Statistics Canada's privacy framework is a collection of approved practices, procedures and governance related to privacy. By consolidating all these elements of privacy protection into a single document, the full scope of privacy controls within the operations of Statistics Canada is evident.
This document will reflect any new practices, procedures or governance that are relevant to this privacy framework, as they evolve. As such, the Statistics Canada's Privacy Framework remains evergreen. When updates are required, they will be prepared by the Chief Privacy Officer for Statistics Canada and presented to Security Coordination Committee for approval.
1. Chief Privacy Officer
The Director, Office of Privacy Management and Information Coordination, is the Chief Privacy Officer (CPO) for Statistics Canada, as designated by the Chief Statistician. The CPO provides leadership on matters related to privacy, develops business strategies and processes that ensure that privacy is considered and accounted for in business decision, and ensures the safeguarding of the information by doing privacy program reviews.
The CPO draws expertise from their role as the Office of Privacy Management and Information Coordination (OPMIC) Director, and is supported by the Chief Security Officer (CSO), as well as the Chief Information Officer (CIO), as matters related to physical and IT security, and information management are crucial elements to support privacy protection in an organization.
The CPO administers the departmental privacy program, which is responsible for:
- Developing and implementing policies and procedures to support the protection of personal information in the organization
- Providing advice to employees and management on privacy related matters
- Investigating and reporting breaches of personal information
- Undertaking program reviews to ensure compliance to privacy
- Providing training to all employees on privacy
2. Privacy governance
Statistics Canada is subject to the Privacy Act which means that it must ensure compliance to the privacy principles embedded in the Act, including the protection of personal information. As Statistics Canada's main legislation, the Statistics Act also provides for the protection of the information collected under its mandate, the interpretation of the two legislations for the protection of information can work together. The Privacy Act prohibits the disclosure of personal information without the consent of the individual unless specifically permitted by the Privacy Act. However, the information may be subject to other legislation that would prohibit its disclosure. This other legislation that would prohibit the disclosure is the Statistics Act which explicitly states that information that could identify an individual cannot be disclosed. There is an exception in the Statistics Act that disclosure may be permitted with the consent of the individual (and at the discretion of the Chief Statistician) which aligns with the Privacy Act's principle of disclosure with consent.
Statistics Canada is not subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). However, PIPEDA can impact the operations of Statistics Canada as data providers are subject to it which can limit their authority to disclose personal information to Statistics Canada.
3. Policies and procedures
Policies and procedures are crucial for a consistent interpretation of the privacy obligations. Having a formal policy or procedure in the organization ensures that all employees, including management have a common understanding of the organization's objective and application of privacy principles. As not all employees can be experts in the interpretation of the Privacy Act or its supporting policies, this element is supported by experts in the Office of Privacy Management and Information Coordination that are available to provide advice.
Treasury Board Secretariat of Canada (TBS) is responsible for providing guidance on the interpretation of the Privacy Act as well as issuing policies to support compliance. Statistics Canada is subject to these policies.
Statistics Canada also has a list of policy instruments (listed below) that incorporate the privacy principles within its statistical programs. The generic Privacy Impact Assessment (PIA) offers a clear correlation of them.
In regards to employee privacy, TBS provides the policies to support compliance to privacy principles and Statistics Canada has developed best practices and procedures to reinforce the policies.
| Title of the governance instrument | Purpose |
|---|---|
| Privacy Act | Legislation that oversees the protection of personal information within the federal government |
| Statistics Act | Legislation that provides the authority for Statistics Canada to operate |
| General | |
| Policy on Privacy and Confidentiality | To ensure effective protection and use of information by identifying, assessing, monitoring and mitigating privacy and confidentiality risks in programs and activities involving the collection, retention, use, disclosure and disposal of information that falls within the scope of the Statistics Act and/or the Privacy Act. |
| Generic PIA | To demonstrate how Statistics Canada accounts for the privacy principles within all its statistical activities. Statistics Canada uses standardized tools for its statistical operations. |
| Accessing information | |
| Policy on Microdata Access | To achieve efficient and effective access to Statistics Canada microdata for statistical purposes, while ensuring that the confidentiality of the information is protected. |
| Policy on the Use of Administrative Data Obtained under the Statistics Act | To maximize the efficiency and effectiveness of the use of administrative data in statistical programs. |
| Directive on Obtaining Administrative Data under the Statistics Act | To maximize the efficiency and effectiveness of the use of administrative data in statistical programs. |
| Directive on Informing Survey Respondents | To ensure that survey participants are provided with key information about the survey, permitting them to understand the purpose of the survey, uses of the information collected, legal authority under which it is collected, and what is required of them. |
| Disclosing information | |
| Directive on Data Sharing | To ensure that confidential information is only disclosed in a manner prescribed by the Statistics Act. This directive describes the condition under which the Chief Statistician may agree to the sharing of confidential information.Footnote 1 |
| Directive on Discretionary Disclosure | To ensure that confidential information is only disclosed in a manner prescribed by the Statistics Act. This directive describes the condition under which the Chief Statistician may agree to the disclosure of confidential information. |
| Guidelines: Obtaining a Discretionary Disclosure | To provide direction on when and how to request a discretionary disclosure order from the Chief Statistician. |
| Guidelines for Obtaining Consent | To provide direction on how to seek consent from a respondent for the disclosure of their information. |
| Guidelines for the Release of Microdata Files | To provide direction for the submission of microdata releases and specifies the criteria for release of microdata. |
| Using information | |
| Directive on Microdata Linkage | To ensure the effective management of microdata linkage activity conducted within the National statistical organizations (NSO) so that the analytical benefits of microdata linkage support the mandate of the NSO while, at the same time, addressing and mitigating the inherent privacy-invasive nature of the activity. |
| Directive on the Use of Deemed Employees | To provide direction on the procedures for a researcher to become a deemed employee of Statistics Canada and the purposes for which a researcher can become a deemed employee. |
| Protecting information | |
| Policy on Privacy Protection | To facilitate statutory and regulatory compliance, and to enhance effective application of the Privacy Act (NET B) and its Regulations by government institutions; ensure consistency in practices and procedures in administering the Act and Regulations so that applicants receive assistance in filing requests for access to personal information; and ensure effective protection and management of personal information by identifying, assessing, monitoring and mitigating privacy risks in government programs and activities involving the collection, retention, use, disclosure and disposal of personal information. |
| Directive on Conducting Privacy Impact Assessments | To demonstrate that activities related to the collection, use or disclosure of personal information are assessed and evaluated for privacy, confidentiality and security risks, and to develop measures intended to mitigate or eliminate identified risks. |
| Directive on the Security of Sensitive Statistical Information | To protect the confidentiality of all sensitive statistical information as required by the Statistics Act and applicable government security requirements. |
| Directive on the Transmission of Protected Information | To assure the protection of sensitive statistical information and other information when it is transmitted to, or from, an external source, including survey respondents, and to address any risks of disclosure. |
| Information and Privacy Breach Protocol | To describe the procedures to follow for breaches of information and privacy related to designated and classified information. |
| Managing information | |
| Policy on Information Management | To ensure efficient and effective information management to support Statistics Canada in meeting its mandate. |
| Directive on the Management of Statistical Microdata Files | To establish a process to manage the agency's statistical microdata and aggregate statistics holdings with respect to file classification, required documentation and retention periods. |
| Directive on the Management of Aggregate Statistics | To establish a process to manage the agency's statistical microdata and aggregate statistics holdings with respect to file classification, required documentation and retention periods. |
4. Supporting toolsFootnote 2
| Tools | Objective |
|---|---|
| Administrative orders and authorizations | Administrative orders and authorizations were created to demonstrate the Chief Statistician's formal approval to prescribe a survey, allow an employee to acquire data on behalf of Statistics Canada or authorize the disclosure of confidential information. |
| Section 12 data-sharing standardized template | A non-negotiable data-sharing template was created to ensure a consistent approach to data-sharing with receiving organizations, ensure consistent security measures are in place as well as to facilitate and accelerate the sharing of information. |
| Data acquisition agreements and letters | The data acquisition agreements and letters were created to facilitate and accelerate the negotiations when acquiring data from a data provider. |
| Undertaking of confidentiality or Memorandum of Understanding standardized | An undertaking of confidentiality or MOU for disclosure of confidential information is required to remind receiving parties of their obligation to maintain the confidentiality of the information. |
| Acknowledgment of transfers | Acknowledgment of transfers are in place for both the director of the programs that transfers confidential information to another party and for the party receiving the information. It is meant to remind them that proper authorization must exist to transfer the information and to maintain the confidentiality of the information. |
| Microdata linkage template | When undertaking a new microdata linkage, it is required to complete a template that includes the basic information required to authorize the linkage. |
| Confirmation of compliance forms | When a statistical program seeks to undertake an activity that is not expressly authorized in a directive, but aligns to the principles in the directive, they may complete a confirmation of compliance form and submit it to the appropriate committee for confirmation. |
5. Experts
Statistics Canada also has experts to support the programs and employees with the interpretation of legislation, policies and directives.
The Security Coordination Committee, which is comprised of senior managers from across the agency, plays an important role in supporting privacy within the organization. It assists and advises in the development of appropriate policies, procedures and programs, including training and awareness programs.
The Office of Privacy Management and Information Coordination (OPMIC) is mainly responsible for providing advice on the application of the legislation, policies and directives related to privacy. It ensures proper safeguards are in place to mitigate or eliminate any risks of improper use or disclosure of information as well as measures to ensure the integrity and availability of the information.
OPMIC provides Statistics Canada employees with sound direction on the protection of information in their daily activities. Through awareness campaigns, the IM Portal on the ICN, and its questions mailboxes, OPMIC is an information source and reminder of the importance of compliance with agency directives.
The Integrated Security Awareness Working group, which is comprised of IT, IM, and physical security experts, ensures that activities related to the security of personal information communicate a consistent and clear message to all employees.
6. Addressing specific privacy elements
The following are specific privacy elements related to the statistical operations of Statistics Canada. The elements were integrated in the statistical processes and support a robust and transparent privacy framework.
a. Consent
For personal information collected under the authority of the Statistics Act, the element of consent is found in many of the processes at Statistics Canada. The Agency has developed practices for when to seek consent from an individual or not in consideration that the information is solely used for statistical purposes.
| Processes | Type of Consent | Reason |
|---|---|---|
| Collection | Direct collection: consent to participate is implied when the individual provides their information. Individuals are informed if the collection is voluntary or mandatory. | Direct collection: Individuals have an opportunity to refuse to participate in voluntary surveys by simply not providing the information. |
| Indirect collection: It is implied that consent was provided or authority to disclose to Statistics Canada exists. | Indirect collection: the data providers have the responsibility to ensure they have the authority to provide the information to Statistics Canada. | |
| Sharing and disclosing | Respondents to surveys are asked, at the time of collection, for the expressed consent to share their information, informed of the exact recipient and the statistical use of the information. | The Statistics Act allows the sharing of information with the consent of the respondent and an agreement between Statistics Canada and the receiving organization must be in place. The sharing is only allowed for statistical purposes unless the receiving organizations has a legislation that would compel the individual to provide their information. |
| Respondents to surveys are asked, at the time of collection or after, for their expressed consent to disclose their information. They are informed of the exact recipient and the statistical use of the information. | The Statistics Act allows the disclosure of information with the consent of the respondent and authorization from the Chief Statistician. When personal information is disclosed, Statistics Canada requires the recipient to sign a confidentiality agreement or undertaking, by which they agree to keep the information confidential and use it for statistical purposes only. | |
| Tax data: Respondents to surveys are asked for their expressed consent to disclose their tax information to another party. | Canada Revenue Agency (CRA) allows Statistics Canada to disclose the tax information of a respondent if the expressed and clear consent (specific question by CRA) is received from the respondent. The Chief Statistician may use his discretion to disclose the information. | |
| Children: Respondents to surveys, 14 and under, are not asked for their consent to share their information. The consent is requested from the parent/guardian. | Statistics Canada also uses the principle of reasonable expectation that the minor understands the purpose and consequences of their consent to disclose or share their information. | |
| Proxy: An individual can consent to share the information on behalf of the selected respondent. The individual is asked to confirm that they have consulted with the respondent. | This type of consent is rarely used. The Census of Population used this type of consent for the disclosure of Census information to LAC, 92 years after the collection. | |
| Use | Data matching: Respondents are always informed that their information may be linked to other information. | Data matching or linking is a statistical technique and is considered a consistent use of the information. |
b. Access, correction and complaint
The Chief Privacy Officer is also the Privacy Coordinator for Statistics Canada, who is responsible for providing access to one's own personal information. The access can only be denied in limited cases, in accordance with the Privacy Act.
The Privacy Coordinator ensures that personal information is described in personal information banks as required by the Privacy Act, which are published in "Information about Programs and Information Holdings" (formally known as Info Source). If a request for a correction to personal information is submitted to its office, the Privacy Coordinator will request the correction in the case of non-statistical programs. In the case of statistical programs, the information does not require to be corrected as it is not used for administrative purposes and such correction is not always operationally feasible.
The Chief Privacy Officer is responsible for addressing concerns or complaints from employees or the public about the management of their personal information. In some instances, the CPO will undertake an investigation of internal processes to determine if there is a breach of privacy and to ensure compliance to the Privacy Act. Incident reports are prepared, and the Chief Security Officer approves the breach report and the recommendations, based on recommendations of the CPO. If it is a material breach, Treasury Board Secretariat and the Office of the Privacy Commissioner are notified as well as the individual whose information was breached, in accordance with the Information and Privacy Breach Protocol. If the complainant is not satisfied with the results of the investigation, they may submit a complaint to the Office of the Privacy Commissioner. In the event of a non-material breach, the individual may be notified if the CPO and CSO deem it necessary. If the individual is notified, Treasury Board Secretariat and the Office of the Privacy Commissioner will also be notified as to inform them in the event of a complaint.
In regards to personal information collected under the Statistics Act, access to personal information is limited to employees that have a need to know. The Directive on the Security of Sensitive Statistical Information assigns the responsibility to directors of statistical programs to ensure the appropriate use, access and disclosure of the information. Statistics Canada has developed corporate systems to support the access control to the information.
Access to the information may also be allowed to researchers under the Directive on the Use of Deemed Employees who provide statistical services to Statistics Canada. These researchers must take the oath of confidentiality as per the Statistics Act and are subject to the same penalties as all Statistics Canada employees. The access to the information is limited to that required for their work, they must have a reliability security clearance, confirm that they do not have conflict of interest, and in some cases submit a project proposal. The information remains in the control of Statistics Canada at all times.
c. Security
To ensure the confidentiality, integrity and availability of personal information under the control of Statistics Canada, many physical, IT and Information Management measures have been put in place to mitigate the risks to personal information.
The security of information is the responsibility of the Chief Security Officer, the Chief Privacy Officer and the Chief Information Officer. Any security issues that cannot be addressed by them are brought to the Security Coordination Committee to make an evaluation of the risk and determine if the issue should be brought up to the Chief Statistician.
The measures are made available to employees in the Security Practices Manual as well as in the directives on the transmission of protected information, management of statistical microdata files, and network use policy.
The following are examples of security measures to protect personal information:
- Access control gates and security guards
- Security screening of all employees
- Network Use Policy
- Building pass for employees and visitors
- Encryption of emails containing protected information (including personal information)
- Prohibition to use USB keys unless expressly authorized
- Storage of protected information on a closed network
- Access control to electronic files
- Password requirements for access to networks
Statistics Canada's Integrated Security Awareness Group is responsible for coordinating all security related activities that take place in the agency. This group ensures that activities are corporate-wide and responsive to the security needs for Statistics Canada. Also part of its terms of reference is the yearly participation in the Government of Canada Security Awareness Week. During this week, many activities take place to remind employees of their obligations to protect the information held by Statistics Canada.
d. Privacy impact assessments
In support of the Privacy Act, a Privacy Impact Assessment (PIA) is an evaluation process which allows those involved in the collection, use or disclosure of personal information to assess and evaluate privacy, confidentiality and security risks associated with these activities, and to develop measures intended to mitigate or eliminate identified risks.
Statistics Canada developed the Directive on Conducting Privacy Impact Assessments with the expected result that a PIA will be conducted when any new or significantly redesigned collection, use or disclosure of personal information raises privacy, confidentiality or data security risks. As Statistics Canada undertakes multiple collections of personal information, follows a pre-determined process and uses similar tools, it developed a generic PIA that addresses the standard statistical activities that involve personal information. Any new processes would be addressed in a specific PIA, or a supplement or update to the generic PIA.
Although Statistics Canada is not required to conduct a PIA as the information is used for non-administrative purposes, it was determined that a PIA would demonstrate due diligence and good stewardship of personal information and identify potential risks.
In the context of data acquisition, the existence of a corporate PIA has facilitated the negotiation to satisfy the data provider that privacy risks have been identified and addressed. Supplements to the generic PIA are also developed for most administrative data acquisitions that involve personal information.
PIAs are reviewed by the statistical programs, the Chief Privacy Officer as well as other specialists, as required, and must be submitted to the Chief Statistician for approval. The collection, use or disclosure cannot take place until the PIA is approved by the Chief Statistician. The approved PIA is submitted to TBS and the Office of the Privacy Commissioner who may provide recommendations.
e. Incident management
Statistics Canada developed an information and privacy breach protocol describing the procedures to be followed for breaches of information and privacy at Statistics Canada.
The protocol defines when a privacy breach occurs as well as the steps to take to address the breach. It takes into account the following 4 steps to address a breach:
- Breach containment
- Evaluation of risks associated with the breach
- Notification and reporting
- Prevention of future breaches
Statistics Canada developed an incident reporting system and form to collect consistent and complete information about breaches. The incident is immediately reported to the CPO and CSO, with a report submitted shortly thereafter, by the responsible manager, to a breach notification mailbox and is quickly reviewed and evaluated by the CPO. The form covers the type of data breached, a chronology of the events, the risk assessment, the problem resolution, recommendations and action items.
These incident reports are reviewed by the CPO and the CSO and then submitted to the director of the division to implement the recommendations to prevent future breaches. On a quarterly basis, breaches are reported to the Security Coordination Committee to identify and address systemic breaches.
f. Oath
The protection of personal information is the focus of the oath that employees and deemed employees must take when accessing confidential information at Statistics Canada. In addition, public service employees must take the oath of public service that they will faithfully and honestly fulfil their duties and will not, without authority, disclose or make known any matter that comes to them by reason of this employment. They must also adhere to a code of conduct which includes the respect of legislation and policies.
The Statistics Act imposes an obligation of confidentiality on employees working for Statistics Canada and who have access to information collected under the authority of the Statistics Act. They are obligated to take an oath of secrecy which means that they attest that they will respect the confidentiality of the information. The oath is administered by an individual with delegated authority and with sufficient knowledge to explain the importance of the confidentiality promise. The Act imposes penalties to those that contravene the oath and is valid for a lifetime. Should the employee breach the information, they could be subject to a fine or imprisonment as per the provision of the legislation.
g. Agreements
Information Sharing Agreements
Statistics Canada undertakes information sharing with organizations, governments or business where the Statistics Act permits the sharing of information. Such sharing requires the consent of the individual to share their personal information and an agreement stating the terms and conditions for the sharing. The adoption by Statistics Canada of an information sharing standard has ensured a consistent level of protection of personal information. All information sharing agreements contain the following clauses to ensure a comprehensive and standardized approach to protect the information.
- Scope of the information
- Confidentiality of the information
- Use of the information
- Access to the information
- Notification of breach
- Audits
- Termination
The exception to the requirement to have a respondent's consent is when there is an information sharing agreement with a provincial or territorial statistical agency that has legal authority to compel the collection of that same information, has a legislation that requires to maintain the confidentiality of the information and has penalties for wrongful disclosure or another department with a legislation with the power to compel response.
Information Acquisition
Statistics Canada also has the authority to collect personal information from other organizations, business or governments. As such, it has created standardized agreements when acquiring such data. As the data is provided to Statistics Canada by another organization, Statistics Canada cannot impose the use of its standardized agreement, and the data provider may request to use its own agreement. In all instances of data acquisition, Statistics Canada must have a written exchange to document the acquisition and demonstrate its authority to collect. All acquisition agreements contain the following clauses to ensure a comprehensive and standardized approach.
- Scope of the information
- Transmission of the information
- Confidentiality and protection of the information
- Use of the information
- Disclosure of the information
- Notification of breach
- Monitoring and compliance
- Termination
h. Audit/Review
- Statistics Canada's Internal Audit Division is responsible for conducting audits and reviews that may include compliance with the Privacy Act. It has completed audits on the information sharing agreements with external stakeholders. The report, including a summary of the action plan, is available to the public.
- The elements in this privacy framework are reviewed, on a need basis, to ensure its robustness.
7. Education and awareness
Statistics Canada undertakes a variety of activities to ensure that employees are aware and understand their responsibilities and obligations when collecting, using or disclosing personal information. These activities are reviewed regularly to ensure that the information remains up-to-date, interesting and relevant to employees.
Here is a list of activities that Statistics Canada undertakes regularly, the objective of the activity, the scope of the activity as well as the privacy principles that it will address.
| Activity | Requirements | Scope | Expected output | Expected outcome |
|---|---|---|---|---|
| Training on confidentiality and privacy for new employees | Mandatory (must be taken within the first two weeks of employment at Statistics Canada). | Personal information and sensitive statistical information | New employees are made aware of the culture of confidentiality at Statistics Canada. | The information collected under the Statistics Act and personal information protected under the Privacy Act is protected from wrongful use or disclosure. |
| Mandatory training on confidentiality and privacy for current employees | Mandatory every three years | Personal information and sensitive statistical information | Current employees are reminded of their responsibilities towards confidentiality. | The information collected under the Statistics Act and personal information protected under the Privacy Act is protected from wrongful use or disclosure. |
| Confidentiality and Privacy session | Voluntary training | Personal information and sensitive statistical information | Employees are trained in privacy and confidentiality and have an opportunity to ask questions relevant to their work. | The information collected under the Statistics Act and personal information protected under the Privacy Act is protected from wrongful use or disclosure. |