Archived - Privacy and Data Protection Guidelines - Right of Access to Personal Information

Subsection 12(1) of the Privacy Act provides every individual who is a Canadian citizen or a permanent resident within the meaning of the Immigration Act a right of access to personal information about themselves that is under the control of a government institution.

Extension Order No. 1 (see Chapter 4-1), which became effective June 23, 1983, extends the right of access to include all inmates within the meaning of the Penitentiary Act who are not Canadian citizens or permanent residents.

Extension Order No. 2 (see Chapter 4-1), which became effective April 13, 1989, extends the right of access to personal information to all individuals present in Canada to whom the right had not previously been extended. The term "present" denotes a physical presence in a geographic location. The appropriate meaning of the phrase "present in Canada" is, therefore, physically situated in the country. While the Order does not specify a minimum time period that a requestor must be present in Canada, requestors who are not Canadian citizens, permanent residents or inmates must be physically in the country both at the time they make their request for access and when access is provided.

Determining whether an individual is present in Canada is a question of fact. To assist in this determination a number of factors can be considered, such as the individual's address; the telephone number; the place of residence, work or education; or the postmark on the envelope containing the request. The status of a requestor may be determined from the information that is provided in the applicant identification section of the request form. If the form is incomplete or the information provided is inconclusive, the institution may contact the applicant to verify his or her physical presence.

Government institutions should provide individuals with informal access to their personal information whenever possible.

Where informal access to the requested personal information cannot be given, the requestor must be informed of his or her rights under the Privacy Act and of the manner in which such rights may be exercised.

The Policy on Privacy and Data Protection requires institutions to endeavour to assist individuals in obtaining access to their personal information and in exercising their rights under the Privacy Act (as set out in Chapter 3-2).

Section 13 of the Act and section 8 of the Regulations provide that an applicant has made a formal request for access to personal information when the application meets the following requirements:

• it is in writing, using the Personal Information Request Form; (see Chapter 3-5)
• it adequately identifies the individual submitting the request and includes that person's signed statement that he or she has a right of access to personal information under the Privacy Act;
• it has been addressed to or received by the official identified in Info Source as the contact person for the government institution listed in the Schedule to the Act as having control of the personal information in question; and
• it identifies each personal information bank that is the subject of the request or provides sufficient information in respect of each class of personal information so as to render the information reasonably retrievable by the government institution.

If the head of the institution is of the opinion that the application does not contain sufficient information on the location of the requested information, the institution should ask the applicant for additional detail before refusing the request. If a request for access cannot be processed because it is incomplete, government institutions shall, within 10 days of receipt of the request, inform the applicant of the steps required to complete the request. They shall also inform applicants of their right to complain to the Privacy Commissioner if they believe that sufficient information has already been provided to allow the request to be processed.

Although technically a complete request must be made on the Personal Information Request Form, institutions are encouraged to accept requests submitted either on the Access to Information Request Form or in a letter, if the request otherwise meets the requirements for a complete request. Any application fee erroneously submitted under the Access to Information Act would, of course, be returned.

The time allowed for processing a request for access to personal information is counted from the receipt of a complete request, with the day after receipt being counted as day one. In other words, if a request is received by the institution on January 1st, a response would have to be sent on or before January 31st.

The Policy on Privacy and Data Protection requires that government institutions assist individuals seeking to obtain access to their personal information who are unable to exercise their rights using regular procedures. For example, visually impaired individuals or illiterate individuals may require special assistance in completing the Access to Personal Information Request Form or in determining the appropriate information bank.

The Policy on Privacy and Data Protection requires that institutions have appropriate administrative controls in place to ensure against the disclosure of personal information to anyone who is not permitted access to it under the Privacy Act. For this reason, prior to disclosing information in response to a request under the Act, government institutions must ensure that the individual receiving the information has adequately identified himself or herself as the subject of the information, or as the agent of the subject individual. Where a rigorous verification of identity is necessary, the applicant may be required to be present when the information is disclosed (Privacy Regulations, section 8). If there is any doubt concerning the identity of the person seeking access, disclosure must not take place.

Where the rights of an applicant under the Act are exercised by an authorized representative, government institutions shall require that the representative provide adequate identification as well as verifiable, written authorization to act on behalf of the applicant.

The Policy on Privacy and Data Protection states that government institutions must record all administrative actions taken in processing requests for access, correction or notation under the Privacy Act whenever such actions are required by the Act or regulations. This must be done in such a manner as to account for all deliberations and decisions regarding the processing of such requests. It is important to remember that such documentation may be crucial as evidence during a review. A sample tracking document is provided in Chapter 3-5. The tracking document may also be useful in capturing the data required for the annual report to Parliament referred to in subsection 72(1) of the Act.

The documentation of actions taken and decisions made is subject to the same retention and disposal scheduling as the personal information to which they pertain.

The Act sets out specific time limits for processing requests and conditions under which the applicant must be notified. Under subsection 16(3) of the Act, where the institution fails to give access within the specified time limits, it is deemed to have refused access. Government institutions may wish to review requests with the applicant, especially when this could be helpful in interpreting the request, or in explaining any difficulties which may be encountered in processing the request. Good communication between institutions and requestors reduces the number of appeals.

The notification requirements prescribed by the Act are set out below. Model letters for notices are provided in Chapter 3-6.

The Act provides that government institutions shall, within 30 (thirty) calendar days of receipt of a complete request, give a written notice to the applicant concerning the following:

1. Excluded information: Whether any of the requested information is excluded from access under the Privacy Act (for an explanation of excluded information, see Chapter 2-8)
2. Method of access: When access is to be given, the institution shall provide a copy of the requested information or advise the applicant of the procedure to arrange to view the information according to the conditions specified in section 9 of the Regulations.
3. Extension: When the government institution requires more than the initial 30-day period, the notice must inform the requestor of the length of the extension and of his or her right to complain to the Privacy Commissioner about the extension. The Act provides three circumstances for extension of the time limit (as set out in section 15) which are:
   • if meeting the original time limit would unreasonably interfere with the operations of the government institution; or
   • if the consultations necessary to comply with the request cannot reasonably be completed within the original 30-day limit. (Consultation in the context of this provision refers to consultations undertaken with other government institutions, foreign governments, medical practitioners, etc., but not internal consultations.)
   • Note: In these circumstances, the time limit may be extended for a maximum of 30 days.
   • if additional time is necessary for translation purposes. (In such a case, the untranslated document should be released as soon as possible, to be followed by the translated document when it becomes available.) A reasonable period of time is allowed for translation of the document.
4. Exemptions: Pursuant to subsection 16(1) of the Act, when access to the requested information, or a part thereof, is refused, the notice must refer to the specific exemption applied, state that the information is contained in an exempt bank, state that the information does not exist, or, where the government institution does not indicate whether the information exists, cite the specific exemption which would reasonably be applied if the information existed. This notice must also inform the requestor of his or her right to complain to the Privacy Commissioner.

In accordance with the privacy policy, government institutions must ensure that any decision to give or refuse access is made by an official with the properly delegated authority and that the written exemption notification to the requestor is signed by someone to whom this authority has been properly delegated (refer to the definitions in Chapter 2-1).

Whereas paragraph 16(1)(b) of the Act requires that a notice of exemption state the "specific provision" of the Act on which the refusal was based, the policy on Privacy and Data Protection requires that government institutions specify in their response to the requestor the subsection or paragraph of the Act upon which each exemption is based, except where to do so would reveal exempted information or cause the injury upon which the exemption is based. Government institutions are also required to indicate the exemptions in a manner which allows the applicant to relate the particular exemptions to specific documents or portions of documents which have been withheld, except where to do so would reveal exempted information or cause the injury upon which the exemption is based.

Where the information may be withheld under more than one exemption, the institution should cite all applicable exemptions and should be prepared to defend the use of all exemptions cited. It is worth noting that during the review process the Court has held that an institution cannot rely on exemptions which were not identified in the notice of refusal. (Neil Anderson Davidson v. The Solicitor General of Canada [1987] 3. F.C. 15, D.L.R. (4th) 533, 9 F.T.R. 295, 35 C.C.C. (3d) 84; affirmed by F.C.A. [1989] 2 F.C. 342). In other words, you can't change your mind about the applicable exemptions once you get to court. It's worth taking the time to get it right the first time.

The privacy policy requires that government institutions, to the greatest extent possible, explain to applicants the reasons for which their requests for any action under the Privacy Act have been refused, and their rights of appeal.

The privacy policy also requires that government institutions make a reasonable effort to explain technical or complex personal information to the applicant, and shall inform individuals of their right under the Privacy Act to request a correction or notation of their personal information. When the individual is incapable of reading printed information (possibly because of a vision impairment or a lack of reading skills), the institution should endeavour to find alternate means for informing the individual of the institution's response to his or her request and the content of the accessed record.

Subsection 16(2) of the Act provides that an institution may, but is not required to, indicate whether personal information exists. Refusal to indicate the existence of information is reserved for situations where acknowledging the existence of the information could in itself disclose exemptible information to the requestor. This provision is intended for use in relation to security and law enforcement.

In these circumstances, paragraph 16(1)(b) requires that the refusal notice to the requestor indicate the provision on which refusal of access to the information could be based if the information existed.

Exemption application procedures

An underlying principle in applying most exemption criteria is the balancing of the right of access to personal information against the potential injury from disclosure of that information. The bases for applying exemption criteria are discussed in Chapter 2-9.

Under the guidance of the Privacy Co-ordinator, government institutions are required by the Privacy policy to review all requested personal information. This review is carried out for the purpose of identifying and severing any portions of the information which are excluded from the provisions of the Act or which must be exempted, and for making a decision concerning disclosure of any information which may be exempted. All requested personal information which is neither excluded nor exempted must be released.

In large institutions or de-centralized institutions, the requested material may be reviewed under the guidance of a divisional or regional Privacy Co-ordinator.

The Privacy policy further requires that government institutions ensure that due regard is given to the injury or detrimental effect on the interest specified in the exemption when discretion to disclose information is provided.

In responding to requests for information to which access has previously been sought, government institutions should note that the decision on disclosure may be altered with the passage of time or changed circumstances.

Government institutions should assess each request on its own merits, allowing precedents to serve only as guidance in making the determination whether to disclose the requested information. Documents classified or designated under the government security classification system should receive more careful preliminary examination. However, the fact that a document is classified or designated does not mean that it is automatically exempt. Each document must still be reviewed in relation to the exemption provisions of the legislation. It may, in fact, be necessary to remove or downgrade the security classification or designation of information which is disclosed in response to a request for access.

At the initial review stage, the information may be screened for medical information which may be subject to exemption under section 28 and therefore require review by a medical practitioner.

Before deciding to either disclose or exempt personal information from disclosure, it is the responsibility of the Privacy Co-ordinator to ensure that any necessary consultation with other government departments has taken place.

In accordance with the Privacy policy, government institutions must consult with:

• External Affairs Canada before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the conduct of international affairs;
• National Defence before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the defence of Canada or any state allied or associated with Canada;
• the government institution having the primary interest (i.e. the Department of the Solicitor General, the R.C.M.P., the Canadian Security Intelligence Service, National Defence or External Affairs) before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the detection, prevention, or suppression of crime or of activities suspected of constituting threats to the security of Canada within the meaning of the CSIS Act;
• the investigative body or other government institution with primary interest in the law being enforced or investigation being undertaken before determining to exempt or disclose personal information on the basis of injury to the enforcement of a law of Canada or a province or the conduct of lawful investigations. In a case where the security of penal institutions is involved, government institutions must consult with the Correctional Service of Canada;
• the investigative body that provided the information before determining to exempt or disclose personal information regarding a security clearance; and
• the supplying institution before determining to exempt or disclose personal information the disclosure of which could affect the safety of individuals.

Government institutions should also consult with supplying institutions before determining to exempt or disclose personal information where the supplying institution retains an interest in the information.

The policy requires that these consultations be undertaken with or initiated through either the Privacy Co-ordinator or the official in that institution with delegated authority to exempt or disclose the information.

If the consulted government institution recommends application of an exemption, it should supply the government institution processing the request with a written argument for application of the exemption. Final responsibility for the application of the exemption rests with the processing institution. Even where consultation is mandatory, timely response to access requests is the responsibility of the processing institution.

The results of the exemption review, any consultation reports and, where necessary, any opinion rendered by the institution's legal advisor, form the basis for the decision whether or not to apply an exemption. The policy requires that a decision to apply an exemption be made by an officer who has been delegated such authority by the head of the institution.

The principle of severability should be applied to information released in response to a request for access to personal information. The guidelines on severability can be found in 4.3 of Chapter 2-9.

Pursuant to subsection 16(2), the government institution is not required to indicate whether exempted personal information exists. This provision was included to cover those situations where the denial or confirmation of the existence of information could result in the injury anticipated by the exemption. This is most likely to occur in the law enforcement area, and this provision should only be employed when necessary for the protection of such information. Suggested wording for the notification of refusal may be found in Chapter 3-6.

Subsection 17(1) of the Privacy Act requires that where an individual is given access to personal information, the government institution shall, subject to the Regulations, either permit the individual to examine the original information or provide the individual with a copy thereof. Government institutions should strive to provide access by the method requested by the applicant whenever possible.

Pursuant to section 9 of the Regulations, government institutions are required to ensure that the time arranged for examination of original documents is convenient for the individual as well as for the institution. They are also required to provide reasonable facilities for the examination. Because of the sensitive nature of personal information, the facilities provided for the requestor to examine the information should be sufficiently private to allow undisturbed examination while ensuring adequate security.

When the personal information being examined is of a complex or technical nature, the institution should endeavour to have an officer of the institution who understands the information available to answer any questions the requestor may have. Pursuant to section 14 of the Regulations, special provision may be made for certain types of sensitive medical information. Under this provision, individuals may be required by the head of the institution to examine their information in the presence of a duly qualified medical practitioner or psychologist who may explain or clarify the information.

Subsection 17(2) of the Act provides that, when access to personal information is given and the applicant requests that access be given in a particular official language, as declared in the Official Languages Act:

1. access shall be given in that language, if the personal information under the control of the government institution already exists in that language; and
2. where the personal information does not exist in that language, the government institution that has control of the information shall cause it to be translated or interpreted for the individual if the translation or interpretation is considered to be necessary to enable the individual to understand the information.

Pursuant to paragraph 15(b), the initial time limit for responding to a request for access may be extended by the government institution for a reasonable period of time necessary for translation purposes. In the case of lengthy records, interpretation (i.e. oral translation) may be considered as an alternative. An extension of the time limits for translation purposes is subject to the notification procedures described in section 6 of Chapter 2-6.

The policy on Privacy and Data Protection requires that where personal information to be disclosed to an individual with a sensory disability already exists in more than one alternative format acceptable to the individual, access be given in the alternative format they prefer.

When deciding whether or not to convert requested information to an alternative format for a sensory disabled requestor, there are two questions: Is the conversion necessary to enable the individual to exercise his or her right of access under the Act? and is the conversion reasonable?