NAME OF POLICY | Board Policy No. 6 – Privacy
APPLICABLE SECTIONS OF THE ACT, BY-LAWS AND REGULATIONS and/or PURPOSE | Privacy Act; Privacy Act Regulations; CPATA Act, Regulations and by-laws
APPROVED BY | EFFECTIVE | REVIEWED | REVISED
Board | October 30, 2021 | |
In this policy:
- “administrative purpose” means the use of information about an individual in a decision-making process that directly affects that individual. This includes all uses of personal information for confirming identity (authentication and verification purposes) and for determining eligibility of individuals for government programs.
- “agent” means an individual registered with the College as a Patent Agent or Trademark Agent.
- “Board” means the Board of Directors of the College of Patent Agents and Trademark Agents (“the College”). The Board consists of nine directors, five appointed under s. 13 of the CPATA Act and four elected.
- “CIPO” means the Canadian Intellectual Property Office.
- “the College” means the College of Patent Agents and Trademark Agents.
- “CPATA Act” means the College of Patent Agents and Trademark Agents Act.
- “non-administrative purpose” means the use of personal information for a purpose that is not related to any decision-making process that directly affects the individual. This includes the use of personal information for research, statistical, audit and evaluation purposes.
- “OPC” means the Office of the Privacy Commissioner of Canada.
- “patent agent” means an individual who holds either a patent agent licence or a patent agent in training licence.
- “personal information” means information about an identifiable individual that is recorded in any form. As defined in section 3 of the Privacy Act: “information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
  - information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual;
  - information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
  - any identifying number, symbol or other particular assigned to the individual;
  - the address, fingerprints or blood type of the individual;
  - the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations;
  - correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence;
  - the views or opinions of another individual about the individual;
  - the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual; and
  - the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual.”
- “personal information bank” means a description of personal information that is organized and retrievable by a person’s name or by an identifying number, symbol or other particular assigned to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution. Institution-specific personal information banks are specific to the College; standard personal information banks are those containing personal information for a common internal service (e.g., accounts payable, receivable, access to information requests).
- “PIA” means Privacy Impact Assessment, which is a due diligence exercise that: (i) identifies and addresses potential risks to the privacy of individuals’ personal information that may arise during the implementation of a system, project, program or activity of the College or a change thereto; and (ii) helps to support the College’s compliance with this policy, the Privacy Act and the CPATA Act.
- “privacy breach” means the unauthorized collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of the Privacy Act. A breach may be the result of inadvertent errors or of malicious actions by employees, agents, contractors, third parties, partners in information-sharing agreements, or intruders.
- “privacy notice” means a notification, electronic or otherwise, to individuals about: the purpose for which personal information is collected (i.e., principally how the information is intended to be used); the authority for such collection; and the contact information for an individual within the College who can answer questions about the collection. A privacy notice should provide a reference to the College’s Privacy Statement where more information about the College’s information practices may be found.
- “Privacy Officer” means the individual designated by the Chief Executive Officer (CEO) or head of the College under section 73(1) of the Privacy Act.
- “Privacy Statement” means a publicly available statement that explains the personal information the College collects, uses, discloses, stores, and protects in compliance with applicable legislation, and how individuals may exercise their privacy rights with respect to their personal information held by the College.
- “service provider” means an organization, business or individual that provides services to the College (e.g., IT, consulting, advisory services) and is not an employee of the College.
- “TBS” means the Treasury Board of Canada Secretariat. TBS provides advice and makes recommendations to the Treasury Board committee of ministers on how the government spends money on programs and services, how it is regulated and how it is managed.
- “trademark agent” means an individual who holds either a trademark agent licence or a trademark agent in training licence.
1. POLICY OBJECTIVES
- The College complies with the Privacy Act and applicable TBS policies and directives governing personal information in its custody or control; and
- All individuals working with, for or on behalf of the College are accountable for respecting the privacy rights of individuals, in accordance with the Federal Privacy Act and TBS policies whenever they are collecting, using, disclosing, storing or disposing of personal information in carrying out their duties.
2. SCOPE
This policy applies to these individuals when acting for or on behalf of the College with
respect to personal information in the custody or under the control of the College:
- The College Board;
- Individuals employed by the College on a permanent, temporary, part-time, or contract basis;
- Members of the Investigations Committee, Discipline Committee, and Registration Committee; and
- All service providers of the College to the extent that they collect, access, use, process or store personal information on behalf of the College as part of their duties.
3. POLICY STATEMENT
Personal information in the College’s custody or under its control is only created, collected,
retained, used, disclosed and disposed of in a manner that respects and complies with the
Privacy Act and its Regulations and aligns with TBS privacy policies and directives. The
College upholds the privacy rights of individuals whose personal information is controlled by
the College, in accordance with these requirements.
4. PROCEDURES
4.1 Accountability for Personal Information
- The College is accountable for personal information in its custody and under its control. The College has developed, implemented and maintains a Privacy Management Program to facilitate meeting its privacy obligations, adhering to privacy principles, and managing privacy risks over time.
- The College’s accountability extends to personal information that is collected, used (e.g., handled or processed), accessed, disclosed, stored or disposed of on its behalf by service providers. The College uses contractual or other means to hold service providers accountable for complying with the College’s obligations.
- The CEO of the College has designated a Privacy Officer under section 73(1) of the Privacy Act with the powers, duties, and functions to make sure the College complies with privacy legislation, through the College’s Privacy Management Program.
- Individuals subject to this policy must:
  - formally acknowledge (in writing) upon hire or contract signing that they have reviewed, understand and agree to comply with the College’s privacy policies, and annually confirm this agreement;
  - complete the required privacy training within the first month of their employment or contract, and any additional privacy training required thereafter; and
  - adhere to this Privacy Policy and supporting privacy procedures when collecting, using, disclosing, storing, handling and retaining personal information.
- The Privacy Officer will facilitate privacy training for individuals and periodically review and update the privacy training based on significant changes to privacy legislation, best practices, or risks impacting the College.
4.2 Privacy Impact Assessments
- In accordance with the TBS Directive on Privacy Impact Assessments, the College will complete a PIA (using the template in Annex C of the TBS Directive on Privacy Impact Assessments) for a program or activity in the following circumstances:
  - when personal information is used for or is intended to be used as part of a decision-making process that directly affects the individual; and
  - upon substantial modifications to existing programs or activities where personal information is used or intended to be used for an administrative purpose.
- The requirement for a PIA will be incorporated as a component of the College’s project management, IT planning, and new business process development.
- The College will notify the Privacy Commissioner of any planned initiatives (legislation, regulations, by-laws, policies, or programs) that could relate to the Privacy Act or to any of its provisions, or that may impact on the privacy of Canadians. This notification is to take place at a stage to permit the Commissioner to review and discuss the issues involved.
  - The Privacy Officer will work with the Office of the Privacy Commissioner to implement any recommendations or conduct any subsequent consultations throughout the development of the PIA.
- Completed PIAs must:
  - be reviewed to determine compliance with applicable privacy legislation and this policy;
  - be approved by the CEO;
  - be provided to the TBS and the OPC; and
  - be summarized and made available on the College website in accordance with the TBS Directive on Privacy Impact Assessments.
4.3 Consent
- The College obtains written or verbal consent¹ from an individual under the following circumstances:
  - Before the indirect collection of personal information, unless seeking consent would result in collecting inaccurate information, would defeat the purpose of collection or would prejudice the use of the information collected;
    - For example, the College will generally collect personal information about an Agent from a complainant for the purpose of investigating the Agent without consent, as obtaining consent would prejudice the use of the information.
  - Before using or disclosing personal information for a purpose or purposes that are not consistent with the purposes for which the information was originally obtained or compiled;
  - Before disposing of personal information unless such disposition is expressly authorized by legislation, or the two-year minimum retention period established by the Privacy Act Regulations has passed; and
  - If it intends to disclose a complaint received by the College or any privileged or confidential information obtained in the course of an investigation or proceeding. In this case, written consent will be sought from all persons whose rights or interests may reasonably be affected.
4.4 Collection of Personal Information
- Personal information may only be collected or created (e.g., issuing a licence number, or placing limitations on a licence is creating personal information) if:
  - the personal information is directly related to a regulatory activity of the College; and
  - the collection of the personal information is necessary for the College to meet its statutory purposes and its regulatory objectives.
- In determining whether the personal information is directly related to a regulatory activity, the College’s powers and duties under the CPATA Act, Regulations, by-laws and policies requiring or authorizing the collection of personal information should be consulted. The College’s policies provide direction and guidance on the necessity of personal information to accomplish the College’s objectives. Before collecting or creating new personal information, the College will:
  - Identify the personal information to be collected;
  - Identify the purpose(s) for collecting each type of personal information;
  - Post a privacy notice (see section 4.5);
  - Identify each element of personal information to be included in a Personal Information Bank (PIB); and
  - Collect only as much personal information as is needed to accomplish the identified purpose(s).
- The College collects or creates personal information intended to be used for an administrative purpose directly from the individual to whom it relates except:
  - When the individual authorizes the College to collect the personal information from another source;
  - When the personal information is collected for a purpose for which the personal information may be disclosed to the College under subsection 8(2);
  - When collecting the personal information directly from the individual might result in the collection of inaccurate information; or
  - When collecting the personal information directly from the individual might defeat the purpose or prejudice the use for which the personal information is being collected. For example, the College will generally indirectly collect personal information about an Agent from a complainant for the purpose of investigating the Agent rather than directly from the Agent as direct collection would likely defeat the purpose or prejudice the use of the personal information.
4.5 Privacy Notice
- At a location where it is likely to come to a reader’s attention, the College provides an up-to-date privacy notice before personal information is collected from individuals.
- The notice is adapted for either written or verbal communication, as required.
- The content of the notice includes:
  - The purpose and authority for the collection;
  - Any uses or disclosures that are consistent with the original purpose of collection;
  - Any legal or administrative consequences for refusing to provide the information;
  - The individual’s rights to access and correct personal information under the Privacy Act;
  - Reference to the applicable PIB, as described in InfoSource; and
  - The right to file a complaint to the Privacy Commissioner of Canada regarding the College’s handling of the individual’s personal information.
4.6 Use of Personal Information
- Personal information may only be used:
  - For the purpose for which the information was obtained or compiled by the College or for a use consistent with that purpose; or
  - For a purpose for which the information may be disclosed to the College under subsection 8(2) of the Privacy Act. This includes any purpose in accordance with any Act of Parliament or a regulation made thereunder that authorizes its disclosure.
- Individuals subject to this policy must:
  - Only use the minimum amount of personal information required for the immediate, valid purpose identified; and
  - Access personal information only on a need-to-know basis. Individuals are only permitted to access and use personal information when it is necessary to carry out their role within the College.
4.7 Disclosure of Personal Information
- Personal information will not be disclosed unless consent of the individual is obtained, or if the disclosure is otherwise permitted or required under the Privacy Act or under the CPATA Act.
- For further clarity, and notwithstanding anything else to the contrary contained herein, personal information may be disclosed for the following purposes:
  - Maintaining the Registers of Patent Agents and Trademark Agents;
  - Complying with a subpoena, warrant or court order;
  - If there is a risk of harm and the disclosure is in accordance with section 65(2)(e) of the CPATA Act;
  - For the purpose of adhering to the Privacy Act where, in the opinion of the CEO:
    - the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or
    - disclosure would clearly benefit the individual to whom the information relates; and
  - With the written consent of the individual to whom the information relates (such as disclosure to an intersectional regulator (e.g., provincial law society)).
- Everyone subject to this policy must:
  - Only disclose the minimum amount of personal information required to meet the valid purpose identified; and
  - Consult with the Privacy Officer before disclosing any personal information outside of what is required for their role.
4.8 Retention and Disposition of Personal Information
- Personal information is retained for the period needed to fulfill the identified and authorized purposes, or to comply with a legal requirement, in compliance with the College’s Records Retention Schedule and the Library and Archives Canada Act;
- Personal information used for an administrative purpose is retained for a minimum of two years unless the individual authorizes the disposal; and
- Personal information no longer required to be retained according to the College’s Records Retention Schedule will be securely destroyed, erased or de-identified such that contents are unreadable.
4.9 Accuracy
- The College takes reasonable steps to confirm that the personal information is accurate, complete, and up to date as is necessary for the purposes for which it is to be used, and to minimize the possibility that inaccurate or incomplete information may be used to make a decision that directly affects an individual.
- The College has documented procedures allowing individuals to request a correction of their personal information where the individual believes there has been an error or omission, in accordance with the College’s Access to and Correction of Personal Information Procedure.
4.10 Safeguarding Personal Information
- The College is accountable to protect personal information in its custody and under its control against such risks as unauthorized access, collection, use, disclosure, or disposal using reasonable security arrangements. The security arrangements include a combination of technical, administrative, and physical safeguards. The reasonableness of the security arrangements takes into consideration factors such as the sensitivity, amount, distribution, format and the method of storage of the information to be protected.
- When disclosing personal information, the College will implement reasonable safeguards before the information is shared.
- The College requires access to personal information to be role-based and limited to the minimum amount of information needed for the authorized purpose(s).
- The College monitors access to and use of personal information to provide timely identification of inappropriate or unauthorized access to or handling of personal information through such means as auditing.
- The College requires service providers to adhere to the College’s legal obligations related to handling and safeguarding of personal information and service providers are required to comply with this privacy policy.
- College contracts with service providers that access, use or otherwise handle or store personal information on the College’s behalf include provisions to address:
  - obligations of the service provider acting on behalf of the College under applicable legislation and policies;
  - control over the personal information;
  - limitations on collection, use, disclosure, and retention of personal information;
  - secure disposition of the personal information;
  - administrative, technical and physical safeguards; and
  - providing the College with the right to review, assess, audit, or verify compliance with the service provider’s contractual obligations (as described above).
4.11 Privacy Breach
- The College has published a Privacy Breach Management Protocol to be followed for all known or suspected privacy breaches to provide for an effective and timely response to privacy breaches, in accordance with legal requirements.
- Individuals subject to this policy must immediately report any actual or suspected breach of privacy to the Privacy Officer.
- If the Privacy Officer becomes aware of a Privacy Breach, the Privacy Officer must notify the CEO.
4.12 Openness
- The College’s practices for managing personal information are available to
individuals, including members of the public and agents, through the College’s
Privacy Statements on its website. The Privacy Statements will be
reviewed periodically and updated as needed based on changes in how the
College collects, uses, discloses, or protects personal information.
4.13 Individual Access
- Individuals may request access to their personal information and may examine or will receive a copy of their personal information maintained by the College, subject to exceptions in the Privacy Act, by making a request to the College Privacy Officer in writing.
- The College has published an Access to and Correction of Personal Information Procedure in compliance with the Privacy Act and TBS policies.
- Requests for access to personal information will be processed in accordance with the College’s Procedure.
- Any requests for access to personal information must be immediately referred to the Privacy Officer.
4.14 Privacy Inquiries
- The College has published a Privacy Inquiries Procedure in compliance with the Privacy Act and TBS policies.
- All privacy inquiries (including privacy complaints) must be investigated by the College in accordance with its Privacy Inquiries Procedure.
- Upon receipt of a privacy inquiry, anyone subject to this policy must immediately refer the inquiry to the College’s Privacy Officer.
4.15 Personal Information Bank (PIB)
- The College has registered one PIB with the TBS related to Agent personal information.
- The College stores personal information in several standard PIBs including:
  - Access to Information Act and Privacy Act Requests PSU 901
  - Employee Personnel Record PSE 901
  - Security Incidents and Privacy Breaches PSU 939
- The College will notify TBS of changes to PIBs and, where these changes are substantial, will provide TBS a privacy impact assessment as required by the Directive on Privacy Impact Assessments.
- The Privacy Commissioner of Canada will be notified if the College plans to use personal information for a new, consistent use not already identified in the relevant PIB.
5. POLICY GUIDELINES
To support the administration of this policy, the College may develop additional written procedures to provide guidance in specific areas, in alignment with the direction of this policy and the Privacy Management Program.
If written procedures or guidelines differ from this policy, this policy prevails.
6. ROLES AND RESPONSIBILITIES
a) Employees
All employees are required to:
- Sign the College Confidentiality Agreement, upon hire or upon contract signing and prior to accessing personal information, confirming that they have reviewed, understand and agree to comply with this Privacy Policy and any supporting privacy policies and procedures when collecting, using, accessing, storing, handling, retaining, or disposing of personal information;
- Respect the privacy rights of individuals and protect personal information, as required under this policy; and
- Complete the College’s privacy training within the first month of employment with the College, and any additional training as may be required thereafter, as outlined in the College’s Privacy Management Program and/or as directed by the CEO.
b) Chief Executive Officer (CEO)
In addition to the duties outlined above, the CEO is accountable to:
- Delegate appropriate authority under the Privacy Act to the College’s Privacy Officer;
- Review and approve the College Privacy Policy and its Privacy Statement(s) and any significant changes, and recommend approval to the Board;
- Implement and oversee compliance with this policy and the Privacy Management Program within the College and report to the College’s Board;
- Recommend approval of the Privacy Policy and Privacy Statements to the Board;
- Make available the College’s information practices to the public; and
- Approve agreements and contracts related to service providers’ handling of personal information.
c) Board of Directors
The Board is responsible to:
- Approve the College Privacy Policy and Privacy Statements;
- Know and understand their obligations under this policy;
- Complete privacy training;
- Acknowledge the Board Code of Conduct, including the obligations to maintain confidentiality of all information (including personal information) received or reviewed during their time on the Board; and
- Receive and review periodic reports on the status of the Privacy Management Program and significant privacy risks as part of their role in overseeing organizational governance and risk.
d) Privacy Officer
In addition to the responsibilities of an employee, the Privacy Officer is responsible to:
- Provide advice and guidance to employees with respect to the management of personal information within the College;
- Monitor, assess and report to the CEO and through the CEO to the Board on the College’s progress in implementing the Privacy Management Program;
- Maintain and update the Privacy Management Program (including the organization’s policies, procedures, training and other privacy controls) as needed based on:
  - Changes in the College’s legal or regulatory framework;
  - The outcome of PIAs, audits, or other privacy or security risk assessments;
  - Recommendations arising from privacy breach or complaints investigations; and
  - Emerging privacy risks and best practices.
- Identify the need for new or updated PIBs;
- Lead the process to complete or update PIAs as necessary, where required under this policy;
- Identify and assess privacy risks associated with projects, programs and services;
- Lead the College’s response to privacy breaches, complaints and access/correction requests, ensuring compliance with the Privacy Act;
- Prepare annual reports for TBS and OPC under the Privacy Act and TBS policies; and
- Monitor the College’s response to privacy risks to mitigate them in an effective and timely manner.
7. COMPLIANCE AND MONITORING
- The College Privacy Officer, with support from the CEO, monitors compliance with this policy.
- In the College’s Annual Report to the Minister under the CPATA Act, a report on compliance with this policy will be included.
- Non-compliance with this policy may be subject to disciplinary action, including termination of employment or contract.
REFERENCES AND RELATED DOCUMENTS
- Federal Privacy Act and Regulations
- College of Patent Agents and Trademark Agents Act, Regulations and By-laws
- TBS Directive on Privacy Practices
- TBS Policy on Privacy Protection
- Patent Act
- Trademark Act
- Library and Archives of Canada Act
- Standard on Privacy and Web Analytics
CONTACTS FOR ADDITIONAL INFORMATION
1 The nature and extent of verbal consent is recorded and a memo noting the consent is filed.
2 Information required to support the College’s regulatory activities must meet the TBS policy requirements of being ‘demonstrably necessary’.