RÉSUMÉ: Les questions touchant l'information passent rapidement de l'arrière-plan au coeur même des préoccupations du public. Conscients de l'importance de questions, gouvernements et entreprises les ont placées au centre de leurs préoccupations. Le succès dans l'exécution de la mission des ministères repose sur des renseignements exacts et opportuns. Le gouvernement à développer plusieurs politiques dans le domaine de l'information: Fonds de renseignements; Communications; L'image de marque fédérale; Accés à l'information; Renseignements personnels; et Sécurité. Le défi consiste à appliquer ces ressources liées à l'information de façon novatrice en vue d'améliorer la prestation de programmes et de services au public, d'assurer un accès juste et équitable à l'information détenue par le gouvernement et d'accroître la productivité.
Government by its nature is an information-intensive endeavour. Vast amounts of information are required to deliver benefits such as pensions and unemployment insurance, and services related to health, safety and security. Complex information processing systems are needed to support programs such as mapping, taxation, scientific research, and economic statistics.
The information collected and created in such programs and services must be stored and protected, and in most cases, made available should access to it be requested. And along the way, communication must be maintained with the public about the work of the government and information products must be actively disseminated.
In response to these and other needs, the federal government has over the past several years, developed a comprehensive family of information policies:
The "circles chart" is often used by the Information, Communications and Security Division at Treasury Board Secretariat to illustrate the inter-related nature of the policies. For example, the document classification system set out in the Security Policy must be consistent with the legal authority to deny access contained in the Access to Information Act and Access to Information Policy. The Security Policy tells us what protective measures must be applied to protect personal information from disclosures which are not permitted under the Privacy Act and Privacy Policy.
The purpose of this article is to describe briefly each of these policies, leading the way to more detailed articles on specific issues in future issues of this journal.
The Treasury Board policy on Management of Government Information Holdings (MGIH) was issued in 1989. It represented the merging of a number of policy instruments that had been developing within the federal government for many years--some linking back as far as the Glassco Commission in 1963, and the Public Records Order of 1966. These policies included records management, information collection and public opinion research, micrographics, EDP records management and forms management.
The objective of the MGIH policy is to ensure the cost-effective and coordinated management of federal government information holdings. More specifically, departments are required to:
The framework for implementation of the MGIH Policy is the information life-cycle, set out in the policy as:
The planning stage involves assessing how to meet the information needs of the institution for operational, legislative and policy purposes. In keeping with that concept, institutions are to collect or create only information that relates to their mandate.
In the collection phase, the policy requirement to reduce the burden on the public comes into play, as does a requirement to ensure that information has not already been collected within government.
Anyone who has spent time in an organization of any size at all will recognize that in order to make the best use of information, it has to be organized. Consequently, the policy requires that institutions identify and describe their information holdings in a way that is most relevant to their operational needs. In organization, as well as in transmission and use, the linkages of the MGIH Policy to the access and privacy domain are strong. For example, the publication each year of InfoSource 4 by the Treasury Board Secretariat, in accordance with access and privacy legislation, relies on obtaining a description--albeit at a high level--of the information holdings of in excess of one hundred institutions across government.
The storage, protection and retention requirements are designed to ensure that while information is held it is protected. Further, institutions are required to maintain the information in media and locations that permit quick and easy access and retrieval by authorized users.
Finally, in the disposition stage of the life cycle, the requirements of the National Archives Act with respect to records, and the National Library Act with respect to published material, come into play. Key objectives of this stage are to ensure that information is only kept as long as it is needed, or as required by law, and that the corporate memory of the government is maintained.
The MGIH Policy shows signs of being the Cinderella of federal information policies. When it was first issued, it is probably fair to say that many institutions were overwhelmed by the cost and energy that would be required to implement it fully. And in 1989, there were still those who argued that information was unmanageable--you could manage data, or systems, or records, but information was too nebulous a commodity to declare as a corporate management function, and you might as well forget about it.
Well, times have changed. At the most senior levels of the public service, there is growing recognition of the need to manage information holdings as an integral part of delivering services effectively and efficiently. Areas of the policy that could not get attention a few years back are in the spotlight. For example the MGIH Policy is front and center in the government's efforts to reduce the information collection burden on business. The issue of how to ensure that we are treating our email properly has been discussed among deputy ministers.
The importance of managing the government's information holdings is now firmly established. The current challenge for policy makers in this area is to ensure that both policy and implementation continue to be relevant and helpful to those delivering government programs.
The federal government's first-ever Communications Policy, put into effect in 1988, was intended to improve the public policy process by encouraging departments and agencies to adopt practices and procedures that emphasize the importance of communicating with, and listening to, Canadians.
The Policy sets out three objectives:
The Policy was, all in all, a comprehensive management framework for one of the most fundamental functions of democratic society--government communications--and has been hailed as such, and emulated, by others in both the public and private sectors.
Well if it was so good in 1988 why is it today, not a decade later, undergoing review and revision?
The answer is both obvious and not so obvious.
First, a number of things have changed since the policy was approved by ministers almost seven years ago. Organizations and mandates have undergone change, and so too have various corporate requirements and general guidelines governing various aspects of communications.
Second, policy can only be assessed as good, bad or benign through regular "reality checks". Is it axiomatic that what was good policy in 1988 will be similarly effective and robust five or ten years later? Not in today's rapidly changing world.
Third, the environment in Canada has changed dramatically in recent years. Public dissatisfaction with, and distrust of, the political and bureaucratic processes dictate that the policy be reviewed to see how it can best contribute to an informed and involved citizenry. Our country's demographic mix is less and less homogeneous; increasingly communications need to deal with differing cultures, values, languages and interests.
Finally--and as a matter of exploding significance--there have been enormous strides made in technology and these have profound implications for communications.
Where once organizational communications flowed from "a few to the many", technology today allows far more people to communicate quickly and with increasing ease. Canadians can communicate as readily with government departments and agencies today, as those same organizations used to communicate one-way with them!
Technology is also bringing more and more choice to Canadians--they can decide what information they want and from where they intend to get it. The "sender-based" model of communications is gradually giving ground to a "receiver-based" society.
All of this, of course, has profound implications for the management (and managers) of the communications function. How do government departments and agencies ensure that technology aids and abets their communications efforts? How do principles of accessibility, affordability, openness and public participation work in a world in which faxes, Internet, WWW and gophers become the preferred communications vehicles for some Canadians, but not all ? Should the current policy be directive in what it says about technology and if so, what should it say ?
These are the kinds of questions that an advisory committee of experts from the public and private sectors will have to ask, and attempt to answer, as the 1988 policy is modernized.
At issue is not whether changes to the current policy will be made: the real question is whether the current review will result in a minor tune-up, or a major makeover.
Have you ever been reminded of Canada's role in space by seeing a picture of the word "Canada" on the famous robot space arm? Or of the federal role in transportation by glimpsing the unique red boxcars that carry wheat across the prairies? Or of our humanitarian efforts through packaging of food aid? Or in a relatively pedestrian application, have you ever found a government office by means of the signage that led you there?
If you have, then you have seen an important component of the Federal Identity Program (FIP).
A 1969 Task Force on Government Information reported in To Know and Be Known7 that the Canadian government was failing to make its presence known to Canadians, and that important federal programs were being carried out without public awareness of federal sponsorship. To make matters worse, federal government organizations did not project a uniform, clearly identifiable image as parts of the same government, and in many cases, their titles did not clearly distinguish public from private organizations, or federal from provincial.
As a result of the Task Force's findings, the Federal Identity Program was created in 1970, under the responsibility at that time of Information Canada. Today, the federal government has one coherent graphic identity with three corporate symbols--the Coat of Arms, the Canadian Flag, and the Canada Wordmark. As with most corporate identity programs, the Federal Identity Program is based on the use of corporate symbols together with organizational titles. The resulting corporate signatures, such as that of the Treasury Board Secretariat serve to identify Canadian federal institutions and their programs worldwide.
Following the demise of Information Canada in the mid-1970s, the Program became the responsibility of the Treasury Board of Canada. It was about that time that the Treasury Board approved the first policy guidelines for the program, which included use of the two official languages and a management system for development and implementation of the program.
The Federal Identity Program is one of the largest corporate identity programs ever undertaken by a national government. It encompasses some 20,000 facilities, 18,000 government vehicles, and the signature of more than one hundred federal institutions in all regions of Canada and abroad.
The Program's policy objectives are the following:
Staff of the Treasury Board Secretariat provide functional leadership for the program, and are responsible for coordinating its implementation across government. But each institution manages its own corporate identity within the framework of government-wide policy and standards. These standards are based on the use of plain, non-bureaucratic language, functional graphic design, and a systems approach to identifying government, its programs and services.
The standards prescribe such design elements as signature and wordmark, size, color and layout. They apply to stationary, forms, markings for vehicles, signage, advertising, published material in all media, multimedia productions and expositions, personnel identification (such as badges), certificates, awards and commemorative plaques, packaging and labeling, and identification of equipment such as all-terrain vehicles, small watercraft, construction and maintenance equipment, and railway hopper cars.
As with most corporate identity programs, the Federal Identity Program is planning for change. Technology has already had an impact on the program in that the FIP policy and our corporate symbols are now produced in electronic format. The increasing presence of the government in the electronic domain, whether on the World Wide Web, on a kiosk in a mall, or by other means has caused us to do some rapid thinking about the meaning of identity in that domain. On another front, the government's agenda on the environment has had an impact on FIP. The policy's guidelines include the use of recycled paper for most publications, and the use of earth-friendly inks without petroleum residues or alcohol.
Through means such as these, the Program remains a relevant and important element of federal information policy.
As noted earlier, modern governments collect, create, use, analyze, share, retain and dispose of vast quantities of information. In fact, collecting, manipulating, and storing information forms a significant activity of most government departments. Management of information is therefore crucial to the effective operation of the government. The federal government is the nation's largest single repository of information. Therefore its role as an information manager cannot be taken lightly.
In order to understand their government and its activities, Canadians need information about how the government operates and access to the information which is used in the decision-making processes. Providing access to the vast amounts of information held by the government not only facilitates participation in the decision-making process, it increases accountability for the government's decisions and actions.
In July of 1983 the Canadian federal government enacted the Access to Information Act9. As is stated in Section 2 of the Act, it is based on the principle that government information should be available to the public, that exceptions to the right of access should be limited and specific, and that decisions on the disclosure of government information should be reviewed independently of government.
The Act provides a legislative right of access to government information. But it also stipulates that it is intended to complement existing procedures for obtaining government information, not limit or replace them. In practice this means that submitting a formal Access to Information request should be a last resort, the ultimate legal step available to be used when all others have not been successful.
While recognizing that the Access to Information Act would be a powerful tool for obtaining information from heretofore cautious public servants, Parliament also realized that the right of access could not be absolute. Canada has always accepted the concept that in order to function effectively the ministers of the Crown need to be able to exchange ideas and proffer suggestions freely without concern for public disclosure or erosion of the collective responsibility. For this reason information contained in Cabinet confidences is not covered by the Act.
For very different reasons information which is published or which is library or museum material is also not covered by the Act. The supposition here is that such information is already available to the public through other means.
Within the Access to Information Act there is a framework of exemptions to the right of access. This framework is based on the concept that some information must be kept confidential by the government if it is to function effectively.
Some exemptions are mandatory, while others are discretionary. At the same time, exemptions are either based on a description of a class of exemptible information, or are based on a test of injury to a particular public interest. For example, the Act does not allow the disclosure of information received from other governments in confidence, while there is discretion to allow disclosure of information which could be injurious to the conduct of federal-provincial affairs. Other exemptions cover areas ranging from international affairs and national security to law enforcement to individuals' personal information, businesses' third party information, solicitor-client privilege and advice provided to Ministers.
The first level of review of decisions on access taken under the legislation is the Information Commissioner, a Parliamentary ombudsman with broad investigatory powers, but no power to compel departments to perform any action (or refrain from performing any action). The second level of review of disclosure decisions is the Federal Court, who may order an institution to reconsider a decision or order release of information.
In order for people to be able to exercise their rights under the Access to Information Act, they must first have some understanding of the structure of the government and the types of information it possesses. For this reason the Act requires the publication of a description of the organization and responsibilities of government institutions along with descriptions of the records they have under their control. As already mentioned, this requirement, which is carried out each year in InfoSource and other Treasury Board Secretariat publications, relates closely to the requirement for an inventory of information holdings contained in the policy on the Management of Government Information Holdings.
The Act is also closely connected to the portion of the Security Policy which deals with confidentiality of government information. Since the Act provides a framework for protecting information that Parliament views as sensitive, the same framework is used for making determinations of the protection level required for information under the Security Policy.
There are other connections. Since the Act is based on the benefit of an informed population and sets out procedures for responding to requests for government information, it is closely related to the government's Communications Policy. And since the exemption contained in the Act for personal information refers to the definition of personal information contained in the Privacy Act, and the access mechanisms are parallel, there is a close relationship between the two Acts and their supporting policies.
The challenge facing the Access to Information Act and its policy is to support departmental initiatives to improve public access to government information and to ensure that the Act and the policy evolve in a manner that keeps pace with information technology as it is implemented.
In order to perform the business of government, the Canadian federal government collects, retains, analyzes, uses, stores and disposes of vast amounts of information about its citizens. As the responsibilities of government have become more complex, the amount of information about individuals required to support government operations has increased. In some cases information is voluntarily provided, in others the government has the authority to compel individuals to provide information about themselves.
To give Canadians a sense of confidence that the personal information they entrust to the federal government will be treated with respect and will not be misused or improperly disclosed to others, the government enacted the Privacy Act11 in 1983.
The purpose of the Privacy Act is to both protect the privacy of individuals with respect to personal information about themselves held by a federal government institution and to provide individuals with a right of access to that information. The principles of fair information practices contained in the Act coincide with the principles contained in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data12 of the Organization for Economic Co-operation and Development (OECD), to which Canada agreed in 1984.
The basic principle of the Privacy Act is that individuals should be able to exercise control over their personal information. Government institutions may not collect personal information unless the information is directly related to an operating program or activity of the institution. With few exceptions, individuals must be informed of the purpose for which their information is being collected and the information may only be used for the specified purpose unless the consent of the individual is obtained.
Government institutions are required to ensure that the information used in decision-making is accurate, complete and up-to-date and that the personal information they hold is properly protected from inadvertent loss, destruction or corruption or improper disclosure. Institutions must also respond to individuals' requests for correction of their information.
Similar to the requirements of the Access to Information Act, the Privacy Act requires that government institutions publish descriptions of the categories of the personal information they have, and a description of the procedures individuals can follow to obtain access to their information. The Privacy Act also has a framework of exemptions to the right of access, although not as many as in the Access to Information Act.
The Privacy Commissioner is responsible for investigating complaints under the Privacy Act, either in relation to the management of personal information by the federal government or in relation to a denial of individual access. The second level of review of disclosure decisions is the Federal Court, who may order an institution to reconsider a decision or order release of the information.
The Privacy Act parallels most aspects of the Access to Information Act in the access and the exemption provisions and in providing the public with an instrument for gaining information on the government's activities and for holding the government accountable for its actions.
The code of fair information practices contained in the Privacy Act parallel in many ways the principles of information management contained in the Management of Government Information Holdings Policy, requiring planning for collection and scheduling for retention and disposal.
Restrictions in the Privacy Act against improper use or disclosure of personal information and the definition of personal information contained in the Act are closely tied to the portion of the Security Policy which deals with the protection of personal information.
With expanding use of electronic information processing, a current challenge to data protection is the ease with which vast amounts of personal data can be collected, exchanged, compared and stored. A primary objective of the data protection policy is to ensure that possible impacts on privacy are assessed during the planning stage of initiatives to increase efficiency.
The Government Security Policy (GSP) is for some the policy area that seems initially to be an odd choice as one of the government's core information policies. But as we understand more thoroughly the value of the information held by government, the threats against that information, and the risks of those threats being realized, the place of security in any discussion of information policy seems essential. In fact, those who are following the progress of the Information Highway Advisory Council's work will recognize security as one of the key issues that the Council is exploring.
The GSP was first issued by Treasury Board in 1986. The policy was the result of an effort by the government to consolidate in one place the policies and practices that had evolved over time in a number of locations within government. The objective of the policy is to ensure that all classified and designated information or assets of the federal government are safeguarded in an appropriate manner. Without getting into too much detail here, it is important to understand the approach departments are expected to take in achieving this objective. The approach includes:
Classifying and designating information is important. It is a key determinant of the degree and type of protection that the information will receive. The security policy requires that information be classified if its unauthorized disclosure or compromise could reasonably be expected to cause injury to the national interest. Such information includes information on federal-provincial relations, international affairs, defence, the economic interests of Canada, Cabinet confidences, and information involving security and intelligence. As noted earlier, this is consistent with the disclosure exemptions in the Access to Information and Privacy Acts. Depending on the degree of potential injury to the public interest, classified documents are marked as "Confidential", "Secret", or "Top Secret".
The Policy also requires that other information that cannot be disclosed under the access and privacy legislation because of the possible injury to particular public or private interests be designated. This category includes such information as that concerning law enforcement investigations, the safety of individuals, medical records, personal information about federal employees such as performance appraisals. and business information of a third party. Such information is marked "Protected".
The Security Policy considers that the security domain includes confidentiality, availability and integrity. This means that when thinking about protecting information, it is not enough, for example, just to protect unauthorized individuals from seeing the information (confidentiality). It is equally important to ensure that the information remains accurate, complete and authentic (integrity) and can be used when needed (availability).
The systems approach to security means that the Policy does not depend on single element of security for protection. Instead it relies on a combination of security organization and administration, physical security (use of physical barriers, locks, and so on), information technology security (including encryption and disaster recovery), and personnel screening (the screening of employees to assess their reliability and loyalty). The Policy includes standards for each of these elements of security.
The risk management approach to security provides a means for departments to manage their security requirements in a cost-effective way. Rather than a prescriptive one-size-fits-all approach, risk management requires that departments determine the specific security needs for the information and assets under their control by assessing the relevant threats and risks. For example, how could sensitive information be lost or changed? What impact would this have on client confidence in the department's programs? Who would be affected and how? With a comprehensive threat and risk assessment in hand, a manager can then determine, with the advice of the security officer, the nature and scope of protective measures needed.
The Security Policy was most recently revised in November, 1994. The new policy takes into account the end of the Cold War and the change in the threats to Canada's national interest that have occurred, the increasing importance of information technology security, the inclusion of disaster recovery, within the broader topic of business resumption planning, and other factors.
A key challenge for departments now and in the future will be to maintain security as a management priority as pressures on departmental budgets increase.
This concludes what has been a very quick look at the core elements of federal information policy. As those familiar with this field are well aware, the article only scratches the surface. Within each policy area one could explore the key players, implementation issues, and current directions. Moreover, how does all of this fit with the government's information technology policy?
Information policy is growing in importance inside and outside of government. Growing as well is our understanding of the complex linkages--social, economic and administrative, inherent in this policy domain. At the federal level, we will continue to explore the best means of accomplishing the government's overall objectives through information policy that is relevant and useful.
[1] May be cited as/On peut citer comme suit:
Michael Nelson, "Federal Information Policy: An Introduction," Government Information in Canada/Information gouvernementale au Canada, Vol. 1, No. 3.1. (1995)
Michael Nelson Treasury Board of Canada, Secretariat L'Esplanade Laurier, East Tower 140 O'Connor Street Ottawa, Canada K1A 0R5 mnelson@hpb.hwc.ca[3] Treasury Board of Canada, Secretariat. Treasury Board Manual: Information and Administrative Management Component: Information Management: Part 3, Government Information Holdings: Chapter 3-1, Policy on the Management of Government Information Holdings (Catalogue no. BT52-6/6). Ottawa: 1994.
Conseil du Trésor du Canada, Secrétariat. Manuel du Conseil du Trésor: Module Gestion de l'information et gestion administrative: Gestion de l'information: Partie 3, Fonds de renseignements du gouvernement: Chapitre 3-1, Politique de gestion des fonds de renseignements du gouvernement (No. du catalogue BT52-6/6). Ottawa: 1994.
[4] Treasury Board of Canada, Secretariat. InfoSource: Sources of Federal Government Information. Ottawa (annual).
Conseil du Trésor du Canada, Secrétariat. InfoSource: sources de renseignements fédéraux. Ottawa (annuel).
[5] Treasury Board of Canada, Secretariat. Treasury Board Manual: Information and Administrative Management Component: Communications (Catalogue no. BT52-6/4), Chapter 1: Government Communications. Ottawa: 1991.
Conseil du Trésor du Canada, Secrétariat. Manuel du Conseil du Trésor: Module Gestion de l'information et gestion administrative: Communications (No. du catalogue BT52-6/6), Chapitre 1: Communications du gouvernement. Ottawa: 1991.
[6] Treasury Board of Canada, Secretariat. Treasury Board Manual: Information and Administrative Management Component: Communications (Catalogue no. BT52-6/4), Chapter 2: Federal Identity Program. Ottawa: 1991.
Conseil du Trésor du Canada, Secrétariat. Manuel du Conseil du Trésor: Module Gestion de l'information et gestion administrative: Communications (No. du catalogue BT52-6/6), Chapitre 2: Programme de coordination de l'image de marque. Ottawa: 1991.
[7] Canada. Task Force on Government Information. To Know and Be Known: The Report of the Task Force on Government Information. 2 v. Ottawa: Queen's Printer, 1969.
[8] Treasury Board of Canada, Secretariat. Treasury Board Manual: Information and Administrative Management Component: Access to Information (Catalogue no. BT52-6-10-1993). Ottawa: 1993.
Conseil du Trésor du Canada, Secrétariat. Manuel du Conseil du Trésor: Module Gestion de l'information et gestion administrative: Accès à l'information (No. du catalogue BT52-6-10-1993). Ottawa: 1993.
[9] Access to Information Act, Revised Statutes of Canada, 1985, c. A-1.
Loi sur l'accès à l'information, Lois révisées du Canada, 1985, c. A-1.
[10] Treasury Board of Canada, Secretariat. Treasury Board Manual: Information and Administrative Management Component: Privacy and Data Protection (Catalogue no. BT52-6-11-1993). Ottawa: 1993.
Conseil du Trésor du Canada, Secrétariat. Manuel du Conseil du Trésor: Module Gestion de l'information et gestion administrative: Protection des renseignements personnels (No. du catalogue BT52-6-11-1993). Ottawa: 1993.
[11] Privacy Act, Revised Statutes of Canada, 1985, c. P-21.
Loi sur la protection des renseignements personnels, Lois révisées du Canada, 1985, c. P-21.
[12] Organization for Economic Co-operation and Development. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Paris: OECD, 1981.
[13] Treasury Board of Canada, Secretariat. Treasury Board Manual: Information and Administrative Management Component: Security (Catalogue no. BT52-6/3-1994-1). Ottawa: 1994.
Conseil du Trésor du Canada, Secrétariat. Manuel du Conseil du Trésor: Module Gestion de l'information et gestion administrative: Sécurité (No. du catalogue BT52-6/3-1994-1). Ottawa: 1994.
