Personal information handling and transparency


The controls and activities in the Personal information handling and transparency (PT) family support the confidentiality and integrity of personal information and its lawful handling as per Canadian privacy laws.

The controls in this family loosely correspond to those in NIST SP 800-53 Rev. 5, but privacy law in Canada differs significantly from that in the United States, so the control and activity statements and their discussions are not directly aligned.

PT-01 Personal information handling and transparency policy and procedures

Activity

  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
    1. [Selection (1 or more): organization-level; mission/business process-level; system-level] privacy policy and personal information handling procedures that
      1. address objectives, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance obligations
      2. are consistent with applicable laws, jurisprudence, directives, regulations, policies, standards, and guidelines
    2. procedures to facilitate the implementation of the privacy policy and procedures for personal information handling and the associated personal information handling and transparency controls
  2. Delegate responsibility to [Assignment: organization-defined official] to develop, document, and communicate personal information handling and transparency policy and procedures
  3. Review and update personal information handling and transparency
    1. privacy policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
    2. personal information handling procedures, including transparency requirements [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

Privacy policies and personal information handling procedures, including transparency requirements, address the controls in the PT family that are implemented within systems or that are specific to program activities and to the organization. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of the policies and procedures that document or affect personal information handling.

Security and privacy policies and procedures at the organization level are required and augment program activity or system-specific personal information handling procedures. The privacy policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.

Procedures can be established at the organizational level, for program activities or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.

Events that may precipitate an update to an organization privacy policy and personal information handling and transparency procedures include assessment or audit findings, breaches, or changes in applicable laws, jurisprudence, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Related controls and activities

PM-18, PM-20, PM-27, SI-02.

Enhancements

None.

References

 

PT-02 Authority to collect and use personal information

Control

  1. Determine and document the [Assignment: organization-defined authority] that permits the [Assignment: organization-defined collection and use] of personal information
  2. Restrict the [Assignment: organization-defined collection and use] of personal information to only that which is authorized

Discussion

The collection and use of personal information is an operation or set of operations that the information system or organization performs with respect to personal information across the information lifecycle. Handling includes but is not limited to creation, collection, use, correction, modification, retention, disclosure, and disposal. Handling operations may also include accessing, logging, creating/generating, and transforming, as well as statistical and analysis techniques, such as data mining and advanced analytics. Handling is commonly required by service suppliers to provide the service.

Organizations take steps to ensure that personal information is only handled for authorized purposes, including training organizational personnel on the authorized handling of personal information and monitoring and auditing organizational use of personal information.

GC discussion

Federal institutions are subject to laws or Orders in Council that provide the institution’s authority to establish program activities that collect and use personal information. Institutions must handle the personal information under their control in accordance with the requirements of the Privacy Act and related TBS policies and directives.

Appropriate privacy senior officials should consult with the appropriate privacy practitioner or executive and legal counsel regarding their authority and the appropriate handling requirements, particularly if the authorities are complex in nature. Even where the handling of personal information is legally permissible, privacy risks may still arise.

PIAs, combined with other risk assessments, can identify the privacy impacts associated with the handling of personal information and support solutions to manage such risks. The Cyber Centre publication Organizational cyber security and privacy risk management activities (ITSP.10.036) provides an integrated approach to mitigating security and privacy risks through the system development lifecycle.

When handling personal information, federal institutions must follow the Privacy Act, its regulations, and related TBS policies and directives. Some organizations may also be subject to additional legislation that dictates handling requirements for personal information. With few exceptions, institutions must notify individuals of the purpose for collecting their information and how it will be used and disclosed. This notice should be given at the point of collection.

If personal information is used in a decision-making process or stored in a manner intended to allow retrieval by the individual’s identity, institutions should further document in PIBs the personal information elements that are collected or created (including the legal authority) and how they may be disclosed. In addition, these program activities must conduct a PIA, which serves as an input to the risk assessment. Privacy risks should be identified before the start of the program or activity. A summary of the PIA must be posted online. Additional accountability and governance instruments, such as information sharing agreements or arrangements, contracts, and memoranda of understanding, must be in place before personal information is shared or services that involve personal information are contracted out.

Related controls and activities

AC-02, AC-03, CM-13, IR-09, PM-09, PM-19, PM-24, PT-01, PT-03, PT-05, PT-06, RA-03, RA-08, SI-12, SI-18.

Enhancements

  • (01) Authority to collect and use personal information: Data tagging
    • Attach data tags containing [Assignment: organization-defined authorized handling] to [Assignment: organization-defined elements of personal information].
    • Discussion: Data tags support the tracking and enforcement of authorized handling by conveying the types of handling that are authorized, along with the relevant elements of personal information throughout the system. Data tags may also support the use of automated tools.
    • Related controls and activities: AC-16, CA-06, CM-12, PM-05, PM-22, PT-04, SC-16, SC-43, SI-10, SI-15, SI-19.
  • (02) Authority to collect and use personal information: Automation
    • Manage enforcement of the authorized handling of personal information using [Assignment: organization-defined automated mechanisms].
    • Discussion: Automated mechanisms augment verification that only authorized handling is occurring.
    • Related controls and activities: CA-06, CM-12, PM-05, PM-22, PT-04, SC-16, SC-43, SI-10, SI-15, SI-19.

References

 

PT-03 Personal information handling uses and disclosures

Control

  1. Identify and document the [Assignment: organization-defined use(s) and disclosure(s)] associated with collections of personal information
  2. Describe the purpose(s) of collection in the privacy notices and policies of the program activity or organization
  3. Restrict the [Assignment: organization-defined use(s) and disclosure(s)] of personal information to only that which is compatible with the identified purpose(s) or permissible under the Privacy Act
  4. Monitor changes in handling personal information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: identified legislative requirements]
    1. Update the PIB and notify the OPC and TBS of the new use or disclosure

Discussion

Identifying and documenting the purpose of collection provides organizations with a basis for understanding how personal information may then be handled. The term “handling” refers to any process involving personal information in the information lifecycle, including collection, creation, correction, modification, use, retention, disclosure, and disposal. Identifying and documenting the primary purpose of collection, along with consistent uses or permissible secondary uses or disclosures, enables information custodians and operators of the system and individuals whose information is handled by the system to understand how the information will be used. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests.

Organizations should take steps to help ensure that personal information is used or disclosed only for the identified purpose. Organizational personnel should receive training and the organizational handling of personal information should be monitored and audited.

GC discussion

Once the primary purpose of collection has been identified, the purpose is described in the activity or service privacy notices, policies, and any related privacy compliance documentation, including PIAs, PIBs, PIPEDA or Privacy Act requirements, and applicable legislation.

Organizations must monitor for changes in personal information handling. Organizational personnel should consult with the appropriate privacy senior official or executive and legal counsel to ensure that any new use or disclosure that arises is consistent with the purpose for which the information was collected, or is otherwise a permissible use or disclosure under the Privacy Act. If the use or disclosure is not permissible, consent may be required.

Related controls and activities

AC-02, AC-03, AT-03, CM-13, IR-09, PM-09, PM-25, PT-02, PT-05, PT-06, PT-07, RA-08, SC-43, SI-12, SI-18.

Enhancements

  • (01) Personal information handling uses and disclosures: Data tagging
    • Attach data tags containing the following purposes to [Assignment: organization-defined elements of personal information]: [Assignment: organization-defined handling purposes].
    • Discussion: Data tags support the tracking of handling purposes by conveying the purposes along with the relevant elements of personal information throughout the system. By conveying the handling purposes in a data tag along with the personal information as the information transits a system, a system owner or operator can identify whether a change in handling would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools.
    • Related controls and activities: CA-06, CM-12, PM-05, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
  • (02) Personal information handling uses and disclosures: Automation
    • Track handling purposes of personal information using [Assignment: organization-defined automated mechanisms].
    • Discussion: Automated mechanisms augment tracking of the handling purposes.
    • Related controls and activities: CA-06, CM-12, PM-05, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
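The data-tagging and automation enhancements of PT-02 and PT-03 describe the same mechanism from two sides: a tag travels with each personal information element and states which handling operations and purposes are authorized, and an automated check refuses anything the tag does not cover. The following is an added example in Python, not code from the catalogue or from any GC system; the class names, the tag layout, the purpose strings and the sample record are all assumptions constructed for illustration. It shows tags propagating to derived values, enforcement of an operation for a purpose, minimization of a record to the elements a given disclosure may include, and the compatibility check that flags a proposed change of purpose for review.

```python
"""Purpose and handling data tags on personal information elements (added example).

Everything here is illustrative: DataTag, TaggedElement, the purpose names and the
sample record are constructed assumptions, not catalogue or project definitions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Handling operations as enumerated in the PT-02 discussion.
OPERATIONS = frozenset(
    {"collect", "use", "correct", "modify", "retain", "disclose", "dispose"}
)


class HandlingDenied(Exception):
    """Raised when an operation or purpose is not covered by an element's data tag."""


@dataclass(frozen=True)
class DataTag:
    """Authorized handling (PT-02(01)) and documented purposes (PT-03(01)) for one element."""
    operations: FrozenSet[str]
    purposes: FrozenSet[str]


@dataclass(frozen=True)
class TaggedElement:
    """One personal information element that carries its data tag wherever it goes."""
    name: str
    value: str
    tag: DataTag

    def derive(self, name: str, value: str) -> "TaggedElement":
        """Derived values (masked, hashed, reformatted) inherit the source element's tag."""
        return TaggedElement(name, value, self.tag)


def authorize(element: TaggedElement, operation: str, purpose: str) -> bool:
    """Automated enforcement (PT-02(02)): permit an operation only if the tag allows it
    for this purpose. Anything not explicitly tagged is refused, never silently allowed."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown handling operation: {operation!r}")
    if operation not in element.tag.operations:
        raise HandlingDenied(f"{operation} of {element.name} is not an authorized handling")
    if purpose not in element.tag.purposes:
        raise HandlingDenied(f"{element.name} is not tagged for purpose {purpose!r}")
    return True


def permitted_subset(
    record: Iterable[TaggedElement], operation: str, purpose: str
) -> Dict[str, str]:
    """Return only the elements whose tags permit `operation` for `purpose`, for
    example the fields that may be sent to a recipient in a disclosure."""
    allowed: Dict[str, str] = {}
    for element in record:
        try:
            authorize(element, operation, purpose)
        except HandlingDenied:
            continue  # element stays out of the disclosure; no partial leakage
        allowed[element.name] = element.value
    return allowed


def incompatible_purposes(element: TaggedElement, proposed: Iterable[str]) -> List[str]:
    """Purposes in a proposed change of handling that are not among the documented
    purposes (PT-03(01)). A non-empty result means the change needs review before use."""
    return sorted(set(proposed) - element.tag.purposes)


def sample_record() -> List[TaggedElement]:
    """Constructed sample record with assumed tags (not from the catalogue)."""
    benefit = DataTag(
        operations=frozenset({"collect", "use", "retain", "disclose", "dispose"}),
        purposes=frozenset({"benefit-eligibility"}),
    )
    contact = DataTag(
        operations=frozenset({"collect", "use", "correct", "retain", "dispose"}),
        purposes=frozenset({"benefit-eligibility", "program-communication"}),
    )
    email = TaggedElement("email", "applicant@example.test", contact)
    return [
        TaggedElement("name", "A. Applicant", contact),
        email,
        email.derive("email_domain", email.value.split("@")[1]),  # inherits the tag
        TaggedElement("income", "41200", benefit),
    ]
```

Because the contact tag in the sample never authorizes `disclose`, a disclosure for benefit eligibility yields only the income element, while a use for program communication yields the contact elements and leaves income out; the derived `email_domain` inherits its restrictions automatically, which is the property that makes tags useful once data is transformed downstream.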

References

 

PT-04 Consent

Control

  1. Ensure that consent is obtained in writing or is otherwise adequately documented, including information such as the date and time of consent
  2. In the federal government, implement [Assignment: organization-defined tools or mechanisms] for individuals to provide informed consent to the secondary uses or indirect collection of their personal information. Consent must include
    1. the purpose of the consent
    2. the specific personal information elements involved
    3. in the case of indirect collection, the sources that will be asked to provide the information, as well as the reason for making the collection indirectly
    4. uses or disclosures that are not consistent with the original purpose of the collection and for which consent is being sought
    5. any consequences that may result from withholding consent
    6. any alternatives to providing consent
  3. In the private sector, implement [Assignment: organization-defined tools or mechanisms] for individuals to provide meaningful consent to the collection, use and disclosure of their personal information

Discussion

Organizations should consider any demographic or contextual factors that may influence the understanding or behaviour of individuals with respect to the use of their personal information by the organization. When soliciting consent from individuals, organizations should consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity-proof individuals, and how to obtain consent through electronic means.

Consent should require a positive action on behalf of the individual and should not be considered implied. In addition, organizations must consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. In the event that consent is revoked, individuals may be entitled to assurance that their personal information has been deleted from the collection database. Organizations should consider usability factors, such as using plain language and avoiding technical jargon, to help individuals understand the risks being accepted when providing consent.

Private-sector organizations are required to obtain meaningful consent for the collection, use, and disclosure of personal information. Consent is considered meaningful when individuals are provided with clear information explaining what organizations are doing with their information. An organization must identify and document the purposes for which it seeks to collect personal information at or before the time of collection. There may be exceptions where consent is not required.

GC discussion

Consent is the norm in the private sector; in the GC it is required only when personal information will be used for a secondary purpose, and may be appropriate when information will be collected indirectly. Federal institutions need only ensure that the personal information collected relates directly to an operating program or activity, a requirement commonly referred to as having legislative authority. The original use of personal information is the purpose that was communicated to the individual when the personal information was collected and is directly related to an operating program or activity of the institution. A use of the information that is not consistent with the original purpose is considered to be a secondary purpose.

Consent for secondary uses allows individuals to control the circumstances in which their personal information can be used. Consent may be required by applicable laws, directives, regulations, policies, standards, or guidelines. When selecting consent as a control, organizations should consider whether individuals have the capacity to provide informed consent.

Before collecting personal information, federal government organizations should make sure that they have parliamentary authority for the program or activity for which the information will be collected. Obtaining an individual's consent for the collection or use of personal information does not replace or establish authority for the collection of that information.

Related controls and activities

AC-16, PT-02, PT-05.

Enhancements

  • (01) Consent: Tailored consent Government of Canada
    • Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor handling permissions to selected elements of personal information.
    • Discussion: None.
    • GC discussion: Not all secondary uses will require all of the personal information that was collected for the primary purpose. In such cases, tailored consent should be considered. Organizations should inform individuals which of their personal information elements will be used for the secondary use. For example, collecting the name, contact information, and financial information for a primary purpose, with a secondary use of the name and contact information for proactive communication, would call for tailored consent. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviours, such as abandonment of the product or service.
    • Related controls and activities: PT-02.
  • (02) Consent: Timely consent
    • Present [Assignment: organization-defined consent mechanisms] to individuals at [Assignment: organization-defined frequency] and in conjunction with [Assignment: organization-defined personal information handling].
    • Discussion: Timely consent enables individuals to understand how their personal information will be handled at the time or in conjunction with specific types of data handling when such participation may be most useful to the individual. Individual assumptions about how personal information is being processed might not be accurate or reliable if time has passed since the individual last gave consent or if the type of handling creates significant privacy risk. Organizations should use discretion to determine when to request consent and may use supporting information on demographics, focus groups, or surveys to learn more about individuals’ privacy interests and concerns.
    • Related controls and activities: PT-02.
  • (03) Consent: Revocation
    • Implement [Assignment: organization-defined tools or mechanisms] for individuals to revoke consent to the handling of their personal information.
    • Discussion: Revocation of consent enables individuals to exercise control over their initial consent decision when circumstances change. Organizations should consider usability factors in enabling easy-to-use revocation capabilities.
    • Related controls and activities: PT-02.
  • (400) Consent: Tailored consent private sector
    • Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor handling permissions to selected elements of personal information.
    • Discussion: While some handling of personal information may be necessary for the basic functionality of the product or service, other handling may not be necessary. In such cases, tailored consent should be considered. Organizations should inform individuals which of their personal information elements will be used for the secondary use. Tailored consent allows individuals to select how personal information elements may be handled. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviours, such as abandonment of the product or service.
    • Related controls and activities: PT-02.
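PT-04 item 1 requires consent to be documented with its date and time, the tailored-consent enhancements (01) and (400) scope consent to selected elements, and enhancement (03) requires a way to revoke it. The following is an added example in Python of a consent ledger that satisfies those three properties together; it is not code from the catalogue or from any GC or private-sector system, and the class names, the timestamp format, the purpose and element names and the channel labels are assumptions. Records are append-only and revocation is itself a timestamped event, so the ledger can answer the question that matters for audit: was this element covered by unrevoked consent for this purpose at the moment it was used?

```python
"""Timestamped, tailored, revocable consent records (added example, all names assumed)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List, Optional


def _when(at: Optional[str]) -> datetime:
    """Parse an ISO 8601 timestamp (assumed input format); default to the current UTC
    time. Naive timestamps are rejected so records stay comparable across time zones."""
    if at is None:
        return datetime.now(timezone.utc)
    parsed = datetime.fromisoformat(at)
    if parsed.tzinfo is None:
        raise ValueError("consent timestamps must carry a UTC offset")
    return parsed


@dataclass(frozen=True)
class ConsentRecord:
    """One documented consent decision (PT-04 item 1: date and time retained).
    `elements` is the tailored subset of personal information the individual agreed to."""
    individual_id: str
    purpose: str                  # the secondary use or indirect collection consented to
    elements: FrozenSet[str]      # specific personal information elements covered
    given_at: datetime
    channel: str                  # how the positive action was captured, e.g. "signed-form"
    revoked_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only log of consent decisions; revocation adds a timestamp, never deletes."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, individual_id: str, purpose: str, elements: Iterable[str],
                       channel: str, at: Optional[str] = None) -> ConsentRecord:
        """Store a positive consent action. An empty element set is refused: consent is
        never implied, so there is nothing to record."""
        covered = frozenset(elements)
        if not covered:
            raise ValueError("consent must name at least one element; implied consent is not recorded")
        record = ConsentRecord(individual_id, purpose, covered, _when(at), channel)
        self._records.append(record)
        return record

    def revoke(self, individual_id: str, purpose: str, at: Optional[str] = None) -> int:
        """Revoke every active consent of this individual for this purpose (PT-04(03)).
        Returns the number of records revoked; 0 means there was nothing active."""
        stamp = _when(at)
        count = 0
        for i, rec in enumerate(self._records):
            if (rec.individual_id == individual_id and rec.purpose == purpose
                    and rec.revoked_at is None):
                self._records[i] = replace(rec, revoked_at=stamp)
                count += 1
        return count

    def covers(self, individual_id: str, purpose: str, element: str,
               at: Optional[str] = None) -> bool:
        """True if, at time `at`, consent covering `element` for `purpose` had been given
        and not yet revoked. Evaluated point-in-time so historical uses can be audited."""
        stamp = _when(at)
        return any(
            rec.individual_id == individual_id
            and rec.purpose == purpose
            and element in rec.elements
            and rec.given_at <= stamp
            and (rec.revoked_at is None or rec.revoked_at > stamp)
            for rec in self._records
        )

    def permitted_elements(self, individual_id: str, purpose: str, requested: Iterable[str],
                           at: Optional[str] = None) -> FrozenSet[str]:
        """Of the elements a secondary use asks for, keep only those the individual consented to."""
        return frozenset(e for e in requested if self.covers(individual_id, purpose, e, at))

    def history(self, individual_id: str) -> List[ConsentRecord]:
        """Every consent decision for one individual, including revoked ones."""
        return [r for r in self._records if r.individual_id == individual_id]
```

In the catalogue's own example of name, contact and financial information collected for a primary purpose, a secondary use for proactive communication would call `permitted_elements` with the three names and receive only the two the individual tailored their consent to; after `revoke`, the same call returns nothing for later timestamps while earlier uses still audit as covered.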

References

 

PT-05 Privacy notice

Control

Provide notice to individuals about the collection of their personal information that includes:

  1. the legal authority for the collection of personal information
  2. any legal or administrative consequences of refusing to provide the personal information
  3. the rights of access to, correction, and protection of personal information
  4. a warning that system usage may be monitored, recorded, and subject to audit and includes
    1. a statement explaining the regular monitoring practices of electronic networks
    2. a statement that electronic networks will be monitored for work-related purposes
    3. a statement that special monitoring may be permitted without notice in instances where illegal or other unacceptable use is suspected
  5. an explanation of how the information will be used
  6. the right to file a complaint with the Privacy Commissioner of Canada regarding the institution’s handling of the individual’s personal information
  7. the relevant PIB reference, if applicable

Discussion

None.

GC discussion

Privacy notices ensure individuals are informed about how their personal information is being collected or used by the organization. Organizations should use privacy notices to inform individuals about how, under what authority, and for what purpose their personal information is processed, as well as other information such as the choices individuals might have with respect to that handling and other parties with whom information is shared. Laws, Orders in Council, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats.

GC personnel should consult with the appropriate privacy senior official or executive and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.

To help individuals understand how their information is being used, organizations should write materials in plain language and avoid technical jargon.

Related controls and activities

PM-20, PM-22, PT-02, PT-03, PT-04, PT-07, RA-03, SC-42, SI-18.

Enhancements

  • (01) Privacy notice: Timely privacy notice statements
    • Present notice of personal information handling to individuals at the time that the individual provides personal information.
    • Discussion: None.
    • GC discussion: Privacy notice statements inform individuals of how organizations process their personal information at a time when such notices may be most useful to the individuals. Individual assumptions about how personal information will be used or disclosed might not be accurate or reliable if time has passed since the organization last presented notice or if the circumstances under which the individual was last provided notice have changed. Periodic communication of a privacy notice statement can remind individuals about uses or disclosures of their personal information. Organizations should use discretion to determine when to communicate privacy notice reminders and may use supporting information on user demographics, focus groups, or surveys to learn about users’ privacy interests and concerns.
    • Related controls and activities: PM-21.
  • (02) Privacy notice: Privacy notice statements
    • Include privacy notice statements on forms that collect information that will be maintained in a PIB.
    • Discussion: None.
    • GC discussion: If a federal department or agency asks individuals to supply information, the department or agency is required to provide a privacy notice statement on the form used to collect the information. The department or agency provides a privacy notice statement in such circumstances, regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium.
      Privacy notice statements provide formal notice to individuals of the legislative authority under which the collection of the information is conducted; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published consistent uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant PIB.
      Federal department and agency personnel should consult with the appropriate privacy senior official or executive and legal counsel regarding the notice provisions of the Privacy Act.
    • Related controls and activities:

References

 

PT-06 Personal information banks

Control

Program activities that collect personal information must register and publish a PIB if that information has been used, is being used, or is available for use for an administrative purpose or if it is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. [Assignment: organization-defined roles or personnel] are responsible for:

  1. registering or submitting new or significantly modified PIBs in accordance with TBS Directive on Privacy Practices, using the Personal Information Bank Submission form provided by TBS
  2. publishing PIBs on the relevant institution’s Info Source webpage and updating this information once a year
  3. keeping PIBs accurate, up-to-date, and scoped in accordance with policy

Discussion

None.

GC discussion

The Privacy Act requires that federal departments and agencies listed in Schedule III of the Act publish a collection of PIBs in their annual Info Source publication. Generally, a PIB is required when a GC department or agency collects personal information for an administrative purpose or if the personal information is retrievable by an individual’s name, identifying number, symbol, or other identifier.

Institution-specific PIBs describe personal information collected in support of institution-specific programs or services. Standard PIBs describe information about members of the public, as well as current and former federal employees, contained in records created, collected, and maintained by most government institutions in support of common internal services. Central PIBs describe personal information that is held by one government department on behalf of other government departments. Finally, exempt banks are institution-specific PIBs whose contents can be withheld by the head of the institution.

The PIB describes the legislative authority for the collection, the class of individuals affected, the personal information data elements collected, all uses of the information, consistent disclosures, retention expectations, and additional details about the system as described in TBS guidelines.

Related controls and activities

AC-03, PM-20, PT-02, PT-03, PT-04, PT-05.

Enhancements

  • (01) Personal information banks: Consistent uses and disclosures
    • Review all consistent uses published in the PIB at [Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that consistent uses continue to be compatible with the purpose for which the information was collected.
    • Discussion: None.
    • GC discussion: The Privacy Act requires federal departments and agencies to describe each consistent use of the records as documented in the PIB. A consistent use has a reasonable and direct connection to the original purpose(s) for which the information was obtained. Personal information, as referenced in a PIB, can be disclosed without the consent of the individual in specific circumstances. One such circumstance is a disclosure for the purpose for which the information was obtained or compiled by the institution, or for a use consistent with that purpose. Other permissible disclosures are set out in subsection 8(2) of the Privacy Act.
    • Related controls and activities: None.
  • (02) Personal information banks: Exempt banks
    • Review all PIBs that were designated as exempt banks under section 18 of the Privacy Act [Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law.
    • Discussion: None.
    • GC discussion: The Privacy Act includes provisions that allow federal departments and agencies to claim, through TBS, exemptions from certain requirements. A PIB qualifies for exemption when more than half of the information in each file contained in the bank qualifies for an exemption under section 21 or 22 of the Privacy Act. The files so described consist predominantly of personal information that relates to international affairs, defence, and law enforcement and investigation. Exempt PIBs still require registration with TBS.
    • Related controls and activities: None.

References

 

PT-07 Particularly sensitive personal information

Control

Apply [Assignment: organization-defined handling conditions] for particularly sensitive personal information.

Discussion

Organizations should apply any conditions or protections that may be necessary for particularly sensitive personal information. These conditions may be required by laws, Orders in Council, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personal information is particularly sensitive or raises particular privacy risks. Organizations should consult with the appropriate privacy senior official or executive and legal counsel regarding any protections that may be necessary.

Related controls and activities

IR-09, PT-02, PT-03, PT-05, PT-06, RA-03.

Enhancements

  • (01) Particularly sensitive personal information: Social insurance numbers
    • When a program or activity collects, uses, or discloses social insurance numbers (SINs):
      1. ensure there is express authority for the collection and use of the SIN
      2. provide notice, at the point of collection, regarding the authority to collect as well as the anticipated use or disclosures of the SIN
      3. ensure the collection and use of the SIN is included in the associated PIB, if appropriate
    • Discussion: None.
    • GC discussion: GC policy establishes specific requirements for organizations’ handling of some categories of particularly sensitive personal information such as SINs. The SIN is a confidential number that should not be used as identification or provided for non-governmental purposes. Organizations should take steps to eliminate unnecessary uses of SINs and other sensitive information and should observe any particular requirements that apply.
      The collection and use of the SIN by government institutions should only be for the authorized and lawful purposes outlined in Appendix A of the TBS Directive on Social Insurance Number. The directive provides direction to government institutions on how the SIN can be collected, used, and disclosed. It also outlines the methods to establish policy authority for a new collection or new consistent use of the SIN.
    • Related controls and activities: IA-04.
  • (02) Particularly sensitive personal information: Canadian Charter of Rights and Freedoms
    • Restrict the handling of information describing how any individual exercises rights guaranteed by the Canadian Charter of Rights and Freedoms unless there is lawful authority for the handling or it is within the scope of an authorized law-enforcement activity.
    • Discussion: None.
    • GC discussion: Organizations should exercise caution when considering the collection of data elements protected under the Canadian Charter of Rights and Freedoms to ensure there is lawful authority for the handling of that personal information. Organizations should consult with the appropriate privacy senior official or executive and legal counsel.
    • Related controls and activities: None.
  • (400) Particularly sensitive personal information: Private sector
    • When collecting, using, or disclosing particularly sensitive personal information, private sector organizations should:
      1. determine the form of consent to use, considering the sensitivity of information
      2. protect personal information with [Assignment: organization-defined tools or mechanisms] appropriate to the sensitivity of information
    • Discussion: Under PIPEDA, any personal information can be sensitive depending on the context. However, certain types of personal information will generally be considered sensitive because of the specific risks to individuals associated with the collection, use, or disclosure of these categories of information. Information that will generally be considered sensitive and require a higher degree of protection includes health and financial data, ethnic and racial origin, political opinions, genetic and biometric data, information about an individual’s sex life or sexual orientation, and religious or philosophical beliefs.
      Whether personal information is considered sensitive under PIPEDA will vary depending on the facts of each case. Context is important when determining whether personal information would be considered sensitive.
    • Related controls and activities: IA-04, PT-04.

References

 

PT-08 Data matching requirements

Control

When a program activity seeks to collect, use, or disclose personal information for the purpose of conducting a data matching activity:

  1. ensure the authority exists to collect, use, or disclose the personal information for the purpose of data matching
  2. develop and enter into an information sharing agreement or information sharing arrangement for the purpose of data matching
  3. verify that the [Selection (1): notice to the individual; consent obtained from the individual] identifies that the information will be used for data matching activities
  4. verify that the associated PIB identifies that the information will be used for data matching activities

Discussion

None.

GC discussion

Data matching is defined as an activity involving the comparison of personal information from different sources, including sources within the same government institution, for administrative or non-administrative purposes. The data-matching activity that is established can be systematic or recurring. The data-matching activity can also be conducted on a periodic basis when deemed necessary. Data matching includes the disclosure or sharing of personal information with another organization for data-matching purposes.

Related controls and activities

AC-21, PT-02, PT-03, PT-05, PT-06, PT-07, SI-18.

Enhancements

None.

References

TBS Policy on Privacy Protection
