applies to your institution’s program monitoring, evaluation and reporting functions, consult your institution’s legal services.

7. References

Legislation

• Canadian Gender Budgeting Act
• Financial Administration Act
• Privacy Act

Related policy instruments

• Directive on Privacy Practices
• Directive on Results
• Directive on Service and Digital
• Policy on Privacy Protection
• Policy on Results
• Policy on Service and Digital

Related guidance instruments and strategies

• 2023–2026 Data Strategy for the Federal Public Service
• Evaluation in the Government of Canada
• Guidance on Preparing Information Sharing Agreements Involving Personal Information
• Impacts of Gender Based Analysis Plus
• Integrating Gender-Based Analysis Plus into Evaluation: A Primer (2019)
• Privacy Implementation Notice 2023-01: De-identification
• Privacy Implementation Notice 2020-03: Protecting privacy when releasing information about a small number of individuals
• Guidance Document: Taking Privacy into Account Before Making Contracting Decisions

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries at publicenquiries-demandesderenseignement@tbs-sct.gc.ca for information about this implementation notice.

Employees of government institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data division at ippd-dpiprp@tbs-sct.gc.ca for information about this implementation notice.