Privacy notices are key transparency tools

January 23, 2020

Office of the Privacy Commissioner of Canada Privacy Alerts are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.

---

Canadian government institutions collecting personal information are required, in most circumstances, to inform individuals of the purpose for collection. (See section 5(2) of the Privacy Act.) If done correctly, a privacy notice can help to ensure people understand how the institution will handle their personal information.

Below, are three key considerations for federal institutions to keep in mind when creating a privacy notice.

Make it clear

Make sure your privacy notice is:

• written in plain language;
• clear;
• concise; and,
• as free of legalese and jargon as possible.

Make it complete

In accordance with section 6.2.9 of the Treasury Board of Canada Secretariat’s (TBS) Directive on Privacy Practices, a privacy notice should include a description of:

• the information being collected;
• the law that allows the institution to collect the information;
• the purposes for which the information is being collected and how it will be used or shared;
• individuals’ rights to access and request corrections to their personal information, and to file complaints with the Privacy Commissioner of Canada regarding the institution’s handling of their information;
• the relevant Personal Information Bank published in Info Source; and
• any legal or administrative consequences for individuals who refuse to provide the personal information.

Make it available

According to the Privacy Act, institutions should collect personal information directly from individuals whenever possible. In these circumstances, people should be provided with the privacy notice at the time of collection – for example, on an application form. When information is collected indirectly, other forms of notification may come into play. Here are some tips for providing notice to individuals, whether information is collected directly or indirectly:

• Post notifications on your institution’s website.
• Post content on your institution’s social media accounts.
• Place notification signage in places where personal information is collected.
• Develop a communications campaign to broadly inform individuals of the collection.

Sign up for future Privacy Alerts by subscribing to our RSS feed. Privacy alerts are also posted on our website.