DAOD 1002-6, Disclosure of Personal Information

Table of Contents

  1. Introduction
  2. Definitions
  3. Application, Objective and Expected Results
  4. General Provisions
  5. Disclosures of Personal Information with Consent
  6. Disclosures of Personal Information Without Consent – Subsection 8(2) of the Privacy Act
  7. Routine Disclosures of Personal Information
  8. Records of Disclosure
  9. Privacy Training and Awareness
  10. Compliance and Consequences
  11. Responsibilities
  12. References

1. Introduction

Date of Issue: 2019-04-18

Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).

Approval Authority: Corporate Secretary (Corp Sec)

Enquiries: Director Access to Information and Privacy (DAIP)



2. Definitions

consistent use (usage compatible)

A use that has a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled. This means that the original purpose and the proposed purpose are so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out. (Policy on Privacy Protection, Treasury Board)

disclosure (divulgation)

The release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person. (Directive on Privacy Practices, Treasury Board)

Info Source (Info Source)

A series of annual Treasury Board Secretariat publications in which government institutions are required to describe their institutions, program responsibilities and information holdings, including personal information banks and classes of personal information. The descriptions are to contain sufficient clarity and detail to facilitate the exercise of the right of access under the Privacy Act. Data-matching activities, use of the social insurance number and all activities for which privacy impact assessments were conducted have to be cited in Info Source personal information banks, as applicable. The Info Source publications also provide contact information for government institutions as well as summaries of court cases and statistics on access requests. (Policy on Privacy Protection, Treasury Board)

personal information (renseignements personnels)

Means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,

      (a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,

      (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

      (c) any identifying number, symbol or other particular assigned to the individual,

      (d) the address, fingerprints or blood type of the individual,

      (e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,

      (f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,

      (g) the views or opinions of another individual about the individual,

      (h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and

      (i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,

but, for the purposes of sections 7, 8 and 26 and section 19 of the Access to Information Act, does not include

      (j) information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including,

            (i) the fact that the individual is or was an officer or employee of the government institution,

            (ii) the title, business address and telephone number of the individual,

            (iii) the classification, salary range and responsibilities of the position held by the individual,

            (iv) the name of the individual on a document prepared by the individual in the course of employment, and

            (v) the personal opinions or views of the individual given in the course of employment,

      (k) information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, the name of the individual and the opinions or views of the individual given in the course of the performance of those services,

      (l) information relating to any discretionary benefit of a financial nature, including the granting of a licence or permit, conferred on an individual, including the name of the individual and the exact nature of the benefit, and

      (m) information about an individual who has been dead for more than twenty years.

(Section 3 of the Privacy Act)

personal information bank (fichier de renseignements personnels)

A description of personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution. (Policy on Privacy Protection, Treasury Board)


3. Application, Objective and Expected Results

Application

3.1 This DAOD applies in the context of personal information disclosures other than those made by an individual pursuant to a request for access under subsection 12(1) of the Privacy Act.

3.2 For direction regarding disclosures to individuals who have submitted a request for access to their own personal information, see DAOD 1002-1, Privacy Requests and Correction of Personal Information.

Objective

3.3 The objective of this DAOD is to facilitate the implementation of consistent and sound privacy practices for the disclosure of personal information under the control of the DND and the CAF.

Expected Results

3.4 It is expected that, by following the instructions in this DAOD and the Instruction on Disclosure of Personal Information, personal information under the control of the DND and CAF will only be disclosed in a manner that respects the Privacy Act, the Privacy Regulations, and applicable Treasury Board (TB) policies and directives.


4. General Provisions

4.1 Personal information under the control of the DND and the CAF must not be disclosed except in accordance with section 8 of the Privacy Act, which provides that:

  1. personal information may be disclosed with consent;
  2. personal information may be disclosed without consent but only for the purposes described in subsection 8(2); and
  3. statutory prohibitions against disclosure specified in other Acts of Parliament take precedence over permissible disclosures under the Privacy Act.

4.2 Administrative controls must be in place to ensure that personal information is not disclosed inappropriately or without authorization. See DAOD 1002-3, Personal Information Management, for additional information.

Exclusions from the Application of the Privacy Act

4.3 Pursuant to subsection 69(2) of the Privacy Act, a government institution is not restricted from using or disclosing personal information that is publicly available. If publicly available personal information has been legitimately collected by the DND and the CAF, the disclosure provisions described in section 8 of the Privacy Act do not apply to restrict the disclosure of such information.

4.4 Personal information that constitutes a confidence of the Queen’s Privy Council for Canada (a Cabinet confidence) is excluded from the application of the Privacy Act. The use and disclosure of such information is restricted to “authorized individuals” within the DND and the CAF. For additional information on “authorized individuals” and security measures required to protect Cabinet confidences from unauthorized disclosure or other forms of compromise, see the Privy Council Office Policy on the Security of Cabinet Confidences.

Exceptions to the "Personal Information" Definition

4.5 Paragraphs (j) to (m) of the "personal information" definition set out information that is not personal information for purposes of disclosure under section 8 of the Privacy Act. The "personal information" definition is set out in section 2 of this DAOD.


5. Disclosures of Personal Information with Consent

5.1 Consent is not required for the disclosure of personal information for the purpose for which the information was obtained or compiled, for a use consistent with that original purpose or for a purpose described in subsection 8(2) of the Privacy Act.

5.2 Consent must be obtained from the individual to whom the personal information relates for all other disclosures.

5.3 When seeking consent for disclosure, consent must be obtained in writing and include sufficient information concerning the intended disclosure to allow the individual to make an informed decision on consent. See the Instruction on Personal Information Management for additional information.


6. Disclosures of Personal Information Without Consent – Subsection 8(2) of the Privacy Act

6.1 Subsection 8(2) of the Privacy Act sets out circumstances in which personal information under the control of the DND and the CAF may be disclosed without the consent of the individual. Subsection 8(2) applies only if no other statutory provision in any other Act of Parliament restricts the disclosure of the personal information.

6.2 Disclosures under subsection 8(2) are discretionary and do not constitute a right of access.

6.3 An individual’s general right to protection of privacy must be recognized when considering the discretion to disclose personal information. Additional criteria for consideration in the exercise of discretion are described in the Instruction on Disclosure of Personal Information.

6.4 Only the minimal amount of personal information required to fulfill the specific purpose may be disclosed.

6.5 If a permissible disclosure is not described in the relevant personal information bank (PIB), a record of disclosure must be retained so that it forms part of the individual’s personal information. This requirement does not apply to information disclosed under paragraph 8(2)(e) of the Privacy Act. See paragraphs 6.13 to 6.18 and section 8, Records of Disclosure, for additional information.

Disclosure for an Original Purpose or Consistent Use

6.6 The DND and the CAF are permitted by paragraph 8(2)(a) of the Privacy Act to disclose personal information if it is necessary to accomplish the purpose for which the information was originally obtained or compiled, or for a consistent use. For a disclosure to be for a consistent use, it must have a reasonable and direct connection to the original purpose.

6.7 Consistent uses must be described in the applicable PIB.

6.8 New consistent uses which are not described in the PIB must be referred to DAIP. DAIP must notify the Office of the Privacy Commissioner of Canada (OPC) and update the PIB in the Info Source – Sources of Federal Government and Employee Information to include the new consistent use.

Disclosure in Accordance with an Act of Parliament or Regulation

6.9 The DND and the CAF are permitted by paragraph 8(2)(b) of the Privacy Act to disclose personal information for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure. This paragraph encompasses all authorities for the disclosure of personal information contained in federal statutes and regulations.

Disclosure for Compliance with a Subpoena, Warrant, Court Order or Rules of Court

6.10 The DND and the CAF are permitted by paragraph 8(2)(c) of the Privacy Act to disclose personal information for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information. This includes federal quasi-judicial bodies and commissions of inquiry.

6.11 Legal services should be consulted prior to any disclosure to ensure the validity of the order and determine the proper form of compliance.

Disclosure to the Attorney General of Canada

6.12 The DND and the CAF are permitted by paragraph 8(2)(d) of the Privacy Act to disclose personal information to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada (the Crown) or the Government of Canada.

Disclosure to a Federal Investigative Body

6.13 The DND and the CAF are permitted by paragraph 8(2)(e) of the Privacy Act to disclose personal information to an investigative body specified in the regulations made under the Privacy Act, on the written request of the body, for the purpose of enforcing any law of Canada, a province or territory, or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed.

6.14 All disclosures pursuant to paragraph 8(2)(e) must be referred to DAIP as the delegate to authorize the release of the personal information. Requests must be made in writing, specify the purpose for which the information is required and describe the information to be disclosed.

6.15 For purposes of paragraph 8(2)(e), there are the following three DND and CAF investigative bodies that may request personal information:

6.16 Requests for, and records of disclosures, pursuant to paragraph 8(2)(e) are managed in accordance with the standard PIB PSU 913, Disclosures to Investigative Bodies.

6.17 For reporting purposes, DAIP must retain:

  1. a copy of each request received; and
  2. a record of information disclosed pursuant to such a request.

6.18 DAIP must make these copies available to the OPC, as required.

Disclosure to a Province, Territory, Specific First Nation Councils, Foreign State or International Body for Administering or Enforcing any Law or Carrying Out a Lawful Investigation

6.19 For the purpose of administering or enforcing any law or carrying out a lawful investigation, the DND and the CAF are permitted by paragraph 8(2)(f) of the Privacy Act to disclose personal information under an agreement or arrangement between the Government of Canada or an institution thereof with:

  1. the government of a province or territory;
  2. certain First Nation councils as identified in paragraph 8(2)(f);
  3. the government of a foreign state;
  4. an international organization of states or an international organization established by the governments of states; or
  5. any institution of any such government or organization.

6.20 Disclosures under paragraph 8(2)(f) must only be made in accordance with a formal written agreement or arrangement. Written agreements for the disclosure of personal information under paragraph 8(2)(f) have been made between the Government of Canada and the governments of the provinces, the Yukon and the Northwest Territories.

Disclosure to a Member of Parliament

6.21 The DND and the CAF are permitted by paragraph 8(2)(g) of the Privacy Act to disclose personal information to a member of Parliament for the purpose of assisting an individual to whom the information relates with resolving a problem. The term “member of Parliament” includes members of the House of Commons and the Senate.

6.22 If Parliament has been dissolved prior to an election or a member of Parliament has resigned, this provision may not be applied until a new member of Parliament is sworn in.

Disclosure for Audit Purposes

6.23 The DND and the CAF are permitted by paragraph 8(2)(h) of the Privacy Act to disclose personal information to DND employees and CAF members for internal audit purposes, or to the Office of the Comptroller General or any other person or body specified in regulations made under the Privacy Act for audit purposes.

6.24 Disclosures to the Office of the Auditor General of Canada are specifically authorized pursuant to the Auditor General Act and are therefore permitted in accordance with paragraph 8(2)(b) of the Privacy Act.

Disclosure for Archival Purposes

6.25 The DND and the CAF are permitted by paragraph 8(2)(i) of the Privacy Act to disclose personal information to Library and Archives Canada (LAC) for archival purposes. Archival purposes include the transfer of personal information to LAC control, as well as LAC examination of personal information in government records to determine archival value and establish retention and disposal standards.

Disclosure for Research or Statistical Purposes

6.26 The DND and the CAF are permitted by paragraph 8(2)(j) of the Privacy Act to disclose personal information to any person or body for research or statistical purposes.

6.27 All disclosures pursuant to paragraph 8(2)(j) must be referred to DAIP as the delegate to authorize the disclosure of personal information. For personal information to be disclosed under this provision, DAIP must be:

  1. satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates; and
  2. provided with a written undertaking from the person or body that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates.

Disclosure for First Nation Claims Research

6.28 The DND and the CAF are permitted by paragraph 8(2)(k) of the Privacy Act to disclose personal information to any Aboriginal government, association of Aboriginal people, Indian band, government institution or part thereof, or to any person acting on their behalf, for the purpose of researching or validating the claims, disputes or grievances of any of the Aboriginal peoples of Canada.

Disclosure for Payment of a Benefit or Collection of a Debt

6.29 The DND and the CAF are permitted by paragraph 8(2)(l) of the Privacy Act to disclose personal information to any government institution for the purpose of locating an individual in order to collect a debt owing to the Crown by that individual or making a payment owing to an individual by the Crown.

6.30 This provision does not permit the disclosure of information to determine whether a debt is owed, nor does it permit disclosure of any more information than is necessary to locate the individual.

Disclosure in the Public Interest

6.31 The DND and the CAF are permitted by paragraph 8(2)(m) of the Privacy Act to disclose personal information for any purpose if:

  1. the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or
  2. disclosure would clearly benefit the individual to whom the information relates.

6.32 All disclosures pursuant to paragraph 8(2)(m) must be referred to DAIP as the delegate to authorize the release of the personal information. DAIP must ensure that there is a clear public interest in the disclosure and that no other paragraph under subsection 8(2) applies.

6.33 Disclosure decisions must balance the public interest in disclosure against the threat to an individual’s privacy based on:

  1. the expectations of the individual;
  2. the sensitivity or nature of the personal information involved; and
  3. the probability of injury or consequence of disclosure for the individual.


7. Routine Disclosures of Personal Information

7.1 When personal information is to be disclosed by the DND and the CAF to an international, federal, provincial, territorial or municipal public sector organization, an information sharing agreement or arrangement that includes appropriate privacy protection clauses must be established.

7.2 When contracting with a private sector organization or individual, the DND and the CAF must ensure that appropriate privacy protection clauses are included in the contract or agreement.

7.3 Routine disclosures of personal information that are not for the purpose for which the information was obtained or compiled, or for a consistent use, such as regular disclosures pursuant to subsection 8(2) of the Privacy Act, may be included in the relevant PIB description. See DAOD 1002-3 for additional information.

7.4 If such routine disclosures of personal information are not described in the relevant PIB, each disclosure must be recorded on the individual’s file. See section 8, Records of Disclosure, for additional information.


8. Records of Disclosure

8.1 All disclosures of personal information must be accounted for in order to allow individuals to determine what specific disclosures of their personal information may occur or may have occurred.

8.2 Disclosures must either be described in the applicable PIB or documented in a record of disclosure as required under subsection 9(1) of the Privacy Act.

8.3 A record of disclosure must be prepared when personal information is disclosed for any purpose that is not described in a PIB. The record of disclosure must be attached to the individual’s personal information and is deemed to form part of the personal information to which it is attached. This record must be retained for a minimum of two years following the disclosure.

8.4 If the purpose for disclosure is a consistent purpose not described in the PIB, see paragraph 6.8 for additional requirements.

8.5 If personal information is disclosed to a federal investigative body under paragraph 8(2)(e) of the Privacy Act, see paragraph 6.17 for additional requirements.

8.6 A record of disclosure must contain:

  1. the purpose for the disclosure;
  2. the name and title of the official who authorized the disclosure;
  3. the date of the disclosure;
  4. the name, title and institution or organization of the official receiving the personal information; and
  5. a copy of the personal information disclosed or a description in sufficient detail to allow a determination of exactly what personal information was disclosed.

8.7 All records of disclosure must follow existing program record-keeping requirements for personal information disclosed for a purpose described in a PIB or with consent.


9. Privacy Training and Awareness

Appropriate Training

9.1 DAIP is responsible for ensuring that training and tools pertaining to the disclosure of personal information are available to DND employees and CAF members.

9.2 Level one advisors (L1s) must ensure that all DND employees and CAF members within their organizations who are responsible for the disclosure of personal information receive appropriate training.


10. Compliance and Consequences

Compliance

10.1 DND employees and CAF members must comply with the Privacy Act, the Privacy Regulations, this DAOD and the Instruction on Disclosure of Personal Information. Should clarification of these laws, policies or instructions be required, DND employees and CAF members may seek direction through their channel of communication or chain of command, as appropriate. Managers and military supervisors have the primary responsibility for and means of ensuring the compliance of their DND employees and CAF members with the Privacy Act, the Privacy Regulations, this DAOD and the Instruction on Disclosure of Personal Information.

Consequences of Non-Compliance

10.2 DND employees and CAF members are accountable to their respective managers and military supervisors for any failure to comply with the Privacy Act, the Privacy Regulations, this DAOD or the Instruction on Disclosure of Personal Information. Non-compliance may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. Managers and military supervisors must take or direct appropriate corrective measures if non-compliance has consequences for the DND or the CAF. The decision of an L1 or other senior official to take action or to intervene in a case of non-compliance, other than in respect of a decision under the Code of Service Discipline regarding a CAF member, will depend on the degree of risk based on the impact and likelihood of an adverse outcome resulting from the non-compliance and other circumstances of the case.

10.3 The nature and severity of the consequences resulting from non-compliance should be commensurate with the circumstances of the non-compliance and other relevant circumstances. Consequences of non-compliance may include one or more of the following:

  1. the ordering of the completion of appropriate learning, training or professional development;
  2. the entering of observations in individual performance evaluations;
  3. increased reporting and performance monitoring;
  4. the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
  5. the reporting of suspected offences to responsible law enforcement agencies;
  6. the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions;
  7. other administrative action, including the imposition of disciplinary measures, for a DND employee;
  8. other administrative or disciplinary action, or both, for a CAF member; and
  9. the imposition of liability on the part of Her Majesty in right of Canada, DND employees and CAF members.

Note – In respect to the compliance of DND employees, see the TB Framework for the Management of Compliance for additional information.


11. Responsibilities

11.1 The following table identifies the responsibilities associated with this DAOD:

The ... is or are responsible for ...
Corp Sec 
  • providing oversight and guidance in respect of the administration of the Privacy Act and the disclosure of personal information under the control of the DND and the CAF.
L1s
  • implementing the Instruction on Disclosure of Personal Information within their organizations;
  • informing DND employees and CAF members within their organizations of the legal, disciplinary and administrative consequences of any inappropriate or unauthorized disclosure of personal information;
  • adopting appropriate measures to ensure that the disclosure of personal information is monitored and documented in order to address the timely identification of inappropriate or unauthorized disclosures;
  • ensuring that all disclosures that are consistent with the original purpose for which the personal information was obtained or compiled are described in a PIB;
  • obtaining consent from an individual for any disclosure of their personal information that is not described in a PIB, not a consistent use or not for a purpose for which it may be disclosed under subsection 8(2) of the Privacy Act;
  • exercising discretion and authorizing the disclosure of personal information pursuant to paragraphs 8(2)(a), (b), (c), (d), (f), (g), (h), (i), (k) and (l) of the Privacy Act;
  • retaining a record of any purpose for which personal information is disclosed, if that purpose is not included in the relevant PIB, and ensuring any such record forms part of the individual’s personal information, except in respect of disclosures under paragraph 8(2)(e) of the Privacy Act;
  • notifying DAIP of any new disclosure of personal information that is consistent with the original purposes for which the personal information was obtained or compiled but is not described in a PIB, and updating the PIB accordingly;
  • establishing an agreement or arrangement between DND and an international, federal, provincial, territorial or municipal public sector entity to ensure appropriate safeguards are instituted before personal information is disclosed; and
  • ensuring that appropriate disclosure clauses are included in contracts or agreements with private sector organizations or individuals before personal information is disclosed.
DAIP
  • making DND employees and CAF members aware of policies, procedures and legal responsibilities regarding the disclosure of personal information;
  • developing orders, directives and instructions for all organizations regarding the disclosure of personal information under the control of the DND and the CAF;
  • consulting, as appropriate, with the Office of the DND and Canadian Forces Legal Advisor on legal matters relating to the interpretation of the Privacy Act and the disclosure of personal information;
  • exercising discretion and authorizing the disclosure of personal information pursuant to paragraphs 8(2)(e), (j) and (m) of the Privacy Act;
  • retaining copies of requests received and records of information disclosed pursuant to paragraph 8(2)(e) of the Privacy Act;
  • establishing measures to ensure that DND and the CAF meet the disclosure requirements of the Privacy Act when contracting or establishing agreements or arrangements with public sector organizations;
  • providing guidance to L1s in order to ensure that appropriate disclosure clauses are included in contracts or agreements that may involve intergovernmental or transborder flows of personal information;
  • notifying the OPC of disclosures made pursuant to paragraph 8(2)(m) of the Privacy Act;
  • notifying the OPC of new disclosures of personal information that are consistent with the original purpose for which the personal information was obtained or compiled but are not described in a PIB, and ensuring that any such disclosures are updated in the Info Source – Sources of Federal Government and Employee Information; and
  • monitoring compliance with this DAOD and the Instruction on Disclosure of Personal Information.
DND employees and CAF members
  • ensuring personal information is not disclosed except in accordance with section 8 of the Privacy Act;
  • complying with the Privacy Act, the Privacy Regulations, this DAOD and the Instruction on the Disclosure of Personal Information;
  • complying with Canadian Forces Health Services Group (CF H Svcs Gp) policies and instructions regarding additional requirements for the disclosure of personal health information; and
  • raising compliance concerns with their channel of communication or chain of command, as appropriate, or DAIP.


12. References

Acts, Regulations, Central Agency Policies and Policy DAOD

Other References
