This directive takes effect on October 26, 2022.This directive replaces the Directive on Personal Information Requests and Correction of Personal Information dated July 13, 2022.This directive is issued pursuant to paragraph 71(1)(d) of the Privacy Act and as specified in section 2.2 of the Policy on Privacy Protection.In addition to the objectives indicated in section 3.1 of the Policy on Privacy Protection, the objective of this directive is to establish consistent practices and procedures for processing requests from individuals to access their personal information or for the correction of their personal information that is under the control of government institutions and has been used, is used or is available for use for administrative purposes.The expected results indicated in section 3 of the Policy on Privacy Protection apply to this directive.Heads of government institutions or their delegates are responsible for:

Exercising discretion

Exercising discretion in a fair, reasonable and impartial manner after: Considering the purpose of the Act, which is, in part, to provide individuals with a right of access to their personal information, subject to limited and specific exemptions; and the right to request correction of their personal information; Considering all relevant factors for and against disclosure, the relevant provisions of the Act, as well as applicable jurisprudence;Consulting with government institutions, as necessary; andReviewing the information contained in records.

Privacy training

Ensuring that employees of government institutions and officials who have functional or delegated responsibility for the administration of the Act receive training as outlined in Appendix B: Mandatory Procedures for Privacy Training.Documenting the completion of training in accordance with Appendix B: Mandatory Procedures for Privacy Training.

Eligibility of the requester

Establishing procedures to: Confirm the identity of the requester so that privacy will not be breached; andConfirm the authority of an individual to make a request on behalf of another individual.

Informal processing

Determining whether it is appropriate to respond to a personal information request on an informal basis, recognizing that the Act is intended to complement existing procedures for obtaining personal information held by government. Proceeding with treating a request informally only upon receipt of written consent from the requester who has been informed that only formal requests are subject to the provisions of the Privacy Act, including legislative timelines and the right to complain.

Acknowledging requests

Providing the requester with: Acknowledgement of receipt of the request; The legislative due date for the response; The contact information of the appropriate officer or office within the institution where questions and further clarifications may be addressed; Notification of the right to complain to the Privacy Commissioner; and,A copy of the Principles for Assisting Requesters or a link to the Principles online.

Duty to assist

Protecting the identity of the requester

Limiting the use or disclosure of information that could directly or indirectly lead to the identification of a requester to a need to know basis, unless otherwise authorized by the Act.

Interpretation and clarification of requests

Adopting a broad interpretation of a personal information request and communicating promptly with the requester when necessary to clarify the request. Assisting the requester in clarifying a request where it would result in the requester receiving more complete, accurate or timely access.Documenting the wording of a clarified request, as agreed by the requester, and the date of the revision when a request has been clarified or its wording altered.

Onsite examination

When a copy of the personal information cannot be made available, providing an appropriate location and time within the government institution for the requester to examine the records containing the personal information.

Language of access

Providing the personal information in the official language requested by the requester, including translating or interpreting the personal information when necessary to enable the individual to understand the information.

Accessible format for requesters

Providing the personal information in an accessible format requested by the requester including converting the records to the alternate format when necessary to enable the requester to understand the information when it would be reasonable to cause the personal information to be converted.

Processing of personal information requests and correction requests

Use of prescribed platforms

Receiving requests using the prescribed platforms listed in Appendix D: Prescribed Platforms for Receiving and Processing Personal Information Requests.Processing requests using the prescribed platforms, listed in Appendix D: Prescribed Platforms for Receiving and Processing Personal Information Requests, when platforms have been prescribed.

Tracking system

Establishing and maintaining an internal management system to keep track of: The processing of personal information requests and correction requests;Corrections or notations made; Complaints; Reports and recommendations from the Privacy Commissioner; and Reviews by the courts.

Documentation

Documenting the processing of requests by placing on file all documents that support decisions under the Privacy Act, including communications where factors considered when exercising discretion are discussed, recommendations are given, rationales are provided and decisions are made.

Control of the personal information

Determining, in a manner consistent with jurisprudence and considering any Treasury Board of Canada Secretariat (TBS) guidance, whether the personal information is under the control of the government institution.

Extension of the time limit

Assessing, without undue delay, each request received under the Act to determine if an extension is needed for processing the request.Providing a written explanation to the requester within 30 days of receipt of the request of the reasons for an extension should the personal information request take more than 30 days to fulfill. Notifying the requester of their right to complain to the Privacy Commissioner in respect of the extension of the time limit.Reporting on the number of and reasons for extensions in the institution’s annual report to Parliament.

Limiting inter-institutional consultations

Undertaking inter-institutional consultation only when: The processing institution requires more information for the proper exercise of discretion to withhold information; or The processing institution intends to disclose potentially sensitive information.Ensuring that consultation requests from other federal government institutions are processed with the same priority as personal information requests.

Exceptions to disclosure

Applying exemption and exclusion provisions in accordance with relevant jurisprudence and TBS guidance. Appendix C: Classification of Exemptions lists the exemptions and indicates whether they are based on a class test or an injury test, and whether they are discretionary or mandatory in nature.Citing all exemptions and exclusions invoked on the records on each page, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based to materialize.Clearly identifying the redacted material in a manner that is evident on the individual record.

Giving access

Providing written notice to the requester of whether access is being granted.Providing access to the information or part thereof, or notifying the requester if access is refused. Notifying requesters of their right to complain to the Privacy Commissioner in respect of matters relating to personal information requests.

Requests for correction and notation of personal information

Establishing a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented.Documenting any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose. Notifying the individuals, and any public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information.Notifying requesters of their right to complain to the Privacy Commissioner in respect of requests for correction of personal information.

Considering other means of making information accessible

Regularly reviewing the nature of requests received and assessing the feasibility of making frequently requested types of information available by other means.

Monitoring and reporting

Monitoring and reporting on the requirements of this directive as specified in the Policy on Privacy Protection.
Employees of government institutions are responsible for:

Informal access

Recommending to the head or the delegate, when appropriate, that information requested be disclosed informally.

Complete, accurate and timely responses

Making every reasonable effort to search, locate and retrieve the requested personal information under the control of the government institution. Ensuring searches for records are comprehensive and consider both the letter and the spirit of the request.Referring questions about whether the personal information is under the control of the government institution to Access to Information and Privacy (ATIP) officials with delegated authority for their determination. Advising ATIP officials at an early stage if a request cannot be responded to within the legislated 30-day timeframe. Making every reasonable effort to respond to requests within the timelines prescribed in the Act, including extensions taken in accordance with the Act.

Recommendations

Providing recommendations and contextual information to inform the head of the government institution, or their delegate, about possible exemptions or exclusions applicable to the personal information requested, taking into account the purpose of the Act.

Contracts and agreements

Establishing measures to support an individual’s right of access to their personal information when entering into contracts, arrangements and agreements.
The roles and responsibilities of government institutions with respect to this directive are identified in section 5 of the Policy on Privacy Protection. This directive applies as described in section 6 of the Policy on Privacy Protection.Legislation Related policy instruments Related guidance instruments and forms a Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries regarding any questions about this directive.Employees of federal institutions may contact their Access to Information and Privacy Coordinator regarding any questions about this directive.Access to Information and Privacy Coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data Division regarding any questions about this directive.
class test (critère objectif)
A test that objectively identifies the categories of information or documents to which certain exemption provisions of the Privacy Act can be applied. The exemptions set out in the following sections of the Act are based on a class test: 18(2) 19(1), 22(1)(a), 22(2), 22.1, 22.2, 22.3, 22.4, 23, 24, 26, 27 and 27.1.
discretionary exemption (exception discrétionnaire)
An exemption provision of the Privacy Act that contains the phrase “may refuse to disclose.” The exemptions set out in the following sections of the Act are discretionary: 18(2), 20, 21, 22(1)(a), 22(1)(b), 22(1)(c), 23, 24(a), 24(b), 25, 27, 27.1 and 28.
every reasonable effort (tous les efforts raisonnables)
A level of effort that a fair and reasonable person would expect or would find acceptable.
informal request (demande informelle)
A request for personal information made to the ATIP office of a government institution that is not made or processed under the Act. There are no deadlines for responding. In addition, the requester has no statutory right of complaint to the Privacy Commissioner
injury test (critère subjectif)
A test to determine the reasonable expectation of probable harm that must be met for certain exemption provisions of the Privacy Act to apply. The following sections of the Act are based on an injury test: 20, 21, 22(1)(b), 22(1)(c), 25 and 28.
mandatory exemption (exception obligatoire)
An exemption provision of the Privacy Act that contains the phrase “shall refuse to disclose.” The exemptions set out in the following sections of the Act are mandatory: 19(1), 22(2), 22.1, 22.2, 22.3, 22.4 and 26.
privacy training (formation en protection des renseignements personnels)
All activities that serve to increase privacy awareness, including formal training, discussion groups, conferences, Access to Information and Privacy community meetings, shared learning among colleagues, on-the-job training, special projects, job shadowing and communications activities that promote learning in the areas identified in Appendix B of this directive.
tracking system (système de suivi)
An electronic or paper-based case management system used in ATIP offices to track personal information requests and requests for correction of personal information and document their processing.

Additional definitions are listed in Appendix A of the Policy on Privacy Protection.

This Appendix provides guidance related to training in the application of the Act that all employees of government institutions should receive.

Effective dateThese procedures take effect on October 26, 2022These procedures were previously set out in Appendix B: Privacy Awareness in the Directive on Personal Information Requests and Correction of Personal Information effective July 13, 2022.ProceduresThese procedures provide details on the requirements set out in section 4.1.2 of the Directive on Personal Information Requests and Correction of Personal Information. All employees of government institutions must receive training on their obligations under the Privacy Act and related Treasury Board policy instruments. The training must cover the following: The purpose of the Act;The applicable definitions;Employees’ responsibilities under the Act and the Policy on Privacy Protection and related directives, including the principles for assisting requesters;Delegation, exemption decisions and the exercise of discretion;Employees’ obligation to make every reasonable effort to locate and retrieve the requested personal information under the control of the government institution;The requirement to provide complete, accurate and timely responses;The complaint process and reviews by the courts;Sound privacy and security practices respecting the creation, collection, retention, security designation, validation, use, disclosure and disposition of personal information;The management of privacy breaches; andSpecific institutional policies, processes and protocols related to the administration of the Privacy Act, including policies on information management.All employees of government institutions who have functional or delegated responsibility for the administration of the Privacy Act and Privacy Regulations must receive training that covers the items listed above and in addition: The provisions concerning the extension of time limits; exemptions and exclusions; and the language, format and method of access;Public reporting requirements, including annual reports to Parliament; andThe role of the Privacy Commissioner, the Information Commissioner, and the Parliamentary Standing Committees in relation to the Act.

The table below lists all exemptions under the Privacy Act and indicates whether they are based on a class test or an injury test and whether they are mandatory or discretionary. The descriptions are paraphrased and should be used as a memory aid only. For more detail, please consult the relevant section of the Act.

ExemptionShort Description of the ExemptionsMandatoryDiscretionaryClassInjury
Subsection 18(2)Access may be refused as the personal information is contained in an exempt bank which consists predominantly of personal information described in section 21 or 22 of the Act. noyesyesno
Subsection 19(1)

Personal information that must be protected as it was obtained in confidence from:

  • the government of a foreign state
  • an international organization of states
  • the government of a province
  • a municipal or regional government
  • the Westbank First Nation council
  • the council of a First Nation defined in the First Nations Jurisdiction over Education in British Columbia Act.
yesno**yesno
Section 20Access may be refused as disclosure could be expected to be injurious to the Government of Canada’s conduct of federal-provincial affairs.noyesnoyes
Section 21Access may be refused as disclosure could be expected to be injurious to conduct of international affairs; the defence of Canada or any state allied or associated with Canada; or Canada’s efforts to detect, prevent or suppress subversive or hostile activities.noyesnoyes
Paragraph 22(1)(a)Access may be refused as personal information was obtained or prepared by an investigative body (as per regulation) in the course of an investigation regarding: detecting, preventing or suppressing crime, enforcing any law of Canada or a province; or activities suspected of constituting threats to Canada’s security as set out in the Canadian Security Intelligence Service Actnoyesyesno
Paragraph 22(1)(b)Access may be refused as disclosure could be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations.noyesnoyes
Paragraph 22(1)(c)Access may be refused as disclosure could be expected to be injurious to the security of penal institutions.noyesnoyes
Subsection 22(2)Personal information must be protected as it was obtained by the Royal Canadian Mounted Police while performing policing services for a province or municipality.yesnoyesno
Section 22.1*Personal information must be protected as it was obtained or created by Privacy Commissioner in the course of an investigation or in the course of a consultation with the Information Commissioner.yesnoyesno
Section 22.2*Personal information must be protected as it was obtained or created by Public Sector Integrity Commissioner in the course of an investigation of a disclosure or an investigation commenced under section 33 of the Public Servants Disclosure Protection Act (PSDPA).yesnoyesno
Section 22.3Personal information must be protected as it was created for the purpose of making a disclosure or in the course of an investigation into a disclosure under the PSDPA.yesnoyesno
Section 22.4*Personal information must be protected as it was obtained or created by the Secretariat of the National Security and Intelligent Committee of Parliamentarians or on its behalf in the course of fulfilling its mandate.yesnoyesno
Section 23Access may be refused to personal information obtained or prepared for the purpose of determining whether to grant security clearances. noyesyesno
Paragraph 24(a)Disclosure could disrupt the parole or statutory release of the requester as personal information was collected or obtained by the Correctional Service of Canada or the Parole Board of Canada while the individual who made the request was under sentence for an offence against any Act of Parliament.noyesyesno
Paragraph 24(b)Access may be refused to personal information obtained in confidence regarding corrections or parole.noyesyesno
Section 25Access may be refused as disclosure could reasonably be expected to threaten the safety of individuals.noyesnoyes
Section 26Access may be refused for personal information about another individual who is not the requester.  This information must be protected when the disclosure is prohibited under section 8 of the Act.yesno**yesno
Section 27Access may be refused to personal information subject to solicitor-client privilege or the professional secrecy of advocates and notaries.noyesyesno
Section 27.1Access may be refused to personal information subject to the privilege set out in section 16.1 of the Patent Act or section 51.13 of the Trade-marks Act.noyesyesno
Section 28Disclosure of the medical record relating to the physical or mental health of the individual could be contrary to the best interests of the individual. noyesnoyes

*The exemption can only be claimed by the government institutions named in the provision.

** Where discretion is authorized.

This Appendix provides details on the requirement set out in sections 4.1.15 and 4.1.16 of the Directive on Personal Information Requests and Correction of Personal Information.

Effective dateThis list was updated on October 26, 2022.This list was previously set out in Appendix D: Prescribed Platforms for Receiving and Processing Personal Information Requests in the Directive on Personal Information Requests and Correction of Personal Information dated July 13, 2022.Prescribed PlatformsReceiving requests The prescribed platform is TBS’s ATIP Online.Requests can be received in alternate formats such as email or paper.There is no prescribed platform for processing requests. However, enterprise approved solutions are available through established contracting vehicles for ATIP Request Processing Software Solutions.In order to request an exception from the prescribed platforms, government institutions must contact the Privacy and Responsible Data Division for further information.