RECIPIENT GUIDE TO YOUR CONTRIBUTION AGREEMENT WITH IMMIGRATION, REFUGEES AND CITIZENSHIP CANADA. Settlement and Resettlement Assistance Programs

Transcription

1 RECIPIENT GUIDE TO YOUR CONTRIBUTION AGREEMENT WITH IMMIGRATION, REFUGEES AND CITIZENSHIP CANADA Settlement and Resettlement Assistance Programs September 2016

2 TABLE OF CONTENTS 1. Introduction and Role of the IRCC Program Officer 3 2. Your Contribution Agreement, Schedules and Forms Contribution Agreement Schedule 1 Statement of Planned Activities and Intended Results Schedule 2 - Description of Eligible Costs Schedule 3 - Terms of Payment Schedule 4 Supplementary Terms and Conditions Forecast of Cash Flow Form Legal History Form Direct Deposits - Receiving Payments from IRCC 7 3. Reporting Settlement and Resettlement Assistance Programs Direct Services Annual Performance Project Report (APPR) and Narrative Reporting Annual Performance Report for Community Partnerships Financial Claim Reporting Setting up Access to icare 9 4. Monitors and Compliance Audits Managing Changes in Your Contribution Agreement Amendments Changes Which Will Require Written Notification from the Recipient to IRCC Changes Which Will Require Written Approval from IRCC Amendment Internal Management Systems and Procedures Privacy and Security Privacy Legislation Privacy Breach For Recipients Providing Pre-Arrival Services Retention and Disposition Retention Disposition 14 ANNEX A SAMPLE: DRAFTING YOUR DETAILED BUDGET ANNEX B KEY BUDGET TERMS ANNEX C SAMPLE: FORECAST OF CASH FLOW FOR ADVANCE PAYMENTS ANNEX D PRIVACY BREACHES GUIDANCE FOR FUNDING RECIPIENTS

3 1. INTRODUCTION The Recipient Guide is intended for applicants who have been notified by the Department of Immigration, Refugees and Citizenship Canada (IRCC) of our intention to undertake negotiations towards a Contribution Agreement (CA) under the Settlement Program or the Resettlement Assistance Program. The document contains important information about conditions for funding and your obligations under the agreement. Please be sure to read this document alongside the Funding Guidelines which you used to submit your application. Should you have any questions regarding the content of this document, the IRCC Program Officer assigned to your CA will be available to provide clarifications. Role of the IRCC Program Officer The Program Officer is the primary point of contact between the Department and recipients of funding. Throughout the management of the contribution agreement, from negotiation to the closing of the agreement, the Program Officer communicates with the recipient, monitors implementation of the project, and reviews reporting in relation to performance and funding. 3

4 2. YOUR CONTRIBUTION AGREEMENT, SCHEDULES AND FORMS 2.1 Contribution Agreement The contribution agreement includes standard clauses and schedules that relate to your specific project. The clauses set out the conditions for funding, so please be sure to read your agreement carefully and seek clarification where necessary. Your contribution agreement s functions include: specifying the maximum federal contribution payable and what costs are eligible; specifying the required frequency for submission of progress reports and claims; outlining your obligations throughout the agreement, including adherence to Official Language requirements, the need for proper internal controls and security measures to protect personal information; specifiying the requirements you must follow if you contract for products or services related to the agreement; and explaining how to maintain and dispose of capital assets purchased under the agreement. The contribution agreement takes effect only after it has been signed by both parties, i.e. by the recipient and the Department. It takes precedence over all other documents pertaining to the project when determining the obligations of either party. 2.2 Schedule 1 Statement of Planned Activities and Intended Results Schedule 1 describes the objectives of your project and related activities, outputs, and outcomes. It also specifies your reporting requirements further outlined in section 3 of this guide. Reporting for icare (Immigration Contribution Agreement Reporting Environment) is addressed in Schedule 4. Remember, you must submit an annual financial statement (audited, where feasible), 6 months from the end of the agreement s fiscal year. 2.3 Schedule 2 Description of Eligible Costs Schedule 2 summarizes your project budget, broken down by cost category (program delivery, administration and, if applicable, capital). For more information on eligible costs and restrictions, refer to clauses 2.3 and 3.3 of the contribution agreement and Annexes D and H of the Funding Guidelines. During the negotiation process you will be asked to provide more detailed budget information (see Annex B) further to what was included with your original application. This budget document is important for finalizing the negotiation of your CA and for submitting your reports in order to receive payments. Your Program Officer will review this information with you. Further to clause 9.0 of the CA, and throughout the life-cycle of the agreement, you are required to use a fair process if and when you are contracting for products or services with third-parties. 4

5 2.4 Schedule 3 Terms of Payment There are two types of payments issued at IRCC: Reimbursements (progress payments) issued to you upon receipt of a claim for reimbursement of expenditures; Advance payments issued to you prior to expenditures being incurred for project activities, based on your cash flow forecast requirements. For reimbursements, you will be submitting claims for reimbursement of costs based on the itemized list of expenses identified on Schedule 2. Claims are submitted monthly, quarterly or semi-annually as determined in your CA. The department will also not cover any expenditure incurred before the CA comes into effect i.e. before it has been signed by both parties. It is important to note that IRCC will not pay claims or reimburse other expenditures submitted after the final claims for the project have been processed. You must request advance payments, which are only granted if they are essential to the achievement of project objectives. You must demonstrate that: Your current working capital is not sufficient to provide the necessary cash flows to carry out the services; Other sources of funds are not sufficient to allow you to deliver the services in advance of reimbursement for expenditures incurred and; Advance payments are necessary and essential for achieving project objectives. Where these conditions are met and you wish to receive an advance, the appropriate clauses will be included in Schedule 3. For all agreements, a holdback amount - as determined and indicated by your Program Officer - will be retained by IRCC. It is usually an amount between 5 to 15% of your total project budget. The holdback will be released as a final payment on receipt and approval by the Department of the final claims for eligible costs and deliverables, including any supporting documents that were requested. 2.5 Schedule 4 Supplementary Terms and Conditions Any additional clauses relevant to your agreement will be included in Schedule 4, as deemed appropriate by your Program Officer. 2.6 Forecast of Cash Flow Form Throughout the life-cycle of your contribution agreement, you are responsible for completing and updating the Forecast of Cash Flow form (see Annex C). The Forecast of Cash Flow form is a financial management tool used to show projected and actual monthly expenditures by fiscal year of the agreement and can be submitted electronically via a scanned copy. It helps to determine if expenditures are in line with forecasts during the project period. 5

6 When completing the form, please identify whether the costs are forecasts or actuals. The information will be broken down by the standard line items for Program Delivery and Capital expenses in aligning with Schedule 2 expenses. Administrative costs should be calculated based on the Program Delivery total and the rate negotiated with IRCC and specified in Schedule 2. A drop down menu above the signature block on the Forecast of Cash Flow form permits you to confirm that you are requesting advance payments (see Section 3.3 of the form). Your Program Officer determines whether you meet the requirements for advances. Approval for advances is detailed in Schedule 3 when the negotiations are completed. The Forecast of Cash Flow must be signed by the individual(s) with designated financial signing authority for your organization (i.e., not just the IRCC-funded project). This will be in accordance with your organization s protocols. As the project proceeds, there may be changes to your cash flow projections. A new Forecast of Cash Flow is normally required when there are variations greater than +/- 15% between the forecasted amount and the claimed amount in a reporting period. Further details on this may be indicated in Schedule 1 of your CA. IRCC may also request an updated Forecast of Cash Flow at various intervals during your CA. If you anticipate significant budget lapses, where you foresee that you may not spend the funds committed to your project, please inform your Program Officer as soon as possible so that adjustments may be made. As per article 5.1 of the contribution agreement, please remember to disclose to IRCC all confirmed or potential sources of funding, including any in-kind donations which relate to activities or eligible costs for your project. This should be provided to IRCC through the Forecast of Cash Flow form, prior to beginning project activities, as well as within 30 days of any change to funding sources. 2.7 Legal History Form As part of its risk-based approach in managing its Grants and Contributions programs, IRCC requires that each recipient provide information pertaining to current legal proceedings as well as any that occurred over the past three years against the recipient, (individual or organization), board members, as well employees discharging responsibilities on behalf of the recipient. Such action should not be interpreted as being restricted to dealings with IRCC. Please note this request for information does not include the collection of information on potential legal proceedings and/or personal legal proceedings against employees or Board members where the legal proceeding is not in relation to your organization s operations. Your Program Officer will provide you with a copy of this form and answer any further questions. Once fully completed and signed by a duly authorized representative of your organization, such as the Chairperson of the Board of Directors, Executive Director, or Solicitor, the form is to be returned to your Program Officer. Please note that delays or failure to complete and return this form will affect the timing of or may prevent finalizing your CA with IRCC. 6

7 2.8 Direct Deposit Receiving Payments from IRCC All new projects must be setup to receive payments via direct deposit. Your Program Officer will explain the steps required to set up direct deposits. For recipients located overseas, direct deposits and wire transfers vary from country to country. You should review the method of payment and related elements with your Program Officer. All IRCC payments are made in Canadian currency. 3. REPORTING Whether you are managing a direct or indirect project under the Settlement or Resettlement Assistance Program, you are expected to report on progress to ensure that the objectives, outputs and outcomes outlined in your contribution agreement are met within the negotiated timeframes. Please note that funding claims are processed once IRCC has approved your icare and narrative reports. 3.1 Settlement and Resettlement Assistance Programs Direct Services IRCC collects information on newcomer clients and services provided by service provider organizations through the Immigration Contribution Agreement Reporting Environment (icare). You are required to enter client and service data into the appropriate icare module(s) in accordance with the services set out in your contribution agreement. icare modules for service providers operating in Canada include: Needs Assessment and Referral Services (NARS); Information and Orientation (I&O); Employment-related Services (ER); Community Connections (CC); Language Assessment (LA); Language Training (LT); Waitlist; Resettlement Assistance Program (RAP). Support Services delivered in connection with the above services are recorded within the related service delivery module. New icare modules for Pre-Arrival Settlement services provided overseas were launched in 2015 for: Pre-Arrival Settlement services which include: NARS, I&O, ER and CC; Narrative and Annual Project Performance Report (APPR); 7

8 3.2 Annual Project Performance Report (APPR) and Narrative Reporting The Narrative Reporting/APPR module within icare serves two purposes: 1. To collect narrative information from you to support the claims process within timeframes agreed to with your Program Officer (e.g., monthly or quarterly); 2. To collect annual project performance information to support the Performance Measurement Framework strategy for IRCC s Settlement Program. If you are providing direct Settlement services and have access to icare, you are required to submit narrative reports through icare each time you submit a payment claim to IRCC. The period of time covered by the narrative report should match the period of time covered by the payment claim. Your Program Officer will be reviewing the narrative reports you enter in the system. If additional information is required, the Program Officer will communicate this to you through this system. The report will be returned to you for your review and response. Once the final IRCC review has been completed, your Program Officer will certify that the narrative report is in accordance with the contribution agreement. Many of the questions on the narrative report have been aligned with the questions on the APPR in order to reduce your year-end reporting requirements. The APPR is due no later than May 31 (60 days after the end of the fiscal year) for each fiscal year of funding. The narrative report/appr module is not applicable to resettlement services nor indirect services (except community partnerships). For these types of projects, you will be submitting your narrative reports and annual reports directly to your Program Officer. Please discuss reporting requirements with your Program Officer. 3.3 Annual Performance Report for Community Partnerships (APRCP) The Annual Performance Report for Community Partnerships (APRCP), is a component of the performance management strategy for the Settlement Program. It is intended for recipients providing indirect services through community partnerships (e.g., Local Immigration Partnerships). If you deliver indirect services through community partnerships, you will be required to complete the APRCP by the end of May of each fiscal year. Your Program Officer will provide you with the report template indicating the type of information that you must track throughout the project to report on outcomes and deliverables. Your Program Officer will also provide a copy of the guide and glossary to assist you when completing the form. 8

9 3.4 Financial Claim Reporting All recipients will be filing their claims electronically through the same Partner Portal where you submitted your application for funding. You will no longer need to submit paper copies. The Partner Portal will allow you to see information on your current agreement. Additional functionalities include the ability to generate, view and track the progress of your electronic claim for reimbursement. If you submitted your original application through the electronic Partner Portal, you will already have an account. If you do not currently have an account, please contact your designated Program Officer or contact for assistance. 3.5 Setting Up Access to icare The personal information collected about individual clients and the subsequent report in icare must be safeguarded at all times to maintain privacy obligations. Before your contribution agreement can be finalized and access to icare granted, your administrative, physical and IT environments must meet IRCC s security and privacy requirements, including criminal record checks for staff who have access to personal information about clients. During the negotiation process, your Program Officer will: 1. Provide you with a copy of Privacy and Security Requirements for Funding Recipients. You must complete Appendix A - icare Minimum Security Requirements (MSR) Checklist and submit to your Program Officer during negotiations. Once you have an icare account, you must also submit the MSR through icare when access is initiated by the signing authority of your organization. You must meet these minimum requirements before you collect personal client information. 2. Inform you about the requirement to distribute a copy of the Gathering Information pamphlet that explains the purpose and privacy implications of collecting personal information (clause 7.2 of the CA) to all clients. Copies can be accessed under the Resources tab in icare and is available in seventeen languages. 3. Questions pertaining to icare can be addressed to icare Help Desk ( ). 9

10 4. MONITORS AND COMPLIANCE AUDITS Monitoring refers to a formal project review by your Program Officer or other authorized IRCC staff, to ensure success of the project and compliance with the obligations, performance objectives and deliverables stated in your Contribution Agreement. Monitors include reviewing project activities and finances in order to ensure that you are meeting the terms and conditions of your agreement, public funds are expended for the intended purpose and expenditures claimed are eligible and allowable. Your Program Officer will inform you about the expected frequency and types of monitoring (e.g. financial and/or activity) that will take place for your project. IRCC may also contract a third party to undertake a compliance audit (also referred to as Recipient Audit). A compliance audit is an independent assessment to provide assurance of your adherence to the terms of a CA. Compliance audits may address any or all financial as well as non-financial aspects of the CA and are intended to support monitoring and overall management and documentation of a CA. Your Program Officer will inform you, should a compliance audit be required for your project. 10

11 5. MANAGING CHANGES IN YOUR CONTRIBUTION AGREEMENT - AMENDMENTS The type of action required to make a change in your CA depends on the type of change. Some changes can be made by you without prior written approval from IRCC. Others require written approval from IRCC, while more substantial changes will require an amendment. With the exception of the changes outlined below in 5.1 (that the recipients can make without prior written approval from IRCC), it is expected that recipients will notify the Department in writing with respect to all proposed adjustments to the CA. Depending upon the extent and significance of the change(s), your Program Officer will advise you if prior written approval or an amendment to the CA is required. Please find below, a summary of the allowed flexibilities and restrictions on changes related to the contribution agreement. These requirements are set out in clause 3.3 of the CA and your Program officer can further explain to you. 5.1 Changes that Will Require Written Notification from the Recipient to IRCC There are two scenarios where you may reallocate eligible costs without prior written approval from IRCC. However, your Program Officer must be notified in writing (via , letter, facsimile or signed cash flow) following such a reallocation. You can reallocate costs from the Capital cost category to the Program Delivery category, when the sum of all transfers is less than 5% of the Capital cost category's original fiscal year budget, to a maximum of $50,000. When the amount allocated in the Program Delivery category changes, it may impact the administrative flat rate and associated percentage and dollar value. Please discuss with your Program Officer on how to apply the conversion formula in these circumstances. You can reallocate costs between existing line items within the same cost category, when the sum of all transfers is less than 5% of the cost category s original fiscal year budget, to a maximum of $50, Changes that Will Require Written Approval Required from IRCC Anything above the thresholds (5% to a maximum of $50,000). All reallocations from the Program Delivery category to the Capital cost category. Reductions to the total CA value up to 5% of the current fiscal year CA value, to a maximum of $50,000. This also requires endorsement of your designated signing authority and the submission of a revised Forecast of Cash Flow. For the Resettlement Program, changes to temporary accommodation, food or incidentals per person rates as set out in Schedule 2 require prior written approval from IRCC. 11

12 5.3 Amendment An amendment is a formal change or an addition to the terms of your Contribution Agreement with IRCC. It requires revisions to the original CA documents and signatures from all authorized signatories attesting and agreeing to the changes. The following types of changes will require a formal amendment to the CA. Increases to the total CA value; The inclusion of new line items or cost categories; Changes in fiscal year allocations; Changes to the funding period (e.g., extension of the time covered); Changes to Schedule 1 of the CA, with the exception of administrative changes such as typos and clarifications; Reductions exceeding 5% or $50,000 of the current fiscal year CA value; Changes to the terms of the agreement (e.g., inclusion of new clauses, modifications to terms in Schedule 4, etc.) Throughout the implementation of your Contribution Agreement, your Program Officer will notify you of any other situations which may require an amendment. 6. INTERNAL MANAGEMENT SYSTEMS AND PROCEDURES Internal controls refer to a framework designed and implemented by an organization to provide reasonable assurance that project objectives will be achieved. These controls ensure an organization s business is conducted in an orderly manner, where assets and resources are safeguarded, data are complete and accurate, and policies and plans are in place and followed. The Department recommends the active implementation of internal controls by recipients. You are required to keep separate and accurate financial records for the project in accordance with generally accepted accounting principles and business practices, of: (i) all assets and liabilities held, (ii) all revenues from all sources and, (iii) all expenses incurred and paid out in connection with the contribution agreement. 12

13 7. PRIVACY AND SECURITY This Section provides guidance on the privacy and security obligations that you must meet. These are further described under Section 7.0 of the CA. Please review this section and related CA articles carefully and contact your Program Officer should you have any questions. Please note: these obligations also apply to any contracts with third parties related to your CA. 7.1 Privacy Legislation When collecting or maintaining personal information for work related to obligations within your contribution agreement, you are required to respect federal privacy and access legislation and related provisions. Two pieces of legislation are particularly relevant in this context. The Privacy Act relates to an individual s right to access and correct personal information held by the Government of Canada. While the Privacy Act applies mainly to federal government institutions such as IRCC, its provisions are further extended to organizations that receive funding and collect information under a CA with IRCC. The Personal Information and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. Additional information on Canadian privacy laws can be found on the Office of the Privacy Commissioner s Fact Sheet: Privacy Legislation in Canada. 7.2 Privacy Breach A privacy breach involves improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. In the event that you experience a privacy breach or suspect that one has occurred, you are required to immediately notify your Program Officer. You will also need to inform the affected client(s) in the event that personal information is compromised through loss, theft or otherwise. Please refer to Annex D, Privacy Breaches Guidance for Funding Recipients for more details. 7.3 For Recipients Providing Pre-Arrival Services Recipients providing services overseas will also need to comply with the laws of the countries where services are being provided. You must take reasonable steps to protect personal information from unauthorized uses and disclosures to ensure such information is properly safeguarded at all times. Your Program Officer may request further details on ensuring compliance with this requirement. If you feel that a conflict has developed between your contractual privacy obligations and the laws of the foreign country you are operating in, please notify your Program Officer as soon as possible. 13

14 8. RETENTION AND DISPOSITION Clause 6.0 of your CA indicates some obligations for the retention and disposition of information with respect to your project. Documents pertaining to the activities and deliverables of a funded project, both financial and non-financial, must be retained during the entire term of the agreement and for seven years afterwards, except in the case of protected personal information (also referred to as Protected B information). This applies equally to all information formats, e.g., paper and electronic records. With respect to protected personal client information collected in accordance with obligations under your CA, you must maintain, retain and dispose of records in accordance with the federal Privacy Act, provincial/territorial privacy and access to information legislation and/or the PIPEDA. This also applies to any third party with whom you have contracted and will be involved in delivering the IRCC-funded project. 8.1 Retention You should only retain protected personal client information that has been entered into icare (or other IRCC approved system) for only as long as the client continues to receive services. If a client is no longer receiving services from your organization, you should immediately dispose of his/her information in a secure manner. Where personal client information will not be entered into icare (e.g., pilot project participant information, workshop participant surveys, language assessment details, etc.), you should retain it for no more than two years after the agreement under which the client last received services has been closed. This two year period before client records are to be disposed will allow such records to be available where the client continues to receive services under succeeding agreements. If you are required to retain the protected information beyond either of the above retention periods for purposes outside of IRCC-funded activities, for example services provided to clients through other funders, all IRCC-specific client identification information, such as a GCMS number, must be removed from the record. 8.2 Disposition Once the required retention period for client records is complete, the records must be disposed of using the appropriate method for the type of information that has been retained. This includes the storage media in which it has been retained. There are different disposal requirements for Protected B information depending on the type of storage media used. For example, electronic devices and assets with hard drives containing protected personal client information must be overwritten using IRCC s approved disk erasure software. Please notify your Program Officer to confirm disposition of protected information, once completed. 14

15 ANNEX A SAMPLE: Drafting Your Detailed Budget 15

16 Annex A continued 16

17 ANNEX B Budget Key Terms Administrative Expenses: Operating expenses that an organization incurs but which are not directly tied to a specific project or activity. Examples of administrative costs include: administrative-type salary and professional services (e.g., executive director, bookkeeper, clerical support, legal services, audit fees), bank charges, security costs, rent and associated costs related to space for corporate activities, office supplies, printing and photocopying, Internet access, etc. Audited Financial Statements: Independent audit performed by auditors to provide an opinion on an organization s financial statements. It is different from a compliance audit in that it does not indicate if the costs claimed by the recipient are in compliance with a particular CA. Cost Categories: A cost category is a group of line items within a project (or programming) budget. The approved cost categories for the Settlement and Resettlement Programs are administration (flat rate), Program Delivery and Capital costs. Flat Rate: is the total percentage of your budget (up to 15%) of the Program Delivery cost category which is allocated under the Administrative category. This percentage amount is negotiated, and once approved and agreed upon by both parties, it will represent the amount in the budget which will not need to be reported in detail for payment claims. These represent costs not directly related to project outputs, but necessary for the continued operations in order for the project to be realized. Holdback: The holdback is the portion of the total contribution funding that is withheld at the end of the project until all obligations, specified in Schedule 1 of the CA are fulfilled. The holdback may be 5%, 10% or 15% of the overall project budget. The Program Officer will inform you of the holdback percentage, usually specified in Schedule 3 of the CA. 17

18 In-Kind Contributions: Resources provided by either the recipient or another organization that are integral to the operation of the proposed project/activity (e.g. use of space, equipment, salary) and do not require any reimbursement for their use. In-kind contributions are not eligible for reimbursement. Line Item: Refers to the program s eligible expenditures displayed in the drop-down menus in Schedule 2 of the CA. The line items are grouped under cost categories. Within the Program Delivery cost category, there is a drop down list of 17 line items (e.g. salaries, wages and benefits, training and professional development, etc.) and two line items within the Capital cost category (capital expenditures and eligible GST/HST). Program Delivery: Program delivery costs include all costs directly related to the delivery of the program/activity offered by an organization. Examples include salaries and wages for language instructors, rent for classrooms, computer labs for students, materials for training. Value for Money: The extent to which a program demonstrates relevance and performance. Relevance is achieved by addressing a demonstrable need, being appropriate to the department and being responsive to the needs of Canadians and newcomers. Performance is achieved by using taxpayer resources well, producing program outputs in an affordable manner, and achieving outcomes consistent with program objectives. 18

19 ANNEX C Example Forecast of Cash Flow for Advance Payments Indicate whether Forecast (F) or Actual (A) Standard line items Note: GST/HST specified in both cost categories The initial payment with a quarterly advance in this case would be the sum of the first three months ($371,450). Dropdown displays prompt for recipient to request and sign for advance payments. 19

20 ANNEX D Privacy Breaches Guidance for Funding Recipients The purpose of this document is to provide guidance to IRCC s funding recipients for situations when a privacy breach involving personal information is suspected or has occurred. What is a Privacy Breach? A privacy breach involves improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. A breach may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders. Potential Causes of Privacy Breaches The following are examples of situations that could result in the disclosure of or access to personal information by unauthorized parties. The theft, loss or disappearance of equipment or devices containing personal information. The sale or disposal of equipment or devices containing personal information without a total purging of the item prior to its sale or disposal. The transfer of equipment or devices without adequate security measures. The use of equipment or devices to transport/store personal information outside the office for tele-work or off-site work arrangements without adequate security measures. The inappropriate use of electronic devices to transmit personal information, including telecommunication devices. Intrusions that result in unauthorized access to personal information. Low level of privacy awareness among staff, contractors or other third parties that handle personal information. Inadequate security and access controls for information in hard copy or electronic format, onsite or off-site. The absence of or inadequate provisions to protect privacy in contracts or in informationsharing agreements involving personal information. Insufficient measures to control access and editing rights to personal information. This may result in wrongful access to and the possible tampering of records containing personal information. How to Respond to a Privacy Breach In the event that a privacy breach is suspected or has occurred, immediately notify the IRCC officer managing your agreement. Refer to the security document for any information collection system being used for IRCC s CA, e.g. the icare Security Requirements for Service Provider Organizations document, and take the actions identified therein. You may be required to work with IRCC staff to investigate and provide as much specific and detailed information as possible to fully explain the breach. You shall refer to the applicable privacy law for your jurisdiction, e.g. municipal, provincial, to determine if there are any additional reporting requirements with respect to breaches of privacy. Information on responding to privacy breaches can be found from the appropriate provincial/territorial agency or the Personal Information Protection and Electronic Documents Act (PIPEDA). You may also find information dealing with privacy breaches at the Office of the Privacy Commissioner of Canada (OPC). If you have collected personal information from clients overseas, please note that you must also adhere to the privacy laws of that country. 20