Privacy Implementation Notice 2022-02: Identity Verification for Personal Information Requests

Legislation

• Financial Administration Act
• Official Languages Act
• Privacy Act
• Privacy Act Extension Order, No. 3
• Privacy Regulations

Related Treasury Board Policy Instruments

• Directive on Identity Management
• Directive on Personal Information Requests and Correction of Personal Information
• Directive on Service and Digital
• Directive on Social Insurance Number
• Policy on Government Security
• Policy on Privacy Protection
• Policy on Service and Digital

Other publications

• About identity verification requirements (PSPC)
• Assurance Level Requirement (TBS)
• GDPR on identity verification
• Guideline on Defining Authentication Requirements (TBS)
• Guideline on Identity Assurance (TBS)
• Methods to verify the identity of persons and entities (FINTRAC)
• Notary Services (GAC)
• Pre-boarding identification requirements (CBSA)
• Privacy Breach Management (TBS)
• Provincial definitions of a minor (IRCC)
• Taking Privacy into Account Before Making Contracting Decisions (TBS)
• Tools to help determine authentic documents (PSPC)

Step 1 - Categorize the type of requests received by the institution

Categorize the common types of requests received by your institution. One consideration is the information sought by the requesters. Examples include requests for a status update on a file, an immigration officer’s notes, or financial information in a tax return. The types of responsive records based on these requests may be more or less sensitive. Group similar requests based on the sensitivity of the types of responsive records.

Another consideration is whether the request originates from a domestic or an international requester. Domestic requesters have identity documents which should be familiar to the institution’s ATIP office. More importantly, if a privacy breach occurred, there would be an injury to the individual, but the reputational risk would likely be limited to Canada. If a privacy breach occurred with a foreign national’s information, not only would there be an injury to the individual, but diplomatic relations may also be impacted. Countries with whom Canada does not have close diplomatic relations may present a higher reputational risk should a privacy breach occur. Thus, this would add to the care which should be taken when disclosing information.

Step 2 - Analyze the level of sensitivity of the information requested

Perform a risk analysis of the level of sensitivity of the types of information that will be disclosed. TBS has developed a Credential Assurance Level Tool that can be used to assist in this regard.

It is recommended to work through the tool in a team so that the assurance level score is arrived at through consensus and discussion among team members. The tool will provide a score of the sensitivity of the information sought and the level of assurance required for adequate identity verification.

To ensure consistency across the federal government, if other federal institutions process similar requests, it is a best practice to share your analysis and the resulting procedures for similar requests.

Step 3 – Prescribe required identity documents or personal information from the requester

Based on the risk assessment, refer to the table in Annex B to determine how many pieces of identity and what types of identity document should be provided for each type of request.

If collecting photo ID, the document must indicate the requester’s name, date of birth and address, include a photo of the requester, as well as a unique identifying number. If the document is issued by a foreign government, it must be equivalent to a Canadian document. Documents issued by a municipal government, such as library cards or bus passes, are not acceptable.

The list of possible acceptable identity documents may be different for domestic and international requesters. Examples of possible acceptable identification documents or any identifying number assigned to the individual include:

• Passports
• Driver's licences or enhanced driver’s licences
• Provincial or territorial photo cards for non-drivers (excluding health cards)
• Certificates of Indian Status (status cards)
• Citizenship cards or national identity cards
• Permanent resident cards
• Nexus cards
• Record of landing forms/confirmation of permanent residence (IMM 5292)
• Immigration documents issued to foreign nationals present in Canada (e.g., work permit, study permit, refugee approved status)
• Birth certificates
• Personal record identifier (PRI) for current or former public servants

The Social Insurance Number is not an identity document but may be requested by specific institutions if the request seeks information about employment, government benefit programs and/or services and taxation purposes. (For additional information on the collection and use of the SIN, please refer to the Directive on Social Insurance Number.)

The Financial Transaction and Reports Analysis Centre of Canada (FINTRAC) provides more guidance on acceptable identity documents in their Methods to verify the identity of persons and entities.

If a requester’s identity has previously been verified within the institution as part of a different program or service, a file number or case number may have already been assigned to them. Institutions may wish to require this file number or unique identifier as part of a request: this will help to confirm the requester’s identity. This type of information is already identified in the Standard PIB: PSU 901 - Access to Information Act and Privacy Act Requests.

Step 4 – Advise requesters of required identity documents or personal information

Develop a procedure to request the identity information from the requester. Both the updated Personal Information Request form and ATIP Online Request Service (AORS) note that additional documents may be requested by institutions as part of identity verification, so requesters should be aware and ready to supply these.

Based on the assurance requirements for different classes of requests identified in step 3, institutions may wish to include the identity requirements in the acknowledgement letters that must be sent to requesters, as per 4.1.7.1 of the Directive on Personal Information Requests and Correction of Personal Information. While awaiting a response from a requester, it is a best practice to advise them that the request will not be processed until their identity can be confirmed. Thus, the legislative timelines for a response are preserved. If the requester does not reply by a reasonable deadline, their request may be considered abandoned, and the request closed.

AORS provides a Protected B security environment into which the above listed identity documents or personal information may be securely transferred to participating institutions. AORS connections are encrypted and adequately protect sensitive information. Individuals should be encouraged to use AORS, as emailing their identity information from their personal devices to the Government of Canada’s email environment brings with it a higher risk of compromise. Alternatively, postal mail is a secure non-digital alternative for sending copies of identity documents to the institution. Institutions may wish to include this advice in their acknowledgement letters.

Step 5 – Verify the authenticity of the documents collected

Verifying the identity of the individual making a request includes confirming the authenticity of the documents presented to ensure they are not counterfeit. Authenticity is defined in Public Services and Procurement Canada’s About identity verification requirements.

Procedures to determine the authenticity of a document, should include confirming that the document:

• Does not appear to have been tampered with or changed
• Does not contain grammatical and spelling mistakes
• Is consistent with the information contained in other documents provided
• Is legible and not handwritten

Procedures should include examining the security features and markers to determine if the document provided is authentic, valid and current. ATIP Offices may work with internal stakeholders to support this step. For example, some institutions may have document authenticity subject matter experts, others may reach out to their security experts, and others may have technological solutions that the ATIP Office can leverage. The issuing jurisdiction of the identity document has an interest in ensuring its documents are not misrepresented. Therefore, guidance on the security features of many domestic and international identity documents are available online for cross referencing. Commercial authenticity services are available for purchase.  See TBS’s guidance document: Taking Privacy into Account Before Making Contracting Decisions if considering this option.

If the document is not clear, or the markings cannot be observed, institutions may ask the requester for a notarized copy that is clearly legible.

Step 6 – Request a translation of identity documents that have been submitted in a language other than English or French

As per s. 22 of the Official Languages Act, federal institutions must ensure that any member of the public can communicate with and obtain available services in either of Canada’s official languages. If the identity documents are in neither English, nor French, the institution may request a translated notarized copy, along with a copy of the document in the other language. Canadian embassies provide notarial service in some countries.

While awaiting a response from a requester, it is a best practice to advise them that the request will not be processed until their identity can be confirmed. Thus, the legislative timelines for a response are preserved. If the requester does not reply by a reasonable deadline, their request may be considered abandoned, and the request closed.

Step 7 – Match the documents and information to the requester

Once the authenticity of the documents has been confirmed, institutions should ensure that the information in the documents is consistent with the information contained in the request form and other documents provided. As noted in step 3, if the institution has a file or case associated with the individual, the institution may be able to verify identity by linking the file or case number provided with information contained in the request.

For example, both the Canadian Border Services Agency (CBSA) and Immigration, Refugee and Citizenship Canada (IRCC) use a consistent Universal Client Identification (UCI) number which is assigned when their file was opened in the Global Case Management Software (GCMS). This unique identifier, and the data it refers to in GCMS, may be used to corroborate the identity of a requester with another piece of identity that contains the name, address, and birthdate of the requester. This method is not without risk, as it assumes that the person using the UCI is the same as the person who originally interacted with the Government of Canada.

If the institution has an email address on file for the individual, separate from what is contained in the request, an email could be sent to the individual notifying them that a request has been made for their information. The individual should be advised to contact the institution immediately if this is an error or not expected.

Where photo identification is included, the name and appearance of the requester must match the individual being identified. Scheduling a live video chat session is another means of determining whether the individual making the request matches the identity documents provided.  If pursuing video verification, institutions should consider encouraging individuals to protect their privacy by, for example, suggesting that they speak in front of a neutral background, or employing a background filter.

If an institution is unable to verify the identity of the requester, either because there is a mismatch between the individual and the documents or insufficient information is provided, the institution may ask for further information to verify identity. Questions related to the content of the file, such as the nature of the grant or visa applied for, can help confirm the identity of the individual.

While awaiting a response from a requester, it is a best practice to advise them that the request will not be processed until their identity can be confirmed. Thus, the legislative timelines for a response are preserved. If the requester does not reply by a reasonable deadline, their request may be considered abandoned, and the request closed.

Step 8 – Verify the identity of the requester when someone other than the individual to whom the information pertains is making the request under s. 10 of the Privacy Regulations

Step 9 – Send written notice and document denials based on identity

Document the results of the identity verification process and the reasons for any denials. For example, keep a record of the issues identified with the documents or any inconsistencies in information supplied.  The copies of the identity documents supplied by the requester need to be kept for two years, as per paragraph 4(1)(a) of the Privacy Regulations, unless the requester has given consent to their early disposal. All this information will be useful in the event of a complaint or an investigation into a possible breach.

If, even with further information, it is still not possible to confirm the identity of the individual, and the risk of a privacy breach is too great, the delegated head of the institution should deny the request per subsection 8(2) of the Privacy Regulations. In this case, institutions must provide a written notice to the individual that their request for access has been denied, the reason for the denial, and their right to complain to the Office of the Privacy Commissioner.

Step 10 – Evaluate the effectiveness of the identity verification procedures

Institutions should periodically review their procedures to confirm whether they remain appropriate to the types of requests they are receiving and the information they are disclosing. This is especially important given that a new population of requesters will begin to have access with the coming into force of the Privacy Act Extension Order, No. 3.

Definitions:

Foundational evidence of identity:

Evidence of identity that establishes core identity information such as given name(s), surname, date of birth, sex and place of birth. Examples include records of birth, immigration or citizenship from an authority with the necessary jurisdiction.

Supporting evidence of identity:

Evidence of identity that corroborates the foundational evidence of identity and assists in linking the identity information to an individual. It may also provide additional information such as a photo, signature or address. Examples include social insurance records; records of entitlement to travel, drive or obtain health insurance; and records of marriage, death or name change originating from a jurisdictional authority.