DAOD 1002-3, Management of Personal Information
Identification
Date of Issue: 2004-10-01
Application: This is a directive that applies to employees of the Department of National Defence ("DND employees") and an order that applies to officers and non-commissioned members of the Canadian Forces ("CF members").
Approval Authority: This DAOD is issued under the authority of the Assistant Deputy Minister (Finance and Corporate Services) (ADM(Fin CS)).
Enquiries: Director Access to Information and Privacy (DAIP)
Overview
Terminology
The following table provides information on terminology used in this DAOD:
| In this DAOD... | has/have the same meaning as in... |
|---|---|
|
section 3 of the Privacy Act. |
|
chapter 3 of the Treasury Board of Canada Secretariat (TBS) policy entitled Use and Disclosure of Personal Information. |
|
section 3 of the Access to Information Act. |
Scope
This DAOD describes the requirements for the collection, use, disclosure, retention and disposal of personal information under sections 4 to 8 of the Privacy Act.
Collection of Personal Information
Authorized Operating Program or Activity
The personal information of DND employees and CF members must not be collected unless it is related directly to an authorized operating program or activity. In addition, the DND and the CF must not collect any more personal information than is necessary to carry out the program or activity.
Personal information is collected by the DND and the CF for purposes such as:
- career management;
- security;
- discipline;
- administration; and
- medical and dental treatment.
Personal information that is collected must be maintained at National Defence Headquarters (NDHQ), an NDHQ-controlled formation, a unit or a records support unit.
Personal Information to be Collected Directly
Personal information which is intended to be used for an administrative purpose must be collected directly, if possible, by the DND or the CF from the individual concerned, unless:
- the individual authorizes otherwise; or
- the personal information may be disclosed to the DND or the CF under subsection 8(2) of the Privacy Act.
Individual to Be Informed of Purpose
When personal information is collected from an individual, the individual must be informed of the purpose for which the information is obtained. This provides the individual with knowledge of, and some control over, the collection of the information.
Normally, the purpose should be evident from the title of the record containing the personal information. If not, it must be indicated clearly on the record.
Exceptions
It is not necessary to collect personal information directly from an individual or to inform the individual of the purpose of the collection if this would:
- result in the collection of inaccurate information;
- defeat the purpose of the collection; or
- prejudice the use for which the information is collected.
Use and Disclosure of Personal Information
Authorized Use of Personal Information
Personal information under the control of the DND or the CF must not, without the consent of the individual to whom it relates, be used for any purpose not mentioned in section 7 of the Privacy Act.
Consistent Use of Personal Information
Personal information may be used by the DND or the CF for a use consistent with the purpose for which it was collected. Consistent use of personal information is explained in detail in the TBS policy entitled Use and Disclosure of Personal Information.
Disclosure of Personal Information
Personal information under the control of the DND or the CF must not, without the consent of the individual to whom it relates, be disclosed except in accordance with section 8 of the Privacy Act.
Disclosure to Federal Investigative Bodies
A federal investigative body may request personal information under the control of a government institution.
Under paragraph 8(2)(e) of the Privacy Act, such a request must:
- be in written form;
- describe the information required; and
- describe the purpose for which it is required.
A copy of the request must be submitted to the Office of Primary Interest (OPI) for the personal information that is requested before disclosure of the information.
Such requests may only be authorized by the DAIP or the acting DAIP.
The DAIP must retain a copy of every request received and the personal information disclosed and must make those copies available to the Privacy Commissioner, as required. Requests are held for a minimum of two years.
Individuals may request access to their personal information held in banks related to federal investigative bodies. However, much of the information would normally be exempt under section 22 of the Privacy Act, for example, that in Military Police investigations.
For the purpose of paragraph 8(2)(e) of the Privacy Act, the federal investigative bodies relevant to the DND and the CF are:
- boards of inquiry;
- the Canadian Forces National Counter-Intelligence Unit; and
- the Military Police.
Guidance on Use and Disclosure
DND employees and CF members who require guidance on the use and disclosure of personal information should contact the DAIP.
Correction, Notation and Notification
Subsection 12(2) of the Privacy Act provides that an individual who is given access to personal information that has been used, is being used or is available for use for an administrative purpose, and who believes that the information is inaccurate or incomplete, may:
- request the correction of that information;
- require that a notation be attached to the information reflecting any correction requested, but not made; and
- require that any person or body, to whom such information has been disclosed for use for an administrative purpose within two years, be notified of the correction or notation.
If the information was disclosed to another government institution, the DND or the CF must ask that institution to make the correction or notation on any copy of the information under its control.
Retention and Disposal of Personal Information
Retention Periods
The required retention periods for most DND and CF related personal information bank (PIB) records are stated in records retention and disposal schedules approved by the National Archivist and set out in the Defence Subject Classification and Disposition System.
Administrative Purpose
In accordance with subsection 4(1) of the Privacy Regulations and the TBS policy entitled Retention and Disposal of Personal Information, personal information that has been used by the DND or the CF for an administrative purpose must be retained.
Disposal of Personal Information
The disposal of personal information is carried out in accordance with the principles outlined in the Retention and Disposal of Personal Information policy.
Personal Information Banks
Context
The Privacy Act requires that the DND and the CF establish PIBs and include in them all the personal information under their control.
With the approval of the TBS, new PIBs are established, and existing PIBs are modified, by the DAIP.
All PIBs designated for informal access and their corresponding numbers are listed in DAOD 1002-2, Informal Requests for Personal Information.
Information to be Included in PIBs
PIBs must include personal information that:
- has been used, is being used or is available for use for an administrative purpose; or
- is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.
Content of PIBs
Each PIB contains the description of the personal information, authorized uses, consistent uses, and retention and disposal standards. The classes of personal information must be described in sufficient detail to facilitate the right of access under the Privacy Act.
Info Source
Info Source is a TBS publication that contains an index and a description of all PIBs as well as classes of personal information under the control of each federal institution. It is updated annually by individual departments such as the DND and is available electronically on the Access to Information and Privacy (ATIP) website on the Defence Information Network and also on the TBS web site.
Responsibilities
Responsibility Table
The following table identifies the responsibilities associated with the management of personal information:
| The... | is/are responsible for... |
|---|---|
|
DAIP |
|
|
OPIs |
|
References
Source References
- Privacy Act and Privacy Regulations
- Collection of Personal Information, Treasury Board of Canada Secretariat
- Corrections and Notations, Treasury Board of Canada Secretariat
- Privacy and Data Protection, Treasury Board of Canada Secretariat
- Retention and Disposal of Personal Information, Treasury Board of Canada Secretariat
- Use and Disclosure of Personal Information, Treasury Board of Canada Secretariat
- Info Source - Sources of Federal Employee Information, Treasury Board of Canada Secretariat
- DAOD 1002-0, Personal Information
- ATIP website
Related References
- Access to Information Act
- DAOD 1001-0, Access to Information
- DAOD 1001-1, Formal Requests for Access to Departmental Information
- DAOD 1001-2, Informal Requests for Access to Departmental Information
- DAOD 1002-1, Requests under the Privacy Act for Personal Information
- DAOD 1002-2, Informal Requests for Personal Information
- CFAO 15-2, Release - Regular Force
- Defence Subject Classification and Disposition System
- MPPol & TP, Information Management: Release of Information and disclosure, Chapter 11
