Personal information banks (PIBs) are descriptions of personal information under the control of a government institution that is organized and retrievable by an individual's name or by a number, symbol or other element that identifies that individual. The personal information described in a PIB has been used, is being used or is available for an administrative purpose. The PIB describes how personal information is collected, used, disclosed, retained and/or disposed of in the administration of a government institution's program or activity.
There are three types of PIBs: central, institution-specific and standard. The PIBs listed below are either OPC-specific or standard PIBs. Standard PIBs describe information about members of the public as well as current and former federal employees contained in records created, collected and maintained by most government institutions in support of common internal services. These include personal information relating to human resources management, travel, corporate communications and other administrative services. Standard PIBs are created by the Treasury Board of Canada Secretariat.
As an ombudsman and guardian of privacy in Canada, the Commissioner enforces two federal laws that focus on the protection of personal information: the Privacy Act, which applies to the federal public sector; and PIPEDA, Canada's private-sector privacy law. The mission of the Office is to protect and promote the privacy rights of individuals.
The Commissioner's functions and powers to further the privacy rights of Canadians include: investigating complaints, conducting audits and pursuing court action under two federal laws; publicly reporting on the personal information-handling practices of public and private-sector organizations; supporting, undertaking and publishing research into privacy issues; and promoting public awareness and understanding of privacy issues. The Commissioner works independently from other parts of the government to investigate complaints from individuals with respect to the federal public sector and the private sector.
For matters relating to personal information in the private sector, the Commissioner may investigate complaints under Section 11 of PIPEDA except in the provinces that have adopted substantially similar privacy legislation, namely Québec, British Columbia, and Alberta. Ontario, New Brunswick and Newfoundland and Labrador now fall into this category with respect to personal health information held by health information custodians under their health sector privacy laws. However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federal works, undertakings and businesses, including personal information about their employees. PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial activities.
This program oversees compliance with federal privacy legislation for public- and private-sector organizations, thus contributing to the protection of Canadians' privacy rights. Through this Program, the OPC investigates privacy-related complaints and responds to inquiries from individuals and organizations, reviews breach reports and has the power to initiate its own investigations when warranted (Commissioner-initiated complaints). Through audits and reviews, the OPC also assesses how well organizations are complying with requirements set out in the two federal privacy laws and provides recommendations on Privacy Impact Assessments (PIAs), pursuant to the Treasury Board Directive on Privacy Impact Assessment. This program is supported by a legal team that provides specialized advice and litigation support, and a research team with senior technical and risk-assessment support.
These records relate to complaints of alleged violations of the Privacy Act and PIPEDA as well as incident reports and personal information breach notifications. The records contain identifying information about complainants, details of allegations, information about complainants and parties to the allegations, and information gathered during investigations, including statements provided by individuals and parties to the allegations.
Complaint applications, representations made by the parties to the allegations, submissions and third-party reports received by the Spam Reporting Centre, documentary evidence, investigators' notes and records of discussions, technical analysis, internal and external correspondence, legal opinions, investigation reports, briefing notes, reports of findings, records of follow-up on recommendations, and case summaries.
This bank describes information related to investigations arising out of complaints submitted to the Privacy Commissioner pursuant to subsection 29(1) of the Privacy Act and 11(1) of PIPEDA, or those initiated by the Commissioner pursuant to subsection 29(3) of the Privacy Act or 11(2) of PIPEDA. It also includes information related to investigations of incidents and alleged violations of the Acts including privacy breaches.
Personal information may include name, contact information, details of allegations, opinions and views of complainant and others, as well as the personal information that is the focus of the complaint or incident (e.g. medical, criminal, educational, financial, etc.), evidence provided, as well as decisions and recommendations relevant to the investigation. In certain cases, depending upon the nature of the complaint or the investigations conducted under the Privacy Act or PIPEDA, other personal information such as social insurance numbers (SIN), employee identification numbers, other identification numbers and IP addresses may also be collected.
Limited information is shared with federal government institution(s) or private sector organization(s) involved in the complaint (e.g. name of the individual, nature of the allegations, information that is permitted to be shared by section 64(1) of the Privacy Act or 20(3) of PIPEDA in order to conduct an investigation).
Information pertaining to privacy complaints and investigations can be shared with domestic and international privacy enforcement agency counterparts that have functions and duties similar to those of the Commissioner with respect to the protection of personal information, under sections 23 and 23.1 of PIPEDA, subject to an agreement or an arrangement in writing.
The Privacy Commissioner submits annual reports to Parliament with respect to activities under the Privacy Act and PIPEDA which may include select anonymized case summaries. The information may be used to conduct audits and to identify and address systemic privacy issues. It may also be used for evaluation and quality control purposes in order to ensure consistency in the investigative process, for the training of investigators, and for research and litigation purposes.
Records collected pursuant to a Privacy Act time delay complaint are retained for 2 years, and all other types of complaints pursuant to the Privacy Act are retained for 5 years, following the last administrative action, and then destroyed.
Access to this bank may require the complaint file number, the name and address of complainant, the approximate date of complaint, the name of the government institution or private sector organization, and/or the investigator's name.
This bank describes information collected when an individual contacts the OPC to request information by telephone, e-mail or regular mail concerning the Privacy Act, PIPEDA and/or related issues. Personal information may include: name, contact information, and other personal details, which can vary significantly depending on the nature of the inquiry, but which may include the individual's financial, medical, criminal or educational history, etc.
Members of the public and individuals representing private sector organizations, other government institutions (municipal, provincial, international) or federal government institutions who make written or telephone inquiries concerning issues related to the Privacy Act or PIPEDA.
Information may also be used for research on policy questions or in order to inform public education initiatives. The information may be provided to an OPC investigator if the enquiry leads to a complaint (see OPC PPU 005). Personal information may also be used for audit, evaluation, reporting (e.g. Annual Reports to Parliament) and/or statistical purposes.
These records relate to audits conducted pursuant to section 37 of the Privacy Act and section 18(1) of PIPEDA to review the personal information management practices of government institutions and private sector organizations. Information gathered during such audits may include annual reports, documents related to practices, systems and procedures and statements provided by individuals.
Internal and external correspondence, legal opinions and requests for opinions, auditors' notes and records of discussions, audit reports, briefing notes as required, and records of follow-ups to recommendations as required.
These records relate to complaints made under the Privacy Act against the OPC. These are reviewed and investigated by an independent Privacy Commissioner Ad Hoc appointed for this purpose. The records contain identifying information about complainants; details of the allegations; information about complainants and parties to the allegations; information gathered during the investigation including statements provided by individuals and parties to the allegations.
Representations made by the parties to the allegations; documentary evidence; investigators' notes and records of discussions; internal and external correspondence; legal opinions and requests for opinions; investigation reports; briefing notes as required; reports of findings; records of follow-ups to recommendations as required.
This bank describes information related to complaints made under section 29 of the Privacy Act against the OPC, which are referred to an appointed Privacy Commissioner Ad Hoc for follow-up and investigation. It relates also to investigations conducted by the Privacy Commissioner Ad Hoc in response to complaints, and to any investigation initiated by the Privacy Commissioner Ad Hoc under subsection 29(3) of the Privacy Act. It includes information on inquiries received and investigations of incidents involving alleged violations of the Privacy Act. The personal information collected may include name, contact information, details of allegations, opinions and views of complainant and other individuals, and other personal details, which vary depending on the nature of the complaint, inquiry, etc.