The Access to Information Act in section 24 also provides for this confidentiality and recognizes that information collected under the Statistics Act and protected by section 17 of this Act may not be made available to anyone attempting to obtain it under the Access to Information Act. Statistics Canada`s website contains the following information: Sharing personal information with other organizations triggers the PIA request, unless the disclosure is for non-administrative purposes, in which case the institution may follow an internal protocol for the collection, use or disclosure of personal information for non-administrative purposes. The proposed principle of “limiting use, disclosure and retention” could also be complemented by specifically authorised uses and disclosures, which will be updated to ensure consistency with this new principle on the protection of personal data. The circumstances in which personal data may be used and disclosed without obtaining the consent of an individual are currently set out in Articles 7 and 8 of the Data Protection Act, respectively. These provisions reflect the complex policy choices facing Parliament, which sought to create a broad legal framework to govern the protection of personal data by some 265 federal institutions with unique mandates, information needs and partnerships between jurisdictions. With these provisions, Parliament has made policy decisions to balance the importance of protecting the privacy of individuals with the need to allow the responsible use and disclosure of information in support of legitimate public purposes. In addition, transparency measures will be crucial to ensure that individuals understand how their personal data is used, disclosed and retained – these are discussed in more detail in the annex entitled “A Renewed Accountability Model and New Tools for Meaningful Transparency”. According to Articles 10 and 11 of the Data Protection Act, state institutions must describe all personal data under their control in a personal data bank (PIB) or class of personal data. All personal information bank descriptions must also include an explanation of the purposes for which the information is used. Once it has been established that it is necessary to disclose personal data, an institution must verify that it has the legal authority to do so. The power to collect and disclose personal data is usually found in an Act of Parliament or in subsequent regulations. The following describes the most frequently cited provisions of Subsection 8(2), which are used by state institutions to transfer personal data to another level of government without the consent of the data subject.
Apart from Articles 6, 7 and 8 of the Data Protection Act, which deal with the retention, disposal, accuracy, use and disclosure, there is no specific provision in the law that focuses on the protection of personal data. Any protection afforded to personal data is ancillary to the main purpose of these sections and would apply if the State institution retains control of personal data. Greater openness regarding the application of data protection law and its enforcement is important. All the main actors in the system – the public, the federal public authorities and the Data Protection Commissioner – could benefit if clear information on what the law requires is generally and systematically available. Some of these ideas for amending the Act would align the powers of the Data Protection Commissioner with those of the Personal Data Protection and Electronic Documents Act, while others are more innovative proposals to promote greater dialogue between federal public bodies and the Data Protection Commissioner in the context of the federal public sector. The proposals currently under consideration are as follows: When considering a data-sharing initiative for the first time, institutions should ensure that it is legal. This means that once an organization has defined what, how, why, and with whom it wishes to share personal data, it must conduct an analysis of all applicable federal laws, including regulations, to ensure that it has the legal authority to do so. The recipient should also ensure that it has its own legal authority to carry out the proposed data exchange activity.
Canadians want assurance that government digital services are designed to comply with the laws and regulations set out in several statutes to protect the confidentiality, integrity and accessibility of systems and information. Develop a legal and regulatory vision of the department to design secure information systems by identifying the security requirements of the company. An enterprise security need is any protection or compliance requirement that ensures the confidentiality, integrity, or availability of a business activity or information resources to support a business activity. Operational security requirements may also arise from departmental missions, objectives, priorities, the need to preserve the image and reputation of the organization, and the various commitments that may have been made. Section 8 of the Data Protection Act states that, subject to other Acts of Parliament, personal data under the control of a government institution may not be disclosed without the consent of the person to whom the information relates, unless disclosure is permitted under subsection 8(2). This subsection of the Act describes thirteen circumstances in which personal data may be disclosed without consent. All disclosure provisions of subsection 8(2) are at your discretion. Conversely, information may be required for administrative purposes when used in a decision-making process that affects affected individuals, for example: In the event of questions, challenges or disagreements related to an issue related to an agreement, it is recommended that clauses be included to provide a dispute resolution mechanism. Adding additional emergency powers to prevent threats to public safety and individuals and contacting next of kin: Unlike many other public sector privacy laws, the Data Protection Act does not explicitly authorize the use or disclosure of personal information in an emergency to ensure public safety or the safety of individuals, or the next Notify loved ones in certain circumstances. To address this, the legislation could add additional powers that permit use or disclosure where reasonably necessary in an emergency to prevent or reduce a serious threat to the public or the safety or health of any person, to protect the safety or health of a person, and to communicate with a relative or other person; who could reasonably be contacted if a person is injured or sick. Enhancing the clarity and accountability referred to in point (j) of paragraph 8(2): point (j) of paragraph 8(2) allows for the disclosure of personal data to individuals or entities for research and statistical purposes. This provision could be amended to clarify the scope of its intent, particularly given the scope and scope of data analysis possible today.
In addition to that clarification, the head of an institution empowered to authorise disclosures under point (j) of Article 8(2) could also be required to establish conditions of data security and confidentiality in disclosure agreements. These amendments would better align paragraph 8(2)(j) with approaches in many other jurisdictions. Assuming that the Canadian Charter of Rights and Freedoms and other Acts of Parliament do not prohibit the proposed information sharing project, an institution should then ensure that the proposed disclosure and/or collection of personal data complies with the Privacy Act. For example, this provision may take into account practices in which personal data are exchanged between police forces, security and investigative authorities and their counterparts, both nationally and internationally for law enforcement purposes. This provision also contributes to the management of laws. To the extent possible, statistical program managers follow standard procedures that follow Statistics Canada`s guidelines for the accuracy of personal information. Once collected, section 7 of the Data Protection Act permits the use of personal information by a federal government institution: Access requests must be made in writing to Statistics Canada at the personal information bank in question or with sufficiently specific information about the location of the information[…].