DAOD 1002-3, Management of Personal Information

Identification

Date of Issue: 2004-10-01

Application: This is a directive that applies to employees of the Department of National Defence ("DND employees") and an order that applies to officers and non-commissioned members of the Canadian Forces ("CF members").

Approval Authority: This DAOD is issued under the authority of the Assistant Deputy Minister (Finance and Corporate Services) (ADM(Fin CS)).

Enquiries: Director Access to Information and Privacy (DAIP)


Overview

Terminology

The following table provides information on terminology used in this DAOD:

In this DAOD... has/have the same meaning as in...
  • administrative purpose;
  • government institution;
  • personal information;
  • personal information bank; and
  • Privacy Commissioner

section 3 of the Privacy Act.

  • disclosure of personal information

chapter 3 of the Treasury Board of Canada Secretariat (TBS) policy entitled Use and Disclosure of Personal Information.

  • record

section 3 of the Access to Information Act.

Scope

This DAOD describes the requirements for the collection, use, disclosure, retention and disposal of personal information under sections 4 to 8 of the Privacy Act.

Collection of Personal Information

Authorized Operating Program or Activity

The personal information of DND employees and CF members must not be collected unless it is related directly to an authorized operating program or activity. In addition, the DND and the CF must not collect any more personal information than is necessary to carry out the program or activity.

Personal information is collected by the DND and the CF for purposes such as:

Personal information that is collected must be maintained at National Defence Headquarters (NDHQ), an NDHQ-controlled formation, a unit or a records support unit.

Personal Information to be Collected Directly

Personal information which is intended to be used for an administrative purpose must be collected directly, if possible, by the DND or the CF from the individual concerned, unless:

Individual to Be Informed of Purpose

When personal information is collected from an individual, the individual must be informed of the purpose for which the information is obtained. This provides the individual with knowledge of, and some control over, the collection of the information.

Normally, the purpose should be evident from the title of the record containing the personal information. If not, it must be indicated clearly on the record.

Exceptions

It is not necessary to collect personal information directly from an individual or to inform the individual of the purpose of the collection if this would:

Top of Page

Use and Disclosure of Personal Information

Authorized Use of Personal Information

Personal information under the control of the DND or the CF must not, without the consent of the individual to whom it relates, be used for any purpose not mentioned in section 7 of the Privacy Act.

Consistent Use of Personal Information

Personal information may be used by the DND or the CF for a use consistent with the purpose for which it was collected. Consistent use of personal information is explained in detail in the TBS policy entitled Use and Disclosure of Personal Information.

Disclosure of Personal Information

Personal information under the control of the DND or the CF must not, without the consent of the individual to whom it relates, be disclosed except in accordance with section 8 of the Privacy Act.

Disclosure to Federal Investigative Bodies

A federal investigative body may request personal information under the control of a government institution.

Under paragraph 8(2)(e) of the Privacy Act, such a request must:

A copy of the request must be submitted to the Office of Primary Interest (OPI) for the personal information that is requested before disclosure of the information.

Such requests may only be authorized by the DAIP or the acting DAIP.

The DAIP must retain a copy of every request received and the personal information disclosed and must make those copies available to the Privacy Commissioner, as required. Requests are held for a minimum of two years.

Individuals may request access to their personal information held in banks related to federal investigative bodies. However, much of the information would normally be exempt under section 22 of the Privacy Act, for example, that in Military Police investigations.

For the purpose of paragraph 8(2)(e) of the Privacy Act, the federal investigative bodies relevant to the DND and the CF are:

Guidance on Use and Disclosure

DND employees and CF members who require guidance on the use and disclosure of personal information should contact the DAIP.

Correction, Notation and Notification

Subsection 12(2) of the Privacy Act provides that an individual who is given access to personal information that has been used, is being used or is available for use for an administrative purpose, and who believes that the information is inaccurate or incomplete, may:

If the information was disclosed to another government institution, the DND or the CF must ask that institution to make the correction or notation on any copy of the information under its control.

Retention and Disposal of Personal Information

Retention Periods

The required retention periods for most DND and CF related personal information bank (PIB) records are stated in records retention and disposal schedules approved by the National Archivist and set out in the Defence Subject Classification and Disposition System.

Administrative Purpose

In accordance with subsection 4(1) of the Privacy Regulations and the TBS policy entitled Retention and Disposal of Personal Information, personal information that has been used by the DND or the CF for an administrative purpose must be retained.

Disposal of Personal Information

The disposal of personal information is carried out in accordance with the principles outlined in the Retention and Disposal of Personal Information policy.

Personal Information Banks

Context

The Privacy Act requires that the DND and the CF establish PIBs and include in them all the personal information under their control.

With the approval of the TBS, new PIBs are established, and existing PIBs are modified, by the DAIP.

All PIBs designated for informal access and their corresponding numbers are listed in DAOD 1002-2, Informal Requests for Personal Information.

Information to be Included in PIBs

PIBs must include personal information that:

Content of PIBs

Each PIB contains the description of the personal information, authorized uses, consistent uses, and retention and disposal standards. The classes of personal information must be described in sufficient detail to facilitate the right of access under the Privacy Act.

Info Source

Info Source is a TBS publication that contains an index and a description of all PIBs as well as classes of personal information under the control of each federal institution. It is updated annually by individual departments such as the DND and is available electronically on the Access to Information and Privacy (ATIP) website on the Defence Information Network and also on the TBS web site.

Responsibilities

Responsibility Table

The following table identifies the responsibilities associated with the management of personal information:

The... is/are responsible for...

DAIP

  • ensuring that regulations, guidelines and publications pertaining to the management of personal information are available within the DND and the CF;
  • creating and amending, with TBS approval, PIBs within the DND and the CF; and
  • providing guidance to OPIs on questions concerning the management of personal information.

OPIs

  • managing personal information in accordance with sections 4 to 8 of the Privacy Act; and
  • seeking guidance from the DAIP as required in the management of personal information.

References

Source References

Related References