Effective Date: October 21, 2008
Reviewed: September 2017
On this page
- Policy objectives
- Why we collect personal information
- What personal information do we collect?
- Who sees your personal information?
- How we protect your personal information
- Retention and destruction of personal information
- Access or corrections to personal information
- Our roles and responsibilities
- Monitoring and evaluation
- Related references
- Questions or complaints
This Policy is designed to comply with the Privacy Act and the principles of natural justice.
Why we collect personal information
We collect personal information for various reasons. Usually, it relates to the investigations that we conduct or the enquiries that we receive. We may also collect personal information for administrative reasons such as providing individuals with publications or other information that they ask for. We may also, for example, collect it for the purposes of holding a public consultation.
We can only use your personal information for the purpose for which it was obtained or for a use consistent with that purpose, or for a purpose listed in Section 8 of the Privacy Act.
Some of our online tools, which we use to better serve Canadians, involve the collection of personal information. Our Online Complaint Form asks for more detailed personal information. As such, it has its own Online Complaint Form - Privacy Statement. For more information about how our online tools collect and use your personal information, please read our Website Terms and Conditions of Use.
What personal information do we collect?
We only collect personal information that is directly related to one of our programs or activities. Wherever possible, such information will be collected directly from the individual about whom it pertains. The amount and the type of the information collected will be limited to that which is needed to fulfil the identified purpose(s). We only collect what we need.
We may for example, collect your name, contact information, and views in connection with an investigation or a consultation. We may also collect your IP address if you visit our website.
Sometimes we receive more personal information than is needed. For example, we sometimes receive a social insurance number on someone’s general information enquiry. We strongly encourage you not to provide us with information beyond that which is necessary.
We may also collect personal information from other sources, as appropriate, including witnesses, employers, government, or corporate files and records.
Personal information banks (PIBs) are descriptions of personal information under the control of a government institution. The personal information described in a PIB has been used, is being used or is available for an administrative purpose or is organized in such way to make it more efficient to retrieve it. It could be organized by the name of an individual or by an identifying number or symbol. The PIB describes how personal information is collected, used, disclosed, retained and/or disposed of in the administration of a government institution's program or activity.
Who sees your personal information?
We will not disclose your personal information without your consent unless it is allowed under section 8(2) of the Privacy Act. In this case, we will aim to disclose only the specific information that is needed under the circumstances and, wherever possible, will inform you about the disclosure.
Access to personal information within the OPC will be restricted to those staff members who need the information in order to carry out their job duties. Those employees will maintain the information in the strictest of confidence and will not provide access to the information to anyone who is not authorized. The level of staff access to personal information will be granted on a need-to-know basis.
All individuals we hire under contract or other means to conduct business on our behalf will be required to respect the provisions of the Privacy Act as well as this Policy and related internal procedures. Violations of any part of the contractual agreement may result in termination of the contract.
How we protect your personal information
In any organization, failure to protect personal information can increase the risk of a privacy breach. These privacy breaches can lead to things such as reputational harm, fraud or identity theft.
We will protect personal information from loss or theft, unauthorized access, use or disclosure, modification or destruction through appropriate administrative, technical and physical security measures and safeguards.
The level of safeguards used to protect personal information will depend on the:
- sensitivity of the personal information;
- amount, distribution and format of the information;
- method of storage.
We follow the Government of Canada's Policy on Government Security and any other direction or guidance on information technology security received from the relevant federal agencies.
Additional information about our methods of protection:
- staff training on privacy and the protection of personal information,
- granting access to information on a “need-to-know” basis;
- screening and security checks of employees and prospective employees in line with the sensitivity of the information those employees will be handling;
- technical measures such as passwords, audit trails, encryption, firewalls and other technical security safeguards; and
- physical measures such as locked filing cabinets, restricted access to our offices and other areas where personal information is stored.
We will use contractual or other means to ensure a similar level of protection while personal information is being handled by a third party.
Wherever possible, we seek a person’s consent before we collect their personal information. The form of consent may vary depending on the circumstances and the type of information being requested. Consent can be express or implied, and can be provided directly by the individual or by an authorized representative.
Express consent is preferred. Express consent can be given orally, electronically or in writing. Implied consent may be reasonably inferred from a person’s action or inaction. For example, providing a name and address to receive a publication or providing a name and telephone number to receive a response to a question. When determining the appropriate form of consent, we take into account the sensitivity of the personal information, the reasons we are collecting it, and the reasonable expectations of the person. When using personal information for a new purpose, we will document that new purpose and ask for consent again.
During our investigations, it may not always be possible to obtain a person’s consent to collect, use, or disclose their personal information. Both the Privacy Act and PIPEDA allow for the disclosure of personal information during the course of an investigation if it is necessary to carry out that investigation.
We will not use your personal information without your consent unless it is either:
- for the same purpose for which the information was originally collected or compiled,
- consistent with that purpose,
- for a purpose that may be disclosed under section 8(2) of the Privacy Act.
Retention and destruction of personal information
We are responsible for ensuring that all personal information is managed within a set life cycle. According to the Privacy Act, the Privacy Regulations and the Library and Archives of Canada Act, personal information we use to make a decision about an individual shall be retained for at least two years after that decision was made. This allows the person time to exercise legal recourse and provides them with a chance to exercise all their rights under the Privacy Act.
We will retain personal information in accordance with the maximum retention periods set out under the Library and Archives of Canada Act.
The retention, disposition and destruction of personal information is made in strict accordance with the Government of Canada’s Directive on Privacy Practices. Please see OPC sources of federal government and employee information for more details.
Access or corrections to personal information
Individuals do not always need to use the Privacy Act to access to or correct their personal information (e.g. informal request). However, they do have the right to formally request access or corrections to their personal information under the Privacy Act. People also have the right under the Access to Information Act to formally request access to information in our files which may contain their personal information.
Only formal access requests to personal information under the Privacy Act provide you with the right to complain to the Ad Hoc Privacy Commissioner should you be unhappy with the outcome. Likewise, you can only request a correction of your personal information if it has been provided under an official access request pursuant to the Privacy Act. Moreover, only formal access requests for information under the Access to Information Act provide you with the right to complain to the Information Commissioner should you be unsatisfied with the result of your request.
Our staff is required to direct individuals who request formal access or corrections to their personal information to our Access to Information and Privacy (ATIP) Directorate.
Once we receive a formal request under the Privacy Act or the Access to Information Act, our ATIP Directorate responds according to which law the request was made under. Please see our ATIP’s Process and Compliance Manual for more information.
We make every effort to ensure that information we use to make a decision that directly affects someone is as accurate, up-to-date and complete as possible. This also applies to personal information disclosed to third parties.
Additional information about access and correction of personal information:
In cases of access outside of the Privacy Act and the Access to Information Act (e.g. informal access request), we give individuals a reasonable chance to review their personal information, within a reasonable timeframe. If copies are requested, we provide them when possible.
Personal information may be unavailable because it has been destroyed, erased or made anonymous in accordance with information retention policies. To the extent possible, we will inform the individual of the reasons why the personal information no longer exists.
Usually, we will rely on the individual to ensure that factual personal information is accurate, up-to-date and complete. An individual may request a correction to their personal information if it was used in a decision that directly affected them. If an individual is able to prove that their personal information is inaccurate or incomplete, we will correct it. Correction of opinion will normally be made if the individual was the source of the opinion and the opinion does not concern anyone else. Corrections will not normally be made to opinions given by other people about an individual unless there is reason to believe that the source of the opinion was unreliable. If the source of the opinion agrees that their opinion was based on incorrect information, that opinion could be corrected.
If a challenge regarding the accuracy of personal information is not resolved to someone’s satisfaction, we will, at the request of the individual, place a note on the personal information in question advising that a correction was requested but not made. An individual has the right to have a document outlining their version of the matter included on the file.
If the information in question was disclosed to and used by a third party to make an administrative decision about the individual within the 2 years preceding the correction or notation being made, the individual may request that party be notified of the relevant correction or notation.
Our roles and responsibilities
We are responsible for the personal information that we collect, retain, use, disclose, and destroy in the course of fulfilling our mandate. We will continue to develop policies and practices to ensure that personal information is handled in strict accordance with the Privacy Act. Our Chief Privacy Officer is responsible for overseeing the implementation of those policies and practices, including:
- ensuring open, full and timely communication with employees and individuals about our policies, practices and expectations with respect to the handling of personal information;
- establishing standards for classifying the sensitivity of personal information, to determine the appropriate level of security required for the information;
- working with the Departmental Security Officer to ensure that personal information is safeguarded from improper access, loss, use, disclosure or destruction through;
- the implementation of systems to ensure that only our staff whose responsibilities require access to personal information, are granted access to that information;
- the inclusion of specific provisions in contracts or other arrangements with third parties, that require adherence to the Privacy Act as well as to this Policy and other internal procedures;
- ensuring procedures are in place under which individuals may request access to their personal information, request correction of their personal information, and file complaints concerning the management of their personal information;
- ensuring procedures are in place under which individuals are notified of an improper collection, retention, use, disclosure or destruction of their personal information; and
- monitoring the degree of compliance with this Policy and, where required, initiating action to correct any issues.
Employees –staff that collect personal information on our behalf will be required to explain the purpose(s) for which the information is being collected. If unable to do so, they will be required to refer the individual to someone within our office who is able to explain the purpose(s). It is every OPC employee’s duty to inform themselves of their obligations under this Policy and the Privacy Act. Employees must report any and all violations of the Policy or the Act to their manager or to the OPC Chief Privacy Officer.
Managers and Supervisors – along with the responsibilities noted above, managers and supervisors must instruct their staff to respect the Policy and the Act. They must also examine and/or make inquiries into any issues brought to their attention concerning this Policy and the Act. When appropriate, managers and supervisors must notify, work with, or refer certain matters to the Director of HR and the Departmental Security Officer.
OPC Chief Privacy Officer – the OPC Chief Privacy Officer (CPO) will provide advice and guidance to Senior Management, managers, supervisors and employees of the OPC with respect to the treatment of personal information within our Office. The CPO will also act as the main point of contact for individuals seeking information or who have concerns about our handling of their personal information. The CPO is the Director of ATIP and reports to the Privacy Commissioner of Canada.
Director of ATIP - Along with all of the responsibilities noted above, the Director of ATIP is responsible for the proper application of the Privacy Act and policies with respect to individuals’ personal information and their access to it.
Violation of this Policy through intent or neglect may result in disciplinary action up to and including termination of employment or association with the OPC. Legal sanctions may also be pursued if appropriate.
Monitoring and evaluation
Measuring compliance with this policy is part of our internal audit program. We conduct periodic audits within all of our programs and services. The results of internal audits will be reported to the Privacy Commissioner.
The following laws, policies and guidelines should be read along with this Policy:
- Privacy Act and Privacy Regulations
- Access to Information Act and Regulations
- Library and Archives of Canada Act
- Policy on Privacy Protection
- Policy on Government Security
- Directive on Privacy Practices
- Directive on Personal Information Requests and Correction of Personal Information
- Directive on Privacy Practices - Appendix E: Standard on Privacy and Web Analytics
- Directive on Privacy Practices - Appendix B: Mandatory Procedures for Privacy Breaches
- OPC Access to Information and Privacy Process and Compliance Manual
Questions or complaints
Questions or concerns may be brought to the attention of any OPC employee. If they are unable to help, the employee must refer the matter to their immediate supervisor or member of management staff.
If you have any questions about this policy or about how we manage personal information, you may also contact:
Chief Privacy Officer/ATIP Director
Where an individual is not satisfied with the actions we may have taken to rectify a matter, or with the explanations given, they will be informed of their right to file a Privacy Act complaint, and will be given direction as to how to do so. Please note that we do not investigate our own actions with respect to compliance with the Privacy Act. Any related complaints are independently investigated by the Ad Hoc Privacy Commissioner.
- Date modified: