Archived - Privacy and Data Protection Guidelines - General
We will be updating our design to align with Canada.ca. The policies, directives, standards and guidelines will remain available during and after this update is complete.
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
The purpose of this section of the Privacy volume is to provide guidelines for the interpretation and application of the Act and the relevant regulations and policies. These guidelines are intended for use by public servants in their day-to-day administration of the Privacy Act, but may be a useful reference for others on the Privacy Act issues related to privacy.
The Privacy Act and Regulations and the policy on Privacy and Data Protection govern the collection, use, disclosure, correction, protection, retention and disposal of personal information, including informing the public about the government's collection and use of personal information, and providing individuals access to information about themselves. The underlying principle is that individuals have a basic right to control over their personal information; they have a right to know why their information is collected by the government, how it will be used, how long it will be kept and who will have access to it. The Privacy Act also provides individuals with a basic right of access to all of their personal information held by federal government institutions, subject only to the limited and specific exclusions and exemptions outlined in the Act. Decisions concerning the application of discretionary exemptions must be made in light of the basic right of access and the need for government to be accountable to the public for its handling of personal information. These guidelines provide guidance on balancing the principle of access with the need to protect those public and private interests expressed in the exclusion and exemption provisions of the legislation.
The Privacy Act was passed in June 1982 and proclaimed in force on July 1, 1983. All institutions listed in the schedule to the Act are subject to its provisions as well as to the provisions of the Privacy Regulations. All institutions listed in the schedule are also subject to the policy on Privacy and Data Protection, with the exception of the Bank of Canada (subsection 71(2)).
The Privacy Act is contained in Chapter 4-1. The Regulations and accompanying schedules are contained in Chapter 4-2.
Appendix - Definitions
Act (loi) - means the Privacy Act.
Applicant (requérant) - is an individual who has requested access to personal information about himself or herself, who has requested that a correction be made or a notation attached to personal information, or who is exercising his or her right under the Act to review by the Court. (requestor)
Complainant (plaignant) - is an individual who has submitted a complaint to the Privacy Commissioner under the Privacy Act.
Court (cour) - means the Federal Court B Trial Division.
Designated Minister (ministre désigné) - for the purposes of the Act is the President of the Treasury Board.
Excluded information (renseignements exclus) - is information to which the Act does not apply, and is described in Chapter 2-8.
Exemption (exception) - is a provision of the Act which either requires or allows the head of the institution to refuse to disclose information requested under the Act. Exemptions are discussed in Chapter 2-9.
Government institution (institution fédérale) - means any federal government department, ministry of state, body or office listed in the Schedule to the Act. Whenever the term "government institution" is used in these guidelines, responsibility for the action or decision lies with either the head of the institution or an employee of the institution delegated by the head to make such decisions.
Personal information bank (fichier de renseignements personnels) - means a collection or grouping of personal information under the control of a government institution which has been used, is being used or is available for use for an administrative purpose, or is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.
Personal information (renseignements personnels) - is defined in section 3 of the Act. This definition, although lengthy, is not exhaustive, as indicated by the introductory phrase, "including, without restricting the generality of the foregoing", prior to the list of examples. Information which is not specifically mentioned in the list may still be included in the definition of personal information if it qualifies as "information about an identifiable individual". Additional examples of personal information would include information about an individual's sexual preference, income or political affiliation.
Paragraphs (j), (k), (l) and (m) of the definition place certain limitations on the definition of personal information for the purposes of the restrictions on use and disclosure contained in sections 7 and 8, the exemption provision contained in section 26, and the exemption contained in section 19 of the Access to Information Act. Therefore, information concerning the position or functions of a government employee (j); information about the services performed by an individual under contract for a government institution (k); information about a discretionary benefit of a financial nature (l); and information about an individual who has been deceased for more than twenty years (m) are not protected by the use and disclosure provisions of the Act.
The limitations in paragraphs (j), (k) and (l) reflect the principle that the government's accountability to the public means that the public should have access to certain information concerning the public service, government contracts for services and the government's granting of discretionary financial benefits. The exclusions in these paragraphs should be interpreted narrowly, bearing in mind the Act's purpose to protect privacy. Thus these paragraphs should be applied to factual information related to the position, the contract or the discretionary benefit only. Assessments of an individual's job performance, conflict of interest declarations, or reports of disciplinary actions relate to the individual, not to the position, and would therefore not be included in the exception. The granting of a license or permit has to be discretionary and must confer a direct financial benefit on the individual in order to be removed from the protection of the Act. The granting of a license or permit is not considered discretionary if everyone who satisfies a set of objective requirements is given the license or permit, or if those who will receive the license or permit are determined by some other objective means, such as a lottery system.
The limitation in paragraph (m) reflects the concept that the privacy interest declines with time after the death of an individual.
Under the control (relever de) - Personal information is considered to be under the control of a government institution when that institution is authorized to grant or deny access to it, to direct its use and, subject to the approval of the National Archivist, to dispose of it. Personal information which is in the possession or custody of an institution, whether at headquarters, regional, satellite or other office, either within or outside Canada, is presumed to be under its control unless there is strong evidence to the contrary.