Protection of Personal Information

Bank of Canada Protection of Personal Information Policy

Policy Context

Context Description

In the course of its daily activities, the Bank of Canada may gather personal information from individuals, in order to provide services, make decisions and support its business operations, programs and activities.

This Policy was developed according to the requirements of, and in compliance with, the Privacy Act of Canada.

Principles

The Bank of Canada has long recognized and accepted its responsibility to protect the privacy of individuals who interact with the Bank through electronic or other means and to safeguard their personal information.

Policy Statement

The purpose of this policy is to outline the Bank’s commitment to protect personal information and manage this information with the utmost responsibility and care.

It governs the collection, use, and disclosure of all personal information of individuals who interact with the Bank, regardless of whether the information is held in paper, electronic or digital form.

Scope

This Policy applies to information collected by the Bank or on behalf of the Bank by service providers pursuant to a contract.

The Bank will identify the purposes for which personal information is collected at the time or before the information is collected. These purposes include but are not limited to manage:

  • applications for employment at the Bank of Canada
  • enquiries from the general public, including Access to Information and Privacy Act requests
  • registration for Bank hosted conferences
  • claims submitted related to unclaimed bank balances and mutilated bank notes
  • the administration of the Canada Savings Bond program
  • the logging of visitors to and the administration of the Bank of Canada’s website
  • the logging of visitors to the Bank of Canada’s premises
  • the registration for visits to the Bank of Canada Museum
  • surveys involving the general public
  • the security of Bank of Canada premises and Bank held information through various means, including CCTV surveillance
  • such other purposes as required by the Bank

All personal information collected by the Bank is listed in Personal Information Banks (PIBs) which are published in Info Source, an annual Treasury Board publication which describes the purpose for the collection, notes any consistent uses that may be made of the information and specifies the retention and disposal standards for the information collected.

The Bank reserves the right, in appropriate circumstances, to collect and hold information outside Canada.

Mandatory Policy Requirements

Limiting collection, use and disclosure of personal information

  • The Bank only collects personal information that relates directly to authorized programs or activities.
  • Wherever possible, personal information is collected directly from the individual to whom the information relates and individuals are informed of the purpose of the collection at the time of the collection.
  • The Bank only uses personal information or discloses it to third parties for the purpose for which the information was originally obtained or compiled, for a use consistent with that purpose or for a purpose permitted under the Privacy Act.
  • The consent of the individual in question must be obtained before his or her personal information is used or disclosed for any other purpose.
  • Any disclosure to third parties will be done pursuant to agreements setting out the requirements for use, safeguarding, retention and disposal of such information, or as required by law.

Safeguarding personal information

  • • Personal information, whatever its form, is classified according to the sensitivity of the information and is protected from unauthorized access, use, disclosure, removal, alteration and destruction in accordance with the Bank’s Corporate Security Policy and Operational Standard: Information Security.
  • • The Bank may use outside service providers or agents to collect and/or use personal information on its behalf. As part of the contractual agreements, these suppliers must protect personal information in a manner consistent with the privacy policies and practices established by the Bank and as obligated under the Privacy Act.

Retention and disposal of personal information

  • The Bank retains and disposes of personal information in accordance with the Bank’s Corporate Records Management Policy, which meets the requirements set out in applicable legislation (i.e. the Privacy Act, the Library and Archives Act).
  • Retention schedules for Personal Information held by the Bank are described in the Info Source publication.

Access to, and accuracy of, personal information

  • Upon request, the Bank shall provide an individual with timely access to his or her personal information contained in records under the control of the Bank. Individuals may also request correction to their personal information which is under the Bank’s control. Requests can be made in writing to the Bank’s Access to Information and Privacy Coordinator citing the Privacy Act.
  • The Bank may require sufficient information to allow it to confirm that the person making the request is authorized to receive the related information before granting access or making corrections.
  • Access will not be provided when the records contain information that would be exempt from access under the Privacy Act, such as containing personal information about other individuals. If access to personal information cannot be provided, the Bank shall provide the reasons for denying access.

Responding to privacy complaints

The Bank is committed to investigating and resolving all complaints related to privacy, confidentiality or its information-handling practices in the most thorough, prompt and confidential manner possible. Any individual who believes their privacy or access-related rights have been breached can submit a complaint in writing to the Bank’s Access to Information and Privacy Coordinator.

Alternatively, individuals may submit a complaint to the Office of the Privacy Commissioner of Canada, the nation’s ombudsman for addressing unresolved privacy complaints:

Office of the Privacy Commissioner of Canada
112 Kent St.
Place de Ville
Tower B 3rd Floor
Ottawa ON    K1A 1H3

1-800-282-1376

Privacy breaches

A privacy breach involves the improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. The Bank takes seriously any information or complaint pertaining to a breach of privacy. Any complaint, allegation or information regarding possible breaches of privacy are considered and assessed in a consistent manner, and investigated fairly and impartially in a manner commensurate with the nature of the alleged complaint.

Further Advice and Guidance

This section contains information on frequency of review, maintenance, and contact information should users have questions related to specific aspects of the policy.

Frequency of reviews and maintenance

Any updates and amendments to this policy and the effective date shall be determined by the General Counsel and Corporate Secretary and communicated on the Bank’s website.

Enquiries

See the Access to Information and Privacy section on the Bank’s website.

Appendices

Definitions

Personal Information:refers to information about an identifiable individual and includes but is not restricted to

  • race, national or ethnic origin, colour, religion, age or marital status
  • medical, educational, financial, employment and criminal history
  • address and identifying numbers assigned to the individual
  • correspondence with the Bank that is explicitly or implicitly of a private nature
  • the views or opinions of another individual about the individual
  • the name of an individual, where disclosure of the name itself would reveal information about the individual

Personal Information Banks (PIB): As defined in the Privacy Act, a Personal Information Bank refers to a privacy-sensitive records system containing personal information which: 1) has been used, is being used or is available for use in decision-making affecting individuals directly, and/or 2) is retrievable by personal identifier.

A Personal Information Bank listing in Info Source includes

  • a description of the type of records under Description
  • the reason for collecting the information under Purpose
  • the intended use or disclosure of the information under Consistent Uses
  • how long the information is kept under Retention and Disposal Standards