On October 27, 2025, The Office of the Privacy Commissioner of  Canada (OPC) released a new Privacy Act Bulletin (the Bulletin), which outlines responsible practices for regulated federal government institutions to consider before, while, and after collecting personal information.

The Bulletin emphasizes the importance of building privacy considerations into every stage of a federal government institution’s technology, program or service. Doing so supports responsible innovation, increases public trust and ensures compliance with the Privacy Act. Accordingly, the Bulletin outlines the following steps federal government institutions may take with respect to collecting personal information:

Before Collecting Personal Information

  • Determine the legal authority for an initiative involving the collection of personal information.
  • Consider the impact on individuals’ right to privacy, particularly when collecting sensitive personal information.
  • Conduct a Privacy Impact Assessment (PIA) where required under the Treasury Board Secretariat (TBS) Directive on Privacy Practices.
  • Use Information Sharing Agreements and contracts with appropriate privacy-protective clauses when planning to share personal information or engaging third parties to collect personal information.

While Collecting Personal Information

  • Be transparent about the personal information being collected, why it is being collected, and how it will be used and shared.
  • Ensure that clear privacy notices are in place, as required under the TBS Directive on Privacy Practices.
  • Keep the institution’s Info Source chapter and Personal Information Banks up to date.
  • Publish summaries of PIAs on the institution’s website.

After Collecting Personal Information

  • Implement safeguards to protect personal information and mitigate the risk of breaches. 
  • In the event of a breach, ensure an appropriate response and adapt to address any shortcomings that led to the breach.
  • Report incidents to TBS and the OPC in accordance with regulatory requirements.

Institutions can also contact the TBS Privacy and Responsible Data Division and the OPC Promotion and Engagement Directorate for more in-depth advice.

Summary By: Victoria Di Felice

 

E-TIPS® ISSUE

25 11 12

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.

Victoria Di Felice
By Victoria Di Felice
November 11, 2025
Privacy