Archived - Privacy and Data Protection Guidelines - Exemptions
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
1. General principles
An individual's right of access to their personal information as contained in the Privacy Act is limited by a number of exceptions specified in sections 18 through 28 of the legislation. These exceptions to the right of access are known as exemptions. Each exemption is intended to protect information relating to a particular public or private interest. These exemptions, when combined with the categories of excluded records outlined in sections 69 and 70 of the Act, form the only basis for refusing an individual access to their personal information.
The exemptions contained in the Privacy Act can be classified in two ways B according to whether the exemption is subject to an injury test or a class test, and according to whether the exemption is discretionary or mandatory.
2.1 Injury test or class test
2.1.1 The injury test
Exemptions based on an injury test provide for the denial of access to requested information if disclosure "could reasonably be expected to be injurious" to the interest specified in the exemption. "Injury" in this context means having a detrimental effect. The fact that the disclosure could result in an administrative change in a government institution is not sufficient to satisfy an injury test. It must be possible to identify an actual detrimental effect on the interest specified in the exemption.
Three general factors should be considered when evaluating potential injury. These factors are the degree to which the injury is:
- Specific: Is it possible to identify the detrimental effect with the actual party or interest which will suffer the injury, rather than as a vague, general harm?
- Current: Is the detrimental effect likely to occur at the time the exemption is claimed, or in the foreseeable future? Information which has been withheld in the past should be re-assessed when a new request is received to ensure that present or future injury is still a factor; and
- Probable: Is there a reasonable likelihood of the injury occurring? (The fact that an injury might possibly result is not enough.)
Cases may arise where there is a mosaic effect inherent in the disclosure. The requested information may not satisfy the injury test when it is considered in isolation. However where the information forms a segment of a larger picture, or is one of a series of requests which could reasonably be expected to be injurious to the interest specified in an exemption, the institution may exempt the information. An institution exempting information on the basis of a mosaic effect must be able to demonstrate that the cumulative effect of a series of disclosures related to the requested information could satisfy the injury test.
Some exemptions containing an injury test include an illustrative list of some types of information to which the exemption may apply. The fact that requested information is covered by the illustrative list does not automatically qualify the information for exemption. The refusal to disclose must still be based on the injury to the interest specified in the exemption.
Injury tests are contained in the exemptions in sections 20, 21, 22(1)(b) and (c), 24(a), 25 and 28.
2.1.2 The class test
Exemptions based on a class test provide for the denial of access to requested information which falls into the category described in the exemption. While the possibility of injury underlies this test as well, these exemptions describe the classes of information which, in the judgement of Parliament, are sufficiently sensitive that disclosure of any information in the class could have a detrimental effect. Thus, when information falls into a class of information specified in one of these exemptions there, is no requirement that injury be proved.
Class tests are contained in the exemptions in sections 19, 22(1)(a), 22(2), 23, 24(b), 26 and 27.
2.2 Discretionary or mandatory exemptions
2.2.1 Discretionary exemptions
Discretionary exemptions are introduced by the phrase "the head of a government institution may refuse to disclose...". When discretionary exemptions apply to requested personal information, the institution is legally entitled to refuse access. Discretionary exemptions provide the head of the institution with the option to disclose when there is no probable injury or when the interest in disclosure outweighs any possible injury, or to withhold information when there is a probable injury which outweighs the benefit of disclosure. When requested information qualifies for a discretionary exemption, the institution should consider both options before making a decision.
The majority of exemption provisions in the Act are discretionary. They are contained in sections 20, 21, 22(1), 23, 24, 25, 27, and 28.
2.2.2 Mandatory exemptions
Mandatory exemptions are introduced by the phrase "the head of a government institution shall refuse to disclose...". When requested personal information falls within a mandatory exemption, institutions normally must refuse to disclose the record. Sections 19 and 22(2) are examples of this type of exemption. In addition, section 19 includes provisions which change the exemption into a discretionary exemption, and section 26 is a hybrid exemption which is in part discretionary and in part mandatory.
3. Exempt banks
Section 18 of the Privacy Act provides for banks of personal information which are completely exempt from access. Exempt banks are discussed in detail in section 5.
4. Administration of exemption provisions
Exclusion from the coverage of the Act or exemption from disclosure by a specific section form the only basis for refusing an individual access to their personal information. Therefore, access must be given to all personal information requested by an individual under the Privacy Act except that which is either specifically exempted or excluded under a provision of the Act.
It is possible that a particular record or portion of a record may qualify for more than one exemption. In such cases, institutions should cite all applicable exemptions and should be prepared to defend the use of all exemptions cited. The manner of citing exemption provisions is discussed in section 6 of Chapter 2-6 regarding notices.
When a requestor is not satisfied with what they receive from a government institution in response to their request under the Privacy Act, they have a right of appeal to a two-tiered system of review. The first stage is a complaint to the Privacy Commissioner, an officer of Parliament with the powers of an ombudsman. The second is a review by the Federal Court B Trial Division, on questions of denial of access to information. A discussion of the roles and powers of the Commissioner and the Court are set out in Chapter 2-10.
Heads of government institutions should delegate the authority to apply exemptions under the Privacy Act according to the nature and volume of information requested. In order to avoid complaints or reversals and to adequately protect personal information from improper disclosure, only senior officials should be authorized under section 73 of the Act to make exemption decisions.
It is worth noting that requests for personal information made under the Privacy Act must be considered on their own merits. Existing procedures and sanctions for protecting government information do not apply where a request is made under the Act. In addition, a duly authorized official who discloses information in good faith pursuant to the Privacy Act will not be subject to prosecution under the Official Secrets Act. This is based both on the exoneration clause contained in section 74 of the Act and the fact that disclosure under the Privacy Act will be considered to be an authorized disclosure. (The Official Secrets Act only applies to unauthorized disclosures of information.)
Unlike the Access to Information Act, the Privacy Act contains no explicit provision for severability, however the concept is implicit in the wording of the exemptions themselves. The Privacy Act permits an exemption to be claimed only for that personal information which is actually exemptible. The principle is that when a document contains both exempt and non-exempt material, the individual is entitled to any non-exempt information if it can be severed from the exempt information.
Similarly, there may be both personal and non-personal information in a record. Although the Privacy Act creates a right of access only to personal information, as a matter of policy an individual should be provided any relevant non-personal information which would not be exempted if it were requested under the Access to Information Act. Unless there is a large amount of non-personal information, the requestor should not be asked to make a request under the Access to Information Act for the same material.
The principles which govern severability under the Access to Information Act should be followed when reviewing information under the Privacy Act. The basic principle is one of reasonable severability. This means that a record containing exempt personal information should not be exempted as a whole if the exempted information can reasonably be severed. Reasonable severability should not be established by the amount of review, preparation and production time needed to extract the exempt information. Rather it should be established by the intelligibility of the document once the exempt portions have been removed. Government institutions are obliged to disclose as much personal information as can reasonably be released by severing exempt information from a record. All doubts about the intelligibility of the remaining non-exempt information should be decided in favour of release to the applicant.
Under the Privacy Act a request cannot be transferred, as it can under the Access to Information Act, however institutions are required to consult with other institutions which have supplied the requested information or where the information relates to the activities of another institution. Requirements for consultation are discussed in detail in relation to the various exemptions. When consultation is required, the institution that received the request remains responsible for meeting the time limits and supporting any exemptions applied to requested information.
In all cases, the point of consultation shall be either the Privacy Co-ordinator or the official with the authority to make a decision to disclose or exempt particular information.
When consultation with a foreign government or institution is required, government institutions should normally co-ordinate such consultations through the Privacy Co-ordinator at the Department of External Affairs.
5. Exempt banks (section 18)
Subsection 18(1) of the Privacy Act provides that the Governor-in-Council may, by order, designate as exempt certain personal information banks that contain files, all of which consist predominantly of personal information described in sections 21 or 22 of the Act (international affairs and defence or law enforcement and investigation).
In order to qualify for designation as an exempt bank, the personal information bank must contain files, regardless of their physical form, each of which consist predominantly of information which could be exempted under sections 21 or 22 of the Act. "Predominantly" means that a preponderance, or more than half, of the information in each of the files must qualify for exemption. Clearly, the greater the proportion of exemptible information in a given file, the greater the likelihood it will qualify for inclusion in an exempt bank. The result is that very few banks may be designated as exempt banks, and that every file must be reviewed before it can be placed in an exempt bank. (This principle was articulated in / Ternette v. Solicitor General of Canada,  2 F.C. 486, 10 D.L.R. (4th) 587, 32 Alta. L.R. (2d) 310.)
Subsection 18(2) of the Privacy Act provides that a government institution may refuse to disclose any personal information that is contained in a personal information bank designated as an exempt bank under subsection 18(1). This is a discretionary exemption based on the class test of whether particular information forms part of an exempt bank. Usually information which is part of an exempt bank will be exempted from access. However, if the head of the institution is satisfied that no harm will result from the disclosure, there is discretion to disclose.
The exempt bank provision cannot be applied to information or a copy of information transferred from an exempt bank to another institution. The receiving institution must determine whether or not to apply an exemption to requested information.
Contents of an Exemption Order
Subsection 18(3) of the Privacy Act provides that an order made by the Governor-in-Council under subsection 18(1) to designate exempt banks shall specify:
- the section on the basis of which the order is made; and
- where the bank contains files which consist predominantly of personal information described in subparagraph 22(1)(a)(ii), the law concerned.
The policy requires that government institutions consult with Treasury Board on any proposal for the establishment or revocation of an exempt bank.
The policy also requires that government institutions submit to the Designated Minister any requests to designate exempt personal information banks, and that requests for exempt banks submitted to the Designated Minister include:
- a description of the information to be included in the exempt bank;
- the specific exemption provision under which the information requires protection. For exemption provision 22(1)(a)(ii), this includes the law concerned (e.g. the Income Tax Act). For any injury test exemption, a statement of the expected detrimental effect must be included;
- an explanation, including cost implications, of why the information should be placed in an exempt bank rather than being subject to review on a case-by-case basis;
- certification that all the files in the bank consist predominantly of personal information of the type described in sections 21 or 22 of the Privacy Act and that procedures are in place to ensure that files are reviewed on an ongoing basis;
- a draft Order in Council; and
- a draft Regulatory Impact Analysis Statement.
Review of Exempt Banks
Section 36 of the Privacy Act empowers the Privacy Commissioner to review files contained in an exempt bank and to recommend to the head of the institution the removal of any file which, in his opinion, does not meet the section 18 criteria. If the institution refuses to remove the file, the Privacy Commissioner can apply to the Federal Court for a review of the matter. The Federal Court may order the removal of the file from the exempt bank.
6. Information obtained in confidence (section 19)
Section 19 of the Privacy Act provides that a government institution shall refuse to disclose any personal information that was obtained "in confidence" from:
- the government of a foreign state or institution thereof;
- an international organization of states or an institution thereof;
- the government of a province or an institution thereof; or
- a municipal or regional government established by, or pursuant to, an Act of the legislature of a province or an institution of such a government.
This is a mandatory class exemption. The term "in confidence" means that the supplier does not wish the information to be disseminated beyond the institution to which it has been supplied. This exemption protects personal information provided in confidence by officials of other governments or international organizations and their institutions. The best means of supporting the application of this exemption is to have written notification from the supplier of the information that it is being provided in confidence. Wherever feasible, it is advisable that government institutions enter into agreements with those other governments, international organizations or their institutions with which they will be exchanging information, stipulating the information which is being exchanged in confidence.
Where the status of personal information provided to a government institution prior to the proclamation of the Act is in doubt, consultation should take place. The institution which originally obtained the information should consult the other government or international organization which provided the information to determine whether the information was provided in confidence and whether such confidential treatment is still required.
Copies of information received in confidence by one government institution may be found in the files of one or more other government institutions. Since this is a mandatory exemption, all copies of the information supplied in confidence must be protected from disclosure. To ensure such protection, government institutions receiving personal information in confidence shall ensure that the information is marked as to its status and source before copies are provided to other institutions. Government institutions which have received information marked as having been received in confidence by another institution should not disclose the information without first consulting the other institution as to whether the information is still considered to be confidential.
Subsection 19(2) of the Privacy Act provides that the head of a government institution may disclose personal information obtained in confidence from another government or an international organization if the government or organization from which the information was obtained:
- consents to the disclosure; or
- makes the information public.
This subsection permits some limited discretion in dealing with information received in confidence. When there is any doubt as to the continuing confidentiality of the information, the institution may contact the other government or organization in order to seek consent to release the information. When dealing with foreign governments or international organizations, such consultation should be co-ordinated through the Privacy Co-ordinator at the Department of External Affairs. Where the information has been used for an administrative purpose and it is not exempt under any other provision of the Act, government institutions should make an effort to obtain the consent of the government or organization from which the information was obtained to disclose it. If the government or organization which originally provided the information makes such information public, the government institution should consider releasing the information as well.
7. Federal-provincial affairs (section 20)
Section 20 of the Privacy Act provides that a government institution may refuse to disclose any personal information the disclosure of which could reasonably be expected to be injurious to the conduct by the Government of Canada of federal-provincial affairs.
This is a discretionary exemption based on an injury test. It is specifically aimed at protecting the federal government in its conduct of federal-provincial affairs. To invoke this exemption, a government institution should be convinced that the disclosure of specific personal information could reasonably be expected to be injurious to its conduct of, or its role in, federal-provincial affairs.
It is rare that personal information will be related to federal-provincial affairs. However, any injury in regard to federal-provincial affairs is most likely where the federal government is either about to commence or is in the midst of conducting specific negotiations, deliberations or consultations. There may, however, be some types of personal information which continue to be sensitive. The release of such information could jeopardize the position of the federal government in conducting federal-provincial affairs in the future, or seriously affect its relations with one or more provincial governments. Personal information which continues to be sensitive should be protected until there is no likely possibility of injury.
Institutions should consult with the Federal-Provincial Relations Office through the PCO/FPRO Privacy Co-ordinator before disclosing personal information relating to federal-provincial affairs. Only senior officials should have delegated authority to exempt or disclose records under this section.
8. International affairs and defence (section 21)
Section 21 of the Privacy Act provides that a government institution may refuse to disclose any personal information the disclosure of which could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada or any state allied or associated with Canada, or the detection, prevention or suppression of subversive or hostile activities.
This is a discretionary exemption based on an injury test as applied to three general public interest areas. Access to personal information may be denied if disclosure could reasonably be expected to be injurious to:
- "The conduct of international affairs": This includes not only state-to-state affairs, but also commercial, cultural or scientific links established by citizens with counterparts in other countries.
- "The defence of Canada or any state allied or associated with Canada": An "allied state" is one with which Canada has concluded formal alliances or treaties. An "associated state" is another state with which Canada may be linked for trade or other purposes outside the scope of a formal alliance.
- "The detection, prevention or suppression of subversive or hostile activities": This exemption protects specific types of personal information relating to the security of Canada.
Section 21 of the Act defines the terms "defence of Canada or any state allied or associated with Canada" and "subversive or hostile activities" as they are defined in subsection 15(2) of the Access to Information Act. These definitions are as follows:
"Defence of Canada or any state allied or associated with Canada" includes the efforts of Canada and of foreign states to detect, prevent or suppress the activities of any foreign state directed toward actual or potential attack or other acts of aggression against Canada or any state allied or associated with Canada.
"Subversive or hostile activities" means:
- espionage against Canada or any state allied with or associated with Canada;
- activities directed toward the commission of terrorist acts, including hijacking, in or against Canada or foreign states;
- activities directed toward accomplishing government change within Canada or foreign states by the use of or encouragement of the use of force, violence or any criminal means;
- activities directed toward gathering information used for intelligence purposes that relates to Canada or any state allied with or associated with Canada; and
- activities directed toward threatening the safety of Canadians, employees of the Government of Canada or property of the Government of Canada outside Canada.
It is important to note that "defence of Canada" is defined inclusively. It is defined in general terms, and the definition does not limit the type of information relating to defence which may qualify for the exemption. On the other hand, "subversive or hostile activities" are defined restrictively. This means that the definition is specific and comprehensive. The exemption may only be invoked for those activities listed in the definition. Personal information relating to other security or intelligence activities such as security screening, immigration and citizenship vetting, domestic vital points and security inspections may only be exempted under this provision where it relates to one of the activities outlined in paragraphs 15(2)(a) to (f) of the Access to Information Act.
Types of Information
Section 21 refers to paragraphs (a) through (i) of subsection 15(1) of the Access to Information Act for illustration of the specific types of personal information which are likely to be covered by the exemption. It is essential to remember that the types of information listed in these paragraphs cannot be exempted as a class, and that this is only an illustrative list, not an exhaustive list. Section 21 is an injury test exemption. For the exemption to be applied, the head of the government institution must be able to demonstrate that disclosure of the personal information requested could reasonably be expected to result in injury to one of the interests specified (i.e. "detection, prevention or suppression of subversive or hostile activities").
Most of the examples set out in paragraphs 15(1)(a) to (i) do not apply to personal information (e.g. information on the quantity, characteristics, capabilities or deployment of weapons, paragraph 15(1)(b)). A few paragraphs, however, relate directly to individuals [see paragraph 15(1)(c)]. Those which are most likely to be applicable under section 21 are:
- Paragraph 15(1)(c), any such personal information relating to the characteristics, capabilities, performance, potential, deployment, functions or role of any defence establishment, of any military force, unit or personnel or of any organization or person responsible for the detection, prevention or suppression of subversive or hostile activities. This provision deals with defence establishments and military and national security personnel; and
- Paragraph 15(1)(d), any such personal information
obtained or prepared for the purpose of intelligence relating to:
- the defence of Canada or any state allied or associated with Canada; or
- the detection, prevention or suppression of subversive or hostile activities.
This paragraph deals with intelligence concerning defence and national security. Information "obtained or prepared for the purpose of intelligence" encompasses both the raw data collected ("obtained") as well as the refined product or analysis ("prepared").
The Policy on Privacy and Data Protection requires that government institutions consult with:
- External Affairs Canada before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the conduct of international affairs;
- National Defence before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the defence of Canada or any state allied or associated with Canada; and/or
- the government institution having the primary interest (i.e. the Department of the Solicitor General, the R.C.M.P., the Canadian Security Intelligence Service, National Defence or External Affairs) before determining to exempt or disclose any personal information that could reasonably be expected to be injurious to the detection, prevention, or suppression of subversive or hostile activities.
9. Law enforcement, investigations and security of penal institutions (section 22)
Section 22 of the Privacy Act is intended to protect:
- effective law enforcement, including criminal law enforcement;
- the integrity and effectiveness of other types of investigative activities (e.g. investigations in regulatory areas and air accident investigations); and
- the security of penal institutions.
9.1 Paragraph 22(1)(a)
This paragraph provides that a government institution may refuse to disclose personal information obtained or prepared by any government institution, or part of a government institution, that is an investigative body specified in the regulations under the following circumstances. The record came into existence less than twenty years prior to the request. The information was obtained or prepared in the course of lawful investigations pertaining to:
- the detection, prevention or suppression of crime;
- the enforcement of any law of Canada or a province; or
- activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act.
This is a discretionary class test exemption which protects the law enforcement records of police forces and investigative bodies akin to police forces, listed in Schedule III of the Privacy Regulations (see Chapter 4-2). This personal information is protected with a class test because of the difficulty in applying an injury test exemption to law enforcement records, since virtually all personal information in these records is of a sensitive nature and there is a large volume of requests in this area.
Three conditions must be met before the exemption can be claimed:
- The exemption can be claimed only where the personal information has been obtained or prepared by the limited number of investigative bodies listed in the regulations.
- The exemption can be applied only to personal information obtained or prepared by such an investigative body in the course of a lawful investigation. This means that the investigation must be authorized by or pursuant to a particular law. It is not sufficient to say that any investigation which is not unlawful is considered to be lawful. This does not, however, address the issue of the legality of techniques used during a lawful investigation. Nor does this address the issue of whether or not evidence has been legally obtained.
- The exemption applies only to personal information obtained or prepared
by such an investigative body in the course of lawful investigations
- the detection, prevention or suppression of crime;
- the enforcement of any law of Canada or a province; or
- activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act.
This last provision limits the application of the exemption to personal information obtained during the conduct of investigations relating to crime or law enforcement. Subparagraph 22(1)(a)(i) refers basically to investigations for the purpose of enforcing the Criminal Code. Subparagraph 22(1)(a)(ii) refers to investigations directed toward activities which are prohibited under federal or provincial laws. These can, of course, include activities which are crimes, and thus there is possible overlap between subparagraphs 22(1)(a)(i) and (ii). It should be noted that the term "law of a province" includes municipal laws.
Paragraph 22(1)(a) applies only to personal information which is less than twenty years old. Once information is more than twenty years old, it cannot be protected by the application of 22(1)(a). However such information may still qualify for exemption under paragraph 22(1)(b), which applies to information the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations.
Use of discretion
Despite being applicable to a class of information, paragraph 22(1)(a) is a discretionary exemption. Government institutions should, therefore, consider the disclosure of personal information covered by this exemption if they are satisfied that no injury will result from the disclosure.
The exemption contained in paragraph 22(1)(a) is based on the origin of the information. The exemption therefore follows the information if it is disclosed to another government institution. The exemption may thus be applied by an institution which is not an investigative body listed in the regulations as long as the information was prepared by or obtained by such an investigative body in the course of an investigation relating to the detection, prevention or suppression of crime or the enforcement of any law of Canada or a province. An example would be information held by the Department of National Health and Welfare which was originally obtained by the RCMP during a narcotics investigation.
The policy requires that government institutions consult the investigative body which originally obtained or prepared the information prior to deciding whether to withhold or disclose personal information which falls into this class.
9.2 Paragraph 22(1)(b)
This paragraph provides that a government institution may refuse to disclose personal information the disclosure of which could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or to the conduct of lawful investigations. Examples of the types of information to which this exemption may apply are included in the Act. They are:
- personal information relating to the existence or nature of a particular investigation;
- personal information that would reveal the identity of a confidential source of information; or
- personal information that was obtained or prepared in the course of investigations.
The list of categories of information covered by this exemption is illustrative only. Other types of information may qualify for the exemption if they pass the injury test.
The injury test for paragraph 22(1)(b) includes:
Injury to the enforcement of any law of Canada or a province
This injury test exemption supplements the class test exemption for law enforcement information contained in paragraph 22(1)(a). This exemption may apply where injury to the enforcement of a law could be expected to result from disclosure of the information, but 22(1)(a) does not apply. (An example would be where the information came into existence more than twenty years prior to the request.) This exemption could apply to information concerning the enforcement of federal and provincial regulatory legislation prohibiting certain types of activities (An example would be information obtained or prepared by inspectors enforcing such legislation as the Hazardous Products Act) and information obtained during investigations such as taxation audits undertaken by Revenue Canada.
This exemption could also be applicable where the disclosure of information which was obtained outside the investigative process could reasonably be expected to be injurious to law enforcement (e.g. information relating to the detection of tax frauds).
Injury to the conduct of lawful investigations
This exemption protects the integrity and effectiveness of investigations which are not law enforcement investigations. An example might be investigations conducted to determine the cause of an accident, but not to lay charges or assess blame. Another example would be investigations into whether a person with a criminal record should be granted a pardon. This exemption is based on a test of injury to the conduct of the lawful investigation. Where it can be shown that the disclosure of the identity of confidential sources would adversely affect the investigative process, this exemption may be applied to withhold both the identity of the confidential sources and any other information from which their identity could be determined. When applying this exemption, however, care must be taken to distinguish between a witness and a confidential source.
As in paragraph 22(1)(a), this exemption can be applied only where there is a likelihood of injury to a lawful investigation. Subsection 22(3) defines "investigation" to mean an investigation that
- pertains to the administration or enforcement of an Act of Parliament;
- is authorized by or pursuant to an Act of Parliament; or
- is within a class of investigations specified in the regulations. (Schedule V of the Regulations)
This means that the investigation must be authorized by or pursuant to a particular law. It is not sufficient for an investigation to be not unlawful. As with other exemptions, it is the institution which judges whether the relationship between the law and the investigation is direct enough to support the application of this exemption.
Reviewing and Updating Security Clearances
Investigations undertaken by investigative bodies specified in Schedule IV of the Privacy Regulations (see Chapter 4-2) for the purposes of reviewing and updating security clearances are included under paragraph 22(3)(c). Where applicable, an exemption can be claimed under paragraph 22(1)(b), on the grounds of being injurious to the conduct of a lawful investigation. Such investigations are included among investigations under paragraph 22(3)(c) in section 12 of the Regulations because of an oversight in the wording of section 23, the main provision dealing with security clearance matters. When claiming an exemption under paragraph 22(1)(b) for personal information obtained during the course of such an investigation, government institutions must only exempt information which could reasonably be expected to reveal the identity of the informant who furnished the information to the investigative body as provided for in section 23 of the Act. This ensures that the scope of this exemption is equivalent to that of the section 23 exemption.
The policy requires that government institutions consult with the investigative body or other government institution with primary interest in the law being enforced or investigation being undertaken before determining to exempt or disclose personal information on the basis of injury to the enforcement of a law of Canada or a province or the conduct of lawful investigations.
9.3 Paragraph 22(1)(c)
Paragraph 22(1)(c) of the Act provides that a government institution may refuse to disclose personal information the disclosure of which could reasonably be expected to be injurious to the security of a penal institution.
This is a discretionary exemption based on an injury test designed to protect information relating to the security of penal institutions. One example would be information that which could be useful in an escape attempt. Another example would be information relating to the location of arms storage facilities in an institution.
Government institutions must consult with the Correctional Service of Canada before determining to exempt or disclose personal information on the basis of injury to the security of penal institutions.
9.4 Subsection 22(2) - RCMP Provincial and Municipal Policing Information
Subsection 22(2) provides that a government institution shall refuse to disclose any personal information that was obtained or prepared by the Royal Canadian Mounted Police while performing policing services for a province or a municipality pursuant to an arrangement made under section 20 of the Royal Canadian Mounted Police Act, where the Government of Canada has, on the request of the province or municipality, agreed not to disclose the information.
This is a mandatory class exemption to protect personal information obtained or prepared by the RCMP when performing its provincial or municipal policing role. It is included at the request of the provinces who contract with the federal government for provincial and municipal policing services by the RCMP. In order for this exemption to be invoked, it is necessary that:
- the province or municipality request that the exemption be applied; and
- the federal government agree to the request.
It should be noted that the exemption applies not only while such information is held by the RCMP for the provincial or municipal policing purposes. It also applies when the information is used by the RCMP for another purpose or is given to another government institution for their use. Where personal information has been obtained or prepared by the RCMP while performing a provincial or municipal policing function and the federal government has agreed not to disclose the information, the RCMP should indicate the origin of the information and the fact that this exemption applies, before sharing the information with another government institution.
9.5 Subsection 22(3) - Definition of Investigation
Subsection 22(3) of the Privacy Act provides that, for purposes of paragraph 22(1)(b), "investigation" means an investigation that:
- pertains to the administration or enforcement of an Act of Parliament;
- is authorized by or pursuant to an Act of Parliament; or
- is within a class of investigations specified in the Regulations.
The definition limits the types of investigations for which the exemptions in paragraph 22(1)(b) can be claimed. Included are only those investigations specifically authorized by federal law or undertaken for the purposes of administering or enforcing federal law. The vast majority of investigations to which the exemption can be applied are covered by paragraphs 22(3)(a) and (b). For example, an investigation by the Clemency Division of the National Parole Board to determine whether an individual should be granted a pardon under the Criminal Records Act would be covered by paragraph 22(3)(a). Investigations by safety officers under Part IV of the Canada Labour Code would be covered by both paragraphs 22(3)(a) and (b). Residual classes of investigations are provided for in paragraph 22(3)(c) and are listed in the Regulations (Schedule V). An example of this class of investigation is an ad hoc investigation into the loss of separation of aircraft by air traffic controllers.
Specification of exemption claim in section 22
When claiming any exemption under section 22, government institutions shall specify the subsection or paragraph upon which the claim is based.
10. Security clearances (section 23)
Section 23 of the Privacy Act provides that a government institution may refuse to disclose any personal information that was obtained or prepared by an investigative body specified in the regulations for the purpose of determining whether to grant security clearances:
- required by the Government of Canada or a government institution in
- individuals employed by the government or an institution;
- individuals performing services for the government or an institution;
- individuals employed by or performing services for a person or body performing services for the government or an institution; or
- individuals seeking to be so employed or seeking to perform such services, or;
- required by the government or a province or a foreign state or an institution thereof;
if disclosure of the information could reasonably be expected to reveal the identity of the individual who furnished the information to the investigative body.
This is a discretionary exemption designed to protect sources of information within the security clearance process of the Government of Canada. Information may be exempted under this provision if it was obtained or prepared by an investigative body specified in the Regulations (Schedule IV) and its disclosure could reasonably be expected to reveal the identity of the individual who supplied the information. This section does not protect all personal information collected or obtained in the security screening process (e.g. the report sent to government institutions). It is intended to protect sources of information, particularly when the information they have provided relates to subversive or hostile activities or organized crime. When considering whether or not to exercise the discretion provided by this section, the head of the institution should consider whether the information would allow identification of the source and if that identification would likely cause injury to the source.
The reference to the granting of security clearances implies that this section may only apply to investigations undertaken to issue, reissue or upgrade a clearance. It does not refer to an investigation undertaken to review or update an existing clearance. By virtue of paragraph 22(3)(c) such investigations are listed in Schedule V of the Regulations and are covered by paragraph 22(1)(b).
The policy requires that government institutions consult with the investigative body that provided the information before determining to exempt or disclose personal information regarding a security clearance.
11. Individuals sentenced for an offence (section 24)
Section 24 of the Privacy Act provides that a government institution may refuse to disclose any personal information that was collected or obtained by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board while the individual was under sentence for an offence against any Act of Parliament if disclosure could reasonably be expected to:
- lead to a serious disruption of the individual's institutional, parole or mandatory supervision program; or
- reveal information about the individual originally obtained on a promise of confidentiality, express or implied.
This discretionary exemption pertains to personal information collected or obtained while the individual was under sentence and it continues to apply after the sentence has been completed. It can be based on either an injury test (i.e. lead to a serious disruption of...) or a class test (i.e. reveal information given in confidence). Before releasing personal information collected or obtained by the Canadian Penitentiary Service, the National Parole Service or the National Parole Board, government institutions should consult the appropriate institution to determine whether or not this exemption should be applied.
12. Safety of individuals (section 25)
Section 25 of the Privacy Act provides that a government institution may refuse to disclose any personal information the disclosure of which could reasonably be expected to threaten the safety of individuals.
This is a discretionary exemption. It permits a government institution to refuse access to personal information if it has reasonable grounds to expect that disclosure of the information could threaten the safety of an individual. This exemption will normally apply to information by or about informants. This includes individuals who provide information concerning criminal, subversive or hostile activities, but is not limited to that.
The policy requires that government institutions consult with the supplying institution before determining to exempt or disclose personal information when the disclosure could affect the safety of individuals.
13. Information about another individual (section 26)
Section 26 of the Privacy Act provides that a government institution may refuse to disclose any personal information about an individual other than the requestor. It also provides that a government institution shall refuse to disclose such information where the disclosure is prohibited under section 8 of the Act.
This provision embodies the principle under the Privacy Act that an individual has a right of access only to information about himself or herself. This exemption is clearly applicable where personal information about one individual is entwined inseparably with information about another individual (eg. information about a husband and wife in an immigration file). When this occurs, such information must not be disclosed unless some discretion is given the institution under section 8 of the Act. Discretion to disclose may be exercised if:
- the disclosure is authorized under subsection 8(2) of the Privacy Act;
- the other individual gives his or her consent to the disclosure; or
- the information is publicly available.
The discretion to disclose provided in this section is very limited. It is included so that a maximum amount of information may be made available to an applicant. This prevents nonsensical situations where an institution is exempting information already well known to an applicant. An example of this could be when non-sensitive, factual information about another individual has either been supplied by the applicant or is obviously well known to him or her (e.g. family members' addresses on a security clearance form). All such disclosures should, however, be made cautiously. The relationship between the individuals should be obvious and there should be no possibility of an unwarranted invasion of privacy. Where the possibility of an invasion of privacy exists, institutions must either sever the information about the other individual from the record or, where this is not possible, exempt the information.
For practical and administrative purposes, therefore, information about more than one individual should be separated within the personal information bank whenever possible.
This exemption does not cover the name of a source of information about an individual (e.g. the source of an opinion or critique of an individual's work), except in some specific cases. As provided in paragraphs 3(e) and (h) of the definition of personal information, the exemption covers the name of a referee or judge for a grant, award or prize for those institutions named in the Regulations (Schedule I). Except as provided in paragraphs 3(e) and (h) of the Act, the name of the source and the information or opinion about the individual cannot be exempted. Any other personal information about the source, (e.g. address, title, nationality, etc.), must be severed before the record is disclosed. The name of a source and his or her opinions may, of course, be withheld if they qualify for exemption on other grounds.
14. Solicitor-client privilege (section 27)
Section 27 of the Privacy Act provides that a government institution may refuse to disclose any personal information that is subject to solicitor-client privilege.
This is a discretionary exemption which allows the government institution to claim the same protection for communications with its solicitors as is allowed in the private sector. The privilege also extends to cover materials prepared by or for the solicitor expressly for the purpose of providing advice or presenting a case in court.
The decision to invoke solicitor-client privilege is the responsibility of the client institution, however institutions should consult their legal advisor prior to invoking solicitor-client privilege in order to determine if the information is in fact privileged. They should also consult their legal advisor prior to disclosing such information for advice as to whether the disclosure could injure the government's legal position, and advice as to whether waiving privilege for part of the information may result in an unintended waiver of privilege for all of the information. This exemption should be used when the disclosure of information could:
- circumvent the normal process of discovery in cases presently before the courts;
- prejudice the government's legal position in present or future litigation or negotiation; or
- impede the ability of government institutions to communicate fully and frankly with their legal advisors.
15. Medical records (section 28)
Section 28 of the Privacy Act provides that a government institution may refuse to disclose any personal information that relates to the physical or mental health of the individual requesting the information where the examination of the information would be contrary to the best interests of the individual.
This is a discretionary exemption. It is not intended to apply to all medical records. It is intended to apply only to that sensitive medical or mental health information the disclosure of which could be considered to be contrary to the best interests (in terms of personal health) of the individual. The decision on "best interests" must be made by a qualified medical practitioner or psychologist on the basis of knowledge about a particular disease, disorder, syndrome or condition and about the actual case involved. Sub-section 13(1) of the Regulations (see Chapter 4-2) permits, but does not require, an institution to obtain this decision from a medical practitioner or psychologist of the applicant's own choosing (with the applicant's consent). The institution will normally allow the individual to have the information examined by a medical practitioner or psychologist of his or her own choice, where the institution is satisfied that the person chosen is qualified to determine whether or not disclosure would be contrary to the applicant's best interests.
Sub-section 13(2) of the Regulations (Chapter 4-2) contains special provisions regarding the provision of medical information to medical practitioners and psychologists for additional opinions.
Section 14 of the Regulations provides that an individual who is given access to personal information relating to his physical or mental health may be required to examine the information in person and in the presence of a duly qualified medical practitioner or psychologist who may explain or clarify the information to the individual.