Directive on Privacy Requests and Correction of Personal Information

Alternate Formats

1. Effective date

1.1 This directive takes effect on April 1, 2010.

2. Application

2.1 This directive applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.

2.2 This directive does not apply to the Bank of Canada.

2.3 This directive does not apply to information that is excluded under the Privacy Act.

3. Context

3.1 Under the Privacy Act, individuals have the right to access their personal information and the right to request correction or have a notation added to any recorded personal information that is under the control of a government institution. This also includes the assurance that other individuals or organizations that use the information for an administrative purpose are informed of the correction or notation. Individuals have a right to know what personal information government institutions collect and to ensure that such information is accurate and complete. The right to access and the right to request correction may be limited under certain conditions. The Privacy Act establishes that heads of government institutions are responsible for responding to requests for access to personal information and for its correction.

3.2 The Policy on Privacy Protection establishes that heads (or their delegates) are responsible for ensuring that the Privacy Act and the Privacy Regulations are administered through consistent practices and procedures and that requests for access to personal information are met with timely, complete and accurate responses. Those responsibilities involve validating the identity of the requester and protecting that identity to the extent possible, developing procedures to process the requests, providing access to personal information and exercising discretion. Heads (or their delegates) are also responsible for any request for correction of personal information and for ensuring that it is processed in accordance with the Privacy Regulations. Government institutions promote the principles of openness and transparency by facilitating informal access to personal information wherever feasible and by respecting both the spirit and requirements of the Privacy Act, Privacy Regulations and related policy instruments.

3.3 This directive sets out the requirements for responding to privacy requests and requests for correction of personal information under the Privacy Act.

3.4 This directive is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3.5 This directive is to be read in conjunction with the Privacy Act, the Privacy Regulations and the Policy on Privacy Protection.  

4. Definitions

4.1 The definitions to be used in the interpretation of this directive are attached in Appendix A. Additional definitions are provided in Appendix A of the Policy on Privacy Protection.

5. Directive statement

5.1.1 To establish consistent practices and procedures for processing requests for access to or correction of personal information that is under the control of government institutions and has been used, is used or is available for use for administrative purposes.

5.2.1 Effective, well-coordinated and proactive administration of the Privacy Act within government institutions.

5.2.2 Complete, accurate and timely responses to privacy requests and correction of personal information made under the Privacy Act.

6. Requirements

6.1 Heads of government institutions are responsible for:

Principles for delegation under the Privacy Act

6.1.1 Respecting the following principles when delegating any powers, duties or functions under the Privacy Act:

  • Heads can only designate officers and employees of their government institution in the delegation order—consultants or employees of other government institutions or from the private sector cannot be named in the delegation order;
  • Powers, duties and functions are delegated to positions identified by title, not to individuals identified by name;
  • Persons with delegated authorities are to be well informed of their responsibilities;
  • Powers, duties and functions that have been delegated cannot be further delegated, though employees and consultants may perform tasks in support of delegates' responsibilities; and
  • The delegation order is to be reviewed when circumstances surrounding the delegation have changed. A delegation order remains in force until such time as it is reviewed and revised by the head of the institution.

Privacy awareness

6.1.2 Ensuring that delegates receive privacy training in the areas outlined in Appendix B of this directive.

6.2 Heads of government institutions or their delegates are responsible for:

Discretion

6.2.1 Exercising discretion in a fair, reasonable and impartial manner after completing the following steps:

  • Consideration of the Act's intent, which is to provide individuals with the right of access to their personal information, and of its limited and specific exemptions;
  • Consideration of the Act's relevant provisions as well as applicable jurisprudence;
  • Consultation with government institutions, as necessary, for the processing and disclosure of personal information;
  • Review of the personal information; and
  • Consideration, in a fair and unbiased manner, of relevant factors.

Note: The above considerations apply to all provisions of the Act for which the head or the delegate exercises discretion.

Privacy awareness

6.2.2 Ensuring that employees of government institutions and officials who have functional responsibility for the administration of the Privacy Act receive privacy training in the areas outlined in Appendix B of this directive.

Identity of the requester

6.2.3 Establishing procedures to validate the following:

  • The identity of the requester;
  • The authority of an individual making a request on behalf of another individual; and
  • The requester's Canadian citizenship, status as a permanent resident or presence in Canada.

Duty to assist

Protection of the requester's identity

6.2.4 Limiting, on a need-to-know basis, the disclosure of information that could directly or indirectly lead to the identification of a requester, unless the requester consents.

Principles for assisting requesters

6.2.5 Implementing and communicating the principles for assisting requesters identified in Appendix C of this directive. 

Informal processing

6.2.6 Determining whether it is appropriate to process the privacy request on an informal basis. If so, offering the requester the possibility of treating the request informally and explaining that only formal requests are subject to the provisions of the Privacy Act.

Processing of privacy requests and correction requests 

Tracking system 

6.2.7 Establishing and maintaining an internal management system to keep track of privacy requests and correction requests and to document notations when required. This includes documenting the resolution of privacy complaints and reviews by the courts.

Documentation

6.2.8 Documenting the processing of requests by placing on file all created and received paper and electronic documents that supported decisions under the Privacy Act, including communications where recommendations were given or decisions were made.

Revised requests

6.2.9 Documenting, when a request has been clarified or its wording altered, the wording of the revised request and the date of the revision in the tracking system.

Notification of right to complain

6.2.10  Ensuring that requesters are notified of their right to complain to the Privacy Commissioner of Canada for all matters relating to the request, collection and handling of personal information.

Application of exemptions

6.2.11  Invoking applicable exemptions by properly applying the provisions of the Privacy Act. As defined in Appendix A and listed in Appendix D of this directive, exemptions are based either on a class test or an injury test and are either discretionary or mandatory in nature.

Citation of exemptions

6.2.12  Citing all exemptions invoked on the records containing the personal information, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based.

Mandatory consultations

6.2.13  Consulting with the appropriate institutions in all instances involving the application of sections 21, 22 and 23 of the Privacy Act, as specified in Appendix E of this directive.

Requests for correction and notation of personal information

6.2.14 Establishing a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented.

6.2.15  Inscribing any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose. This also involves notifying the individuals and public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information.

6.3 Employees of government institutions are responsible for:

Informal access

6.3.1 Recommending to the head or the delegate, as appropriate, that the requested information be disclosed informally.

Search of records

6.3.2 Making every reasonable effort to search records under the control of the government institution to identify and locate the personal information that is responsive to the request.

Recommendations

6.3.3 Providing valid and request-related recommendations on the disclosure of personal information.

6.4 Monitoring and reporting requirements

6.4.1 The monitoring and reporting requirements of this directive are set out in Subsection 6.3 of the Policy on Privacy Protection.

7. Consequences

7.1 The consequences for non-compliance with this directive are identified in Section 7 of the Policy on Privacy Protection.

8. Roles and responsibilities of government institutions

8.1 Roles and responsibilities are outlined in Section 8 of the Policy on Privacy Protection.

10. Enquiries

10.1 Please direct inquiries about this directive to your institution's access to information and privacy (ATIP) coordinator. For interpretation of this directive, the ATIP coordinator is to contact:

Information and Privacy Policy Division
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West
Ottawa ON K1A 0R5

E-mail: ippd-dpiprp@tbs-sct.gc.ca
Telephone: 613- 946-4945
Fax: 613-952-7287


Appendix A — Definitions

Class test (critère objectif)
Is a test that objectively identifies the categories of information or documents to which certain exemption provisions of the Privacy Act can be applied. The following exemptions are based on a class test: 19(1), 22(1)(a), 22(2), 22.1, 22.2, 22.3, 23, 24(b), 26 and 27.
Discretionary exemption (exception discrétionnaire)
Is an exemption provision of the Privacy Act that contains the phrase "may refuse to disclose." The following exemptions are discretionary: 20, 21, 22(1)(a), 22(1)(b), 22(1)(c), 23, 24(a), 24(b), 25, 27 and 28.
Every reasonable effort (tous les efforts raisonnables)
Means a level of effort that a fair and reasonable person would expect or would find acceptable.
Injury test (critère subjectif)
Is a test to determine the reasonable expectation of probable harm to be met for certain exemption provisions of the Privacy Act to be applied. The following exemptions are based on an injury test: 20, 21, 22(1)(b), 22(1)(c), 24(a), 25 and 28.
Mandatory exemption (exception obligatoire)
Is an exemption provision of the Privacy Act that contains the phrase "shall refuse to disclose." The following exemptions are mandatory: 19(1), 22(2), 22.1, 22.2, 22.3 and 26.
Privacy training (formation en PRP)
Refers to all activities that serve to increase privacy awareness, including formal training, research, discussion groups, conferences, ATIP community meetings, shared learning among colleagues, on-the-job training, special projects, job shadowing as well as communications activities that promote learning in the areas identified in Appendix B of this directive.
Tracking system (système de suivi)
Is an electronic or paper-based case management system used in ATIP offices to track access requests and document their processing.

Appendix B — Privacy awareness

Information for all employees

Ensuring that employees of the government institution receive privacy training in the following areas:

  • Application of the Privacy Act, including:
    • The purpose of the Act;
    • The applicable definitions;
    • Their responsibilities, including the principles for assisting requesters;
    • Delegation, exemption decisions and the exercise of discretion;
    • The requirement to provide complete, accurate and timely responses; and
    • The complaint process and reviews by the courts;
  • Sound privacy practices for the creation, collection, retention, validation, use, disclosure and disposition of personal information;
  • The requirements found in Treasury Board policy instruments related to the responsibilities described above; and
  • Specific institutional policies, processes and protocols related to the administration of the Privacy Act, including policies on management of information.

Information for privacy employees

Ensuring that officials who hold functional responsibility for the administration of the Privacy Act receive privacy training in the above-mentioned areas as well as in the following:

  • Application of the Privacy Act and Privacy Regulations, including:
    • The provisions concerning the extension of time limits, exemptions and exclusions, and the language, format and method of access;
    • Public reporting requirements, including annual reports to Parliament; and
    • Important court decisions; and
  • Information on the activities and operations of Standing Committees.

Appendix C — Principles for assisting requesters

The following principles for assisting requesters are to be communicated to the requester.

In processing your privacy request or correction request under the Privacy Act, we will:

  1. Process your request without regard to your identity.
  2. Offer reasonable assistance throughout the request process.
  3. Provide information on the Privacy Act, including information on the processing of your request and your right to complain to the Privacy Commissioner of Canada.
  4. Inform you as appropriate and without undue delay when your request needs to be clarified.
  5. Make every reasonable effort to locate and retrieve the requested personal information under the control of the government institution.
  6. Apply limited and specific exemptions to the requested personal information.
  7. Provide accurate and complete responses.
  8. Provide timely access to the requested personal information.
  9. Provide personal information in the format and official language requested, as appropriate.
  10. Provide an appropriate location within the government institution to examine the requested personal information.

Appendix D — Classification of exemptions

The following table lists all exemptions under the Privacy Act and indicates whether they are based on a class test or an injury test and whether they are mandatory or discretionary.

Exemption Mandatory Discretionary Class Injury
Subsection 18(2) no yes yes no
Subsection 19(1) yes no yes no
Section 20 no yes no yes
Section 21 no yes no yes
Paragraph 22(1)(a) no yes yes no
Paragraph 22(1)(b) no yes no yes
Paragraph 22(1)(c) no yes no yes
Subsection 22(2) yes no yes no
Section 22.1 yes no yes no
Section 22.2 yes no yes no
Section 22.3 yes no yes no
Section 23 no yes yes no
Subsection 24(a) no yes no yes
Subsection 24(b) no yes yes no
Section 25 no yes no yes
Section 26 yes no yes no
Section 27 no yes yes no
Section 28 no yes no yes

Appendix E — Mandatory consultations

The following chart lists the instances where consultation is mandatory and the government institutions to be consulted.

Exemptions Institutions
Section 21: International affairs and defence
International affairs Department of Foreign Affairs and International Trade
Defence of Canada or of any state allied or associated with Canada Department of National Defence
Detection, prevention or suppression of subversive or hostile activities Government institution with primary interest (i.e., Department of Public Safety and Emergency Preparedness, Royal Canadian Mounted Police, Canadian Security Intelligence Service, Department of National Defence or Department of Foreign Affairs and International Trade)
Section 22 : Law enforcement and investigation
Paragraph 22(1)(a) The investigative body that originally obtained or prepared the information
Paragraph 22(1)(b) The investigative body or other government institution with primary interest in the law being enforced or the investigation being undertaken
Paragraph 22(1)(c) Correctional Service of Canada
Section 23: Security clearances The investigative body that provided the information
Date Modified: