Privacy Act - Annual Report to Parliament 2010-2011

Introduction

The Privacy Act (Revised Statutes of Canada, Chapter P-21, 1985) came into force on July 1, 1983.

The purpose of the Act is to extend the present laws of Canada that protect the privacy of individuals and provide individuals with a right of access to personal information about themselves. It also protects the privacy of individuals by denying third parties access to personal information relating to them and enabling them to exercise strict control over the collection, disclosure and use of such information.

Western Economic Diversification Canada (WD) is committed to both the spirit and the intent of the Privacy Act, which are based on the principles of open government, and to ensuring the privacy of individuals with respect to their personal information held by the department.

This report summarizes WD’s implementation of the Privacy Act and fulfils the requirement under Section 72, which stipulates that, “The head of every government institution shall prepare for submission to Parliament an annual report on the administration of this Act within the institution during each financial year.”

WD will post the annual report to Parliament on its public Web site (www.wd-deo.gc.ca/eng/59.asp) once it is tabled in the House of Commons and the Senate. Alternatively, a request may be submitted to:

Access to Information and Privacy Coordinator
Western Economic Diversification Canada
Suite 1500, Canada Place
9700 Jasper Avenue N.W.
Edmonton, Alberta
T5J 4H7
atip-aiprp@wd-deo.gc.ca

top of page

Mandate

Western Economic Diversification Canada (WD) was established in 1987 to help lessen Western Canada’s (British Columbia, Alberta, Saskatchewan and Manitoba) strong economic dependence on natural resources. Under the Western Economic Diversification Act, 1988, the department is mandated to “…promote the development and diversification of the economy of Western Canada and to advance the interests of Western Canada in national economic policy, program and project development, and implementation.”

To support these outcomes, WD’s programs encourage business development, innovation and community economic development in rural and urban communities. The department plays an important leadership and coordination role in furthering western interests and responding to regional challenges. WD works strategically through partnerships with all orders of government, academic and research institutes, industry associations and non-profit organizations to implement initiatives that leverage funds and expertise for the benefit of the West and western Canadians.

The department organizes its programs and services to pursue its mandate effectively through the following Strategic Outcome: “The western Canadian economy is developed and diversified,” and specifically through program activities that include:

• Business Development;
• Innovation;
• Community Economic Development;
• Policy, Advocacy and Coordination.

WD’s strategic investments in these areas will help to fulfill its vision:

To be leaders in creating a more diversified western Canadian economy that has strong, competitive and innovative businesses and communities.

Access to Information and Privacy Unit

Overview

For the purposes of the Privacy Act, the Minister of the Public Works and Government Services, Minister of Status of Women and minister responsible for Western Economic Diversification (WD) delegated her powers, authorities and responsibilities to the Executive Director, Finance and Corporate Management (Access to Information and Privacy Coordinator) and Manager, Corporate Administration (Deputy Access to Information and Privacy Coordinator). These individuals are accountable for the development, coordination and implementation of effective policies, guidelines, systems and procedures to ensure the Minister's responsibilities under the Act are met and enabling the appropriate processing and proper disclosure of information. The Coordinator is also responsible for related policies, systems and procedures emanating from the Act.

One full-time Access to Information and Privacy (ATIP) Officer in the Corporate Administration unit assists the Coordinator and Deputy Coordinator with ATIP functions at WD.

Regional ATIP Liaison Officers (RALOs) are located in the British Columbia, Alberta, Saskatchewan and Manitoba offices, in the Policy and Strategic Direction sector office in Ottawa and within the Corporate Headquarters and Human Resources units. As the first point of contact, RALOs identify the appropriate subject experts, coordinate retrieval of records responding to access requests and provide liaison between the ATIP Unit and regional staff concerning enquiries.

The activities of WD's ATIP Unit include:

• processing requests in accordance with the Privacy Act;
• responding to consultations submitted by other federal institutions on WD records being considered for release;
• developing and maintaining privacy policies, procedures and guidelines to ensure the Act is respected by staff;
• promoting awareness of the Act within the department to ensure staff is aware of the obligations imposed by the legislation;
• preparing annual reports to Parliament and other statutory requirements, such as annual statistical reports and the department's Info Source chapter, as well as any material that may be required by central agencies;
• representing WD in dealings with the Treasury Board of Canada Secretariat (TBS), the Privacy Commissioner of Canada and other federal organisations regarding the application of the Act as it relates to WD;
• monitoring compliance with the Act, its regulations as well as relevant procedures and policies;
• providing ongoing advice and guidance to senior management and staff on information management and privacy legislation.

top of page

Departmental Policies and Procedures

In accordance with the TBS Directive on Privacy Practices and Directive on Privacy Impact Assessment that came into effect on April 1, 2010, WD updated its Privacy Protection Policy in January 2011 to ensure requirements on a privacy protocol, privacy impact assessments (PIAs) and privacy breaches were incorporated into the Privacy Protection Policy Suite (see Appendix A).

The WD Directive on Privacy Breaches was approved in January 2011 and a comprehensive Privacy Impact Assessment Handbook, including a privacy protocol (see Appendix B), was pending final approval by March 31, 2011. Final approval of the guidance document was received in April 2011; however, in the event of a PIA requirement, the draft Handbook would have been used.

In addition, WD improved information about ATIP on its public web site, including specific information about how to make a request under the Privacy Act as well as a page where PIA summaries will be posted, as appropriate (see Appendix C).

Privacy Training and Awareness

The ATIP Coordinator, Deputy ATIP Coordinator and ATIP Officer provide ongoing advice on privacy issues to RALOs and staff regularly to increase awareness of the Act. They also provide guidance on how the department processes privacy requests, the rationale required to apply the exemptions and exclusions under the Act, where appropriate, and when to conduct a PIA.

The Coordinator, Deputy Coordinator and Officer provide ongoing advice on privacy issues to and staff regularly to increase awareness of the Act. They also provide guidance on how the department processes privacy requests, the rationale required to apply the exemptions and exclusions under the Act, where appropriate, and when to conduct a .

WD ATIP Staff Training:

The Deputy ATIP Coordinator and ATIP Officer attended the Access and Privacy Conference held in Edmonton in June 2010. The ATIP Officer also attended TBS ATIPCommunity Meetings in April, May, September and November 2010 and February 2011.

WD Staff Training:

• In January 2010, an ATIP Meeting and Awareness Session with the RALOs was held in Edmonton (12 attendees). This two-day meeting was the first session held specifically for the RALOs. The focus of the meeting was primarily access to information; privacy was covered in broad strokes.

• In September 2010, a Privacy Awareness session was conducted with the Infrastructure Programs staff of the Saskatchewan Region office via teleconference to discuss questions arising from "The ATIP Eye" message, "YOUR Personal Information," concerning what personal information can be shared with co-workers (10 attendees).

• As part of its access procedures, the ATIP Officer meets with the appropriate subject experts before retrieving records responding to personal information requests made pursuant to the Privacy Act. This has improved awareness and ensured understanding of requirements and timelines as well as clarifying the scope of requests to ensure that records and appropriate advice are received.

"The ATIP Eye" tips are sent to WD staff via email and posted on the department's internal web site. The tips provide advice on frequently asked questions concerning privacy issues or areas where the department might improve on its obligations under the Act in 2010–11, nine tips and specific privacy messages were prepared, including collecting personal information, your personal information and the "need to know." The tips are shared with ATIP officials in federal departments, including the regional development agencies in Quebec and Atlantic Canada, the Canadian Space Agency, National Research Council of Canada and other departments that are part of the Small Agency Administrators Network.

Privacy Awareness Events:

WD recognized Data Privacy Day on January 28, 2011, with staff messages and two posters placed throughout all offices (see Appendix D). The two eye-catching posters entitled "Phishing – Don't Take the Bait!" and "Wi-Fi Predators" encouraged WD staff to aggressively guard their personal information against fraudsters and ensure they practice secure wireless protocols.

The department also maintains an "Access to Information and Privacy" presence on its internal web site that includes policies, procedures, contact information, past training and awareness presentations, relevant links to useful sites related to access and privacy as well as "The ATIP Eye" tips noted above.

top of page

Info Source

WD made substantial changes to its 2010 Info Source chapter to include improvements that the Treasury Board Portfolio office identified as part of the Management Accountability Framework review of Area of Management No. 12 in 2009. TBS advised that the 2010 submission meet TBS requirements, needed minor corrections and provided general advice concerning the ongoing update and maintenance of the information contained in the chapter.

The department submitted two Personal Information Banks to TBS in 2010–11. One was withdrawn, while the second is still being reviewed.

Access to Information Act and Privacy Act Delegation Order

Text version: Access to Information Act and Privacy Act Delegation Order

Display full-size graphic

Privacy Act Delegation of Authority Schedule

Privacy Regulations Delegation of Authority Schedule

top of page

2010–2011 Report on the Privacy Act (Statistical Report)

Name of institution: Western Economic Diversification Canada / Diversification de l'économie de l'Ouest Canada

I – Requests under the Privacy Act / Demandes en vertu de la Loi sur l'accès à l'information

II – Disposition of request completed / Disposition à l'égard des demandes traitées

III – Exemptions invoked / Exceptions invoquées

IV – Exclusions cited / Exclusions citées

V – Completion time / Délai de traitement

VI – Extentions / Prorogations des délais

VII – Translations/ Traductions

VIII - Method of access / Méthode de consultation

IX – Corrections and notation / Corrections et mention

X – Costs / Coûts

top of page

Additional Reporting Requirements – Privacy Act

TBS is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) and the Directive on Privacy Impact Assessment (which took effect on April 1, 2010) through a variety of means. Institutions, therefore, must report the following information for this reporting period. Note that because some institutions are using the Core PIA as outlined in the Directive in advance of the implementation deadline, they will not have Preliminary PIAs to report.

Indicate the number of:

• Preliminary PIA initiated – 1
• Preliminary PIA completed – 0
• PIA initiated – 1
• PIA completed – 0
• PIA forwarded to the Office of the Privacy Commissioner – 0

Note: State explicitly whether your institution did not undertake any of the activities noted above during the reporting period.

In addition, institutions must report on the following:

Privacy Trends and Statistical Overview

Highlights

• Western Economic Diversification Canada (WD) updated its Privacy Protection Policy in January 2011 to include information requirements such as privacy impact assessments (PIAs), establishing a privacy protocol and procedures for privacy breaches. A WD Directive on Privacy Breaches was also approved in January 2011 and a comprehensive Privacy Impact Assessment Handbook was drafted, complete with the Privacy Protocol.

• WD recognized Data Privacy Day on January 28, 2011. Staff messages and two posters, entitled Phishing – Don’t Take the Bait! and Beware of the Wi-Fi Predator! were placed throughout all offices.

• WD received one privacy complaint in 2010–2011 on information that was withheld pursuant to section 27 of the Privacy Act, pertaining to solicitor–client privilege, and subsection 21(1)(b) of the Access to Information Act, pertaining to government consultations and deliberations. The complaint investigation is ongoing and was carried forward into fiscal year 2011–2012. There were no appeals or applications submitted to the Federal Courts.

Challenges

• As federal departments venture into social media, issues about privacy protection, access, records retention and other regulatory requirements will pose a challenge.

Personal Information Requests Pursuant to the Privacy Act

In 2010–2011, (WD) received two requests for personal information under the Privacy Act and one request was carried forward from 2009–2010. All three requests were completed during the initial 30-day period. This is down by 50 percent from fiscal year 2009–2010; however, the department has not historically received many requests for personal information.

Records were partially disclosed on two requests, one of which the department was unable to process. In total, WD processed 449 pages for the requests, of which 372 pages were released in whole or in part.

No consultations or extensions were required when processing the personal information requests.

top of page

Exemptions and Exclusions Invoked

WD invoked Section 27 of the Privacy Act and subsection 21(1)(b) of the Access to Information Act in whole or in part on one personal information request and Section 25 on a second request.

Further to the request for statistical information on exemptions and exclusions applied under the Act in the additional reporting requirements attached to the “Report on the Privacy Act,” WD did not invoke any of the exemptions or exclusion during the 2010–2011 reporting period (see page 11).

Permissible Disclosure of Personal Information

Personal information collected by (WD) in the course of its programs and activities is being disclosed only for the purpose for which it was collected, in accordance with paragraph 8(2)(a) of the Privacy Act.

WD did not disclose personal information for any other purposes as outlined in paragraph 8(2)(m) during the 2010–2011 reporting period.

top of page

Privacy Impact Assessments

In 2002, Treasury Board Secretariat (TBS) issued a policy that requires federal institutions subject to the Privacy Act to conduct PIAs before establishing new programs, systems or policies or before making any substantial modifications to an existing program, system or policy.

While the policy has been rescinded and replaced by a new (TBS) Directive on Privacy Impact Assessment, which came into effect on April 1, 2010, the requirement still exists to ensure that a PIA is conducted whenever personal information is used in an administrative decision-making process. WD did not complete any Preliminary PIAs or PIAs in 2010–2011 and, therefore, no assessments were forwarded to the Office of the Privacy Commissioner or PIA summaries posted on WD’s public Web site.

Further to the request for statistical information on PIAs, which was from the additional reporting requirements attached to the “Report on the Privacy Act,” the following clarifies comments that were reported (see page 11):

• Preliminary PIAs initiated – 1: WD initiated a Preliminary PIA for a Facebook initiative. Comments by the ATIP Unit were provided on the initial submission to ensure privacy considerations were adequately addressed. This initiative is not going forward, however, and, as a result, this Preliminary PIA did not proceed.
• PIAs initiated – 1: Early work began on a Core PIA about online reporting by WD’s clients using AccessKey technology. (TBS) was very helpful in the development stages of this initiative and concluded that WD’s draft Privacy Protocol covered the collection and use of the personal information for non-administrative purposes. As a result, this PIA did not proceed.

WD ensures that careful consideration of privacy risks with respect to the creation, collection and handling of personal information as part of its programs and activities.

top of page

Operational Costs to Administer the Act

WD’s total cost for administrating the Privacy Act in the ATIP Unit is estimated at $22,494, almost double the costs incurred in 2009–2010. This includes estimated salary costs associated with all ATIP Unit employees of $22,218, including a portion of the ATIP and Deputy ATIP Coordinator’s salaries and 25 percent of the ATIP Officer’s salary. In addition, other administrative costs associated with operating and maintenance costs are estimated at $276.

WD also tracks additional privacy-related costs incurred throughout the department, including salary costs of officials involved in the retrieval, review and recommendation phases of the personal information requests and translation services. These additional costs result in an overall cost of $22,966 to the department to administer all aspects of its activities related to the Act.

The increased salary costs can be collated directly with the development of new policies and procedures, such as a privacy protocol, PIAs and privacy breaches. In addition, as WD explored online reporting tools and social media options, a great deal of time was invested in researching and providing guidance to ensure privacy is considered in these initiatives.

The associated ATIP Unit employee resources for 2010–2011 are estimated at 0.31 of a full-time equivalent to administer the Act.

Appendix A – WD Privacy Protection Policy (Revised January 19, 2011)

Policy Objective

Western Economic Diversification Canada (WD) is fully committed to both the spirit and the intent of the Privacy Act, which are based on the principles of open government and to ensure the privacy of individuals with respect to their personal information held by the Department. Therefore, WD’s Privacy Protection Policy ensures that the Department effectively and consistently administers it responsibilities in accordance with the Privacy Act and its Regulations.

Policy Statement

This Policy is based on the Privacy Act and the principles of open government from which it is derived. Specifically, the objectives are to:

• facilitate statutory and regulatory compliance, and enhance effective application of the Privacy Act and its Regulations by WD;
• ensure consistency in practices and procedures in administering the Act and Regulations so that applicants receive assistance in filing requests for access to personal information; and
• ensure effective protection and management of personal information by identifying, assessing, monitoring and mitigating privacy risks in government programs and activities involving the collection, retention, use, disclosure and disposal of personal information.

The expected results of this Policy are:

• sound management and decisions with respect to the handling and protection of personal information, including identifying numbers;
• clear responsibilities in WD for decision-making and managing the operation of the Privacy Act and its Regulations, including complete, accurate and timely responses to Canadians and individuals who are present in Canada and who exercise their right to access to, and correction of, their personal information under the control to the Department;
• consistent public reporting on the administration of the Act through WD’s Annual Report to Parliament, statistical report and the annual publication of Info Source chapters, which are produced by the Treasury Board of Canada Secretariat (TBS); and
• identification, assessment and mitigation of privacy impacts and risks for all new or modified programs and activities that involve the use of personal information.

top of page

Policy Requirements

The TBS Policy on Privacy Protection (April 1, 2008), specifically Section 6 – Policy Requirements, provides guidance as follows which WD has adopted:

• Delegation: The head of the Department (the Minister) is responsible for deciding whether to delegate any of his/her powers, duties and functions under the Act. When the decision is made to delegate responsibilities, WD must have in place a current Delegation Order, signed by the Minister, authorizing which responsibilities may be carried out by particular officials. The powers, duties and functions that may be delegated appear in Appendix B of the TBS Policy.
• Privacy Awareness: WD is responsible for making its employees aware of the policies, procedures and legal responsibilities of the Act.
• Protecting the Identity of Applicants: WD shall ensure that applicants’ identities are protected and only disclosed when authorized by virtue of the Act, and where there is a clear need to know in order to perform duties and functions related to the Act.
• Processing Privacy Requests: WD shall establish effective procedures and systems to respond to privacy requests, that include:
  • directing departmental employees to provide accurate, timely and complete responses to requests made under the Act;
  • implementing written procedures and practices to ensure every reasonable effect is made to help requestors receive complete, accurate and timely responses;
  • establishing effective process and systems to respond to requests for access to, and correction of, personal information and to document deliberations and decisions made concerning requests received under the Act; and
  • establishing procedures that ensure personal information is reviewed to determine if it is subject to the Act, whether exemptions apply and conduct necessary consultations pursuant to the Act are undertaken.
• Cabinet Confidences: WD shall follow established procedures concerning consultations with the Privy Council Office prior to excluding Cabinet Confidences.
• Contracts and Agreements: WD shall establish measures, when personal information is involved, to ensure that it meets the requirements of the Act when contracting with private sector organizations or when entering into agreements or arrangements with public sector institutions
• Notifying the Privacy Commissioner: WD shall notify the Privacy Commissioner of any planned initiatives (legislation, regulations, policies or programs) that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians at the early stage of development to permit the Commissioner to review and discuss the issues involved.
• Use of the Social Insurance Number: WD shall ensure compliance with the specific terms and conditions related to the use of Social Insurance Numbers and the specific restrictions with regard to its collection, use and disclosure.
• Privacy Impact Assessments (PIAs): WD shall ensure that, when applicable, privacy impact assessments and multi-institutional PIAs are developed, maintained and published of the Department’s public website.
• Privacy Protocol for Non-Administrative Purposes: WD shall establish a Privacy Protocol for the collection, use or disclosure of personal information for non-administrative purposes, including research, statistical, and audit and evaluation purposes.
• Exempt Banks: WD shall consult with TBS on any proposal for the establishment or revocation of an exempt bank, and submit specific requests to the President of the Treasury Board with regard to the proposal.
• Monitoring and Reporting Requirements: The ATIP Coordinator is responsible for monitoring compliance of the Policy as it relates to the Act, and ensuring that:
  • an Annual Report to Parliament is prepared and tabled in each House of Parliament;
  • an annual statistical report on the administration of the Act is submitted to TBS;
  • new or modified Personal Information Bank (PIB) descriptions are prepared and registered with TBS; and
  • the Department’s Info Source chapter is updated at a minimum annually, including proposed new or modified PIBs

top of page

Departmental Procedures

WD has developed a Privacy Protection Procedures Manual for the use of WD staff administering the legislation and provides a balanced approach to explaining how the legislation permits both the disclosure and withholding of personal information that has been requested.

In addition, the manual addresses additional mandatory privacy-related requirements including: the correction of personal information, privacy breaches, privacy and contracting, the Social Insurance Number, and the creation and registration of Personal Information Banks (PIBs).

In addition, a Privacy Impact Assessment Handbook and related documents, templates and a Privacy Protocol have been developed in accordance with the requirements of the TBS Directive on Privacy Impact Assessment, which came into effect on April 1, 2010.

The manual and handbook will serve as a reference tools for Regional ATIP Liaison Officers and staff, for the purpose of helping WD staff better understand the implications of the Privacy Act and to build a network within WD to ensure top quality responses to requests for information.

top of page

Authorities

The Privacy Act is supported by a number of legislative, regulatory, policy and procedural instruments that reinforce certain provisions of the Act, as well as provide interpretation and practical guidance of specific sections. These documents include:

Department of Justice Canada

• Access to Information Act: http://laws.justice.gc.ca/en/A-1/
• Access to Information Regulations: http://laws-lois.justice.gc.ca/eng/regulations/SOR-83-507/
• Access to Information Act Heads of Government Institutions Designation Order:
  http://laws.justice.gc.ca/en/showtdm/cr/SI-83-113
• Library and Archives of Canada Act:
  http://laws.justice.gc.ca/en/
• Privacy Act: http://laws.justice.gc.ca/en/P-21/index.html
• Privacy Regulations: http://laws.justice.gc.ca/en/showtdm/cr/SOR-83-508
• Privacy Act Heads of Goverment Institutions Designation Order: http://laws-lois.justice.gc.ca/eng/

Treasury Board of Canada Secretariat

• Access to Information – Policies and Guidelines:
• http://publiservice.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_121/siglist_e.asp
• Communications Policy of the Government of Canada:
• http://publiservice.tbs-sct.gc.ca/pubs_pol/sipubs/comm/comm_e.asp
• Employee Privacy Code: http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/CHAP3_3-eng.asp
• Directive on Privacy Impact Assessment (April 1, 2010):
• http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308
• Directive on Privacy Practices (April 1, 2010):
  http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308
• Directive on Privacy Requests and Correction of Personal Information (April 1, 2010):
  http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18311
• Directive on Social Insurance Number (April 1, 2008):
  http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=13342
• Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
  http://www.tbs-sct.gc.ca/atip-aiprp/tpa-pcp/tpa-pcptb-eng.asp
• Guidance on Preparing Information Sharing Agreements Involving Personal Information (July 2010):
  http://www.tbs-sct.gc.ca/atip-aiprp/isa-eer/isa-eer01-eng.asp
• Guidelines for Privacy Breaches:
  http://www.tbs-sct.gc.ca/atip-aiprp/in-ai/in-ai2007/breach-atteint-eng.asp
• Management of Government Information – Policies and Procedures:
  http://www.tbs-sct.gc.ca/
• Policy on Government Security:
  http://publiservice.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
• Policy on Prevention and Resolution of Harassment in the Workplace:
  http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12414
• Policy on Privacy Protection:
  http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?evttoo=X&id=12510§ion=text

top of page

Western Economic Diversification Canada

• Privacy Protection Procedures Manual
• Privacy Breach Directive
• Privacy Impact Assessment (PIA) Handbook
  • Privacy Protocol
  • Core PIA Template
  • PIA Report Template

In the event of a discrepancy, the Access to Information Act and its Regulations, Orders in Council, the Minister’s Delegation of Authority, directives and official Treasury Board policies shall take precedence over this Policy and WD’s procedures.

Date of Application

This Policy was adopted at a Management Accountability Committee meeting of Western Economic Diversification Canada on November 19, 2008, as part of its Policy Suite. It was revised and approved by Executive Committee on January 19, 2011, and shall apply to all programs services of the Department.

Policy Change Control

Appendix B – WD Privacy Protocol (April 22, 2011)

Western Economic Diversification Canada’s (WD)Privacy Protocol is intended to ensure that the collection, use or disclosure of personal information for non-administrative purposes within the Department is carried out in compliance with the Privacy Act, the Privacy Regulations and related privacy policy requirements of the Treasury Board of Canada Secretariat (TBS).

TBS defines a non-administrative purpose as:

• “The use of personal information for a purpose that is not related to any decision-making process that directly affects an individual.  This includes the use of personal information for research, statistical, audit and evaluation purposes.”

WD is committed not to use the personal information it collected for any other purpose than the proposed non-administrative purpose, except where:

• the individual consents to another use of their information at the time of collection (e.g. to be contacted for audit purposes in the future);
• it is for a consistent purpose (e.g. to contact survey participants to clarify their response); or
• WD might be required to disclose the information in response to a subpoena or other Court order.

Alternatives to the collection, use and disclosure of personal information

When considering the collection, use or disclosure of personal information for non administrative purposes, WD commits to:

• consider alternatives to the collection, use and disclosure of personal information, such as the use of depersonalized or aggregate data; and
• where the proposed non-administrative purpose cannot reasonably be fulfilled without the collection, use or disclosure of personal information, WD will weigh the benefits against the invasion of privacy before determining whether to proceed with the non-administrative program or activity.

top of page

Collection, use and disclosure of personal information

When the ATIP Coordinator or Deputy ATIP Coordinator authorizes the collection, use or disclosure of personal information for a non-administrative purpose, WD will ensure that:

• the personal information relates directly to an operating program or activity of the institution, for which it has legal authority;
• the personal information or data elements being collected, used or disclosed will be limited to that which is essential to meet the objectives of the non-administrative program or activity;
• individuals will be given adequate notice of the non-administrative purpose for which their personal information will be collected, used or disclosed;
• access to personal information will be limited to those individuals who have a genuine need to know to perform functions or duties related to the non-administrative program or activity;
• the personal information will not be used or disclosed for any other purpose beyond the original non-administrative purpose for which it was collected;
• the results of the non-administrative program or activity will not be used to subsequently make any decisions that would directly affect the individuals to whom the information relates;
• the results of the non-administrative program activity will not be published in a way that could potentially identify the individuals to whom the information relates;
• adequate security safeguards will be used to protect the personal information;
• an action plan will be in place to address potential privacy breaches;
• where possible, personal information collected, used and disclosed for a non-administrative purpose will be stripped of all personal identifiers (de-identified) once the non-administrative program or activity has been completed;
• alternatively, if WD determines that it must retain the personal information, it will establish and apply a retention and disposal schedule to the information, including any information generated by the non-administrative program or activity;
• any institution that receives the personal information and is also subject to the Privacy Act will demonstrate that the personal information is directly related to one of its operating programs or activities, and commit to only use the information for the proposed non-administrative purpose (such a sharing of information should be done through a Memorandum of Understanding (MOU) or similar agreement);
• WD will establish a contract or other information sharing agreement with any other recipients of the personal information and the agreement will include adequate privacy protection clauses to ensure that the recipients continue to respect the undertakings of this protocol, including a prohibition respecting any unauthorized use or disclosure of the personal information without the express written authorization of the institution; and
• WD will reserve the right to audit or request audits of recipients’ uses of the personal information.

top of page

Enquiries

All enquiries regarding this Privacy Protocol should be addressed to the ATIP Unit at (780) 495-4982.

Date of Application

This protocol was adopted the ATIP Coordinator on April 22, 2011, as part of its Privacy Protection Policy suite, and shall apply to all programs and services of the Department.

Document Change Control

Appendix C – WD Public Web site, Access to Information and Privacy Section

Text Version (1): Image of Privacy Act section of the WD Public Web site

Text Version (2): Image of Privacy Act section of the WD Public Web site

Text Version (3): Image of Privacy Act section of the WD Public Web site

Appendix D – Data Privacy Day 2011 Awareness Events

Internal Email Message to All Staff

top of page

top of page