The Privacy Act came into force on July 1, 1983. The Act grants Canadian citizens, permanent residents or any person present in Canada a right of access to their personal information that is held by federal government institutions, subject to specific and limited exceptions and to an independent review of decisions on access.
The Public Prosecution Service of Canada (PPSC) has been subject to the Privacy Act since it was established as an independent organization on December 12, 2006.
This Policy sets out general principles that PPSC employees and agents must follow to ensure that they comply with the Privacy Act, its regulations, related Treasury Board of Canada Secretariat (TBS) policies, directives and guidelines, relevant Court decisions, and privacy best practices. While the Access to Information and Privacy (ATIP) Office is responsible for managing the PPSC’s day-to-day activities under the Act, all staff are responsible for ensuring that the PPSC meets its responsibilities under the Privacy Act and this Policy.
This Policy applies to the activities of the PPSC in collecting and managing all personal information that it has under its control, regardless of the origin or medium of the information, during the course of its mandated activities as set out in the Director of Public Prosecutions Act and during the course of its general administrative activities. This Policy applies to all PPSC employees and agents in terms of the records they create, retain and control on behalf of the PPSC.
The PPSC is committed to protecting the privacy, confidentiality, and security of the personal information that it holds by adhering to the requirements of the Privacy Act and its regulations.
The PPSC will accept and respond to requests from individuals who seek access to their own personal information. The PPSC will also ensure that the personal information under its control is effectively protected and managed by identifying, assessing, monitoring, and mitigating privacy risks in its programs and activities when the collection, retention, use, disclosure and disposal of personal information is involved.
This Policy is issued under the authority of the Director of Public Prosecutions (DPP), and has been approved by the Executive Council of the PPSC.
This Policy takes effect on January 1, 2012.
The DPP, as the "head of institution" for the purposes of the Privacy Act, has overall responsibility for the PPSC’s compliance with the Act. Pursuant to section 73 of the Act, the DPP has delegated all related powers to the Executive Director and Senior Counsel, Ministerial and External Relations Secretariat (the ATIP Coordinator) and the Manager, Access to Information and Privacy (the ATIP Manager). The PPSC’s privacy responsibilities are interpreted, implemented, managed and monitored by the ATIP Office.
The ATIP Coordinator and the ATIP Manager will review the PPSC’s ATIP delegation instrument periodically and whenever they become aware that circumstances surrounding the instrument have changed, and will ensure that it remains current and effective.
Roles & Privacy Responsibilities
While the DPP has overall responsibility for the PPSC’s compliance with the Privacy Act, employees and agents must inform themselves of and comply with their legal obligations under the Act, its regulations, and related TBS policies, directives and guidelines and this Policy.
In addition, employees and agents must report any and all contraventions of the Policy or the Act to their supervisor, team leader or manager. The supervisor, team leader or manager, in turn, must report these contraventions to the ATIP Office.
Director of Public Prosecutions - The DPP is the PPSC’s “Head of Institution” for the purposes of the Privacy Act. The DPP has overall responsibility for ensuring that the organization complies with the Act, its regulations, and related TBS policies, directives and guidelines.
Deputy Directors of Public Prosecutions - Responsible for assisting in fulfilling the PPSC’s privacy obligations of ensuring compliance with the Act, the regulations, and related TBS and PPSC policies and directives.
ATIP Coordinator - The Executive Director and Senior Counsel, Ministerial and External Relations Secretariat, is the PPSC’s ATIP Coordinator pursuant to a delegation made by the DPP under the Privacy Act, and plays an oversight role in relation to the application of the Act, its regulations, and related policies, directives, and guidelines.
Manager, Access to Information and Privacy (ATIP Manager) - The ATIP Manager has responsibility for the management of the ATIP Office by coordinating all activities relating to the operation of the Act and the regulations, as well as meeting related TBS ATIP policies, directives, and guidelines.
ATIP Counsel - The Counsel, Ministerial and External Relations Secretariat, provides privacy-related legal advice to the ATIP Coordinator, the ATIP Office, and PPSC managers.
Point(s) of Contact - As Points of Contact, Headquarters Directors and Chief Federal Prosecutors are responsible for fulfilling their Offices’ and Regions’ privacy obligations, issuing privacy-related instructions to employees and/or agents, and serving as liaison with the PPSC ATIP Office for purposes of ensuring compliance with the Act, its regulations, and related TBS and PPSC policies and directives.
Managers, Team Leaders, and Supervisors (including Agent Supervisors) – Responsible for ensuring that staff and/or agents fulfill their privacy obligations and comply with the Act, its regulations, and related TBS and PPSC policies and directives. They are also required to examine and make inquiries into any privacy-related issues brought to their attention.
Employees and Agents – Responsible for complying with the Privacy Act, its regulations, and related TBS and PPSC policies and directives. PPSC employees and agents are responsible for ensuring that any records they create are properly managed to facilitate access to the information.
The PPSC is responsible for all personal information under its control during the course of performing its mandate as set out in the Director of Public Prosecutions Act and during the course of its general administrative activities. Whether the PPSC has collected personal information directly from an individual, or indirectly from a third party (e.g., investigative agency), the PPSC will handle all personal information in accordance with the Privacy Act, its regulations, and TBS policies, directives and guidelines.
To ensure compliance with privacy related requirements, the PPSC will:
- exercise discretion in a fair, reasonable and impartial manner in the processing of privacy requests and the resolution of complaints pursuant to the Privacy Act and its regulations;
- ensure that procedures are in place under which individuals may request access to their personal information, correction of their personal information, and file complaints concerning the management of their personal information;
- ensure that requesters' identities are protected and only disclosed when authorized by virtue of the Act and where there is a clear need to know in order to perform duties and functions related to the Act;
- conduct training sessions and awareness briefings for its employees to ensure that they are aware of their legal obligations under the Act, its regulations, and TBS policies, directives, and guidelines. This also includes informing employees about this Policy and about the PPSC’s procedures, practices and expectations with respect to the handling of personal information;
- ensure that agent supervisors provide agents with this Policy to ensure their compliance with privacy requirements;
- where personal information is involved, include specific confidentiality provisions in contracts, or other arrangements with third parties in accordance with the Act, this Policy and internal procedures;
- implement safeguards to protect personal information from loss, unauthorized access, use, and disclosure;
- implement procedures to ensure that individuals and, in certain instances, the Privacy Commissioner of Canada, are notified of an improper collection, retention, use, disclosure or destruction of their personal information;
- provide guidance to employees and agents seeking advice on privacy-related matters; and
- monitor compliance with the Act and this Policy and, where required, initiate actions to correct any deficiencies.
Collection of Personal Information
I. Authority to Collect and Notice
The PPSC primarily collects personal information for the purpose of fulfilling its statutory mandate under the Director of Public Prosecutions Act to provide prosecution-related advice to law enforcement agencies and prosecute offences under federal jurisdiction. The PPSC also collects personal information for administrative reasons, e.g., security, discipline, and career management.
The PPSC is committed to collecting only personal information that relates directly to its operational activities using fair and lawful means and will limit the collection to the information that is necessary to fulfill the identified purpose(s).
While section 5 of the Privacy Act requires that personal information be collected directly from an individual and that the individual be informed of the purpose for the collection, it also contains an exception. Pursuant to subsection 5(3), the rule does not apply if compliance would:
- result in inaccurate information being collected; or
- defeat the purpose or prejudice the use for which the personal information is being collected.
As most of the PPSC’s collections of personal information are undertaken in the course of prosecuting offences under federal jurisdiction, formal notification and direct collection are not required. The majority of information collected is from other sources, including law enforcement, provincial agencies, other federal government institutions, witnesses, and other third parties. In these instances, notification that the information is being collected could prejudice or endanger the criminal investigation or ensuing prosecution. In the context of a prosecution, an accused will subsequently be notified through the disclosure process that their personal information has been collected.
Where the PPSC collects personal information for administrative purposes, the PPSC will undertake to collect that information directly and to notify the individual of the purpose for which the information is being collected. In these circumstances, the PPSC will also ensure that privacy statements or notices are prepared to facilitate the collection and use of personal information, and that these statements or notices contain the appropriate elements prescribed in the Privacy Act and the TBS Directive on Privacy Practices (Footnote 1).
The ATIP Office will review privacy statements and notices to assess the adequacy of the statement or notice text and consult with the ATIP Counsel and ATIP Coordinator, where necessary.
Full descriptions of the types of personal information collected by the PPSC, along with the purposes for which the PPSC collects each type of information, are described in the TBS publication Info Source.
The Privacy Act does not prohibit the non-consensual collection, use and disclosure of personal information. The Act focuses upon the issue of authority. If Parliamentary authority exists, then consent is not required. In the context of providing prosecution services, obtaining consent from an individual for the collection, use, or disclosure of personal information is not required.
Similarly, the Act does not prohibit the disclosure of information without consent. Subsection 8(2) of the Act sets out the circumstances where this may occur, including a number which are directly relevant to prosecution work. For example, personal information may be disclosed without the individual’s consent for the purpose of complying with a subpoena, a warrant issued or an order made by the court, or may be disclosed in legal proceedings involving the Crown.
Where the PPSC collects personal information for an administrative purpose and not in the context of providing prosecution services, it will endeavour to seek the consent of individuals prior to the collection of their personal information. The form of consent may vary depending on the circumstances and the type of information being sought. Consent can be express or implied and can be provided directly by the individual or by an authorized representative. Express consent of individuals is preferable and will be sought in writing whenever possible, or otherwise adequately documented.
When determining the appropriate form of consent, the PPSC will take into account the sensitivity of the personal information at issue, the purposes for which it is collected, and the reasonable expectations of the individual.
Use, Disclosure and Retention
Access to personal information under the control of the PPSC will be restricted to those employees and agents who need the information for the purpose of carrying out their duties. The individuals who are required to maintain the personal information will not provide access to unauthorized persons.
The level of access to personal information will be determined on a “need-to-know” basis based on the employee or agent’s direct job responsibility, level of security, and in accordance with the TBS Policy on Government Security (Footnote 2).
The collection and use of the Social Insurance Number (SIN) for administrative purposes will be limited to those permitted by specific acts, regulations and authorized programs. For example, this information may be collected for the purpose of proceeds of crime prosecutions or for prosecuting offences under all statutes administered by the Canada Revenue Agency, including the Income Tax Act.
The PPSC will not disclose personal information without the consent of the individual about whom the information pertains, unless permitted by section 8(2) of the Privacy Act. In the prosecution context, the sharing of personal information for the purpose of discharging prosecutorial duties, including the provision of legal advisory services to investigative agencies, is appropriate and is permitted by section 8(2) of the Act. In the case of a permissible disclosure, the PPSC will endeavour to disclose only the specific information that is required under the circumstances.
Employees and agents are urged to seek the advice of the ATIP Office when questions arise concerning the collection, use, or disclosure of personal information.
Personal information must be retained by the PPSC for a certain period after its last use in accordance with the records retention and disposal schedules established by the PPSC’s Information Management and Technology Directorate and approved by Library and Archives Canada. The PPSC retention schedules are described in the TBS publication, Info Source (Footnote 3). Personal information must also be disposed of in a manner that is consistent with the government security standards established under the TBS Policy on Government Security.
Agreements with Third Parties
Chief Federal Prosecutors and Headquarters Directors will ensure that appropriate privacy protection clauses are included in all contracts, agreements or arrangements, particularly those that involve the devolution or privatization of a PPSC program or activity, or intergovernmental or transborder flows of personal information.
Privacy protection clauses (Footnote 4) will ensure adherence to the provisions of the Privacy Act and this Policy with respect to the proper handling and protection of personal information. They will also establish appropriate safeguards for the protection of personal information in accordance with the PPSC Protection and Handling of Information Guidelines (Footnote 5).
If a Chief Federal Prosecutor or Headquarters Director plans to disclose or transfer personal information pursuant to an agreement with a third party, he or she should consult with the ATIP Office to ensure that the agreement governing the disclosure or transfer of personal information contains appropriate privacy-related provisions in accordance with Government of Canada requirements.
In particular, privacy protection clauses need to be included in written major/minor agreements with provincial prosecution services, as well as other written agreements for specific assistance to the PPSC by a provincial prosecution service. The privacy protection clause(s) in these written agreements should indicate that each party is responsible for the security and integrity of the personal information entrusted to them. In addition, the clause(s) should also state that the parties will use reasonable efforts to safeguard the personal information against accidental or unauthorized access, disclosure, use, modification and deletion.
Accuracy and Correction of Personal Information
In order to minimize the possibility that a decision affecting an individual is made on the basis of inaccurate, obsolete or incomplete personal information, the Privacy Act requires that reasonable steps be taken to ensure that personal information is as accurate, up-to-date and complete as possible.
The PPSC will update personal information under its control as necessary by either directly contacting the individual to whom the information relates, or indirectly from other sources if the PPSC has the authority to collect such information from a third party. This means that if a PPSC employee becomes aware that there is an error in an individual’s personal information, such as a date of birth or address, it is incumbent on that employee to correct that individual’s information in the PPSC file.
The PPSC will correct personal information when a correction is requested to factual information which has been incorrectly recorded in an individual’s file and where documentary proof supporting the correction is provided, making it possible to correct the record.
Where a written request is made for correction to personal information and the PPSC decides not to make the change, a notation to the file will indicate that a request was made.
Personal information under the control of the PPSC must be kept in confidence and protected with measures that are appropriate to the sensitivity of that information. The level of safeguards used will vary depending on the sensitivity of the personal information (e.g., informant’s personal information); the amount, distribution and format of the information; and the method of storage. PPSC officials must follow the security standards and requirements set out in the TBS Policy on Government Security, the PPSC’s internal security procedures, and any other security directives and guidelines established by TBS and the Royal Canadian Mounted Police on physical security, and the Communications Security Establishment Canada on information technology security.
PPSC officials will employ appropriate measures to ensure that access, use, and disclosure of personal information is monitored and documented. Such measures will ensure the timely identification of inappropriate or unauthorized access to or handling of personal information related to a particular operational activity. Threat and risk assessments will be performed as required.
The measures of protection include:
- physical measures, e.g., locking filing cabinets and restricting access to offices;
- organizational measures, e.g., issuing security passes and limiting access to personal information on a “need-to-know” basis and in accordance with the appropriate level of security granted to the individual in possession of the information;
- security clearances;
- technological measures, e.g., the use of passwords and encryption; and
- procedural measures, e.g., the shredding of sensitive personal information is performed in accordance with the equipment standard established in the RCMP Security Equipment Guide (Footnote 6).
Privacy Breach Protocol
A privacy breach is an incident involving the unauthorized collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of the Privacy Act. A breach may be the result of inadvertent errors or of malicious actions by employees, agents, contractors, third parties, partners in information-sharing agreements, or intruders.
All employees and agents of the PPSC are responsible for protecting any personal information to which they have access. They are responsible for ensuring, to the greatest extent possible, that privacy breaches do not occur, and for reporting them when they do occur.
On June 7, 2011, Executive Council approved a Privacy Breach Protocol which outlines the steps that must be followed by a PPSC employee, agent, or contractor who discovers a possible breach of privacy.
The Protocol is available on the PPSC’s iNet, or by contacting the ATIP Office.
The guidance provided in the Protocol will ensure that when a breach does occur, it is quickly contained and similar breaches are prevented from occurring.
Pursuant to the Privacy Act, every individual who is a Canadian citizen, a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act, or otherwise present in Canada has a formal right to and shall, on request, be given access to:
- any personal information about the individual contained in a Personal Information Bank (PIB) maintained by the PPSC; and
- any other personal information about them under the control of the PPSC, if they are able to provide sufficiently specific information on the location of the information to render it reasonably retrievable by the PPSC.
The PPSC’s employees and agents will direct individuals who wish formal access to their personal information to the PPSC ATIP Office. When in doubt as to whether a formal request is required, employees or agents must either consult with the ATIP Office or refer the individual to the ATIP Office.
Information concerning the PPSC ATIP Office and the Privacy Act is available on the PPSC’s internet website.
Upon receipt of a formal request under the Privacy Act, the PPSC ATIP Office will respond in accordance with the Act.
Personal information will only be exempted from disclosure where it can be demonstrated that it clearly falls within the scope of one or more limited and specific exemption provisions of the Act.
Any part of a record that does not contain exempted/excluded information will be disclosed if it can be reasonably severed from the part that does contain exempted/excluded information, and if the record is not rendered meaningless by the severance.
Personal information may be unavailable because it has been destroyed, erased or made anonymous in accordance with information retention obligations. To the extent possible, the PPSC will inform the individual of the reasons why the personal information no longer exists.
The ATIP Office will advise individuals of their right to file a privacy complaint to the Office of the Privacy Commissioner (OPC) if they are not satisfied with the processing of their request by the PPSC.
In circumstances where an individual has concerns about the PPSC’s management of his/her personal information (i.e., protection or safeguards, collection or storage of information), that individual will also be informed of his/her right to file a complaint with the OPC.
The principles which guide the ATIP Office in assisting individuals who make applications related to their personal information are located on the PPSC’s internet website.
In cases where access to personal information can be given informally to individuals, the PPSC will provide individuals a reasonable opportunity to review their personal information, will do so within a reasonable time frame and, if copies are requested, these will be provided.
Accountability and Transparency
The PPSC is committed to being open about its policies and practices with respect to the handling of personal information. This Policy is available on the PPSC’s internet website. If a hard copy or additional information is required, a request may be made to the ATIP Office.
II. Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is a component of risk management that focuses on ensuring compliance with the Privacy Act requirements and assessing the privacy implications of new or substantially modified programs and activities involving personal information. Pursuant to the TBS Directive on Privacy Impact Assessment (Footnote 7), the PPSC must initiate and complete a PIA for a program (e.g., Fine Recovery Program) or activity (e.g., Drug, National Security & Northern Prosecutions) in the following circumstances:
- when personal information is used for or is intended to be used as part of a decision-making process that directly affects the individual;
- upon substantial modifications to existing programs or activities where personal information is used or intended to be used for an administrative purpose; and
- when contracting out or transferring a program or activities to another level of government or the private sector results in substantial modifications to the program or activities.
Should the PPSC undertake a new activity involving the collection of personal information, or substantially modify an existing activity where personal information is being collected, the responsible Deputy Director of Public Prosecutions must ensure that a PIA is conducted. Generally, a PIA will not be required for minor changes in existing day-to-day activities of the prosecution function.
PIAs must be conducted in consultation with the ATIP Office who will ensure that the activity meets with the requirements under the Privacy Act and this Policy.
III. Personal Information Banks (PIBs)
Pursuant to the TBS Directive on Privacy Practices (Footnote 8), the PPSC must ensure that all personal information under its control is identified and described in its Personal Information Banks (PIBs) or Classes of Personal Information. This includes any personal information collected or created by the PPSC.
The creation of new or substantially modified PIBs is aligned with the development and approval of a Privacy Impact Assessment. Therefore, the ATIP Manager will establish or modify a PIB in collaboration with the Point of Contact that has functional responsibility for the new or substantially modified activity. The approval of any new or substantially modified PIB shall be obtained from the President of the Treasury Board, as the designated Minister, before the new or modified program or activity is implemented.
IV. Training and Awareness
The TBS Directive on Privacy Requests and Correction of Personal Information (Footnote 9) mandates that all employees must be aware of privacy policies, procedures, and of their legal responsibilities under the Privacy Act.
Privacy awareness for all employees
The PPSC will ensure that there are mechanisms in place to provide all PPSC employees with required privacy training. With respect to the privacy awareness for agents, agent supervisors will ensure that agents are provided with this Policy pursuant to the Terms and Conditions of Fixed-Term Agreements of Agents (Footnote 10).
PPSC employees will receive training on:
- the application of the Privacy Act, including:
  - the purpose of the Act;
  - the applicable definitions;
  - their responsibilities, including those listed in the Principles for Assisting Applicants;
  - delegation, exemption decisions and the exercise of discretion;
  - the requirement to provide complete, accurate and timely responses; and
  - the complaint process and reviews by the courts;
- sound privacy practices for the creation, collection, retention, validation, use, disclosure, and disposition of personal information; and
- specific PPSC policies, processes and protocols related to the administration of the Act, including policies on the management of information.
Privacy awareness for ATIP staff
The TBS Directive on Privacy Requests and Correction of Personal Information specifically mandates that ATIP staff, who hold functional responsibility for the administration of the Privacy Act, are to receive additional training on the Privacy Act. This is to include training on the provisions concerning time limit extensions, exemptions and exclusions; the language, format, and method of access; public reporting requirements (such as the PPSC Annual Report to Parliament on the administration of the Privacy Act); relevant court decisions; and the activities and operations of parliamentary committees dealing with privacy matters.
The TBS also monitors the PPSC’s compliance through a variety of means, such as through the Management Accountability Framework (MAF) process.
Reporting and Evaluation
The ATIP Office will maintain a comprehensive statistical reporting and performance measurement system that will provide the necessary data for the completion of the PPSC’s Annual Statistical Report to TBS on the administration of the Privacy Act by the PPSC. This information will also support the PPSC in meeting its evaluation and audit requirements.
In addition, the PPSC will prepare and table in each House of Parliament an annual report on the administration of the Privacy Act within the PPSC. The PPSC will post its Annual Report on the Privacy Act on the PPSC internet website.
Any inquiries or concerns regarding this Policy, or on how the PPSC manages personal information, should be directed to the ATIP Manager, by email at firstname.lastname@example.org, by telephone at 613-957-7631, or by fax at 613-948-2524.
Relevant legislation and regulations:
- Access to Information Act and its regulations
- Canada Evidence Act
- Canadian Charter of Rights and Freedoms
- Library and Archives of Canada Act
- Privacy Act and its regulations
Related policy instruments and publications:
- PPSC’s Access to Information and Privacy Delegation Order
- PPSC’s ATIP Governance Structure
- PPSC’s Privacy Breach Protocol
- PPSC’s Privacy Management Framework
- TBS Directive on Identity Management
- TBS Directive on Privacy Impact Assessment
- TBS Directive on Privacy Practices
- TBS Directive on Privacy Requests and Correction of Personal Information
- TBS Policy on Access to Information
- TBS Policy on Government Security
- TBS Policy on Information Management
- TBS Policy on Privacy Protection
Appendix A - Definitions
- Administrative Purpose
- Is the use of personal information about an individual "in a decision making process that directly affects that individual". This includes all uses of personal information for confirming identity (i.e., authentication and verification purposes).
- Applicant (or Requester)
- An individual who has requested access to personal information about himself or herself, who has requested that a correction be made or a notation attached to personal information, or who is exercising his or her right under the Privacy Act to review by the Privacy Commissioner of Canada and the Federal Court of Canada.
- Means the act of gathering, acquiring or obtaining identifiable personal information from individuals, by any means.
- A complaint made to the Privacy Commissioner of Canada on any of the grounds set forth in subsection 29(1) of the Privacy Act.
- A characteristic applied to information to signify that it can only be disclosed to authorized individuals to prevent injury to national or other interests.
- Means an individual’s voluntary agreement with what is being done or is proposed to be done. Consent can be either express or implied. Express consent is given explicitly, either orally, electronically or in writing. In appropriate circumstances, consent may be implied from an individual’s conduct. Consent can also be given by an authorized representative, such as a legal guardian or a person having power of attorney.
- Consistent Use
- Is a use that has a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled.
- Delegation Instrument
- The delegation order required pursuant to section 73 of the Privacy Act when the Head of the Institution designates an officer(s) to exercise or perform any of the powers, duties or functions of the Head of Institution under the Act.
- Refers to the release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person.
- Is the information to which the Privacy Act does not apply as described in sections 69, 69.1, 70 and 70.1.
- Is a mandatory or discretionary provision under the Act that authorizes the head of the government institution to refuse to disclose information in response to a request received under the Act.
- Government Institution
- Any (i) department or ministry of state of the Government of Canada, or any body or office, listed in the schedule to the Privacy Act and (ii) any parent crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act.
- Head of Institution
- Is the Director of Public Prosecutions.
- A human being (does not include a corporation).
- Info Source
- Is a TBS publication in which government institutions describe their institutions, program responsibilities and information holdings, including personal information banks and classes of personal information.
- Personal Information
- Information about an identifiable individual as defined in section 3 of the Act.
- Personal Information Bank
- Is a description of personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution.
- Privacy Commissioner of Canada
- Is an independent ombudsman appointed by Parliament pursuant to subsection 53(1) of the Privacy Act. The Privacy Commissioner has significant investigative powers and mediates between dissatisfied individuals and government institutions.
- Privacy Impact Assessment
- Is a policy process for identifying, assessing and mitigating privacy risks. Government institutions are to develop and maintain privacy impact assessments for all new or modified programs and activities that involve the use of personal information for an administrative purpose.
- Is any documentary material, regardless of medium or form.