Archived - Privacy and Data Protection Guidelines - Review of Decisions

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Introduction

The Privacy Act provides for a two-tiered system of review of decisions made under the Act. The first stage is complaint to the Privacy Commissioner, an individual with the power of an ombudsman. The second stage is review by the Federal Court - Trial Division.

Review by the Privacy Commissioner

Subsection 29(1) of the Act provides that the following matters may be the subject of a complaint to the Privacy Commissioner:

  • use or disclosure of personal information otherwise than in accordance with sections 7 or 8;
  • denial of a request for access under subsection 12(1);
  • failure by an institution to accord rights relating to the correction or notation of personal information or to notify other institutions of such corrections or notations under subsection 12(2);
  • extension of time limits for response to a request under section 15;
  • the official language in which access is provided under subsection 17(2);
  • the amount of fees charged (there are presently no fees charged under the Privacy Act);
  • the index of personal information published in accordance with subsection 11(1); and
  • any other matter relating to the collection, retention and disposal; use or disclosure; or requesting or obtaining access to personal information under the control of government institutions.

As the list indicates, the Privacy Commissioner is empowered to receive complaints on issues ranging from the collection, use, disclosure, retention and disposal of personal information to the rights of access to personal information by individuals to whom it pertains.

Complaints may be brought by an applicant or his or her representative (see subsection 29[2]). In addition, the Privacy Commissioner may initiate an investigation into any of these matters, if satisfied that there are reasonable grounds for doing so. This means that the Privacy Commissioner is free to act without a complaint being lodged.

Normally, complaints to the Commissioner are required to be made in writing, but this requirement may be waived (see section 30). There is no time limit under the Privacy Act governing when a complaint to the Commissioner may be made.

Investigations

Subsection 34(1) of the Act provides that the Privacy Commissioner has the following powers in relation to carrying out investigations:

  • to summon persons and compel them to give evidence;
  • to compel the production of documents;
  • to administer oaths;
  • to receive evidence;
  • to enter premises occupied by a government institution;
  • to converse in private with any person in such premises; and
  • to examine or obtain copies of any personal information related to an investigation.

In accordance with subsection 34(2) of the Act, government institutions must provide for examination, at the Commissioner's request, any information recorded in any form, except a confidence of the Queen's Privy Council (i.e. Cabinet confidences; see Chapter 2-8). No access is provided to this type of information because section 70(1) of the Act excludes such information from the legislation.

Legal advice which is not in itself the subject of the request would not normally be included with the information provided to the Commissioner for examination, in order to preserve the solicitor-client privilege. On rare occasions the Commissioner , or persons working on behalf or under the direction of the Commissioner (usually an investigator), may request to examine this information. While the ultimate decision whether or not to release legal advice rests with the client institution, it is essential that legal advisors be consulted and that legal advice only be provided to the Commissioner or his or her representative on the express condition that the privilege is not being waived.

Prior to commencing an investigation, the Privacy Commissioner (or his or her delegate) must inform the head of the government institution concerned (or his or her delegate) of the intention to carry out an investigation and of the substance of the complaint (section 31). Subsection 33(2) ensures that government institutions will be given a reasonable opportunity to make representations to the Privacy Commissioner in the course of an investigation, as will the person who lodged the complaint. All investigations by the Commissioner must be conducted in private. No party is entitled, as a right, to be present during; to have access to; or to comment on representations made by another party involved in the complaint. Any person summoned to appear before the Privacy Commissioner is, at the Commissioner's discretion, entitled to receive witness fees and allowances similar to those permitted for attendance in the Federal Court (subsection 34[4]).

Evidence given by someone in the course of an investigation is not admissible as evidence against that person in a court or any other proceeding except in a prosecution for an offence under section 131 of the Criminal Code (perjury), in a prosecution for an offence under this Act, in a review before the Court under this Act or in an appeal resulting from such review (subsection 34[3]). Government employees must not impede an investigation by the Privacy Commissioner. Section 68 of the Act provides that such obstruction of the Commissioner or his or her delegate in the performance of duties and functions under this Act is an offence. Such an offence is subject, upon summary conviction, to a fine not to exceed $1,000.

Findings and recommendations

Subsection 35(1) of the Privacy Act provides that, when the Privacy Commissioner has determined that a complaint under the Act has merit, he or she must report the findings and any recommendations resulting from the investigation to the head of the government institution. This gives the head of the institution the opportunity to take any action they may deem appropriate in response to the findings or recommendations. The report may also ask the institution to notify the Commissioner within a specified period of time of any action taken or proposed to be taken to implement the recommendations contained in the report or, if no action is to be taken by the institution, the reasons for this decision.

Where an institution notifies the Privacy Commissioner of the intention to give access to personal information, access shall be given without delay. Similarly, if an institution notifies the Commissioner that it will comply with other recommendations, it shall carry out remedial action immediately.

In all instances, the Privacy Commissioner must report the findings of the investigation to the complainant. Where a time limit has been specified for an institution to report on compliance with recommendations resulting from an investigation, the Commissioner may not report to the complainant until the notification period has expired (subsection 35[2]).

The Privacy Commissioner has the powers of an ombudsman. That means that he or she can recommend that a complainant be given access to personal information, but cannot order the government institution to provide access. The Commissioner's power derives from a mandate to fully investigate a matter and to make recommendations which are fair and impartial for the resolution of a complaint. If the institution continues to refuse access following the Commissioner's recommendation that access be given, the Commissioner may advise the complainant to apply to the Federal Court for a review of the matter. Further, the Commissioner may, with the complainant's consent, apply for such a review, represent the complainant, or appear as a party to such a review. Moreover, the Commissioner can report to Parliament when the head of a government institution does not comply with his or her recommendations. This may be done in a special report at any time, when the Privacy Commissioner considers the matter involved to be of a sufficient or important nature (section 39). Otherwise it may be included in the annual report to Parliament required under section 38 of the Act.

Complaint to the Privacy Commissioner is the only level of appeal for all matters except the denial of access to requested personal information. Upon completion of the Commissioner's investigation, the complainant will be informed of their right to apply to the Federal Court - Trial Division for further review of the matter if they are still not satisfied that they have been given access to all of the personal information to which they are entitled.

Review of exempt banks by the Privacy Commissioner

Subsection 36(1) of the Act provides that the Privacy Commissioner may, at his or her discretion, carry out investigations of files contained in exempt personal information banks. Since section 18 of the Act permits government institutions to create exempt banks to protect certain types of sensitive personal information related to international affairs; defence; detection, prevention and suppression of subversive or hostile activities and law enforcement and investigations; the Privacy Commissioner is given the power to review the contents of such banks. Thus the Commissioner may determine if files which are contained in the exempt banks are properly classified.

Investigations of exempt banks follow the same procedure as investigations of complaints. That is, the head of the institution must be informed of the Commissioner's intention to investigate; investigations shall be carried out in private; and the Commissioner has all the powers of investigation given in section 34 of the Act. If, following such an investigation, the Commissioner concludes that any file should not be included in an exempt bank, he or she must report any findings or recommendations to the head of the institution controlling the bank. Where appropriate, the Commissioner may also set a specific time limit for action to be taken, a proposal made to implement the recommendations, or reasons given for not doing so [subsection 36(3)]. Findings concerning exempt banks and any response to particular recommendations made by an institution may be included in the Privacy Commissioner's annual report to Parliament. Where the matter is sufficiently urgent or important, a special report may be made [subsection 36(4)]. When the Commissioner receives no response in the specified time or is of the opinion that the response is inadequate, inappropriate or untimely, he or she may apply to the Federal Court. The Court can then review any file in the exempt bank for the purpose of determining whether the file should be removed from the bank (subsection 36[5] and section 43).

Review of compliance with sections 4 to 8 by the Privacy Commissioner

Subsection 37(1) of the Act provides that the Privacy Commissioner may, at his or her discretion, carry out investigations to ensure compliance with the requirements contained in sections 4 to 8 of the Act. These requirements concern the collection, use and disclosure, retention and disposal of personal information. This provision enables the Privacy Commissioner to review and report on the performance of government institutions in meeting the requirements of the Act and related government policy in regard to the gathering, handling and protection of personal information. Such monitoring is an essential part of ensuring the protection and privacy of personal information under the Privacy Act.

Investigations under subsection 37(1) generally follow the same procedures as investigations of complaints. If, as a result, the Privacy Commissioner is of the opinion that the government institution has not complied with any of the requirements contained in sections 4 to 8 of the Act, he or she will inform the head of the institution of his or her findings and recommendations. If the institution fails to take remedial action which, in the view of the Commissioner, is adequate, appropriate and timely, the Privacy Commissioner may communicate such a failure in a report to Parliament. This may be done in the annual report to Parliament or, if the matter is sufficiently urgent or important, in a special report.

Review by the Federal Court

When the Privacy Commissioner has reported his or her findings to the complainant, an individual who is of the opinion that they have not been given access to all of the personal information to which they are entitled has the right to apply to the Federal Court - Trial Division. It should be noted that the Act does not provide for review by the Court of matters other than denial of access (the sole exception is under subsection 16(3), when exceeding a time limit is deemed to be a denial of access). Normally, an applicant must make an appeal within 45 days after the results of the investigation by the Privacy Commissioner have been reported to him or her. An application to the Federal Court - Trial Division is heard and determined in a summary way.

With the consent of the individual, the Privacy Commissioner may also apply to the Federal Court for a review of a decision to refuse access. In addition, the Commissioner may appear as a party in any other case brought under the Act and he or she may represent any individual who has applied for review by the Court.

During proceedings under the Privacy Act, the Court has the power to examine any information recorded in any form except Cabinet confidences (as explained above, the Act does not apply to this type of record). To ensure the confidentiality of information which is the subject of proceedings before the Court and other sensitive information produced during such proceedings, the Court may conduct such hearings in private and receive representations ex parte (subsection 46[1]). If, in the opinion of the Court, evidence exists of an offence against any law of Canada or a province on the part of any officer or employee of a government institution, the Court may disclose such information to any appropriate authority (subsection 46(2)).

Under the Privacy Act, the burden of proof regarding a decision to refuse access to personal information always rests with the government institution (section 47). That is why it is imperative that institutions fully document the processing of requests for access and the decisions concerning the application of exemptions.

The type of review which the Court is authorized to conduct depends on the exemption which has been claimed. Where the denial of access is based on the following exemptions, the Court will determine whether the exemption claimed applies to the personal information under consideration:

  1. section 19 - personal information obtained in confidence from another government or international organization;
  2. paragraph 22(1)(a) - personal information respecting law enforcement collected or obtained by specified investigative bodies;
  3. subsection 22(2) - personal information obtained or prepared by the RCMP when performing its provincial policing role;
  4. section 23 - security clearances;
  5. paragraph 24(b) - reveal information about the individual originally obtained on a promise of confidentiality, express or implied;
  6. section 25 - personal information the release of which would threaten the safety of individuals;
  7. section 26 - information about another individual;
  8. section 27 - solicitor-client privilege;
  9. section 28 - medical information.

If the Court decides that the exemption applies to the information, it will not be released. If the Court decides that the exemption does not apply, the Court will order the head of the institution to release the information or make such other order as it deems appropriate (section 48).

If the denial of access is based on the following exemptions, the court is limited to a determination of whether or not the head of the institution had "reasonable grounds" for the decision to withhold the personal information:

  1. section 20 - injury to the conduct of federal-provincial affairs;
  2. section 21 - injury to international affairs, defence and security;
  3. paragraphs 22(1)(b) or (c) - injury to law enforcement, the conduct of investigations or the security of penal institutions;
  4. paragraph 24(a) - lead to a serious disruption of the individual's institutional, parole or mandatory supervision program.

In these cases, the Court can only order the head of the institution to release or make such other order as it deems appropriate where it finds that reasonable grounds for the decision to withhold do not exist. Otherwise, the decision of the head of the government institution will be upheld.

Order to remove file from exempt bank

Section 50 of the Act provides for Court review of files which the Privacy Commissioner considers to be improperly included in an exempt personal information bank under section 18. If the Court finds no reasonable grounds for including the file in the bank, the Court is empowered to order that the file be removed, or it may make another appropriate recommendation.