Reasons to Collect Information

PSOs should collect information if there are observed unequal outcomes for Indigenous, Black, and racialized persons, persistent complaints of systemic racial barriers, and/or widespread public perception of systemic racial barriers or bias within the organization.

Guidance in the OHRC policy and guidelines on racism and racial discrimination states that “data collection and analysis should be undertaken where an organization or institution has or ought to have reason to believe that discrimination, systemic barriers or the perpetuation of historical disadvantage may potentially exist.”

Assess and Plan

Standard 1. Assess and Plan for Compliance with the ARA, the Regulations and the Standards

PSOs must assess their objectives and priorities for the collection and use of personal information for the purpose of conducting analyses to identify and monitor systemic racism and racial disparities.

PSOs must sufficiently plan and prepare for complying with, and implementing the ARA, the regulations and the Standards with input from affected communities, stakeholders, and partners.

Rationale

Planning and preparation is an integral part of understanding the requirements of and ensuring compliance with the ARA, the regulations and the Standards.

Guidance

Assess what personal information is required, for the purpose of the ARA, to identify and monitor racial inequalities in outcomes and help promote racial equity and fair treatment in programs, services, and functions.

Before collecting, using or disclosing any personal information, organizations should consider the following (generally in the order given):

Community input:

Regularly engage with Indigenous, Black, and racialized communities, stakeholders, clients, and partners to understand their priorities, concerns, needs, and interests in collection, management, use and analysis of information.

Organizational objectives and priorities:

Identify clear organizational objectives for the collection and use of personal information under the ARA. In relation to matters required or authorized in the regulations, PSOs should scan the specific policies, practices, services, and/or programs to prioritize how to track and monitor potential systemic racial inequalities. (See OHRC Count me in! Guide).

The race-based personal information will always need to be combined with other information in order to determine the impact of race on outcomes. Organizations should consider the personal information they need to collect, or already lawfully collect for program purposes, that may also be used for the purpose of identifying and monitoring systemic racial inequalities.

Identifying organizational objectives should also include determining which performance measures should be tracked for the purposes of identifying and monitoring systemic racism and racial disparities, and/or measuring progress in advancing racial equity. PSOs should consider monitoring the outcomes of key decisions in a client’s interaction with a service or system (see Appendix A for an example).

Privacy Impact Assessment (PIA):

Conduct a PIA to identify privacy implications, risks and mitigation strategies. A useful resource is Planning for Success: Privacy Impact Assessment Guide, developed by the IPC.

Resources and Training:

Assess and review organizational resources, capacities, and competencies needed to collect, use, manage, de-identify, analyze, publish, and report information. This includes reviewing existing processes, information technology, and software capabilities, as well as assessing the expertise and skills needed to comply with the Standards. In most cases, training the employees, officers, consultants, and agents of the organization will be necessary to ensure the proper implementation of the Standards (see Standard 4).

Public Communication and Outreach:

Communicate the organization’s information-related objectives and plans to the public, affected communities, and clients. This includes external communications and processes for informing individuals of their privacy rights and the PSO’s policies and protocols.

Indigenous Interests in Data Governance

PSOs should consider the interests of Indigenous communities and organizations in exercising authority, control, and shared decision making in the collection, management, use and disclosure of information regarding Indigenous people and communities, consistent with relevant privacy legislation.

Indigenous data governance considerations vary between First Nations, Métis, and Inuit communities and organizations. There are common goals, including emphasis on the importance of engagement, transparency, and Indigenous ownership and control of information (including how it is collected, used, managed, analyzed, interpreted, and reported publicly).

Indigenous data governance principles aim to ensure that information collected from Indigenous communities is used to empower communities with knowledge and tools to work towards positive community outcomes.

Transparency is the focus in relationship building, proactive engagement, and strategic data governance partnerships with the government and/or other broader public service bodies, institutions, and agencies.

Data sharing agreements between PSOs and Indigenous communities and their representatives and partners can be an effective way to respect Indigenous interests in data governance, but such agreements must be undertaken in accordance with the requirements of the ARA and applicable privacy legislation.

Governance and Accountability

Standard 2. Establish Organizational Roles and Responsibilities

PSOs must establish clear accountability mechanisms and rules, with organizational roles and responsibilities, for all aspects of collection, management, use (including analysis), disclosure, and de-identification of personal information, and the public release and reporting of information. There must be at least one manager who is accountable for oversight and ensuring compliance with the ARA, the regulations and the Standards.

Rationale

Clear organizational roles and responsibilities help PSOs comply with the ARA, support transparency, and promote accountability for the proper management of personal information, as well as reporting for the purpose set out in the ARA, the regulations and the Standards.

Guidance

PSOs should work with their records and information management (RIM), privacy, and security professionals to ensure that the collection, use, disclosure, management, security, de-identification, and disposition of records containing personal information is done in accordance with the Standards, applicable privacy legislation, and the Archives and Recordkeeping Act, 2006, if applicable.

PSOs should implement governance and accountability practices such as:

  • Appoint a privacy point-person, such as a Privacy Officer or a senior official who has been delegated privacy responsibilities of the “Head” under FIPPA/MFIPPA, to ensure senior management commitment to privacy protection;
  • Establish reporting mechanisms for overall compliance activities, as well as for reporting privacy and security breaches;
  • Maintain a personal information inventory (know what personal information is held, its sensitivity, where it is held, and why it is collected, used, and disclosed); and
  • Implement a privacy management plan to comply with the Standards, including measures for monitoring, assessing and reviewing privacy and security policies, practices, and controls.

Standard 3. Third Party Service Providers Acting on Behalf of PSOs

PSOs are accountable for ARA-related activities undertaken by a third party service provider acting on their behalf. PSOs must ensure that third parties understand and comply with all requirements under the ARA, the regulations and the Standards.

Rationale

When a service or activity is outsourced, a PSO continues to be accountable for complying with the ARA and applicable privacy legislation. Ensuring that third parties understand and abide by all ARA requirements when acting on behalf of a PSO is necessary to protect privacy.

Guidance

Agreements with third parties should require compliance with privacy obligations in the ARA and any other applicable legislation, including the FIPPA and MFIPPA.

The agreements should require that third party service providers be familiar with the requirements of the ARA and the Standards, applicable privacy legislation, and other legislative obligations relating to collecting, using, disclosing, de-identifying, managing, disposing, and reporting information, as well as the PSO’s protocols for privacy breaches and management response to security incidents.

When contracting third party service providers that will have access to personal information or will be involved in collection, use (including analysis), and disclosure, consult with legal, procurement, records and information management, and privacy professionals to:

  • Assess the privacy and security risks and the sensitivity of the information involved;
  • Develop an information protection plan to ensure protection of access and privacy rights are key considerations in developing third-party agreements;
  • Carefully vet potential service providers to assess their knowledge and capabilities to meet the PSO’s defined privacy requirements in procurement and contracting; and
  • Audit and monitor the service provider’s activities for the duration of the agreement to ensure compliance.

Training and Supporting Resources

Standard 4. Training for Employees, Officers, Consultants and Agents to Perform their Duties

PSOs must provide relevant and effective training and supporting resources to their employees and officers who collect or have any access to personal information so that they clearly understand how to comply with the requirements of the ARA, the regulations and the Standards.

PSOs must ensure that their consultants and agents who collect or have any access to personal information have relevant and effective training and supporting resources so that they clearly understand how to comply with the requirements of the ARA, the regulations and the Standards.

Rationale

Training and supporting resources are essential for the proper application of the Standards.

Guidance

Employees, officers, consultants and agents of organizations should complete any necessary training before they begin their duties and should receive training regularly thereafter, as needed, to ensure ongoing compliance. In addition to establishing knowledge of how to protect personal information, training objectives should include building competencies and capacities in anti-racism and cultural safety.

Resources should reinforce learning and maintain knowledge, and should include relevant tools for applying skills and techniques.

Training and support resources should be periodically reviewed and evaluated so that they are relevant, effective, and delivered efficiently to relevant employees, officers, consultants, and agents.