Design with privacy in mind for the collection, use and management of personal information
- ensure alignment with guidance from the appropriate institutional ATIP Office with respect to the interpretation and application of the Privacy Act and related policy instruments
- assess initiatives to determine if personal information will be collected, used, disclosed, retained, shared, and disposed
- only collect personal information if it directly relates to the operation of the programs or activities
- notify individuals of the purpose for collection at the point of collection by including a privacy notice
- personal information should, wherever possible, be collected directly from individuals, but can be collected from other sources where permitted by the Privacy Act
- personal information must be available to facilitate Canadians’ right of access to and correction of government records
- design access controls into all processes and across all architectural layers from the earliest stages of design to limit the use and disclosure of personal information
- design processes so personal information remains accurate, up‑to‑date and as complete as possible, and can be corrected if required
- de‑identification techniques should be considered prior to sharing personal information
- in collaboration with the appropriate institutional ATIP Office, determine if a Privacy Impact Assessment (PIA) is required to identify and mitigate privacy risks for new or substantially modified programs that impact the privacy of individuals
- establish procedures to identify and address privacy breaches so they can be reported quickly to the appropriate institutional ATIP Office and responded to efficiently