Rescinded - Data Matching

Date modified: 2011-05-02

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.


This policy is replaced by:


Preliminary Assessment

Preliminary assessment of the feasibility of a matching program is done by:

  1. assessing the advantages of the proposed matching program against alternative control, management or enforcement approaches;
  2. verifying that the matching program relates "directly to an operating program or activity of the institution" (Privacy Act, section 4);
  3. examining the possibility of collecting the information "directly from the individual to whom it relates", or whether collection through data matching is permissible by virtue of one or more of the following conditions: the individual has authorized indirect collection, the institution could obtain the information from another source without the consent of the individual under subsection 8(2), or direct collection might "result in the collection of inaccurate information" or "defeat the purpose or prejudice the use for which information is collected" (Privacy Act, section 5);
  4. determining whether it is necessary to notify individuals of the new use of their personal information, the justification for not notifying the individuals, or the best procedures for notification;
  5. describing the means for ensuring that the information used in the matching program, as well as the information generated, is as "accurate, up-to-date and complete as possible" (Privacy Act, subsection 6[2]);
  6. determining whether the consent of individuals to the use and/or disclosure of their personal information is required, the justification if consent is not required, and the procedures for obtaining any required consent;
  7. setting the start and completion dates for the matching program and, where applicable, the schedule of any required periodic or continuing matching programs;
  8. describing the results of any pilot projects designed to test the proposed matching programs. Whenever possible, matching institutions should test the programs to evaluate their effectiveness; and
  9. determining the costs and the benefits of the proposed data matching program.

At this stage, the institution should also determine the procedures available to:

  1. establish a retention and disposal schedule for information used and generated by the matching program, including the keys (i.e. program protocols used to establish the link between sets of personal information);
  2. attach the record of any use and/or disclosure to the personal information where such use or disclosure is not described in Info Source;
  3. notify the Privacy Commissioner if the matching program involves a use or disclosure considered to be a "consistent use" which is not described in Info Source;
  4. review the consistent uses listed in Info Source to ascertain whether the personal information is described; and, if it is not, draft a statement for inclusion in Info Source; and
  5. establish a personal information bank for the personal information generated as a result of the matching program.

Cost-Benefit Analysis

The policy requires that an institution determine the costs of a matching program relative to its benefits. This analysis should not be in terms of the total cost, but should be in terms of the level of institutional resources, e.g. staff, equipment and materials, needed to perform a matching program and the amount of effort required to develop and implement it. The importance of the cost-benefit factor to the decision to proceed with a matching program will vary with the context.

It is suggested that the following projected or actual resource expenditures be examined:

A. Direct Costs

  1. developing the matching program concept
  2. conducting pre-approval inter-/intra-institutional negotiations
  3. obtaining legal analysis of compliance with the Privacy Act and other relevant legislation
  4. preparing a comprehensive cost and benefit assessment
  5. preparing the preliminary report
  6. seeking institutional approvals
  7. conducting post-approval inter-/intra-institutional negotiations
  8. completing agreements between the matching institution and the matching source
  9. notifying the Privacy Commissioner of the proposal
  10. notifying data subjects
  11. implementing the program
    1. developing standardized formats
    2. establishing data control mechanisms
    3. providing adequate data security, retention and disposal standards
    4. providing or obtaining the records and conducting the match
  12. verifying hits, i.e. the identification, through a matching program, of individuals
  13. notifying the subjects of the hits
  14. establishing data banks for the hits and raw hits files
  15. conducting any enforcement activities, either legal or administrative
  16. preparing the post-match evaluation report

B. Data Processing Costs

  • computer time
  • acquisition, design and maintenance of hardware and software

C. Telecommunications Costs

D. Travel Costs

E. Training Costs

F. Consultant and Contractor Costs

It is also suggested that the cost-benefit analysis quantify and document the following savings, as appropriate:

  • funds recouped through voluntary repayments or formal collection action
  • savings due to termination of ineligible benefits
  • savings due to the denial of benefits that would otherwise have been approved
  • savings due to the deterrent effect of the program
  • savings relative to other methods of data collection or compilation

It may be appropriate in some instances to provide evidence of a substantive impact on society or the economy if the program is not implemented.

Notification of the Privacy Commissioner

To allow for an external review of data matching programs before they are implemented, the policy requires that government institutions give the Privacy Commissioner advance notification of their intention to initiate a matching program. This is done by providing the Commissioner's office with the preliminary feasibility assessment at least 60 days before the matching is scheduled to begin. This ensures that the Office of the Privacy Commissioner is informed of new consistent uses and new data matches. The Privacy Commissioner may make recommendations to the head of the institution if, in his or her opinion, such uses or activities are not in accordance with the provisions of the Privacy Act.

Approval

The policy requires that the final approval for a data matching program must be given by the head of the institution undertaking the program or by an official specifically delegated under the Privacy Act for this purpose.

When an institution is frequently involved in matching activities, the head may establish an internal body, consisting of senior officials, to review proposed matching programs for compliance with this policy and to make recommendations to the head concerning matching programs for which the institution is either the matching institution or the matching source.

Public notification of a matching program

The Privacy Act requires that government institutions account publicly for the use and disclosure of personal information. The policy requires that matching institutions and/or matching sources must provide public notification of matching programs or their involvement in matching programs by describing them in Info Source. The Personal Information Bank Registration Form is provided for this purpose. When matching programs are approved, institutions should immediately amend their entries or create new entries in Info Source to reflect these activities.

Special conditions relating to the disclosure of information for matching programs

Disclosure of personal information requested for matching purposes can only be made under the conditions set out in sections 7 and 8 of the Privacy Act.

It is recommended that the institution disclosing the information:

  • request and review the preliminary assessment and any other available documentation on the proposed match to aid in making an informed judgement as to whether the proposed match meets its program obligations and the requirements of the Privacy Act;
  • determine whether additional information or actions will be required for verification purposes and that such disclosure or actions are acceptable;
  • ensure that when a disclosure is made for matching purposes, it is sanctioned by a written agreement signed by senior officials representing both the matching source and the matching institution. The agreement should include any further conditions which should apply;
  • in accordance with paragraph 9(4)(a) of the Privacy Act, when disclosure is permitted, institutions must immediately notify the Privacy Commissioner of the use for which the information was disclosed. They must also amend any entries in Info Source to reflect the use of personal information in a matching program, in accordance with paragraph 9(4)(b) of the Privacy Act; and
  • ensure that any contract involving a matching program stipulates that the contracted activities will be conducted in accordance with the provisions of the Privacy Act and this policy.

Administrative purpose

This policy requires that an institution subject information generated by a matching program to a verification process involving original or additional authoritative sources. This verification process is to be carried out before the information is used in a decision-making process that directly affects an individual. Furthermore, an individual should be given an opportunity to refute the information produced by a matching program before any administrative action concerning the individual is initiated.

Operating requirements

Security

The requirements of the Security Policy of the Government of Canada apply to matching programs. Personal information and computer systems should be safeguarded from accidental and deliberate threats to confidentiality and integrity as it relates to authenticity, accuracy, currency and completeness. Security safeguards implemented by the matching institution should be at least equivalent to those of the matching source.

Retention and disposal

A matching institution is required by the Privacy Act to establish retention and disposal standards for personal information used and generated by a matching program. This requirement also includes keys used in matching programs. These standards are established through information retention and disposal schedules or agreements established by the National Archives.

Definitions

Data matching (couplage de données) is an activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains. To this extent, data matching is a specialized activity involving the collection, use and disclosure of personal information which is subject to the various requirements of the Privacy Act.

Matching institution (institution de couplage) is a government institution that is planning to conduct or is conducting a matching program.

Matching program (programme de couplage) is a specific procedure that is developed and used to compare a set or sets of records containing personal information held by a matching institution with another set or sets of records held by a matching source. It incorporates all stages of the matching process, through acquisition to the disposal of data. This matching activity may or may not generate a new body of personal information. Data matching generally involves the use of computer rather than manual means, owing to the volume of data and the frequency of transactions. Included in the definition of data matching is data linkage, also known as data profiling. This form of data matching involves the use of a computer and personal data obtained from a variety of sources, including personal information banks, to merge and compare files on identifiable individuals or categories of individuals for administrative purposes. This linkage or profiling activity generates a new body of personal information.

Matching source (source de couplage) is an organization that discloses personal information to an institution for the purposes of a matching program. A matching source may be within the matching institution, another government institution or any other organization.


Author/Information:
 

Information and Privacy Policy
Chief Information Officer Branch
Treasury Board of Canada Secretariat
219 Laurier Avenue West, 14th Floor
Ottawa, Ontario, Canada
K1A 0R5
Email: ippd-dpirp@tbs-sct.gc.ca
Telephone: (613) 946-4945

Last Revision: December 1, 1993
