0003965
Privacy Act, R.S.C., 1985, c. P-21
Office of the Privacy Commissioner of Canada
Statutes (Bills or Acts)
Free
Canada Privacy Act
Privacy Act, R.S.C., 1985, c. P-21
Not Defined
The document as a whole was last reviewed and released on 2024-08-21T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata that are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Privacy Act, R.S.C., 1985, c. P-21 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Privacy Act, R.S.C., 1985, c. P-21 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a product or service pricing program. CC ID 13676 [The head of a government institution that provides the services may charge a fee for those services. The fee is not to exceed the cost of providing the service. § 73.1 (4)] | Establish/Maintain Documentation | Preventive | |
Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 | Process or Activity | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [Every year the head of every government institution shall prepare a report on the administration of this Act within the institution during the period beginning on April 1 of the preceding year and ending on March 31 of the current year. § 72 (1)] | Establish/Maintain Documentation | Preventive | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 | Communicate | Preventive | |
Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 | Establish/Maintain Documentation | Preventive | |
Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 | Establish/Maintain Documentation | Preventive | |
Include a Statement of Compliance in the tactical Information Technology plan. CC ID 06842 | Actionable Reports or Measurements | Preventive | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Actionable Reports or Measurements | Preventive | |
Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance. CC ID 12369 | Establish/Maintain Documentation | Preventive | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Actionable Reports or Measurements | Preventive | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Actionable Reports or Measurements | Preventive | |
Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 | Establish/Maintain Documentation | Preventive | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Actionable Reports or Measurements | Preventive | |
Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534 | Establish/Maintain Documentation | Preventive | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 [Where personal information in a personal information bank under the control of a government institution is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the institution but the use is not included in the statement of consistent uses set forth pursuant to subparagraph 11(1)(a)(iv) in the index referred to in section 11, the head of the government institution shall ensure that the use is included in the next statement of consistent uses set forth in the index. § 9 (4)(b)] | Establish/Maintain Documentation | Preventive | |
Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533 | Establish/Maintain Documentation | Preventive | |
Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532 | Establish/Maintain Documentation | Preventive | |
Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530 | Establish/Maintain Documentation | Preventive | |
Include the organization's fax number in the Statement of Compliance. CC ID 12361 | Establish/Maintain Documentation | Preventive | |
Include the organization's telephone number in the Statement of Compliance. CC ID 12360 | Establish/Maintain Documentation | Preventive | |
Include the organization's e-mail address in the Statement of Compliance. CC ID 12359 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the Statement of Compliance. CC ID 12351 | Establish/Maintain Documentation | Preventive | |
Include the organization's mailing address in the Statement of Compliance. CC ID 12358 | Establish/Maintain Documentation | Preventive | |
Describe how the organization processes personal data in the Statement of Compliance. CC ID 12377 | Establish/Maintain Documentation | Preventive | |
Approve and sign the Statement of Compliance. CC ID 12392 | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Assign and staff all roles appropriately. CC ID 00784 | Testing | Detective | |
Delegate authority for specific processes, as necessary. CC ID 06780 [The head of a government institution may, by order, delegate any of their powers, duties or functions under this Act to one or more officers or employees of that institution. § 73 (1) The head of a government institution may, for the purposes of subsection 73.1(1), by order, delegate any of their powers, duties or functions under this Act to one or more officers or employees of another government institution. § 73 (2)] | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [The head of a government institution that receives the services shall provide a copy of the agreement to the Privacy Commissioner and the designated Minister as soon as possible after the agreement is entered into. The head of the institution shall also notify the Commissioner and the designated Minister of any material change to that agreement. § 73.1 (3) The head of every government institution shall provide a copy of the report to the designated Minister immediately after it is laid before both Houses. § 72 (4)] | Communicate | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Process or Activity | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [The head of the institution that charges the fee may spend the revenues that are received from the provision of the services for any purpose of that institution. If the head of the institution spends the revenues, he or she must do so in the fiscal year in which they are received or, unless an appropriation Act provides otherwise, in the next fiscal year. § 73.1 (5)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Business Processes | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Establish/Maintain Documentation | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Establish/Maintain Documentation | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term

Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution. § 12 (1)(b)] | Data and Information Management | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Establish/Maintain Documentation | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Establish/Maintain Documentation | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Establish/Maintain Documentation | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11(1)(a)(iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information. § 9 (1)] | Establish/Maintain Documentation | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Establish/Maintain Documentation | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Establish/Maintain Documentation | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Establish/Maintain Documentation | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Establish/Maintain Documentation | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Establish/Maintain Documentation | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Communicate | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 [The head of a government institution shall notify the Privacy Commissioner in writing of any disclosure of personal information under paragraph (2)(m) prior to the disclosure where reasonably practicable or in any other case forthwith on the disclosure, and the Privacy Commissioner may, if the Commissioner deems it appropriate, notify the individual to whom the information relates of the disclosure. § 8 (5) Where personal information in a personal information bank under the control of a government institution is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the institution but the use is not included in the statement of consistent uses set forth pursuant to subparagraph 11(1)(a)(iv) in the index referred to in section 11, the head of the government institution shall forthwith notify the Privacy Commissioner of the use for which the information was used or disclosed; and § 9 (4)(a) The head of a government institution that receives the services shall provide a copy of the agreement to the Privacy Commissioner and the designated Minister as soon as possible after the agreement is entered into. The head of the institution shall also notify the Commissioner and the designated Minister of any material change to that agreement. § 73.1 (3)] | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 [{require} Subject to subsection (5), no new personal information bank shall be established and no existing personal information banks shall be substantially modified without approval of the designated Minister or otherwise than in accordance with any term or condition on which such approval is given. § 71 (4)] | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless the applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, and subject to subsection (2.1), the Privacy Commissioner may, during the investigation of any complaint under this Act, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen's Privy Council for Canada to which subsection 70(1) applies, and no information that the Commissioner may examine under this subsection may be withheld from the Commissioner on any grounds. § 34 (2) Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, the Court may, in the course of any proceedings before it arising from an application under section 41, 42 or 43, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen's Privy Council for Canada to which subsection 70(1) applies, and no information that the Court may examine under this section may be withheld from the Court on any grounds. § 45] | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
Cooperate with Data Protection Authorities. CC ID 06870 [{do not} No person shall obstruct the Privacy Commissioner or any person acting on behalf or under the direction of the Commissioner in the performance of the Commissioner's duties and functions under this Act. § 68 (1)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 [A government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected. § 5 (2)] | Behavior | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Establish/Maintain Documentation | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 [A request for access to personal information under paragraph 12(1)(b) shall be made in writing to the government institution that has control of the information and shall provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution. § 13 (2) A request for access to personal information under paragraph 12(1)(a) shall be made in writing to the government institution that has control of the personal information bank that contains the information and shall identify the bank. § 13 (1)] | Establish/Maintain Documentation | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 [Where access to personal information is requested under subsection 12(1), the head of the government institution to which the request is made shall, subject to section 15, within thirty days after the request is received, give written notice to the individual who made the request as to whether or not access to the information or a part thereof will be given; and § 14 (a)] | Behavior | Preventive | |
Respond to data access requests in an official language. CC ID 17176 [Where access to personal information is to be given under this Act and the individual to whom access is to be given requests that access be given in a particular one of the official languages of Canada, access shall be given in that language, if the personal information already exists under the control of a government institution in that language; and § 17 (2)(a)] | Communicate | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 [Where access to personal information is requested under subsection 12(1), the head of the government institution to which the request is made shall, subject to section 15, within thirty days after the request is received, if access is to be given, give the individual who made the request access to the information or the part thereof. § 14 (b) Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to any personal information about the individual contained in a personal information bank; and § 12 (1)(a) Subject to any regulations made under paragraph 77(1)(o), where an individual is to be given access to personal information requested under subsection 12(1), the government institution shall permit the individual to examine the information in accordance with the regulations; or § 17 (1)(a) Subject to any regulations made under paragraph 77(1)(o), where an individual is to be given access to personal information requested under subsection 12(1), the government institution shall provide the individual with a copy thereof. § 17 (1)(b)] | Establish/Maintain Documentation | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to request correction of the personal information where the individual believes there is an error or omission therein; § 12 (2)(a)] | Establish/Maintain Documentation | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 [The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11(1)(a)(iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information. § 9 (1) The head of a government institution shall cause to be included in personal information banks all personal information under the control of the government institution that is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. § 10 (1)(b)] | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Establish/Maintain Documentation | Preventive | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Records Management | Preventive | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Records Management | Preventive | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Records Management | Preventive | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Records Management | Preventive | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Records Management | Preventive | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 [The head of a government institution shall cause to be included in personal information banks all personal information under the control of the government institution that has been used, is being used or is available for use for an administrative purpose; or § 10 (1)(a)] | Records Management | Preventive | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Records Management | Preventive | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Records Management | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Records Management | Preventive | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Records Management | Preventive | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Records Management | Preventive | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Records Management | Preventive | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Records Management | Preventive | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Records Management | Preventive | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Records Management | Preventive | |
Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for a purpose for which the information may be disclosed to the institution under subsection 8(2). § 7 (b)] | Data and Information Management | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Process or Activity | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Data and Information Management | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Data and Information Management | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Data and Information Management | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Data and Information Management | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Data and Information Management | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Data and Information Management | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 | Data and Information Management | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Data and Information Management | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Data and Information Management | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 | Data and Information Management | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Data and Information Management | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Data and Information Management | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 | Data and Information Management | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or § 7 (a)] | Data and Information Management | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Data and Information Management | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Data and Information Management | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Data and Information Management | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Data and Information Management | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Data and Information Management | Preventive | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section. § 8 (1)] | Data and Information Management | Preventive | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Establish/Maintain Documentation | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure; § 8 (2)(b)] | Communicate | Preventive | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; § 8 (2)(a)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem; § 8 (2)(g)] | Data and Information Management | Preventive | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to officers or employees of the institution for internal audit purposes, or to the office of the Comptroller General or any other person or body specified in the regulations for audit purposes; § 8 (2)(h)] | Data and Information Management | Preventive | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any person or body for research or statistical purposes if the head of the government institution is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates, and § 8 (2)(j)(i) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any person or body for research or statistical purposes if the head of the government institution obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates; § 8 (2)(j)(ii) Subject to any other Act of Parliament, personal information under the custody or control of the Library and Archives of Canada that has been transferred there by a government institution for historical or archival purposes may be disclosed in accordance with the regulations to any person or body for research or statistical purposes. § 8 (3)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or § 8 (2)(m)(i)] | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to the Library and Archives of Canada for archival purposes; § 8 (2)(i)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose where, in the opinion of the head of the institution, disclosure would clearly benefit the individual to whom the information relates. § 8 (2)(m)(ii) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any aboriginal government, association of aboriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of such government, association, band, institution or part thereof, for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada; § 8 (2)(k)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information; § 8 (2)(c) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada; § 8 (2)(d) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed; § 8 (2)(e)] | Data and Information Management | Preventive | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Establish/Maintain Documentation | Detective | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose of administering or enforcing any law or carrying out a lawful investigation, under an agreement or arrangement between the Government of Canada or any of its institutions and any of the following entities or any of their institutions: § 8 (2)(f)] | Data and Information Management | Preventive | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Data and Information Management | Preventive | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any government institution for the purpose of locating an individual in order to collect a debt owing to Her Majesty in right of Canada by that individual or make a payment owing to that individual by Her Majesty in right of Canada; and § 8 (2)(l)] | Data and Information Management | Preventive | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information. § 6 (1)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [A government institution shall dispose of personal information under the control of the institution in accordance with the regulations and in accordance with any directives or guidelines issued by the designated minister in relation to the disposal of that information. § 6 (3)] | Establish/Maintain Documentation | Preventive | |
Capture personal data removal requests. CC ID 13507 | Communicate | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Records Management | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except § 7] | Data and Information Management | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Data and Information Management | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [The head of a government institution may disclose any personal information requested under subsection 12(1) that was obtained from any government, organization or institution described in subsection (1) if the government, organization or institution from which the information was obtained makes the information public. § 19 (2)(b)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Communicate | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Establish/Maintain Documentation | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [Where the head of a government institution refuses to give access to any personal information requested under subsection 12(1), the head of the institution shall state in the notice given under paragraph 14(a) that the personal information does not exist, or § 16 (1)(a)] | Data and Information Management | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament, if the disclosure could reasonably be expected to reveal information about the individual originally obtained on a promise of confidentiality, express or implied. § 24 (b)] | Data and Information Management | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada or any state allied or associated with Canada, as defined in subsection 15(2) of the Access to Information Act, or the efforts of Canada toward detecting, preventing or suppressing subversive or hostile activities, as defined in subsection 15(2) of the Access to Information Act, including, without restricting the generality of the foregoing, any such information listed in paragraphs 15(1)(a) to (i) of the Access to Information Act. § 21] | Data and Information Management | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 [{solicitor} {client} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is subject to solicitor-client privilege or the professional secrecy of advocates and notaries or to litigation privilege. § 27] | Data and Information Management | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is subject to the privilege set out in section 16.1 of the Patent Act or section 51.13 of the Trademarks Act. § 27.1] | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to threaten the safety of individuals. § 25 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that relates to the physical or mental health of the individual who requested it where the examination of the information by the individual would be contrary to the best interests of the individual. § 28] | Data and Information Management | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information that would reveal the identity of a confidential source of information, or § 22 (1)(b)(ii) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances if disclosure of the information could reasonably be expected to reveal the identity of the individual who furnished the investigative body with the information. § 23 ¶ 1 {other individual} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) about an individual other than the individual who made the request, and shall refuse to disclose such information where the disclosure is prohibited under section 8. § 26] | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the conduct by the Government of Canada of federal-provincial affairs. § 20 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the security of penal institutions. § 22 (1)(c)] | Data and Information Management | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by any government institution, or part of any government institution, that is an investigative body specified in the regulations in the course of lawful investigations pertaining to the detection, prevention or suppression of crime, the enforcement of any law of Canada or a province, or activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act, if the information came into existence less than twenty years prior to the request; § 22 (1)(a) ¶ 1 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information § 22 (1)(b) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information relating to the existence or nature of a particular investigation, § 22 (1)(b)(i) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information that was obtained or prepared in the course of an investigation; or § 22 (1)(b)(iii) The head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by the Royal Canadian Mounted Police while performing policing services for a province or municipality pursuant to an arrangement made under section 20 of the Royal Canadian Mounted Police Act, where the Government of Canada has, on the request of the province or municipality, agreed not to disclose such information. § 22 (2) The head of a government institution shall refuse to disclose personal information requested under subsection 12(1) that was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act. § 22.3 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament, if the disclosure could reasonably be expected to lead to a serious disruption of the individual's institutional, parole or statutory release program; or § 24 (a)] | Data and Information Management | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is contained in a personal information bank designated as an exempt bank under subsection (1). § 18 (2) {other individual} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) about an individual other than the individual who made the request, and shall refuse to disclose such information where the disclosure is prohibited under section 8. § 26] | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances required by the Government of Canada or a government institution in respect of individuals employed by or performing services for the Government of Canada or a government institution, individuals employed by or performing services for a person or body performing services for the Government of Canada or a government institution, individuals seeking to be so employed or seeking to perform those services, or § 23 (a) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances required by the government of a province or a foreign state or an institution thereof, § 23 (b)] | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Data and Information Management | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 [Where the head of a government institution refuses to give access to any personal information requested under subsection 12(1), the head of the institution shall state in the notice given under paragraph 14(a) the specific provision of this Act on which the refusal was based or the provision on which a refusal could reasonably be expected to be based if the information existed, § 16 (1)(b)] | Communicate | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the government of a foreign state or an institution thereof; § 19 (1)(a) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from an international organization of states or an institution thereof; § 19 (1)(b) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the government of a province or an institution thereof; § 19 (1)(c) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from a municipal or regional government established by or pursuant to an Act of the legislature of a province or an institution of such a government; § 19 (1)(d) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act; § 19 (1)(e) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the Whitecap Dakota Government, as defined in section 2 of the Self-Government Treaty Recognizing the Whitecap Dakota Nation / Wapaha Ska Dakota Oyate Act; § 19 (1)(e.1) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the council of a participating First Nation as defined in subsection 2(1) of the First Nations Jurisdiction over Education in British Columbia Act; or § 19 (1)(f) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from a First Nation Government or the Anishinabek Nation Government, as defined in section 2 of the Anishinabek Nation Governance Agreement Act, or an Anishinaabe Institution, within the meaning of section 1.1 of the Agreement, as defined in section 2 of that Act. § 19 (1)(g)] | Process or Activity | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Data and Information Management | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 [Where, pursuant to a request under paragraph (1)(b), the head of a government institution gives notice to the Privacy Commissioner that access to personal information will be given to a complainant, the head of the institution shall give the complainant access to the information forthwith on giving the notice. § 35 (4)] | Data and Information Management | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{extend} {time limit} {request} {personal information} by giving notice of the extension and the length of the extension to the individual who made the request within thirty days after the request is received, which notice shall contain a statement that the individual has a right to make a complaint to the Privacy Commissioner about the extension. § 15 ¶ 1] | Communicate | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 [{personal information} The head of a government institution may extend the time limit set out in section 14 in respect of a request for a maximum of thirty days if consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit, or § 15 (a)(ii) The head of a government institution may extend the time limit set out in section 14 in respect of a request for such period of time as is reasonable, if additional time is necessary for translation purposes or for the purposes of converting the personal information into an alternative format, § 15 (b)] | Data and Information Management | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 [{personal information} The head of a government institution may extend the time limit set out in section 14 in respect of a request for a maximum of thirty days if meeting the original time limit would unreasonably interfere with the operations of the government institution, or § 15 (a)(i)] | Data and Information Management | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 [Where access to personal information is to be given under this Act and the individual to whom access is to be given has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if the personal information already exists under the control of a government institution in an alternative format that is acceptable to the individual; or § 17 (3)(a) Where access to personal information is to be given under this Act and the individual to whom access is to be given has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if the head of the government institution that has control of the personal information considers the giving of access in an alternative format to be necessary to enable the individual to exercise the individual's right of access under this Act and considers it reasonable to cause the personal information to be converted. § 17 (3)(b)] | Data and Information Management | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [{refrain from collecting} No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution. § 4] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
Use personal data for specified purposes. CC ID 11831 | Data and Information Management | Preventive | |
Post the collection purpose. CC ID 00101 | Establish/Maintain Documentation | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Data and Information Management | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Data and Information Management | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Data and Information Management | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Data and Information Management | Preventive | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 [For the purposes of this Act, a record retained under subsection (1) shall be deemed to form part of the personal information to which it is attached. § 9 (3)] | Establish/Maintain Documentation | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Data and Information Management | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 [A government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2). § 5 (1)] | Data and Information Management | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
Collect restricted data in a fair and lawful manner. CC ID 00010 | Data and Information Management | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Data and Information Management | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Data and Information Management | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Data and Information Management | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Data and Information Management | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Data and Information Management | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Data and Information Management | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Data and Information Management | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Data and Information Management | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Data and Information Management | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Data and Information Management | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Data and Information Management | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Data and Information Management | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Data and Information Management | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Data and Information Management | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Data and Information Management | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Data and Information Management | Preventive | |
Collect restricted data when required by law. CC ID 00031 | Data and Information Management | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Data and Information Management | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Data and Information Management | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 | Data and Information Management | Preventive | |
Validate the business need for maintaining collected restricted data. CC ID 17090 | Data and Information Management | Preventive | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Establish/Maintain Documentation | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 | Data and Information Management | Corrective | |
File privacy rights violation complaints in writing. CC ID 00477 [A complaint under this Act shall be made to the Privacy Commissioner in writing unless the Commissioner authorizes otherwise. § 30] | Establish/Maintain Documentation | Corrective | |
Include supporting documentation in the privacy rights violation complaint. CC ID 16997 | Establish/Maintain Documentation | Preventive | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Establish/Maintain Documentation | Corrective | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Establish/Maintain Documentation | Preventive | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [{extend} {time limit} {request} {personal information} by giving notice of the extension and the length of the extension to the individual who made the request within thirty days after the request is received, which notice shall contain a statement that the individual has a right to make a complaint to the Privacy Commissioner about the extension. § 15 ¶ 1 {refuse} {request for personal information} and shall state in the notice that the individual who made the request has a right to make a complaint to the Privacy Commissioner about the refusal. § 16 (1) ¶ 1] | Behavior | Corrective | |
Change or destroy any personal data that is incorrect. CC ID 00462 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information where the disclosure is to a government institution, the institution make the correction or notation on any copy of the information under its control. § 12 (2)(c)(ii)] | Data and Information Management | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Establish/Maintain Documentation | Preventive | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Data and Information Management | Preventive | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information be notified of the correction or notation, and § 12 (2)(c)(i)] | Behavior | Corrective | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Establish/Maintain Documentation | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that a notation be attached to the information reflecting any correction requested but not made; and § 12 (2)(b) Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information where the disclosure is to a government institution, the institution make the correction or notation on any copy of the information under its control. § 12 (2)(c)(ii)] | Establish/Maintain Documentation | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 [In any proceedings before the Court arising from an application under section 41, 42 or 43, the burden of establishing that the head of a government institution is authorized to refuse to disclose personal information requested under subsection 12(1) or that a file should be included in a personal information bank designated as an exempt bank under section 18 shall be on the government institution concerned. § 47 {be liable} Every person who contravenes this section is guilty of an offence and liable on summary conviction to a fine not exceeding one thousand dollars. § 68 (2)] | Establish/Maintain Documentation | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Establish/Maintain Documentation | Preventive | |
Check the accuracy of restricted data. CC ID 00088 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Data and Information Management | Preventive | |
Record restricted data correctly. CC ID 00089 | Testing | Detective | |
Check that restricted data is complete. CC ID 00090 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Data and Information Management | Preventive | |
Keep restricted data up-to-date and valid. CC ID 00091 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Data and Information Management | Preventive |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a translation management program. CC ID 14316 [Where access to personal information is to be given under this Act and the individual to whom access is to be given requests that access be given in a particular one of the official languages of Canada, where the personal information does not exist in that language, the head of the government institution that has control of the personal information shall cause it to be translated or interpreted for the individual if the head of the institution considers a translation or interpretation to be necessary to enable the individual to understand the information. § 17 (2)(b)] | Establish/Maintain Documentation | Preventive | |
Translate graphic materials, as necessary. CC ID 14324 | Process or Activity | Detective | |
Include translation standards in the translation management program. CC ID 16251 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Records Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [A government institution may provide services under subsection (1) to another government institution only if it enters into an agreement in writing with the other government institution in respect of those services before it provides the services. § 73.1 (2)] | Process or Activity | Detective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Acquisition/Sale of Assets or Services | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Acquisition/Sale of Assets or Services | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under this Act to another government institution that is presided over by the same Minister or that is under the responsibility of the same Minister and may receive such services from any other such government institution. § 73.1 (1)] | Process or Activity | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Establish/Maintain Documentation | Detective | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
Approve all Service Level Agreements. CC ID 00843 | Establish/Maintain Documentation | Detective | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Business Processes | Corrective | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [The personal information that the head of a government institution provides to the head of another government institution for the purpose of the other institution providing the services referred to in subsection 73.1(1) is not under the control of that other institution. § 73.2] | Establish/Maintain Documentation | Detective | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Business Processes | Preventive | |
Provide products or services per customer requests. CC ID 08893 [A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under this Act to another government institution that is presided over by the same Minister or that is under the responsibility of the same Minister and may receive such services from any other such government institution. § 73.1 (1)] | Business Processes | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Preventive | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include a Statement of Compliance in the tactical Information Technology plan. CC ID 06842 | Audits and risk management | Preventive | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Audits and risk management | Preventive | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Audits and risk management | Preventive | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Audits and risk management | Preventive | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Delegate authority for specific processes, as necessary. CC ID 06780 [The head of a government institution may, by order, delegate any of their powers, duties or functions under this Act to one or more officers or employees of that institution. § 73 (1) The head of a government institution may, for the purposes of subsection 73.1(1), by order, delegate any of their powers, duties or functions under this Act to one or more officers or employees of another government institution. § 73 (2)] | Human Resources management | Preventive | |
Notify the supervisory authority. CC ID 00472 [The head of a government institution shall notify the Privacy Commissioner in writing of any disclosure of personal information under paragraph (2)(m) prior to the disclosure where reasonably practicable or in any other case forthwith on the disclosure, and the Privacy Commissioner may, if the Commissioner deems it appropriate, notify the individual to whom the information relates of the disclosure. § 8 (5) Where personal information in a personal information bank under the control of a government institution is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the institution but the use is not included in the statement of consistent uses set forth pursuant to subparagraph 11(1)(a)(iv) in the index referred to in section 11, the head of the government institution shall forthwith notify the Privacy Commissioner of the use for which the information was used or disclosed; and § 9 (4)(a) The head of a government institution that receives the services shall provide a copy of the agreement to the Privacy Commissioner and the designated Minister as soon as possible after the agreement is entered into. The head of the institution shall also notify the Commissioner and the designated Minister of any material change to that agreement. § 73.1 (3)] | Privacy protection for information and data | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 [A government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected. § 5 (2)] | Privacy protection for information and data | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 [Where access to personal information is requested under subsection 12(1), the head of the government institution to which the request is made shall, subject to section 15, within thirty days after the request is received, give written notice to the individual who made the request as to whether or not access to the information or a part thereof will be given; and § 14 (a)] | Privacy protection for information and data | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [{extend} {time limit} {request} {personal information} by giving notice of the extension and the length of the extension to the individual who made the request within thirty days after the request is received, which notice shall contain a statement that the individual has a right to make a complaint to the Privacy Commissioner about the extension. § 15 ¶ 1 {refuse} {request for personal information} and shall state in the notice that the individual who made the request has a right to make a complaint to the Privacy Commissioner about the refusal. § 16 (1) ¶ 1] | Privacy protection for information and data | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information be notified of the correction or notation, and § 12 (2)(c)(i)] | Privacy protection for information and data | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Corrective | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Preventive | |
Provide products or services per customer requests. CC ID 08893 [A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under this Act to another government institution that is presided over by the same Minister or that is under the responsibility of the same Minister and may receive such services from any other such government institution. § 73.1 (1)] | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [The head of a government institution that receives the services shall provide a copy of the agreement to the Privacy Commissioner and the designated Minister as soon as possible after the agreement is entered into. The head of the institution shall also notify the Commissioner and the designated Minister of any material change to that agreement. § 73.1 (3) The head of every government institution shall provide a copy of the report to the designated Minister immediately after it is laid before both Houses. § 72 (4)] | Leadership and high level objectives | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 | Audits and risk management | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Privacy protection for information and data | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 [{require} Subject to subsection (5), no new personal information bank shall be established and no existing personal information banks shall be substantially modified without approval of the designated Minister or otherwise than in accordance with any term or condition on which such approval is given. § 71 (4)] | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Respond to data access requests in an official language. CC ID 17176 [Where access to personal information is to be given under this Act and the individual to whom access is to be given requests that access be given in a particular one of the official languages of Canada, access shall be given in that language, if the personal information already exists under the control of a government institution in that language; and § 17 (2)(a)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure; § 8 (2)(b)] | Privacy protection for information and data | Preventive | |
Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 [Where the head of a government institution refuses to give access to any personal information requested under subsection 12(1), the head of the institution shall state in the notice given under paragraph 14(a) the specific provision of this Act on which the refusal was based or the provision on which a refusal could reasonably be expected to be based if the information existed, § 16 (1)(b)] | Privacy protection for information and data | Preventive | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{extend} {time limit} {request} {personal information} by giving notice of the extension and the length of the extension to the individual who made the request within thirty days after the request is received, which notice shall contain a statement that the individual has a right to make a complaint to the Privacy Commissioner about the extension. § 15 ¶ 1] | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution. § 12 (1)(b)] | Privacy protection for information and data | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
Cooperate with Data Protection Authorities. CC ID 06870 [{do not} No person shall obstruct the Privacy Commissioner or any person acting on behalf or under the direction of the Commissioner in the performance of the Commissioner's duties and functions under this Act. § 68 (1)] | Privacy protection for information and data | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for a purpose for which the information may be disclosed to the institution under subsection 8(2). § 7 (b)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or § 7 (a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Preventive | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section. § 8 (1)] | Privacy protection for information and data | Preventive | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; § 8 (2)(a)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem; § 8 (2)(g)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to officers or employees of the institution for internal audit purposes, or to the office of the Comptroller General or any other person or body specified in the regulations for audit purposes; § 8 (2)(h)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any person or body for research or statistical purposes if the head of the government institution is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates, and § 8 (2)(j)(i) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any person or body for research or statistical purposes if the head of the government institution obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates; § 8 (2)(j)(ii) Subject to any other Act of Parliament, personal information under the custody or control of the Library and Archives of Canada that has been transferred there by a government institution for historical or archival purposes may be disclosed in accordance with the regulations to any person or body for research or statistical purposes. § 8 (3)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or § 8 (2)(m)(i)] | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to the Library and Archives of Canada for archival purposes; § 8 (2)(i)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose where, in the opinion of the head of the institution, disclosure would clearly benefit the individual to whom the information relates. § 8 (2)(m)(ii) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any aboriginal government, association of aboriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of such government, association, band, institution or part thereof, for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada; § 8 (2)(k)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information; § 8 (2)(c) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada; § 8 (2)(d) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed; § 8 (2)(e)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose of administering or enforcing any law or carrying out a lawful investigation, under an agreement or arrangement between the Government of Canada or any of its institutions and any of the following entities or any of their institutions: § 8 (2)(f)] | Privacy protection for information and data | Preventive | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any government institution for the purpose of locating an individual in order to collect a debt owing to Her Majesty in right of Canada by that individual or make a payment owing to that individual by Her Majesty in right of Canada; and § 8 (2)(l)] | Privacy protection for information and data | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except § 7] | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [Where the head of a government institution refuses to give access to any personal information requested under subsection 12(1), the head of the institution shall state in the notice given under paragraph 14(a) that the personal information does not exist, or § 16 (1)(a)] | Privacy protection for information and data | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament, if the disclosure could reasonably be expected to reveal information about the individual originally obtained on a promise of confidentiality, express or implied. § 24 (b)] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada or any state allied or associated with Canada, as defined in subsection 15(2) of the Access to Information Act, or the efforts of Canada toward detecting, preventing or suppressing subversive or hostile activities, as defined in subsection 15(2) of the Access to Information Act, including, without restricting the generality of the foregoing, any such information listed in paragraphs 15(1)(a) to (i) of the Access to Information Act. § 21] | Privacy protection for information and data | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 [{solicitor} {client} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is subject to solicitor-client privilege or the professional secrecy of advocates and notaries or to litigation privilege. § 27] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is subject to the privilege set out in section 16.1 of the Patent Act or section 51.13 of the Trademarks Act. § 27.1] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to threaten the safety of individuals. § 25 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that relates to the physical or mental health of the individual who requested it where the examination of the information by the individual would be contrary to the best interests of the individual. § 28] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information that would reveal the identity of a confidential source of information, or § 22 (1)(b)(ii) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances if disclosure of the information could reasonably be expected to reveal the identity of the individual who furnished the investigative body with the information. § 23 ¶ 1 {other individual} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) about an individual other than the individual who made the request, and shall refuse to disclose such information where the disclosure is prohibited under section 8. § 26] | Privacy protection for information and data | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the conduct by the Government of Canada of federal-provincial affairs. § 20 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the security of penal institutions. § 22 (1)(c)] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by any government institution, or part of any government institution, that is an investigative body specified in the regulations in the course of lawful investigations pertaining to the detection, prevention or suppression of crime, the enforcement of any law of Canada or a province, or activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act, if the information came into existence less than twenty years prior to the request; § 22 (1)(a) ¶ 1 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information § 22 (1)(b) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information relating to the existence or nature of a particular investigation, § 22 (1)(b)(i) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information that was obtained or prepared in the course of an investigation; or § 22 (1)(b)(iii) The head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by the Royal Canadian Mounted Police while performing policing services for a province or municipality pursuant to an arrangement made under section 20 of the Royal Canadian Mounted Police Act, where the Government of Canada has, on the request of the province or municipality, agreed not to disclose such information. § 22 (2) The head of a government institution shall refuse to disclose personal information requested under subsection 12(1) that was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act. § 22.3 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament, if the disclosure could reasonably be expected to lead to a serious disruption of the individual's institutional, parole or statutory release program; or § 24 (a)] | Privacy protection for information and data | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is contained in a personal information bank designated as an exempt bank under subsection (1). § 18 (2) {other individual} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) about an individual other than the individual who made the request, and shall refuse to disclose such information where the disclosure is prohibited under section 8. § 26] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances required by the Government of Canada or a government institution in respect of individuals employed by or performing services for the Government of Canada or a government institution, individuals employed by or performing services for a person or body performing services for the Government of Canada or a government institution, individuals seeking to be so employed or seeking to perform those services, or § 23 (a) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances required by the government of a province or a foreign state or an institution thereof, § 23 (b)] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 [Where, pursuant to a request under paragraph (1)(b), the head of a government institution gives notice to the Privacy Commissioner that access to personal information will be given to a complainant, the head of the institution shall give the complainant access to the information forthwith on giving the notice. § 35 (4)] | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 [{personal information} The head of a government institution may extend the time limit set out in section 14 in respect of a request for a maximum of thirty days if consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit, or § 15 (a)(ii) The head of a government institution may extend the time limit set out in section 14 in respect of a request for such period of time as is reasonable, if additional time is necessary for translation purposes or for the purposes of converting the personal information into an alternative format, § 15 (b)] | Privacy protection for information and data | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 [{personal information} The head of a government institution may extend the time limit set out in section 14 in respect of a request for a maximum of thirty days if meeting the original time limit would unreasonably interfere with the operations of the government institution, or § 15 (a)(i)] | Privacy protection for information and data | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 [Where access to personal information is to be given under this Act and the individual to whom access is to be given has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if the personal information already exists under the control of a government institution in an alternative format that is acceptable to the individual; or § 17 (3)(a) Where access to personal information is to be given under this Act and the individual to whom access is to be given has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if the head of the government institution that has control of the personal information considers the giving of access in an alternative format to be necessary to enable the individual to exercise the individual's right of access under this Act and considers it reasonable to cause the personal information to be converted. § 17 (3)(b)] | Privacy protection for information and data | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 [A government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2). § 5 (1)] | Privacy protection for information and data | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Preventive | |
Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Preventive | |
Validate the business need for maintaining collected restricted data. CC ID 17090 | Privacy protection for information and data | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Corrective | |
Change or destroy any personal data that is incorrect. CC ID 00462 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information where the disclosure is to a government institution, the institution make the correction or notation on any copy of the information under its control. § 12 (2)(c)(ii)] | Privacy protection for information and data | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
Check the accuracy of restricted data. CC ID 00088 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Privacy protection for information and data | Preventive | |
Check that restricted data is complete. CC ID 00090 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Privacy protection for information and data | Preventive | |
Keep restricted data up-to-date and valid. CC ID 00091 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Privacy protection for information and data | Preventive | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [The head of the institution that charges the fee may spend the revenues that are received from the provision of the services for any purpose of that institution. If the head of the institution spends the revenues, he or she must do so in the fiscal year in which they are received or, unless an appropriation Act provides otherwise, in the next fiscal year. § 73.1 (5)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [Every year the head of every government institution shall prepare a report on the administration of this Act within the institution during the period beginning on April 1 of the preceding year and ending on March 31 of the current year. § 72 (1)] | Audits and risk management | Preventive | |
Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 | Audits and risk management | Preventive | |
Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 | Audits and risk management | Preventive | |
Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance. CC ID 12369 | Audits and risk management | Preventive | |
Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 | Audits and risk management | Preventive | |
Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534 | Audits and risk management | Preventive | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 [Where personal information in a personal information bank under the control of a government institution is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the institution but the use is not included in the statement of consistent uses set forth pursuant to subparagraph 11(1)(a)(iv) in the index referred to in section 11, the head of the government institution shall ensure that the use is included in the next statement of consistent uses set forth in the index. § 9 (4)(b)] | Audits and risk management | Preventive | |
Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533 | Audits and risk management | Preventive | |
Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532 | Audits and risk management | Preventive | |
Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530 | Audits and risk management | Preventive | |
Include the organization's fax number in the Statement of Compliance. CC ID 12361 | Audits and risk management | Preventive | |
Include the organization's telephone number in the Statement of Compliance. CC ID 12360 | Audits and risk management | Preventive | |
Include the organization's e-mail address in the Statement of Compliance. CC ID 12359 | Audits and risk management | Preventive | |
Include the organization's name in the Statement of Compliance. CC ID 12351 | Audits and risk management | Preventive | |
Include the organization's mailing address in the Statement of Compliance. CC ID 12358 | Audits and risk management | Preventive | |
Describe how the organization processes personal data in the Statement of Compliance. CC ID 12377 | Audits and risk management | Preventive | |
Approve and sign the Statement of Compliance. CC ID 12392 | Audits and risk management | Preventive | |
Establish, implement, and maintain a translation management program. CC ID 14316 [Where access to personal information is to be given under this Act and the individual to whom access is to be given requests that access be given in a particular one of the official languages of Canada, where the personal information does not exist in that language, the head of the government institution that has control of the personal information shall cause it to be translated or interpreted for the individual if the head of the institution considers a translation or interpretation to be necessary to enable the individual to understand the information. § 17 (2)(b)] | Records management | Preventive | |
Include translation standards in the translation management program. CC ID 16251 | Records management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain a product or service pricing program. CC ID 13676 [The head of a government institution that provides the services may charge a fee for those services. The fee is not to exceed the cost of providing the service. § 73.1 (4)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Privacy protection for information and data | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11(1)(a)(iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information. § 9 (1)] | Privacy protection for information and data | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 [A request for access to personal information under paragraph 12(1)(b) shall be made in writing to the government institution that has control of the information and shall provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution. § 13 (2) A request for access to personal information under paragraph 12(1)(a) shall be made in writing to the government institution that has control of the personal information bank that contains the information and shall identify the bank. § 13 (1)] | Privacy protection for information and data | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 [Where access to personal information is requested under subsection 12(1), the head of the government institution to which the request is made shall, subject to section 15, within thirty days after the request is received, if access is to be given, give the individual who made the request access to the information or the part thereof. § 14 (b) Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to any personal information about the individual contained in a personal information bank; and § 12 (1)(a) Subject to any regulations made under paragraph 77(1)(o), where an individual is to be given access to personal information requested under subsection 12(1), the government institution shall permit the individual to examine the information in accordance with the regulations; or § 17 (1)(a) Subject to any regulations made under paragraph 77(1)(o), where an individual is to be given access to personal information requested under subsection 12(1), the government institution shall provide the individual with a copy thereof. § 17 (1)(b)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to request correction of the personal information where the individual believes there is an error or omission therein; § 12 (2)(a)] | Privacy protection for information and data | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 [The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11(1)(a)(iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information. § 9 (1) The head of a government institution shall cause to be included in personal information banks all personal information under the control of the government institution that is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. § 10 (1)(b)] | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Preventive | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information. § 6 (1)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [A government institution shall dispose of personal information under the control of the institution in accordance with the regulations and in accordance with any directives or guidelines issued by the designated minister in relation to the disposal of that information. § 6 (3)] | Privacy protection for information and data | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [The head of a government institution may disclose any personal information requested under subsection 12(1) that was obtained from any government, organization or institution described in subsection (1) if the government, organization or institution from which the information was obtained makes the information public. § 19 (2)(b)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [{refrain from collecting} No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution. § 4] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 [For the purposes of this Act, a record retained under subsection (1) shall be deemed to form part of the personal information to which it is attached. § 9 (3)] | Privacy protection for information and data | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Preventive | |
File privacy rights violation complaints in writing. CC ID 00477 [A complaint under this Act shall be made to the Privacy Commissioner in writing unless the Commissioner authorizes otherwise. § 30] | Privacy protection for information and data | Corrective | |
Include supporting documentation in the privacy rights violation complaint. CC ID 16997 | Privacy protection for information and data | Preventive | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Corrective | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Preventive | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that a notation be attached to the information reflecting any correction requested but not made; and § 12 (2)(b) Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information where the disclosure is to a government institution, the institution make the correction or notation on any copy of the information under its control. § 12 (2)(c)(ii)] | Privacy protection for information and data | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 [In any proceedings before the Court arising from an application under section 41, 42 or 43, the burden of establishing that the head of a government institution is authorized to refuse to disclose personal information requested under subsection 12(1) or that a file should be included in a personal information bank designated as an exempt bank under section 18 shall be on the government institution concerned. § 47 {be liable} Every person who contravenes this section is guilty of an offence and liable on summary conviction to a fine not exceeding one thousand dollars. § 68 (2)] | Privacy protection for information and data | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Detective | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [The personal information that the head of a government institution provides to the head of another government institution for the purpose of the other institution providing the services referred to in subsection 73.1(1) is not under the control of that other institution. § 73.2] | Third Party and supply chain oversight | Detective | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
Translate graphic materials, as necessary. CC ID 14324 | Records management | Detective | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 | Acquisition or sale of facilities, technology, and services | Corrective | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, and subject to subsection (2.1), the Privacy Commissioner may, during the investigation of any complaint under this Act, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen's Privy Council for Canada to which subsection 70(1) applies, and no information that the Commissioner may examine under this subsection may be withheld from the Commissioner on any grounds. § 34 (2) Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, the Court may, in the course of any proceedings before it arising from an application under section 41, 42 or 43, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen's Privy Council for Canada to which subsection 70(1) applies, and no information that the Court may examine under this section may be withheld from the Court on any grounds. § 45] | Privacy protection for information and data | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the government of a foreign state or an institution thereof; § 19 (1)(a) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from an international organization of states or an institution thereof; § 19 (1)(b) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the government of a province or an institution thereof; § 19 (1)(c) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from a municipal or regional government established by or pursuant to an Act of the legislature of a province or an institution of such a government; § 19 (1)(d) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act; § 19 (1)(e) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the Whitecap Dakota Government, as defined in section 2 of the Self-Government Treaty Recognizing the Whitecap Dakota Nation / Wapaha Ska Dakota Oyate Act; § 19 (1)(e.1) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the council of a participating First Nation as defined in subsection 2(1) of the First Nations Jurisdiction over Education in British Columbia Act; or § 19 (1)(f) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from a First Nation Government or the Anishinabek Nation Government, as defined in section 2 of the Anishinabek Nation Governance Agreement Act, or an Anishinaabe Institution, within the meaning of section 1.1 of the Agreement, as defined in section 2 of that Act. § 19 (1)(g)] | Privacy protection for information and data | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [A government institution may provide services under subsection (1) to another government institution only if it enters into an agreement in writing with the other government institution in respect of those services before it provides the services. § 73.1 (2)] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under this Act to another government institution that is presided over by the same Minister or that is under the responsibility of the same Minister and may receive such services from any other such government institution. § 73.1 (1)] | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Retain records in accordance with applicable requirements. CC ID 00968 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Records management | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Preventive | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Preventive | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Preventive | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Preventive | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Preventive | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 [The head of a government institution shall cause to be included in personal information banks all personal information under the control of the government institution that has been used, is being used or is available for use for an administrative purpose; or § 10 (1)(a)] | Privacy protection for information and data | Preventive | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Preventive | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Preventive | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Preventive | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Preventive | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Preventive | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Preventive | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Preventive | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Detective | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Data and Information Management | |
File privacy rights violation complaints in writing. CC ID 00477 [A complaint under this Act shall be made to the Privacy Commissioner in writing unless the Commissioner authorizes otherwise. § 30] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [{extend} {time limit} {request} {personal information} by giving notice of the extension and the length of the extension to the individual who made the request within thirty days after the request is received, which notice shall contain a statement that the individual has a right to make a complaint to the Privacy Commissioner about the extension. § 15 ¶ 1 {refuse} {request for personal information} and shall state in the notice that the individual who made the request has a right to make a complaint to the Privacy Commissioner about the refusal. § 16 (1) ¶ 1] | Privacy protection for information and data | Behavior | |
Change or destroy any personal data that is incorrect. CC ID 00462 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information where the disclosure is to a government institution, the institution make the correction or notation on any copy of the information under its control. § 12 (2)(c)(ii)] | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information be notified of the correction or notation, and § 12 (2)(c)(i)] | Privacy protection for information and data | Behavior | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Business Processes |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Testing | |
Translate graphic materials, as necessary. CC ID 14324 | Records management | Process or Activity | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [A government institution may provide services under subsection (1) to another government institution only if it enters into an agreement in writing with the other government institution in respect of those services before it provides the services. § 73.1 (2)] | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Business Processes | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [The personal information that the head of a government institution provides to the head of another government institution for the purpose of the other institution providing the services referred to in subsection 73.1(1) is not under the control of that other institution. § 73.2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [The head of a government institution that receives the services shall provide a copy of the agreement to the Privacy Commissioner and the designated Minister as soon as possible after the agreement is entered into. The head of the institution shall also notify the Commissioner and the designated Minister of any material change to that agreement. § 73.1 (3) The head of every government institution shall provide a copy of the report to the designated Minister immediately after it is laid before both Houses. § 72 (4)] | Leadership and high level objectives | Communicate | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain a financial management program. CC ID 13228 [The head of the institution that charges the fee may spend the revenues that are received from the provision of the services for any purpose of that institution. If the head of the institution spends the revenues, he or she must do so in the fiscal year in which they are received or, unless an appropriation Act provides otherwise, in the next fiscal year. § 73.1 (5)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [Every year the head of every government institution shall prepare a report on the administration of this Act within the institution during the period beginning on April 1 of the preceding year and ending on March 31 of the current year. § 72 (1)] | Audits and risk management | Establish/Maintain Documentation | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 | Audits and risk management | Communicate | |
Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 | Audits and risk management | Establish/Maintain Documentation | |
Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 | Audits and risk management | Establish/Maintain Documentation | |
Include a Statement of Compliance in the tactical Information Technology plan. CC ID 06842 | Audits and risk management | Actionable Reports or Measurements | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Audits and risk management | Actionable Reports or Measurements | |
Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance. CC ID 12369 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Audits and risk management | Actionable Reports or Measurements | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Audits and risk management | Actionable Reports or Measurements | |
Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362 | Audits and risk management | Establish/Maintain Documentation | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Actionable Reports or Measurements | |
Include the outcomes of privacy rights violation complaints received in the Statement of Compliance. CC ID 12534 | Audits and risk management | Establish/Maintain Documentation | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 [Where personal information in a personal information bank under the control of a government institution is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the institution but the use is not included in the statement of consistent uses set forth pursuant to subparagraph 11(1)(a)(iv) in the index referred to in section 11, the head of the government institution shall ensure that the use is included in the next statement of consistent uses set forth in the index. § 9 (4)(b)] | Audits and risk management | Establish/Maintain Documentation | |
Include dispute resolution quality measures in the Statement of Compliance. CC ID 12533 | Audits and risk management | Establish/Maintain Documentation | |
Include the type of privacy rights violation complaints received in the Statement of Compliance. CC ID 12532 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of privacy rights violation complaints received in the Statement of Compliance. CC ID 12530 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's fax number in the Statement of Compliance. CC ID 12361 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's telephone number in the Statement of Compliance. CC ID 12360 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's e-mail address in the Statement of Compliance. CC ID 12359 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's name in the Statement of Compliance. CC ID 12351 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's mailing address in the Statement of Compliance. CC ID 12358 | Audits and risk management | Establish/Maintain Documentation | |
Describe how the organization processes personal data in the Statement of Compliance. CC ID 12377 | Audits and risk management | Establish/Maintain Documentation | |
Approve and sign the Statement of Compliance. CC ID 12392 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
Delegate authority for specific processes, as necessary. CC ID 06780 [The head of a government institution may, by order, delegate any of their powers, duties or functions under this Act to one or more officers or employees of that institution. § 73 (1) The head of a government institution may, for the purposes of subsection 73.1(1), by order, delegate any of their powers, duties or functions under this Act to one or more officers or employees of another government institution. § 73 (2)] | Human Resources management | Behavior | |
Establish, implement, and maintain a translation management program. CC ID 14316 [Where access to personal information is to be given under this Act and the individual to whom access is to be given requests that access be given in a particular one of the official languages of Canada, where the personal information does not exist in that language, the head of the government institution that has control of the personal information shall cause it to be translated or interpreted for the individual if the head of the institution considers a translation or interpretation to be necessary to enable the individual to understand the information. § 17 (2)(b)] | Records management | Establish/Maintain Documentation | |
Include translation standards in the translation management program. CC ID 16251 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Records management | Records Management | |
Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a product or service pricing program. CC ID 13676 [The head of a government institution that provides the services may charge a fee for those services. The fee is not to exceed the cost of providing the service. § 73.1 (4)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution. § 12 (1)(b)] | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11(1)(a)(iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information. § 9 (1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [{personal information} {make available} The head of a government institution shall retain a copy of every request received by the government institution under paragraph (2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner. § 8 (4)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 [The head of a government institution shall notify the Privacy Commissioner in writing of any disclosure of personal information under paragraph (2)(m) prior to the disclosure where reasonably practicable or in any other case forthwith on the disclosure, and the Privacy Commissioner may, if the Commissioner deems it appropriate, notify the individual to whom the information relates of the disclosure. § 8 (5) Where personal information in a personal information bank under the control of a government institution is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled by the institution but the use is not included in the statement of consistent uses set forth pursuant to subparagraph 11(1)(a)(iv) in the index referred to in section 11, the head of the government institution shall forthwith notify the Privacy Commissioner of the use for which the information was used or disclosed; and § 9 (4)(a) The head of a government institution that receives the services shall provide a copy of the agreement to the Privacy Commissioner and the designated Minister as soon as possible after the agreement is entered into. The head of the institution shall also notify the Commissioner and the designated Minister of any material change to that agreement. § 73.1 (3)] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 [{require} Subject to subsection (5), no new personal information bank shall be established and no existing personal information banks shall be substantially modified without approval of the designated Minister or otherwise than in accordance with any term or condition on which such approval is given. § 71 (4)] | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, and subject to subsection (2.1), the Privacy Commissioner may, during the investigation of any complaint under this Act, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen's Privy Council for Canada to which subsection 70(1) applies, and no information that the Commissioner may examine under this subsection may be withheld from the Commissioner on any grounds. § 34 (2) Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, the Court may, in the course of any proceedings before it arising from an application under section 41, 42 or 43, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen's Privy Council for Canada to which subsection 70(1) applies, and no information that the Court may examine under this section may be withheld from the Court on any grounds. § 45] | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Communicate | |
Cooperate with Data Protection Authorities. CC ID 06870 [{do not} No person shall obstruct the Privacy Commissioner or any person acting on behalf or under the direction of the Commissioner in the performance of the Commissioner's duties and functions under this Act. § 68 (1)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the data subject of the collection purpose. CC ID 00095 [A government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected. § 5 (2)] | Privacy protection for information and data | Behavior | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 [A request for access to personal information under paragraph 12(1)(b) shall be made in writing to the government institution that has control of the information and shall provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution. § 13 (2) A request for access to personal information under paragraph 12(1)(a) shall be made in writing to the government institution that has control of the personal information bank that contains the information and shall identify the bank. § 13 (1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
Respond to data access requests in a timely manner. CC ID 00421 [Where access to personal information is requested under subsection 12(1), the head of the government institution to which the request is made shall, subject to section 15, within thirty days after the request is received, give written notice to the individual who made the request as to whether or not access to the information or a part thereof will be given; and § 14 (a)] | Privacy protection for information and data | Behavior | |
Respond to data access requests in an official language. CC ID 17176 [Where access to personal information is to be given under this Act and the individual to whom access is to be given requests that access be given in a particular one of the official languages of Canada, access shall be given in that language, if the personal information already exists under the control of a government institution in that language; and § 17 (2)(a)] | Privacy protection for information and data | Communicate | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 [Where access to personal information is requested under subsection 12(1), the head of the government institution to which the request is made shall, subject to section 15, within thirty days after the request is received, if access is to be given, give the individual who made the request access to the information or the part thereof. § 14 (b) Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to any personal information about the individual contained in a personal information bank; and § 12 (1)(a) Subject to any regulations made under paragraph 77(1)(o), where an individual is to be given access to personal information requested under subsection 12(1), the government institution shall permit the individual to examine the information in accordance with the regulations; or § 17 (1)(a) Subject to any regulations made under paragraph 77(1)(o), where an individual is to be given access to personal information requested under subsection 12(1), the government institution shall provide the individual with a copy thereof. § 17 (1)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to request correction of the personal information where the individual believes there is an error or omission therein; § 12 (2)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 [The head of a government institution shall retain a record of any use by the institution of personal information contained in a personal information bank or any use or purpose for which that information is disclosed by the institution where the use or purpose is not included in the statements of uses and purposes set forth pursuant to subparagraph 11(1)(a)(iv) and subsection 11(2) in the index referred to in section 11, and shall attach the record to the personal information. § 9 (1) The head of a government institution shall cause to be included in personal information banks all personal information under the control of the government institution that is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. § 10 (1)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Records Management | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Records Management | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Records Management | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Records Management | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Records Management | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 [The head of a government institution shall cause to be included in personal information banks all personal information under the control of the government institution that has been used, is being used or is available for use for an administrative purpose; or § 10 (1)(a)] | Privacy protection for information and data | Records Management | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Records Management | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Records Management | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Records Management | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Records Management | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Records Management | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Records Management | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Records Management | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Records Management | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Records Management | |
Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for a purpose for which the information may be disclosed to the institution under subsection 8(2). § 7 (b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Process or Activity | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Data and Information Management | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or § 7 (a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section. § 8 (1)] | Privacy protection for information and data | Data and Information Management | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure; § 8 (2)(b)] | Privacy protection for information and data | Communicate | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; § 8 (2)(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem; § 8 (2)(g)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to officers or employees of the institution for internal audit purposes, or to the office of the Comptroller General or any other person or body specified in the regulations for audit purposes; § 8 (2)(h)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any person or body for research or statistical purposes if the head of the government institution is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates, and § 8 (2)(j)(i) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any person or body for research or statistical purposes if the head of the government institution obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates; § 8 (2)(j)(ii) Subject to any other Act of Parliament, personal information under the custody or control of the Library and Archives of Canada that has been transferred there by a government institution for historical or archival purposes may be disclosed in accordance with the regulations to any person or body for research or statistical purposes. § 8 (3)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or § 8 (2)(m)(i)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to the Library and Archives of Canada for archival purposes; § 8 (2)(i)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for any purpose where, in the opinion of the head of the institution, disclosure would clearly benefit the individual to whom the information relates. § 8 (2)(m)(ii) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any aboriginal government, association of aboriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of such government, association, band, institution or part thereof, for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada; § 8 (2)(k)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information; § 8 (2)(c) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada; § 8 (2)(d) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed; § 8 (2)(e)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed for the purpose of administering or enforcing any law or carrying out a lawful investigation, under an agreement or arrangement between the Government of Canada or any of its institutions and any of the following entities or any of their institutions: § 8 (2)(f)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed to any government institution for the purpose of locating an individual in order to collect a debt owing to Her Majesty in right of Canada by that individual or make a payment owing to that individual by Her Majesty in right of Canada; and § 8 (2)(l)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information. § 6 (1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [A government institution shall dispose of personal information under the control of the institution in accordance with the regulations and in accordance with any directives or guidelines issued by the designated minister in relation to the disposal of that information. § 6 (3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Communicate | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Records Management | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except § 7] | Privacy protection for information and data | Data and Information Management | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Data and Information Management | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [The head of a government institution may disclose any personal information requested under subsection 12(1) that was obtained from any government, organization or institution described in subsection (1) if the government, organization or institution from which the information was obtained makes the information public. § 19 (2)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Communicate | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [Where the head of a government institution refuses to give access to any personal information requested under subsection 12(1), the head of the institution shall state in the notice given under paragraph 14(a) that the personal information does not exist, or § 16 (1)(a)] | Privacy protection for information and data | Data and Information Management | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament, if the disclosure could reasonably be expected to reveal information about the individual originally obtained on a promise of confidentiality, express or implied. § 24 (b)] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada or any state allied or associated with Canada, as defined in subsection 15(2) of the Access to Information Act, or the efforts of Canada toward detecting, preventing or suppressing subversive or hostile activities, as defined in subsection 15(2) of the Access to Information Act, including, without restricting the generality of the foregoing, any such information listed in paragraphs 15(1)(a) to (i) of the Access to Information Act. § 21] | Privacy protection for information and data | Data and Information Management | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 [{solicitor} {client} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is subject to solicitor-client privilege or the professional secrecy of advocates and notaries or to litigation privilege. § 27] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is subject to the privilege set out in section 16.1 of the Patent Act or section 51.13 of the Trademarks Act. § 27.1] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to threaten the safety of individuals. § 25 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that relates to the physical or mental health of the individual who requested it where the examination of the information by the individual would be contrary to the best interests of the individual. § 28] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information that would reveal the identity of a confidential source of information, or § 22 (1)(b)(ii) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances if disclosure of the information could reasonably be expected to reveal the identity of the individual who furnished the investigative body with the information. § 23 ¶ 1 {other individual} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) about an individual other than the individual who made the request, and shall refuse to disclose such information where the disclosure is prohibited under section 8. § 26] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the conduct by the Government of Canada of federal-provincial affairs. § 20 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the security of penal institutions. § 22 (1)(c)] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by any government institution, or part of any government institution, that is an investigative body specified in the regulations in the course of lawful investigations pertaining to the detection, prevention or suppression of crime, the enforcement of any law of Canada or a province, or activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act, if the information came into existence less than twenty years prior to the request; § 22 (1)(a) ¶ 1 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information § 22 (1)(b) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information relating to the existence or nature of a particular investigation, § 22 (1)(b)(i) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations, including, without restricting the generality of the foregoing, any such information that was obtained or prepared in the course of an investigation; or § 22 (1)(b)(iii) The head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by the Royal Canadian Mounted Police while performing policing services for a province or municipality pursuant to an arrangement made under section 20 of the Royal Canadian Mounted Police Act, where the Government of Canada has, on the request of the province or municipality, agreed not to disclose such information. § 22 (2) The head of a government institution shall refuse to disclose personal information requested under subsection 12(1) that was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act. § 22.3 The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament, if the disclosure could reasonably be expected to lead to a serious disruption of the individual's institutional, parole or statutory release program; or § 24 (a)] | Privacy protection for information and data | Data and Information Management | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is contained in a personal information bank designated as an exempt bank under subsection (1). § 18 (2) {other individual} The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) about an individual other than the individual who made the request, and shall refuse to disclose such information where the disclosure is prohibited under section 8. § 26] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances required by the Government of Canada or a government institution in respect of individuals employed by or performing services for the Government of Canada or a government institution, individuals employed by or performing services for a person or body performing services for the Government of Canada or a government institution, individuals seeking to be so employed or seeking to perform those services, or § 23 (a) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances required by the government of a province or a foreign state or an institution thereof, § 23 (b)] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Data and Information Management | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 [Where the head of a government institution refuses to give access to any personal information requested under subsection 12(1), the head of the institution shall state in the notice given under paragraph 14(a) the specific provision of this Act on which the refusal was based or the provision on which a refusal could reasonably be expected to be based if the information existed, § 16 (1)(b)] | Privacy protection for information and data | Communicate | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the government of a foreign state or an institution thereof; § 19 (1)(a) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from an international organization of states or an institution thereof; § 19 (1)(b) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the government of a province or an institution thereof; § 19 (1)(c) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from a municipal or regional government established by or pursuant to an Act of the legislature of a province or an institution of such a government; § 19 (1)(d) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act; § 19 (1)(e) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the Whitecap Dakota Government, as defined in section 2 of the Self-Government Treaty Recognizing the Whitecap Dakota Nation / Wapaha Ska Dakota Oyate Act; § 19 (1)(e.1) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from the council of a participating First Nation as defined in subsection 2(1) of the First Nations Jurisdiction over Education in British Columbia Act; or § 19 (1)(f) {aboriginal} Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from a First Nation Government or the Anishinabek Nation Government, as defined in section 2 of the Anishinabek Nation Governance Agreement Act, or an Anishinaabe Institution, within the meaning of section 1.1 of the Agreement, as defined in section 2 of that Act. § 19 (1)(g)] | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Data and Information Management | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
Provide data or records in a reasonable time frame. CC ID 00429 [Where, pursuant to a request under paragraph (1)(b), the head of a government institution gives notice to the Privacy Commissioner that access to personal information will be given to a complainant, the head of the institution shall give the complainant access to the information forthwith on giving the notice. § 35 (4)] | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{extend} {time limit} {request} {personal information} by giving notice of the extension and the length of the extension to the individual who made the request within thirty days after the request is received, which notice shall contain a statement that the individual has a right to make a complaint to the Privacy Commissioner about the extension. § 15 ¶ 1] | Privacy protection for information and data | Communicate | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 [{personal information} The head of a government institution may extend the time limit set out in section 14 in respect of a request for a maximum of thirty days if consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit, or § 15 (a)(ii) The head of a government institution may extend the time limit set out in section 14 in respect of a request for such period of time as is reasonable, if additional time is necessary for translation purposes or for the purposes of converting the personal information into an alternative format, § 15 (b)] | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 [{personal information} The head of a government institution may extend the time limit set out in section 14 in respect of a request for a maximum of thirty days if meeting the original time limit would unreasonably interfere with the operations of the government institution, or § 15 (a)(i)] | Privacy protection for information and data | Data and Information Management | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
Provide personal data in a form that is intelligible. CC ID 00432 [Where access to personal information is to be given under this Act and the individual to whom access is to be given has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if the personal information already exists under the control of a government institution in an alternative format that is acceptable to the individual; or § 17 (3)(a) Where access to personal information is to be given under this Act and the individual to whom access is to be given has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if the head of the government institution that has control of the personal information considers the giving of access in an alternative format to be necessary to enable the individual to exercise the individual's right of access under this Act and considers it reasonable to cause the personal information to be converted. § 17 (3)(b)] | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [{refrain from collecting} No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution. § 4] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Data and Information Management | |
Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Data and Information Management | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Data and Information Management | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Data and Information Management | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain a personal data definition. CC ID 00028 [For the purposes of this Act, a record retained under subsection (1) shall be deemed to form part of the personal information to which it is attached. § 9 (3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Data and Information Management | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
Collect personal data directly from the data subject. CC ID 00011 [A government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2). § 5 (1)] | Privacy protection for information and data | Data and Information Management | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent cannot be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Data and Information Management | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Data and Information Management | |
Validate the business need for maintaining collected restricted data. CC ID 17090 | Privacy protection for information and data | Data and Information Management | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Establish/Maintain Documentation | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
Include supporting documentation in the privacy rights violation complaint. CC ID 16997 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Data and Information Management | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that a notation be attached to the information reflecting any correction requested but not made; and § 12 (2)(b) Every individual who is given access under paragraph (1)(a) to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to require that any person or body to whom that information has been disclosed for use for an administrative purpose within two years prior to the time a correction is requested or a notation is required under this subsection in respect of that information where the disclosure is to a government institution, the institution make the correction or notation on any copy of the information under its control. § 12 (2)(c)(ii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the organization's liability based on the applicable law. CC ID 00504 [In any proceedings before the Court arising from an application under section 41, 42 or 43, the burden of establishing that the head of a government institution is authorized to refuse to disclose personal information requested under subsection 12(1) or that a file should be included in a personal information bank designated as an exempt bank under section 18 shall be on the government institution concerned. § 47 {be liable} Every person who contravenes this section is guilty of an offence and liable on summary conviction to a fine not exceeding one thousand dollars. § 68 (2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Establish/Maintain Documentation | |
Check the accuracy of restricted data. CC ID 00088 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Privacy protection for information and data | Data and Information Management | |
Check that restricted data is complete. CC ID 00090 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Privacy protection for information and data | Data and Information Management | |
Keep restricted data up-to-date and valid. CC ID 00091 [{be accurate} {be up to date} {be complete} A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible. § 6 (2)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Business Processes | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under this Act to another government institution that is presided over by the same Minister or that is under the responsibility of the same Minister and may receive such services from any other such government institution. § 73.1 (1)] | Third Party and supply chain oversight | Process or Activity | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Establish Roles | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Business Processes | |
Provide products or services per customer requests. CC ID 08893 [A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under this Act to another government institution that is presided over by the same Minister or that is under the responsibility of the same Minister and may receive such services from any other such government institution. § 73.1 (1)] | Third Party and supply chain oversight | Business Processes |