
Agreement: privacy_policy_2016

Privacy and Personal Information Protection Policy

Tag / Version privacy_policy_2016

Privacy and data protection policy

Version 1.0, August 10th, 2015
Adopted

  1. Objectives
  2. Definitions
  3. Scope
  4. Inventory
  5. Policy statement
  6. Implementation and revision

1 - Objectives

In the course of its operation, Compute Canada stores, transmits and uses personal and confidential data. This policy aims to inform all relevant parties of the Compute Canada commitment to protect the information collected and of the policies that apply to such information.

This policy is established in accordance with the law and in consideration of policies and protective measures in force in the partner academic institutions and any other Compute Canada stakeholders.

2 - Definitions

  • Information System: any system that can store, transmit or process information and which is governed or regulated by Compute Canada.
  • Information: any information or data transmitted, stored or processed by an Information System.
  • Personal Information: any Information that identifies an individual or a set of Information that identifies an individual. The name of a physical person is not personal information, except where it appears with other Information concerning the individual or when its mere mention would reveal personal information about that person.
  • Sensitive Information: any Information whose disclosure may cause harm to Compute Canada, a Compute Canada stakeholder, a User or to any Partner, individual or entity concerned by this Information.
  • Public Information: any Information that is neither Personal Information nor Sensitive Information.
  • User: any individual with access to Information or to an Information System.
  • Owner: a User that stores, creates or is responsible for some Information. The Owner is also the data curator.
  • CC Team Member: any individual employed by, bound to or working on behalf of Compute Canada.
  • Partner: funding agency or member institution operating services or an Information System on behalf of Compute Canada.

3 - Scope

All Information is covered by this policy. The Information as well as Personal Information and Sensitive Information present at Compute Canada can be divided into three categories:

  • Information collected by Compute Canada;
  • Information collected by a third party organization and shared with Compute Canada;
  • Information stored, transmitted or processed by a User on an Information System.

Personal Information collected by Compute Canada is that which is necessary for the pursuit of its duties or the fulfillment of a mandate under its responsibility. Providing it is mandatory, with the exception of certain information for which collection is optional and identified as such.

Compute Canada or a CC Team Member may have to ask a User to disclose Personal Information about another individual. Compute Canada then assumes the User has obtained the consent of that individual. It is the User's responsibility to seek any required consent.

4 - Inventory

4.1 Personal Information collected by Compute Canada

Any Personal Information collected by Compute Canada must be inventoried. The inventory must contain:

  • the nature, origin and justification for the need of that information;
  • the lifecycle and expiration for the data, including the schedule and mechanism for disposal;
  • a list of individuals or groups of individuals having access to the information;
  • the Information System(s) on which data will reside;
  • the identity of the data curator.

Personal Information collected by a third party organization and to which Compute Canada has access will be considered the same as Personal Information collected by Compute Canada for the purpose of this policy. Additional policies or measures requested by the third party organization could also be in force.

4.2 Personal Information owned or curated by a User

Any Personal Information processed or stored by a User must be declared. This declaration must include the following elements:

  • the identity of the data Owner;
  • a list of Users having access to the data;
  • the data lifecycle and expiration, including the schedule and mechanism for disposal;
  • the Information System used and a description of the security and privacy measures or requirements that apply.

5 - Policy statement

5.1 Policies for Information and Personal Information Collected by Compute Canada

Policies in force for Information and Personal Information collected by Compute Canada are:

  1. Only Personal Information essential to the operation of Compute Canada, required as part of our mandate or under our obligations to our partners is collected. It is mandatory for the User to provide it to Compute Canada, with the exception of certain Information for which disclosure is optional and identified as such.
  2. Some Personal Information or Sensitive Information will be shared with partner organizations. The information shared will be identified as such at collection time and consent will be requested at collection time or prior to sharing.
  3. When collecting Personal Information, Compute Canada will obtain consent from the individual and keep proof of that authorization. This consent will include a provision for the use or the sharing of the information with Compute Canada partners where applicable.
  4. Compute Canada commits to use Personal Information for the sole purpose agreed to by the individual at the time of collection. Any other use of this information requires prior consent of the individual.
  5. Compute Canada undertakes to destroy any Personal Information that has reached its end of life.
  6. Compute Canada undertakes not to disclose any Sensitive Information or Personal Information without the consent of the individual concerned, except, where necessary, when required by law or subject to the conditions given and authorized by the data classification guideline.
  7. Any Personal Information or Sensitive Information collected by Compute Canada will be kept in a secure environment. Any transmission of such information will also be secured with the appropriate procedures.
  8. Access to Personal Information and Sensitive Information is restricted to CC Team Members who have a legitimate need for the information.
  9. Compute Canada controls access to Sensitive Information and Personal Information, regularly verifies the integrity of the data, and regularly monitors for unauthorized access to this data.
  10. In the event of unauthorized disclosure of Personal Information, the individuals concerned will be notified.
  11. Upon request, Compute Canada will provide a list of Personal Information in its custody and related to the individual making the request, unless there is a legal justification for not doing so. The list will be provided after the verification of the requester's identity.

5.2 Policies for Information and Personal Information in Users' custody

Policies in force for Information and Personal Information that a User stores, uses or transmits on an Information System are:

  1. Any User that stores or processes Personal Information on an Information System must declare the presence of such data. This declaration must include the elements listed in section 4.2.
  2. Not every Information System is appropriate to store, process or transmit Personal Information. Users must use an appropriate Information System for Personal Information. CC Team Members can provide guidance with the selection of the appropriate Information System and on the security methods and procedures that apply.
  3. All Personal Information that is stored or processed on an Information System must be declared to Compute Canada. Any undeclared Personal Information will be considered by Compute Canada as any other Information in User custody.
  4. All Personal Information declared must include a lifecycle. Upon data end of life, Compute Canada or any authorized CC Team Member will contact the Owner to confirm or where necessary to arrange destruction of the expired Personal Information. Upon failure to answer within a reasonable period, Compute Canada reserves the right to permanently delete the data in accordance with the lifecycle declaration made by the Owner.
  5. Any request to access Personal Information will be transmitted to the Owner. No access will be granted by Compute Canada, except where required by law, where the Owner demonstrates the legality of such access or where the requester is the individual concerned by the information and no legal justification prevents disclosure.
  6. Any unauthorized access to Personal Information will be reported to the Owner.
  7. The Owner must respond in a timely fashion to requests for access.
  8. Compute Canada and CC Team Members will not access data in User custody except with the consent of the User, where required by law or subject to the conditions given and authorized by the data classification guideline. Compute Canada reserves the right to access such data to investigate or to preserve Information and Information System integrity. These accesses will be monitored, temporary, minimized and limited to the scope and timeframe of the investigation.
  9. The User is solely responsible and answerable for compliance with laws and regulations concerning the information in their custody. The User's home institution rules and procedures for data protection and privacy might apply and it is the User's responsibility to undertake any action required to comply.
  10. Compute Canada will provide the Users with rules, procedures and mechanisms for a reasonable level of security for Information in their custody on an Information System.

6 - Implementation and revision

This Policy is adopted and enters into force on the date of its adoption. It will be reviewed by the Compute Canada Security Council once a year or at any time deemed necessary.