ATIP Implementation Notice 2022-01: Seeking an Exception to a Requirement of the TBS Access to Information or Privacy Policy Suite

1. Effective Date

This implementation notice takes effect on September 23, 2022.

2. Authorities

This implementation notice is issued pursuant to paragraph 70(1)(c) of the Access to Information Act and paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice provides guidance to federal institutions seeking an exception to Treasury Board of Canada Secretariat (TBS) policy requirements under either the Policy on Access to Information or the Policy on Privacy Protection or their underlying directives.

4. Context

An institution may seek an exception to a policy instrument where there is a need for an activity to temporarily be non-compliant with a policy instrument requirement. An exception is granted for a limited time, as the institution is expected to return to compliance with the respective requirement. Institutions may request an exception to mandatory TBS policy, directive, or standard requirements for various reasons.

The Policy on Access to Information and the Policy on Privacy Protection are issued by the President of the Treasury Board in their role as the Designated Minister for paragraph 70(1)(c) of the Access to Information Act (ATIA) and paragraph 71(1)(d) of the Privacy Act. The President may grant an exception to a requirement under these policies. The Secretary of the Treasury Board has the authority to issue and to grant exceptions to certain underlying instruments including directives, standards, and forms.

To seek an exception to one of the requirements of these TBS policy instruments, the head or the deputy head of the institution must request approval from the appropriate authority.

Of note, most other policy instruments are issued by the Treasury Board under the authority of the Financial Administration Act (FAA). Institutions that are subject to these Treasury Board policies, directives and standards may seek an exception to their requirements via a Treasury Board Submission.

5. Guidance

Exceptions to specific requirements are provided on a case-by-case basis. Program officials should work with the access to information and privacy authorities within their institution to determine which specific requirements of the policy instrument the activity must request an exception for.

Addressing the Request for an Exception

Depending on the nature of the exception to Access to Information or Privacy policy instruments, the request should be sent as follows.

• If the institution is seeking an exception to a requirement of the Policy on Access to Information, the Directive on Access to Information Requests or the Policy on Privacy Protection, the head of the institution must submit an exception request to the President of the Treasury Board.
• If the institution is seeking an exception to a requirement of a privacy Directive (Personal Information Requests and Correction of Personal Information, Privacy Impact Assessment, Privacy Practices or Social Insurance Number), the Deputy Minister or equivalent of the institution must submit an exception request to the Secretary of the Treasury Board.
• If the institution is seeking an exception to more than one instrument under the Access to Information or Privacy policy suites, they should combine the requests, and address them to the highest delegated level, either the President or the Secretary.

Contents of the Request

The letter should include the following:

• institution-specific details that sufficiently contextualize the need for the exception;
• any measures taken to address privacy or access concerns in absence of compliance with the requirement(s); and
• a specific timeframe for when the institution plans to return to compliance with the requirement.

If the exception relates to data elements that are not reflected in current Personal Information Banks (PIBs), add a statement that acknowledges that “Pursuant to subsection 9(4) of the Privacy Act, the Office of the Privacy Commissioner will also be notified of this new [collection or consistent use] of [details] by [date].”

To facilitate exception requests, please find in Annex A, a sample letter template for use when requesting an exception from the President or the Secretary to a policy instrument. Annex B contains a sample letter template specifically for exceptions to the Directive on Social Insurance Number and the timing of the Privacy Impact Assessment. Annex C contains a sample letter template for requesting an exception to the requirement to use the prescribed platforms for receiving ATIP requests.

The Secretary or President of the Treasury Board will endeavour to respond promptly to these requests. Please inform TBS officials of your upcoming request, so that we may engage on the request and facilitate a prompt reply. Please note, TBS may impose conditions on the approval, such as requiring updates in the institution’s Annual Report on the exception and progress on returning to compliance.

The requirements of the TBS policy instruments for which an exception was not sought continue to apply to the institution. As always, there continues to be a need to protect and manage personal information. This includes taking steps to ensure privacy risks are identified and mitigated. Institutions are reminded that PIB registration and publication are obligatory under the Privacy Act. Therefore, in the event an exception is granted, a core Privacy Impact Assessment (PIA) should still be completed as soon as is feasible. By extension, this means that TBS will not register a PIB without an associated PIA, even if an exception is granted.

Similarly, enabling the right of access to information and to request personal information should also be prioritized. If, for example, an exception is sought for the use of a prescribed platform in receiving or processing requests, institutions should understand that this exception must be tied to specific and substantiated operational requirements and include a plan to return to compliance as soon as possible.

Treasury Board Submission Implications

In some cases, the institution may wish to seek an exception to an Access to Information or Privacy policy instrument and an exception from a Treasury Board instrument issued under the FAA, such as the Directive on Management of Procurement. In this case, the institution will need to submit a request for an exception to the Access to Information or Privacy instruments, as well as an exception through a Treasury Board Submission. When developing the Treasury Board Submission, ensure that:

• the institution seeks an exception (through the process outlined above) to the Policy on Access to Information or the Policy on Privacy Protection prior to finalizing the Treasury Board submission, and
• the institution documents in the body of the Treasury Board submission, if the exception request was granted and any pertinent details.

For more information on writing a Treasury Board submission, see Guidance for Drafters of Treasury Board Submissions.

6. Application

This implementation notice applies to the government institutions as defined in sections 3 of the Privacy Act and the Access to Information Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.

This implementation notice does not apply to the Bank of Canada.

7. References

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this implementation notice.

Employees of federal institutions may contact their Access to Information and Privacy coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Access to Information Policy and Performance Division and the Privacy and Data Protection Division for information about this implementation notice.

Annex A: Sample Exception Request Letter Template

PROTECTED B
[CONFIDENCE OF THE KING’S PRIVY COUNCIL (if a TB Submission is referenced)]

[Name of Secretary or President]
[Secretary or President] of the Treasury Board of Canada
Treasury Board of Canada Secretariat
90 Elgin Street, Floor 8
Ottawa ON K1A 0R5

Dear Colleague:

The [name of institution] is seeking to implement [name of activity]. [Brief explanation of the activity and the urgency].

I am seeking your approval to grant an exception to [number of the policy suite requirement] of the [Policy or Directive name] to enable [details of the desired exception outcome]. (For example: to implement an initiative prior to completing a Privacy Impact Assessment (PIA) and registering the accompanying Personal Information Bank (PIB)).

[Provide: 1) a rationale for why the exception is required and 2) a timeframe for returning to compliance]. (For example: Given the pressing and urgent nature of this activity, a PIA is not feasible at this time. The [institution] is seeking an exception to this requirement of the Directive and commits to submitting a PIA by [date].)

[Outline steps being taken to mitigate risks].

(As needed: Pursuant to subsection 9(4) of the Privacy Act, the Office of the Privacy Commissioner will also be notified of this new [collection or consistent use] by [date].)

This exception will allow the [institution] to move forward with [details].

I appreciate your consideration in the matter.

Yours sincerely,

[Head or Deputy head] signature block

Annex B: Sample Exception Request Letter Template Regarding Directive on the Social Insurance Number

PROTECTED B
CONFIDENCE OF THE KING’S PRIVY COUNCIL

Graham Flack
Secretary of the Treasury Board of Canada
Treasury Board of Canada Secretariat
90 Elgin Street, Floor 8
Ottawa ON K1A 0R5

Dear Colleague:

The [name of institution]] will be seeking approval of a Treasury Board Submission for the funding to [details of the submission].

As part of this initiative, I am seeking your approval to grant an exception to a requirement of the Directive on Social Insurance Number (the Directive) and grant authority for the [program] to use the Social Insurance Number (SIN) prior to the completion of a Privacy Impact Assessment (PIA).

The Directive requires that before seeking the approval of Treasury Board for a new collection and use of the SIN, a completed PIA be submitted to Treasury Board of Canada Secretariat and the Office of the Privacy Commissioner.

Given the pressing and urgent nature of this initiative, a PIA is not feasible at this time. The [institution] is seeking an exception to this requirement of the Directive and commits to completing a PIA by [date]. Pursuant to subsection 9(4) of the Privacy Act, the Office of the Privacy Commissioner will also be notified of this new [collection or consistent use] of the SIN in advance of the completed PIA.

This exception will allow the [institution] to move forward with [details].

I appreciate your consideration in the matter.

Yours sincerely,

Deputy head signature block

Annex C: Sample Exception Request Letter Template Regarding Requirement to use the ATIP Online Request Service

PROTECTED B

Mona Fortier
President of the Treasury Board of Canada
Treasury Board of Canada Secretariat
90 Elgin Street, Floor 8
Ottawa ON K1A 0R5

Dear Colleague:

I am seeking your approval to grant an exception to 4.3.9.1 of the Policy on Access to Information; 4.2.20.1 of the Policy on Privacy Protection; 4.1.16 of the Directive on Access to Information Requests; and 4.1.15 of the Directive on Personal Information Requests and Correction of Personal Information to enable [details of the desired exception outcome]. (For example, to implement required business process changes or the necessity of planned functionality to be available before implementing ATIP online.)

[Provide: 1) a rationale for why the exception is required and 2) a timeframe for returning to compliance].

[Outline steps being taken to mitigate risks].

This exception will allow the [institution] to move forward with [details].

I appreciate your consideration in the matter.

Yours sincerely,

Head signature block