Statistics Canada's Privacy Framework (SCPF) is founded on the requirements of the Statistics Act and the Privacy Act. From these general legal requirements, a number of operational policies, directives and protocols are derived. These are predicated on specific organizational privacy issues, such as the role of consent, and pertain to particular aspects of Statistics Canada's operations.
Statistics Canada has as its mandate "to collect, compile, analyse, abstract and publish statistical information relating to commercial, industrial, financial, social, economic and general activities and condition of the people."Footnote 1 As a result of this unique mandate, Statistics Canada acquires large amounts of data that require additional vigilance in safeguarding the privacy and security of a person's or an organisation's confidential information. Statistics Canada has implemented policies and practices that enable Statistics Canada to keep Canadian's information confidential (unless conditions are met to disclose the information) and uphold the reputation of Statistics Canada.
In order to uphold Statistics Canada's obligation to maintain respondent confidentiality under subsection 17(1) of the Statistics Act and Statistics Canada's reputation for maintaining that confidentiality, the organisational framework for privacy is critical to ensure that every aspect of the organisation is protected under its umbrella. Statistics Canada's organisational responsibilities for privacy and security lie with the Departmental Privacy Officer (DPO) who is also the Privacy Coordinator at Statistics Canada and the Departmental Security Officer (DSO). The DPO is responsible for providing leadership on matters related to privacy to the various divisions within Statistics Canada to ensure that privacy is considered for all business decisions. The DSO is responsible for the development and administration of the security program at Statistics Canada and is the chair of the Security Coordination Committee at Statistics Canada.
Under the privacy and security umbrella, several operational areas have policies and protocols specific for their programs' needs. For example, Information Technology (IT) has implemented a Network Use Policy, an IT Security Policy, a Password Directive, and a practice regarding the use of USB keys to ensure continued privacy and security in the IT sphere in an increasingly digital world.
At the core of the requirements to maintain confidentiality within the Statistic Act, is the Oath of secrecy which all employees are required to take upon employment. The Oath of secrecy requires all employees to respect the confidentiality of all information received from respondents.Footnote 2 In addition to the Oath of secrecy, the organisation has implemented a policy that limits access to personal information to only those employees who have a need to know.
To ensure that all employees are aware of the comprehensive nature of the privacy and security practices and protocols, Statistics Canada engages in education and training programs for all employees. All new employees are required to participate in mandatory training on confidentiality and privacy. As well, Statistics Canada is an active participant in the Government of Canada's Security of Awareness Week.
None of the privacy and security initiatives at Statistics Canada are the responsibility of a single person or division. There is overlap among all privacy and security policies, directives and practices. The various operational areas consider privacy and security elements from different angles which forms an umbrella of privacy and security which is both comprehensive and sensitive to specific risks. In this way, privacy and security are not just top-down mandates at Statistics Canada: they are organization wide, operating unit specific and employee invested imperatives.