Data protection rules require that personal data used for administrative purposes be retained for at least two years. There may be other retention obligations. For example, if a person files a request for information under either the Access to Information Act or the Data Protection Act, the information can only be disposed of if the person has had the opportunity to exercise all of his or her rights under that law. Section 11 of the Data Protection Act states that the description of the personal databases contained in Info Source contains a statement on the consistent uses for which the information can be used or disclosed. Article 9(4) of the Act requires institutions to notify the Federal Data Protection Commissioner when personal data is used or disclosed in a manner consistent with the purpose or purposes for which the information was obtained or collected, but which is not included in source information. This subsection also requires the institution to ensure that the consistent use of the bank's corresponding description for personal information is added to Info Source. The Data Protection Act does not explicitly apply to the Social Security number and does not create specific rules for collection, use and disclosure in relation to other types of personal data. However, like any other identification number, the social security number is covered by the definition of personal data under the Data Protection Act. According to the collection, Section 7 of the Data Protection Act allows for the use of personal data by a federal government institution: when, at the time of the collection of additional personal data, consent to the additional use or disclosure is obtained, state institutions should generally provide sufficient information about the intended use or disclosure to enable the individual to make an informed decision to accept or refuse.
This information should generally contain a description of the specific information concerned, the use or disclosure for which consent is sought, and a statement that the refusal to consent to such use or disclosure does not affect the person or cause any negative impact on the person as part of the primary administrative purpose of the information collection. In cases where it is not appropriate or reasonably feasible to obtain the individual's consent, the Canadian government institution may conduct a risk assessment or data breach test to balance the individual's expectations, the nature of the personal data involved and the potential consequences of individual disclosure and the public interest in disclosure. The directive also provides for institutions to establish a data protection protocol for the collection, use or disclosure of personal data for non-administrative purposes, including research, statistics, audit and evaluation. Such a protocol could be used in non-administrative information-sharing initiatives between federal institutions or programs of the same institution and other jurisdictions within and outside Canada. Under the Data Protection Directive, officials of state institutions must define the practices of managing and protecting personal data under their control to ensure that the data protection law is managed consistently and fairly.