Symbol of the Government of Canada

Important Notices

Official Languages

The National Do Not Call List (DNCL) respects the Official Languages Act and the relevant Treasury Board Secretariat policies and is committed to ensuring all information and services on this site are available in both English and French. However, visitors should be aware that some information from external sources that are not subject to the Official Languages Act is only provided as a convenience and is available only in the language in which it was provided.

Hyperlinking Notice

Visitors to this site should also be aware that information offered by non-Government of Canada sites to which the National DNCL links is not subject to the Privacy Act or the Official Languages Act and may not be accessible to persons with disabilities. The information offered may be available only in the language(s) used by the sites in question, and visitors should research the privacy policies of the sites before providing personal information.

Copyright/Permission to Reproduce

Materials on this Web site were produced and/or compiled by the National DNCL Operator for the purpose of providing Canadians with direct access to information about the National DNCL.

The material on this site is covered by the provisions of the Copyright Act, by Canadian laws, policies, regulations and international agreements. Such provisions serve to identify the information source and, in specific instances, to prohibit reproduction of materials without written permission.

Reproduction of Government Symbols

The official symbols of the Government of Canada, including the "Canada" wordmark, the Arms of Canada, and the flag symbol may not be reproduced, whether for commercial or non-commercial purposes, without written authorization. Request for authorization from the Treasury Board Secretariat may be addressed to:

information@fip-pcim.gc.ca
Federal Identity Program
Treasury Board of Canada Secretariat
300 Laurier Avenue West
Ottawa, Canada K1A 0R5

Third Party Information Notice

Some of the information and services found on this Web site have been provided by external sources. The Government of Canada and the National DNCL Operator are not responsible for the accuracy, reliability or currency of the information or services provided by external sources. Users wishing to rely upon this information or services should consult directly with the appropriate source.

Official Web Sites

This Web site (www.lnnte-dncl.gc.ca) is the official Web site of the National DNCL. It provides the official procedures and information necessary for Consumers, Telemarketers and Clients of telemarketers to participate and comply with the Unsolicited Telecommunications Rules framework and the National DNCL.

Impostor Web sites may attempt to mislead members of the public into thinking that they are official sites of National DNCL. These Web sites may attempt to charge you for services that are otherwise free to Consumers on the National DNCL Web site. They may also attempt to charge Consumers for services that you may never receive or request that you pay their fees in cash by mail or by making deposits to personal bank accounts. These methods are contrary to the official procedures for the National DNCL. Sending any personal or biographical information to impostor or non-official Web sites could also result in identity theft or fraud.

 

Privacy & Confidentiality Statement

Purpose

The National Do Not Call List (DNCL) Operator is committed to respecting the privacy and confidentiality of the information provided by persons and organizations when using the National DNCL.

The National DNCL Operator is responsible for carrying out specific functions in relation to the National DNCL and the Unsolicited Telecommunications Rules. These functions include: (i) registering residential, wireless, fax or VoIP telephone number(s) to reduce the number of telemarketing calls or faxes to such numbers; (ii) de-registering residential, wireless, fax or VoIP telephone number(s) when consumers no longer wish to benefit from the National DNCL; (iii) collecting information about complaints relating to telemarketing calls; and (iv) managing registrations, subscriptions and access to the contents of the National DNCL by telemarketers and their clients.

This Privacy and Confidentiality Statement applies to the National DNCL Operator, including its employees, agents and subcontractors; the Canadian Radio-television and Telecommunications Commission (CRTC); and/or its Complaints Investigator Delegate. This Privacy and Confidentiality Statement is meant to inform persons and organizations about the purposes for collecting personal and confidential information as well as the way such information is subsequently used and disclosed.

Canadian Consumers

Personal information will be collected, used and disclosed by the National DNCL Operator in order to register, verify and de-register residential, wireless, fax or VoIP telephone number(s) on the National DNCL. The numbers registered by consumers on the National DNCL will be disclosed to telemarketers and clients of telemarketers and other subscribers to the National DNCL to prevent telemarketing calls to those numbers. The numbers may also be disclosed, on a confidential basis, by telemarketers and clients of telemarketers and other subscribers to the National DNCL to another person involved in supplying the subscriber with services to enable compliance with the National DNCL Rules.

In addition, personal information will be collected, used and disclosed by the National DNCL Operator, the CRTC and/or its Complaints Investigator Delegate in order to investigate complaints regarding violations of the Unsolicited Telecommunications Rules, to administer and enforce these rules, and for audit and quality assurance purposes. Personal information may also be disclosed to Canadian and/or foreign law enforcement agencies for the purpose of administering or enforcing any law or carrying out a lawful investigation.

 

What information do we collect, use and disclose?

The following list contains the types of information that is collected from an individual:

  • Information Collected for Number Registration, De-Registration and Verification is retained for 2 years after the registration expires
    • Residential, wireless, fax or VoIP telephone number(s)
  • Information Collected for Complaint Investigation and Statistical Tracking is retained for a maximum of 5 years after the closure of any potential investigation.
    • Nature of the complaint
    • Details of the complaint including: the date of the telemarketing call, the telephone number called, indication that the telephone number called is a residence or business number, indication that the complaint is related to a fax, the telemarketer’s company name and/or telephone number, and, if known, the description of the product or service the call was about, other relevant details about the call volunteered by the complainant, and the telemarketer’s agent’s name.
    • Contact information and language preference so that a complainant may be contacted in the event additional information is required during an investigation. Contact information includes: name, phone number and e-mail address or mailing address. Contact information is retained for a maximum of 5 years after the closure of any potential investigation.
 

Telemarketers, Clients of Telemarketers and other Subscribers

The National DNCL Operator collects, uses, and discloses information related to telemarketers, clients of telemarketers, and other persons and organizations in order to: (i) enable subscription to the National DNCL; (ii) facilitate and manage the registration of telemarketers, or clients of telemarketers, or other persons or organizations with the National DNCL Operator; (iii) give access to the contents of the National DNCL; and (iv) support other activities specifically identified at the time the information is collected. In addition, information of persons and organizations will be collected to allow for the receipt of technical assistance from the National DNCL Operator.

Information will be collected by the National DNCL Operator pursuant to Telecom Decision 2008-6-1 and subsequent decisions and will be used by, and disclosed to, the CRTC and/or its Complaints Investigator Delegate, as the CRTC may determine from time to time in its sole discretion.  Information collected by the National DNCL Operator will be protected in accordance with applicable privacy laws and will be used and disclosed by the National DNCL Operator, the CRTC, and/or its Complaints Investigator Delegate (as the case may be) to administer and enforce the Unsolicited Telecommunications Rules (including the National DNCL Rules), as amended by the CRTC from time to time. Information may also be disclosed to Canadian and/or foreign law enforcement agencies for the purpose of administering or enforcing any law or carrying out a lawful investigation.

What information do we collect, use and disclose?

The following list contains the types of information that may be collected from telemarketers, clients of telemarketers and other persons and organizations. Information is retained for a period of three years from the date of expiry of the last registration period, or last transaction, whichever is later:

  • Information Collected for Registration
    • Business legal name
    • Business Operating Name
    • Parent company name
    • Business address
    • Business Telephone Number
    • Business website (optional)
    • Industry
    • Number of employees
    • Number of telemarketing agents
    • Telemarketer Function (description of organization’s telemarketing activities)
    • Name(s) and telephone number(s) used and displayed while making telemarketing calls
    • Account Manager contact information, including name of responsible person(s) and contact information for account and subscription management
  • Information Collected for Subscription to the National DNCL (if applicable)
    • Type of subscription required: download or query
    • Payment type: credit card or electronic funds transfer
    • Payment transaction information, including credit card numbers and expiry dates or financial institution and bank account information that will be collected by third-party payment transaction processors in order to process payment transactions. Information provided to payment transaction processors may be disclosed to payment processors, financial institutions or other third parties only when such parties require the information to process payment transactions.
 

Security

Please note that the National DNCL Operator monitors access to the National DNCL Web site to ensure efficiency of its operations and identify unauthorized access. In doing so, the National DNCL Operator records the Internet Protocol (IP) address of computers contacting the National DNCL Web site, the date and time contact was made and the pages visited. The National DNCL Operator does not attempt to link these IP addresses with the identity of individuals visiting the National DNCL Web site unless an attempt to damage the National DNCL Web site or unauthorized access has been detected.

The National DNCL Operator does not automatically gather any personal information, such as the name, phone number, e-mail address, or street address of persons visiting the National DNCL Web site. Information is collected only when it is submitted. Information submitted to the National DNCL Web site during online transactions is encoded using 128-bit SSL (secure socket layer) encryption.

The National DNCL Operator will collect non-identifying or statistical information for audit purposes, for use in maximizing effectiveness.

Unless specifically noted otherwise, neither electronic systems nor e-mail are secure information transmission methods, therefore it is not recommended that sensitive personal information be transmitted electronically.

Session Cookies

Per-session cookies are used on some portions of the National DNCL Web site to store information within a session. During a visit to the National DNCL Web site, the visitor’s browser exchanges information with the National DNCL Web server. Per-session cookies facilitate this exchange by reminding the server which computer is making the request. A cookie is a computer (text) file that is sent to a visitor's Web browser, by a Web server, in order to remember certain pieces of information. The cookie is automatically terminated when you navigate to another site. A session cookie will not damage your computer, divulge private information, or compromise your security. For information on enabling cookies please refer to your browser help documentation.

Privacy Rights

The National DNCL Operator adheres to the Privacy Act and the Personal Information Protection and Electronic Documents Act.

Privacy laws also give individuals the right to access and/or correct their personal information under the custody and control of the National DNCL Operator.

Section 10(1) of the Privacy Act requires the inclusion of all personal information under the control of a government institution in a Personal Information Bank (PIB). The CRTC has registered a PIB with Treasury Board Secretariat for the information collected as part of the National DNCL system. This PIB number is 20091520. In the current version of Infosource, the Related Record Number (Class of Records) is CRT TEL 265. In the version of Infosource for 2010, the Related Record Number for National DNCL Personal Information will be CRT PPU 075.

Contact

If you have any questions or would like to discuss any matters relating to privacy or access or use of your information, please contact:

National DNCL Access and Privacy Coordinator:
Toll-free: 1-866-791-6601
TTY device: 1-888-362-5889
E-mail: privacy@req.lnnte-dncl.gc.ca

CRTC Access and Privacy Coordinator:
Telephone: 819-997-4274
TTY device: 819-994-0423
Toll-free: 1-877-249-2782
E-mail: aiprp-atip@crtc.gc.ca
Website: http://www.crtc.gc.ca

Other Contacts:

Office of the Information Commissioner of Canada:

*For more information about your right to access, consult Info Source or
http://www.oic-ci.gc.ca/eng/

Telephone: 613-995-2410
Toll-Free: 1-800-267-0441
Fax: 613-947-7294

Office of the Privacy Commissioner of Canada:

*For more information on privacy issues, the Privacy Act or the Personal Information Protection and Electronic Documents Act, please contact the Office of the Privacy Commissioner of Canada:

http://www.privcom.gc.ca/
Toll-free: 1-800-282-1376
Phone: 613-995-8210
Fax: 613-947-6850
TTY device: 613-992-9190


National DNCL Privacy Impact Assessment Summary

Introduction

In June 2006, Parliament amended the Telecommunications Act to grant the CRTC the powers required to establish a National Do Not Call List (DNCL or NDNCL) and to delegate such powers to a national operator (National DNCL Operator or Operator). The purpose of the National DNCL is to give consumers a choice about whether to receive telemarketing calls. Organizations that make non-exempt telemarketing calls are not allowed to call phone numbers registered on the National DNCL.

Benefits of the National Do Not Call List (DNCL)

The National DNCL provides Canadian consumers a means with which to register their telephone, cellular or fax numbers in order to prevent unsolicited telemarketing calls. Registration on the National DNCL is available via a bilingual website, TTY devices, or by telephone via an interactive voice response (IVR) interface. All numbers will remain registered on the National DNCL for a period of 6 years from date of registration.

For telemarketing firms and/or their clients, the National DNCL provides the ability to register as a telemarketer and to pay for a subscription to National DNCL. This enables telemarketers to download a copy of the National DNCL database to ensure their compliance with the National DNCL legislation.

Report Objective

The objective of the PIA is to assess the risks associated with the operation of the National DNCL by the National DNCL Operator. The report identifies potential risks and highlights mitigation strategies based on legislative obligations and best practices with respect to the protection of privacy.

A detailed Privacy Impact Assessment (PIA) was undertaken by Bell Canada's Privacy Centre of Excellence in the summer and fall of 2008 to address privacy issues and ensure that the National DNCL service complied with privacy requirements, including the Privacy Act and related policies. The PIA set out several recommendations with a view to mitigate privacy risks. Bell Canada (selected through tender by the CRTC as the National DNCL Operator), and the CRTC have agreed with all the recommendations and have already implemented measures to manage the risks, or are in the process of doing so. The CRTC has since informed the Office of the Privacy Commissioner (OPC) of additional privacy measures that have been implemented, including an automated Telemarketer Identity Verification process.

This PIA summary captures the privacy-related impacts of the National DNCL by focusing on the collection, use and disclosure of personal information by the National DNCL Operator.

Description

In carrying out its obligations, the National DNCL Operator fulfills a number of roles and responsibilities in administering the National DNCL, including:

  • Operating and maintaining a system for consumers to register their numbers;
  • Operating and maintaining a registration and subscription system for telemarketers;
  • Operating and maintaining a complaint filing and assessment system;
  • Assessing whether a violation of the National DNCL Rules has occurred and forwarding all complaints to the CRTC for investigation;
  • Maintaining all records related to complaints for 2 years from the date that they are received; and
  • Maintaining all records related to telemarketer registration data for 5 years from the date of expiry of the last registration period or last transaction, whichever is later.

The CRTC operates and maintains a Complaints Investigation Management (CIM) system that manages all complaints received from the Operator and manages the investigation process for the complaints. The CRTC maintains all records related to complaints for 5 years from the date that they were received from the Operator, or for 5 years from the date an investigation was closed. The CRTC also retains telemarketer registration data for 5 years from the date the telemarketer database Extract Report was received from the Operator.

Data Analysis

The different types of personal information collected or used during the various stages of the National DNCL operation are as follows:

Data Analysis
Description of personal information cluster Collected via Type of format (e.g. paper, electronic) Used by or disclosed to Purpose of collection Storage and retention schedule
Consumer number (i.e. home telephone, cellular, VoIP or fax). National DNCL Operator live agent, IVR system, website, or fax. Electronic, paper faxes.

A copy of the National DNCL database is transmitted electronically to telemarketers upon successful registration and payment of a subscription fee.
National DNCL Operator.

All telemarketers or clients of telemarketers who have registered and subscribed to the National DNCL.

CRTC, as an individual number identified within a complaint, transmitted electronically from the National DNCL Operator.
Operator: To operate the National DNCL to mitigate unsolicited telemarketing calls.

CRTC: CRTC Investigators use the DNCL "verify number" feature to determine whether a number has been registered (the full DNCL is not disclosed to the CRTC).
Operator:
Montreal, QC.
As outlined in the record retention policy:
* Two years from registration expiration date (registration expires after 6 years + 31 days)
* Two years from date of de-registration, if consumer de-registers their number prior to the normal 6-year registration period.
Complaint information (nature of complaint, details of complaint, date of complaint). National DNCL Operator live agent, website or fax. Electronic. Paper faxes. CRTC.

Telemarketers or clients of telemarketers who are the subject of complaints.
CRTC: To investigate the complaint in accordance with the Unsolicited Telecommunications Rules.
Telemarketers: During some investigations, CRTC may require that the telemarketer confirm call was placed to complainant's number
Operator:
Montreal, QC.
As outlined in the record retention policy:
* 2 years after date complaint was lodged by complainant
CRTC:
complaint information management (CIM) system. Gatineau, QC.
As outlined in the record retention policy:
* 5 years after CIM creation date or 5 years after close of investigation
Consumer contact information (i.e. name, address, contact telephone number, e-mail address).

National DNCL Operator live agent, website, fax. Electronic. Paper faxes. CRTC (or possibly in future, the CRTC's Complaints Investigator Delegate)

Canadian and/or foreign law enforcement agencies.
To contact consumers for additional information related to a complaint; to investigate complaints about violations of the Unsolicited Telecommunications Rules; to administer and enforce rules or laws.
To carry out a lawful investigation
Operator:Montreal, QC.
As outlined in the record retention policy:
* 2 years after date complaint was lodged by complainant
CRTC:
complaint information management (CIM) system. Gatineau, QC.
As outlined in the record retention policy.
* 5 years after CIM creation date or 5 years after close of investigation
Telemarketer's Business registration and subscription information

Note: Privacy Impact only applies if registrant is a sole-proprietorship and conducting business under their own name.
National DNCL Operator website. Electronic. National DNCL Operator.

Telemarketers / clients of telemarketers who have registered and subscribed to the National DNCL. Only a telemarketer's own data is accessible to each telemarketer.

CRTC.
To allow telemarketers / clients of telemarketers to register and manage their registration information.
To permit subscription purchases and manage subscriptions.
To allow CRTC to investigate complaints and resolve telemarketer issues.
Operator:
Montreal, QC.
As outlined in the record retention policy:
* 5 years from the date of expiry of last registration period or last transaction, whichever is later.
CRTC
complaint information management (CIM) system. Gatineau, QC.
As outlined in the record retention policy.
* 5 years from the date the telemarketer database Extract Report received from Operator.

Privacy Risk Management

Privacy risks raised in the Privacy Impact Assessment are the following (since many of the risks are currently under mitigation, a status is also reported):

Privacy Risk Management
Identified Privacy Risk Level Status
All NDNCL functional areas should be informed of the accountability for privacy. They should know who to contact in response to a breach of personal information. Low Developed a privacy bulletin to distribute to all National DNCL Operator teams.
All privacy documentation has been made accessible to all agents of the National DNCL Operator.
All NDNCL incident response activities and concerns should be coordinated with the CRTC (i.e. an incident response protocol should be provided). Low The CRTC has provided the National DNCL Operator with all privacy requirements and these have been reviewed with Operator to ensure understanding.
National DNCL Operator agents should be separated from other non-DNCL agents to reduce risk of unauthorized disclosures. Low Controls are in place to ensure adequate measures exist to safeguard NDNCL Operator agent material from other agents, including the following:
  • Installation of signs indicating "NDNCL personnel only";
  • Monitors situated away from casual viewing;
  • Use of screen savers;
  • Minimizing screen for visits by non-NDNCL personnel;
  • Refresher training on operational procedures concerning security, sensitive discussions;
  • Ensuring no hardcopies of personal information are left on display;
  • Ensuring any documentation containing personal information is locked in a secure container; and
  • Ensuring printers are not shared with any other groups.
The National DNCL Operator should ensure that privacy adherence is followed by all third parties and is enshrined in contracts with these entities. Low Where third parties may handle personal information for the National DNCL Operator, there are contractual agreements which have been reviewed to ensure adherence to applicable privacy law.
The National DNCL Operator should require that breaches of personal information be reported internally and to the CRTC immediately. Low A National DNCL Operator privacy breach protocol (based on the CRTC's protocol) has been developed.
The National DNCL Operator should ensure that all domains receive a privacy incident management response protocol. Low All domains working on the National DNCL initiative have a copy of the incident management response protocol.
The National DNCL Operator should ensure that all agents involved with personal information handling in relation to the National DNCL have been trained on their privacy obligations. Low All relevant National DNCL agents receive privacy training once a year. The manager of each domain is responsible for ensuring team privacy training remains current.
The National DNCL Operator should ensure that whenever personal information is used for statistical, reporting and planning purposes that it be truncated or de-identified so that it is not identifiable to an individual. Low The National DNCL Operator does not use personal information for planning, forecasting or statistical information. Reports that contain identifying information are those related to consumer complaints, the purposes for which are identified in the Privacy Statement.
All National DNCL Operator agents should be aware of the specific purposes for which consent has been given to ensure they do not extend the consent that has been granted. Low This message is included in annual privacy refresher training.
The National DNCL Privacy Statement should be updated by a designated individual over time, particularly if changes are made to personal information collection, use and/or disclosure. Low The National DNCL Web Site includes a link to an updated Privacy & Confidentiality Statement.
The National DNCL should update its website to provide notification regarding withdrawal of consent for complaints. Low The National DNCL web site provides contact information for the CRTC including a telephone number and directions for withdrawing a complaint if a consumer wishes to do so.
The National DNCL agents providing support to consumers should be provided a script to inform consumers of their inability to withdraw consent for the investigation for their complaint. Low A script has been provided. The CRTC's Client Services team can be contacted by Consumers wishing to withdraw a complaint.
The National DNCL should review any free-form text boxes to ensure that collection of any personal information is neither onerous nor unwarranted. This review should lead to a notification near the entry to assist the consumer to determine relevancy. Low Website wording to discourage onerous or unneeded personal data at the time of entry into the free-form text box has been added.
The National DNCL Operator should ensure that all new purposes for collecting personal information are identified over time and formally documented as assessed. Low Future functional specification updates will take into consideration personal information requirements and assessments.
The National DNCL Operator should coordinate with the CRTC to develop an appropriate data retention and destruction policy and schedule. Low The CRTC has provided the National DNCL Operator with a detailed record retention and destruction policy. The Operator will be implementing this policy in a future release, scheduled for IIQ2010.
The National DNCL Operator agents should ensure verification of personal information occurs when interacting with consumers. Low This is included in existing procedures.
The National DNCL Operator, in conjunction with the CRTC, must clarify a formalized process to communicate and streamline access to information and privacy (ATIP) requests. Low ATIP requests are directed to the National DNCL Operator's Senior Counsel-Regulatory Law or directly to the CRTC ATIP Coordinator.
The National DNCL Operator must ensure that all disclosures of personal information to third parties are tracked. Low All disclosures of personal information to third parties are tracked.
The National DNCL Operator must align with its privacy ombudsman and legal team who deal with privacy matters to determine what role they will play with the National DNCL and what level of engagement is necessary to resolve privacy matters. Low This is being done on an as needed basis. The National DNCL Operator privacy prime engages its privacy primes for matters requiring support. Privacy matters are also referred to the CRTC and its Privacy Co-ordinator.
The output should be incorporated into the incident response protocol. Low The National DNCL Operator contacts are included in the National DNCL Privacy Prime's operating procedures.
The National DNCL Operator must determine the approach for incident tracking and monitoring. Low This is included in the Privacy Breach Protocol.
The National DNCL Operator must abide by the CRTC's requirements regarding reporting privacy incident and/or complaints. Low This is included in the Privacy Breach Protocol.
The National DNCL Operator must ensure that its Privacy Officer has support and guidance for response to incidents. Low This is being done on an-as needed basis. The National DNCL Operator privacy prime engages key privacy primes for matters requiring support. Privacy matters are also referred to the CRTC and its Privacy Co-ordinator.

Conclusion

The privacy impact assessment revealed a number of privacy risks; however, these risks have been mitigated with the implementation of the recommendations in the Privacy Risk Action Plan as set out in the PIA. The Office of the Privacy Commissioner (OPC) reviewed the PIA and in April 2009 identified some further privacy risks to the CRTC. These risks have been or are in the process of being addressed. Furthermore, the implementation of some mitigation processes is ongoing. The CRTC has since informed the OPC of additional privacy measures that have been or will be implemented imminently.