Language selection

Privacy Act - Annual Report to Parliament 2010-2011

Table of Contents

Introduction

The Privacy Act (Revised Statutes of Canada, Chapter P-21, 1985) came into force on July 1, 1983.

The purpose of the Act is to extend the present laws of Canada that protect the privacy of individuals and provide individuals with a right of access to personal information about themselves. It also protects the privacy of individuals by denying third parties access to personal information relating to them and enabling them to exercise strict control over the collection, disclosure and use of such information.

Western Economic Diversification Canada (WD) is committed to both the spirit and the intent of the Privacy Act, which are based on the principles of open government, and to ensuring the privacy of individuals with respect to their personal information held by the department.

This report summarizes WD’s implementation of the Privacy Act and fulfils the requirement under Section 72, which stipulates that, “The head of every government institution shall prepare for submission to Parliament an annual report on the administration of this Act within the institution during each financial year.”

WD will post the annual report to Parliament on its public Web site (www.wd-deo.gc.ca/eng/59.asp) once it is tabled in the House of Commons and the Senate. Alternatively, a request may be submitted to:

Access to Information and Privacy Coordinator
Western Economic Diversification Canada
Suite 1500, Canada Place
9700 Jasper Avenue N.W.
Edmonton, Alberta
T5J 4H7
atip-aiprp@wd-deo.gc.ca

Return to the top of this pagetop of page

Mandate

Western Economic Diversification Canada (WD) was established in 1987 to help lessen Western Canada’s (British Columbia, Alberta, Saskatchewan and Manitoba) strong economic dependence on natural resources. Under the Western Economic Diversification Act, 1988, the department is mandated to “…promote the development and diversification of the economy of Western Canada and to advance the interests of Western Canada in national economic policy, program and project development, and implementation.”

To support these outcomes, WD’s programs encourage business development, innovation and community economic development in rural and urban communities. The department plays an important leadership and coordination role in furthering western interests and responding to regional challenges. WD works strategically through partnerships with all orders of government, academic and research institutes, industry associations and non-profit organizations to implement initiatives that leverage funds and expertise for the benefit of the West and western Canadians.

The department organizes its programs and services to pursue its mandate effectively through the following Strategic Outcome: “The western Canadian economy is developed and diversified,” and specifically through program activities that include:

  • Business Development;
  • Innovation;
  • Community Economic Development;
  • Policy, Advocacy and Coordination.

WD’s strategic investments in these areas will help to fulfill its vision:

To be leaders in creating a more diversified western Canadian economy that has strong, competitive and innovative businesses and communities.

 

Access to Information and Privacy Unit

Overview

For the purposes of the Privacy Act, the Minister of the Public Works and Government Services, Minister of Status of Women and minister responsible for Western Economic Diversification (WD) delegated her powers, authorities and responsibilities to the Executive Director, Finance and Corporate Management (Access to Information and Privacy Coordinator) and Manager, Corporate Administration (Deputy Access to Information and Privacy Coordinator). These individuals are accountable for the development, coordination and implementation of effective policies, guidelines, systems and procedures to ensure the Minister's responsibilities under the Act are met and enabling the appropriate processing and proper disclosure of information. The Coordinator is also responsible for related policies, systems and procedures emanating from the Act.

One full-time Access to Information and Privacy (ATIP) Officer in the Corporate Administration unit assists the Coordinator and Deputy Coordinator with ATIP functions at WD.

Regional ATIP Liaison Officers (RALOs) are located in the British Columbia, Alberta, Saskatchewan and Manitoba offices, in the Policy and Strategic Direction sector office in Ottawa and within the Corporate Headquarters and Human Resources units. As the first point of contact, RALOs identify the appropriate subject experts, coordinate retrieval of records responding to access requests and provide liaison between the ATIP Unit and regional staff concerning enquiries.

The activities of WD's ATIP Unit include:

  • processing requests in accordance with the Privacy Act;
  • responding to consultations submitted by other federal institutions on WD records being considered for release;
  • developing and maintaining privacy policies, procedures and guidelines to ensure the Act is respected by staff;
  • promoting awareness of the Act within the department to ensure staff is aware of the obligations imposed by the legislation;
  • preparing annual reports to Parliament and other statutory requirements, such as annual statistical reports and the department's Info Source chapter, as well as any material that may be required by central agencies;
  • representing WD in dealings with the Treasury Board of Canada Secretariat (TBS), the Privacy Commissioner of Canada and other federal organisations regarding the application of the Act as it relates to WD;
  • monitoring compliance with the Act, its regulations as well as relevant procedures and policies;
  • providing ongoing advice and guidance to senior management and staff on information management and privacy legislation.

Return to the top of this pagetop of page

Departmental Policies and Procedures

In accordance with the TBS Directive on Privacy Practices and Directive on Privacy Impact Assessment that came into effect on April 1, 2010, WD updated its Privacy Protection Policy in January 2011 to ensure requirements on a privacy protocol, privacy impact assessments (PIAs) and privacy breaches were incorporated into the Privacy Protection Policy Suite (see Appendix A).

The WD Directive on Privacy Breaches was approved in January 2011 and a comprehensive Privacy Impact Assessment Handbook, including a privacy protocol (see Appendix B), was pending final approval by March 31, 2011. Final approval of the guidance document was received in April 2011; however, in the event of a PIA requirement, the draft Handbook would have been used.

In addition, WD improved information about ATIP on its public web site, including specific information about how to make a request under the Privacy Act as well as a page where PIA summaries will be posted, as appropriate (see Appendix C).

Privacy Training and Awareness

The ATIP Coordinator, Deputy ATIP Coordinator and ATIP Officer provide ongoing advice on privacy issues to RALOs and staff regularly to increase awareness of the Act. They also provide guidance on how the department processes privacy requests, the rationale required to apply the exemptions and exclusions under the Act, where appropriate, and when to conduct a PIA.

The Coordinator, Deputy Coordinator and Officer provide ongoing advice on privacy issues to and staff regularly to increase awareness of the Act. They also provide guidance on how the department processes privacy requests, the rationale required to apply the exemptions and exclusions under the Act, where appropriate, and when to conduct a .

WD ATIP Staff Training:

The Deputy ATIP Coordinator and ATIP Officer attended the Access and Privacy Conference held in Edmonton in June 2010. The ATIP Officer also attended TBS ATIPCommunity Meetings in April, May, September and November 2010 and February 2011.

WD Staff Training:

  • In January 2010, an ATIP Meeting and Awareness Session with the RALOs was held in Edmonton (12 attendees). This two-day meeting was the first session held specifically for the RALOs. The focus of the meeting was primarily access to information; privacy was covered in broad strokes.
  • In September 2010, a Privacy Awareness session was conducted with the Infrastructure Programs staff of the Saskatchewan Region office via teleconference to discuss questions arising from "The ATIP Eye" message, "YOUR Personal Information," concerning what personal information can be shared with co-workers (10 attendees).
  • As part of its access procedures, the ATIP Officer meets with the appropriate subject experts before retrieving records responding to personal information requests made pursuant to the Privacy Act. This has improved awareness and ensured understanding of requirements and timelines as well as clarifying the scope of requests to ensure that records and appropriate advice are received.

"The ATIP Eye" tips are sent to WD staff via email and posted on the department's internal web site. The tips provide advice on frequently asked questions concerning privacy issues or areas where the department might improve on its obligations under the Act in 2010–11, nine tips and specific privacy messages were prepared, including collecting personal information, your personal information and the "need to know." The tips are shared with ATIP officials in federal departments, including the regional development agencies in Quebec and Atlantic Canada, the Canadian Space Agency, National Research Council of Canada and other departments that are part of the Small Agency Administrators Network.

Privacy Awareness Events:

WD recognized Data Privacy Day on January 28, 2011, with staff messages and two posters placed throughout all offices (see Appendix D). The two eye-catching posters entitled "Phishing – Don't Take the Bait!" and "Wi-Fi Predators" encouraged WD staff to aggressively guard their personal information against fraudsters and ensure they practice secure wireless protocols.

The department also maintains an "Access to Information and Privacy" presence on its internal web site that includes policies, procedures, contact information, past training and awareness presentations, relevant links to useful sites related to access and privacy as well as "The ATIP Eye" tips noted above.

Return to the top of this pagetop of page

Info Source

WD made substantial changes to its 2010 Info Source chapter to include improvements that the Treasury Board Portfolio office identified as part of the Management Accountability Framework review of Area of Management No. 12 in 2009. TBS advised that the 2010 submission meet TBS requirements, needed minor corrections and provided general advice concerning the ongoing update and maintenance of the information contained in the chapter.

The department submitted two Personal Information Banks to TBS in 2010–11. One was withdrawn, while the second is still being reviewed.

Access to Information Act and Privacy Act Delegation Order

Text version: Access to Information Act and Privacy Act Delegation Order

Display full-size graphic

Scanned image of Delegation Order for the Access to Information Act and Privacy Act.

Privacy Act Delegation of Authority Schedule

Sections of the Act Powers and Duties Position
8(2)(j) Disclosure for research purposes
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
8(2)(m)

Disclosure in the public interest or in the interest of the individual

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
8 (4)

Copies of requests under 8(2)(e) to be retained

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
8 (5) Notice of disclosure under 8(2)(m)
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
9(1)

Records of disclosures to be retained

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
9(4) Consistent uses
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
10 Personal information to be included in personal information banks
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
14 Notice where access requested
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
15 Extension of time limits
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
17(2)(b)

Language of access

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
17(3)(b) Access to personal information in alternative format
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
18(2) Exemption (exempt bank) – Disclosure may be refused
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
19(1) Exemption – Personal information obtained in confidence
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
19(2) Exemption -- Where authorized to disclose
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
20

Exemption – Federal-provincial affairs

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
21

Exemption – International affairs and defence

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
22 Exemption – Law enforcement and investigations
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
22.3 Exemption – Public Servants Disclosure Protection Act
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
23 Exemption – Security clearances
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
24

Exemption – Individuals sentenced for an offence

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
25 Exemption – Safety of individuals
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
26 Exemption – Information about another individual
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
27 Exemption – Solicitor-client privilege
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
28

Exemption – Medical record

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
33(2) Right to make representations
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
35(1) Findings and recommendations of Privacy Commissioner (complaints)
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
35(4) FindinAccess to be given
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
36(3) Report of findings and recommendations (exempt banks)
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
37(3) Report of findings and recommendations (compliance review)
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
51(2), (b) Special rules of hearings
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
51(3)

Ex Parte representations

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
70

Denial of access – Cabinet confidences

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
72(1) Report to Parliament
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration

 

77

Responsibilities conferred on the head of the institution by the Regulations made under section 77 which are not included above

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration

 

Privacy Regulations Delegation of Authority Schedule

Sections of the Act Powers and Duties Position
9

Reasonable facilities and time provided to examine personal information

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
11(2)

Notification that correction to personal information has been made

 

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
11(4)

Notification that correction to personal information has been refused

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
13(1) Disclosure of personal information relating to physical and mental health may be made to a qualified medical practitioner or psychologist for an opinion on whether to release information to the requestor
  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration
14

Disclosure of personal information relating to physical or mental health may be made to a requestor in the presence of a qualified medical practitioner or psychologist

  • Executive Director, Finance and Corporate Management
  • Manager, Corporate Administration

 

Return to the top of this pagetop of page

2010–2011 Report on the Privacy Act (Statistical Report)

Name of institution: Western Economic Diversification Canada / Diversification de l'économie de l'Ouest Canada

Reporting period/Période visée par le rapportFrom: 2010/04/01
to: 2011/03/31

I – Requests under the Privacy Act / Demandes en vertu de la Loi sur l'accès à l'information

Received during reporting period / Reçues pendant la période visée par le rapport 2
Outstanding from previous period / En suspens depuis la période antérieure 1
Total 3
Completed during reporting period / Traitées pendant la période visées par le rapport 3
Carried forward / Reportées 0

 

II – Disposition of request completed / Disposition à l'égard des demandes traitées

All disclosed / Communication totale 0
Disclosed in part / Communication partielle 2
Nothing disclosed (excluded) / Aucune communication (exclusion) 0
Nothing disclosed (exempt) / Aucune communication (exemption) 0
Unable to process / Traitement impossible 1
Abandonned by applicant / Abandon de la demande 0
Transferred / Transmission 0
Total 3

 

III – Exemptions invoked / Exceptions invoquées

Section Number of requests
S. Art. 18(2) 0
S. Art. 19(1)(a) 0
(b) 0
(c) 0
(d) 0
S. Art. 20 0
S. Art. 21 0
S. Art. 22(1)(a) 0
(b) 0
(c) 0
S. Art. 22(2) 0
S. Art. 23 (a) 0
S. Art. 24 0
S. Art. 25 1
S. Art. 26 0
S. Art. 27 1
S. Art. 28 0

 

IV – Exclusions cited / Exclusions citées

Section Number of requests
S. Art. 69(1)(a) 0
(b) 0
S. Art. 70(1)(a) 0
(b) 0
(c) 0
(d) 0
(e) 0
(f) 0

 

V – Completion time / Délai de traitement

30 days or under / 30 jours ou moins 3
31 to 60 days / De 31 à 60 jours 0
61 to 120 days / De 61 à 120 jours 0
121 days or over / 121 jours ou plus 0

 

VI – Extentions / Prorogations des délais

  30 days or under / 30 jours ou moins 31 days or over / 31 jours ou plus
Interference with operations / Interruption des opérations 0 0
Consultation 0 0
Translation / Traduction 0 0
Total 0 0

 

VII – Translations/ Traductions

Translations requested / Traductions demandées 0
Translations prepared / English to French / De l'anglais au français 0
Traductions préparées French to English / Du français à l'anglais 0

 

VIII - Method of access / Méthode de consultation

Copies given / Copies de l'original 2
Examination / Examen de l'original 0
Copies and examination / Copies et examen 0

 

IX – Corrections and notation / Corrections et mention

Corrections requested / Corrections demandées 0
Corrections made / Corrections effectuées 0
Notation attached / Mention annexée 0

 

X – Costs / Coûts

Financial (all reasons) / Financiers (raisons) Amount ($)
Salary / Traitement 22,218
Administration (O and M) / Administration (fonctionnement et maintien) 276
Total 22,494

 

Person year utilization (all reasons) / Années-personnes utilisées (raisons)
Person year utilization (all reasons) / Années-personnes utilisées (raisons)
Person year (decimal format) / Années-personnes (nombre décimal) .31

 

 

Return to the top of this pagetop of page

Additional Reporting Requirements – Privacy Act

TBS is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) and the Directive on Privacy Impact Assessment (which took effect on April 1, 2010) through a variety of means. Institutions, therefore, must report the following information for this reporting period. Note that because some institutions are using the Core PIA as outlined in the Directive in advance of the implementation deadline, they will not have Preliminary PIAs to report.

Indicate the number of:

  • Preliminary PIA initiated – 1
  • Preliminary PIA completed – 0
  • PIA initiated – 1
  • PIA completed – 0
  • PIA forwarded to the Office of the Privacy Commissioner – 0

Note: State explicitly whether your institution did not undertake any of the activities noted above during the reporting period.

In addition, institutions must report on the following:

Part III – Exemptions invoked
Paragraph 19(1)(e) WD did not invoke any of these exemptions during the 2010–2011 reporting period.
Paragraph 19.1(f)
Subsection 22.1
Subsection 22.2
Subsection 22.3

 

Part IV – Exclusions cited
Subsection 69.1 WD did not invoke any of these exclusions during the 2010–2011 reporting period.
Subsection 70.1

 

 

Privacy Trends and Statistical Overview

Highlights

  • Western Economic Diversification Canada (WD) updated its Privacy Protection Policy in January 2011 to include information requirements such as privacy impact assessments (PIAs), establishing a privacy protocol and procedures for privacy breaches. A WD Directive on Privacy Breaches was also approved in January 2011 and a comprehensive Privacy Impact Assessment Handbook was drafted, complete with the Privacy Protocol.
  • WD recognized Data Privacy Day on January 28, 2011. Staff messages and two posters, entitled Phishing – Don’t Take the Bait! and Beware of the Wi-Fi Predator! were placed throughout all offices.
  • WD received one privacy complaint in 2010–2011 on information that was withheld pursuant to section 27 of the Privacy Act, pertaining to solicitor–client privilege, and subsection 21(1)(b) of the Access to Information Act, pertaining to government consultations and deliberations. The complaint investigation is ongoing and was carried forward into fiscal year 2011–2012. There were no appeals or applications submitted to the Federal Courts.

Challenges

  • As federal departments venture into social media, issues about privacy protection, access, records retention and other regulatory requirements will pose a challenge.

Personal Information Requests Pursuant to the Privacy Act

In 2010–2011, (WD) received two requests for personal information under the Privacy Act and one request was carried forward from 2009–2010. All three requests were completed during the initial 30-day period. This is down by 50 percent from fiscal year 2009–2010; however, the department has not historically received many requests for personal information.

Records were partially disclosed on two requests, one of which the department was unable to process. In total, WD processed 449 pages for the requests, of which 372 pages were released in whole or in part.

No consultations or extensions were required when processing the personal information requests.

Return to the top of this pagetop of page

Exemptions and Exclusions Invoked

WD invoked Section 27 of the Privacy Act and subsection 21(1)(b) of the Access to Information Act in whole or in part on one personal information request and Section 25 on a second request.

Further to the request for statistical information on exemptions and exclusions applied under the Act in the additional reporting requirements attached to the “Report on the Privacy Act,” WD did not invoke any of the exemptions or exclusion during the 2010–2011 reporting period (see page 11).

Permissible Disclosure of Personal Information

Personal information collected by (WD) in the course of its programs and activities is being disclosed only for the purpose for which it was collected, in accordance with paragraph 8(2)(a) of the Privacy Act.

WD did not disclose personal information for any other purposes as outlined in paragraph 8(2)(m) during the 2010–2011 reporting period.

Return to the top of this pagetop of page

Privacy Impact Assessments

In 2002, Treasury Board Secretariat (TBS) issued a policy that requires federal institutions subject to the Privacy Act to conduct PIAs before establishing new programs, systems or policies or before making any substantial modifications to an existing program, system or policy.

While the policy has been rescinded and replaced by a new (TBS) Directive on Privacy Impact Assessment, which came into effect on April 1, 2010, the requirement still exists to ensure that a PIA is conducted whenever personal information is used in an administrative decision-making process. WD did not complete any Preliminary PIAs or PIAs in 2010–2011 and, therefore, no assessments were forwarded to the Office of the Privacy Commissioner or PIA summaries posted on WD’s public Web site.

Further to the request for statistical information on PIAs, which was from the additional reporting requirements attached to the “Report on the Privacy Act,” the following clarifies comments that were reported (see page 11):

  • Preliminary PIAs initiated – 1: WD initiated a Preliminary PIA for a Facebook initiative. Comments by the ATIP Unit were provided on the initial submission to ensure privacy considerations were adequately addressed. This initiative is not going forward, however, and, as a result, this Preliminary PIA did not proceed.
  • PIAs initiated – 1: Early work began on a Core PIA about online reporting by WD’s clients using AccessKey technology. (TBS) was very helpful in the development stages of this initiative and concluded that WD’s draft Privacy Protocol covered the collection and use of the personal information for non-administrative purposes. As a result, this PIA did not proceed.

WD ensures that careful consideration of privacy risks with respect to the creation, collection and handling of personal information as part of its programs and activities.

Return to the top of this pagetop of page

Operational Costs to Administer the Act

WD’s total cost for administrating the Privacy Act in the ATIP Unit is estimated at $22,494, almost double the costs incurred in 2009–2010. This includes estimated salary costs associated with all ATIP Unit employees of $22,218, including a portion of the ATIP and Deputy ATIP Coordinator’s salaries and 25 percent of the ATIP Officer’s salary. In addition, other administrative costs associated with operating and maintenance costs are estimated at $276.

WD also tracks additional privacy-related costs incurred throughout the department, including salary costs of officials involved in the retrieval, review and recommendation phases of the personal information requests and translation services. These additional costs result in an overall cost of $22,966 to the department to administer all aspects of its activities related to the Act.

The increased salary costs can be collated directly with the development of new policies and procedures, such as a privacy protocol, PIAs and privacy breaches. In addition, as WD explored online reporting tools and social media options, a great deal of time was invested in researching and providing guidance to ensure privacy is considered in these initiatives.

The associated ATIP Unit employee resources for 2010–2011 are estimated at 0.31 of a full-time equivalent to administer the Act.

Appendix A – WD Privacy Protection Policy (Revised January 19, 2011)

Policy Objective

Western Economic Diversification Canada (WD) is fully committed to both the spirit and the intent of the Privacy Act, which are based on the principles of open government and to ensure the privacy of individuals with respect to their personal information held by the Department. Therefore, WD’s Privacy Protection Policy ensures that the Department effectively and consistently administers it responsibilities in accordance with the Privacy Act and its Regulations.

Policy Statement

This Policy is based on the Privacy Act and the principles of open government from which it is derived. Specifically, the objectives are to:

  • facilitate statutory and regulatory compliance, and enhance effective application of the Privacy Act and its Regulations by WD;
  • ensure consistency in practices and procedures in administering the Act and Regulations so that applicants receive assistance in filing requests for access to personal information; and
  • ensure effective protection and management of personal information by identifying, assessing, monitoring and mitigating privacy risks in government programs and activities involving the collection, retention, use, disclosure and disposal of personal information.

The expected results of this Policy are:

  • sound management and decisions with respect to the handling and protection of personal information, including identifying numbers;
  • clear responsibilities in WD for decision-making and managing the operation of the Privacy Act and its Regulations, including complete, accurate and timely responses to Canadians and individuals who are present in Canada and who exercise their right to access to, and correction of, their personal information under the control to the Department;
  • consistent public reporting on the administration of the Act through WD’s Annual Report to Parliament, statistical report and the annual publication of Info Source chapters, which are produced by the Treasury Board of Canada Secretariat (TBS); and
  • identification, assessment and mitigation of privacy impacts and risks for all new or modified programs and activities that involve the use of personal information.

Return to the top of this pagetop of page

Policy Requirements

The TBS Policy on Privacy Protection (April 1, 2008), specifically Section 6 – Policy Requirements, provides guidance as follows which WD has adopted:

  • Delegation: The head of the Department (the Minister) is responsible for deciding whether to delegate any of his/her powers, duties and functions under the Act. When the decision is made to delegate responsibilities, WD must have in place a current Delegation Order, signed by the Minister, authorizing which responsibilities may be carried out by particular officials. The powers, duties and functions that may be delegated appear in Appendix B of the TBS Policy.
  • Privacy Awareness: WD is responsible for making its employees aware of the policies, procedures and legal responsibilities of the Act.
  • Protecting the Identity of Applicants: WD shall ensure that applicants’ identities are protected and only disclosed when authorized by virtue of the Act, and where there is a clear need to know in order to perform duties and functions related to the Act.
  • Processing Privacy Requests: WD shall establish effective procedures and systems to respond to privacy requests, that include:
    • directing departmental employees to provide accurate, timely and complete responses to requests made under the Act;
    • implementing written procedures and practices to ensure every reasonable effect is made to help requestors receive complete, accurate and timely responses;
    • establishing effective process and systems to respond to requests for access to, and correction of, personal information and to document deliberations and decisions made concerning requests received under the Act; and
    • establishing procedures that ensure personal information is reviewed to determine if it is subject to the Act, whether exemptions apply and conduct necessary consultations pursuant to the Act are undertaken.
  • Cabinet Confidences: WD shall follow established procedures concerning consultations with the Privy Council Office prior to excluding Cabinet Confidences.
  • Contracts and Agreements: WD shall establish measures, when personal information is involved, to ensure that it meets the requirements of the Act when contracting with private sector organizations or when entering into agreements or arrangements with public sector institutions
  • Notifying the Privacy Commissioner: WD shall notify the Privacy Commissioner of any planned initiatives (legislation, regulations, policies or programs) that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians at the early stage of development to permit the Commissioner to review and discuss the issues involved.
  • Use of the Social Insurance Number: WD shall ensure compliance with the specific terms and conditions related to the use of Social Insurance Numbers and the specific restrictions with regard to its collection, use and disclosure.
  • Privacy Impact Assessments (PIAs): WD shall ensure that, when applicable, privacy impact assessments and multi-institutional PIAs are developed, maintained and published of the Department’s public website.
  • Privacy Protocol for Non-Administrative Purposes: WD shall establish a Privacy Protocol for the collection, use or disclosure of personal information for non-administrative purposes, including research, statistical, and audit and evaluation purposes.
  • Exempt Banks: WD shall consult with TBS on any proposal for the establishment or revocation of an exempt bank, and submit specific requests to the President of the Treasury Board with regard to the proposal.
  • Monitoring and Reporting Requirements: The ATIP Coordinator is responsible for monitoring compliance of the Policy as it relates to the Act, and ensuring that:
    • an Annual Report to Parliament is prepared and tabled in each House of Parliament;
    • an annual statistical report on the administration of the Act is submitted to TBS;
    • new or modified Personal Information Bank (PIB) descriptions are prepared and registered with TBS; and
    • the Department’s Info Source chapter is updated at a minimum annually, including proposed new or modified PIBs

Return to the top of this pagetop of page

Departmental Procedures

WD has developed a Privacy Protection Procedures Manual for the use of WD staff administering the legislation and provides a balanced approach to explaining how the legislation permits both the disclosure and withholding of personal information that has been requested.

In addition, the manual addresses additional mandatory privacy-related requirements including: the correction of personal information, privacy breaches, privacy and contracting, the Social Insurance Number, and the creation and registration of Personal Information Banks (PIBs).

In addition, a Privacy Impact Assessment Handbook and related documents, templates and a Privacy Protocol have been developed in accordance with the requirements of the TBS Directive on Privacy Impact Assessment, which came into effect on April 1, 2010.

The manual and handbook will serve as a reference tools for Regional ATIP Liaison Officers and staff, for the purpose of helping WD staff better understand the implications of the Privacy Act and to build a network within WD to ensure top quality responses to requests for information.

Return to the top of this pagetop of page

Authorities

The Privacy Act is supported by a number of legislative, regulatory, policy and procedural instruments that reinforce certain provisions of the Act, as well as provide interpretation and practical guidance of specific sections. These documents include:

Department of Justice Canada

  • Access to Information Act: http://laws.justice.gc.ca/en/A-1/
  • Access to Information Regulations: http://laws-lois.justice.gc.ca/eng/regulations/SOR-83-507/
  • Access to Information Act Heads of Government Institutions Designation Order:
    http://laws.justice.gc.ca/en/showtdm/cr/SI-83-113
  • Library and Archives of Canada Act:
    http://laws.justice.gc.ca/en/
  • Privacy Act: http://laws.justice.gc.ca/en/P-21/index.html
  • Privacy Regulations: http://laws.justice.gc.ca/en/showtdm/cr/SOR-83-508
  • Privacy Act Heads of Goverment Institutions Designation Order: http://laws-lois.justice.gc.ca/eng/

Treasury Board of Canada Secretariat

  • Access to Information – Policies and Guidelines:
  • http://publiservice.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_121/siglist_e.asp
  • Communications Policy of the Government of Canada:
  • http://publiservice.tbs-sct.gc.ca/pubs_pol/sipubs/comm/comm_e.asp
  • Employee Privacy Code: http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/CHAP3_3-eng.asp
  • Directive on Privacy Impact Assessment (April 1, 2010):
  • http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308
  • Directive on Privacy Practices (April 1, 2010):
    http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308
  • Directive on Privacy Requests and Correction of Personal Information (April 1, 2010):
    http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18311
  • Directive on Social Insurance Number (April 1, 2008):
    http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=13342
  • Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
    http://www.tbs-sct.gc.ca/atip-aiprp/tpa-pcp/tpa-pcptb-eng.asp
  • Guidance on Preparing Information Sharing Agreements Involving Personal Information (July 2010):
    http://www.tbs-sct.gc.ca/atip-aiprp/isa-eer/isa-eer01-eng.asp
  • Guidelines for Privacy Breaches:
    http://www.tbs-sct.gc.ca/atip-aiprp/in-ai/in-ai2007/breach-atteint-eng.asp
  • Management of Government Information – Policies and Procedures:
    http://www.tbs-sct.gc.ca/
  • Policy on Government Security:
    http://publiservice.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
  • Policy on Prevention and Resolution of Harassment in the Workplace:
    http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12414
  • Policy on Privacy Protection:
    http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?evttoo=X&id=12510§ion=text

Return to the top of this pagetop of page

Western Economic Diversification Canada

  • Privacy Protection Procedures Manual
  • Privacy Breach Directive
  • Privacy Impact Assessment (PIA) Handbook
    • Privacy Protocol
    • Core PIA Template
    • PIA Report Template

In the event of a discrepancy, the Access to Information Act and its Regulations, Orders in Council, the Minister’s Delegation of Authority, directives and official Treasury Board policies shall take precedence over this Policy and WD’s procedures.

Date of Application

This Policy was adopted at a Management Accountability Committee meeting of Western Economic Diversification Canada on November 19, 2008, as part of its Policy Suite. It was revised and approved by Executive Committee on January 19, 2011, and shall apply to all programs services of the Department.

Policy Change Control

Revision Number Date Issued Author Brief Description of Change
v1.0 November 19, 2008 ATIP Officer New policy based on the April 2008 TBS Privacy Protection Policy.
v2.0 February 19, 2011 ATIP Officer Bi-annual review and update to ensure April 2010 TBS privacy-related directives are incorporated.

Appendix B – WD Privacy Protocol (April 22, 2011)

Western Economic Diversification Canada’s (WD)Privacy Protocol is intended to ensure that the collection, use or disclosure of personal information for non-administrative purposes within the Department is carried out in compliance with the Privacy Act, the Privacy Regulations and related privacy policy requirements of the Treasury Board of Canada Secretariat (TBS).

TBS defines a non-administrative purpose as:

  • “The use of personal information for a purpose that is not related to any decision-making process that directly affects an individual.  This includes the use of personal information for research, statistical, audit and evaluation purposes.”

WD is committed not to use the personal information it collected for any other purpose than the proposed non-administrative purpose, except where:

  • the individual consents to another use of their information at the time of collection (e.g. to be contacted for audit purposes in the future);
  • it is for a consistent purpose (e.g. to contact survey participants to clarify their response); or
  • WD might be required to disclose the information in response to a subpoena or other Court order.

Alternatives to the collection, use and disclosure of personal information

When considering the collection, use or disclosure of personal information for non administrative purposes, WD commits to:

  • consider alternatives to the collection, use and disclosure of personal information, such as the use of depersonalized or aggregate data; and
  • where the proposed non-administrative purpose cannot reasonably be fulfilled without the collection, use or disclosure of personal information, WD will weigh the benefits against the invasion of privacy before determining whether to proceed with the non-administrative program or activity.

Return to the top of this pagetop of page

Collection, use and disclosure of personal information

When the ATIP Coordinator or Deputy ATIP Coordinator authorizes the collection, use or disclosure of personal information for a non-administrative purpose, WD will ensure that:

  • the personal information relates directly to an operating program or activity of the institution, for which it has legal authority;
  • the personal information or data elements being collected, used or disclosed will be limited to that which is essential to meet the objectives of the non-administrative program or activity;
  • individuals will be given adequate notice of the non-administrative purpose for which their personal information will be collected, used or disclosed;
  • access to personal information will be limited to those individuals who have a genuine need to know to perform functions or duties related to the non-administrative program or activity;
  • the personal information will not be used or disclosed for any other purpose beyond the original non-administrative purpose for which it was collected;
  • the results of the non-administrative program or activity will not be used to subsequently make any decisions that would directly affect the individuals to whom the information relates;
  • the results of the non-administrative program activity will not be published in a way that could potentially identify the individuals to whom the information relates;
  • adequate security safeguards will be used to protect the personal information;
  • an action plan will be in place to address potential privacy breaches;
  • where possible, personal information collected, used and disclosed for a non-administrative purpose will be stripped of all personal identifiers (de-identified) once the non-administrative program or activity has been completed;
  • alternatively, if WD determines that it must retain the personal information, it will establish and apply a retention and disposal schedule to the information, including any information generated by the non-administrative program or activity;
  • any institution that receives the personal information and is also subject to the Privacy Act will demonstrate that the personal information is directly related to one of its operating programs or activities, and commit to only use the information for the proposed non-administrative purpose (such a sharing of information should be done through a Memorandum of Understanding (MOU) or similar agreement);
  • WD will establish a contract or other information sharing agreement with any other recipients of the personal information and the agreement will include adequate privacy protection clauses to ensure that the recipients continue to respect the undertakings of this protocol, including a prohibition respecting any unauthorized use or disclosure of the personal information without the express written authorization of the institution; and
  • WD will reserve the right to audit or request audits of recipients’ uses of the personal information.

Return to the top of this pagetop of page

Enquiries

All enquiries regarding this Privacy Protocol should be addressed to the ATIP Unit at (780) 495-4982.

Date of Application

This protocol was adopted the ATIP Coordinator on April 22, 2011, as part of its Privacy Protection Policy suite, and shall apply to all programs and services of the Department.

Document Change Control

Revision Number Date Issued Author Brief Description of Change
v1.0 April 22, 2011 ATIP Officer New protocol is based on the requirements of the April 1, 2010, TBS Directive on Privacy Impact Assessment

Appendix C – WD Public Web site, Access to Information and Privacy Section

Text Version (1): Image of Privacy Act section of the WD Public Web site
Screen shot image depicting the Access to Information and Privacy page on WD’s public website

Text Version (2): Image of Privacy Act section of the WD Public Web site
Screen shot image depicting the Access to Information and Privacy page on WD’s public website

Text Version (3): Image of Privacy Act section of the WD Public Web site
Screen shot image depicting the Access to Information and Privacy page on WD’s public website

Appendix D – Data Privacy Day 2011 Awareness Events

Internal Email Message to All Staff

 

Sent: Thursday, January 26, 2011 at 9:19 AM
Subject: Data Privacy Day | Journée de la protection des données

Date Privacy Day 2011 - January 28th

Visit the Privacy Act page for more information…

 

 

Privacy Act

Data Privacy Day 2011: January 28th

Every day people around the world are using powerful technologies and devices to improve their lives. Software is developed, hardware built, and services designed to enhance productivity, communications and safety. We have come to depend on mobile communications, instant access to information and intelligent services, and we’re empowered by these technologies in ways we would never have imagined…even a few years ago.

Despite the benefits of these technologies, doubts and worries persist about just how much personal information is collected, retained, used and disclosed to provide these convenient and pervasive tools and services.

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements and histories stored as many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it – with whom are they sharing it? Most of all, individuals are asking ‘How can I protect my information from being misused?’ These are reasonable questions to ask and we should know the answers.

Even WD must question whether they are complying with privacy laws and regulations requiring privacy protections for our clients and staff.

Please take the time to read the 2011 Data Privacy Day posters located throughout WD offices, to learn ways to protect your personal information in your day-to-day lives.

  • Phishing – Don’t Take the Bait!
  • WiFi Predators

 

Canada's Logoflag of Canada

 

Return to the top of this pagetop of page

Poster: Phishing – Don’t Take the Bait!

Phishing is a criminal activity carried out by fraudsters attempting to obtain sensitive personal information such as passwords and credit card details.  Victims may stumble onto phishing websites by simply mistyping a web address (URL), but usually they receive an e-mail that masquerades as official communication from a trusted source, such as financial institutions and even government departments, and are then directed to reply to the e-mail or go to a phishing website.

Phishing e-mails and websites have become increasingly sophisticated in appearance and are often difficult to distinguish from legitimate ones.  Most create the impression that there is an immediate threat to one of your accounts (e-mail, bank, etc.).  Unfortunately, because there is an implied urgency to respond, victims often supply their personal information.

Don't take the bait and click or respond…

  • If it sounds too good to be true, it is.  And, if the message does not appear authentic, it probably isn't.
  • Delete requests for your password WD’s IT staff will never ask for your password via e-mail…if needed, be sure you know the individual making the request, understand the reason it is needed, then change the password when they have completed their work).  If you supply your passwords…
  • your e-mail accounts may be used to conduct fraud or other illegal activities!
  • your existing financial accounts may be used to withdraw money or make purchases or new bank and credit card accounts opened in your name (identity theft).
  • Be suspicious of requests for financial information or if the message asks you to send your information to them, rather than the other way around.
  • Logon regularly to your online account and check your transactions, grades, etc.
  • Don’t click links to unexpected e-mail.  If you follow links to a phishing site, “drive-by-download” software may take over your computer for criminal purposes or everything you type may be monitored (key stroke monitoring).  Safe alternatives are to type the organizations main URL into your web browser’s address bar and navigate from there, or call the organization using a telephone number from a reliable source (telephone book).  Does the content of the message appear in search engine results?
  • If you hover your mouse over the link, does your browser or security software silently scream at you?
  • Don’t fill out forms embedded in e-mail messages.
  • Avoid using public computers for financial and other sensitive communication (password sniffing software or hardware may be installed on public computers).
  • Seeing silly typos, formatting or grammatical errors a professional would not make.
  • If you don't have an account with the company supposedly sending the email!
  • If it sounds too good to be true, it is.  And, if the message does not appear authentic, it probably isn't.

 

Canada's Logoflag of Canada

 

Return to the top of this pagetop of page

Poster: Beware of the Wi-Fi Predator

It’s great! A Wi-Fi network makes life more comfortable because you can access the Internet from portable devices from virtually every corner of your home or in Wi-Fi zones even in your favourite coffee shops without those pesky cables getting in the way! Amazing!

But the downside is obvious (or maybe not to some technophobes)… you can’t stop the radio signals from going out of your home or Wi-Fi zone. That means if you haven’t enabled security to your wireless router, even the most inept neighbour can snoop and easily piggyback on your Wi-Fi connection.

Despite warnings to Twitter, Facebook and other social media sites, insecure surfing leaves your accounts open to hijacking. Just think, your neighbour or child’s friend might be hacking into your personal networks and scooping up bank passwords from just across the street or even in the next room!

Naturally, if your neighbour can do this, just think what a Wi-Fi predator can do! Someone can do something illegal on the Internet through your network, and you end up guilty. Victims could find it difficult to go after the Wi-Fi predator because how do you figure out who they are!

Tips to safeguard against the Wi-Fi predator…or even the simple snoop!

  1. Don’t use open Wi-Fi networks. If you must, when signing into Facebook, Twitter, your e-mail or other websites that require user authentication, ensure the web address starts with https…”s” stands for secure. Some sites, like banks, automatically default to https. Others like Facebook and Twitter don’t, but you can choose that option.
  2. To switch to a secure connection, go to the address bar and add an “s” to http. When you do this, you’ll find yourself at the secure sites. Be sure to bookmark the secure site (i.e. https://facebook.com).
  3. Use tools like the Firefox plug-in Force-TLS to force sites to use https, a move that makes any data transferred between your computer and the website it accesses unreadable to predators and snoops (Force-TLS – https://addons.mozilla.org).
  4. Make sure you logout of any networks that require authentication when moving to a new wireless location. When you reach your new location, login again, making sure it’s over an https connection.
  5. Use WD’s virtual private network (VPN) or set up your own VPN, although that is a complicated option the casual computer user wouldn’t want to undertake, for government-related business.

 

Canada's Logoflag of Canada

 

 

Date modified: