Directive on Personal Information Requests and Correction of Personal Information
Archives
This directive replaces:
- Personal Information Requests and Correction of Personal Information, Directive on [2022-07-13]
- Personal Information Requests and Correction of Personal Information, Directive on [2022-10-26]
1. Effective date
- 1.1 This directive takes effect on October 26, 2022.
- 1.2 This directive replaces the Directive on Personal Information Requests and Correction of Personal Information dated July 13, 2022.
2. Authorities
- 2.1 This directive is issued pursuant to paragraph 71(1)(d) of the Privacy Act and as specified in section 2.2 of the Policy on Privacy Protection.
3. Objectives and expected results
- 3.1 In addition to the objectives indicated in section 3.1 of the Policy on Privacy Protection, the objective of this directive is to establish consistent practices and procedures for processing requests from individuals to access their personal information or for the correction of their personal information that is under the control of government institutions and has been used, is used or is available for use for administrative purposes.
- 3.2 The expected results indicated in section 3 of the Policy on Privacy Protection apply to this directive.
4. Requirements
- 4.1 Heads of government institutions or their delegates are responsible for:
Exercising discretion
- 4.1.1 Exercising discretion in a fair, reasonable and impartial manner after:
- 4.1.1.1 Considering the purpose of the Act, which is, in part, to provide individuals with a right of access to their personal information, subject to limited and specific exemptions; and the right to request correction of their personal information;
- 4.1.1.2 Considering all relevant factors for and against disclosure, the relevant provisions of the Act, as well as applicable jurisprudence;
- 4.1.1.3 Consulting with government institutions, as necessary; and
- 4.1.1.4 Reviewing the information contained in records.
Privacy training
- 4.1.2 Ensuring that employees of government institutions and officials who have functional or delegated responsibility for the administration of the Act receive training as outlined in Appendix B: Mandatory Procedures for Privacy Training.
- 4.1.3 Documenting the completion of training in accordance with Appendix B: Mandatory Procedures for Privacy Training.
Eligibility of the requester
- 4.1.4 Establishing procedures to:
- 4.1.4.1 Confirm the identity of the requester so that privacy will not be breached; and
- 4.1.4.2 Confirm the authority of an individual to make a request on behalf of another individual.
Informal processing
- 4.1.5 Determining whether it is appropriate to respond to a personal information request on an informal basis, recognizing that the Act is intended to complement existing procedures for obtaining personal information held by government.
- 4.1.6 Proceeding with treating a request informally only upon receipt of written consent from the requester who has been informed that only formal requests are subject to the provisions of the Privacy Act, including legislative timelines and the right to complain.
Acknowledging requests
- 4.1.7 Providing the requester with:
- 4.1.7.1 Acknowledgement of receipt of the request;
- 4.1.7.2 The legislative due date for the response;
- 4.1.7.3 The contact information of the appropriate officer or office within the institution where questions and further clarifications may be addressed;
- 4.1.7.4 Notification of the right to complain to the Privacy Commissioner; and
- 4.1.7.5 A copy of the Principles for Assisting Requesters or a link to the Principles online.
Duty to assist
Protecting the identity of the requester
- 4.1.8 Limiting the use or disclosure of information that could directly or indirectly lead to the identification of a requester to a need to know basis, unless otherwise authorized by the Act.
Interpretation and clarification of requests
- 4.1.9 Adopting a broad interpretation of a personal information request and communicating promptly with the requester when necessary to clarify the request.
- 4.1.10 Assisting the requester in clarifying a request where it would result in the requester receiving more complete, accurate or timely access.
- 4.1.11 Documenting the wording of a clarified request, as agreed by the requester, and the date of the revision when a request has been clarified or its wording altered.
Onsite examination
- 4.1.12 When a copy of the personal information cannot be made available, providing an appropriate location and time within the government institution for the requester to examine the records containing the personal information.
Language of access
- 4.1.13 Providing the personal information in the official language requested by the requester, including translating or interpreting the personal information when necessary to enable the individual to understand the information.
Accessible format for requesters
- 4.1.14 Providing the personal information in an accessible format requested by the requester including converting the records to the alternate format when necessary to enable the requester to understand the information when it would be reasonable to cause the personal information to be converted.
Processing of personal information requests and correction requests
Use of prescribed platforms
- 4.1.15 Receiving requests using the prescribed platforms listed in Appendix D: Prescribed Platforms for Receiving and Processing Personal Information Requests.
- 4.1.16 Processing requests using the prescribed platforms, listed in Appendix D: Prescribed Platforms for Receiving and Processing Personal Information Requests, when platforms have been prescribed.
Tracking system
- 4.1.17 Establishing and maintaining an internal management system to keep track of:
- 4.1.17.1 The processing of personal information requests and correction requests;
- 4.1.17.2 Corrections or notations made;
- 4.1.17.3 Complaints;
- 4.1.17.4 Reports and recommendations from the Privacy Commissioner; and
- 4.1.17.5 Reviews by the courts.
Documentation
- 4.1.18 Documenting the processing of requests by placing on file all documents that support decisions under the Privacy Act, including communications where factors considered when exercising discretion are discussed, recommendations are given, rationales are provided and decisions are made.
Control of the personal information
- 4.1.19 Determining, in a manner consistent with jurisprudence and considering any Treasury Board of Canada Secretariat (TBS) guidance, whether the personal information is under the control of the government institution.
Extension of the time limit
- 4.1.20 Assessing, without undue delay, each request received under the Act to determine if an extension is needed for processing the request.
- 4.1.21 Providing a written explanation to the requester within 30 days of receipt of the request of the reasons for an extension should the personal information request take more than 30 days to fulfill.
- 4.1.22 Notifying the requester of their right to complain to the Privacy Commissioner in respect of the extension of the time limit.
- 4.1.23 Reporting on the number of and reasons for extensions in the institution’s annual report to Parliament.
Limiting inter-institutional consultations
- 4.1.24 Undertaking inter-institutional consultation only when:
- 4.1.24.1 The processing institution requires more information for the proper exercise of discretion to withhold information; or
- 4.1.24.2 The processing institution intends to disclose potentially sensitive information.
- 4.1.25 Ensuring that consultation requests from other federal government institutions are processed with the same priority as personal information requests.
Exceptions to disclosure
- 4.1.26 Applying exemption and exclusion provisions in accordance with relevant jurisprudence and TBS guidance. Appendix C: Classification of Exemptions lists the exemptions and indicates whether they are based on a class test or an injury test, and whether they are discretionary or mandatory in nature.
- 4.1.27 Citing all exemptions and exclusions invoked on the records on each page, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based to materialize.
- 4.1.28 Clearly identifying the redacted material in a manner that is evident on the individual record.
Giving access
- 4.1.29 Providing written notice to the requester of whether access is being granted.
- 4.1.30 Providing access to the information or part thereof, or notifying the requester if access is refused.
- 4.1.31 Notifying requesters of their right to complain to the Privacy Commissioner in respect of matters relating to personal information requests.
Requests for correction and notation of personal information
- 4.1.32 Establishing a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented.
- 4.1.33 Documenting any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose.
- 4.1.34 Notifying the individuals, and any public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information.
- 4.1.35 Notifying requesters of their right to complain to the Privacy Commissioner in respect of requests for correction of personal information.
Considering other means of making information accessible
- 4.1.36 Regularly reviewing the nature of requests received and assessing the feasibility of making frequently requested types of information available by other means.
Monitoring and reporting
- 4.1.37 Monitoring and reporting on the requirements of this directive as specified in the Policy on Privacy Protection.
- 4.2 Employees of government institutions are responsible for:
Informal access
- 4.2.1 Recommending to the head or the delegate, when appropriate, that information requested be disclosed informally.
Complete, accurate and timely responses
- 4.2.2 Making every reasonable effort to search, locate and retrieve the requested personal information under the control of the government institution.
- 4.2.3 Ensuring searches for records are comprehensive and consider both the letter and the spirit of the request.
- 4.2.4 Referring questions about whether the personal information is under the control of the government institution to Access to Information and Privacy (ATIP) officials with delegated authority for their determination.
- 4.2.5 Advising ATIP officials at an early stage if a request cannot be responded to within the legislated 30-day timeframe.
- 4.2.6 Making every reasonable effort to respond to requests within the timelines prescribed in the Act, including extensions taken in accordance with the Act.
Recommendations
- 4.2.7 Providing recommendations and contextual information to inform the head of the government institution, or their delegate, about possible exemptions or exclusions applicable to the personal information requested, taking into account the purpose of the Act.
Contracts and agreements
- 4.2.8 Establishing measures to support an individual’s right of access to their personal information when entering into contracts, arrangements and agreements.
5. Roles of other government organizations
- 5.1 The roles and responsibilities of government institutions with respect to this directive are identified in section 5 of the Policy on Privacy Protection.
6. Application
- 6.1 This directive applies as described in section 6 of the Policy on Privacy Protection.
7. References
- 7.1 Legislation
- Access to Information Act
- Access to Information Regulations
- Canada Evidence Act
- Canadian Charter of Rights and Freedoms
- Financial Administration Act
- Interpretation Act
- Library and Archives of Canada Act
- Official Languages Act
- Personal Information Protection and Electronic Documents Act
- Privacy Act
- Privacy Act Heads of Government Institutions Designation Order
- Privacy Regulations
- 7.2 Related policy instruments
- Directive on Access to Information Requests
- Directive on Identity Management
- Directive on Privacy Impact Assessment
- Directive on Privacy Practices
- Directive on Service and Digital
- Directive on Social Insurance Number
- Policy on Access to Information
- Policy on Government Security
- Policy on People Management
- Policy on Privacy Protection
- Policy on Service and Digital
- 7.3 Related guidance instruments and forms
- Access to Information and Privacy implementation notices
- Access to Information Manual
- Delegation under the Access to Information Act and the Privacy Act
- Info Source Online Publishing Requirements
- Principles for Assisting Requesters
- Privacy Breach Management Toolkit
- Treasury Board of Canada Secretariat Forms
8. Enquiries
- 8.1 Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries regarding any questions about this directive.
- 8.2 Employees of federal institutions may contact their Access to Information and Privacy Coordinator regarding any questions about this directive.
- 8.3 Access to Information and Privacy Coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data Division regarding any questions about this directive.
Appendix A: Definitions
- class test (critère objectif)
- A test that objectively identifies the categories of information or documents to which certain exemption provisions of the Privacy Act can be applied. The exemptions set out in the following sections of the Act are based on a class test: 18(2), 19(1), 22(1)(a), 22(2), 22.1, 22.2, 22.3, 22.4, 23, 24, 26, 27 and 27.1.
- discretionary exemption (exception discrétionnaire)
- An exemption provision of the Privacy Act that contains the phrase “may refuse to disclose.” The exemptions set out in the following sections of the Act are discretionary: 18(2), 20, 21, 22(1)(a), 22(1)(b), 22(1)(c), 23, 24(a), 24(b), 25, 27, 27.1 and 28.
- every reasonable effort (tous les efforts raisonnables)
- A level of effort that a fair and reasonable person would expect or would find acceptable.
- informal request (demande informelle)
- A request for personal information made to the ATIP office of a government institution that is not made or processed under the Act. There are no deadlines for responding. In addition, the requester has no statutory right of complaint to the Privacy Commissioner.
- injury test (critère subjectif)
- A test to determine the reasonable expectation of probable harm that must be met for certain exemption provisions of the Privacy Act to apply. The following sections of the Act are based on an injury test: 20, 21, 22(1)(b), 22(1)(c), 25 and 28.
- mandatory exemption (exception obligatoire)
- An exemption provision of the Privacy Act that contains the phrase “shall refuse to disclose.” The exemptions set out in the following sections of the Act are mandatory: 19(1), 22(2), 22.1, 22.2, 22.3, 22.4 and 26.
- privacy training (formation en protection des renseignements personnels)
- All activities that serve to increase privacy awareness, including formal training, discussion groups, conferences, Access to Information and Privacy community meetings, shared learning among colleagues, on-the-job training, special projects, job shadowing and communications activities that promote learning in the areas identified in Appendix B of this directive.
- tracking system (système de suivi)
- An electronic or paper-based case management system used in ATIP offices to track personal information requests and requests for correction of personal information and document their processing.
Additional definitions are listed in Appendix A of the Policy on Privacy Protection.
Appendix B: Mandatory Procedures for Privacy Training
This Appendix provides guidance related to training in the application of the Act that all employees of government institutions should receive.
- B.1 Effective date
- B.1.1 These procedures take effect on October 26, 2022.
- B.1.2 These procedures were previously set out in Appendix B: Privacy Awareness in the Directive on Personal Information Requests and Correction of Personal Information effective July 13, 2022.
- B.2 Procedures
- B.2.1 These procedures provide details on the requirements set out in section 4.1.2 of the Directive on Personal Information Requests and Correction of Personal Information. All employees of government institutions must receive training on their obligations under the Privacy Act and related Treasury Board policy instruments. The training must cover the following:
- B.2.1.1 The purpose of the Act;
- B.2.1.2 The applicable definitions;
- B.2.1.3 Employees’ responsibilities under the Act and the Policy on Privacy Protection and related directives, including the principles for assisting requesters;
- B.2.1.4 Delegation, exemption decisions and the exercise of discretion;
- B.2.1.5 Employees’ obligation to make every reasonable effort to locate and retrieve the requested personal information under the control of the government institution;
- B.2.1.6 The requirement to provide complete, accurate and timely responses;
- B.2.1.7 The complaint process and reviews by the courts;
- B.2.1.8 Sound privacy and security practices respecting the creation, collection, retention, security designation, validation, use, disclosure and disposition of personal information;
- B.2.1.9 The management of privacy breaches; and
- B.2.1.10 Specific institutional policies, processes and protocols related to the administration of the Privacy Act, including policies on information management.
- B.2.2 All employees of government institutions who have functional or delegated responsibility for the administration of the Privacy Act and Privacy Regulations must receive training that covers the items listed above and in addition:
- B.2.1.1 The provisions concerning the extension of time limits; exemptions and exclusions; and the language, format and method of access;
- B.2.1.2 Public reporting requirements, including annual reports to Parliament; and
- B.2.1.3 The role of the Privacy Commissioner, the Information Commissioner, and the Parliamentary Standing Committees in relation to the Act.
Appendix C: Classification of Exemptions
The table below lists all exemptions under the Privacy Act and indicates whether they are based on a class test or an injury test and whether they are mandatory or discretionary. The descriptions are paraphrased and should be used as a memory aid only. For more detail, please consult the relevant section of the Act.
Exemption | Short Description of the Exemptions | Mandatory | Discretionary | Class | Injury |
---|---|---|---|---|---|
Subsection 18(2) | Access may be refused as the personal information is contained in an exempt bank which consists predominantly of personal information described in section 21 or 22 of the Act. | no | yes | yes | no |
Subsection 19(1) | Personal information that must be protected as it was obtained in confidence from: | yes | no** | yes | no |
Section 20 | Access may be refused as disclosure could be expected to be injurious to the Government of Canada’s conduct of federal-provincial affairs. | no | yes | no | yes |
Section 21 | Access may be refused as disclosure could be expected to be injurious to conduct of international affairs; the defence of Canada or any state allied or associated with Canada; or Canada’s efforts to detect, prevent or suppress subversive or hostile activities. | no | yes | no | yes |
Paragraph 22(1)(a) | Access may be refused as personal information was obtained or prepared by an investigative body (as per regulation) in the course of an investigation regarding: detecting, preventing or suppressing crime, enforcing any law of Canada or a province; or activities suspected of constituting threats to Canada’s security as set out in the Canadian Security Intelligence Service Act. | no | yes | yes | no |
Paragraph 22(1)(b) | Access may be refused as disclosure could be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations. | no | yes | no | yes |
Paragraph 22(1)(c) | Access may be refused as disclosure could be expected to be injurious to the security of penal institutions. | no | yes | no | yes |
Subsection 22(2) | Personal information must be protected as it was obtained by the Royal Canadian Mounted Police while performing policing services for a province or municipality. | yes | no | yes | no |
Section 22.1* | Personal information must be protected as it was obtained or created by the Privacy Commissioner in the course of an investigation or in the course of a consultation with the Information Commissioner. | yes | no | yes | no |
Section 22.2* | Personal information must be protected as it was obtained or created by the Public Sector Integrity Commissioner in the course of an investigation of a disclosure or an investigation commenced under section 33 of the Public Servants Disclosure Protection Act (PSDPA). | yes | no | yes | no |
Section 22.3 | Personal information must be protected as it was created for the purpose of making a disclosure or in the course of an investigation into a disclosure under the PSDPA. | yes | no | yes | no |
Section 22.4* | Personal information must be protected as it was obtained or created by the Secretariat of the National Security and Intelligence Committee of Parliamentarians or on its behalf in the course of fulfilling its mandate. | yes | no | yes | no |
Section 23 | Access may be refused to personal information obtained or prepared for the purpose of determining whether to grant security clearances. | no | yes | yes | no |
Paragraph 24(a) | Disclosure could disrupt the parole or statutory release of the requester as personal information was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament. | no | yes | yes | no |
Paragraph 24(b) | Access may be refused to personal information obtained in confidence regarding corrections or parole. | no | yes | yes | no |
Section 25 | Access may be refused as disclosure could reasonably be expected to threaten the safety of individuals. | no | yes | no | yes |
Section 26 | Access may be refused for personal information about another individual who is not the requester. This information must be protected when the disclosure is prohibited under section 8 of the Act. | yes | no** | yes | no |
Section 27 | Access may be refused to personal information subject to solicitor-client privilege or the professional secrecy of advocates and notaries. | no | yes | yes | no |
Section 27.1 | Access may be refused to personal information subject to the privilege set out in section 16.1 of the Patent Act or section 51.13 of the Trade-marks Act. | no | yes | yes | no |
Section 28 | Disclosure of the medical record relating to the physical or mental health of the individual could be contrary to the best interests of the individual. | no | yes | no | yes |
*The exemption can only be claimed by the government institutions named in the provision.
** Where discretion is authorized.
Appendix D: Prescribed Platforms for Receiving and Processing Personal Information Requests
This Appendix provides details on the requirement set out in sections 4.1.15 and 4.1.16 of the Directive on Personal Information Requests and Correction of Personal Information.
- D.1 Effective date
- D.1.1 This list was updated on October 26, 2022.
- D.1.2 This list was previously set out in Appendix D: Prescribed Platforms for Receiving and Processing Personal Information Requests in the Directive on Personal Information Requests and Correction of Personal Information dated July 13, 2022.
- D.2 Prescribed Platforms
- D.2.1 Receiving requests
- D.2.1.1 The prescribed platform is TBS’s ATIP Online.
- D.2.1.2 Requests can be received in alternate formats such as email or paper.
- D.2.2 There is no prescribed platform for processing requests. However, enterprise approved solutions are available through established contracting vehicles for ATIP Request Processing Software Solutions.
- D.2.3 In order to request an exception from the prescribed platforms, government institutions must contact the Privacy and Responsible Data Division for further information.
© His Majesty the King in Right of Canada, represented by the President of the Treasury Board, 2018
ISBN: 978-0-660-27527-7