Treasury Board of Canada Secretariat / Secrétariat du Conseil du Trésor du Canada

FRAMEWORK FOR THE MANAGEMENT OF INFORMATION IN THE

Overview of, and Links to Legislation, Regulations and Policies

DOCUMENT VERSION 6.2 March 31, 2006

Information Management Strategies Division Treasury Board of Canada Secretariat

Canada Framework For the Management of Information Overview of, and Links to Legislation, Regulations and Policies

Table of Contents

1. INTRODUCTION
   1.1 TITLE
   1.2 DOCUMENT REVISION HISTORY
   1.3 CONTEXT
   1.4 SCOPE
   1.5 APPLICABILITY
2. DESCRIPTION
   2.1 LEGISLATION OVERVIEW
      The Role of Legislation in Governing the Management of Information
      The Legislative Process
      Accounting for Results
   2.2 LEGISLATION AND REGULATIONS
      Access to Information Act and Regulations
      Appropriation Acts
      Auditor General Act
      Canada Evidence Act
      Canadian Charter of Rights and Freedoms
      Canadian Security Intelligence Service Act
      Copyright Act
      Crown Liability and Proceedings Act
      Emergency Preparedness Act
      Financial Administration Act
      Library and Archives of Canada Act
      Official Languages Act
      Personal Information Protection and Electronic Documents Act
      Public Service Employment Act
      Security of Information Act
      Statistics Act
   2.3 POLICIES
      Access to Information Policy
      Common Services Policy
      Communications Policy
      Electronic Authorization and Authentication Policy
      Evaluation Policy
      Government PKI Policy
      Government Security Policy
      Learning, Training and Development Policy (Replaces Continuous Learning in the Public Service of Canada Policy and Training and Development Policy)
      Management of Government Information Policy
      Management of Information Technology Policy
      Personnel Information Management Policy
      Policy on the Use of Electronic Networks
      Privacy and Data Protection Policy
      Privacy Impact Assessment Policy
      Project Management Policy
      Risk Management Policy
3. FOR FURTHER INFO
4. AUTHOR AND DATE

Date: 2006 -03-31 Draft: Version 6.2 Page 1


ANNEX A – LINKS TO LEGISLATION AND POLICIES
ANNEX B – MAPPING OF LEGISLATION AND POLICIES TO THE FMI
ANNEX C – MAPPING OF LEGISLATION AND POLICIES PROVISIONS AND REQUIREMENTS TO FMI COMPONENTS
   COMMON LEGAL/POLICY PROVISIONS
      Access to Information
      Privacy & Confidentiality
      Intellectual Property
      Security
      Liability
      Official Languages
      Communications
   MANAGEMENT RELATED GUIDELINES
      Governance and Accountability
      Management Functions
      Competencies & Training
      Program/Service Delivery Considerations
      Technology Considerations
      Quality of Information

List of Tables

Table 1. Links to Legislation
Table 2. Links to Policies
Table 3. Mapping of Legislation and Policies to the FMI


1. Introduction

1.1 Title

Overview of, and Links to Legislation, Regulations and Policies

1.2 Document Revision History

Revision History:

Revision Number | Date of Issue | Author(s) | Brief Description of Change
6.1 | July 2002 | IMS |
6.2 | March 2006 | IMS | Update of Official Languages Act, Learning, Training and Development Policy and removal of references to Communications Canada

1.3 Context

The Management of Government Information Policy requires government departments to “manage information throughout its life cycle in a manner that supports the government’s activities, its delivery of information and services to citizens through a variety of service delivery channels, and its commitment to openness.” This key information policy in conjunction with other legislation and policies provides the requirements for the management of information in the government of Canada – the “what”. The Framework for Managing Information in the Government of Canada provides guidance and standards for government departments to fulfil the requirements for the management of information - the “how”.

This document is part of the Treasury Board Framework for the Management of Information Foundation. It provides a consolidated view of the government-wide legislation and policy that governs the management of information in the Government of Canada.

1.4 Scope

This document includes:

§ An overview of the legislative process and the role of legislation in governing the management of information;
§ The management of information provisions and requirements for key government-wide legislation and policies that in whole or in part govern the management of information; and
§ A mapping of the management of information legal and policy requirements to the Framework for Management of Information in the Government of Canada.

1.5 Applicability

This overview applies to all federal government institutions identified in schedules I, I.1 and II of the Financial Administration Act. It shall be used as a reference to assist with planning and a checklist to ensure all information management requirements have been considered.


2. Description

2.1 Legislation Overview

The Role of Legislation in Governing the Management of Information

The authority and power of the Canadian government has its basis in legislation that is defined and controlled through a democratic legislative process. Legislation establishes our government structure, allocates powers to various levels of government, defines the laws of our country and our judicial system, mandates what government will deliver on behalf of Canadians, sets government direction and policy on important issues, identifies government priorities, and authorizes the expenditure of public funds.

Legislation authorizes government departments to deliver programs and services and holds them accountable for results. Managing and disseminating information is an integral component of program and service delivery, present in all aspects of it, and subject to legislation. The requirements for managing information are implicit in the broad realm of Canadian legislation and are explicitly defined in legislation and policy that deals in whole or in part with the government direction for managing information.

In delivering programs and services, government institutions must ensure they respect government-wide information law and policy as well as information related legislation and policy specific to their mandate. When undertaking collaborative initiatives with the private sector and/or other Canadian and international governments, government institutions must recognize differences in legislative requirements and must ensure the legal requirements for management of information in the Government of Canada are respected and fulfilled.

The Legislative Process

Consideration of new legislation or changes to existing legislation is generally in response to citizen or business needs, a particular opportunity or a particular threat. Legislation starts as a bill introduced in either of the two houses of Parliament - the House of Commons or the Senate. Although private members and the Senate may introduce bills, most are introduced by Cabinet and reflect a priority of the ruling party. The bill is read, debated, examined in detail by a standing or legislative committee (which may include consultation with business and/or the public), amended and referred to the other house where it undergoes a similar process. Once both houses have endorsed the bill, it receives royal assent from the Governor General or a deputy and becomes law.

Accounting for Results

A fundamental principle of responsible government is making results visible and being held accountable for their delivery. In the annual budgeting exercise, departments respond to government legislation and new priorities and make provision for the continuation of existing services. Each department prepares a Departmental Report on Plans and Priorities (RPP) - an expenditure plan that provides information on objectives, initiatives, and planned results. These department plans and priorities are tabled with the Main Estimates as Supply Bills and once passed become law as Appropriation Acts - an integral part of departments’ accountability to Parliament and Canadians. The plans and priorities are translated into the department strategies and operational plans that drive day-to-day business delivery.

On an as-required basis, information is provided to Cabinet and Parliament to support their decisions and to address public questions and concerns. For example, a department may be asked to provide information relative to a specific incident or to the general operations of a program or service in response to a public complaint or inquiry. In addition, a department may be asked to provide input and advice to support discussions and decisions on areas relative to their mandate and expertise.

Every fall, departments provide Parliament with a Departmental Performance Report (DPR) that outlines results and achievements against their plans, assisting Parliament in holding them accountable for results. The DPRs feed Canada’s Performance Report that forms part of the government-wide performance reporting package released each fall. The reporting provides the public with an accounting for how government has spent public funds and the results achieved in delivering services on behalf of the public.

2.2 Legislation and Regulations

This section provides an overview of the government-wide legislation that, in whole or in part, provides the legal basis and statutory direction for the management of information in the government of Canada. The purpose of each Act is identified and a list of management of information related provisions provided. In some cases, the information provisions are direct extractions and quotes. In other cases, they are a summarization of one or more legislative provisions. This information is intended to be informative rather than official.

Access to Information Act and Regulations

Provides a right of access to information in records under the control of a government institution in accordance with the principles that government information should be available to the public, necessary exceptions to the right of access should be limited and specific, and that decisions on the disclosure of government information should be reviewed independently of government. Information requirements are summarized below and further detailed in the Appendix B mapping to the Framework for the Management of Information.

INFORMATION REQUIREMENTS:

§ Defines a record for purposes of the Access to Information Act and extends this to include records that do not exist but can be produced from a machine-readable record. (3)
§ Provides Canadian citizens, permanent residents, and all individuals and corporations present in Canada with the right to access records under the control of a government institution. (4, ATIA Extension Order NO 1)
§ Requires publication of a description of each government institution’s organization and responsibilities, information holdings, manuals used to carry out programs and activities, and contact information for access requests. (5)
§ Identifies information that is or may be exempt from access under this Act. Schedule II includes exemptions specific to other Acts and must be considered if the information access request is for corresponding information. (13-26, 68,69, Schedule II)
§ Makes provisions and identifies processes for requesting access to government information, verifying access rights, consulting with other government institutions and third parties where required, and responding to the applicant. (6-11, 27,29)
§ Makes provisions to provide access to records (or part thereof) or a copy of records (or part thereof) that are to be disclosed. Where reasonable (as defined in the Act) access is to be provided in the requested official language. Where reasonable (as defined in the Act) access may be provided in an alternate format. (12,71)
§ Makes provisions and identifies the process for making an access complaint and for independent investigation by the Information Commissioner. (30-37)
§ Makes provisions and identifies the process for complaint appeals and review by the federal court. (41-53)
§ Establishes the office and role of the Information Commissioner to ensure compliance with the Act, to investigate information access related issues, and to investigate access complaints. (54-66)
§ Requires the Information Commissioner to provide an annual report to Parliament and makes provisions for the Information Commissioner to provide special reports to Parliament. (38-40)
§ Requires the head of each government institution to submit an annual report to Parliament on administration of the Act during the fiscal year. (72,75)
§ Identifies offences and corresponding punishments related to this Act. (67)
§ Makes provision to protect government employees acting in good faith from liability as it relates to this Act. (66,74)
§ Defines authority to make regulations and to designate responsibility within a government institution. (73,77) (Heads of Gov’t Institutions Designation Order)

Appropriation Acts

Identifies government programs, services and activities and allocates annual funding for their development and operation. Department level planning information provides a basis against which results may be measured.

INFORMATION REQUIREMENTS:

§ Information is included as a standard object of expenditure against which budgetary estimates are distributed. It includes three main categories of expenditure – advertising services; publishing, printing and exposition services; and public relations and public affairs services.
§ Identifies and funds department business lines - including the Treasury Board Information Management and Information Technology business line with a goal to provide strategic direction and leadership in leveraging information management and information technology to improve public access to government services and to meet Public Service renewal objectives.

Auditor General Act

Establishes the role of the Auditor General to audit government departments, agencies and Crown corporations, and the Accounts of Canada and to report the results to the House of Commons. Provides for an independent assessment of government activity which relies heavily on the availability of quality information and makes observations and recommendations, at least in part, based on assessment of available information.

INFORMATION REQUIREMENTS:

§ The Auditor General will audit government financial statements to ensure accordance with government accounting principles. (6)
§ The Auditor General shall report annually to the House of Commons and may make, in addition to any special reports made under subsection 8(1) and 19(2), not more than three additional reports in any year to the House of Commons on the work of his office and on whether, in carrying on the work of his office, he received all the information and explanations he required. Each report shall call attention to anything he considers to be of significance and of a nature that should be brought to the attention of the House of Commons, including cases observed that:
   (a) accounts have not been faithfully and properly maintained or public money has not been fully accounted for or paid, where so required by law, into the Consolidated Revenue Fund;
   (b) essential records have not been maintained or the rules and procedures applied have been insufficient to safeguard and control public property, to secure an effective check on the assessment, collection and proper allocation of the revenue and to ensure that expenditures have been made only as authorized; or
   (e) satisfactory procedures have not been established to measure and report the effectiveness of programs, where such procedures could appropriately and reasonably be implemented. (7)
§ The Auditor General is entitled to access information, reports and explanations from departments and crown corporations necessary to fulfil his responsibilities and will identify in his annual report if required information was provided. (13, 14, 7)
§ The Governor in Council may, on recommendation of the Minister of the Environment, make regulations prescribing the form in which sustainable development strategies are to be prepared, updated at least every three years and the information required to be contained in them. (24)


Canada Evidence Act

Describes roles and procedures with respect to witnesses and documentary evidence in civil and criminal proceedings, and other matters where Parliament has jurisdiction. It identifies the nature and characteristics of information that is admissible as evidence and information that is not.

INFORMATION REQUIREMENTS:

§ The types of documentary evidence that can be used in a legal proceeding are detailed. (19-23)
§ Makes provisions for information (original or copies) to be accepted as a certified original in legal proceedings, and describes the conditions for admissibility into evidence. (24-30)
§ Provides rules for the admissibility of electronic documents in evidence, including the use of any standard, procedure, usage or practice concerning the manner in which electronic documents are to be recorded or stored. (31)
§ Makes provision for objection to disclosure of information before a court, person or body with jurisdiction to compel the production of information by certifying orally or in writing to the court, person, or body that the information should not be disclosed on the grounds of a specified public interest. Specifies the authority and timing for determining whether the information must be disclosed and for handling appeals that may arise from the disclosure determination. (37)
§ Where objection to disclosure of information is based on grounds that disclosure would be injurious to international relations or national defence or security, the objection may be determined only by the Chief Justice of the Federal Court or other judge of that Court the Chief Justice may designate to hear such applications. Objection hearings and appeals will be heard in camera, may include representations ex parte by the person who made the objection or requested the appeal, and may at the request of that person, be heard and determined in the National Capital Region. (38)
§ A minister of the Crown or the Clerk of the Privy Council may object to disclosure of information, on grounds that the information constitutes a confidence of the Queen’s Privy Council for Canada, before a court, person, or body with jurisdiction to compel the production of information. Disclosure of the information shall be refused without examination or hearing of the information by the court, person or body. A definition of a confidence of the Queen’s Privy Council for Canada is included. (39)

Canadian Charter of Rights and Freedoms

The Canadian Constitution is a series of documents that collectively establish the executive, legislative and judicial branches of government, allocate government powers and define citizen rights. The Canadian Charter of Rights and Freedoms is Schedule B of the Constitution Act, 1982. It guarantees the fundamental rights and freedoms of every individual subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.

INFORMATION RELATED REQUIREMENTS:

§ Provides for freedom of thought, belief, opinion, religion, freedom of association, and expression, including freedom of the press and other media of communication. (2)
§ Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice. (7)
§ Everyone has the right to be secure against unreasonable search or seizure. (8)
§ Everyone has the right on arrest or detention to be informed promptly of the reasons, to retain and instruct counsel without delay and to be informed of that right; and to have the validity of the detention determined by way of habeas corpus and to be released if the detention is not lawful. (10)
§ Any person charged with an offence has the right to be informed without unreasonable delay of the specific offence and not to be compelled to be a witness in proceedings against that person in respect of the offence. (11 a, c)
§ A witness who testifies in any proceedings has the right not to have any incriminating evidence so given used to incriminate that witness in any other proceedings, except in a prosecution for perjury or for the giving of contradictory evidence. (13)
§ Equality of status and equal rights and privileges of English and French as to their use in all institutions of the Parliament and Government of Canada, including printed and published materials. (16-18)
§ The Canadian public has the right to communicate with and receive available services from any head or central office of an institution of the Parliament or government of Canada in English or French - and has the same right with respect to any other office of any such institutions - where there is a significant demand for service in that language and communication in the language is reasonable given the nature of the office. (20)

Canadian Security Intelligence Service Act

Establishes the Canadian Security Intelligence Service (CSIS) to investigate and advise government on activities that may constitute a threat to the security of Canada. It makes special provisions for access to information in the interests of national security.

INFORMATION REQUIREMENTS:

§ The Service shall collect, by investigation or otherwise, to the extent that is strictly necessary, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada. (12)
§ The Service may conduct investigations to provide security assessments to departments of the GC. With approval from the Minister, it may enter into an arrangement with the government or department of a province or any police force in a province (with the approval of the Minister responsible for policing the province) to provide security assessments. With approval of the Minister and after consultation by the Minister with the Minister of Foreign Affairs, it may enter into an arrangement with the government of a foreign state or an international organization of states to provide security assessments. (13,15)
§ The Service may conduct investigations and advise any minister of the Crown on matters relating to the security of Canada or provide any minister of the Crown with information relating to security matters or criminal activity that is relevant to exercise of any power or performance of any duty or function by that Minister under the Citizenship Act or the Immigration Act. (14,15)
§ In relation to the defence of Canada or the conduct of the international affairs of Canada, the Service may assist the Minister of National Defence or the Minister of Foreign Affairs, within Canada, in collecting information or intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states or person other than a Canadian citizen, permanent resident (within the meaning of the Immigration Act) or corporation incorporated by or under an Act of Parliament or of the legislature of a province. Personal consent in writing of the Minister and the Minister of National Defence or Minister of Foreign Affairs is required. (16)
§ With approval of the Minister, the Service may enter into arrangement or cooperate with any department of the Government of Canada, the government or department of a province, any police force in a province (with approval of the Minister responsible for policing in the province) or, after consultation by the Minister with the Minister of Foreign Affairs, the government of a foreign state or international organization of states. (17)
§ No person shall disclose information obtained or to which they had access through performing their duties and functions under this Act, except as authorized by the Act. (18,19)
§ Where there are reasonable grounds to believe that a warrant is required to enable the Service to investigate a threat to the security of Canada or to perform its role in collecting information or intelligence relating to the defence of Canada or the conduct of the international affairs of Canada, a warrant may be issued for a specified period of time allowing the Service: to intercept communications; to enter any place or open or obtain access to any thing; to search for, remove or return, or examine, take extracts from or make copies of or record in any manner the information, record, document or thing; or to install, maintain or remove any thing. (21)
§ The use or disclosure of any communication intercepted under this Act is exempt from the provisions of section 18 of the Crown Liability and Proceedings Act and Part VI of the Criminal Code. (25,26)
§ An Inspector General (reporting to the Solicitor General) is appointed to monitor the Service and is entitled to have access to any information under the control of the Service that relates to the performance of his duties and functions. (31)
§ A Security Intelligence Review Committee (reporting to Parliament) is established to review the performance of the Service and conduct investigations and will have access to any information required to perform these functions and address complaints. (34,38, 39, 40, 41)

Copyright Act

To establish and protect ownership and the corresponding rights to produce or reproduce works or any substantial part of them in any material form; to perform them; or to publish them. The Act provides definitions for intellectual properties and provides rules relative to ownership of copyright. The Act identifies actions representing infringement; identifies remedies to which the owner is entitled in cases of infringement; establishes the Copyright Office to process copyright requests and to maintain a register of copyrights; and establishes the Copyright Board to administer the Act, rule on issues and certify royalties.

Note: under the Common Services Policy, Public Works and Government Services Canada is responsible for administration of Crown copyright.

INFORMATION REQUIREMENTS:

§ Copyright in relation to a work means the sole right to produce or reproduce it or any substantial part of it, in any material form, to perform, or to publish it. Subject to the Copyright Act the author is the first owner of the copyright. (3)
§ Unless a specific ownership agreement is in place, any work prepared or published by or under the direction of the government belongs to the government and shall continue to belong for the remainder of the calendar year of first publication and for a period of fifty years following the end of that calendar year. (12)
§ It is an infringement for any person, without the consent of the copyright owner, to sell or rent out; distribute to such an extent as to affect prejudicially the owner of the copyright; or by way of trade distribute, expose or offer for sale or rental, or exhibit in public. (27)
§ The Act sets limits on copyright and identifies acts and conditions that represent fair dealing of copyrighted works that do not constitute copyright infringement. (29-32.2)
§ Where a copyright has been infringed, the owner of the copyright is entitled to remedies by way of injunction, damages, accounts, delivery up and other measures that may be conferred by law for the infringement of right. (34)

Crown Liability and Proceedings Act

Identifies the liability of the government and rules and procedures for proceedings, by or against the government. Information liability is specifically addressed in the context of invasion of privacy.

INFORMATION REQUIREMENTS:

§ The government is liable in tort for damages for which, if it were a private person of full age and capacity, it would be liable in respect of activities committed by a servant of the Crown or in respect of a breach of duty attaching to the ownership, occupation, possession or control of property. (3)
§ Unless lawfully made or where consent is given - where a government employee intercepts, uses or discloses the existence or content of private communication of radio-based telephone communication, or any part of the substance, the Crown is liable for all loss or damage caused and for punitive damages in an amount not exceeding five thousand dollars, to each person who incurred that loss or damage. (17,18)

Emergency Preparedness Act

The Emergency Preparedness Act requires civil preparedness in Canada for emergencies of all types by defining responsibility for the development and implementation of emergency plans, including preservation of essential records and business resumption planning.

INFORMATION REQUIREMENTS:

§ Ministers are responsible for the development and implementation of civil emergency contingencies and plans within their area of accountability. (5,7)
§ The Preservation of Essential Records, A guide for governments, organizations, institutions and businesses provides guidelines for essential records within the context of emergency preparedness and business resumption planning.

Financial Administration Act

Establishes the Treasury Board and Department of Finance and provides for the financial and human resource administration of the Government of Canada, the establishment and maintenance of the accounts of Canada, and the control of Crown corporations. Its primary relevance for managing information is in the delegation of administrative authority and the provisions requiring maintenance of adequate government records and transactions. Availability of quality government information is required on a timely basis for decision-making, business delivery, evidential needs, historical purposes, access by the Public and for continual monitoring and improvement of program and service results.

Note: Other statutes, such as the Public Service Employment Act, the Public Service Staff Relations Act, the Superannuation Act, and the Canada Labour Code deal very specifically with human resources.

INFORMATION REQUIREMENTS:

§ TB may make regulations for the effective administration of the public service, prescribe the manner and form in which accounts and records will be kept, and request information or documents the TBS considers necessary for due performance of its duties. (9,10, 7,32,33,34,35,36)
§ Finance must maintain books and records for any money borrowed and provide an accounting of all transactions on request. (52)
§ The register maintained (for securities management) is deemed a record, for the purpose of the Canada Evidence Act. (60 (3))
§ Departments must maintain adequate records for public property they are responsible for and comply with regulations of the Treasury Board governing the custody and control of public property. (62)
§ The Receiver General must keep records of public accounts and may request records, statements or other information from Ministers relative to the accounts. (63,64,65)
§ The Governor in Council may prescribe the documents to be submitted in connection with a notice of assignment (crown debts) and records to be kept for monies received on behalf of the government but not duly paid over. (71, 79)
§ Books of accounts may be used as evidence in proceedings where money has been received on behalf of the government but has not been duly applied or paid over. (76,77)
§ Crown corporations must keep books, records, systems and practices in a manner to provide reasonable assurance that: the assets of the corporation are safeguarded and controlled; the transactions of the corporation are in accordance with the Financial Administration Act, regulations and internal directives; and the resources of the corporation are managed efficiently and effectively. (131)
§ Treasury Board may determine the human resource requirements of the public service, provide for their allocation and effective utilization, determine training requirements and terms, and provide for the classification of positions and employees. Note: this provides for a competent public service with the required knowledge and skills to effectively manage government information. (11)
§ All books, papers, accounts and documents kept or used by any officer or person who is or has been employed in the collection or management of revenue belong to the government. (82)

Library and Archives of Canada Act

Establishes the Library and Archives of Canada (LAC), April 2004, to: preserve the documentary heritage of Canada; establish an institution that is a source of enduring knowledge accessible to all; contribute to Canada’s cultural, social and economic advancement; facilitate communities involved in the acquisition, preservation and diffusion of knowledge; serve as the continuing memory of the Government of Canada (GC); and define the powers and duties of the Librarian and Archivist.

INFORMATION REQUIREMENTS:

§ Provides definitions of documentary heritage, record, government record, ministerial record, publication. (2)
§ Establishes the objects and powers of LAC: acquiring and preserving the documentary heritage; making that heritage known to Canadians and anyone with an interest in Canada and facilitating access to the documentary heritage; being the permanent repository of publications of GC and government and ministerial records that are of historical or archival value; facilitating the management of information by government institutions; coordinating the library services of government institutions; and supporting the development of the library and archival communities. (7)
§ Establishes the powers of the Librarian and Archivist for the attainment of LAC objects including: acquire publications and records or obtain the care, custody or control of them; take measures to catalogue, classify, identify, preserve and restore publications and records; compile and maintain information resources such as a national bibliography and a national union catalogue; provide information, consultation, research or lending services, and any other services to facilitate access to the documentary heritage; establish programs and encourage or organize any activities, including exhibitions, publications and performances, to make known and interpret the documentary heritage; enter into agreements with other libraries, archives or institutions in and outside Canada; advise government institutions concerning the management of information produced or used by them and provide services for that purpose; provide leadership and direction for library services of government institutions; provide professional, technical and financial support to those involved in the preservation and promotion of the documentary heritage and in providing access to it; and carry out such other functions as the Governor in Council may specify; may take a sampling from the Internet of the documentary material of interest to Canada that is accessible to the public without restriction through the Internet or any similar medium. (8,9)
§ Makes provision so that the Librarian and Archivist may obtain archival quality recordings or copies of recordings for preservation purposes and may reimburse the copy cost; may dispose of any publication or record under LAC control, if no longer necessary to retain it, subject to the terms and conditions under which the publication or record was acquired or obtained. (13)
§ Requires publishers of publications in Canada to send two copies of the publication to LAC within one week of publication, subject to regulations. For Legal Deposit purposes every version, edition or form of a publication shall be considered a distinct publication. (10) Publications, recordings, copies provided to the Librarian and Archivist belong to Her Majesty and form part of the collection of the Library and Archives of Canada. (11)
§ Requires that no government or ministerial records shall be destroyed or disposed of without the consent of the Librarian and Archivist. (12)
§ Requires records of government institutions and ministerial records that are of archival importance to be transferred to the care and control of the Librarian and Archivist in accordance with an agreed schedule, terms and conditions. The Librarian and Archivist may specify the manner and time required for the transfer of government records at risk of serious damage or destruction and, except as otherwise directed by the Governor in Council, shall have the care and control of all records of a government institution whose functions have ceased. (13)
§ Makes provision that the Librarian and Archivist has access to government and ministerial records, notwithstanding anything in any other Act of Parliament. Consent by the PCO is required for access to confidences of the Queen's Privy Council. Consent from the responsible person in a government institution is required for access to a record of a government institution that is restricted under Schedule II of the Access to Information Act. (12,15)

Note: The LAC provides guidelines for the management of government records, such as Retention Guidelines for the Common Administrative Records of the Government of Canada. The Multi-Institutional Disposition Authorities (MIDA) provides generic authorities such as the authority for public servants to destroy transitory records.

Official Languages Act

Provides for English and French as the official languages of Canada and makes provisions to ensure equality of status and equal rights and privileges as to their use in all federal institutions.

INFORMATION REQUIREMENTS:

§ Proceedings of Parliament will allow the right of debate in either official language, provide for simultaneous interpretation and provide official reports in both official languages. (Part I)
§ Legislative and other government instruments and the administration of justice will be available in both official languages, be simultaneously available and equally authoritative, subject to exceptions outlined in the Act. (Parts II & III)
§ Any member of the public in Canada has the right to communicate with and receive available services from federal institutions in either official language, subject to location and nature of service. Federal institutions that report directly to Parliament must ensure the public can communicate with them and obtain available services from all of their offices or facilities in Canada or elsewhere in either official language. Services in the language of choice must be actively offered to the public. (Part IV 21-28)
§ Federal institutions must ensure that communications to the public and services provided by third parties on their behalf meet the same language requirements as if the service was offered by the federal institution itself. (Part IV 28)
§ English and French are the language of work in federal institutions and officers and employees have the right to use either language subject to the provisions outlined in the Act. The Act defines regions that are bilingual for language of work (the NCR, New Brunswick & parts of Ontario & Quebec). (Part V)
§ The government will provide equal opportunity for English and French speaking Canadians to obtain employment and promotion within federal institutions, & will ensure that the composition of the federal workforce tends to reflect that of the Canadian population. (Part VI)
§ The government is committed to enhancing the vitality of official languages minority communities and fostering the full recognition and use of both English and French in Canadian society. (Part VII)
§ Language requirements of positions must be objectively necessary to fulfill the functions of a position being staffed. (Part XI 91)
§ The Treasury Board is responsible for official language policies, monitoring and auditing federal institutions in respect of the policies, evaluating the effectiveness and efficiency of policies and programs relating to the official languages of Canada, and for submitting an annual report to Parliament on the status of programs relating to the official languages of Canada in the various federal institutions. (Part VIII 46-48)
§ The role of the Commissioner of Official Languages is established to ensure recognition of both official languages, conduct investigations on his own initiative, investigate complaints received relative to this Act, and to provide annual and special reports to Parliament. (Part IX) Any person who has made a complaint to the Commissioner of Official Languages under Part II, IV, V, or Section 91 may apply to the Federal court for remedy as outlined in the provisions of the Act. (Part X)

Personal Information Protection and Electronic Documents Act

To support and promote electronic commerce by protecting personal information that is collected, used, or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act, and the Statute Revision Act. Some federally regulated organizations not covered by the Privacy Act, such as parts of , are covered by this Act.

INFORMATION REQUIREMENTS:

PART 1 – PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR

Part I establishes rules to govern the collection, use, and disclosure of personal information by all federally regulated private sector organizations in the course of commercial activity.

PART 2 – ELECTRONIC DOCUMENTS

Part 2 provides for the use of electronic alternatives to record or communicate information or transactions, describes the characteristics of secure electronic signatures and the conditions under which electronic signatures can be used to authenticate business transactions and to provide evidence in legal proceedings.

Electronic Alternatives

§ Definitions - Provides definitions of data, electronic documents, electronic signature and secure electronic signature. (31)
§ Collection, Storage, etc - A department, branch, agency, etc. may use electronic means to create, collect, receive, store, transfer, distribute, publish or otherwise deal with documents or information whenever a federal law does not specify the manner of doing so. (33)
§ Electronic Payment - A payment that is required to be made to the Government of Canada may be made in electronic form in any manner specified by the Receiver General. (34)
§ Electronic Version of Statutory Form - If a provision of an Act of Parliament establishes a form, a non-electronic manner of filing a document, or a non-electronic manner of submitting information, the responsible authority may make regulations for an electronic form that is substantially the same as the non-electronic form, for filing of an electronic version of the form, and for submitting information using electronic means. Actions in accordance with the regulations are considered to be equivalent to those set out in the Act. (35)
§ Manner of Filing - The authority under a federal law to issue, prescribe or in any other manner establish a form, or to establish the manner of filing a document or submitting information, includes the authority to issue, prescribe or establish an electronic form, or to establish an electronic manner of filing the document or submitting information, as the case may be. In this section, "filing" includes all manner of submitting, regardless of how it is designated. (35)
§ Notarial Act - A reference in a provision of a federal law to a document recognized as a notarial act in the province of Quebec is deemed to include an electronic version of the document if (a) the electronic version of the document is recognized as a notarial act under the laws of the province of Quebec; and (b) the federal law or the provision is listed in Schedule 2 or 3. (38)
§ Seals - A requirement under a provision of a federal law for a person's seal is satisfied by a secure electronic signature that identifies the secure electronic signature as the person's seal if the federal law or the provision is listed in Schedule 2 or 3. (39)
§ Provide Documents or Information - A provision of a federal law requiring a person to provide another person with a document or information, other than a provision referred to in any of sections 41 to 47, is satisfied by the provision of the document or information in electronic form if: (a) the federal law or the provision is listed in Schedule 2 or 3; (b) both persons have agreed to the document or information being provided in electronic form; and (c) the document or information in electronic form will be under the control of the person to whom it is provided and will be readable or perceivable so as to be usable for subsequent reference. (40)
§ In Writing - A requirement under a provision of a federal law for a document to be in writing is satisfied by an electronic document if (a) the federal law or the provision is listed in Schedule 2 or 3; and (b) the regulations respecting the application of this section to the provision have been complied with. (41)
§ Original - A requirement under a provision of a federal law for a document to be in its original form is satisfied by an electronic document if (a) the federal law or the provision is listed in Schedule 2 or 3; (b) the electronic document contains a secure electronic signature that was added when the electronic document was first generated in its final form and that can be used to verify that the electronic document has not been changed since that time; and (c) the regulations respecting the application of this section to the provision have been complied with. (42)
§ Copies - A requirement under a provision of a federal law for one or more copies of a document to be submitted is satisfied by the submission of an electronic document if (a) the federal law or the provision is listed in Schedule 2 or 3; and (b) the regulations respecting the application of this section to the provision have been complied with. (47)
§ Statement Under Oath - A statement required to be made under oath or solemn affirmation under a provision of a federal law may be made in electronic form if (a) the person who makes the statement signs it with that person's secure electronic signature; (b) the person before whom the statement was made, and who is authorized to take statements under oath or solemn affirmation, signs it with that person's secure electronic signature; (c) the federal law or the provision is listed in Schedule 2 or 3; and (d) the regulations respecting the application of this section to the provision have been complied with. (44)
§ Statement Declaring Truth - A statement required to be made under a provision of a federal law declaring or certifying that any information given by a person making the statement is true, accurate or complete may be made in electronic form if (a) the person signs it with that person's secure electronic signature; (b) the federal law or the provision is listed in Schedule 2 or 3; and (c) the regulations respecting the application of this section to the provision have been complied with. (45)

Electronic Signatures

§ Requirement for Signature - Subject to sections 44 to 46, a requirement under a provision of a federal law for a signature is satisfied by an electronic signature if (a) the federal law or the provision is listed in Schedule 2 or 3; and (b) the regulations respecting the application of this section to the provision have been complied with. (43)
§ Witnessed Signatures - A requirement under a provision of a federal law for a signature to be witnessed is satisfied with respect to an electronic document if (a) each signatory and each witness signs the electronic document with their secure electronic signature; (b) the federal law or the provision is listed in Schedule 2 or 3; and (c) the regulations respecting the application of this section to the provision have been complied with. (46)
§ Technology or Process - Subject to subsection (2), the Governor in Council may, on the recommendation of the Treasury Board, make regulations prescribing technologies or processes for the purpose of the definition "secure electronic signature" in subsection 31(1). The Governor in Council may prescribe a technology or process only if the Governor in Council is satisfied that it can be proved that (a) the electronic signature resulting from the use by a person of the technology or process is unique to the person; (b) the use of the technology or process by a person to incorporate, attach or associate the person's electronic signature to an electronic document is under the sole control of the person; (c) the technology or process can be used to identify the person using the technology or process; and (d) the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document. (48.2) Effect of Amendment or Repeal - An amendment to or repeal of any provision of a regulation made under subsection (1) that has the effect of removing a prescribed technology or process from the regulation does not, by itself, affect the validity of any electronic signature resulting from the use of that technology or process while it was prescribed. (48.3)

Documents as Evidence or Proof

§ A provision of a federal law that provides that a certificate or other document signed by a minister or public officer is proof of any matter or thing, or is admissible in evidence, is, subject to the federal law, satisfied by an electronic version of the certificate or other document if the electronic version is signed by the minister or public officer with that person's secure electronic signature. (36)

Retention of Documents

§ A requirement under a provision of a federal law to retain a document for a specified period is satisfied, with respect to an electronic document, by the retention of the electronic document if (a) the electronic document is retained for the specified period in the format in which it was made, sent or received, or in a format that does not change the information contained in the electronic document that was originally made, sent or received; (b) the information in the electronic document will be readable or perceivable by any person who is entitled to have access to the electronic document or who is authorized to require the production of the electronic document; and (c) if the electronic document was sent or received, any information that identifies the origin and destination of the electronic document and the date and time when it was sent or received is also retained. (37)

Amendment of Schedules

§ Amendment of Schedules - For the purposes of sections 38 to 47, the responsible authority in respect of a provision of a federal law may, by order, amend Schedule 2 or 3 by adding or striking out a reference to that federal law or provision. (49) Effect of Striking Out Listed Provision - The striking out of a reference to a federal law or provision in Schedule 2 or 3 does not affect the validity of anything done in compliance with any regulation made under section 50 that relates to that federal law or provision while it was listed in that Schedule. (51)

Regulations

§ For the purposes of sections 41 to 47 (writing requirements, original documents, signatures, statements under oath, statements declaring truth, witnessed signatures, copies), the responsible authority in respect of a provision of a federal law may make regulations respecting the application of those sections to the provision. (50.1)
§ Contents - Without restricting the generality of subsection (1), the regulations that may be made may include rules respecting any of the following: (a) the technology or process that must be used to make or send an electronic document; (b) the format of an electronic document; (c) the place where an electronic document is to be made or sent; (d) the time and circumstances when an electronic document is to be considered to be sent or received and the place where it is considered to have been sent or received; (e) the technology or process to be used to make or verify an electronic signature and the manner in which it is to be used; and (f) any matter necessary for the purposes of the application of sections 41 to 47. (50.2)
§ Minimum Rules - Without restricting the generality of subsection (1), if a provision referred to in any of sections 41 to 47 requires a person to provide another person with a document or information, the rules set out in the regulations respecting the application of that section to the provision may be that (a) both persons have agreed to the document or information being provided in electronic form; and (b) the document or information in electronic form will be under the control of the person to whom it is provided and will be readable or perceivable so as to be usable for subsequent reference. (50.3) Incorporation by Reference - Regulations may incorporate by reference the standards or specifications of any government, person or organization, either as they read at a fixed time or as they are amended from time to time. (50.4)

PART 3 – AMENDS THE CANADA EVIDENCE ACT

Part 3 amends the Canada Evidence Act to provide for the admissibility of electronic documents, to establish legal admissibility for electronic signatures, and to recognize electronic publication of Notices, Acts, and other documents by the Queen's Printer.

PART 4 – AMENDS THE STATUTORY INSTRUMENTS ACT

SCHEDULE 1 – PRINCIPLES FOR THE PROTECTION OF PERSONAL INFORMATION

Outlines the principles set out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96.

Privacy Act and Regulations

To protect the privacy of individuals with respect to personal information held by a government institution and to provide individuals with a right of access to that information. Information requirements are summarized below and further detailed in the Appendix B mapping to the Framework for the Management of Information.

INFORMATION REQUIREMENTS:

§ Defines personal information and personal information bank for the purposes of this Act. (3,10)
§ Provides all individuals present in Canada with the right of access to personal information about them held by the government. (12)
§ Identifies information that is or may be exempt from access under this Act. (18-28, 69, 70)
§ Requires institutions to include in personal information banks all personal information under the control of the institution that has been used or will be used for administrative purposes, or is organized to permit retrieval in a manner that identifies an individual (except where the information has been transferred to the Librarian & Archivist of Canada). (10)
§ Requires publication of an index and description of all personal information banks and all classes of personal information under the control of a government institution and contact information for access requests. Personal information bank descriptions must include information relative to use of the personal information, retention and disposal standards, and if the bank has been designated as exempt. (11)
§ New personal banks may not be established or substantially modified without approval of the designated Minister. (71)
§ Makes provisions for the collection of personal information directly related to an operating government program or activity. Requires collection wherever possible from the individual to whom it relates, requires reasonable steps be taken to ensure personal information is accurate, up-to-date and complete, and makes provisions for individuals to request corrections to government held information about them. (4, 5, 12)
§ Requires personal information used by a government institution for administrative purposes to be retained for two years (unless the individual consents to earlier disposal) and requires disposal of personal information in accordance with regulations, directives and guidelines. (6)
§ Requires personal information under the control of the government to be used only for purposes consistent with the purpose it was obtained or compiled for (unless consented by the individuals to whom it pertains) and where the Act authorizes disclosure by the government. (7,8)
§ Makes provisions and identifies the process for providing individuals with access to personal information (or a copy) about them held by the government. Where reasonable, access is to be provided in the requested official language. Where reasonable, access may be provided in an alternate format. (13-17)
§ Requires a record of disclosure be maintained for personal information disclosed without consent or for a purpose not included in the personal bank index. (8,9)
§ Makes provisions and identifies the process for making an access complaint and for independent investigation by the Privacy Commissioner. (29-35)
§ Makes provisions and identifies the process for complaint appeals and review by the federal court. (41-52)
§ Establishes the office and role of the Privacy Commissioner to ensure compliance with the Act, to investigate complaints, to carry out special studies, and to review exempt banks. (6-40, 43, 53-65)
§ Requires the Privacy Commissioner to provide an annual report to Parliament and makes provisions for the Information Commissioner to provide special reports to Parliament. (38-40)
§ Requires the head of each government institution to submit an annual report to Parliament on administration of the Act during the fiscal year. (72,75)
§ Makes provision to protect government employees acting in good faith from liability as it relates to this Act. (66,74)
§ Anyone obstructing the Privacy Commissioner or any person acting on his behalf in the performance of their duties under this Act is guilty of an offence and liable on conviction to a fine. (68)
§ Except for prosecution for perjury under the Criminal Code, prosecution for an offence under this Act or in a review before the Court under this Act or an appeal therefrom, evidence given by a person in proceedings and evidence of the proceedings is inadmissible against that person in a court or in any other proceedings. (34)
§ Defines authority to make regulations and to designate responsibility within a government institution. (71, 73,77)

Public Service Employment Act

Establishes the Public Service Commission and identifies the principles and conditions governing the recruitment and appointment of personnel and other aspects of Public Service employment such as recourse, lay off, priority for appointment and political activity.

Note: The New Public Service Employment Act (PSEA to come into force Fall 2005)

Note: The Public Service Modernization Act (PSMA) November 2003. An Act to modernize employment and labour relations in the public service and to amend the Financial Administration Act and the Canadian Centre for Management Development Act and to make consequential amendments to other Acts

INFORMATION RELATED REQUIREMENTS:

§ Departments must provide the Commission with the assistance, information and access to their offices required for the performance of their duties. The Commission may conduct investigations and audits on any matter within its jurisdiction. (7)
§ The Commission may make regulations respecting the disclosure of personal information obtained in the course of an investigation, inquiry or procedure for appointment under this Act. (35 (2) f)

Security of Information Act

Defines the offences related to the disclosure of information of a nature that is prejudicial to the safety or interests of Canada.

Note: Operational Standards for the Security of Information Act provides standards and guidance relating to complying with Section 8 & 4 of the Act - “special operational information” and persons permanently bound to secrecy.

INFORMATION REQUIREMENTS:

§ "Any purpose prejudicial to the safety or interests of Canada" is defined and includes 14 paragraphs. For example, it includes anything that impairs or threatens the capabilities of the Government of Canada in relation to security and intelligence (i), which would include disclosing a document that exposes a weakness in Canada's security or intelligence operations. It also includes impairing or threatening the capability of the Government of Canada to conduct diplomatic relations to conduct and manage international relations (l). It includes committing an offence against the laws of Canada or a province that is punishable by a maximum term of imprisonment of two years or more in order to advance a political, religious or ideological purpose (a). It includes committing, inside or outside Canada, a terrorist activity (b) (as defined in s. 83.01 of the Criminal Code). (3)
§ It is an offence for any person with a "secret official document" (these words are not defined), entrusted to him or her in confidence by any person holding office under Her Majesty, to communicate the document to any person to whom he is not authorized to communicate the document, to use the document in a manner that is prejudicial to the safety or interests of Canada, to retain the document when he has no right to retain it, or to fail to take reasonable care of the document or information. (4)
§ It is an offence for any person to retain any "official" (undefined) document for any purpose prejudicial to the safety or interests of Canada when he has no right to retain it. (4 (4a))
§ It is an offence for any person, for a purpose prejudicial to the safety or interests of Canada, to make a false statement in any declaration, application or document; or (i) to tamper with any passport or any military, police or official pass, permit, certificate or other document of a similar character. (5(1b))
§ It is an offence to be in the neighbourhood of a prohibited place for a purpose prejudicial to the safety or interests of Canada, or to interfere with a peace officer in a prohibited place. A prohibited place is defined as (a) any work of defence belonging to or occupied or used by or on behalf of Her Majesty, (b) any place not belonging to Her Majesty where any munitions of war or any sketches, plans, models or documents relating thereto are being made, repaired, obtained or stored under contract with, or with any person on behalf of, Her Majesty or otherwise on behalf of Her Majesty, and (c) any place that is for the time being declared by order of the Governor in Council to be a prohibited place on the ground that information with respect thereto or damage thereto would be useful to a foreign power. (6, 7)
§ The Act permanently binds a variety of public servants to secrecy in respect of special operational information, which is defined to include information about the means on any vulnerabilities or weaknesses in respect of the means that Canada uses to covertly obtain or deal with information or in respect who has been the object of covert collecting of information. In addition, anyone who is personally served with notice that they are permanently bound to secrecy in respect of the above information the deputy head of the institution can designate a person as permanently bound to secrecy if the deputy head is of the opinion that the person had, has or will have authorized access to special operational information and it is in the interests of national security to designate the person. (8-15)
§ It is an offence for anyone who is permanently bound to secrecy to communicate or confirm information that, if it were true, would be special operational information. It is not relevant for the purposes of the prosecution whether the information is actually true. No person is guilty of the above offences if the person establishes that he or she acted in the public interest. The public interest that must be shown must be a disclosure of an offence under an Act of Parliament that the person reasonably believes has been, is being or is about to be committed by a person in the purported performance of their functions with the Government of Canada. In those cases of disclosure, the person must have brought his or her concern and provided all relevant information to his or her deputy head or, if not reasonably practical in the circumstances, to the Deputy Attorney General of Canada. If there was no response within a reasonable time, the individual is required to present all relevant information to the Security Intelligence Review Committee or to the Communications Security Establishment Commissioner. The requirement to go to SIRC or the CSE Commissioner does not apply if the communication or confirmation of the information was necessary to avoid grievous bodily harm or death. In addition, the public interest in disclosure must outweigh the public interest in non-disclosure. In considering whether the public interest applies, the court must consider whether the information disclosed was no more than necessary to disclose the offence, whether the person resorted to other reasonably accessible alternatives before making the disclosure and whether the person complied with any relevant guidelines, policies or laws that applied to the person, among other criteria. (13-15,17)
§ It is an offence for any person to communicate information to a foreign state, government or political faction whose stated purpose is to assume the role of government of a foreign state if the person is reckless as to whether the information is information that the Government of Canada or a province is taking measures to protect and harm to Canadian interests results.
(16-18) § It is an offence for any person for the benefit of or in association with a foreign economic entity to fraudulently and without colour of right and to the detriment of Canada's economic interests communicates, obtains, alters or destroys a trade secret. (19) § It is an offence for any person for the benefit of or in association with a foreign state, government or political faction whose stated purpose is to assume the role of government of a foreign state to attempt to induce by threat or violence any person to do anything that is reasonably likely to harm Canadian interests. The offence occurs whether or not the threat or violence occurs in Canada. (20) § Harbouring or concealing a person likely to commit one of the above offences, doing things specifically directed towards the preparation or commission of any of the offences in ss. 16, 17, 19 or 20 (including obtain, retaining or gaining access to any information), asking a person to commit such offences, or possessing any device or software useful for concealing or surreptitiously communicating the content of information. (21-23) § Note: Under section 486 of the Criminal Code, the court may exclude all or any members of the public from the court room for all or part of the proceedings if the judge is of the opinion that doing so is in the interest of public morals, the maintenance of order or the proper administration of justice, or that doing so is necessary to prevent injury to international relations or national defence or national security.

Statistics Act
Mandates collection, compilation, analysis, abstraction and publication of statistical information relating to the commercial, industrial, financial, social, economic and general activities and condition of the people of Canada.
Note: February 1990 Order Designating the Minister of Industry, Science & Technology as Minister for the Purpose of the Statistics Act & for purposes of the Financial Administration Act with respect to Statistics Canada.

INFORMATION REQUIREMENTS:

§ Collect, compile, analyse, abstract and publish statistical information relating to the commercial, industrial, financial, social, economic and general activities and condition of the people of Canada. (3)
§ Collaborate with departments of government in the collection, compilation and publication of statistical information, including statistics derived from the activities of these departments. (3)
§ Take the census of the population of Canada and the census of agriculture of Canada. The Governor in Council shall prescribe the questions to be asked. (3, 19-21)


§ Avoid duplication in the information collected by departments of government. (3)
§ The Minister may enter into any arrangement with the government of a province for purposes of this Act, in particular for execution by provincial officers of any power or duty conferred or imposed on any officer pursuant to the Act, collection by a department or provincial officer of any statistical or other information required for the purposes of the Act, and for supplying of statistical information to the Chief Statistician. (10)

§ With approval of the Governor in Council, the Minister may enter into an agreement with the government of a province for the exchange of information or transmission of information to a statistical agency of the province. This information may include replies to any specific statistical inquiries, replies to specific classes of information collected under this Act, and any tabulations and analyses based on the replies. The statistical agency of the province must have statutory authority to collect the information intended to be exchanged or transmitted, is prohibited from disclosing information as per section 17, and officers and employees of the statistical agency must be subject to statutory penalties for improper disclosure of information. (11)
§ The Minister may enter into an agreement with any department, municipal or other corporation for sharing of information collected from a respondent by Statistics Canada, the department or corporation on behalf of both of them and for the subsequent tabulation or publication based on that information. Information shared may include replies to original inquiries and supplementary information provided by a respondent. (12)
§ Respondents must be advised of any statistical agencies and other parties to which information they provide may be communicated. Where the respondent gives written objection to the sharing of the information to the Chief Statistician, the information will not be shared with a department or corporation unless the department or corporation is authorized by law to require the respondent to provide that information. (11, 12)
§ Document and record custodians must provide access to the Chief Statistician for information sought under this Act – to use or aid in its completion. (13)
§ Except for communicating information in accordance with this Act, no person, other than a person employed or deemed employed under this Act, is permitted to examine any identifiable individual return. (17)
§ Information, except identified exceptions, will not be disclosed in a manner that identifies an individual person, business or organization. (17)
§ Except for prosecution under this Act, any return or copy made to Statistics Canada is privileged and may not be used as evidence in any proceedings. (18)

Offences and Punishment

§ Every person who, after taking the oath set out in subsection 6(1), deserts from his duty, wilfully makes a false declaration, statement or return in the performance of his duties, obtains or seeks to obtain information they are not authorized to obtain, or contravenes the security provisions set out in section 17, is guilty of an offence and is liable to fine and imprisonment. (30)
§ Every person who, without lawful excuse, refuses or neglects to answer questions or furnish information as required by this Act, or who wilfully answers falsely, is guilty of an offence and liable on summary conviction to a fine not exceeding five hundred dollars or to imprisonment for a term not exceeding three months or both. (31)
§ Every person having the custody or charge of any documents or records that are maintained in any department or in any municipal office, corporation, business or organization, who refuses or neglects to grant access to any person authorized to obtain it under this Act, or who in any way wilfully obstructs or seeks to obstruct execution of this Act, is guilty of an offence and liable to fine and imprisonment. (32)
§ Every person who, after taking the oath set out in subsection 6(1), misrepresents themselves in making an inquiry, discloses information to anyone not entitled to it under this Act, or uses the information for speculation or other personal reasons is guilty of an offence and liable to fine and imprisonment. (34,35)


2.3 Policies
This section provides an overview of the government-wide policy that, in whole or in part, provides requirements for the management of information in the Government of Canada. The purpose of each policy is identified and a list of management of information related policy requirements is provided. In some cases, the information requirements are direct extractions and quotes. In other cases, they are a summarization of one or more policy requirements. This information is intended to be informative rather than official.

Access to Information Policy
To ensure effective and consistent administration of the Access to Information Act and Regulations on a government-wide basis.

INFORMATION REQUIREMENTS:

§ Departments must designate an official to coordinate duties imposed by access legislation and maintain a current Delegation Order listing delegated information access responsibilities.
§ Departments must provide descriptions of their information holdings to TBS in accordance with government-wide standards.
§ Departments must maintain a system for processing requests that can account for all deliberations and decisions taken regarding each request.
§ Departments must ensure the requestor has right of access under the Act, review each record and consult with appropriate departments and government bodies to determine which portions, if any, may be exempt, and sever these portions and release the rest.
§ Departments must participate in the Coordination of Access to Information Requests (CAIR) system and identify requests that may be interdepartmental in scope or involve government-wide legal or policy issues.
§ Departments must identify any information requested that may represent a confidence of the Queen’s Privy Council, and consult with legal counsel and the Privy Council Office to confirm whether it qualifies as a Cabinet confidence. A certificate to assure the qualification is to be provided to the Information Commissioner on request.
§ Applicants must be notified of the reason for any exemption in a way that allows them to relate the specified provisions to specific documents or sections of documents that have been withheld.
§ Decisions regarding disclosure of personal information, advice and recommendations, third party information and information in the public interest must be made in accordance with the provisions of the Access to Information Act and the Privacy Act.
§ The government will recover fees for work done in processing access to information requests, except where waiver of fees is in the public interest.
§ Where available, access to information for individuals with a sensory disability will be provided in the preferred format. Conversion to an alternate format may be provided where reasonable in terms of cost and utility.
§ Annual reports to Parliament by institutions will be used to monitor compliance with this policy.

Common Services Policy
Common service organizations offer services to client departments to support responsive, cost-effective support for their program delivery. The government makes optional as many common services as possible, maintaining mandatory services only where there is an overriding reason.

INFORMATION REQUIREMENTS:


§ Managers of common services should ensure they have relevant, timely and reliable information about the performance of their programs.
§ Where development of systems to support departmental administration is required, consideration should be given to developing shared information and support system solutions.

MANDATORY INFORMATION RELATED COMMON SERVICES:

Source | Service
Justice | Legal affairs (adjudicating access & privacy complaints)
TBS | Information Technology Standards Program (TBITS)
PWGSC | Coordinates public opinion research, Gov’t advertising, exposition production; Crown copyright administration; produce & publish the Canada Gazette; contracting for public opinion research & advertising announcements

Note: PWGSC manages the Depository Services Program on behalf of the federal government – this is not a common service, but a TB mandated Government-wide program

OPTIONAL INFORMATION RELATED COMMON SERVICES:

Source | Service
PWGSC | IM &IM support systems, designing signage; telecommunication services & infostructure Cda - US
DFAIT | International telecommunications
Statistics Canada | Statistical services to departments
Public Service Commission | Non-statutory language training
Canadian General Standards Bd | Standards development
Consulting and Audit Canada | Information management services
Translation Bureau | Translation services

Communications Policy
To ensure that communications across the Government of Canada are well coordinated, effectively managed and responsive to the diverse information needs of the public.

INFORMATION REQUIREMENTS:

Informing and Communicating with the Public

§ Institutions must provide the public with open access to information about policies, programs, services and initiatives, subject to law and government policy. Information for public use must be disseminated or readily available in all regions of Canada using all forms of media practical, and the communication needs of Canadians travelling or residing abroad must be taken into account. Opportunities must be available for the public to provide feedback on major policies, programs, services and initiatives, and such feedback must be carefully considered in reviews or evaluations of same to help make improvements. Information about an institution’s mission, structure, programs and services must be provided to Public Works and Government Services Canada for public access through 1-800 O-Canada and the Canada Site portal.
§ Institutions must provide information free of charge when it is in their control, subject to criteria defined in the Communications Policy.
§ Information for the public, internal communications, and Parliament or any other official body must be in plain language - clear, relevant, objective, easy to understand and useful.
§ Institutions must develop plans and strategies for communicating risk to the public, effectively communicate risk, foster open dialogue with the public on issues involving risk, facilitate the interactive exchange of information on risk and risk-related factors, and follow Treasury Board policy direction on risk management in the delivery of programs and service.
§ Plans, partnerships, responsibilities, tools and methods must be in place to allow government officials to communicate effectively and efficiently in both official languages during an emergency or crisis, providing accurate, relevant, and consistent information. Agreement among governments and their institutions regarding responsibility for communications must be clear and lead responsibility must be identified as part of the planning process.
§ Coordination between headquarters and regional operations in communication matters is essential and includes Privy Council Office where coordination between multiple institutions is required.
§ Internal communication must be open and collaborative, both informing employees and listening to their ideas, concerns and suggestions. Information must be communicated to employees before or at the same time as to the public.
§ Institutions must maintain a capacity for technology innovation and new media, staying current with developments in communications practice and technology. As they adopt new means to enhance public access, institutions must continue to reach, in a timely manner, citizens whose access to technology may be limited or who prefer to receive government information through more traditional means.
§ Institutions must maintain an active presence on the Internet to enable 24-hour electronic access to public programs, services and information. Internet communications must conform to government standards and policies.
§ Institutions must cultivate proactive relations with the media and promote public awareness and understanding of government policies, programs, service and initiatives. Institutions must respect the authority and responsibility of Parliament, whose members are entitled to learn about planned legislative initiatives before information about them is released to the media.
§ An institution’s senior management must designate managers and knowledgeable staff in head offices and in the regions to act as spokespersons, speaking in an official capacity on issues or subjects for which they have responsibility and expertise.
§ Institutions must identify opportunities to inform the public about significant initiatives or contributions of the Government of Canada. Public events and announcements, including news conferences, must be arranged from time to time for communication purposes.

Publications, Publishing and Productions

§ Publications and other communication materials must depict the diverse nature of Canadian society, respect the requirements of the Canadian Multiculturalism Act, and reflect and address the needs and interests of local and regional populations.
§ Institutions must facilitate public access to their publications as outlined in the Communications Policy.
§ Communication materials and published information in all formats must be well catalogued and securely maintained to ensure current as well as long-term accessibility.
§ Production, distribution, and evaluation of motion picture films, videotapes, television programs, and interactive videodiscs, CD ROMs and multimedia production must be contracted through Public Works and Government Services Canada.
§ Finished productions in film, video, CD and multimedia formats must be deposited with Library and Archives Canada.

Official Languages

§ Communications must respect the equality of status of the two official languages as established in the Canadian Charter of Rights and Freedoms and given effect through the Official Languages Act and Regulations and policy. Institutions must abide by requirements of the Federal Identity Program concerning visual representation of the official languages in communications or information material.
§ Official language requirements must be met for finished productions in film, video, CD and multimedia formats.

Copyright

§ Institutions must comply with the copyright legislation and policies and ensure that the ownership rights associated with works subject to copyright are fully respected in all media applications. Institutions must manage the administration and licensing of Crown copyright in co-ordination with Public Works and Government Services Canada and comply with Treasury Board’s Common Services Policy and Policy on Title to Intellectual Property arising under Crown Procurement Contracts. Institutions must comply with the requirements of the Federal Identity Program with respect to Government of Canada symbols and identifiers protected under the Trade Marks Act.

Federal Identity

§ Clear and consistent corporate identity is required including adherence to the Federal Identity Program (FIP), giving prominence to the official symbols of the GC, and adhering to the TB Common Look and Feel for the Internet: Standards and Guidelines.
§ Marketing material must conform to requirements of the Federal Identity Program and Treasury Board Common Look and Feel for the Internet: Standards and Guidelines.
§ Film, video and multimedia productions commissioned by institutions must comply with the Federal Identity Program and the Treasury Board Common Services and Contracting policies.
§ Communication or information materials prepared for consultative purposes comply with Federal Identity Program requirements.
§ Institutions must adopt a coherent and co-ordinated approach to their participation in fairs and exhibitions. Multiple institutions appearing at the same event must display a unified presence that promotes common themes and messages of the Government of Canada. Public Works and Government Services Canada co-ordinates the participation of institutions in fairs and exhibitions visited by the Canada Pavilion.

Advertising and Sponsorships

§ Institutions may place advertisements or purchase advertising space or time in any medium to inform Canadians about their rights or responsibilities, about government policies, programs, services or initiatives, or about dangers or risks to public health, safety or the environment, in accordance with criteria defined in the Communications Policy.
§ Sponsorships must be compatible with the government and institution’s communication goals, be communicated in a manner fair and equitable to each party, and not be based on advertising private sector goods or services.

Information Collection

§ Institutions must adhere to the requirements of the Treasury Board’s Contracting Policy and Common Services Policy when contracting public opinion research, coordinate activities with Public Works and Government Services Canada, and share research results with other GC departments, agencies, and the public that have an interest in the findings, subject to the Privacy Act.
§ Communication requirements must be taken into account in the planning, management and evaluation of consultation and citizen engagement activities. Institutions must inform Canadians about opportunities to participate in public consultation and citizen engagement.
§ To evaluate and address public needs and expectations, anticipate issues that may arise, and formulate appropriate response strategies, institutions must routinely monitor and analyze the public environment as it relates to their policies, programs, services and initiatives, using a variety of tools to assess the environment in which they operate, including citizen feedback, enquiry analysis, media monitoring and opinion research.

Integration with Planning and Delivery Activities

§ Institutions must integrate communications into corporate management processes and procedures, collaborate with, and maintain working links between communications and other core functions. The communications function must be adequately resourced, ensure staff at all levels carry out their unique role and shared communication responsibilities, ensure coherence and consistency of information and messages across all channels, and collaborate with other institutions in communication activities that promote common government-wide messages and themes.
§ Institutions must integrate communication planning into their annual business planning process, prepare a corporate communications plan, and evaluate communications work as an integral part of business operations.
§ Communication requirements must be taken into account when planning, negotiating or implementing a partnering or collaborative arrangement as outlined in the Communications Policy.
§ Marketing must be integrated with the communications functions.
§ Memoranda to Cabinet and Treasury Board submissions (which concern significant investment of public funds, a major new policy, program, service, or initiative, or matters of potential sensitivity or concern to the public) must include a communication plan and resources dedicated to achieving communication goals and objectives.

Training and Development

§ Institutions must provide managers and employees at all levels with Communications Policy orientation and training, and foster professional development among communications staff.

Electronic Authorization and Authentication Policy
To ensure adequate control and protection of business transactions in electronic form through proper authorization and authentication. It is government policy that electronic business transactions must be properly authorized, validated and safeguarded against loss, alteration, duplication, substitution or destruction.

INFORMATION REQUIREMENTS:

§ Provides definitions for business transaction, electronic authorization, electronic authentication, confidentiality, data integrity, digital signature, encryption, and key management.
§ The integrity of electronic business transactions must be maintained at all times.
§ A digital signature must be used to authorize electronic business transactions.
§ The method used to generate the digital signature must employ both special knowledge (e.g., password) and physical possession of an object (e.g., diskette, token or card etc.).
§ For every system where a digital signature is used, a risk and threat analysis will determine whether a physical object must be used. For existing systems and systems under development, departments are allowed a period of two years starting from the effective date of this policy to complete the risk and threat analysis and meet the requirements of the policy.
§ When physical objects such as diskettes, tokens or cards are used, departments must ensure that every object holder is informed of his or her responsibilities and restrictions regarding the use of the objects and agrees to them. Physical objects are to be used as personal access devices which link an object with only one individual.
§ Electronic authorizations of electronic business transactions must be authenticated.
§ The electronic authentication process must effectively and positively identify the authorizer, in such a way that he or she will not be able to credibly deny having authorized a transaction.
§ A complete audit trail of the electronic business transactions, including electronic authorization and authentication, must be maintained.
§ The integrity and confidentiality of the electronic authorization and authentication system and processes must be maintained at all times.
§ When required, the confidentiality of transactions will be ensured by encrypting part or all of the data or transaction.
§ Departments must perform a threat and risk assessment to evaluate the potential threats to the electronic business system as well as to the electronic authorization and authentication process and to determine the level of control required to minimize the risks, commensurate with costs.
§ Departments must establish policies and procedures that will ensure that an adequate level of control is maintained on all processes involving the electronic authorization and authentication of business data.
§ Departments must establish policies and procedures that will ensure that the distribution and communication of authorities and the delegation process itself, when in an electronic form, are protected by an approved digital signature and key management process. Encryption and key management processes for EAA must be endorsed or approved by CSE.

Monitoring

§ Departments will conduct internal audits of their compliance with this policy and the efficiency of its implementation.
§ The Treasury Board Secretariat will monitor compliance with this policy through internal audit reports. In addition, the Treasury Board Secretariat will conduct, in consultation with departments, operational reviews to assess the effectiveness of the policy.

Evaluation Policy
To ensure that the government has timely, strategically focused, objective and evidence-based information on the performance of its policies, programs and initiatives. Policy, program and initiative design must include clearly defined expected results and make provisions for management practices that include sound performance measurement, reporting and accountability.

INFORMATION REQUIREMENTS:

§ Department managers must manage for results and ensure that they have reliable, timely, objective and accessible information for decision-making and performance improvements.
§ Departments must establish an appropriate evaluation capacity and accountability practices.
§ Departments must provide TB with evaluation plans and early warning of major concerns.

Government PKI Policy
To establish and manage the use of public key cryptography, as a component of the government's common information management and information technology infrastructure.

INFORMATION REQUIREMENTS:

§ Provides rules for establishing Certification Authorities; membership in the GC PKI and the GC PKI Policy Management Authority; cross-certification with Certification Authorities inside and outside of the government; and procurement of certification authority services from other departments and the private sector.
§ Requires departments to have a repository associated with its Certification Authority and register it with the government registrar for repository services (Registrar of Repositories).
§ Requires departments to manage information created as part or in course of the performance of Certification Authority activities – including personal information about employees, external subscribers and relying parties – in accordance with government laws, such as the Library and Archives Canada Act, the Access to Information Act and the Privacy Act.
§ Requires departments to keep a copy of employees’ private confidentiality keys for data recovery purposes; notify its employees that their private confidentiality keys are backed up; and notify employees when the department accesses their private confidentiality keys for business purposes.
§ Prohibits departments from backing up the private confidentiality keys of external subscribers without their consent; accessing or disclosing the private confidentiality keys of external subscribers except with their prior consent, or where required by law; or keeping a copy of private digital signature keys.
§ Departments must establish and communicate limits on liability for each assurance level of certificate that are no less than those indicated in the GC Certificate Policies.
§ Departments must adopt and comply with procedures and rules determining the allocation of financial responsibility and accountability for any losses, judgements, awards or settlements among members of the GC Public Key Infrastructure.
§ Departments will audit compliance with the policy and the efficiency of its implementation. The Treasury Board Secretariat will monitor compliance through these internal audit reports.
§ Identifies circumstances where the President of the Treasury Board may make exemptions for aspects of this policy.
§ Establishes the roles and responsibilities of the President of the Treasury Board, the Policy Management Authority, the Communications Security Establishment, the Departmental Certification Authorities and the Local Registration Authorities for the management of the GC PKI infrastructure.

Government Security Policy

To ensure the appropriate safeguarding of all sensitive information and assets of the federal government.

INFORMATION REQUIREMENTS:

§ Information that is reasonably likely to be exempted or excluded from access under provisions of the Access to Information Act and the Privacy Act must be designated or classified as confidential, secret, or top secret as identified in the Security Policy.
§ Material and information technology assets are to be classified and designated according to their confidentiality, integrity, availability and value.
§ Sensitive information and assets are to be safeguarded to at least the level of standards set out in the GSP and according to an assessment of related threats and risks.
§ Access to classified information and assets is to be limited to those whose duties require access and have the required level of security clearance.
§ Security reliability checks and assessments are to be conducted on employees consistent with the duration of employment, and information and assets to which they have access.
§ Security breaches are to be reported and investigated, and appropriate corrective action taken.
§ Departments must appoint a departmental security officer (DSO) responsible for department security in accordance with the policy.


Learning, Training and Development Policy (Replaces Continuous Learning in the Public Service of Canada Policy and Training and Development Policy)

The objective is to help build a skilled, well-trained and professional workforce; to strengthen organizational leadership; and to adopt leading-edge management practices to encourage innovation and continuous improvements in performance. The policy also supports employees at all levels, from front-line employees to executives, by providing access to leading-edge training programs to ensure they are fully equipped to meet the challenges of their role and their ability to serve Canadians.

INFORMATION REQUIREMENTS:

The policy addresses specific training needs of three groups of employees: employees newly appointed to the "core public administration", new and existing managers at all levels, and functional specialists:

· new employees will have access to orientation training designed to ensure that they share a common understanding of their role (including their role in managing information) as public servants, as well as the values and ethics of the public service;

· specialists in financial management, internal audit, procurement, materiel management, real property, information management and human resources will have access to specialized training programs to support professional development and certification;

· newly appointed supervisors, managers and executives will have an opportunity to complete training on their legal responsibilities (including those related to managing information);

· existing managers and executives will use on-line self-assessment tools to assess their knowledge of legal responsibilities (including those related to managing information); and

· employees at all levels will be supported in their career growth and progression through learning plans that will allow them to acquire and maintain knowledge, skills and competencies related to their level and function.

Knowledge standards related to the policy provide the parameters for the exercise of due diligence in relation to the legal responsibilities of public servants, and establish the minimum common knowledge (including knowledge related to responsibilities for managing information) required by employees regardless of their functions, location of work, organization or profession.

Management of Government Information Policy

Institutions must manage information throughout its life cycle in a manner that supports the government’s activities, its delivery of information and services to citizens through a variety of service delivery channels, and the government’s commitment to openness, transparency and accountability in accordance with current legislation, regulations, and policies.

INFORMATION REQUIREMENTS:

Enhancing the Public Trust

§ Ensure the quality, consistency and availability of information across delivery channels to respect Canadians’ preferred means of accessing information and of communicating with government.
§ Organize information to provide clarity, context, and convenient access to relevant, comprehensive, and timely information and services.


§ Re-use and share information to the greatest extent possible, in accordance with legal and policy obligations.
§ Document decisions and decision-making processes.
§ Preserve the integrity of information, particularly when it is used in collaborative endeavours with other federal government institutions, other governments, or non-governmental organizations.
§ Ensure the appropriate security, protection, and disposition of information.

Include Management of Information Considerations in the Planning Cycle

§ Information management requirements are incorporated at an early stage in the development of new or modified government policies, programs, services, and technology-based systems.
§ Governance and accountability structures are in place for the management of information.
§ Opportunities for common infrastructures are maximized to optimize the interoperability of information management systems.

Collect, Create, Receive and Capture Information

§ Support service delivery, informed policy and decision-making, and business, legal, and accountability requirements.
§ Ensure its relevance, reliability, and completeness.
§ Optimize its sharing and re-use, in accordance with policy and legal obligations.
§ Document decisions and decision-making processes to account for government operations, reconstruct the evolution of policies and programs, support the continuity of government and its decision-making, and allow for independent audit and review.
§ Reduce the response burden on the public by avoiding the unnecessary collection of information.

Organize, Use, and Disseminate Information

§ Establishing a co-ordinated and comprehensive approach to describing the institution’s information.
§ Maintaining a current and comprehensive classification structure or structures, including metadata.
§ Providing users with timely and convenient access to information in accordance with legal and policy obligations.

Maintain and Preserve Information

§ Ensure its usability, including the usability of encrypted information, over time and through technological change.
§ Ensure information of enduring value to the Government of Canada or to Canadians is available for current and future use.
§ Protect essential records.
§ Safeguard from improper disclosure, use, disposition or destruction, in accordance with legal and policy obligations.

Dispose of Information

§ Adhering to departmental retention and disposition plans, the Library and Archives Canada-approved Records Disposition Authorities, and other legal and policy obligations to ensure the timely disposition of information that is no longer required by the institution.
§ Transferring to the Library and Archives Canada information designated as having historical value.
§ Transfer to Library and Archives Canada publications that federal libraries have declared surplus.


§ Considering its transfer to non-government organizations, subject to legal and policy obligations.

Training & Development

§ The senior executive responsible for implementing the policy must coordinate training and development of staff.

Roles, Responsibilities & Accountabilities

· Describes the Management of Information roles, responsibilities and accountabilities for Institutional Deputy Heads; Senior Executives; all public service employees and Information Specialists; as well as TBS, LAC and Statistics Canada.

Monitoring

§ In accordance with the Treasury Board Evaluation and Internal Audit Policies, institutions should assess the risks associated with the management of valuable information resources and review their effectiveness in implementing and meeting the requirements of this policy. The Treasury Board Secretariat may require institutions to undertake a periodic audit of the implementation of this policy.
§ The Treasury Board Secretariat will use internal audit reports to monitor compliance with this policy, evaluate its effectiveness and its impact on institutions.
§ The Library and Archives Canada also have monitoring responsibilities with respect to this policy and will periodically communicate their findings to the Treasury Board Secretariat.

Management of Information Technology Policy

To ensure that information technology is used as a strategic tool to support government priorities and program delivery, to increase productivity, and to enhance service to the public.

INFORMATION REQUIREMENTS:

§ Apply information technology to reduce the burden on respondents from whom information is collected. Capture information once, make it more easily accessible, complete transactions more quickly and accurately, support employees and reduce costs.
§ Ensure information technology allows services to be provided to the public in both official languages.
§ Departments must participate in setting government-wide directions for information management – in particular by informing TBS of their plans and long-term strategies and supporting the Secretariat's overall government-wide coordination and direction-setting role.
§ Implement approved government information and technology standards in accordance with TB criteria.
§ Common service organizations that have information management responsibilities must obtain advice, guidance and feedback on their objectives, strategies, plans and the quality of their services from their clients and coordinate their plans and services with those of departments and other common-service organizations.
§ Departments must develop information management plans that are tailored to their needs and are derived from and strongly support the department's missions and operational plans – refer to TB guidelines for Information Management plans.

Personnel Information Management Policy

To ensure that the management and administration of human resources is supported with complete, accurate and well managed information.


INFORMATION REQUIREMENTS:

§ Departments must have information that effectively and economically supports the execution of personnel management decisions and the day-to-day administration of employee pay, benefits and records, and that informs management in a timely and accurate manner about their human resources while protecting personal information as defined and provided for in the Privacy Act.
§ Departments must provide information to the central agencies in a timely manner, in particular the Treasury Board Secretariat and the Public Service Commission, about the management of human resources.
§ Departments must adhere to the information management and data administration standards established for service-wide personnel information. As a minimum, standards published in the Management of Government Information Policy and the Personnel Data Element Dictionary must be followed.
§ In response to concerns that the misuse of the SIN could threaten individual privacy, a decision was made to limit its collection and use in the federal government to those activities explicitly authorized by Cabinet. Federal government institutions are phasing out administrative use of the SIN. The Personal Record Identifier (PRI) was developed to identify federal government employees and associate an employee with his or her personal records in the federal Public Service. The PRI is used for internal administration within the federal government and is not given to outside organizations, such as unions, banks, and insurance companies. A separate identifier, the Individual Agency Number (IAN), is assigned to employees and used to replace the SIN when dealing with remittance agencies. The policy appendices provide personal record identifier and Individual Agency Number guidelines.

Policy on the Use of Electronic Networks

It is Treasury Board policy that authorized individuals use electronic networks to conduct the business of government, to communicate with public service employees and with the public, to gather information relevant to their duties, and to develop expertise in using such networks. Deputy Heads must put in place policies and practices that promote the appropriate use of electronic networks that are consistent with the Privacy Act, the Access to Information Act and the Charter of Rights and Freedoms.

INFORMATION REQUIREMENTS:

§ Departments must develop and implement an acceptable use policy that: (a) defines what is acceptable use within the department (e.g. personal use); and (b) informs employees how the department monitors the use of electronic networks.
§ Authorized uses of electronic networks must be defined and address unlawful and unacceptable conduct; responsibilities of authorized individuals when they are using electronic networks; the extent to which electronic networks may be used for personal objectives (the government is not obliged to allow use for personal objectives); disciplinary measures for illegal or unacceptable use; monitoring practices and authorization required.
§ Monitoring authorization and procedures for monitoring individual electronic mail and files (if the department reasonably suspects that an authorized individual is misusing the network) must be defined. Guidelines for monitoring electronic networks (including information requirements) are included as Appendix E of the policy.
§ Individuals authorized to monitor individual network use must keep the monitored information confidential and only use it for authorized purposes.
§ Departments must consider privacy when designing their monitoring practices and procedures.
§ Departments are required to report suspected illegal activity to the appropriate law enforcement agency (unless their legal advisor advises that the matter is too minor).
§ Activity that can expose authorized individuals or the employer to civil liability if a Public Service employee performs unlawful activity in the course of his or her employment includes disclosing or collecting sensitive data without authorization; defamation; and inaccurate information.
§ Appendix A provides a non-exhaustive list of unlawful activity, in terms of actions that may result in sanctions of different kinds in a court of law.
§ Appendix B provides a non-exhaustive list of activity that is not necessarily unlawful but which violates Treasury Board policies.
§ Appendix C identifies unacceptable activities relating to access of electronic networks provided by the government.

Privacy and Data Protection Policy

The objectives of the Privacy and Data Protection Policy are to: 1) ensure the effective and consistent application of the provisions of the Privacy Act and the Privacy Regulations by government institutions; 2) ensure data-matching and data linkage of personal information for administrative purposes meet the requirements of that legislation; and 3) limit collection and use of the Social Insurance Number (SIN) for administrative purposes to those permitted by specific acts, regulations and programs and to establish conditions for its collection.

INFORMATION REQUIREMENTS:

Planning

§ Departments must advise the Privacy Commissioner at an early stage of any planned initiatives that relate to the Privacy Act or may impact the privacy of Canadians.

Collection

§ Controls must be in place to limit collection of personal information to what is required for programs or activities. Note: The program or activity must have Parliamentary authority.
§ Individuals from whom information is being collected must be advised of the purpose, whether provision is voluntary or required by law, of the consequences of refusing to respond, of their rights of access and the registration number of the personal information bank in which the collected information will be contained.

Social Insurance Number (SIN)

§ Institutions must limit the use of Social Insurance Numbers for administrative purposes to those authorized by statute or regulation and for administering pensions, income tax, health and social programs.
§ Institutions must not withhold any right, benefit or privilege nor impose any penalty because of an individual’s refusal to disclose the SIN except for purposes authorized by statute or regulation or otherwise authorized by Parliament.
§ Individuals must be informed of the purpose for collecting the SIN, the authority under which the number is required, and whether any right, benefit or privilege can be withheld or penalty imposed if the number is not disclosed.
§ When the SIN is included in any personal information bank, it must be indicated in the Info Source description along with the authority under which the number is collected and the purposes for its use cited in Info Source.

Data Matching

§ Prior to initiating a data-matching program, institutions must assess the feasibility by analyzing the potential impact on the privacy of individuals and the costs and benefits of the data-matching program.
§ Data matching is the comparison of personal data obtained from different sources to make decisions about the person from whom the information was collected. A data-matching program must be approved only by the head of the government institution or an official specifically delegated this authority by the head.
§ Institutions must notify the Privacy Commissioner of a new matching program by providing him with a copy of their assessment of the program at least 60 days before it is to begin.
§ All matching activities must be accounted for in Info Source.
§ Information generated by a matching program must be verified with original or additional authoritative sources before being used for administrative purposes.

Accounting for Personal Information

§ Government institutions must account for and describe their holdings of personal information in accordance with the government-wide standards periodically issued by the Treasury Board Secretariat.

Providing Access

§ Controls must be in place to ensure against the unauthorized disclosure of personal information, that privacy rights are considered where disclosure is discretionary, that a record of disclosure is maintained and that research privileges are withdrawn from any person or body improperly disclosing personal information.
§ Where the right of access to personal information is to be provided the institution must assist the individual in obtaining access to their personal information and satisfy themselves as to the identity of the individual requesting access and the individual’s right of access.
§ Where the right of access to personal information is to be provided the institution must keep a record of actions and decisions taken in processing the access request and any correction or notation under the Privacy Act.
§ Disclosure to an individual with a sensory disability will be provided in the preferred format where it is available. Conversion to an alternate format may be provided where reasonable in terms of cost and utility.

Exemptions, Exempt Banks, & Coordination of Requests

§ Consultation with Legal Counsel and the Privy Council Office is required where information requested may be considered to be Confidences of the Queen's Privy Council.
§ Requests for information must be reviewed to identify and sever any of the information that is exempt from disclosure. The requestor must be notified of the exemption applied, except where doing so would reveal exempted information or cause the injury which forms the basis of the exemption.
§ Departments will coordinate requests with other departments or offices of special interest where their input is required to determine if information in the request should be exempt.
§ Departments must consult with Treasury Board on any proposal for the establishment or revocation of an exempt bank. Requests for an exempt bank must be submitted to the designated Minister.

Governance & Monitoring

§ Government institutions must appoint a Privacy Co-ordinator to coordinate activities related to the Privacy Act and maintain a current Delegation Order listing delegated privacy responsibilities.
§ The annual reports to Parliament required by the Privacy Act will be used to monitor compliance with this policy.
§ Compliance with the SIN and data-matching provisions will be monitored through the advance notification and public accounting requirements.
§ The Privacy Commissioner and internal audit groups will examine the institution’s success in meeting the requirements for privacy and data protection.

Privacy Impact Assessment Policy

To ensure that privacy principles are taken into account when there are proposals for, and during the design, implementation and evolution of programs and services that raise privacy issues. The Privacy Impact Assessment Guidelines provide guidance to assist institutions in conducting assessments.


INFORMATION REQUIREMENTS:

§ Institutions must develop and maintain Privacy Impact Assessments to evaluate whether program and service delivery initiatives comply with privacy legislation and policy requirements and resolve privacy issues that may be of public concern. Institutions must examine their own program legislation, regulation and policies to determine specific or additional privacy, information management and other requirements governing the personal information under their control.
§ There are differences between the federal and provincial and private sector codes that must be taken into account when collaborating on cross-jurisdictional initiatives. Where programs and services involve cross-jurisdictional or cross-sectoral activities, the provisions of all federal legislation and policies must be respected.
§ Institutions must conduct Privacy Impact Assessments in the early stages of the design or redesign of programs and services that raise privacy issues. Detailed criteria to assist in determining when to conduct an assessment are contained in the Privacy Impact Assessment Guidelines.
§ Institutions must undertake data analysis to identify all personal information associated with business processes.
§ Institutions must undertake privacy analysis to ensure and document that privacy principles, legislation and policies are adhered to and that privacy impacts and risks associated with program and service delivery activities have been resolved or mitigated. Assessments must address federal intra-departmental and inter-departmental initiatives, and initiatives involving other governments and the private sector.
§ Institutions must prepare a privacy impact analysis report to document their evaluation of the privacy risk, the implications of those risks and their discussion of possible remedies, options and recommendations to avoid or mitigate such risks.
§ Institutions must develop Privacy Impact Assessments within the context of the government-wide policies, guidelines, handbooks and checklists pertaining to sound project management, consistent with the Enhanced Management Framework.
§ Institutions seeking Preliminary Project Approval from Treasury Board pursuant to the Project Approval Policy must include the results of the Privacy Impact Assessment in the body of the submission or the project brief where applicable. Institutions seeking Effective Project Approval must provide a status report in the body of the submission or the project brief summarizing the actions taken or to be taken to avoid or mitigate any privacy risks.
§ Institutions must provide the Privacy Commissioner with a copy of the final Privacy Impact Assessment at a reasonably early stage prior to implementing the initiative, program or service.
§ Institutions must routinely make summaries of the results of their Privacy Impact Assessments available to the public through the internet and conventional publishing. Access to Information Act and Privacy Act and other considerations, such as cases where assessments could contain information that would render systems or security measures vulnerable, or refer to programs or services that have not been formally approved or announced, must be taken into account.
§ Institutions will assess their degree of compliance with this policy by means of internal audits, reviews, and evaluations. The Treasury Board Secretariat will monitor compliance through a variety of means, for example, the Annual Privacy Reports to Parliament may be used. The Privacy Commissioner will monitor compliance through the notification process.

Project Management Policy

To ensure government projects have well defined scope and objectives, adhere to approval requirements, employ sound project management principles, are adequately resourced, and are managed in a manner sensitive to risk, complexity and economy of resources.

INFORMATION REQUIREMENTS:


§ Requires submission of updated project information to appropriate authorities for significant changes beyond reporting established in the original or amended approvals.
§ Requires systematic approaches to define and manage the project, including implementation of a suitable database system to track key objective and numerical information for the project.
§ Risk assessments must be updated periodically to reflect additional information available.
§ Information on progress of significant projects must be provided to Treasury Board.

Risk Management Policy

To safeguard the government’s property, interests, and certain interests of employees during the conduct of government business. It is government policy to identify, and reduce or eliminate risks to its property, interests and employees, to minimize and contain the costs and consequences in the event of harmful or damaging incidents arising from those risks, and to provide for adequate and timely compensation, restoration and recovery.

INFORMATION REQUIREMENTS:

§ Departments must identify the potential perils, factors and types of risk to which their assets, program activities and interests are exposed. The accompanying guidelines specifically identify information storage and transfer, such as record keeping, mail distribution, telecommunications, and electronic data as assets to be identified.
§ Departments must analyze and assess the risks identified, and design and implement cost-effective risk prevention, reduction or avoidance control measures.
§ Departments must plan and budget for containment, compensation, restoration and disaster recovery.
§ Departments must activate emergency organizations, systems, and contingency plans, and initiate recovery measures.

3. For further info

The Department of Justice web site includes copies of government legislation. The Treasury Board Secretariat web site includes copies of horizontal government policies.

4. Author and date

Author: Information Management Strategies Division, Treasury Board Secretariat
Date: 2006-03-31


Annex A – Links to Legislation and Policies

The following table provides links to the legislation contained in this document. This legislation is available on the Department of Justice web site.

Table 1. Links to Legislation

Legislation | Link
Access to Information Act & Regulations | http://laws.justice.gc.ca/en/A-1/index.html
Auditor General Act | http://laws.justice.gc.ca/en/A-17/index.html
Canada Evidence Act | http://laws.justice.gc.ca/en/C-5/index.html
Canadian Charter of Rights and Freedoms | http://laws.justice.gc.ca/en/charter/
Canadian Security Intelligence Service Act | http://laws.justice.gc.ca/en/C-23/index.html
Copyright Act | http://laws.justice.gc.ca/en/C-42/index.html
Crown Liability and Proceedings Act | http://laws.justice.gc.ca/en/C-50/index.html
Emergency Preparedness Act | http://laws.justice.gc.ca/en/E-4.6/index.html
Financial Administration Act | http://laws.justice.gc.ca/en/F-11/index.html
Library and Archives of Canada Act | http://laws.justice.gc.ca/en/L-7.7/index.html
Official Languages Act | http://laws.justice.gc.ca/en/O-3.01/index.html
Personal Information Protection and Electronic Documents Act | http://laws.justice.gc.ca/en/P-8.6/index.html
Privacy Act & Regulations | http://laws.justice.gc.ca/en/P-21/index.html
Public Service Employment Act | http://laws.justice.gc.ca/en/P-33/index.html
Security of Information Act | http://laws.justice.gc.ca/en/O-5/index.html
Statistics Act | http://laws.justice.gc.ca/en/S-19/index.html


The following table provides links to the policies contained in this document. These policies are available on the Treasury Board Secretariat web site.

Table 2. Links to Policies

Policy | Effective Date | Link
Access to Information Policy | 1993-12-01 | http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_121/CHAP1_1_e.asp
Common Services Policy | 2005-05-16 | http://www.tbs-sct.gc.ca/Pubs_pol/dcgpubs/TB_93/CSP_e.asp
Communications Policy | 2004-04-29 | http://www.tbs-sct.gc.ca/Pubs_pol/sipubs/comm/comm_e.asp
Electronic Authorization and Authentication Policy | 1996-05-15 | http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/tbm_142/2-2_e.asp
Evaluation Policy | 2001-04-01 | http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/TBM_161/ep-pe1_e.asp
Government PKI Management Policy | 2004-04-26 | http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/PKI/pki_e.asp
Government Security Policy | 2002-02-01 | http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/gsp-psg_e.asp
Learning, Training and Development (Replaces Continuous Learning in the Public Service of Canada Policy and Training and Development Policy) | 2006-01-01 | http://www.tbs-sct.gc.ca/pubs_pol/hrpubs/TB_856/ltd-afp_e.asp
Management of Government Information Policy | 2003-05-01 | http://publiservice.tbs-sct.gc.ca/pubs_pol/ciopubs/TB_GIH/mgih-grdg_e.asp
Management of Information Technology Policy | 1995-07-04 | http://www.tbs-sct.gc.ca/Pubs_pol/ciopubs/TB_IT/mit-gti_e.asp
Personnel Information Management Policy | 1994-04-20 | http://www.tbs-sct.gc.ca/Pubs_pol/hrpubs/TB_85A/pim_e.asp
Policy on the Use of Electronic Networks | 1998-02-12 | http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/TB_CP/uen_e.asp
Privacy and Data Protection Policy | 1993-12-01 | http://publiservice.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/CHAP1_1_e.asp
Privacy Impact Assessment Policy | 2002-05-02 | http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp
Project Management Policy | 1994-06-01 | http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/TBM_122/CHAPT2-2_e.asp
Risk Management Policy | 2001-10-05 | http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/RiskManagement/riskmanagpol_e.asp

Annex B – Mapping of Legislation and Policies to the FMI

The following table maps legislation and policies to the Framework for the Management of Information legal and policy provisions, management related and life-cycle related components.

Table 3. Mapping of Legislation and Policies to the FMI

Column groups: Legal and Policy Provisions; Management Related; Life-Cycle Related; Common to All Life-Cycle Phases

Columns: Access to Information; Privacy and Confidentiality; Intellectual Property; Security; Liability; Official Languages; Communications; Governance and Accountability; Management Functions; Competencies and Training; Program/Service Delivery Considerations; Technology Considerations; Quality of Information; Collect, Create, Receive, Capture; Organize, Use, Disseminate; Maintain and Preserve; Dispose

Legislation and Policies:
Access to Information Act & Regulations: X X X X X X X X X
Access to Information Policy: X X X X X X X
Auditor General Act: X X X
Canada Evidence Act: X X X X
Canadian Charter of Rights and Freedoms: X X X X X X
Canadian Security Intelligence Service Act: X X X X X X X X
Common Services Policy: X X X X X X
Communications Policy: X X X X X X X X X X X X
Continuous Learning in the PS of Cda Policy (Training and Development Policy): X
Copyright Act: X X X
Crown Liability and Proceedings Act: X X X
Electronic Authorization and Authentication Policy: X X X X X X
Emergency Preparedness Act: X X X X
Evaluation Policy: X X
Financial Administration Act: X X X X X X X X
Government PKI Management Policy: X X X X
Government Security Policy: X X X X X
Library and Archives of Canada Act: X X X X X X X X
Management of Government Information Policy: X X X X X X X X X X X X X
Management of Information Technology Policy: X X X X X X X
Official Languages Act: X X X X
Personal Information Protection and Electronic Documents Act: X X X X X X X X
Personnel Information Management Policy: X X X X X X
Policy on the Use of Electronic Networks: X X X X X X
Privacy Act & Regulations: X X X X X X X X X X
Privacy and Data Protection Policy: X X X X X X X X X
Privacy Impact Assessment Policy: X X X X X X
Project Management Policy: X X
Public Service Employment Act: X X X X
Risk Management Policy: X X X
Security of Information Act: X X X
Statistics Act: X X X X X X X X

Annex C – Mapping of Legislation and Policies Provisions and Requirements to FMI Components

This appendix maps legislation and policy provisions and requirements to FMI components. Refer to the table of contents to assist with locating and hyper-linking to specific components and topics.

COMMON LEGAL/POLICY PROVISIONS

Access to Information

Definition of Government Records

Access to Information Act:
§ Defines a record for the purposes of the Access to Information Act and extends this to include records that do not exist but can be produced from a machine-readable record using computer hardware and software and technical expertise normally used by the government institution. The regulations stipulate computer-generated records need not be produced if doing so would unreasonably interfere with the operations of the institution. (3,4)

Library & Archives of Canada Act:
§ Provides a definition of government and ministerial records. The definition of record in both the Access to Information Act and the Library & Archives of Canada Act is very broad and includes electronic data. (2)

Duty to Document

Financial Administration Act:
§ TB may make regulations for the effective administration of the public service, prescribe the manner and form in which accounts and records will be kept, and request information or documents the TBS considers necessary for due performance of its duties. (9,10, 7,32,33,34,35,36)
§ Finance must maintain books and records for any money borrowed and provide an accounting of all transactions on request. (52)
§ Departments must maintain adequate records for public property they are responsible for and comply with regulations of the Treasury Board governing the custody and control of public property. (62)
§ The Receiver General must keep records of public accounts and may request records, statements or other information from Ministers relative to the accounts. (63, 64, 65)
§ The Governor in Council may prescribe the documents to be submitted in connection with a notice of assignment (crown debts) and records be kept for monies received on behalf of the government but not duly paid over. (71, 79)
§ Crown corporations must keep books, records, systems and practices in a manner to provide reasonable assurance that: the assets of the corporation are safeguarded and controlled; the transactions of the corporation are in accordance with the Financial Administration Act, regulations and internal directives; and the resources of the corporation are managed efficiently and effectively. (131)

MGI Policy:
§ Document decisions and decision-making processes.
§ Document decisions and decision-making processes to account for government operations, reconstruct the evolution of policies and programs, support the continuity of government and its decision-making, and allow for independent audit and review.
§ Ensure information of enduring value to the Government of Canada or to Canadians is available for current and future use.

Electronic Authorization and Authentication Policy:
§ A complete audit trail of electronic business transactions, including electronic authorization and authentication must be maintained.

Privacy and Data Protection Policy:
§ Where the right of access to personal information is to be provided the institution must keep a record of actions and decisions taken in processing the access request and any correction or notation under the Privacy Act.

Information Holdings Description

Access to Information Act:
§ The designated Minister shall cause to be published (at least annually) a publication containing: a) a description of the organization and responsibilities of each government institution, including details on the programs and functions of each division or branch; b) a description of all classes of records under the control of each government institution in sufficient detail to facilitate access to these records; c) a description of all manuals used by employees in carrying out programs and activities; and d) the title and address of the officer for each government institution to whom requests for access to records should be sent. An updating bulletin must be published at least twice each year. The publication and bulletins are to be made available throughout Canada. (5)

Access to Information Policy:
§ Departments must provide descriptions of their information holdings to TBS in accordance with government-wide standards.

Public Right of Access to Government Information

Access to Information Act:
§ Provides Canadian citizens, permanent residents, and all individuals and corporations present in Canada (ATIA Extension Order No 1) with the right to access records under the control of a government institution. (4)

Access Exemptions

Access to Information Act:
§ Information Obtained in Confidence - The head of a government institution shall refuse to disclose information if it was obtained in confidence from: a) the government of a foreign state or institution thereof; b) an international organization of states or institution thereof; c) the government of a province or an institution thereof; d) a municipal or regional government or an institution of such a government; or e) an aboriginal government. The Act defines Aboriginal government to mean only the Nisga’a government. This information may be disclosed with the consent of the government institution from whom the record was received or if the organization or institution from which it was obtained makes the information public. (13)
§ Responsibilities of Government - The head of a government institution may refuse to disclose any record requested if it would be injurious to federal-provincial affairs, international affairs or defence; it was obtained in the course of law enforcement or investigation; it relates to investigative techniques or plans for specific lawful investigations; the information could reasonably be expected to be injurious to enforcement of law or to the security of penal institutions; the information could reasonably be expected to facilitate the commission of an offence; the information was obtained or prepared by the RCMP while performing policing services for a province or municipality where the province or municipality so requests; the information could reasonably be expected to threaten the safety of individuals; or the information could reasonably be expected to prejudice the economic interests of Canada. (14-18)
§ Personal Information - The head of a government institution shall refuse to disclose any record that contains personal information as defined in the Privacy Act unless the individual to whom it relates consents to the disclosure, the information is publicly available, or the disclosure is in accordance with section 8 of the Privacy Act. (19)
§ Third Party Information - The head of a government institution shall refuse to disclose any record without the consent of the third party to whom the information relates that: contains trade secrets of the third party; contains confidential financial, commercial, scientific or technical information supplied by the third party and treated consistently in a confidential manner by a third party; information that could reasonably be expected to result in material financial loss or prejudice competitive position; or could reasonably be expected to interfere with contractual or other negotiations of the third party. Other than trade secrets, the government may disclose any of this information if it is in the public interest related to public health, safety or protection of the environment and the public interest in disclosure clearly outweighs in importance the impact to the third party. (20)
§ Product or Environmental Testing - Parts of records that contain results of product or environmental testing carried out by or on behalf of a government institution, shall be disclosed along with a written explanation of the methods used in conducting the tests unless: 1) the results are of preliminary testing conducted for the purpose of developing methods of testing; or 2) the testing was done as a service to a person, group of persons or an organization other than a government institution for a fee. (20)
§ Operations of Government – The head of a government institution may refuse to disclose any record under this Act that contains: a) advice or recommendations developed by or for a government institution or Minister; b) an account of consultations or deliberations involving officers or employees of a government institution, a minister of the crown or staff of the minister; c) positions or plans developed for the purpose of negotiations; or d) plans relating to the management of personnel or the administration of a government institution that have not yet been put into operation. This does not apply to material prepared by a consultant. (21)
§ Testing Procedures and Audits – The head of a government institution may refuse to disclose any record that contains information relating to testing or auditing procedures or techniques or details of specific tests to be given or audits to be conducted, if the disclosure would prejudice the use or results of particular tests or audits. (22)
§ Solicitor-Client Privilege - The head of a government institution may refuse to disclose any record that contains information subject to solicitor-client privilege. (23)
§ Statutory Prohibitions – The head of a government institution shall refuse to disclose any record restricted by any statutory provision as outlined in schedule II of the Act. Any part of the record that does not contain restricted information and can be reasonably severed shall be disclosed. (24, Schedule II)
§ Notwithstanding any other provision of this Act, where a request is made for access to a record that the head of the institution is authorized to refuse disclosure under this Act by reason of information or other material contained in the record, the head of the institution shall disclose any part of the record that does not contain, and can reasonably be severed from any part that contains, any such information or material. (25)
§ Information to be Published – The head of a government institution may refuse to disclose any record if he believes on reasonable grounds that it will be published within 90 days after the request is made or within such further period of time as may be necessary for printing or translating it for printing. (26)
§ Limitation in Application - This Act does not apply to: published material or material available for purchase by the public; library or museum material preserved solely for public reference or exhibition purposes; to material placed in the Library and Archives of Canada, the National Gallery of Canada, the Canadian Museum of Civilization, the Canadian Museum of Nature or the National Museum of Science and Technology by or on behalf of persons or organizations other than government institutions. (68)
§ Limitation in Application - This Act does not apply to Confidences of the Queen’s Privy Council for Canada that are less than 20 years old. What and how they apply to “discussion papers” the purpose of which is to present background explanations, analyses of problems, or policy options to Council is currently before the courts. (69)
§ Schedule II includes exemptions specific to other Acts and must be considered if the information access request is for corresponding information. (Schedule II)

Requesting Access

Access to Information Act:
§ Requests to access a record under this Act will be made in writing to the institution holding the information and will be responded to within 30 days of request with a written notice in terms of whether access will be given in whole or in part. The request will contain sufficient detail to allow an experienced employee of the institution with a reasonable effort to identify the record. The regulations specify the request will be accompanied by the required application fee. (6,7)
§ The head of a government institution may transfer the request and if necessary the record to another government institution that has a greater interest in the record within 15 days of receiving the request. The request is deemed received by the institution to which it was transferred on the date the original request was received. An institution has a greater interest in a record if the record was originally produced in or for the institution or if the institution was the first government institution to receive the record or a copy of it. The regulations stipulate the government institution may transfer a request to another government institution within 15 days of receipt on the condition that the other government institution consents to process the request in the time limit set for such a request. The regulations also stipulate that the request may not be transferred to a third government institution. (8)
§ The institution may extend the time limit for a reasonable period of time if the request is for a large number of records or requires a search through a large number of records and it will unreasonably interfere with operations of the institution, where consultation is necessary that cannot reasonably be completed in the original time limit, or where notice of disclosure to a third party is required. (9)
§ Where access is denied, the notice will indicate either that the information does not exist or the provision of the Act under which access would be denied if the information existed, and advise the individual of their right to make a complaint to the Information Commissioner. The government institution may but is not required to indicate whether the record exists. (10)
§ A person who requests access under the Act may be required to pay a five-dollar application fee as prescribed by regulations at the time the request is made, a reproduction fee before copies are made and a conversion fee before the record is converted into an alternative format. Additional fees may be requested for every hour in excess of five hours that is reasonably required to search for the record or prepare any part of it before disclosure, or where a record is produced from a machine-readable record. The institution may require a reasonable proportion of the fee be paid as a deposit before the search or production of the record for disclosure. The regulations outline fees payable and the amount of the fees. (11)
§ Where a fee applies written notice of the amount required will be provided to the requestor along with an indication that they have the right to make a complaint to the Information Commissioner about the amount required. (11)
§ The head of the government institution to which the request is made may waive or refund the fee or any part of it. (11)
§ Third Party Intervention - Where a government institution intends to disclose information that the head has reason to believe may contain trade secrets of a third party, confidential material of a third party, may result in loss to the third party, or impact third party contractual or other negotiations, the third party will be advised in a written notice within thirty days of receiving the access request (if they can be reasonably located). The notice shall include a statement indicating intent to disclose a record or part thereof, a description of the contents of the record, and a statement that the third party may, within twenty days after the notice is given, make representations to the head of the government institution as to why the record or part thereof should not be disclosed. The third party will be given opportunity for representation and the government institution shall decide within thirty days after the notice is given whether or not to disclose the record or part thereof. Where the decision is to disclose the information the third party will receive a written notice of intent to disclose along with an indication that they have twenty days to make an application to the Federal Court to review the decision. A notice will be provided to the person who made the access request that access will be given within 20 days unless a review is requested. The head of a government institution may decide to disclose third party information based on a recommendation from the Information Commissioner following a complaint investigation. In this case, notice will be given to the person requesting access as well as to the third party. The third party notice will advise them of their right to request review by the Federal Court. (27-29)

Access to Information Policy:
§ Departments must maintain a system for processing requests that can account for all deliberations and decisions taken regarding each request.
§ Departments must participate in the Coordination of Access to Information Requests (CAIR) system and identify requests that may be interdepartmental in scope or involve government-wide legal or policy issues.

Verification of Access Rights

Access to Information Policy:
§ Departments must ensure the requestor has right of access under the Act, review each record and consult with appropriate departments and government bodies to determine which portions, if any, may be exempt and sever these portions and release the rest.
§ Departments must maintain a system for processing requests that can account for all deliberations and decisions taken regarding each request.
§ Departments must identify any information requested that may represent a confidence of the Queen’s Privy Council, consult with Legal counsel and the Privy Council Office to confirm whether it qualifies as a Cabinet confidence. A certificate to assure the qualification is to be provided to the Information Commissioner on request.
§ Decisions regarding disclosure of third party information, information in the public interest (e.g. safety and health), and advice and recommendations must be made in accordance with the provisions of the Act.
§ Applicants must be notified of the reason for any exemption in a way that allows them to relate the specified provisions to specific documents or sections of documents that have been withheld.

Privacy and Data Protection Policy:
§ Consultation with Legal Counsel and the Privy Council Office is required where information requested may be considered to be Confidences of the Queen's Privy Council.
§ Requests for information must be reviewed to identify and sever any of the information that is exempt from disclosure. The requestor must be notified of the exemption applied, except where doing so would reveal exempted information or cause the injury, which forms the basis of the exemption.
§ Departments will coordinate requests with other departments or offices of special interest where their input is required to determine if information in the request should be exempt.

Providing Access

Access to Information Act:
§ Where access is to be given, the individual will be permitted to examine the information, in accordance with regulations, or be provided with a copy. The regulations stipulate that the individual must be informed: a) that the record may be examined in order to save reproduction costs; b) the individual may specify only certain parts of the record be reproduced; c) of the amount required to be paid as a deposit before the search or production of the record is undertaken or the record is prepared for disclosure; d) the estimated total cost of the search for the record and preparation for disclosure; and e) any amount required to be paid before access is given to the record including the cost of production or reproduction. (12)
§ The regulations stipulate the government institution may provide access to a record or part of it where the record is so lengthy that reproduction of the record would unreasonably interfere with operations of the institution; the record does not lend itself to reproduction; or copying it is prohibited under another Act of Parliament. The government institution may also determine that a person is to be given access to a copy of a record rather than a record where part of the record contains information that would not be disclosed; or the record is in a form that does not readily lend itself to examination.
§ The regulations stipulate that access will not be provided until the fee or portion required is paid and the government institution will provide reasonable facilities and set a time for the examination that is convenient both for the institution and the person.
§ Access will be provided if requested in one of the official languages of Canada within a reasonable period of time, if it is available in that language or if the head of the institution considers translation of the record to be in the public interest. (12)
§ Where the requestor has a sensory disability and requests information to be provided in an alternate format it will be given if it is available in the format or the head of the institution considers it necessary to exercise the individual's right of access and if it is reasonable to convert the record or part of it. (12)
§ Government institutions will provide facilities at the headquarters of the institution and at any such offices of the institution as are reasonably practicable where the public may inspect any manuals used by employees in administering or carrying out programs or activities of the institution that affect the public. Records or parts of records which the head of the institution is authorized to refuse disclosure do not have to be included. (71)

Access to Information Policy:
§ Applicants must be notified of the reason for any exemption in a way that allows them to relate the specified provisions to specific documents or sections of documents that have been withheld.
§ The government will recover fees for work done in processing access to information requests, except where waiver of fees is in the public interest.
§ Where available, access to information for individuals with a sensory disability will be provided in the preferred format. Conversion to an alternate format may be provided where reasonable in terms of cost and utility.

Complaints & Investigation

Access to Information Act:
§ Individuals may make a written complaint to the Information Commissioner within one year of making a request: a) if they have been refused access to a record requested under the act; b) if they consider the payment amount unreasonable; c) where time limits have been extended where they consider the extension unreasonable; d) if they have not been given access or within a reasonable time to records in the requested official language or an alternate form; e) in respect to any information index publication or bulletin; or f) in respect of any other matter relating to requesting or obtaining access to records under this Act. (30, 31)
§ Where the Information Commissioner feels there are reasonable grounds to investigate a matter relating to requesting or obtaining access to records under this Act, he may initiate a complaint. (30)
§ Prior to an investigation the Information Commissioner will notify the head of the government institution concerned regarding the intention to carry out an investigation and the substance of the complaint. (32)
§ The government institution will notify the Information Commissioner of any third party that has been notified in respect of the request, or would have if the institution had intended to disclose the record. (33)
§ Investigations are conducted in private and provide for representation by the person making the complaint, the head of the government institution that the complaint is launched against, and third parties whose disclosure rights are outlined in the Act, if they can be reasonably located. No one is entitled to be present or have access to or to comment on representations made to the Commissioner by any other person. (35)
§ The Information Commissioner may: summon persons and compel them to give written or oral evidence on oath and compel them to produce documents and things deemed requisite to the investigation; enter any premises occupied by any government institution (satisfying security requirements), examine or obtain copies of or extracts from books or other records; converse in private with persons in any premises entered; and examine any information recorded in any form under the control of a government institution (notwithstanding any other Act of Parliament or any privilege under the law of evidence) containing any matter relevant to the investigation. (36)
§ Any person summoned to appear before the Information Commissioner is entitled to receive the like fees and allowances as if summoned to appear before the Federal Court. (36)
§ Any documents or thing provided will be returned by the Information Commissioner within 10 days of request by the Commissioner, but may be requested again by the Commissioner. (36)
§ Except for prosecution for perjury under the Criminal Code, in prosecution of an offence under this Act, or in a review or appeal before Court under this Act, evidence given by a person in proceedings under this Act and evidence of the existence of the proceedings is inadmissible against that person in a court or in any other proceedings. (36)
§ If the Information Commissioner finds a complaint well-founded, the Commissioner will provide the head of the government institution in control of the record with a report containing the findings and recommendations that the Commissioner considers appropriate. The Commissioner may request the government institution to notify him within a time specified of the action taken or proposed to be taken to implement the recommendations or the reason why no such action has been or is proposed to be taken. (37)
§ After investigating a complaint, the Information Commissioner will report the results to the complainant and any involved third party entitled. Where access is not to be given the Information Commissioner will inform the complainant of their right to apply to the Court for review. Where notice has been requested from a government institution in control of the record, the complainant will not be advised until the expiration of time period set for the notice. If the notice is not forthcoming or is in the opinion of the Information Commissioner inadequate or inappropriate the report to the complainant may include comments as he thinks fit. (37)
§ If access is to be given the government institution will give access on giving the notice if no notice must be given to a third party, or if notice must be given to a third party within 20 days of third party notice (unless they request a review). (37)
§ In carrying out an investigation under this Act and in any report to Parliament the Information Commissioner and any person acting on his behalf or under his direction shall not disclose information: a) the head of a government institution would be authorized to refuse disclosure; or b) any information as to whether a record exists where the head of government institution refuses access and does not indicate whether it exists. (64)

Review by Federal Court

Access to Information Act:
§ Any person refused access to a record requested under this Act may apply to the Court for review within 45 days of the results of an investigation by the Information Commissioner. With the consent of the complainant the Information Commissioner may appear before Court on their behalf, or with leave of the Court appear as a party to any review applied for under this Act. (41, 42)
§ The government institution refusing access to a record will give written notification of the application for review to any third party who has been or would have been notified if access to the record would have been granted. (43)
§ A third party given notice of the government's intent to disclose information related to them may within twenty days after the notice is given apply to the Court for a review of the matter. The government institution will advise the access requestor of the application made by the third party. (44)
§ Any person who makes an application for review or is given notice of an application for review may appear as a party to the review. (42, 44)
§ The application will be heard in a summary way with the Court having access to any record to which this Act applies that is under the control of a government institution. The Court will take precautions to avoid disclosing information that the government institution would be authorized to refuse to disclose or does not have to indicate it exists. The Court may disclose to the appropriate authority information relating to the commission of an offence against any law of Canada or a province on the part of any officer or employee of a government institution. (45-47)
§ The burden to prove a record should not be disclosed lies with the government institution denying access. (48)
§ Where Court determines the government institution is not authorized or does not have reasonable grounds to refuse disclosure, they may order the government institution to disclose the record in full or part, subject to conditions deemed appropriate. Where they determine the record or part of a record should not be disclosed they will order the government institution not to disclose it. (50, 51)
§ The costs of and incidental to all proceedings will be in the discretion of the Court and may be awarded to an applicant where an application for review has raised an important new principle in relation to this Act. (53)

Reporting

Access to Information Act:
§ The Information Commissioner will submit an annual report to Parliament and may, at any time, make a special report to Parliament where the urgency of a matter should not be deferred. Reports may include information related to an investigation only after the investigation has been completed. (38, 39)
§ Reports made by the Information Commissioner will be transmitted to the Speaker of the Senate and the Speaker of the House of Commons for tabling in those Houses. After transmission for tabling the reports will be referred to the committee designated or established by Parliament for review. (40)
§ The administration of this Act will be reviewed on a permanent basis by such committee of the House of Commons, of the Senate or both Houses as may be designated or established by Parliament for that purpose. (75)
§ The head of every government institution shall submit an annual report to Parliament on the administration of the Act within the institution during the fiscal year. The report will be laid before each House of Parliament and then referred to a Parliamentary committee for review. (72, 75)

Auditor General Act:
§ The Auditor General shall report annually to the House of Commons and may make, in addition to any special reports made under subsection 8(1) and 19(2), not more than three additional reports in any year to the House of Commons on the work of his office and on whether, in carrying on the work of his office, he received all the information and explanations he required. Each report shall call attention to anything he considers to be of significance and of a nature that should be brought to the attention of the House of Commons, including cases observed that:
(a) accounts have not been faithfully and properly maintained or public money has not been fully accounted for or paid, where so required by law, into the Consolidated Revenue Fund;
(b) essential records have not been maintained or the rules and procedures applied have been insufficient to safeguard and control public property, to secure an effective check on the assessment, collection and proper allocation of the revenue and to ensure that expenditures have been made only as authorized; or
(e) satisfactory procedures have not been established to measure and report the effectiveness of programs, where such procedures could appropriately and reasonably be implemented. (7)


Government Access to Information

Financial Administration Act:
§ The Receiver General must keep records of public accounts and may request records, statements or other information from Ministers relative to the accounts. (63, 64, 65)

Public Service Employment Act:
§ Departments must provide the Commission with the assistance, information and access to their offices required for the performance of their duties. The Commission may conduct investigations and audits on any matter within its jurisdiction. (7)

Auditor General Act:
§ The Auditor General is entitled to information, reports and explanations from departments and crown corporations necessary to fulfil his responsibilities and will identify in his annual report if required information was provided. (13, 14, 7)

Library & Archives of Canada Act:
· Acquire and preserve the documentary heritage; make that heritage known to Canadians and anyone with an interest and facilitate access to it. (7)
· Provide information, consultation, research or lending services to facilitate access to documentary heritage. (8d)
· Notwithstanding anything in any other Act of Parliament, the Librarian & Archivist is to be given access to any records whose disposition the Librarian and Archivist has been asked to consent. (12.4) Consent by the PCO is required for access to confidences of the Queen's Privy Council. (15) Consent from the responsible person in a government institution is required for access to a record of a government institution that is restricted under Schedule II of the Access to Information Act. (12.3)

Statistics Act:
§ Document and record custodians must provide access to the Chief Statistician for information sought under this Act – to use or aid in its completion. (13)

Personnel Information Management Policy:
§ Departments must provide information to the central agencies in a timely manner, in particular the Treasury Board Secretariat and the Public Service Commission, about the management of human resources.

Canadian Security Intelligence Service Act:
Refer to mapping section: Security Intelligence Gathering and Investigations

Use of Records as Evidence or Proof

Financial Administration Act:
§ The register maintained (for securities management) is deemed a record, for the purpose of the Canada Evidence Act. (60 (3))
§ Books of accounts may be used as evidence in proceedings where money has been received on behalf of the government but has not been duly applied or paid over. (76, 77)

Personal Information Protection and Electronic Documents Act:
§ A provision of a federal law that provides that a certificate or other document signed by a minister or public officer is proof of any matter or thing, or is admissible in evidence, is, subject to the federal law, satisfied by an electronic version of the certificate or other document if the electronic version is signed by the minister or public officer with that person's secure electronic signature. (36)

Privacy Act:
§ Except for prosecution for perjury under the Criminal Code, prosecution for an offence under this Act or in a review before the Court under this Act or an appeal therefrom, evidence given by a person in proceedings and evidence of the proceedings is inadmissible against that person in a court or in any other proceedings. (34)

Canada Evidence Act:
§ The types of documentary evidence that can be used in a legal proceeding are detailed. (19-23)
§ Makes provisions for information (original or copies) to be accepted as a certified original in legal proceedings, and describes the conditions for admissibility into evidence. (24-30)
§ Provides rules for the admissibility of electronic documents in evidence, including the use of any standard, procedure, usage or practice concerning the manner in which electronic documents are to be recorded or stored. (31)
§ Makes provision for objection to disclosure of information before a court, person or body with jurisdiction to compel the production of information by certifying orally or in writing to the court, person, or body that the information should not be disclosed on the grounds of a specified public interest. Specifies the authority and timing for determining whether the information must be disclosed and for handling appeals that may arise from the disclosure determination. (37)
§ Where objection to disclosure of information is based on grounds that disclosure would be injurious to international relations or national defence or security, the objection may be determined only by the Chief Justice of the Federal Court or other judge of that Court the Chief Justice may designate to hear such applications. Objection hearings and appeals will be heard in camera, may include representations ex parte by the person who made the objection or requested the appeal, and may at the request of that person, be heard and determined in the National Capital Region. (38)
§ A minister of the Crown or the Clerk of the Privy Council may object to disclosure of information, on grounds that the information constitutes a confidence of the Queen’s Privy Council for Canada, before a court, person, or body with jurisdiction to compel the production of information. Disclosure of the information shall be refused without examination or hearing of the information by the court, person or body. A definition of a confidence of the Queen’s Privy Council for Canada is included. (39)

Statistics Act:
§ Except for prosecution under this Act, any return or copy made to Statistics Canada is privileged and may not be used as evidence in any proceedings. (18)

Charter of Rights and Freedoms:
§ A witness who testifies in any proceedings has the right not to have any incriminating evidence so given used to incriminate that witness in any other Canadian proceedings, except in a prosecution for perjury or for the giving of contradictory evidence. (13)

Privacy & Confidentiality

Definition of Personal Information

Privacy Act:
§ Defines personal information and personal information bank. (3, 10)


Personal Information Holdings Description

Privacy Act:
§ Institutions will include in personal information banks all personal information under the control of the institution that has been used or will be used for administrative purposes, or is organized to permit retrieval in a manner that identifies an individual (except where the information has been transferred to the Librarian & Archivist). (10)
§ The designated Minister will cause to be published at least annually an index of:
1) All personal information banks including: the identification and description, registration number and a description of the class of individuals to whom personal information contained in the bank relates; the name of the government institution that has control of the bank; the title and address of the appropriate officer to whom requests relating to personal information contained in the bank should be sent; a statement of the purposes for which the personal information in the bank was obtained or compiled; a statement of uses consistent with those purposes for which the information is used or disclosed; a statement of the retention and disposal standards applied to the personal information bank; and an indication, where applicable, that the bank was designated as an exempt bank and the basis on which the order was made.
2) All classes of personal information under the control of a government institution that are not contained in personal information banks including: a description of the class in sufficient detail to facilitate right of access; and the title and address of the appropriate officer for each government institution to whom requests relating to personal information within the class should be sent. (11)
§ The designated Minister will make the index available throughout Canada. (11)
§ The designated Minister shall keep under review the utilization of existing personal information banks and proposals for the creation of new banks, and shall make recommendations to government institutions with regards to personal information banks he feels are under-utilized or can be terminated. Review of personal banks may be delegated to the head of government institutions subject to the terms and conditions specified by the designated Minister. (71)
§ No new personal banks will be established or substantially modified without approval of the designated Minister. (71)

Privacy and Data Protection Policy:
§ Government institutions must account for and describe their holdings of personal information in accordance with the government-wide standards periodically issued by the Treasury Board Secretariat.

Right of Access to Government Held Personal Information

Privacy Act:
§ All individuals present in Canada may request and be provided access to personal information about them held by the government where they can provide sufficiently specific information on its location so as to render it reasonably retrievable by the government institution. (12)
§ Every individual given access to personal information is entitled to request correction and have any person or body who has used the information within two years of the request be notified of the correction. (12)

Access Exemptions

Privacy Act:
§ The Governor in Council may designate, by order, as exempt certain personal information banks that contain files all of which consist predominately of personal information relating to international affairs and defence, law enforcement and investigation, or policing services. The order will identify the basis under which the bank is exempt. Government institutions do not have to disclose personal information in an exempt bank. (18)
§ The head of a government institution shall refuse to disclose personal information if it was obtained in confidence from: a) the government of a foreign state or an institution thereof; b) an international organization of states or an institution thereof; c) the government of a province or institution thereof; or d) a municipal or regional government, unless the government, organization or institution consents to the disclosure or makes the information public. (19)
§ The head of a government institution may refuse to disclose personal information requested if: it could reasonably be expected to be injurious to federal-provincial, international affairs or defence; was lawfully obtained in the course of law enforcement or investigation by a designated investigative body; was obtained or prepared for the purpose of determining whether to grant security clearance; was collected or obtained while the individual was under sentence for an offence and disclosure could reasonably be expected to cause harm; where disclosure could reasonably be expected to be injurious to the enforcement of a law or conduct of lawful investigations; where it could reasonably be expected to threaten the safety of individuals; where it is about an individual other than requestor; where it would violate solicitor-client privilege; or where it relates to the physical or mental health of the individual and examination of it would be contrary to their best interests. (20-28)
§ This Act does not apply to: a) library or museum material preserved solely for public reference or exhibition purposes; or b) material placed in the Library & Archives of Canada, the National Gallery of Canada, the Canadian Museum of Civilization, the Canadian Museum of Nature or the National Museum of Science and Technology, by or on behalf of persons or organizations other than government institutions. (69.1)
§ This Act does not apply for use or disclosure of personal information (sections 7 and 8) that is publicly available. (69.2)
§ This Act does not apply to confidences of the Queen’s Privy Council for Canada, which are less than 20 years old. This Act does not apply to discussion papers (the purpose of which are to present background explanations, analyses of problems or policy options to Council for consideration by Council in making decisions) where the decisions to which the discussion papers relate have been made public or if four years have passed since the decisions were made. (70)
§ The head of a government institution may refuse to disclose personal information requested if: it would be injurious to federal-provincial, international affairs or defence; was lawfully obtained in the course of law enforcement or investigation; was obtained or prepared for the purpose of determining whether to grant security clearance; was collected or obtained while the individual was under sentence for an offence and would cause harm; where it would threaten the safety of individuals; where it is about an individual other than requestor; where it would violate solicitor-client privilege; or where it relates to

Privacy and Data Protection Policy
§ The Act does not apply to: library or museum material preserved solely for public reference; material placed in the Library & Archives of Canada, the National Gallery of Canada, the Canadian Museum of Civilization, the Canadian Museum of Nature or the National Museum of Science and Technology - by or on behalf of persons or organizations other than government institutions; personal information that is publicly available; and to confidences of the Queen’s Privy Council of Canada. (69-70)

Privacy and Data Protection Policy:
§ Consultation with Legal Counsel and the Privy Council Office is required where information requested may be considered to be Confidences of the Queen's Privy Council.
§ Requests for information must be reviewed to identify and sever any of the information that is exempt from disclosure. The requestor must be notified of the exemption applied, except where doing so would reveal exempted information or cause the injury which forms the basis of the exemption.
§ Departments will coordinate requests with other departments or offices of special interest where their input is required to determine if information in the request should be exempt.
§ Departments must consult with Treasury Board on any proposal for the establishment or revocation of an exempt bank. Requests for an exempt bank must be submitted to the designated Minister.

Privacy Impact Assessment

Privacy Impact Assessment Policy:
§ Institutions must develop and maintain Privacy Impact Assessments to evaluate whether program and service delivery initiatives comply with privacy legislation and policy requirements and resolve privacy issues that may be of public concern. Institutions must examine their own program legislation, regulation and policies to determine specific or additional privacy, information management and other requirements governing the personal information under their control.
§ There are differences between the federal and provincial and private sector codes that must be taken into account when collaborating on cross-jurisdictional initiatives. Where programs and services involve cross-jurisdictional or cross-sectoral activities, the provisions of all federal legislation and policies must be respected.
§ Institutions must conduct Privacy Impact Assessments in the early stages of the design or redesign of programs and services that raise privacy issues. Detailed criteria to assist in determining when to conduct an assessment are contained in the Privacy Impact Assessment Guidelines.
§ Institutions must undertake data analysis to identify all personal information associated with business processes.
§ Institutions must undertake privacy analysis to ensure and document that privacy principles, legislation and policies are adhered to and that privacy impacts and risks associated with program and service delivery activities have been resolved or mitigated. Assessments must address federal intra-departmental and inter-departmental initiatives, and initiatives involving other governments and the private sector.
§ Institutions must prepare a privacy impact analysis report to document their evaluation of the privacy risk, the implications of those risks and their discussion of possible remedies, options and recommendations to avoid or mitigate such risks.
§ Institutions must develop Privacy Impact Assessments within the context of the government-wide policies, guidelines, handbooks and checklists pertaining to sound project management, consistent with the Enhanced Management Framework.
§ Institutions seeking Preliminary Project Approval from Treasury Board pursuant to the Project Approval Policy must include the results of the Privacy Impact Assessment in the body of the submission or the project brief where applicable. Institutions seeking Effective Project Approval must provide a status report in the body of the submission or the project brief summarizing the actions taken or to be taken to avoid or mitigate any privacy risks.
§ Institutions must provide the Privacy Commissioner with a copy of the final Privacy Impact Assessment at a reasonably early stage prior to implementing the initiative, program or service.
§ Institutions must routinely make summaries of the results of their Privacy Impact Assessments available to the public through the internet and conventional publishing. Access to Information Act and Privacy Act and other considerations, such as cases where assessments could contain information that would render systems or security measures vulnerable, or refer to programs or services that have not been formally approved or announced, must be taken into account.

Collection of Personal Information

Privacy Act:
§ Personal information can only be collected where it relates directly to an operating government program or activity. Note: 1) The Act has a “stove-pipe” nature with information being collected program by program and not shared between programs even within departments, subject to allowable disclosure as outlined in section 8 of the Act. 2) Treasury Board policy requires the program or activity to have Parliamentary authorization. (4)
§ Information must be collected wherever possible from the individual to whom it relates except where the individual authorizes otherwise or where provisions under this Act exist for the information to be disclosed to the government institution without consent. Individuals must be informed of the purpose for its collection. Exemptions apply where collection from the individual may result in inaccurate information, defeat the purpose, or prejudice its use. (5)
§ Reasonable steps must be taken to ensure personal information used for administrative purposes is as accurate, up-to-date and complete as possible. (5)
§ Individuals may request corrections where they believe there is an error or omission and require that: 1) there be a notation attached to the information reflecting any correction requested but not made; 2) any person or body to whom the information has been provided for use within two years prior to the time a correction is requested or annotation required be notified of the correction or notation and, where the disclosure is to a government institution, the institution make the correction or notation on any copy of the information under its control. (12)

Privacy and Data Protection Policy:
§ Controls must be in place to limit collection of personal information to what is required for programs or activities. Note: The program or activity must have Parliamentary authority.
§ Individuals from whom information is being collected must be advised of the purpose, whether provision is voluntary or required by law, of the consequences of refusing to respond, of their rights of access and the registration number of the personal information bank in which the collected information will be contained.

Use of the Social Insurance Number

Privacy and Data Protection Policy:
§ Institutions must limit the use of Social Insurance Numbers for administrative purposes to those authorized by statute or regulation and for administering pensions, income tax, health and social programs.
§ Institutions must not withhold any right, benefit or privilege nor impose any penalty because of an individual’s refusal to disclose the SIN except for purposes authorized by statute or regulation or otherwise authorized by Parliament.
§ Individuals must be informed of the purpose for collecting the SIN, the authority under which the number is required, and whether any right, benefit or privilege can be withheld or penalty imposed if the number is not disclosed.
§ When the SIN is included in any personal information bank, it must be indicated in the Info Source description along with the authority under which the number is collected and the purposes for its use cited in Info Source.

Personnel Information Management Policy:
§ In response to concerns that the misuse of the SIN could threaten individual privacy, a decision was made to limit its collection and use in the federal government to those activities explicitly authorized by Cabinet. Federal government institutions are phasing out administrative use of the SIN. The Personal Record Identifier (PRI) was developed to identify federal government employees and associate an employee with his or her personal records in the federal Public Service. The PRI is used for internal administration within the federal government and is not given to outside organizations, such as unions, banks, and insurance companies. A separate identifier, the Individual Agency Number (IAN), is assigned to employees and used to replace the SIN when dealing with remittance agencies. The policy appendices provide Personal Record Identifier and Individual Agency Number guidelines.

Data-Matching Programs

Privacy and Data Protection Policy:
§ Prior to initiating a data-matching program, institutions must assess the feasibility by analyzing the potential impact on the privacy of individuals and the costs and benefits of the data-matching program.
§ Data matching is the comparison of personal data obtained from different sources to make decisions about the person from whom the information was collected. A data-matching program must be approved only by the head of the government institution or an official specifically delegated this authority by the head.
§ Institutions must notify the Privacy Commissioner of a new matching program by providing him with a copy of their assessment of the program at least 60 days before it is to begin.
§ All matching activities must be accounted for in Info Source.
§ Information generated by a matching program must be verified with original or additional authoritative sources before being used for administrative purposes.

Requesting Access

Privacy Act:
§ Requests for access to personal information will be made in writing to the institution holding the information and will be responded to within 30 days of request with a written notice in terms of whether access will be given in whole or in part. The requestor must provide sufficient information on the location of the information to render it reasonably retrievable by the government institution. (13, 14)
§ The institution may extend the time limit for 30 days if meeting it will unreasonably interfere with operations of the institution, where consultation is necessary, or where translation is deemed necessary under subsection 17(2) of the Privacy Act. In giving notice of extension, an individual will be advised of their right to make a complaint to the Privacy Commissioner. (15)
§ Where access is denied the notice will indicate either the personal information does not exist or the provision of the Act under which access would be denied if the information existed, and advise the individual of their right to make a complaint to the Privacy Commissioner. The government institution may but is not required to indicate whether the personal information exists. (16)
§ Where the government institution fails to provide access within the time limits set out, they will be deemed as having refused access. (16)

Providing Access

Privacy Act:
§ Where access is to be given, the individual will be permitted to examine the information, in accordance with regulations, or be provided with a copy. (17)
§ Access will be provided if requested in one of the official languages of Canada, if it is available in that language or if the head of the institution considers translation or interpretation necessary to enable the individual to understand the information. (17)
§ Where the requestor has a sensory disability and requests information to be provided in an alternate format it will be given if it is available in the format or the head of the institution considers it necessary to exercise the individual's right of access and if it is reasonable to convert the personal information. (17)

Privacy and Data Protection Policy:
§ Controls must be in place to ensure against the unauthorized disclosure of personal information, that privacy rights are considered where disclosure is discretionary, that a record of disclosure is maintained and that research privileges are withdrawn from any person or body improperly disclosing personal information.
§ Where the right of access to personal information is to be provided the institution must assist the individual in obtaining access to their personal information and satisfy themselves as to the identity of the individual requesting access and the individual’s right of access.
§ Where the right of access to personal information is to be provided the institution must keep a record of actions and decisions taken in processing the access request and any correction or notation under the Privacy Act.
§ Disclosure to an individual with a sensory disability will be provided in the preferred format where it is available. Conversion to an alternate format may be provided where reasonable in terms of cost and utility.

Disclosure of Personal Information

Privacy Act and Regulations:
§ Personal information under the control of the government will not be used without the consent of the individuals to whom it relates except for the purpose it was obtained or compiled for or for a use consistent with that purpose or where the Act authorizes disclosure by the government institution. (7)
§ A government institution has the discretion to disclose personal information without consent within the following circumstances:
a) for the purpose for which it was obtained or compiled or for a use consistent with that purpose;
b) for a purpose in accordance with an Act of Parliament or regulation that authorizes its disclosure;
c) for complying with a subpoena or warrant issued by a court, person or body with jurisdiction to compel the information or for complying with rules of court;
d) to the Attorney General of Canada for use in government legal proceedings;
e) on written request describing the purpose and information, to an investigative body specified in regulations for enforcing the law of Canada or province or for carrying out a lawful investigation;
f) under agreement with another government or organization for the purpose of administering or enforcing any law or carrying out a lawful investigation;
g) to a member of Parliament to assist the individual to whom the information relates in resolving a problem;
h) for use in internal audit, to the Office of the Comptroller General or any other person or body specified in the regulations for audit purposes;
i) to the National Archives of Canada for archival purposes;
j) to any person or body for research or statistical purposes if the head of the government institution is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the person to whom it relates and obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a way that could reasonably be expected to identify the individual to whom it relates;
k) to any aboriginal government, association of aboriginal people, Indian band, government institution or person working on their behalf for the purpose of researching or validating the claims, disputes or grievance of any of the aboriginal peoples of Canada;
l) to any government institution for the purpose of locating an individual in order to collect a debt owing to the government or make a payment owing to the individual by the government; and
m) for any purpose in the opinion of the head of the institution where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or the disclosure would clearly benefit the individual to whom the information relates. (8)
§ Subject to any other Act of Parliament, personal information under the custody or control of the Library & Archives of Canada that has been transferred by a government institution for archival or historical purposes may be disclosed in accordance with the regulations to any person or body for research or statistical purposes. (8)
§ Personal information that has been transferred to the Library & Archives of Canada by a government institution for archival or historical purposes may be disclosed to any person or body for research or statistical purposes where: a) the information is of a nature that disclosure would not constitute an unwarranted invasion of privacy to the individual to whom the information relates; b) the disclosure is in accordance with section 8 of the Act; c) 110 years have elapsed following the birth of the individual to whom the information relates; d) in cases where the information was obtained through the taking of a census or survey, 92 years have elapsed following the census or survey containing the information. (Regulations 6)
§ A copy of every request and the information disclosed without consent for enforcing the law or lawful investigation will be retained for a period prescribed by regulation and will be made available to the Privacy Commissioner on request. (8)
§ The government institution will notify the Privacy Commissioner in writing of any disclosure of personal information disclosed without consent for public interest or benefit of the individual, prior to disclosure where reasonable, in other cases on the disclosure. The Privacy Commissioner may notify the individual to whom the information relates if deemed appropriate. (8)
§ Government institutions will retain a record of any use or disclosure of personal information contained in a personal information bank for a use or purpose not included in the published personal information index. The record will be attached to the personal information, except where the purpose is to enforce the law or for lawful investigation, and the record will be deemed to form part of the personal information to which it is attached. (9)
§ Where personal information in a personal information bank is used or disclosed for a use consistent with the purpose for which it was obtained or compiled, but the use is not included in the personal bank index, the head of the institution will notify the Privacy Commissioner and will include the use in the next published index. (9)

Privacy and Data Protection Policy:
§ Departments must advise the Privacy Commissioner at an early stage of any planned initiatives that relate to the Privacy Act or may impact the privacy of Canadians.

Statistics Act:
§ Respondents must be advised of any statistical agencies and other parties to which information they provide may be communicated. Where the respondent gives written objection to the sharing of the information, to the Chief Statistician, the information will not be shared with a department or corporation unless the department or corporation is authorized by law to require the respondent to provide that information. (11, 12)
§ Except for communicating information in accordance with this Act no person, other than a person employed or deemed employed under this Act, is permitted to examine any identifiable individual return. (17)
§ Information, except identified exceptions, will not be disclosed in a manner that identifies an individual person, business or organization. (17)

Public Service Employment Act:
§ The Commission may make regulations respecting the disclosure of personal information obtained in the course of an investigation, inquiry or procedure for appointment under this Act. (35 (2)f)

Retention of Personal Information

Privacy Act:
§ Personal information pertaining to an individual that has been used by a government institution for an administrative purpose must be retained by the institution for at least two years following the last use unless the individual consents to disposal. Where a request for access to the information has been received, it shall be retained until such time as the individual has had opportunity to exercise all of his rights under the Act.
(6, Regulations 4) § Where a request for access to personal information is received, a copy of every request received and a record of any information disclosed will be retained for a period of at least two years following the date on which the access request was received by the institution. (Regulations 7) § Where personal information is under the control of a government institution at a post abroad, the head of the post or senior officer in charge may order the destruction of information in an emergency in order to prevent removal of the information from control of the institution. (Regulations 4) § Government institutions will dispose of personal information in accordance with regulations, directives or guidelines issued by the designated Minister in relation to its disposal. (6)

Complaints & Investigation

Privacy Act:
§ Individuals or a person working on their behalf with their consent may make a written complaint to the Privacy Commissioner in respect to their right of access for personal information requests and government compliance with the legislation. Where the Privacy Commissioner is satisfied there are reasonable grounds to investigate a matter under this Act, the Commissioner may initiate a complaint. (29-30)
§ The Privacy Commissioner may initiate investigations related to matters of collection, retention or disposal of personal information by a government institution, disclosure, requesting or obtaining access. (29)
§ Before commencing an investigation of a complaint the Privacy Commissioner will notify the head of the institution involved of the substance of the complaint. (31)
§ Subject to this Act the Privacy Commissioner may determine the procedure for the performance of any duty or function of the Commissioner under this Act. (32)
§ Investigations are conducted in private and provide for representation by the person making the complaint and the head of the government institution that the complaint is launched against. No one is entitled to be present or have access to or to comment on representations made to the Commissioner by any other person. (33)
§ The Privacy Commissioner may: summon persons and compel them to give written or oral evidence on oath and compel them to produce documents and things deemed requisite to the investigation; enter any premises occupied by any government institution (satisfying security requirements), examine or obtain copies of or extracts from books or other records; converse in private with persons in any premises entered; and examine any information recorded in any form under the control of a government institution (other than confidences of the Queen's Privy Council) containing any matter relevant to the investigation. At the discretion of the Privacy Commissioner any person summoned to appear is entitled to receive the like fees and allowances as if summoned to appear before the Federal Court. Any documents or things provided will be returned by the Privacy Commissioner within 10 days of request by the Commissioner, but may be requested again by the Commissioner. (34)
§ If the Privacy Commissioner finds a complaint well-founded, the Commissioner will provide the head of the government institution in control of the personal information with a report containing the findings and recommendations that the Commissioner considers appropriate. The Commissioner may request the government institution to notify him within a specified time of the action taken or proposed to be taken to implement the recommendations or the reason why no such action has been or is proposed to be taken. (35)
§ After investigating a complaint the Privacy Commissioner will report the results to the complainant and, where access is not to be given, the Privacy Commissioner will inform the complainant of their right to apply to the Court for review. Where notice has been requested from a government institution, the complainant will not be advised until the expiration of the time within which the notice is to be given to the Commissioner. If the notice is not forthcoming or is, in the opinion of the Privacy Commissioner, inadequate or inappropriate, the report to the complainant may include comments as he thinks fit. (35)
§ In carrying out an investigation under this Act and in any report to Parliament the Privacy Commissioner and any person acting on his behalf or under his direction shall not disclose: a) information the head of a government institution would be authorized to refuse disclosure of; or b) any information as to whether a record exists where the head of a government institution refuses access and does not indicate whether it exists. (65)

Review by Federal Court

Privacy Act:
§ Any person who has been refused access to a record requested under this Act may apply to the Court for review within 45 days of the results of an investigation by the Information Commissioner. With the consent of the complainant the Information Commissioner may appear before Court on their behalf, or with leave of the Court appear as a party to any review applied for under this Act. (41-42)
§ The Privacy Commissioner may apply to the Court for review of any file contained in a personal information bank designated as an exempt bank. If on review the Court determines the information bank should not be exempt it will order the head of the institution that has control of the bank to remove the file from the bank. (43, 50)
§ The application will be heard in a summary way. Notwithstanding any other Act of Parliament or any privilege under the law, the Court has access to any record to which this Act applies that is under the control of a government institution, other than a confidence of the Queen's Privy Council. The Court will take precautions to avoid disclosing information that the government institution would be authorized to refuse to disclose or does not have to indicate if it exists. The Court may disclose to the appropriate authority information relating to the commission of an offence against any law of Canada or a province on the part of any officer or employee of a government institution. (44-46)

§ The burden to prove a record should not be disclosed lies with the government institution denying access. (47)
§ Where the Court determines the government institution is not authorized or does not have reasonable grounds to refuse disclosure of the personal information, it may order the government institution to disclose the personal information, subject to conditions deemed appropriate. (48, 49)
§ The costs of and incidental to all proceedings will be in the discretion of the Court and may be awarded to an applicant where an application for review has raised an important new principle in relation to this Act. (52)

Review and Audit by the Privacy Commissioner

Privacy Act:
§ The Privacy Commissioner may carry out investigations of files contained in personal exempt banks, make recommendations to the head of institutions in control of the banks, and request they provide notice of their intent to action recommendations. Where no notice is received in the specified timeframe or the Privacy Commissioner feels the response inadequate or inappropriate, he may make an application for review by the Federal Court. (36)
§ The Privacy Commissioner may carry out investigations of government institution compliance with the legislation, provide the head of institutions with a report containing findings and recommendations, and may include the report in a report made to Parliament. (37)
§ The designated Minister will review the use of personal banks, make recommendations as to their disposition, provide guidelines as required, and publish annually an index of all personal information (held in banks and otherwise) under the control of the government. (11, 71, 72)

Reporting

Privacy Act:
§ The Privacy Commissioner will make an annual report to Parliament on the activities of his office during the year and may also at any time make a special report to Parliament on any matter within the scope of powers, duties and functions of the Commissioner where the matter is of an urgent nature. (38, 39)
§ Reports made by the Privacy Commissioner will be transmitted to the Speaker of the Senate and the Speaker of the House of Commons for tabling in those Houses. After transmission for tabling the reports will be referred to the committee designated or established by Parliament for review. (40)
§ Reports made by and notices received by the Privacy Commissioner on reviews of exempt banks may be included in the annual report made to Parliament. (36)
§ Requires the head of each government institution to prepare an annual report for Parliament on their administration of this Act to be laid before both Houses and referred to a Parliamentary committee for review. (72, 75)

Intellectual Property

Intellectual Property Rights

Copyright Act:
§ Copyright in relation to a work means the sole right to produce or reproduce it or any substantial part of it, in any material form, to perform, or to publish it. Subject to the Copyright Act the author is the first owner of the copyright. (3)
§ Unless a specific ownership agreement is in place any work prepared or published by or under the direction of the government belongs to the government and shall continue to belong for the remainder of the calendar year of first publication and for a period of fifty years following the end of that calendar year. (12)

Communications Policy:
§ Institutions must comply with the copyright legislation and policies and ensure that the ownership rights associated with works subject to copyright are fully respected in all media applications. Institutions must manage the administration and licensing of Crown copyright in co-ordination with Public Works and Government Services Canada and comply with Treasury Board's Common Services Policy and Policy on Title to Intellectual Property Arising under Crown Procurement Contracts. Institutions must comply with the requirements of the Federal Identity Program with respect to Government of Canada symbols and identifiers protected under the Trade Marks Act.

Financial Administration Act:
§ All books, papers, accounts and documents kept or used by any officer or person who is or has been employed in the collection or management of revenue belong to the government. (82)

Copyright Infringement

Copyright Act:
§ The Act sets limits on copyright and identifies acts and conditions that represent fair dealing of copyrighted works that do not constitute copyright infringement. (29-32.2)
§ It is an infringement for any person, without the consent of the copyright owner, to sell or rent out; distribute to such an extent as to affect prejudicially the owner of the copyright; or by way of trade distribute, expose or offer for sale or rental, or exhibit in public. (27)
§ Where a copyright has been infringed, the owner of the copyright is entitled to remedies by way of injunction, damages, accounts, delivery up and other measures that may be conferred by law for the infringement of right. (34)

Security

Security provisions are outlined in terms of security classification and access rules; authentication of electronic documents; required personnel security levels; information protections; and personal security.

Freedom and Security Rights

Canadian Charter of Rights and Freedoms:
§ Provides for freedom of thought, belief, opinion, religion, freedom of association, and expression, including freedom of the press and other media of communication. (2)
§ Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice. (7)
§ Everyone has the right to be secure against unreasonable search or seizure. (8)
§ Everyone has the right on arrest or detention to be informed promptly of the reasons, to retain and instruct counsel without delay and to be informed of that right; and to have the validity of the detention determined by way of habeas corpus and to be released if the detention is not lawful. (10)
§ Any person charged with an offence has the right to be informed without unreasonable delay of the specific offence and not to be compelled to be a witness in proceedings against that person in respect of the offence. (11 a, c)

Asset Classification and Threat Assessment

Government Security Policy:
§ Information that is reasonably likely to be exempted or excluded from access under provisions of the Access to Information Act and the Privacy Act must be designated or classified as confidential, secret, or top secret as identified in the Security Policy.
§ Material and information technology assets are to be classified and designated according to their confidentiality, integrity, availability and value.

Electronic Authorization and Authentication Policy:
§ Departments must perform a threat and risk assessment to evaluate the potential threats to the electronic business system as well as to the electronic authorization and authentication process and to determine the level of control required to minimize the risks, commensurate with costs.

Personnel Security Checks & Considerations

Government Security Policy:
§ Security reliability checks and assessments are to be conducted on employees consistent with the duration of employment, and information and assets to which they have access.

Electronic Authorization and Authentication Policy:
§ When physical objects such as diskettes, tokens or cards are used, departments must ensure that every object holder is informed of his or her responsibilities and restrictions regarding the use of the objects and agrees to them. Physical objects are to be used as personal access devices which link an object with only one individual.

Security of Information Act:
§ The Act permanently binds a variety of public servants (specifically identified in the Act) to secrecy in respect of special operational information, which is defined to include information about the means on any vulnerabilities or weaknesses in respect of the means that Canada uses to covertly obtain or deal with information or in respect who has been the object of covert collecting of information. In addition, anyone who is personally served with notice that they are permanently bound to secrecy in respect of the above information the deputy head of the institution can designate a person as permanently bound to secrecy if the deputy head is of the opinion that the person had, has or will have authorized access to special operational information and it is in the interests of national security to designate the person. (8-15)

Security Intelligence Gathering and Investigations

Canadian Security Intelligence Service Act:
§ The Service shall collect, by investigation or otherwise, to the extent that is strictly necessary, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada. (12)
§ The Service may conduct investigations to provide security assessments to departments of the GC. With approval from the Minister, it may enter into an arrangement with the government or department of a province or any police force in a province (with the approval of the Minister responsible for policing the province) to provide security assessments. With approval of the Minister and after consultation by the Minister with the Minister of Foreign Affairs, it may enter into an arrangement with the government of a foreign state or an international organization of states to provide security assessments. (13, 15)
§ The Service may conduct investigations and advise any minister of the Crown on matters relating to the security of Canada or provide any minister of the Crown with information relating to security matters or criminal activity that is relevant to the exercise of any power or performance of any duty or function by that Minister under the Citizenship Act or the Immigration Act. (14, 15)
§ In relation to the defence of Canada or the conduct of the international affairs of Canada, the Service may assist the Minister of National Defence or the Minister of Foreign Affairs, within Canada, to collect information or intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states or person other than a Canadian citizen, permanent resident (within the meaning of the Immigration Act) or corporation incorporated by or under an Act of Parliament or of the legislature of a province. Personal consent in writing of the Minister and the Minister of National Defence or Minister of Foreign Affairs is required. (16)
§ With approval of the Minister, the Service may enter into an arrangement or cooperate with any department of the Government of Canada, the government or department of a province, any police force in a province (with approval of the Minister responsible for policing in the province) or, after consultation by the Minister with the Minister of Foreign Affairs, the government of a foreign state or international organization of states. (17)
§ Where there are reasonable grounds to believe that a warrant is required to enable the Service to investigate a threat to the security of Canada or to perform its role in collecting information or intelligence relating to the defence of Canada or the conduct of the international affairs of Canada, a warrant may be issued for a specified period of time allowing the Service: to intercept communications; to enter any place or open or obtain access to any thing; to search for, remove or return, or examine, take extracts from or make copies of or record in any manner the information, record, document or thing; or to install, maintain or remove any thing. (21)

Information Protection and Confidentiality

Government Security Policy:
§ Sensitive information and assets are to be safeguarded to at least the level of standards set out in the GSP and according to an assessment of related threats and risks.
§ Access to classified information and assets is to be limited to those whose duties require access and have the required level of security clearance.
§ Security breaches are to be reported and investigated, and appropriate corrective action taken.

Security of Information Act:
§ Refer to Personal Information Offences and Liability under Liability

Electronic Authorization and Authentication Policy:
§ The integrity of electronic business transactions must be maintained at all times.
§ A complete audit trail of the electronic business transactions, including electronic authorization and authentication, must be maintained.
§ When required, the confidentiality of transactions will be ensured by encrypting part or all of the data or transaction.

MGI Policy:
§ Ensure the appropriate security, protection, and disposition of information.
§ Protect essential records.
§ Safeguard from improper disclosure, use, disposition or destruction, in accordance with legal and policy obligations.

Canadian Security Intelligence Service Act:
§ No person shall disclose information obtained or to which they had access through performing their duties and functions under this Act, except as authorized by the Act. (18, 19)

Electronic Authentication and Authorization

Electronic Authorization and Authentication Policy:
§ Provides definitions for business transaction, electronic authorization, electronic authentication, confidentiality, data integrity, digital signature, encryption and key management.
§ Departments must establish policies and procedures that will ensure that an adequate level of control is maintained on all processes involving the electronic authorization and authentication of business data.
§ Departments must establish policies and procedures that will ensure that the distribution and communication of authorities and the delegation process itself, when in an electronic form, are protected by an approved digital signature and key management process. Encryption and key management processes for EAA must be endorsed or approved by CSE.
§ A digital signature must be used to authorize electronic business transactions.
§ The method used to generate the digital signature must employ both special knowledge (e.g. password) and physical possession of an object (e.g., diskette, token or card etc.).
§ For every system where a digital signature is used, a risk and threat analysis will determine whether a physical object must be used. For existing systems and systems under development, departments are allowed a period of two years starting from the effective date of this policy to complete the risk and threat analysis and meet the requirements of the policy.
§ Electronic authorizations of electronic business transactions must be authenticated.
§ The electronic authentication process must effectively and positively identify the authorizer, in such a way that he or she will not be able to credibly deny having authorized a transaction.
§ The integrity and confidentiality of the electronic authorization and authentication system and processes must be maintained at all times.

Access Authority Management

Government PKI Management Policy:
§ Provides rules for establishing Certification Authorities; membership in the GC PKI and the GC PKI Policy Management Authority; cross-certification with Certification Authorities inside and outside of the government; and procurement of certification authority services from other departments and the private sector.
§ Requires departments to have a repository associated with its Certification Authority and register it with the government registrar for repository services (Registrar of Repositories).
§ Requires departments to manage information created as part or in course of the performance of Certification Authority activities – including personal information about employees, external subscribers and relying parties – in accordance with government laws, such as the Library & Archives of Canada Act, the Access to Information Act and the Privacy Act.
§ Requires departments to keep a copy of employees' private confidentiality keys for data recovery purposes; notify its employees that their private confidentiality keys are backed up; and notify employees when the department accesses their private confidentiality keys for business purposes.
§ Prohibits departments from backing up the private confidentiality keys of external subscribers without their consent; accessing or disclosing the private confidentiality keys of external subscribers except with their prior consent, or where required by law; or keeping a copy of private digital signature keys.

Monitoring Electronic Networks

Policy on the Use of Electronic Networks:
Refer to Monitoring Electronic Networks under Technology Considerations

Liability

Government Liability

Access to Information Act:
§ No civil or criminal proceedings lie against the Information Commissioner or against any person acting on his behalf or under his direction for anything done, reported or said in good faith in the course of the exercise or performance of their duty under this Act. (66)
§ For the purposes of any law relating to libel or slander: a) anything said or information supplied or any document or thing produced in good faith in the course of an investigation by or on behalf of the Information Commissioner under this Act is privileged; and b) any report made in good faith by the Information Commissioner under this Act and any fair and accurate account of the report made in good faith in a newspaper or any other periodical publication or in a broadcast is privileged. (66)
§ Notwithstanding any other Act of Parliament, no civil or criminal proceedings lie against the Crown, head of a government institution or any person acting under their direction or on their behalf for the disclosure in good faith of any record or part thereof pursuant to this Act, for any consequences that flow from that disclosure, or for failure to give any notice required if reasonable care is taken to give the required notice. (74)
§ Provides sanctions (a fine up to $10,000 and imprisonment up to two years) against any person who destroys, falsifies, or conceals government information in an attempt to deny right of access to information or obstructs the Information Commissioner in the performance of his duties and functions. (67)

Privacy Act:
§ No civil or criminal proceedings lie against the Privacy Commissioner or against any person acting on his behalf or under his direction for anything done, reported or said in good faith in the course of the exercise or performance of their duty under this Act. (67)
§ For the purposes of any law relating to libel or slander: a) anything said or information supplied or any document or thing produced in good faith in the course of an investigation by or on behalf of the Privacy Commissioner under this Act is privileged; and b) any report made in good faith by the Privacy Commissioner under this Act and any fair and accurate account of the report made in good faith in a newspaper or any other periodical publication or in a broadcast is privileged. (67)
§ Notwithstanding any other Act of Parliament, no civil or criminal proceedings lie against the Crown, head of a government institution or any person acting under their direction or on their behalf for the disclosure in good faith of any record or part thereof pursuant to this Act, for any consequences that flow from that disclosure, or for failure to give any notice required if reasonable care is taken to give the required notice. (74)
§ Any person obstructing the Privacy Commissioner or any person acting on his behalf in the performance of their duties under this Act is guilty of an offence and liable on conviction to a fine. (68)

Crown Liability and Proceedings Act:
§ The government is liable in tort for damages for which, if it were a private person of full age and capacity, it would be liable in respect of activities committed by a servant of the Crown or in respect of a breach of duty attaching to the ownership, occupation, possession or control of property. (3)
§ Unless lawfully made or where consent is given, where a government employee intercepts, uses or discloses the existence or content of a private communication or radio-based telephone communication, or any part of the substance, the Crown is liable for all loss or damage caused and for punitive damages in an amount not exceeding five thousand dollars, to each person who incurred that loss or damage. (17, 18)

Canadian Security Intelligence Service Act:
§ The use or disclosure of any communication intercepted under this Act is exempt from the provisions of section 18 of the Crown Liability and Proceedings Act and Part VI of the Criminal Code. (25, 26)

Policy on the Use of Electronic Networks:
§ Activity that can expose authorized individuals or the employer to civil liability if a Public Service employee performs unlawful activity in the course of his or her employment includes disclosing or collecting sensitive data without authorization; defamation; and inaccurate information.

Statistics Act:
§ Every person who, after taking the oath set out in subsection 6(1), deserts from his duty, wilfully makes a false declaration, statement or return in the performance of his duties, obtains or seeks to obtain information they are not authorized to obtain, or contravenes the security provisions set out in section 17, is guilty of an offence and is liable to fine and imprisonment. (30)
§ Every person having the custody or charge of any documents or records that are maintained in any department or in any municipal office, corporation, business or organization, who refuses or neglects to grant access to any person authorized to obtain it under this Act, or who in any way wilfully obstructs or seeks to obstruct execution of this Act is guilty of an offence and liable to fine and imprisonment. (32)
§ Every person who, after taking the oath set out in subsection 5(1), misrepresents themselves in making an inquiry or discloses information to anyone not entitled to it under this Act or uses the information for speculation or other personal reasons is guilty of an offence and liable to fine and imprisonment. (34, 35)

Limitations on Government Liability

§ Notwithstanding any other Act of Parliament, no civil or criminal proceedings lie against the Crown or any government institution or any person acting under their direction or on their behalf for the disclosure in good faith of any personal information pursuant to this Act if reasonable care is taken to give the required notice. (74) [Privacy Act]
§ Departments must establish and communicate limits on liability for each assurance level of certificate that are no less than those indicated in the GC Certificate Policies. [Government PKI Management Policy]
§ Departments must adopt and comply with procedures and rules determining the allocation of financial responsibility and accountability for any losses, judgements, awards or settlements among members of the GC Public Key Infrastructure. [Government PKI Management Policy]

Personal Information Offences and Liability

§ Every person who, without lawful excuse, refuses or neglects to answer questions or furnish information as required by this Act, or who wilfully answers falsely is guilty of an offence and liable on summary conviction to a fine not exceeding five hundred dollars or to imprisonment for a term not exceeding three months or both. (31) [Statistics Act]
§ "Any purpose prejudicial to the safety or interests of Canada" is defined and includes 14 paragraphs. For example, it includes anything that impairs or threatens the capabilities of the Government of Canada in relation to security and intelligence (i), which would include disclosing a document that exposes a weakness in Canada's security or intelligence operations. It also includes impairing or threatening the capability of the Government of Canada to conduct diplomatic relations or to conduct and manage international relations (l). It includes committing an offence against the laws of Canada or a province that is punishable by a maximum term of imprisonment of two years or more in order to advance a political, religious or ideological purpose (a). It includes committing, inside or outside Canada, a terrorist activity (b) (as defined in s. 83.01 of the Criminal Code). (3) [Security of Information Act]
§ It is an offence for any person with a "secret official document" (these words are not defined), entrusted to him or her in confidence by any person holding office under Her Majesty, to communicate the document to any person to whom he is not authorized to communicate the document, to use the document in a manner that is prejudicial to the safety or interests of Canada, to retain the document when he has no right to retain it, and to fail to take reasonable care of the document or information. (4) [Security of Information Act]
§ It is an offence for any person to retain any "official" (undefined) document for any purpose prejudicial to the safety or interests of Canada when he has no right to retain it. (4:4a) [Security of Information Act]
§ It is an offence for any person, for a purpose prejudicial to the safety or interests of Canada, to make a false statement in any declaration, application or document; or (i) to tamper with any passport or any military, police or official pass, permit, certificate or other document of a similar character. (5:1b) [Security of Information Act]
§ It is an offence to be in the neighbourhood of a prohibited place for a purpose prejudicial to the safety or interests of Canada, or to interfere with a peace officer in a prohibited place. A prohibited place is defined as (a) any work of defence belonging to or occupied or used by or on behalf of Her Majesty, (b) any place not belonging to Her Majesty where any munitions of war or any sketches, plans, models or documents relating thereto are being made, repaired, obtained or stored under contract with, or with any person on behalf of, Her Majesty or otherwise on behalf of Her Majesty, and (c) any place that is for the time being declared by order of the Governor in Council to be a prohibited place on the ground that information with respect thereto or damage thereto would be useful to a foreign power. (6-7) [Security of Information Act]
§ The Act permanently binds a variety of public servants to secrecy in respect of special operational information. It is an offence for anyone who is permanently bound to secrecy to communicate or confirm information that, if it were true, would be special operational information. It is not relevant for the purposes of the prosecution whether the information is actually true. No person is guilty of the above offences if the person establishes that he or she acted in the public interest. The public interest that must be shown must be a disclosure of an offence under an Act of Parliament that the person reasonably believes has been, is being or is about to be committed by a person in the purported performance of their functions with the Government of Canada. In those cases of disclosure, the person must have brought his or her concern and provided all relevant information to his or her deputy head or, if not reasonably practical in the circumstances, to the Deputy Attorney General of Canada. If there was no response within a reasonable time, the individual is required to present all relevant information to the Security Intelligence Review Committee or to the Communications Security Establishment Commissioner. The requirement to go to SIRC or the CSE Commissioner does not apply if the communication or confirmation of the information was necessary to avoid grievous bodily harm or death. In addition, the public interest in disclosure must outweigh the public interest in non-disclosure. In considering whether the public interest applies, the court must consider whether the information disclosed was no more than necessary to disclose the offence, whether the person resorted to other reasonably accessible alternatives before making the disclosure and whether the person complied with any relevant guidelines, policies or laws that applied to the person, among other criteria. (13-15,17) [Security of Information Act]
§ It is an offence for any person to communicate information to a foreign state, government or political faction whose stated purpose is to assume the role of government of a foreign state if the person is reckless as to whether the information is information that the Government of Canada or a province is taking measures to protect and harm to Canadian interests results. (16-18) [Security of Information Act]
§ It is an offence for any person, for the benefit of or in association with a foreign economic entity, to fraudulently and without colour of right and to the detriment of Canada's economic interests communicate, obtain, alter or destroy a trade secret. (19) [Security of Information Act]
§ It is an offence for any person for the benefit of or in association with a foreign state, government or political faction whose stated purpose is to assume the role of government of a foreign state to attempt to induce by threat or violence any person to do anything that is reasonably likely to harm Canadian interests. The offence occurs whether or not the threat or violence occurs in Canada. (20) [Security of Information Act]
§ Harbouring or concealing a person likely to commit one of the above offences, doing things specifically directed towards the preparation or commission of any of the offences in ss. 16, 17, 19 or 20 (including obtaining, retaining or gaining access to any information), asking a person to commit such offences, or possessing any device or software useful for concealing or surreptitiously communicating the content of information. (21-23) [Security of Information Act]
§ Note: Under section 486 of the Criminal Code, the court may exclude all or any members of the public from the court room for all or part of the proceedings if the judge is of the opinion that doing so is in the interest of public morals, the maintenance of order or the proper administration of justice, or that doing so is necessary to prevent injury to international relations or national defence or national security. [Security of Information Act]

Refer to Authorized Use of Electronic Networks under Technology Considerations. [Policy on the Use of Electronic Networks]

Official Languages

Equality of Status

§ Equality of status and equal rights and privileges of English and French as to their use in all institutions of the Parliament and Government of Canada, including printed and published materials. (16-18) [Canadian Charter of Rights and Freedoms]
§ The Canadian public has the right to communicate with and receive available services from any head or central office of an institution of the Parliament or government of Canada in English or French - and has the same right with respect to any other office of any such institutions - where there is a significant demand for service in that language and communication in the language is reasonable given the nature of the office. (20) [Canadian Charter of Rights and Freedoms]
§ Proceedings of parliament will allow the right of debate in either official language, provide for simultaneous interpretation and provide official reports in both official languages. (4) [Official Languages Act]
§ Legislative and other government instruments and the administration of justice will be available in both official languages, have equal prominence, be simultaneously available and equally authoritative, subject to exceptions outlined in the Act. (5-20) [Official Languages Act]
§ Any member of the public in Canada has the right to communicate with and receive available services from federal institutions in either official language, subject to location and nature of service. Federal institutions that report directly to Parliament must ensure the public can communicate with them and obtain available services from all of their offices or facilities in Canada or elsewhere in either official language. The availability of services in the language of choice must be actively offered to the public. (21-24) [Official Languages Act]
§ Federal institutions must ensure that communications to the public and services provided on their behalf meet the same language requirements as if the service was offered by the federal institution itself. (25) [Official Languages Act]

§ Where there is a duty to use both official languages, it applies to oral and written communication and in respect of any documents or activities that relate to the communications or services. (27-33) [Official Languages Act]
§ English and French are the languages of work in federal institutions and officers and employees have the right to use either language subject to the provisions outlined in the Act. (34-38) [Official Languages Act]
§ The government will provide equal opportunity for English and French speaking Canadians and advance the use of both languages in society. (41-45) [Official Languages Act]
§ Communications must respect the equality of status of the two official languages as established in the Canadian Charter of Rights and Freedoms and given effect through the Official Languages Act and Regulations and policy. Institutions must abide by requirements of the Federal Identity Program concerning visual representation of the official languages in communications or information material. [Communications Policy]
§ Official language requirements must be met for finished productions in film, video, CD and multimedia formats. [Communications Policy]
§ Ensure information technology allows services to be provided to the public in both official languages. [MIT Policy]

Communications

Informing and Communicating with the Public

§ Institutions must provide the public with open access to information about policies, programs, services and initiatives, subject to law and government policy. Information for public use must be disseminated or readily available in all regions of Canada using all forms of media practical, and the communication needs of Canadians travelling or residing abroad must be taken into account. Opportunities must be available for the public to provide feedback on major policies, programs, services and initiatives, with such feedback carefully considered to help make improvements. Information about an institution’s mission, structure, programs and services must be provided to Public Works and Government Services Canada for public access through 1-800 O-Canada and the Canada Site portal. [Communications Policy]
§ Institutions must maintain an active presence on the Internet to enable 24-hour electronic access to public programs, services and information. Internet communications must conform to government standards and policies. [Communications Policy]
§ Institutions must maintain a capacity for technology innovation and new media, staying current with developments in communications practice and technology. As they adopt new means to enhance public access, institutions must continue to reach, in a timely manner, citizens whose access to technology may be limited or who prefer to receive government information through more traditional means. [Communications Policy]
§ Information for the public, internal communications, and Parliament or any other official body must be in plain language - clear, relevant, objective, easy to understand and useful. [Communications Policy]
§ Institutions must provide information free of charge when it is in their control, subject to criteria defined in the Communications Policy. [Communications Policy]
§ Institutions must develop plans and strategies for communicating risk to the public, effectively communicate risk, foster open dialogue with the public on issues involving risk, facilitate the interactive exchange of information on risk and risk-related factors, and follow Treasury Board policy direction on risk management in the delivery of programs and services. [Communications Policy]

§ Plans, partnerships, responsibilities, tools and methods must be in place to allow government officials to communicate effectively and efficiently in both official languages during an emergency or crisis, providing accurate, relevant, and consistent information. Agreement among governments and their institutions regarding responsibility for communications must be clear and lead responsibility must be identified as part of the planning process. [Communications Policy]
§ Coordination between headquarters and regional operations in communication matters is essential and includes Privy Council Office where coordination between multiple institutions is required. [Communications Policy]
§ Institutions must cultivate proactive relations with the media and promote public awareness and understanding of government policies, programs, services and initiatives. Institutions must respect the authority and responsibility of Parliament, whose members are entitled to learn about planned legislative initiatives before information about them is released to the media. [Communications Policy]
§ Institutions must identify opportunities to inform the public about significant initiatives or contributions of the Government of Canada. Public events and announcements, including news conferences, must be arranged from time to time for communication purposes. [Communications Policy]
§ An institution’s senior management must designate managers and knowledgeable staff in head offices and in the regions to act as spokespersons, speaking in an official capacity on issues or subjects for which they have responsibility and expertise. [Communications Policy]
§ Internal communication must be open and collaborative, both informing employees and listening to their ideas, concerns and suggestions. Information must be communicated to employees before or at the same time as to the public. [Communications Policy]

Publications, Publishing and Productions

§ Publications and other communication materials must depict the diverse nature of Canadian society, respect the requirements of the Canadian Multiculturalism Act, and reflect and address the needs and interests of local and regional populations. [Communications Policy]
§ Institutions must facilitate public access to their publications as outlined in the Communications Policy. [Communications Policy]
§ Communication materials and published information in all formats must be well catalogued and securely maintained to ensure current as well as long-term accessibility. [Communications Policy]
§ Production, distribution, and evaluation of motion picture films, videotapes, television programs, and interactive videodiscs, CD ROMs and multimedia production must be contracted through Public Works and Government Services Canada. [Communications Policy]
§ Finished productions in film, video, CD and multimedia formats must be deposited with the National Library of Canada. [Communications Policy]

Official Languages

Refer to mapping section on Official Languages. [Communications Policy]

Copyright

Refer to mapping of Intellectual Property Rights under Intellectual Property. [Communications Policy]

Federal Identity

§ Clear and consistent corporate identity is required, including adherence to the Federal Identity Program (FIP), giving prominence to the official symbols of the GC, and adhering to the TB Common Look and Feel for the Internet: Standards and Guidelines. [Communications Policy]
§ Marketing material must conform to requirements of the Federal Identity Program and Treasury Board Common Look and Feel for the Internet: Standards and Guidelines. [Communications Policy]
§ Film, video and multimedia productions commissioned by institutions must comply with the Federal Identity Program and the Treasury Board Common Services and Contracting policies. [Communications Policy]
§ Communication or information materials prepared for consultative purposes comply with Federal Identity Program requirements. [Communications Policy]
§ Institutions must adopt a coherent and co-ordinated approach to their participation in fairs and exhibitions. Multiple institutions appearing at the same event must display a unified presence that promotes common themes and messages of the Government of Canada. Public Works and Government Services Canada co-ordinates the participation of institutions in fairs and exhibitions visited by the Canada Pavilion. [Communications Policy]

Advertising and Sponsorships

§ Institutions may place advertisements or purchase advertising space or time in any medium to inform Canadians about their rights or responsibilities, about government policies, programs, services or initiatives, or about dangers or risks to public health, safety or the environment, in accordance with criteria defined in the Communications Policy. [Communications Policy]
§ Sponsorships must be compatible with the government and institution’s communication goals, be communicated in a manner fair and equitable to each party, and not be based on advertising private sector goods or services. [Communications Policy]

Information Collection

Refer to mapping for Collect, Create, Receive and Capture under Delivery Considerations. [Communications Policy]

Integration with Planning and Delivery Activities

§ Institutions must integrate communications into corporate management processes and procedures, collaborate with, and maintain working links between communications and other core functions. The communications function must be adequately resourced, ensure staff at all levels carry out their unique role and shared communication responsibilities, ensure coherence and consistency of information and messages across all channels, and collaborate with other institutions in communication activities that promote common government-wide messages and themes. [Communications Policy]
§ Institutions must integrate communication planning into their annual business planning process, prepare a corporate communications plan, and evaluate communications work as an integral part of business operations. [Communications Policy]
§ Communication requirements must be taken into account when planning, negotiating or implementing a partnering or collaborative arrangement as outlined in the Communications Policy. [Communications Policy]
§ Marketing must be integrated with the communications functions. [Communications Policy]
§ Memoranda to Cabinet and Treasury Board submissions (which concern significant investment of public funds, a major new policy, program, service, or initiative, or matters of potential sensitivity or concern to the public) must include a communication plan and resources dedicated to achieving communication goals and objectives. [Communications Policy]

Training and Development

§ Institutions must provide managers and employees at all levels with Communications Policy orientation and training, and foster professional development among communications staff. [Communications Policy]

MANAGEMENT RELATED GUIDELINES

Governance and Accountability

Access to Information

§ The Act establishes the role of the Information Commissioner to ensure compliance with the Act, investigate information access related issues and investigate complaints from individuals regarding this Act or refusal to disclose information to them. (54-60) [Access to Information Act]
§ The Information Commissioner and every person working on his behalf or under his direction must satisfy any applicable security requirements, take an oath of secrecy, and not disclose any information that comes to their knowledge in the performance of their duties. Disclosure of information may be authorized where it is necessary to carry out an investigation under this Act, establish grounds for findings and recommendations contained in any report under this Act, or in the course of a prosecution for an offence under this Act. (61-63) [Access to Information Act]
§ The Governor in Council may make regulations: a) prescribing limitations in respect of records that can be produced from machine readable records for the purpose of access; b) prescribing the procedure for making and responding to a request; c) prescribing the purpose and conditions under which a request may be transferred from one government institution to another; d) prescribing fees and their calculation; e) prescribing the manner or place in which access to a record or part thereof shall be given; f) specifying investigative bodies for the purpose of paragraph 16(1)(a); g) specifying classes of investigations; and h) prescribing procedures for examining or obtaining copies of records for investigation. (77) [Access to Information Act]
§ The Governor in Council may, by order, amend the Schedule identifying government institutions to which the Act applies. (77) [Access to Information Act]
§ The head of a government institution may, by order, designate one or more officers or employees of that institution to exercise or perform any of the powers, duties or functions of the head of the institution under this Act. (73) [Access to Information Act]
§ Departments must designate an official to coordinate duties imposed by access legislation and maintain a current Delegation Order listing delegated information access responsibilities. [Access to Information Policy]
§ Annual reports to Parliament by institutions will be used to monitor compliance with this policy. [Access to Information Policy]

Privacy & Information Protection

§ Appoints a Privacy Commissioner responsible to Parliament for ensuring compliance with this Act, to investigate complaints, to carry out special studies, to review exempt banks, and to report annually and as required (for urgent matters) to Parliament. (36-40, 43, 53-60) [Privacy Act]

§ Requires the Privacy Commissioner and every person working on his behalf or under his direction to satisfy any applicable security requirements, take an oath of secrecy, and not disclose any information that comes to their knowledge in the performance of their duties. Disclosure of information may be authorized where it is necessary to carry out an investigation under this Act, establish grounds for findings and recommendations contained in any report under this Act, or in the course of a prosecution for an offence under this Act. (62-64) [Privacy Act]
§ The designated Minister shall: a) cause to be kept under review the manner in which personal information banks are maintained and managed to ensure compliance with the Act and regulations; b) have a registration number assigned to each personal information bank; c) prescribe forms that may be required for the operation of this Act and regulations; d) prepare and distribute to government institutions directives and guidelines concerning the operation of this Act and regulations; and e) prescribe the form of and what information should be included in reports made by government institutions to Parliament. (71) [Privacy Act]
§ The head of a government institution may by order designate one or more officers or employees of the institution to exercise or perform any of the powers, duties or functions of the head of the institution under this Act. (73) [Privacy Act]
§ The Governor in Council may make regulations prescribing procedures, fees, and classifications under this Act. (77) [Privacy Act]
§ The Governor in Council may by order amend the Schedule identifying government institutions to which the Act applies. (77) [Privacy Act]
§ The Privacy Commissioner and internal audit groups are responsible to examine the success of departments in meeting privacy and data protection requirements. [Privacy and Data Protection Policy]
§ Government institutions must appoint a Privacy Co-ordinator to coordinate activities related to the Privacy Act and maintain a current Delegation Order listing delegated privacy responsibilities. [Privacy and Data Protection Policy]
§ The annual reports to Parliament required by the Privacy Act will be used to monitor compliance with this policy. [Privacy and Data Protection Policy]
§ Compliance with the SIN and data-matching provisions will be monitored through the advance notification and public accounting requirements. [Privacy and Data Protection Policy]
§ The Privacy Commissioner and internal audit groups will examine the institution’s success in meeting the requirements for privacy and data protection. [Privacy and Data Protection Policy]
§ Institutions will assess their degree of compliance with this policy by means of internal audits, reviews, and evaluations. The Treasury Board Secretariat will monitor compliance through a variety of means, for example, the Annual Privacy Reports to Parliament may be used. The Privacy Commissioner will monitor compliance through the notification process. [Privacy Impact Assessment Policy]
§ Departments will conduct audits of their compliance with this policy and the efficiency of its implementation. [Electronic Authorization and Authentication Policy]
§ The Treasury Board Secretariat will monitor compliance with this policy through internal audit reports. In addition, the Treasury Board Secretariat will conduct, in consultation with departments, operational reviews to assess the effectiveness of the policy. [Electronic Authorization and Authentication Policy]
§ Establishes the roles and responsibilities of the President of the Treasury Board, the Policy Management Authority, the Communications Security Establishment, the Departmental Certification Authorities and the Local Registration Authorities for the management of the GC PKI infrastructure. [Government PKI Policy]
§ Identifies circumstances where the President of the Treasury Board may make exemptions for aspects of this policy. [Government PKI Policy]
§ Departments will audit compliance with the policy and the efficiency of its implementation. Treasury Board Secretariat will monitor compliance through these internal audit reports. [Government PKI Policy]

§ The Commission may make regulations respecting the disclosure of personal information obtained in the course of an investigation, inquiry or procedure for appointment under this Act. (35 (2)f) [Public Service Employment Act]

Electronic Alternatives

§ For the purposes of sections 41 to 47 (writing requirements, original documents, signatures, statements under oath, statements declaring truth, witnessed signatures, copies), the responsible authority in respect of a provision of a federal law may make regulations respecting the application of those sections to the provision. (50.1) [Personal Information Protection and Electronic Documents Act]
§ Contents - Without restricting the generality of subsection (1), the regulations that may be made may include rules respecting any of the following: (a) the technology or process that must be used to make or send an electronic document; (b) the format of an electronic document; (c) the place where an electronic document is to be made or sent; (d) the time and circumstances when an electronic document is to be considered to be sent or received and the place where it is considered to have been sent or received; (e) the technology or process to be used to make or verify an electronic signature and the manner in which it is to be used; and (f) any matter necessary for the purposes of the application of sections 41 to 47. (50.2) [Personal Information Protection and Electronic Documents Act]
§ Minimum Rules - Without restricting the generality of subsection (1), if a provision referred to in any of sections 41 to 47 requires a person to provide another person with a document or information, the rules set out in the regulations respecting the application of that section to the provision may be that (a) both persons have agreed to the document or information being provided in electronic form; and (b) the document or information in electronic form will be under the control of the person to whom it is provided and will be readable or perceivable so as to be usable for subsequent reference. (50.3) [Personal Information Protection and Electronic Documents Act]
§ Incorporation by Reference - Regulations may incorporate by reference the standards or specifications of any government, person or organization, either as they read at a fixed time or as they are amended from time to time. (50.4) [Personal Information Protection and Electronic Documents Act]

Management of Information

§ The Librarian and Archivist may do anything conducive to the attainment of LAC objectives including - acquire publications and records or obtain the care, custody or control of them; take measures to catalogue, classify, identify, preserve and restore publications and records; compile and maintain information resources such as a national bibliography and a national union catalogue; provide information, consultation, research or lending services, and any other services to facilitate access to the documentary heritage; establish programs and encourage or organize any activities, including exhibitions, publications and performances, to make known and interpret the documentary heritage; enter into agreements with other libraries, archives or institutions in and outside Canada; advise government institutions concerning the management of information produced or used by them and provide services for that purpose; provide leadership and direction for library services of government institutions; provide professional, technical and financial support to those involved in the preservation and promotion of the documentary heritage and in providing access to it; (8,) [Library & Archives of Canada Act]
§ Facilitate the management of information by government institutions; coordinate the library services of government institutions; and support the development of the library and archival communities (7) [Library & Archives of Canada Act]
§ In accordance with the Treasury Board Evaluation and Internal Audit Policies, institutions should assess the risks associated with the management of valuable information resources and review their effectiveness in implementing and meeting the requirements of this policy. The Treasury Board Secretariat may require institutions to undertake a periodic audit of the implementation of this policy. [MGI Policy]
§ The Treasury Board Secretariat will use internal audit reports to monitor compliance with this policy, evaluate its effectiveness and its impact on institutions. [MGI Policy]

Date: 2006--03-31 Draft: Version 6.2 Page: 72

Framework For the Management of Information Overview of, and Links to Legislation, Regulations and Policies

§ The Library & Archives of Canada also have monitoring responsibilities with respect to this policy and will periodically communicate their findings to the Treasury Board Secretariat.

Official Languages

[Official Languages Act]
§ The role of the Commissioner of Official Languages is established to ensure recognition of both official languages, conduct investigations on his own initiative, investigate complaints received relative to this Act, and provide annual and special reports to Parliament. Any person who has made a complaint to the Commissioner of Official Languages may apply to the Federal Court for remedy as outlined in the provisions of the Act. (49-81)
§ The Treasury Board is responsible for official language policies, monitoring and auditing federal institutions in respect of the policies, evaluating the effectiveness and efficiency of policies and programs relating to the official languages of Canada, and for submitting an annual report to Parliament on the status of programs relating to the official languages of Canada in the various federal institutions. (46-48)

Security

[Canadian Security Intelligence Service Act]
§ An Inspector General (reporting to the Solicitor General) is appointed to monitor the Service and is entitled to have access to any information under the control of the Service that relates to the performance of his duties and functions. (31)
§ A Security Intelligence Review Committee (reporting to Parliament) is established to review the performance of the Service and conduct investigations and will have access to any information required to perform these functions and address complaints. (34, 38, 39, 40, 41)

[Government Security Policy]
§ Departments must appoint a departmental security officer (DSO) responsible for department security in accordance with the policy.

[Emergency Preparedness Act]
§ Ministers are responsible for the development and implementation of civil emergency contingencies and plans within their area of accountability. (5,7)

Government Operations

[Auditor General Act]
§ The Governor in Council may, on recommendation of the Minister of the Environment, make regulations prescribing the form in which sustainable development strategies are to be prepared and the information required to be contained in them. (24)

Management Functions

Monitor and Report

[Evaluation Policy]
§ Department managers must manage for results and ensure that they have reliable, timely, objective and accessible information for decision-making and performance improvements.
§ Departments must establish an appropriate evaluation capacity and accountability practices.


§ Departments must provide TB with evaluation plans and early warning of major concerns.

[Common Services Policy]
§ Managers of common services should ensure they have relevant, timely and reliable information about the performance of their programs.

Risk Management

[Risk Management Policy]
§ Departments must identify the potential perils, factors and types of risk to which their assets, program activities and interests are exposed. The accompanying guidelines specifically identify information storage and transfer, such as record keeping, mail distribution, telecommunications, and electronic data as assets to be identified.
§ Departments must analyze and assess the risks identified, and design and implement cost-effective risk prevention, reduction or avoidance control measures.
§ Departments must plan and budget for containment, compensation, restoration and disaster recovery.
§ Departments must activate emergency organizations, systems, and contingency plans, and initiate recovery measures.

Audit

[Auditor General Act]
§ The Auditor General will audit government financial statements to ensure accordance with government accounting principles. (6)

Coordination with Other Organizations

[Statistics Act]
§ Collaborate with departments of government in the collection, compilation and publication of statistical information, including statistics derived from the activities of those departments. (3)

[MIT Policy]
§ Departments must participate in setting government-wide directions for information management – in particular by informing TBS of their plans and long-term strategies and supporting the Secretariat's overall government-wide coordination and direction-setting role.

[MGI Policy]
§ Preserve the integrity of information, particularly when it is used in collaborative endeavours with other federal government institutions, other governments, or non-governmental organizations.

Competencies & Training

Employee Training

[Financial Administration Act]
§ Treasury Board may determine the human resource requirements of the public service, provide for their allocation and effective utilization, determine training requirements and terms, and provide for the classification of positions and employees. Note: this provides for a competent public service with the required knowledge and skills to effectively manage government information. (11)

[MGI Policy]
§ The senior executive responsible for implementing the policy must coordinate training and development of staff.


[Learning, Training and Development Policy (Continuous Learning in the Public Service of Cda Policy and Training & Development Policy)]
§ While staff should normally be recruited with the knowledge and skills required to perform their duties, training must be provided to meet current or future job requirements.
§ Managers must determine training needs and authorize participation in training.
§ Managers must provide the training they consider necessary to maintain an effective and efficient work force and to accommodate specific human resource management objectives such as employment equity.

[Communications Policy]
§ Institutions must provide managers and employees at all levels with Communications Policy orientation and training, and foster professional development among communications staff.

Program/Service Delivery Considerations

Plan

[MIT Policy]
§ Departments must develop information management plans that are tailored to their needs and are derived from and strongly support the department's missions and operational plans – refer to TB guidelines for Information Management plans.
§ Common service organizations that have information management responsibilities must obtain advice, guidance and feedback on their objectives, strategies, plans and the quality of their services from their clients and coordinate their plans and services with those of departments and other common-service organizations.

[Appropriation Acts]
§ Information is included as a standard object of expenditure against which budgetary estimates are distributed. It includes three main categories of expenditure – advertising services; publishing, printing and exposition services; and public relations and public affairs services.
§ Identifies and funds department business lines - including the Treasury Board Information Management and Information Technology business line with a goal to provide strategic direction and leadership in leveraging information management and information technology to improve public access to government services and to meet Public Service renewal objectives.

[MGI Policy]
§ Information management requirements are incorporated at an early stage in the development of new or modified government policies, programs, services, and technology-based systems.
§ Governance and accountability structures are in place for the management of information.


§ Opportunities for common infrastructures are maximized to optimize the interoperability of information management systems.

[Privacy and Data Protection Policy]
§ Departments must advise the Privacy Commissioner at an early stage of any planned initiatives that relate to the Privacy Act or may impact the privacy of Canadians.

[Privacy Impact Assessment Policy]
§ Refer to Privacy Impact Assessment under Privacy & Confidentiality

[Emergencies Preparedness Act]
§ Ministers are responsible for the development and implementation of civil emergency contingencies and plans within their area of accountability. (5,7)

[Common Services Policy]
§ Where development of systems to support departmental administration is required, consideration should be given to developing shared information and support system solutions.
§ PWGSC provides optional management of information management systems.

Collect, Create, Receive and Capture

[Statistics Act]
§ Collect, compile, analyse, abstract and publish statistical information relating to the commercial, industrial, financial, social, economic and general activities and condition of the people of Canada. (3)
§ Collaborate with departments of government in the collection, compilation and publication of statistical information, including statistics derived from the activities of these departments. (3)
§ Take the census of the population of Canada and the census of agriculture of Canada. The Governor in Council shall prescribe the questions to be asked. (3, 19-21)
§ Avoid duplication in the information collected by departments of government. (3)
§ The Minister may enter into any arrangement with the government of a province for purposes of this Act. In particular for execution by provincial officers of any power or duty conferred or imposed on any officer pursuant to the Act, collection by a department or provincial officer of any statistical or other information required for the purposes of the Act, and for supplying of statistical information to the Chief Statistician. (10)

[Library & Archives of Canada Act]
§ Acquire publications and records or obtain the care, custody or control of them; (8a)
§ Take measures to catalogue, classify, identify, preserve and restore publications and records; (8b)
§ Compile and maintain information resources such as a national bibliography and a national union catalogue; (8c)
§ Enter into agreements with other libraries, archives or institutions in and outside Canada; (8f)

[Privacy Act]
§ No personal information will be collected by a government institution unless it relates directly to an operating program or activity of the institution. (4)
§ Personal information, wherever possible, will be collected from the individual to whom it relates except where the individual authorizes otherwise.


§ Individuals from whom personal information is collected will be informed of the purpose for which it is being collected. (5)
§ Exemptions to collection rules apply where they may result in the collection of inaccurate information, defeat the purpose or prejudice the use. (5)
§ Reasonable steps must be taken to ensure personal information used for administrative purposes is as accurate, up-to-date and complete as possible. (6)

[Personnel Information Management Policy]
§ Departments must have information that effectively and economically supports the execution of personnel management decisions and the day-to-day administration of employee pay, benefits and records, and that informs management in a timely and accurate manner about their human resources while protecting personal information as defined and provided for in the Privacy Act.

[Privacy and Data Protection Policy]
§ Refer to Collection of Personal Information; Use of Social Insurance Number; and Data Matching Programs under Privacy and Confidentiality

[Personnel Information Management Policy]
§ Refer to Use of Social Insurance Number under Privacy and Confidentiality

[Communications Policy]
§ Finished productions in film, video, CD and multimedia formats must be deposited with the National Library of Canada.
§ Institutions must adhere to the requirements of the Treasury Board’s Contracting Policy and Common Services Policy when contracting public opinion research, coordinate activities with Public Works and Government Services Canada, and share research results with other GC departments, agencies, and the public that have an interest in the findings, subject to the Privacy Act.
§ Communication requirements must be taken into account in the planning, management and evaluation of consultation and citizen engagement activities. Institutions must inform Canadians about opportunities to participate in public consultation and citizen engagement and ensure communication or information materials prepared for consultative purposes comply with Federal Identity Program requirements.
§ To evaluate and address public needs and expectations, anticipate issues that may arise, and to formulate appropriate response strategies - institutions must routinely monitor and analyze the public environment as it relates to their policies, programs, services and initiatives using a variety of tools to assess the environment in which they operate, including citizen feedback, enquiry analysis, media monitoring and opinion research.

[MIT Policy]
§ Apply information technology to reduce the burden on respondents from whom information is collected - capture once, make information more easily accessible, complete transactions more quickly and accurately, support employees and reduce costs.

[MGI Policy]
§ Collect, create, receive and capture information in ways that support service delivery, informed policy and decision-making, and business, legal, and accountability requirements.
§ Collect, create, receive and capture information in ways that ensure its relevance, reliability, and completeness.
§ Collect, create, receive and capture information in ways that optimize its sharing and re-use, in accordance with policy and legal obligations.
§ Collect, create, receive and capture information in ways that document decisions and decision-making processes to account for government operations, reconstruct the evolution of policies and programs, support the continuity of government and its decision-making, and allow for independent audit and review.


§ Collect, create, receive and capture information in ways that reduce the response burden on the public by avoiding the unnecessary collection of information.

Organize, Use and Disseminate

[Personnel Information Management Policy]
§ Departments must adhere to the information management and data administration standards established for service-wide personnel information. As a minimum, standards published in the Management of Government Information Policy and the Personnel Data Element Dictionary must be followed.

[Common Services Policy]
§ Departments must adhere to TBS TBITS standards.

[MGI Policy]
§ Organize information to provide clarity, context, and convenient access to relevant, comprehensive, and timely information and services.
§ Re-use and share information to the greatest extent possible, in accordance with legal and policy obligations.
§ Establishing a co-ordinated and comprehensive approach to describing the institution’s information.
§ Maintaining a current and comprehensive classification structure or structures, including metadata.
§ Providing users with timely and convenient access to information in accordance with legal and policy obligations.

[Statistics Act]
§ With approval of the Governor in Council, the Minister may enter into an agreement with the government of a province for the exchange of information or transmission of information to a statistical agency of the province. This information may include replies to any specific statistical inquiries, replies to specific classes of information collected under this Act, and any tabulations and analyses based on the replies. The statistical agency of the province must have statutory authority to collect the information intended to be exchanged or transmitted, is prohibited from disclosing information as per section 17, and officers and employees of the statistical agency must be subject to statutory penalties for improper disclosure of information. (11)
§ The Minister may enter into an agreement with any department, municipal or other corporation for sharing of information collected from a respondent by Statistics Canada, the department or corporation on behalf of both of them and for the subsequent tabulation or publication based on that information. Information shared may include replies to original inquiries and supplementary information provided by a respondent. (12)
§ Respondents must be advised of any statistical agencies and other parties to which information they provide may be communicated. Where the respondent gives written objection to the sharing of the information, to the Chief Statistician, the information will not be shared with a department or corporation unless the department or corporation is authorized by law to require the respondent to provide that information. (11, 12)

[Common Services Policy]
§ Where development of systems to support departmental administration is required, consideration should be given to developing shared information and support system solutions.

[Personnel Information Management Policy]
§ Departments must provide information to the central agencies in a timely manner, in particular the Treasury Board Secretariat and the Public Service Commission, about the management of human resources.

Maintain and Preserve

[Privacy Act]
§ Personal information used by the government will be retained for a period as prescribed by regulations to provide individuals to whom it pertains a reasonable opportunity to access it. (6)

[Library & Archives of Canada Act]
§ Advise government institutions concerning the management of information produced or used by them and provide services for that purpose; (8g)
§ Provide leadership and direction for library services of government institutions; (8h) provide professional, technical and financial support to those involved in the preservation and promotion of the documentary heritage and in providing access to it; (8i)
§ May take a sampling from the Internet of the documentary material of interest to Canada that is accessible to the public without restriction through the Internet or any similar medium; (8.2)
§ May obtain archival quality recordings or copies of recordings for preservation purposes and may reimburse the copy cost; (11) may dispose of any publication or record under LAC control, if no longer necessary to retain it, subject to the terms and conditions under which the publication or record was acquired or obtained. (9)
§ Care and control of all records of a government institution whose functions have ceased; (13.4)
§ May specify the manner and time required for the transfer of government records at risk of serious damage or destruction. (13.3)
§ Subject to the regulations, the publisher who makes a publication available in Canada shall, at the publisher’s own expense, provide two copies of the publication to the Librarian and Archivist – who shall acknowledge their receipt. (10)

[Emergencies Preparedness Act]
§ The Preservation of Essential Records, A guide for governments, organizations, institutions and businesses provides guidelines for essential records within the context of emergency preparedness and business resumption planning as follows:
§ An essential records program is mandatory for federal institutions.
§ An essential record is an information holding that is considered to be vital to the operations of an organization. The determination of what is vital is a management decision.
§ Vital information should be preserved so that operations can be maintained or resumed if they've been disrupted.
§ The methods of preserving and recovering essential records should be a matter of organizational policy and be defined in the records management policy, the emergency preparedness plans and the EDP policy of every organization.
§ Recovery will be aided by a business resumption plan that includes the ready availability of the organization's essential records.

[MGI Policy]
§ Ensure its usability, including the usability of encrypted information, over time and through technological change.
§ Ensure information of enduring value to the Government of Canada or to Canadians is available for current and future use.
§ Protect essential records.
§ Safeguard from improper disclosure, use, disposition or destruction, in accordance with legal and policy obligations.

Retention & Disposal of Information

[Privacy Act]
§ Personal information will be disposed of in accordance with regulations, directives or guidelines issued by the designated minister in relation to the disposal of information. (6)

[Library & Archives of Canada Act]
§ The Librarian and Archivist may dispose of any publication or record under his or her control, including by destruction, if he or she considers that it is no longer necessary to retain it. Any such disposition is subject to the terms and conditions under which the publication or record has been acquired or obtained. (9)
§ No government or ministerial record, whether or not it is surplus property of a government institution, shall be disposed of, including by being destroyed, without the written consent of the Librarian and Archivist or of a person to whom the Librarian and Archivist has, in writing, delegated the power to give consents. (12)
§ All publications that have become surplus to the requirements of a department shall be placed in the care and control of the Librarian & Archivist. (16)

[Personal Information Protection and Electronic Documents Act]
§ A requirement under a provision of a federal law to retain a document for a specified period is satisfied, with respect to an electronic document, by the retention of the electronic document if (a) the electronic document is retained for the specified period in the format in which it was made, sent or received, or in a format that does not change the information contained in the electronic document that was originally made, sent or received; (b) the information in the electronic document will be readable or perceivable by any person who is entitled to have access to the electronic document or who is authorized to require the production of the electronic document; and (c) if the electronic document was sent or received, any information that identifies the origin and destination of the electronic document and the date and time when it was sent or received is also retained. (37)

[MGI Policy]
§ Adhering to departmental retention and disposition plans, the Library and Archives Canada-approved Records Disposition Authorities, and other legal and policy obligations to ensure the timely disposition of information that is no longer required by the institution.
§ Transferring to the Library & Archives of Canada information designated as having historical value.
§ Transfer to Library and Archives Canada publications that federal libraries have declared surplus.
§ Considering its transfer to non-government organizations, subject to legal and policy obligations.

Preservation (Long Term)

[Library & Archives of Canada Act]
§ LAC to be the permanent repository of publications of GC and government and ministerial records that are of historical or archival value; (7c)
§ Records of government institutions and ministerial records that are of archival importance will be transferred to the care and control of the Archivist in accordance with an agreed schedule. (13.1)
§ Subject to the regulations, the publisher who makes a publication available in Canada shall, at the publisher’s own expense, provide two copies of the publication to the Librarian and Archivist – who shall acknowledge their receipt. (10)

Project Requirements

[Project Management Policy]
§ Requires submission of updated project information to appropriate authorities for significant changes beyond reporting established in the original or amended approvals.
§ Requires systematic approaches to define and manage the project, including implementation of a suitable database system to track key objective and numerical information for the project.
§ Risk assessments must be updated periodically to reflect additional information available.
§ Information on progress of significant projects must be provided to Treasury Board.

[Privacy Impact Assessment Policy]
§ Institutions seeking Preliminary Project Approval from Treasury Board pursuant to the Project Approval Policy must include the results of the Privacy Impact Assessment in the body of the submission or the project brief where applicable. Institutions seeking Effective Project Approval must provide a status report in the body of the submission or the project brief summarizing the actions taken or to be taken to avoid or mitigate any privacy risks.

Technology Considerations

Technology Impact

[MIT Policy]
§ Implement approved government information and technology standards in accordance with TB criteria.
§ Apply information technology to reduce the burden on respondents from whom information is collected - capture once, make information more easily accessible, complete transactions more quickly and accurately, support employees and reduce costs.
§ Ensure information technology allows services to be provided to the public in both official languages.

Electronic Alternatives

[Personal Information Protection and Electronic Documents Act]
Sets out the legislative scheme by which requirements in federal statutes and regulations that contemplate the use of paper or do not expressly permit the use of electronic technology may be administered or complied with in the electronic environment. Part II provides for the use of electronic alternatives to record or communicate information or transactions, describes the characteristics of secure electronic signatures and the conditions under which electronic signatures can be used to authenticate business transactions and to provide evidence in legal proceedings.
§ Definitions - Provides definitions of data, electronic documents, electronic signature and secure electronic signature. (31)
§ Collection, Storage, etc - A department, branch, agency, etc. may use electronic means to create, collect, receive, store, transfer, distribute, publish or otherwise deal with documents or information whenever a federal law does not specify the manner of doing so. (33)
§ Electronic Payment - A payment that is required to be made to the Government of Canada may be made in electronic form in any manner specified by the Receiver General. (34)
§ Electronic Version of Statutory Form - If a provision of an Act of Parliament establishes a form, a non-electronic manner of filing a document, or a non-electronic manner of submitting information, the responsible authority may make regulations for an electronic form that is substantially the same as the non-electronic form, for filing of an electronic version of the form, and for submitting information using electronic means. Actions in accordance with the regulations are considered to be equivalent to those set out in the Act. (35)
§ Manner of Filing - The authority under a federal law to issue, prescribe or in any other manner establish a form, or to establish the manner of filing a document or submitting information, includes the authority to issue, prescribe or establish an electronic form, or to establish an electronic manner of filing the document or submitting information, as the case may be. In this section, "filing" includes all manner of submitting, regardless of how it is designated (35)
§ Notarial Act - A reference in a provision of a federal law to a document recognized as a notarial act in the province of Quebec is deemed to include an electronic version of the document if (a) the electronic version of the document is recognized as a notarial act under the laws of the province of Quebec; and (b) the federal law or the provision is listed in Schedule 2 or 3. (38)
§ Seals - A requirement under a provision of a federal law for a person's seal is satisfied by a secure electronic signature that identifies the secure electronic signature as the person's seal if the federal law or the provision is listed in Schedule 2 or 3. (39)
§ Provide Documents or Information - A provision of a federal law requiring a person to provide another person with a document or information, other than a provision referred to in any of sections 41 to 47, is satisfied by the provision of the document or information in electronic form if: (a) the federal law or the provision is listed in Schedule 2 or 3; (b) both persons have agreed to the document or information being provided in electronic form; and (c) the document or information in electronic form will be under the control of the person to whom it is provided and will be readable or perceivable so as to be usable for subsequent reference. (40)
§ In Writing - A requirement under a provision of a federal law for a document to be in writing is satisfied by an electronic document if (a) the federal law or the provision is listed in Schedule 2 or 3; and (b) the regulations respecting the application of this section to the provision have been complied with. (41)
§ Original - A requirement under a provision of a federal law for a document to be in its original form is satisfied by an electronic document if (a) the federal law or the provision is listed in Schedule 2 or 3; (b) the electronic document contains a secure electronic signature that was added when the electronic document was first generated in its final form and that can be used to verify that the electronic document has not been changed since that time; and (c) the regulations respecting the application of this section to the provision have been complied with. (42)
§ Copies - A requirement under a provision of a federal law for one or more copies of a document to be submitted is satisfied by the submission of an electronic document if (a) the federal law or the provision is listed in Schedule 2 or 3; and (b) the regulations respecting the application of this section to the provision have been complied with. (47)
§ Statement Under Oath - A statement required to be made under oath or solemn affirmation under a provision of a federal law may be made in electronic form if (a) the person who makes the statement signs it with that person's secure electronic signature; (b) the person before whom the statement was made, and who is authorized to take statements under oath or solemn affirmation, signs it with that person's secure electronic signature; (c) the federal law or the provision is listed in Schedule 2 or 3; and (d) the regulations respecting the application of this section to the provision have been complied with. (44)
§ Statement Declaring Truth - A statement required to be made under a provision of a federal law declaring or certifying that any information given by a person making the statement is true, accurate or complete may be made in electronic form if (a) the person signs it with that person's secure electronic signature; (b) the federal law or the provision is listed in Schedule 2 or 3; and (c) the regulations respecting the application of this section to the provision have been complied with. (45)

Electronic Signatures
Personal Information Protection and Electronic Documents Act
Part III amends the Canada Evidence Act to provide for the admissibility of electronic documents, to establish legal admissibility for electronic signatures, and to recognize electronic publication of Notices, Acts, and other documents by the Queen's Printer.
§ Requirement for Signature - Subject to sections 44 to 46, a requirement under a provision of a federal law for a signature is satisfied by an electronic signature if (a) the federal law or the provision is listed in Schedule 2 or 3; and (b) the regulations respecting the application of this section to the provision have been complied with. (43)
§ Witnessed Signatures - A requirement under a provision of a federal law for a signature to be witnessed is satisfied with respect to an electronic document if (a) each signatory and each witness signs the electronic document with their secure electronic signature; (b) the federal law or the provision

is listed in Schedule 2 or 3; and (c) the regulations respecting the application of this section to the provision have been complied with. (46)
§ Technology or Process - Subject to subsection (2), the Governor in Council may, on the recommendation of the Treasury Board, make regulations prescribing technologies or processes for the purpose of the definition "secure electronic signature" in subsection 31(1). The Governor in Council may prescribe a technology or process only if the Governor in Council is satisfied that it can be proved that (a) the electronic signature resulting from the use by a person of the technology or process is unique to the person; (b) the use of the technology or process by a person to incorporate, attach or associate the person's electronic signature to an electronic document is under the sole control of the person; (c) the technology or process can be used to identify the person using the technology or process; and (d) the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document. (48.2)
§ Effect of Amendment or Repeal - An amendment to or repeal of any provision of a regulation made under subsection (1) that has the effect of removing a prescribed technology or process from the regulation does not, by itself, affect the validity of any electronic signature resulting from the use of that technology or process while it was prescribed. (48.3)

Authorized Use of Electronic Networks
Policy on the Use of Electronic Networks
§ Departments must develop and implement an acceptable use policy that: (a) defines what is acceptable use within the department (e.g. personal use); and (b) informs employees how the department monitors the use of electronic networks.
§ Authorized uses of electronic networks must be defined and address unlawful and unacceptable conduct; responsibilities of authorized individuals when they are using electronic networks; the extent to which electronic networks may be used for personal objectives (the government is not obliged to allow use for personal objectives); disciplinary measures for illegal or unacceptable use; monitoring practices and authorization required.
§ Activity that can expose authorized individuals or the employer to civil liability if a Public Service employee performs unlawful activity in the course of his or her employment includes disclosing or collecting sensitive data without authorization; defamation; and inaccurate information.
§ Appendix A provides a non-exhaustive list of unlawful activity, in terms of actions that may result in sanctions of different kinds in a court of law. The list includes child pornography; copyright infringement; defamation; hacking and other crimes related to computer security (e.g. unlawful access, spreading viruses, destroying or altering data, interfering with others' lawful use of data and computers); harassment; hate propaganda; interception of private communications or electronic mail; obscenity; disclosing sensitive or personal information without authorization; use of public money without proper authorization; and various other offences under the Criminal Code and other statutes.
§ Appendix B provides a non-exhaustive list of activity that is not necessarily unlawful but which violates Treasury Board policies. The list includes sending classified or designated information on unsecured networks unless encrypted; accessing, without authorization, sensitive information held by the government; attempting to defeat information technology security features; causing congestion and disruption of networks and systems; sending abusive, sexist or racist messages; using the government's electronic networks for private business, personal gain or profit or political activity; making excessive public criticism of governmental policy; representing personal opinions as those of the department or disregarding public statement policy; failing to provide employees and other authorized individuals with notice of electronic monitoring and auditing practices; providing access to systems, networks or applications used to process sensitive information before personnel are properly security screened; failing to revoke system access rights to personnel when they leave the department; unauthorized removal or installation of hardware or software on government owned informatics devices or electronic networks.
§ Appendix C identifies unacceptable activities relating to access of electronic networks provided by the government. Authorized individuals cannot use government electronic networks to access or download web sites or files, or send or receive electronic mail messages or other types of communications

that incite hatred against identifiable groups or whose main focus is pornography, nudity and sexual acts (however, authorized individuals may access such information for valid work-related purposes). Individuals must ensure that others do not think that statements they express in personal messages are related to their employment duties or approved by the government.

Monitoring Electronic Networks
Policy on the Use of Electronic Networks
§ Departments must consider privacy when designing their monitoring practices and procedures.
§ Monitoring authorization and procedures for monitoring individual electronic mail and files (if the department reasonably suspects that an authorized individual is misusing the network) must be defined. Guidelines for monitoring electronic networks (including information requirements) are included as Appendix E of the policy.
§ Individuals authorized to monitor individual network use must keep the monitored information confidential and only use it for authorized purposes.
§ Departments are required to report suspected illegal activity to the appropriate law enforcement agency (unless their legal advisor advises that the matter is too minor).

Quality of Information

Quality Control
Electronic Authorization and Authentication Policy
§ The integrity of electronic business transactions must be maintained at all times.
§ The integrity and confidentiality of the electronic authorization and authentication system and processes must be maintained at all times.
§ Departments must establish policies and procedures that will ensure that an adequate level of control is maintained on all processes involving the electronic authorization and authentication of business data.
MGI Policy
§ Ensure the quality, consistency and availability of information across delivery channels to respect Canadians' preferred means of accessing information and of communicating with government.
§ Preserve the integrity of information, particularly when it is used in collaborative endeavours with other federal government institutions, other governments, or non-governmental organizations.
§ Collect, create, receive and capture information in ways that ensure its relevance, reliability, and completeness.
