Board Policy 6 – Privacy

NAME OF POLICY: Board Policy No. 6 – Privacy

APPLICABLE SECTIONS OF THE ACT, BY-LAWS AND REGULATIONS and/or PURPOSE:

  • Privacy Act
  • Privacy Act Regulations
  • CPATA Act, Regulations and by-laws

APPROVED BY: Board

EFFECTIVE: October 30, 2021

REVIEWED:

REVISED:

In this policy:

  1. “administrative purpose” means the use of information about an individual in a
    decision-making process that directly affects that individual. This includes all uses of
    personal information for confirming identity (authentication and verification
    purposes) and for determining eligibility of individuals for government programs.
  2. “agent” means an individual registered with the College as a Patent Agent or
    Trademark Agent.
  3. “Board” means the Board of Directors of the College of Patent Agents and
    Trademark Agents (“the College”). The Board consists of nine directors, five
    appointed under s. 13 of the CPATA Act and four elected.
  4. “CIPO” means the Canadian Intellectual Property Office.
  5. “the College” means the College of Patent Agents and Trademark Agents.
  6. “CPATA Act” means the College of Patent Agents and Trademark Agents Act.
  7. “non-administrative purpose” means the use of personal information for a purpose
    that is not related to any decision-making process that directly affects the individual.
    This includes the use of personal information for research, statistical, audit and
    evaluation purposes.
  8. “OPC” means the Office of the Privacy Commissioner of Canada.
  9. “patent agent” means an individual who holds either a patent agent licence or a
    patent agent in training licence.
  10. “personal information” means information about an identifiable individual that is
    recorded in any form. As defined in section 3 of the Privacy Act: “information about
    an identifiable individual that is recorded in any form including, without restricting
    the generality of the foregoing,
    • information relating to the race, national or ethnic origin, colour, religion, age
      or marital status of the individual;
    • information relating to the education or the medical, criminal or employment
      history of the individual or information relating to financial transactions in
      which the individual has been involved;
    • any identifying number, symbol or other particular assigned to the individual;
    • the address, fingerprints or blood type of the individual;
    • the personal opinions or views of the individual except where they are about
      another individual or about a proposal for a grant, an award or a prize to be
      made to another individual by a government institution or a part of a
      government institution specified in the regulations;
    • correspondence sent to a government institution by the individual that is
      implicitly or explicitly of a private or confidential nature, and replies to such
      correspondence that would reveal the contents of the original
      correspondence;
    • the views or opinions of another individual about the individual;
    • the views or opinions of another individual about a proposal for a grant, an
      award or a prize to be made to the individual by an institution or a part of an
      institution referred to in paragraph (e), but excluding the name of the other
      individual where it appears with the views or opinions of the other individual;
      and
    • the name of the individual where it appears with other personal information
      relating to the individual or where the disclosure of the name itself would
      reveal information about the individual.”
  11. “personal information bank” means a description of personal information that is
    organized and retrievable by a person’s name or by an identifying number, symbol
    or other particular assigned to that person. The personal information described in the
    personal information bank has been used, is being used, or is available for an
    administrative purpose and is under the control of a government institution.
    Institution-specific personal information banks are specific to the College; standard
    personal information banks are those containing personal information for a common
    internal service (e.g., accounts payable, receivable, access to information requests).
  12. “PIA” means Privacy Impact Assessment, which is a due diligence exercise that: (i)
    identifies and addresses potential risks to the privacy of individuals’ personal
    information that may arise during the implementation of a system, project, program
    or activity of the College or a change thereto; and (ii) helps to support the
    College’s compliance with this policy, the Privacy Act and the CPATA Act.
  13. “privacy breach” means the unauthorized collection, use or disclosure of personal
    information. Such activity is “unauthorized” if it occurs in contravention of the Privacy
    Act. A breach may be the result of inadvertent errors or of malicious actions by
    employees, agents, contractors, third parties, partners in information-sharing
    agreements, or intruders.
  14. “privacy notice” means a notification, electronic or otherwise, to individuals
    about: the purpose for which personal information is collected (i.e., principally how
    the information is intended to be used); the authority for such collection; and the
    contact information for an individual within the College who can answer questions
    about the collection. A privacy notice should provide a reference to the College’s
    Privacy Statement where more information about the
    College’s information practices may be found.
  15. “Privacy Officer” means the individual designated by the Chief Executive Officer
    (CEO) or head of the College under section 73(1) of the Privacy Act.
  16. “Privacy Statement” means a publicly available statement that explains the personal
    information the College collects, uses, discloses, stores, and protects in compliance
    with applicable legislation, and how individuals may exercise their privacy rights with
    respect to their personal information held by the College.
  17. “service provider” means an organization, business or individual that provides
    services to the College (e.g., IT, consulting, advisory services) and is not an employee
    of the College.
  18. “TBS” means the Treasury Board of Canada Secretariat. TBS provides advice and
    makes recommendations to the Treasury Board committee of ministers on how the
    government spends money on programs and services, how it is regulated and how it
    is managed.
  19. “trademark agent” means an individual who holds either a trademark agent licence
    or a trademark agent in training licence.

1. POLICY OBJECTIVES

  • The College complies with the Privacy Act and applicable TBS policies and directives
    governing personal information in its custody or control; and
  • All individuals working with, for or on behalf of the College are accountable for
    respecting the privacy rights of individuals, in accordance with the Federal Privacy
    Act and TBS policies whenever they are collecting, using, disclosing, storing or
    disposing of personal information in carrying out their duties.

2. SCOPE

This policy applies to these individuals when acting for or on behalf of the College with
respect to personal information in the custody or under the control of the College:

  • The College Board;
  • Individuals employed by the College on a permanent, temporary, part-time, or
    contract basis;
  • Members of the Investigations Committee, Discipline Committee, and Registration
    Committee; and
  • All service providers of the College to the extent that they collect, access, use,
    process or store personal information on behalf of the College as part of their duties.

3. POLICY STATEMENT

Personal information in the College’s custody or under its control is only created, collected,
retained, used, disclosed and disposed of in a manner that respects and complies with the
Privacy Act and its Regulations and aligns with TBS privacy policies and directives. The
College upholds the privacy rights of individuals whose personal information is controlled by
the College, in accordance with these requirements.

4. PROCEDURES

4.1 Accountability for Personal Information

  • The College is accountable for personal information in its custody and under its
    control. The College has developed, implemented and maintains a Privacy
    Management Program to facilitate meeting its privacy obligations, adhering to
    privacy principles, and managing privacy risks over time.
  • The College’s accountability extends to personal information that is collected, used
    (e.g., handled or processed), accessed, disclosed, stored or disposed of on its behalf
    by service providers. The College uses contractual or other means to hold service
    providers accountable for complying with the College’s obligations.
  • The CEO of the College has designated a Privacy Officer under s. 73(1) of
    the Privacy Act with the powers, duties, and functions to make sure the College
    complies with privacy legislation, through the College’s Privacy Management
    Program.
  • Individuals subject to this policy must:
    • formally acknowledge (in writing) upon hire or contract signing they have
      reviewed, understand and agree to comply with the College’s privacy
      policies, and annually confirm this agreement;
    • complete the required privacy training within the first month of their
      employment or contract, and any additional privacy training required
      thereafter; and
    • adhere to this Privacy Policy and supporting privacy procedures
      when collecting, using, disclosing, storing, handling and retaining personal
      information.
  • The Privacy Officer will facilitate privacy training for individuals and periodically
    review and update the privacy training based on significant changes to privacy
    legislation, best practices, or risks impacting the College.

4.2 Privacy Impact Assessments

  • In accordance with the TBS Directive on Privacy Impact Assessments, the
    College will complete a PIA (using the template in Annex C of the TBS Directive
    on Privacy Impact Assessments) for a program or activity in the following
    circumstances:
    • when personal information is used for or is intended to be used as part of a
      decision-making process that directly affects the individual; and
    • upon substantial modifications to existing programs or activities where
      personal information is used or intended to be used for an administrative
      purpose.
  • The requirement for a PIA will be incorporated as a component of the College’s
    project management, IT planning, and new business process development.
  • The College will notify the Privacy Commissioner of any planned initiatives
    (legislation, regulations, by-laws, policies, or programs) that could relate to the
    Privacy Act or to any of its provisions, or that may impact on the privacy of
    Canadians. This notification is to take place at a stage to permit the
    Commissioner to review and discuss the issues involved.
    • The Privacy Officer will work with the Office of the Privacy Commissioner
      to implement any recommendations or conduct any subsequent
      consultations throughout the development of the PIA.
  • Completed PIAs must:
    • be reviewed to determine compliance with applicable privacy
      legislation and this policy;
    • be approved by the CEO;
    • be provided to the TBS and the OPC; and
    • be summarized and made available on the College website in
      accordance with the TBS Directive on Privacy Impact Assessments.

4.3 Consent

  • The College obtains written or verbal consent¹ from an individual under the following circumstances:
    • Before the indirect collection of personal information, unless seeking consent would result in collecting inaccurate information, would defeat the purpose of collection or would prejudice the use of the information collected;
      • for example, the College will generally collect personal information about an Agent from a complainant for the purpose of investigating the Agent without consent, as obtaining consent would prejudice the use of the information.
    • Before using or disclosing personal information for a purpose or purposes that are not consistent with the purposes for which the information was originally obtained or compiled;
    • Before disposing of personal information unless such disposition is expressly authorized by legislation, or the two-year minimum retention period established by the Privacy Act Regulations has passed; and
    • If it intends to disclose a complaint received by the College or any privileged or confidential information obtained in the course of an investigation or proceeding. In this case, written consent will be sought from all persons whose rights or interests may reasonably be affected.

Obtaining an individual’s consent to a collection of personal information does not replace or establish authority for the collection of that information under the Privacy Act; rather, the College will seek to collect only personal information that is directly related to and demonstrably necessary for the College’s regulatory activities² (see section 4.4 for more information on collection).

4.4 Collection of Personal Information

  • Personal information may only be collected or created (e.g., issuing a licence
    number, or placing limitations on a licence is creating personal information) if:
    • the personal information is directly related to a regulatory activity of the
      College; and
    • the collection of the personal information is necessary for the College to meet
      its statutory purposes and its regulatory objectives.
  • In determining whether the personal information is directly related to a regulatory
    activity, the College’s powers, and duties under the CPATA Act, Regulations, by-laws
    and policies requiring or authorizing the collection of personal information should be
    consulted. The College’s policies provide direction and guidance on the necessity of
    personal information to accomplish the College’s objectives. Before collecting or
    creating new personal information, the College will:
    • Identify the personal information to be collected;
    • Identify the purpose(s) for collecting each type of personal information;
    • Post a privacy notice (see section 4.5);
    • Identify each element of personal information to be included in a Personal
      Information Bank (PIB); and
    • Collect only as much personal information as is needed to accomplish the
      identified purpose(s).
  • The College collects or creates personal information intended to be used for an
    administrative purpose directly from the individual to whom it relates except:
    • When the individual authorizes the College to collect the personal
      information from another source;
    • When the personal information is collected for a purpose for which the
      personal information may be disclosed to the College under subsection 8(2)
      of the Privacy Act;
    • When collecting the personal information directly from the individual might
      result in the collection of inaccurate information; or
    • When collecting the personal information directly from the individual might
      defeat the purpose or prejudice the use for which the personal information is
      being collected. For example, the College will generally indirectly collect
      personal information about an Agent from a complainant for the purpose of
      investigating the Agent rather than directly from the Agent as direct
      collection would likely defeat the purpose or prejudice the use of the
      personal information.

4.5 Privacy Notice

  • At a location where it is likely to come to a reader’s attention, the College provides
    an up-to-date privacy notice before personal information is collected from
    individuals.
  • The notice is adapted for either written or verbal communication, as required.
  • The content of the notice includes:
    • The purpose and authority for the collection;
    • Any uses or disclosures that are consistent with the original purpose of
      collection;
    • Any legal or administrative consequences for refusing to provide the
      information;
    • The individual’s rights to access and correct personal information under the
      Privacy Act;
    • Reference to the applicable PIB, as described in InfoSource; and
    • The right to file a complaint to the Privacy Commissioner of Canada
      regarding the College’s handling of the individual’s personal information.

4.6 Use of Personal Information

  • Personal information may only be used:
    • For the purpose for which the information was obtained or compiled by the
      College or for a use consistent with that purpose; or
    • For a purpose for which the information may be disclosed to the College
      under subsection 8(2) of the Privacy Act. This includes any purpose in
      accordance with any Act of Parliament or a regulation made thereunder
      that authorizes its disclosure.
  • Individuals subject to this policy must:
    • Only use the minimum amount of personal information required for the
      immediate, valid purpose identified; and
    • Access personal information only on a need-to-know basis. Individuals are only
      permitted to access and use personal information when it is necessary to carry
      out their role within the College.

4.7 Disclosure of Personal Information

  • Personal information will not be disclosed unless consent of the individual is obtained,
    or if the disclosure is otherwise permitted or required under the Privacy Act or under
    the CPATA Act.
  • For further clarity, and notwithstanding anything else to the contrary contained
    herein, personal information may be disclosed for the following purposes:
    • Maintaining the Registers of Patent Agents and Trademark Agents;
    • Complying with a subpoena, warrant or court order;
    • If there is a risk of harm and the disclosure is in accordance with section
      65(2)(e) of the CPATA Act;
    • For the purpose of adhering to the Privacy Act where, in the opinion of the
      CEO:
      • the public interest in disclosure clearly outweighs any invasion of
        privacy that could result from the disclosure, or
      • disclosure would clearly benefit the individual to whom the information
        relates; and
    • With the written consent of the individual to whom the information relates
      (such as disclosure to an intersectional regulator, e.g., a provincial law society).
  • Everyone subject to this policy must:
    • Only disclose the minimum amount of personal information required to meet
      the valid purpose identified; and
    • Consult with the Privacy Officer before disclosing any personal information
      outside of what is required for their role.

4.8 Retention and Disposition of Personal Information

  • Personal information is retained for the period needed to fulfill the identified and
    authorized purposes, or to comply with a legal requirement, in compliance with the
    College’s Records Retention Schedule and the Library and Archives Canada Act;
  • Personal information used for an administrative purpose is retained for a minimum of
    two years unless the individual authorizes the disposal; and
  • Personal information no longer required to be retained according to the College’s
    Records Retention Schedule will be securely destroyed, erased or de-identified such
    that contents are unreadable.

4.9 Accuracy

  • The College takes reasonable steps to confirm that the personal information is
    accurate, complete, and up to date as is necessary for the purposes for which it is to
    be used, and to minimize the possibility that inaccurate or incomplete information
    may be used to make a decision that directly affects an individual.
  • The College has documented procedures allowing individuals to request a
    correction of their personal information where the individual believes there has been
    an error or omission, in accordance with the College’s Access to and Correction of
    Personal Information Procedure.

4.10 Safeguarding Personal Information

  • The College is accountable to protect personal information in its custody and under
    its control against such risks as unauthorized access, collection, use, disclosure, or
    disposal using reasonable security arrangements. The security arrangements include
    a combination of technical, administrative, and physical safeguards. The
    reasonableness of the security arrangements takes into consideration factors such as
    the sensitivity, amount, distribution, format and the method of storage of the
    information to be protected.
  • When disclosing personal information, the College will implement reasonable
    safeguards before the information is shared.
  • The College requires access to personal information to be role-based and limited to
    the minimum amount of information needed for the authorized purpose(s).
  • The College monitors access to and use of personal information to provide timely
    identification of inappropriate or unauthorized access to or handling of personal
    information through such means as auditing.
  • The College requires service providers to adhere to the College’s legal obligations
    related to handling and safeguarding of personal information and service providers
    are required to comply with this privacy policy.
  • College contracts with service providers that access, use or otherwise handle or
    store personal information on the College’s behalf include provisions to address:
    • obligations of the service provider acting on behalf of the College under
      applicable legislation and policies;
    • control over the personal information;
    • limitations on collection, use, disclosure, and retention of personal
      information;
    • secure disposition of the personal information;
    • administrative, technical and physical safeguards; and
    • providing the College with the right to review, assess, audit, or verify
      compliance with the service provider’s contractual obligations (as described
      above).

4.11 Privacy Breach

  • The College has published a Privacy Breach Management Protocol to be
    followed for all known or suspected privacy breaches to provide for an effective and
    timely response to privacy breaches, in accordance with legal requirements.
  • Individuals subject to this policy must immediately report any actual or suspected
    breach of privacy to the Privacy Officer.
  • If the Privacy Officer becomes aware of a Privacy Breach, the Privacy Officer must
    notify the CEO.

4.12 Openness

  • The College’s practices for managing personal information are available to
    individuals, including members of the public and agents, through the College’s
    Privacy Statements on its website. The Privacy Statements will be
    reviewed periodically and updated as needed based on changes in how the
    College collects, uses, discloses, or protects personal information.

4.13 Individual Access

  • Individuals may request access to their personal information and may examine or will
    receive a copy of their personal information maintained by the College, subject to
    exceptions in the Privacy Act, by making a request to the College Privacy Officer in
    writing.
  • The College has published an Access to and Correction of Personal Information
    Procedure in compliance with the Privacy Act and TBS policies.
  • Requests for access to personal information will be processed in accordance with the
    College’s Procedure.
  • Any requests for access to personal information must be immediately referred to the
    Privacy Officer.

4.14 Privacy Inquiries

  • The College has published a Privacy Inquiries Procedure in compliance with the
    Privacy Act and TBS policies.
  • All privacy inquiries (including privacy complaints) must be investigated by the
    College in accordance with its Privacy Inquiries Procedure.
  • Upon receipt of a privacy inquiry, anyone subject to this policy must immediately
    refer the inquiry to the College’s Privacy Officer.

4.15 Personal Information Bank (PIB)

  • The College has registered one PIB with the TBS related to Agent personal information.
  • The College stores personal information in several standard PIBs including:
    • Access to Information Act and Privacy Act Requests PSU 901
    • Employee Personnel Record PSE 901
    • Security Incidents and Privacy Breaches PSU 939
  • The College will notify TBS of changes to PIBs and, where these changes are
    substantial, will provide TBS a privacy impact assessment as required by the
    Directive on Privacy Impact Assessments.
  • The Privacy Commissioner of Canada will be notified if the College plans to use
    personal information for a new, consistent use not already identified in the relevant
    PIB.

5. POLICY GUIDELINES

To support the administration of this policy, the College may develop additional written procedures to provide guidance in specific areas, in alignment with the direction of this policy and the Privacy Management Program.

If written procedures or guidelines differ from this policy, this policy prevails.

6. ROLES AND RESPONSIBILITIES

a) Employees

All employees are required to:

  • Sign the College Confidentiality Agreement, upon hire or upon contract signing and
    prior to accessing personal information, acknowledging that they have reviewed,
    understand and agree to comply with this Privacy Policy and any supporting privacy
    policies and procedures when collecting, using, accessing, storing, handling,
    retaining, or disposing of personal information;
  • Respect the privacy rights of individuals and protect personal information, as
    required under this policy; and
  • Complete the College’s privacy training within the first month of employment with
    the College, and any additional training as may be required thereafter, as outlined
    in the College’s Privacy Management Program and/or as directed by the CEO.

b) Chief Executive Officer (CEO)

In addition to the duties outlined above, the CEO is accountable to:

  • Delegate appropriate authority under the Privacy Act to the College’s Privacy
    Officer;
  • Review and approve the College Privacy Policy and its Privacy Statement(s) and
    any significant changes, and recommend approval to the Board;
  • Implement and oversee compliance with this policy and the Privacy Management
    Program within the College and report to the College’s Board;
  • Recommend approval of the Privacy Policy and Privacy Statements to the Board;
  • Make available the College’s information practices to the public; and
  • Approve agreements and contracts related to service providers’ handling of
    personal information.

c) Board of Directors

The Board is responsible to:

  • Approve the College Privacy Policy, and Privacy Statements;
  • Know and understand their obligations under this policy;
  • Complete privacy training;
  • Acknowledge the Board Code of Conduct, including the obligations to maintain
    confidentiality of all information (including personal information) received or
    reviewed during their time on the Board; and
  • Receive and review periodic reports on the status of the Privacy Management
    Program and significant privacy risks as part of their role in overseeing organizational
    governance and risk.

d) Privacy Officer

In addition to the responsibilities of an employee, the Privacy Officer is responsible to:

  • Provide advice and guidance to employees with respect to the management of
    personal information within the College;
  • Monitor, assess and report to the CEO and through the CEO to the Board on the
    College’s progress in implementing the Privacy Management Program;
  • Maintain and update the Privacy Management Program (including the
    organization’s policies, procedures, training and other privacy controls) as needed
    based on:
    • Changes in the College’s legal or regulatory framework;
    • The outcome of PIAs, audits, or other privacy or security risk assessments;
    • Recommendations arising from privacy breach or complaints investigations;
      and
    • Emerging privacy risks and best practices.
  • Identify the need for new or updated PIBs;
  • Lead the process to complete or update PIAs as necessary, where required under
    this policy;
  • Identify and assess privacy risks associated with projects, programs and services;
  • Lead the College’s response to privacy breaches, complaints and access/correction
    requests, ensuring compliance with the Privacy Act;
  • Prepare annual reports for TBS and OPC under the Privacy Act and TBS policies; and
  • Monitor the College’s response to privacy risks to mitigate them in an effective and
    timely manner.

7. COMPLIANCE AND MONITORING

  • The College Privacy Officer, with support from the CEO, monitors
    compliance with this policy.
  • In the College’s Annual Report to the Minister under the CPATA Act, a report on
    compliance with this policy will be included.
  • Non-compliance with this policy may be subject to disciplinary action, including
    termination of employment or contract.

REFERENCES AND RELATED DOCUMENTS

  • Federal Privacy Act and Regulations
  • College of Patent Agents and Trademark Agents Act, Regulations and By-laws
  • TBS Directive on Privacy Practices
  • TBS Policy on Privacy Protection
  • Patent Act
  • Trademark Act
  • Library and Archives of Canada Act
  • Standard on Privacy and Web Analytics

CONTACTS FOR ADDITIONAL INFORMATION

Name: Andres Diaz

Phone: (514)562-7017

Email: priv@cpata-cabamc.ca

¹ The nature and extent of verbal consent is recorded and a memo noting the consent is filed.

² Information required to support the College’s regulatory activities must meet the TBS policy requirements of being
‘demonstrably necessary’.