Canadian Government Releases Guidance on Privacy Practices for Personal Information That Is Publicly Available Online

On August 1, 2023, the Government of Canada published its “Privacy Implementation Notice 2023-03: Guidance pertaining to the collection, use, retention and disclosure of personal information that is publicly available online” (the Notice) pursuant to paragraph 71(1)(d) of the Privacy Act.

The Notice is directed towards government institutions as defined in Section 3 of the Privacy Act (excluding the Bank of Canada), which may collect, use, retain, and disclose publicly available personal information for various purposes, including public communications, research, law enforcement, and administrative activities. Accordingly, the Notice provides guidance to these institutions for fulfilling their requirements under the Privacy Act and related policy instruments. As part of this guidance, the following key considerations are addressed as they pertain to personal information made available online:

• Limiting Collection. Even in cases where personal information is publicly available online, government institutions must limit their collection of this information to what is directly related to and necessary for the institution’s programs or activities.
• Use of Third-Party Service or Data Providers. Federal government institutions retain ultimate responsibility for the management of personal information that is publicly available online; such responsibilities continue to apply when obtaining personal information from third parties by request, subscription, or purchase.
• Use and Disclosure. Personal information that ceases to be publicly available immediately becomes subject to the use and disclosure requirements of Sections 7 and 8 of the Privacy Act.  Therefore, institutions will need to verify, where possible, “if the information to be disclosed is identical to that which is in the public domain at the exact time of disclosure” [emphasis in original].

Additionally, the Notice sets out important practices for government institutions to safeguard privacy when managing personal information that is publicly available online, including:

• developing a clear process for authorizing the collection of such information and specifying the level of authorization required, relative to the degree of invasiveness of the collection;
• assessing privacy implications using Privacy Impact Assessments and/or privacy protocols where appropriate; and
• using privacy preserving techniques, such as de-identification and data minimization.

Summary By: Steffi Tran