Archived - Privacy and Data Protection Guidelines - Use and Disclosure of Personal Information
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
1. General principles
Sections 7 and 8 of the Privacy Act govern the use and disclosure of all personal information under the control of government institutions unless the personal information is excluded by virtue of being publicly available [subsection 69(2)] or by virtue of being a confidence of the Queen's Privy Council for Canada (section 70, refer to Chapter 2-8). These two sections together are often referred to as the Use and Disclosure Code.
Sections 7 and 8 do not take precedence over specific statutory prohibitions regulating the use and disclosure of personal information (e.g. section 241 of the Income Tax Act) but only apply where no other statutory provision exists. These sections permit the use and disclosure of personal information for the purposes specified in subsection 8(2), they do not constitute a right of access to or use of the information. It is left to the discretion of the government institution whether to proceed with a use or disclosure permitted by the legislation. Government policy requires that institutions recognize the general right to protection of privacy when considering a discretionary use or disclosure of personal information.
2. Use of personal information
Without the consent of the subject individual, government institutions may use personal information only for the purpose(s) for which the information was obtained or compiled; for uses consistent with that purpose; and for purposes for which information may be disclosed to them under subsection 8(2). This provision allows government institutions to use personal information for any purpose for which subsection 8(2) would allow the information to be disclosed to them.
3. Disclosure of personal information
Disclosure refers to the release of personal information by any method (e.g. transmission, provision of a copy, examination of the record) to any body or person.
The consent of the subject individual allows institutions to use or disclose personal information for any purpose consented to by the individual. In other words, the consent of the individual removes the need to find a provision for use or disclosure under sections 7 or 8.
Consent by an individual to the use or disclosure of personal information may be sought either at the time of collection of the information or subsequently, when a specific need arises.
4.1Consent at time of collection
When consent for additional use or disclosure is sought at the time the personal information is collected, institutions should provide sufficient information concerning the intended use or disclosure to allow individuals to make an informed decision to consent or refuse. Such information should include:
- a description of the specific information involved;
- a description of the use or disclosure for which consent is being sought; and
- a statement that refusal to consent to such use or disclosure will not prejudice the individual in any way or result in any adverse consequences for the individual in connection with the primary administrative purpose being served by the information collection.
The information collection form should also contain a consent/refusal statement with space for the signature of the individual or authorized representative and the date.
All uses or disclosures for which consent is sought at the time of collection of personal information must be included in the description of the relevant personal information bank in Info Source.
4.2 Consent subsequent to collection
Consent for use or disclosure subsequent to collection should be obtained in writing. Institutions should employ a form which covers the minimal requirements contained in Chapter 3-6, however individuals may always indicate their consent by a written authorization. In any case a government institution should consider that consent has been given only on receipt of a signed consent from the individual or their authorized representative specifying the permitted use or disclosure.
4.3 Consent by minors
Section 10 of the Privacy Regulations provides that rights or actions under the Privacy Act and its regulations, including the giving of consent, may be exercised on behalf of a minor by a person authorized by or pursuant to the laws of Canada or a province to manage the affairs of the minor.
This regulation does not prevent an institution from obtaining consent from individuals who have not attained the age of majority when such individuals have the ability to understand the matter for which consent is being sought and are able to appreciate the consequences of giving or refusing consent. In these circumstances consent should be sought from the minor. In situations where there is a reasonable uncertainty that these conditions exist, the institution should seek the consent of the parent or guardian who has legal custody of the minor. While the age of majority varies from province to province, age sixteen is usually the age at which minors could reasonably be expected to be capable of giving informed consent.
4.4 Consent by incompetents
Section 10 of the Privacy Regulations provides that rights or actions under the Privacy Act and its regulations, including the giving of consent, may be exercised on behalf of incompetent individuals by a person authorized by or pursuant to the laws of Canada or a province to manage the affairs of that person.
4.5 Consent on behalf of a deceased individual
Section 10 of the Privacy Regulations provides that rights or actions under the Privacy Act and its regulations, including the giving of consent, may be exercised on behalf of deceased persons by a person authorized by or pursuant to the laws of Canada or a province to administer the estate of the deceased, but only for the purposes of such administration.
Sections 7 and 8 of the Privacy Act do not apply to information concerning an individual who has been dead for more than twenty years. Consent for the use or disclosure of information pertaining to individuals who have been dead less than twenty years should be sought from the executor or administrator of the individual's estate, and then only for the purpose of administering the estate.
4.6 Consent by a representative of an individual
Section 10 of the Privacy Regulations provides that the rights or actions under the Privacy Act or its regulations, including the giving of consent, may be exercised on behalf of any individual, other than a minor, incompetent or deceased person, by any person authorized in writing by the individual to whom the information pertains. This provision allows representatives such as lawyers to act on behalf of individuals in the giving of consent. In order to ensure that personal information is not improperly used or disclosed, institutions should verify that the representative is empowered to act on behalf of the subject individual. Such verification may be in the form of a written authorization signed by the individual which empowers the representative to act on his or her behalf in matters under the Privacy Act, or, in the case of lawyers, may be written authorization for the lawyer to act in all matters involving the individual. The Appointment of Representative Form included in Chapter 3-5 may be used to aid in fulfilling this requirement, but its use is not mandatory.
5. Consistent use
Sections 7 and 8 of the Privacy Act provide that personal information may be used or disclosed by a government institution without the consent of the individual to whom it relates for a purpose directly related to the purpose(s) for which the information was obtained or compiled. Such related purposes are termed consistent uses. For a use or disclosure to be consistent, it must have a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled.
A test of whether a proposed use or disclosure is "consistent" may be whether it would be reasonable for the individual who provided the information to expect that it would be used in the proposed manner. This means that the original purpose and the proposed purpose are so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out. As required by subsection 9(4) of the Act, once the consistent use is identified, it is added to the description of the uses of the information.
5.1 Accounting for consistent uses
Section 11 of the Privacy Act requires that the descriptions of personal information banks contained in Info Source include a statement of the consistent uses for which the information may be used or disclosed. Subsection 9(4) of the Act requires that institutions notify the Privacy Commissioner whenever personal information is used or disclosed in a manner consistent with the purpose(s) for which the information was obtained or compiled, but which consistent use is not included in Info Source. This subsection also requires that the institution ensure the consistent use is added to the personal information bank description.
6. Permissible disclosures of personal information
Subsection 8(2) of the Privacy Act describes the circumstances under which personal information under the control of a government institution may be disclosed without the consent of the individual to whom the information pertains. Such disclosures are discretionary and are subject to any other Act of Parliament.
6.1 Original purpose and consistent use
Paragraph 8(2)(a) provides that personal information may be disclosed for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose. This gives government institutions the discretion to disclose personal information where it is necessary to accomplish the purpose for which the information was obtained or compiled or for a use consistent with that purpose.
6.2 Act of Parliament or regulation
Paragraph 8(2)(b) provides that personal information may be disclosed for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure. This paragraph encompasses all other authorities for the disclosure of personal information contained in federal statutes and regulations. Such authorities may be either specific, such as the authority in the Canada Elections Act for the posting of electors' names and addresses for public inspection, or broad, such as the authority in the Unemployment Insurance Act for disclosure of information as the Minister deems advisable. Where personal information has been disclosed under a broad statutory authority, the description of the relevant personal information bank should be amended to include:
- a reference to the statutory authority and/or regulation governing disclosure;
- a description of the type of information disclosed;
- the purpose of the disclosure;
- who has received the information; and
- any conditions respecting the use of the information.
Departments are reminded that, when developing legislation or regulations with privacy implications, consultation with the Office of the Privacy Commissioner must take place prior to submission of the appropriate documentation for approval by the Governor-in-Council or, where applicable, prior to the approval of ministerial regulations.
6.3 Subpoenas, warrants, court orders and rules of court
Paragraph 8(2)(c) provides that personal information may be disclosed for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information. The person or body other than a court may include quasi-judicial bodies and commissions of inquiry.
Normally, government institutions will wish to comply with a subpoena or warrant. There are instances, however, when this will not be the case and, indeed, where it would not be proper to disclose the particular personal information involved. Government institutions should consult with their legal advisor when a subpoena or warrant is received, to ensure the validity of the subpoena or warrant and to determine the proper form of compliance. When responding to a subpoena, government institutions should supply only that information which is the subject of the subpoena, and should normally produce copies of the required records, unless the subpoena stipulates otherwise. When these copies do not become part of the court's records, the government institution should request their return, either for proper disposal or reintegration into its filing system.
6.4 Attorney General for use in legal proceedings
Paragraph 8(2)(d) provides that personal information may be disclosed to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada. This covers those circumstances where personal information is required by the Attorney General in order to conduct a case before the courts or a quasi-judicial body in which the Government of Canada or the Crown in right of Canada is a party or is implicated.
6.5 Federal investigative bodies
Paragraph 8(2)(e) provides that personal information may be disclosed to an investigative body specified in the regulations on the written request of the body for the purpose of enforcing any law of Canada or any province or carrying out a lawful investigation. The request must specify the purpose and describe the information to be disclosed.
This provision does not grant investigative bodies a right of access to personal information. It leaves the disclosure decision to the discretion of the institution once the relevant criteria have been satisfied. Disclosure under this provision is strictly limited to those federal investigative bodies named in the Regulations (Schedule II). The policy requires that the authority to disclose information under this provision be restricted to senior officials. Personal information may only be disclosed under paragraph 8(2)(e) pursuant to a written request which may be made on the form entitled Request for Disclosure to Federal Investigative Bodies [TBC 350-56 (83/2); see an example in Chapter 3-5] or on letterhead, but must include the following:
- the name of the investigative body;
- the name of the individual who is the subject of the request, or some other personal identifier;
- a description of the requested information;
- the section of the federal or provincial statute under which the investigative activity is being undertaken; and
- the name, title and signature of the requesting member of the investigative body.
Due to the potential impact a disclosure under paragraph 8(2)(e) may have on personal privacy, institutions should develop internal directives governing the disclosure of personal information pursuant to a request under that paragraph of the Privacy Act. These internal directives should distinguish the various types of personal information (e.g. non-sensitive biographical data versus sensitive medical information) and establish guidelines governing the circumstances for disclosure of personal information to federal investigative bodies. Special attention should be paid to situations where personal information was collected under an express promise of confidentiality. Institutions should disclose this type of personal information only in exceptional circumstances, where the need for disclosure clearly outweighs the undertaking of confidentiality.
Subsection 9(2) provides that the requirement for a record of disclosures contained in subsection 9(1) does not apply to information disclosed under paragraph 8(2)(e).
6.6 Provinces, foreign states and international bodies
Paragraph 8(2)(f) provides that personal information may be disclosed under an agreement or arrangement between the Government of Canada or an institution thereof and the government of a province; the government of a foreign state; an international organization of states or an international organization established by the governments of states; or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation.
This provision accommodates practices whereby personal information is exchanged between federal police, security and investigative bodies and their counterparts, both domestically and internationally. Such disclosures aid in effective law enforcement and investigative activities and are necessary to the functioning of federal law enforcement agencies. This permits federal government institutions to disclose personal information to provincial or foreign governments or international organizations for the purpose of administering a statute as well as for the purpose of law enforcement. Examples of this type of disclosure include the federal-provincial exchange of information related to social assistance and the international exchange of information required to administer veterans' benefits. Institutions entering into such agreements should refer to section A.12 of the Security Volume.
All institutions involved in the disclosure of personal information to provincial or foreign governments or international organizations must, in accordance with subsection 9(1) and (3) of the Act, make provision for the filing and retention of a copy of all records pertaining to any disclosure made under such agreements or arrangements which are not included in the appropriate entries in Info Source.
6.7 Members of Parliament
Paragraph 8(2)(g) provides that personal information may be disclosed to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem. The term "member of Parliament" includes both members of the House of Commons and the Senate. This provision is intended for use when a constituent has asked their M.P. for assistance, but may not have specifically provided consent for release of their personal information.
In situations where the personal information is of an extremely sensitive nature (e.g. a medical record), the institution may ask the member to submit a request for the information in writing. Where the member is acting on behalf of an agent for the individual, the institution may also seek the member's assistance in verifying that the agent is authorized to act on behalf of the individual.
In exceptional circumstances the government institution may choose to disclose to the member information that would be exempted from disclosure to the individual, in order to assist the member in understanding the circumstances surrounding the problem involving the individual. In such cases the member must first agree not to disclose the additional information to the individual without the permission of the head of the government institution.
Once Parliament has been dissolved prior to an election and until a new M.P. is sworn in, or once an M.P. has resigned, this provision may not be applied. At such times the personal information of an individual who has sought the assistance of a former M.P. may be provided to the former M.P. only with the express consent of the individual.
6.8 Audit purposes
Paragraph 8(2)(h) provides that personal information may be disclosed to officers or employees of the institution for internal audit purposes, or to the Office of the Comptroller General or any other person or body specified in the regulations for audit purposes.
No other persons or bodies were identified for inclusion in the Privacy Regulations. The Auditor General of Canada is not mentioned in this paragraph because disclosure to the Auditor General or a member of his or her office is specifically authorized under the Auditor General Act, therefore disclosure would be permissible under paragraph 8(2)(b).
Audit purposes include the conducting of an independent review and appraisal of the management practices and controls and of the financial accountability of particular operations and programs. Personal information may be disclosed pursuant to this provision for audit purposes only and not as part of any decision-making process concerning the individual to whom the information relates.
6.9 Archival purposes
Paragraph 8(2)(i) provides that personal information may be disclosed to the National Archives of Canada for archival purposes.
Disclosure for archival purposes includes not only the actual transfer of personal information to the control of the National Archives for archival and historical purposes, but also the examination by staff of the National Archives of personal information within government institutions in order to determine whether or not that information qualifies as an archival record and to establish appropriate retention and disposal standards for that information.
Subsection 8(3) provides for disclosure of personal information by the National Archives for research or statistical purposes. This provision is further discussed in 6.14.
6.10 Research or statistical purposes
Paragraph 8(2)(j) provides that personal information may be disclosed to any person or body for research or statistical purposes when the head of the government institution:
- is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individuals to whom it relates; and
- obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates.
The Research Application and Undertaking Form which is described in Chapter 3-5 may be used to allow continued research and statistical analysis involving personal data, especially in medicine and the social sciences, while making researchers, statisticians and research or statistical bodies formally accountable for the protection of individual privacy when they are allowed to have access to such information.
When considering the use of this provision in relation to older information, reference should also be made to subsection 8(3) of the Privacy Act. This subsection relates to disclosure by the National Archives for research or statistical purposes, under certain conditions, of personal information that has been transferred to it for historical and archival purposes.
If a researcher or statistician to whom information has been provided under this section wishes to release it in a personally identifiable form, he or she must obtain the permission of the head of the government institution which provided the information. Permission to disclose the information may be given on the basis of a public interest, as provided in sub-paragraph 8(2)(m)(i), or if consent is obtained from the subject individuals.
When considering the discretion to disclose personal information under the research or statistical purposes provision, government institutions should take into account the sensitivity of the information and other factors set out in the invasion-of-privacy test (included in 6.13).
6.11 Native claims research
Paragraph 8(2)(k) provides that personal information may be disclosed to any association of aboriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of any of these groups, for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada.
This permits the disclosure of personal information to researchers involved in the process of settling native claims. The term "aboriginal people" is intended to have the same meaning as in the Canadian Charter of Rights. Such information would be primarily contained in the records of the Department of Indian and Northern Affairs but may be found in any government institution. Personal information may be disclosed to an individual acting on behalf of an association of aboriginal people, Indian band or government institution upon presentation of a letter from any such group accrediting him or her as undertaking work researching or validating native claims on its behalf. Individuals accredited to undertake such research or validation but not employed by a government institution should fill out the Research Application and Undertaking Form mentioned in relation to the previous paragraph, and comply with its requirements.
In exercising discretion to disclose personal information under the native claim research provision, government institutions should take into account the sensitivity of the information and other factors set out in the invasion-of-privacy test.
6.12 Payment of a benefit and collection of a debt
Paragraph 8(2)(l) provides that personal information may be disclosed to any government institution for the purpose of locating an individual in order to collect a debt owing to Her Majesty in right of Canada by that individual or to make a payment owing to that individual by Her Majesty in right of Canada.
This provision facilitates the task of locating individuals for the purpose of collecting Crown debts or paying government benefits. This provision does not permit the disclosure of information for the purpose of determining whether a debt is owed, nor does it permit disclosure of any more information than is necessary to locate the individual. Government institutions will normally release the appropriate information to other institutions for the purpose of locating individuals owing Crown debts unless specifically prohibited from doing so. This provision does not override statutory prohibitions against the release of information, such as are contained in the Income Tax Act. In the case of payments owing to an individual, the intention is to expedite the payment of income tax refunds or other government cheques.
Government institutions requesting personal information under this paragraph should clearly specify the debt owing or the benefit which will be paid. The government institution which has been asked to disclose the information should consider the alternative of forwarding the cheque on behalf of the requesting institution, thereby eliminating the need for a disclosure.
6.13 Public interest
Paragraph 8(2)(m) provides that personal information may be disclosed for any purpose where, in the opinion of the head of an institution, (i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or (ii) disclosure would clearly benefit the individual to whom the information relates.
This provision is designed to deal with disclosure of personal information in situations which either cannot be readily foreseen or which are so specialized that they cannot be suitably covered in specific terms elsewhere in subsection 8(2). It is emphasized that this provision does not imply any right of access to personal information; rather, it only permits disclosure at the discretion of the head of the institution where the appropriate conditions are met. Furthermore, the provision is only a supplement to, and not a replacement for, paragraphs (a) to (l) of subsection 8(2). In any case, this sub-paragraph must be used with a good deal of restraint. Information should only be disclosed under this provision when it is apparent that there is a clear public interest in disclosure but no other release category under subsection 8(2) is applicable.
Subsection 8(5) requires that the Privacy Commissioner be informed of disclosures made under this provision. The Privacy Commissioner may, subject to the requirement not to disclose information for which an exemption has been claimed, decide to notify the individual concerned, or to initiate a complaint under subsections 29(1) and 29(3) or an investigation under section 37 of the Act.
Basis of the invasion-of-privacy test
There are three interrelated factors which should be taken into account in any invasion-of-privacy test. They are:
- Expectations of the individual The conditions which governed the collection of the personal information and the expectations of the individual to whom it relates are important criteria in any test. Was the information compiled or obtained under guarantees which preclude some or all types of disclosures? Or, on the other hand, can the information be considered to have been unsolicited or given freely or voluntarily with little expectation of it being maintained in total confidence? Has the individual himself or herself made a version of the information generally available to the public and thus waived the right to privacy in these circumstances?
- Sensitivity of the information It should be determined what type of information is involved in the request for a public interest disclosure. Is it obviously of a highly sensitive personal nature or does it appear to be fairly innocuous information? Is the information very current and for that reason more sensitive, or has the passage of time possibly reduced that sensitivity so that disclosure under specific circumstances would lead to no measurable injury to the individual's privacy? On the other hand, could disclosure of the information after a passage of time simply re-open old wounds?
- Probability of injury If the information is considered sensitive, can it be surmised that the particular disclosure carries with it the probability of causing measurable injury? Injury should be interpreted as any harm or embarrassment which will have direct negative effects on an individual's career, reputation, financial position, safety, health or well-being. As well, the head of an institution must consider if a disclosure of personal information will make that information available for a decision-making process by a government institution beyond that for which it is being disclosed.
Institutions may also have other factors unique to their own situations which should be added to an invasion-of-privacy test. For this reason, institutions are encouraged to develop guidelines on the application of the invasion-of-privacy test within their institution.
It is important to remember that public curiosity does not equate with public interest. The public interest to be balanced against the possible invasion of privacy can be evaluated on the basis of whether it is specific, current and probable (similar to the injury test described in 2.1.1 of Chapter 2-9). Where there is a possible invasion of privacy balanced against a public interest, consideration may be given to who would be receiving the information and whether any controls can be placed on further use or release.
Examples of situations in which there could be a public interest which outweighs the potential invasion of privacy in disclosure as outlined in sub-paragraph 8(2)(m)(i) include:
- health or medical emergencies, accidents, natural disasters or hostile or terrorist acts where one or more individual's lives and well-being depend on disclosure;
- disclosure of information to carry out an order of the court (e.g. enforcement of a custody order); and
- disclosure of information to either substantiate or correct a statement made publicly by the individual concerned. In these circumstances the individual would first have made public the information being substantiated or corrected.
Application to individuals who are deceased
Sub-paragraph 8(2)(m)(i) may be considered in relation to a request for disclosure of information relating to an individual who has been dead less than twenty years. Often there is a diminution of privacy concerns with the passage of time and such information can be disclosed. The head of the institution should weigh the sensitivity of the information against the public interest in disclosure to determine if an unwarranted invasion of privacy would occur if the information was released. Important factors to consider are:
- whether disclosure may cause financial injury to the immediate family of the deceased;
- whether disclosure may endanger the physical well-being of any of the family of the deceased;
- whether the head of the institution has any reason to believe that an immediate family member or ex-spouse does not want the information released;
- whether the information contains medical, psychological or social work case reports or data which it is reasonable to believe would prove harmful to familial relationships;
- whether the deceased had expressed or implied any wishes with regard to the information;
- whether disclosure may harm the reputation of the deceased (who cannot defend himself or herself).
This provision gives discretion to the head of an institution to ensure that personal information is not withheld from disclosure where the individual could clearly benefit from its release. The test in such circumstances is satisfied if the individual considers the release of the information of benefit to himself or herself. Some examples of situations where personal information may be released on the grounds of "benefit to the individual" are:
- disclosure to a doctor or hospital of an individual's blood type in an emergency when a transfusion is needed;
- disclosure to an airline of information to locate passengers' next of kin where an accident has occurred or to locate passengers when, for example, they have been exposed to food poisoning on a flight;
- disclosure of information to assist in determining the owner of lost or stolen property;
- notification of next of kin in case of an accident or disaster; and
- disclosure of information about an individual to immediate family members or an authorized representative of the individual such as a lawyer, under compassionate circumstances (e.g. information as to whether or not an individual has been arrested in another country).
Notification of Privacy Commissioner
Subsection 8(5) of the Privacy Act provides that the head of a government institution must notify the Privacy Commissioner of any disclosure of personal information under paragraph 8(2)(m) either prior to the disclosure or, if this is not practicable, at the time of disclosure. The Privacy Commissioner has discretion to notify the individual to whom the information relates of the disclosure if he deems such notification to be appropriate.
The provision acts as a check on unreasonable use of paragraph 8(2)(m). When notified of an intention to disclose, the Privacy Commissioner may decide to intervene and recommend against disclosure.
Notification of an individual by the Privacy Commissioner is, however, subject to the requirements of section 64 of the Privacy Act. This provision places the Privacy Commissioner under a duty not to disclose any information that is exempt under either the Access to Information Act or Privacy Act or any information which could confirm the existence of personal information where the head of a government institution, in refusing to disclose the information to the subject individual, has not indicated whether it exists.
Notification of the Privacy Commissioner under subsection 8(5) should include:
- the name and last known address(es) of the individual(s) involved;
- copies of the information and/or a description of the information being disclosed;
- the purpose of the disclosure and a statement as to why the public interest overrides privacy concerns in this instance, or how the disclosure would clearly benefit the individual; and
- the name and signature of the person authorizing the disclosure.
Delegation of 8(2)(m) authority
It is recommended that the authority to disclose personal information under paragraph 8(2)(m) be either retained by the head of the institution or delegated only to the most senior officials of the institution.
6.14 Disclosure by the National Archives
Subsection 8(3) of the Privacy Act provides that, subject to any other Act of Parliament, personal information that has been transferred to the control of the National Archives by a government institution for archival or historical purposes may be disclosed, in accordance with the regulations, to any person or body for research or statistical purposes.
Section 6 of the Privacy Regulations sets out the conditions for disclosure of archival or historical personal information for research or statistical purposes. Such information may be disclosed for these purposes where:
- the information is of such a nature that disclosure would not constitute an unwarranted invasion of privacy of the individual to whom the information pertains;
- the disclosure is in accordance with paragraphs 8(2)(j) or (k) of the Act;
- one hundred and ten years have elapsed following the birth of the subject individual; or
- in cases where the information was obtained through the taking of a census or survey, ninety-two years have elapsed following the taking of the census or survey containing the information.
This provision permits the disclosure of personal information in certain circumstances for research of an historical nature. It is similar to paragraph 8(2)(j), disclosure for research or statistical purposes, but this latter clause was thought too restrictive in regard to historical research to be conducted at the National Archives. The National Archives is, therefore, permitted to make personal information which it has collected for archival or historical purposes available for research or statistical purposes under the specific conditions set out in the Privacy Regulations. It should be noted that:
- subsection 8(3) does not create a right of access for third parties to personal information transferred to the National Archives for archival or historical purposes. Rather it permits that institution discretion to disclose such information under particular conditions to serve specific research or statistical purposes; and
- while paragraphs 8(2)(j) and (k) of the Privacy Act are mentioned specifically in section 6 of the Privacy Regulations as providing for permissive disclosures by the National Archives, all other provisions in section 8 of the Act apply equally to the National Archives. The National Archives is governed by the policy on Privacy and Data Protection and these guidelines.
Subsection 8(3) of the Privacy Act is subject to any other Act of Parliament. This means that where a federal statute forbids the disclosure of personal information (e.g. the Income Tax Act), it cannot be disclosed by the National Archives. The regulation prescribing the circumstances under which personal information of an archival or historical nature may be disclosed is based on a determination that disclosure of the information would not constitute an unwarranted invasion of the privacy of the subject individual. For example, sensitive medical, personnel or law enforcement records could contain information which, if disclosed, could constitute an unwarranted invasion of privacy. For additional guidance on this topic, see the invasion-of-privacy test in 6.13.
Since the National Archives assumes control over the personal information transferred to it for historical or archival purposes, discretion to determine those types of information the disclosure of which would not constitute an unwarranted invasion of privacy is given to the head of that institution. The National Archives should have publicly available guidelines on how such determinations are made (based on the invasion-of-privacy test), and the authority to make such determinations should be limited to senior officials of the National Archives. When a government institution is transferring personal information for archival or historical purposes, the National Archives should consult that organization for advice on records containing information which, if disclosed, could constitute an unwarranted invasion of privacy.
Disclosures under subsection 8(3) are subject to compliance review by the Privacy Commissioner under subsection 37(1) of the Act.
6.15 Information publicly available
Subsection 69(2) of the Privacy Act provides that the use and disclosure code contained in sections 7 and 8 of the Act does not apply to personal information which is publicly available.
This provision applies to information which has been published in any form or which constitutes or is part of a public record obtainable from another source. This provision is intended to cover situations where a government institution wishes to obtain information which is in the public domain from another government institution. For example, since Communications Canada allows public access to information concerning amateur radio operators, another government institution seeking that information would not be required to obtain the consent of the subject individuals for use of the information available to the public.
Although personal information which is publicly available is not protected by sections 7 and 8 of the Act, such information is still subject to all the remaining provisions of the Act. It must, therefore, be processed in response to a request by the subject individual under section 12.
7. Mailing lists and enclosures
Any individual's name and his or her home, business or mailing address or telephone number fall within the definition of personal information contained in paragraph 3(d) of the Privacy Act, and are therefore protected from improper use or disclosure. There are exceptions to this protection in the following paragraphs: regarding the business addresses and telephone numbers of public servants, 3(j); regarding the names and business addresses of contractors performing services for the federal government, 3(k); regarding information about an individual who has been dead for more than twenty years, 3(m); and regarding information that is publicly available, 69(2). Addresses of companies that do not include the names of individuals are not considered to be personal information.
Names and addresses that fall within the definition of personal information may not be disclosed or used for mailing list purposes unless:
- the addresses were collected for that purpose and the subject individuals were so informed;
- the individuals have consented to having this information on the mailing list;
- the use or disclosure of the information for mailing list purposes is authorized by an Act of Parliament or a regulation, as provided for in paragraph 8(2)(b) of the Act; or
- the use or disclosure may be justified under section 7 or one of the paragraphs of subsection 8(2) of the Privacy Act; notably paragraph 8(2)(a), Consistent Use, or sub-paragraphs 8(2)(m)(i), Public Interest, or 8(2)(m)(ii), Individual Benefit. It is government policy that these authorities for the use or disclosure of mailing lists will be used in exceptional circumstances only.
In circumstances where a cheque or information distribution system already exists within a particular program, there may be requests to enclose additional informational materials. Such enclosures do not usually require any disclosure of personal information, however consideration must be given to whether the proposed use of personal information would be in conformity with the provisions of the Privacy Act.
Information may only be included with regular program mailings when:
- the information to be enclosed is related to the program in such a manner as to qualify the enclosure as a consistent use under subsection 7(a);
- the distribution of the information with the regular mailing is authorized by an Act of Parliament or a regulation [under paragraph 8(2)(b)]; or
- the distribution of the information in this manner is justified under sub-paragraphs 8(2)(m)(i), Public Interest, or 8(2)(m)(ii), Individual Benefit. Paragraph 8(2)(m) should only be used where no other authorized disclosure provision under subsection 8(2) applies. Use of sub-paragraph 8(2)(m)(i) requires that the public interest clearly outweigh any possible invasion of privacy. The use of sub-paragraph 8(2)(m)(ii) requires that all of the individuals clearly benefit from the provision of the insert.
Disclosure of a mailing list should only be considered under exceptional circumstances, as this is the least desirable means of distributing information. Where the criteria for an enclosure have been satisfied, it is preferable to distribute the information with a regular program mailing than to initiate a separate mail-out just for the additional information. The best course of action would be to obtain consent from all of the recipients for the use of their information.
Departments that have mailing lists should consider developing assessment criteria and procedures for use in responding to requests for mailing lists or information enclosures. Departments should ensure that their personal information bank descriptions in Info Source identify all mailing list and enclosure activities related to their banks. Records of uses or disclosures not described in Info Source must be retained in accordance with subsection 9(1).
How a mailing list is used and whether an enclosure will accompany a government mail-out is decided by the department responsible for the mailing list. A department approving a consistent use of a mailing list or an enclosure would have to satisfy the requirements of subsection 9(4), while a department disclosing personal information under paragraph 8(2)(m) must satisfy the requirements of subsection 8(5).
8. Use of the Social Insurance Number
In its response to the parliamentary review of the Access to Information Act and the Privacy Act, the government committed itself to examining the use of the Social Insurance Number (SIN) within the government and putting limits on its use by the federal government. A policy on Data Matching and Control of the Social Insurance Number was issued in 1989, and has been incorporated into the current policy on Privacy and Data Protection. As required by the policy, government institutions must limit their uses of the SIN for administrative purposes to those authorized by statute or regulation and for administering pensions, income tax, health and social programs (as listed in Chapter 3-4).
In addition, government institutions must not withhold any right, benefit or privilege nor impose any penalty by reason of an individual's refusal to disclose the SIN to a government institution except for the purposes set out in Chapter 3-4 or as otherwise authorized by Parliament.
As a consequence, any institutions wishing to initiate a new use of the SIN would need to have the authorization for use of the SIN included in their legislation.
Data-matching is defined as the comparison of personal data obtained from different sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains. Data-matching is therefore a specialized activity involving the collection, use and disclosure of personal information. Included in the definition of data-matching is data linkage, also known as data profiling.
- Government institutions notify the Privacy Commissioner of a new matching program by providing him or her with a copy of their assessment of the program at least 60 days before the matching program is to begin.
- A data-matching program be approved only by the head of the government institution or an official specifically delegated this authority by the head.
- Government institutions subject information generated by a matching program to verification with original or additional authoritative sources before that information is used for an administrative purpose.
Chapter 2-5 provides further guidance on procedures for initiating data-matching programs.
10. Accounting for use and disclosure of personal information
10.1 General principles
The Use and Disclosure Code dealt with in section 1 is based on the principle that the right of an individual to privacy includes the right to control the use which is made of their personal information and, when exceptions to this principle exist, to know what use can be made of the information. Section 9, sub-paragraph 11(1)(a)(iv) and subsection 11(2) of the Privacy Act ensure that all uses and disclosures of personal information contained in personal information banks are recorded, accounted for and, where appropriate, described in an index of personal information (Info Source) so that an individual can determine what specific uses and disclosures of their personal information may occur.
10.2 Statement of purposes
Sub-paragraph 11(1)(a)(iv) of the Privacy Act provides that the Designated Minister shall cause to be published a statement of the purposes for which personal information in the bank was obtained or compiled and a statement of the uses which are consistent with such purposes for which the information is used and disclosed. This information must be published on a periodic basis not less frequently than once each year, as part of the index of personal information (Info Source).
This requirement to publish a statement of uses and a statement of consistent uses is the basis of accounting for use and disclosure of personal information which underlies the Use and Disclosure Code set out in sections 7 and 8 of the Act. This is the primary means by which the government notifies the public of how it uses the personal information under its control. In order to ensure the completeness of this notification process, government institutions are required to provide to the Designated Minister comprehensive statements of all of the purposes for which personal information under their control was obtained or compiled and similar statements of consistent uses for which information in each personal information bank may be used or disclosed. These statements form part of the personal information bank identification and description process required by section 11 of the Act.
It is a requirement of the Policy on Privacy and Data Protection that, when the Social Insurance Number is included in any personal information bank, the government institution must so indicate in the description of the bank provided for Info Source and must cite the authority under which the number is collected and the purposes for which it is used. The policy also requires that government institutions account for all data-matching activities in Info Source.
10.3 Routine uses not included as primary or consistent uses
Subsection 11(2) provides that the Designated Minister may include in the index of personal information a statement of any of the routine uses of personal information which were not included in the statement of primary uses or consistent uses made pursuant to sub-paragraph 11(1)(a)(iv).
This provision permits the Designated Minister to include in the personal information bank descriptions statements of routine uses of the personal information that do not fall within the categories of purpose of collection or consistent use. These would be disclosures of the information under subsection 8(2) of the Act which take place on a regular basis. (An example might be the provision under paragraph 8(2)(b) of family allowance information by National Health and Welfare to the Department of Indian and Northern Affairs to assist it in carrying out its programs.)
In accordance with subsection 9(1) of the Act (see 10.4 below), if no statement of a routine use is included in the information bank description in Info Source, the institution is required to record each such use on the individual's file. Including the statement of routine uses is, therefore, a far more efficient practice.
10.4 Retention of use and disclosure record
Subsection 9(1) of the Privacy Act provides that a government institution must retain a record of any use or disclosure of personal information contained in an information bank where the use or disclosure is not included in the statements published in the index of personal information (Info Source). In such cases, the institution shall attach the record of the use or disclosure to the personal information.
Subsection 9(3) of the Act provides that a record of use or disclosure described in subsection 9(1) shall be deemed to form part of the personal information to which it is attached.
The purpose of these two subsections is to ensure that any use made of personal information which is not listed in the Info Source can be traced by the individual to whom the information relates. By requiring that a record of such uses and disclosures be attached to and form a part of the personal information, it will be accessible with the information whenever a request for access is made, subject to any applicable exemptions. This provision also assists the Privacy Commissioner in reviewing the use and disclosure of personal information.
A record of use or disclosure pursuant to subsection 9(1) of the Privacy Act should include (i) the name and title of the person authorizing the use or disclosure; (ii) the name of the institution, person, organization or body receiving the information; (iii) a description of the use or purpose of disclosure; and (iv) a copy of the information disclosed, or a description in sufficient detail to allow a determination of exactly what information was used or disclosed.
Subsection 9(2) provides that subsection 9(1) does not apply in respect of disclosures under paragraph 8(2)(e). The requirement for recording these disclosures is contained in subsection 8(4) and is discussed in the section of the guidelines concerning disclosures under 8(2)(e) (see 6.5).
As for all personal information, records of disclosure must be retained for a minimum period of two years following the use or disclosure.
10.5 Consistent uses not previously accounted for
Subsection 9(4) of the Privacy Act provides that where personal information in a personal information bank is used or disclosed for a use consistent with the purpose for which the information was obtained or compiled, but the use is not included in the statement of consistent uses published in the index of personal information pursuant to sub-paragraph 11(1)(a)(iv), the head of a government institution shall:
- forthwith notify the Privacy Commissioner of the use for which the information was used or disclosed; and
- ensure that the use is included in the statement of consistent uses published in Info Source.
This provision is intended to deal with those exceptional circumstances where it is necessary for institutions to use or disclose personal information for a purpose which, while consistent with the purpose for which it was obtained or compiled, was not anticipated, and is therefore not reflected in Info Source. It permits the use or disclosure under paragraphs 7(a) or 8(2)(a) only where the Privacy Commissioner is immediately notified. Institutions are also required to amend the personal information bank description to include the new use. This amendment should be submitted to the Designated Minister for inclusion in Info Source.
11. Protection of personal information
In conformity with the Government Security Policy, institutions are responsible for designating personal information, as defined in section 3 of the Privacy Act (A.5.6(c) of the Security Manual). Institutions are also required to identify particularly sensitive personal information and apply the appropriate security measures based on a threat and risk assessment. Such an assessment may be based on the invasion-of-privacy test found in 6.13 of this chapter.