8. Introducing stronger accountability mechanisms in the Act
CLOSED: This discussion has concluded.
Specific obligations could be added in the Act to help federal public bodies demonstrate how they are accountable for their personal information practices
The Act could introduce obligations to support the principle that each federal public body is responsible for personal information under its control. The Act could also set out tools to assist federal public bodies in demonstrating to Canadians, and to the Office of the Privacy Commissioner where required, that they have effective measures in place to comply with the Act and protect personal information. These could include:
An obligation to ensure that personal information sent outside of Canada is appropriately protected : The Act could impose legal requirements for federal public bodies to ensure that appropriate privacy-protection clauses are included in contracts or agreements that may involve intergovernmental or transborder flows of personal information, consistent with current Government policy. A flexible, risk-based approach to this requirement would take into account the various contexts in which information can be shared outside of Canada, as well as the variety of frameworks for protecting personal information outside of Canada. The Act could require that flows of personal information outside of Canada be governed by a written agreement or arrangement that would include safeguards appropriate to the context of the disclosure, including whether there is already an applicable agreement or arrangement, the nature of the privacy-protection regime where the information is flowing to, and the sensitivity of the personal information being disclosed. Regulations or policy could support this obligation.
An obligation to design programs and activities with the protection of personal information in mind : The Act could impose a process for proactively protecting personal information by integrating considerations of how to protect such information into the early stages of the development and implementation of an initiative, such as a new program or service offered by a federal public body. This is also known as privacy by design. Government policies already require federal public bodies to assess and mitigate privacy risks when they develop new or modified government programs and activities. Making this a legislative requirement would reflect the Government’s current practices and commitment to addressing privacy issues from the outset.
An obligation to undertake a Privacy Impact Assessment : The Act could impose an obligation on federal public bodies to undertake an analysis to identify and mitigate privacy risks. This type of analysis is commonly known as a privacy impact assessment (PIA) and is currently framed by policy. This obligation would apply to new programs or activities or substantially modified existing programs that involve the collection, use or disclosure of personal information for administrative purposes, for automated or manual profiling activities that involve sensitive personal information, or as otherwise mandated by Government policy. The Act could define “substantially modified” to clarify the circumstances in which such an analysis needs to be undertaken, and the requirements of the Act could be supported by updated policy.
An obligation to have a Privacy Management Program : The Act could also impose a new requirement for federal public bodies to create and maintain a Privacy Management Program. This is essentially an organizational plan for protecting personal information that a government public body can use to identify, organize, review and improve its practices relating to personal information. It would serve as an individualized guide for compliance with the Act. The Act could identify the minimal components of what a Privacy Management Program had to include, along with a requirement that they be regularly reviewed and updated. These requirements would be supplemented by supporting regulations or Government policy.
Clarifying which federal public body is accountable when multiple public bodies are involved : The Act could clarify which federal public body, or bodies, would be responsible for personal information where two or more federal public bodies have access to the same datasets, such as where a shared database is accessed by a number of federal public bodies.
Share on Facebook
Share on Linkedin
Email this link
Consultation has concluded. Thank you for your contributions.