Archived [2022-07-13] - Directive on Personal Information Requests and Correction of Personal Information

Provides direction to government institutions on how to respond to personal information requests.
Date modified: 2022-07-14

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archives

This directive is replaced by:

View all inactive instruments
Print-friendly XML

1. Effective date

1.1 This directive takes effect on October 1, 2018.

1.2 This directive replaces the Directive on Privacy Requests and Correction of Personal Information dated April 1, 2010.

2. Authorities

2.1 This directive is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Objectives and expected results

3.1 The objective of this directive is to establish consistent practices and procedures for processing requests for access to or correction of personal information that is under the control of government institutions and has been used, is used or is available for use for administrative purposes.

3.2 The expected results of this directive are:

  • 3.2.1 Effective, well–coordinated and proactive administration of the Privacy Act within government institutions; and
  • 3.2.2 Complete, accurate and timely responses to personal information requests and correction of personal information made under the Privacy Act.

4. Requirements

4.1 Heads of government institutions are responsible for:

Principles for delegation under the Privacy Act

4.1.1 Respecting the following principles when delegating any powers, duties or functions under the Privacy Act:

  • 4.1.1.1. Heads can only designate officers and employees of their government institution in the delegation order: consultants or employees of other government institutions or from the private sector cannot be named in the delegation order;
  • 4.1.1.2. Powers, duties and functions are delegated to positions identified by title, not to individuals identified by name;
  • 4.1.1.3. Persons with delegated authorities are to be well informed of their responsibilities;
  • 4.1.1.4. Delegates cannot further delegate powers, duties and functions that have been delegated to them, although employees and consultants may perform tasks in support of delegates' responsibilities; and
  • 4.1.1.5. The delegation order is to be reviewed when circumstances surrounding the delegation have changed. A delegation order remains in force until such time as it is reviewed and revised by the head of the institution; and

Privacy awareness

4.1.2 Ensuring that delegates receive privacy training in the areas outlined in Appendix B of this directive.

4.2 Heads of government institutions or their delegates are responsible for:

Discretion

4.2.1 Exercising discretion in a fair, reasonable and impartial manner after:

  • 4.2.1.1. Considering the Act's intent, which is to provide individuals with the right of access to their personal information, and of its limited and specific exemptions;
  • 4.2.1.2. Considering the Act's relevant provisions as well as applicable jurisprudence;
  • 4.2.1.3. Consulting with government institutions, as necessary, for the processing and disclosure of personal information;
  • 4.2.1.4. Reviewing the personal information; and
  • 4.2.1.5. Considering, in a fair and unbiased manner, of relevant factors;

Privacy awareness

4.2.2 Ensuring that employees of government institutions and officials who have functional responsibility for the administration of the Privacy Act receive privacy training in the areas outlined in Appendix B of this directive;

Identity of the requester

4.2.3 Establishing procedures to validate the following:

  • 4.2.3.1. The identity of the requester;
  • 4.2.3.2. The authority of an individual making a request on behalf of another individual; and
  • 4.2.3.3. The requester's Canadian citizenship, status as a permanent resident or presence in Canada;

Duty to assist

Protection of the requester's identity

4.2.4 Limiting to a need-to-know basis the disclosure of information that could directly or indirectly lead to the identification of a requester, unless the requester consents;

Principles for assisting requesters

4.2.5 Implementing and communicating the principles for assisting requesters identified in Appendix C of this directive;

Informal processing

4.2.6 Determining whether it is appropriate to process the personal information request on an informal basis. If so, offering the requester the possibility of treating the request informally and explaining that only formal requests are subject to the provisions of the Privacy Act;

Written explanation for extensions

4.2.7 Providing a written explanation to the requester when a request for access to personal information takes more than 30 days to fulfill.

4.2.8 Reporting on the number of and reasons for extensions in the institution's annual report to Parliament.

Processing of privacy requests and correction requests

Tracking system

4.2.9 Establishing and maintaining an internal management system to keep track of personal information requests and correction requests and to document notations when required. This includes documenting the resolution of privacy complaints and reviews by the courts;

Documentation

4.2.10 Documenting the processing of requests by placing on file all created and received paper and electronic documents that supported decisions under the Privacy Act, including communications where recommendations were given or decisions were made;

Revised requests

4.2.11 Documenting, when a request has been clarified or its wording altered, the wording of the revised request and the date of the revision in the tracking system;

Notification of right to complain

4.2.12 Ensuring that requesters are notified of their right to complain to the Privacy Commissioner of Canada for all matters relating to the request, collection and handling of personal information;

Application of exemptions

4.2.13 Invoking applicable exemptions by properly applying the provisions of the Privacy Act. As defined in Appendix A and listed in Appendix D of this directive, exemptions are based either on a class test or an injury test and are either discretionary or mandatory in nature;

Citation of exemptions

4.2.14 Citing all exemptions invoked on the records containing the personal information, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based;

Mandatory consultations

4.2.15 Consulting with the appropriate institutions in all instances involving the application of sections 21, 22 and 23 of the Privacy Act, as specified in Appendix E of this directive;

Requests for correction and notation of personal information

4.2.16 Establishing a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented; and

4.2.17 Inscribing any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose. This also involves notifying the individuals and public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information.

Monitoring and Reporting

4.2.18 Monitoring and reporting on the requirements of this Directive as specified in the Policy on Privacy Protection.

4.3 Employees of government institutions are responsible for:

Informal access

4.3.1 Recommending to the head or the delegate, when appropriate, that the requested information be disclosed informally;

Search of records

4.3.2 Making every reasonable effort to search records under the control of the government institution to identify and locate the personal information that is responsive to the request; and

Recommendations

4.3.3 Providing valid and request-related recommendations on the disclosure of personal information.

5. Roles of other government organizations

5.1 The roles of other government organizations in relation to this directive are described in section 5 of the Policy on Privacy Protection.

6. Application

6.1 This directive applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.

6.2 This directive does not apply to the Bank of Canada.

6.3 This directive does not apply to information that is excluded under the Privacy Act.

7. References

8. Enquiries

8.1 Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this directive.

8.2 Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this directive.

8.3 ATIP coordinators may contact the Treasury Board of Canada Secretariat's Information and Privacy Policy Division for information about this directive.


Appendix A: Definitions

Class test (critère objectif)
A test that objectively identifies the categories of information or documents to which certain exemption provisions of the Privacy Act can be applied. The following sections of the Act provide for exemptions that are based on a class test: 19(1), 22(1)(a), 22(2), 22.1, 22.2, 22.3, 23, 24(b), 26 and 27.
Discretionary exemption (exception discrétionnaire)
An exemption provision of the Privacy Act that contains the phrase “may refuse to disclose.” The following sections of the Act provide for exemptions that are discretionary: 20, 21, 22(1)(a), 22(1)(b), 22(1)(c), 23, 24(a), 24(b), 25, 27 and 28.
Every reasonable effort (tous les efforts raisonnables)
A level of effort that a fair and reasonable person would expect or would find acceptable.
Injury test (critère subjectif)
A test to determine the reasonable expectation of probable harm that must be met for certain exemption provisions of the Privacy Act to apply. The following sections of the Act provide for exemptions that are based on an injury test: 20, 21, 22(1)(b), 22(1)(c), 24(a), 25 and 28.
Mandatory exemption (exception obligatoire)
An exemption provision of the Privacy Act that contains the phrase “shall refuse to disclose.” The following sections of the Act provide for exemptions that are mandatory: 19(1), 22(2), 22.1, 22.2, 22.3 and 26.
Privacy training (formation en PRP)
All activities that serve to increase privacy awareness, including formal training, research, discussion groups, conferences, ATIP community meetings, shared learning among colleagues, on-the-job training, special projects, job shadowing as well as communications activities that promote learning in the areas identified in Appendix B of this directive.
Tracking system (système de suivi)
An electronic or paper-based case management system used in ATIP offices to track access requests and document their processing.

Additional definitions are listed in Appendix A of the Policy on Privacy Protection.

Appendix B: Privacy awareness

Information for all employees

Ensuring that employees of the government institution receive training in the following areas:

  • Application of the Privacy Act, including:
    • The purpose of the Act;
    • The applicable definitions;
    • Their responsibilities, including the principles for assisting requesters;
    • Delegation, exemption decisions and the exercise of discretion;
    • The requirement to provide complete, accurate and timely responses; and
    • The complaint process and reviews by the courts;
  • Sound privacy practices for the creation, collection, retention, validation, use, disclosure and disposition of personal information;
  • The requirements found in Treasury Board policy instruments related to the responsibilities described above; and
  • Specific institutional policies, processes and protocols related to the administration of the Privacy Act, including policies on management of information.

Information for privacy employees

Ensuring that officials who hold functional responsibility for the administration of the Privacy Act receive training in the above-mentioned areas, as well as in the following:

  • Application of the Privacy Act and Privacy Regulations, including:
    • The provisions concerning the extension of time limits, exemptions and exclusions, and the language, format and method of access;
    • Public reporting requirements, including annual reports to Parliament; and
    • Important court decisions; and
  • Information on the activities and operations of Standing Committees.

Appendix C: Principles for assisting requesters

The following principles for assisting requesters are to be communicated to the requester.

In processing your privacy request or correction request under the Privacy Act, we will:

  1. Process your request without regard to your identity.
  2. Offer reasonable assistance throughout the request process.
  3. Provide information on the Privacy Act, including information on the processing of your request and your right to complain to the Privacy Commissioner of Canada.
  4. Inform you as appropriate and without undue delay when your request needs to be clarified.
  5. Make every reasonable effort to locate and retrieve the requested personal information under the control of the government institution.
  6. Apply limited and specific exemptions to the requested personal information.
  7. Provide accurate and complete responses.
  8. Provide timely access to the requested personal information and, when an extension is required, provide a written explanation for the delay to the requester.
  9. Provide personal information in the format and official language requested, as appropriate.
  10. Provide an appropriate location within the government institution to examine the requested personal information.

Appendix D: Classification of exemptions

The following table lists all exemptions under the Privacy Act and indicates whether they are based on a class test or an injury test and whether they are mandatory or discretionary.

Exemption Mandatory Discretionary Class Injury
Subsection 18(2) no yes yes no
Subsection 19(1) yes no yes no
Section 20 no yes no yes
Section 21 no yes no yes
Paragraph 22(1)(a) no yes yes no
Paragraph 22(1)(b) no yes no yes
Paragraph 22(1)(c) no yes no yes
Subsection 22(2) yes no yes no
Section 22.1 yes no yes no
Section 22.2 yes no yes no
Section 22.3 yes no yes no
Section 23 no yes yes no
Subsection 24(a) no yes no yes
Subsection 24(b) no yes yes no
Section 25 no yes no yes
Section 26 yes no yes no
Section 27 no yes yes no
Section 28 no yes no yes

Appendix E: Mandatory consultations

The following chart lists the instances where consultation is mandatory and the government institutions to be consulted.

Exemptions Institutions
Section 21: International affairs and defence
International affairs Global Affairs Canada
Defence of Canada or of any state allied or associated with Canada National Defence
Detection, prevention or suppression of subversive or hostile activities Government institution with primary interest: Public Safety Canada, Royal Canadian Mounted Police, Canadian Security Intelligence Service, National Defence or Global Affairs Canada
Section 22: Law enforcement and investigation
Paragraph 22(1)(a) The investigative body that originally obtained or prepared the information
Paragraph 22(1)(b) The investigative body or other government institution with primary interest in the law being enforced or the investigation being undertaken
Paragraph 22(1)(c) Correctional Service Canada
Section 23: Security clearances The investigative body that provided the information
Date modified: