Directive on Personal Information Requests and Correction of Personal Information

Provides direction to government institutions on how to respond to personal information requests.
Date modified: 2023-08-17

Supporting tools

Mandatory procedures:

More information

Topic:

Archives

This directive replaces:

View all inactive instruments
Print-friendly XML

Appendix B: Mandatory Procedures for Privacy Training

This Appendix provides guidance related to training in the application of the Act that all employees of government institutions should receive.

  • B.1Effective date
    • B.1.1These procedures take effect on October 26, 2022
    • B.1.2These procedures were previously set out in Appendix B: Privacy Awareness in the Directive on Personal Information Requests and Correction of Personal Information effective July 13, 2022.
  • B.2Procedures
    • B.2.1These procedures provide details on the requirements set out in section 4.1.2 of the Directive on Personal Information Requests and Correction of Personal Information. All employees of government institutions must receive training on their obligations under the Privacy Act and related Treasury Board policy instruments. The training must cover the following:
      • B.2.1.1The purpose of the Act;
      • B.2.1.2The applicable definitions;
      • B.2.1.3Employees’ responsibilities under the Act and the Policy on Privacy Protection and related directives, including the principles for assisting requesters;
      • B.2.1.4Delegation, exemption decisions and the exercise of discretion;
      • B.2.1.5Employees’ obligation to make every reasonable effort to locate and retrieve the requested personal information under the control of the government institution;
      • B.2.1.6The requirement to provide complete, accurate and timely responses;
      • B.2.1.7The complaint process and reviews by the courts;
      • B.2.1.8Sound privacy and security practices respecting the creation, collection, retention, security designation, validation, use, disclosure and disposition of personal information;
      • B.2.1.9The management of privacy breaches; and
      • B.2.1.10Specific institutional policies, processes and protocols related to the administration of the Privacy Act, including policies on information management.
    • B.2.2All employees of government institutions who have functional or delegated responsibility for the administration of the Privacy Act and Privacy Regulations must receive training that covers the items listed above and in addition:
      • B.2.1.1The provisions concerning the extension of time limits; exemptions and exclusions; and the language, format and method of access;
      • B.2.1.2Public reporting requirements, including annual reports to Parliament; and
      • B.2.1.3The role of the Privacy Commissioner, the Information Commissioner, and the Parliamentary Standing Committees in relation to the Act.
Date modified: