Privacy Implementation Notice 2022-02: Identity Verification for Personal Information Requests

1. Effective Date

This implementation notice takes effect on October 17, 2022. It replaces the notice published on May 25, 2022.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice provides direction to Access to Information and Privacy (ATIP) coordinators on the requirement set out in s.4.1.4 of the Directive on Personal Information Requests and Correction of Personal Information that institutions must establish procedures to validate the identity of a requester. Failure to properly verify the identity of a requester could lead to the release of personal information to an unauthorized individual or organization, which would constitute a privacy breach.

It also provides direction on the requirements 4.1.1 through 4.1.6 set out in the Directive on Identity Management. This Directive defines how programs and services, such as ATIP services, manage identity in a manner that mitigates risks, while protecting program integrity and enabling trusted citizen-centred service delivery. It also ensures identity is managed consistently within the Government of Canada. The Directive on Identity Management applies to institutions described in section 6 of the Policy on Government Security, namely all institutions in Schedule I, I.1, IV and V of the Financial Administration Act. Heads of institutions, or their delegates, that are not subject to the Directive on Identity Management should nonetheless consider these requirements as best practices and follow them where possible.

4. Context

Subsection 12(1) of the Privacy Act gives Canadian citizens, permanent residents and individuals present in Canada a right of access to personal information held by government institutions. As of July 13, 2022 when the Privacy Act Extension Order, No. 3 comes into force, that right of access will be extended to all individuals outside Canada to whom that right has not been extended previously. As per section 8 of the Privacy Act, personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with the provisions in subsection 8(2) of the Act. Furthermore, subsection 8(2) of the Privacy Regulations states that an individual making a request for access to personal information must provide adequate identification to the government institution before access to that information is provided. Therefore, institutions responding to personal information requests should be reasonably assured of the identity of the person requesting, so that personal information is only disclosed to that individual. Subsection 8(2) of the Regulations goes on to note that individuals may be required to present themselves in person.

When the Privacy Act was written, physical documents were the predominant method of evidence of identity for Government of Canada programs and services. In the past, an individual may have had to provide hard copies of original identity documents and appear in person for identity verification. As digital delivery methods become more prevalent, digital representations of identity are increasingly accepted as alternatives to physical documents. This is especially true with respect to foreign requesters where the individual may not be readily able to present themselves at a Government of Canada location. Ensuring that digital identity documentation is adequately verified is imperative to mitigate the risk of privacy breaches, while delivering government services.

There are many approaches to identity verification. Some programs or services require a high degree of certainty with regards to the identity of the individual because of the sensitivity of the information being shared. Other programs may take a risk-based approach, recognizing that time and resources required for absolute certainty of identity may not be necessary, given that identity may already have been established due to previous dealings with the government institution.

Assessing the type of personal information being requested of the institution and the impact of a possible breach of this information is a way to assess the risks associated with delivering ATIP services. For example, responsive records that include bank account details, medical records, or sensitive law enforcement documents are of more significance than the business title and email address of an individual. The Directive on Identity Management and its tools create a framework for determining what is adequate identification given these risks.

5. Guidance

Institutions must ensure adequate identification is provided and uphold the legal requirements to protect personal information when providing the right of access. Where the sensitivity of the requested information is relatively low and the identity is reasonably assured as per the Directive on Identity Management, institutions should facilitate the right of access. However, as the sensitivity of the information and the potential injury to the individual increases, the standard for adequate identity verification rises and preventing breaches should be prioritized.

Each institution is responsible for establishing its own procedures to validate the identity of the requesters. Annex A provides guidance on steps to consider in establishing these procedures. Annex A’s focus is on the procedure in general, not identity verification for a specific request. Treasury Board of Canada Secretariat’s (TBS) Cyber Security team has also developed a Guideline on Identity Assurance, a Guideline on Defining Authentication Requirements, and a tool to determine Assurance Level Requirement. They support the requirements within the Directive on Identity Management.

Annex B provides a chart articulating the sensitivity of information and the commensurate level of assurance required for its release. It is taken from the Guideline on Identity Assurance.

6. Application

This implementation notice applies to the government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations. However, it does not apply to the Bank of Canada.

7. References

Legislation

Related Treasury Board Policy Instruments

Other publications

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this implementation notice.

Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat's Privacy and Data Protection Division for information about this implementation notice.

Annex A: Establishing procedures to verify requesters’ identity

Step 1 - Categorize the type of requests received by the institution

Categorize the common types of requests received by your institution. One consideration is the information sought by the requesters. Examples include requests for a status update on a file, an immigration officer’s notes, or financial information in a tax return. The types of responsive records based on these requests may be more or less sensitive. Group similar requests based on the sensitivity of the types of responsive records.

Another consideration is whether the request originates from a domestic or an international requester. Domestic requesters have identity documents which should be familiar to the institution’s ATIP office. More importantly, if a privacy breach occurred, there would be an injury to the individual, but the reputational risk would likely be limited to Canada. If a privacy breach occurred with a foreign national’s information, not only would there be an injury to the individual, but diplomatic relations may also be impacted. Countries with whom Canada does not have close diplomatic relations may present a higher reputational risk should a privacy breach occur. Thus, this would add to the care which should be taken when disclosing information.

Step 2 - Analyze the level of sensitivity of the information requested

Perform a risk analysis of the level of sensitivity of the types of information that will be disclosed. TBS has developed a Credential Assurance Level Tool that can be used to assist in this regard.

It is recommended to work through the tool in a team so that the assurance level score is arrived at through consensus and discussion among team members. The tool will provide a score of the sensitivity of the information sought and the level of assurance required for adequate identity verification.

To ensure consistency across the federal government, if other federal institutions process similar requests, it is a best practice to share your analysis and the resulting procedures for similar requests.

Step 3 – Prescribe required identity documents or personal information from the requester

Based on the risk assessment, refer to the table in Annex B to determine how many pieces of identity and what types of identity document should be provided for each type of request.

If collecting photo ID, the document must indicate the requester’s name, date of birth and address, include a photo of the requester, as well as a unique identifying number. If the document is issued by a foreign government, it must be equivalent to a Canadian document. Documents issued by a municipal government, such as library cards or bus passes, are not acceptable.

The list of possible acceptable identity documents may be different for domestic and international requesters. Examples of possible acceptable identification documents or any identifying number assigned to the individual include:

  • Passports
  • Driver's licences or enhanced driver’s licences
  • Provincial or territorial photo cards for non-drivers (excluding health cards)
  • Certificates of Indian Status (status cards)
  • Citizenship cards or national identity cards
  • Permanent resident cards
  • Nexus cards
  • Record of landing forms/confirmation of permanent residence (IMM 5292)
  • Immigration documents issued to foreign nationals present in Canada (e.g., work permit, study permit, refugee approved status)
  • Birth certificates
  • Personal record identifier (PRI) for current or former public servants

The Social Insurance Number is not an identity document but may be requested by specific institutions if the request seeks information about employment, government benefit programs and/or services and taxation purposes. (For additional information on the collection and use of the SIN, please refer to the Directive on Social Insurance Number.)

The Financial Transaction and Reports Analysis Centre of Canada (FINTRAC) provides more guidance on acceptable identity documents in their Methods to verify the identity of persons and entities.

If a requester’s identity has previously been verified within the institution as part of a different program or service, a file number or case number may have already been assigned to them. Institutions may wish to require this file number or unique identifier as part of a request: this will help to confirm the requester’s identity. This type of information is already identified in the Standard PIB: PSU 901 - Access to Information Act and Privacy Act Requests.

Step 4 – Advise requesters of required identity documents or personal information

Develop a procedure to request the identity information from the requester. Both the updated Personal Information Request form and ATIP Online Request Service (AORS) note that additional documents may be requested by institutions as part of identity verification, so requesters should be aware and ready to supply these.

Based on the assurance requirements for different classes of requests identified in step 3, institutions may wish to include the identity requirements in the acknowledgement letters that must be sent to requesters, as per 4.1.7.1 of the Directive on Personal Information Requests and Correction of Personal Information. While awaiting a response from a requester, it is a best practice to advise them that the request will not be processed until their identity can be confirmed. Thus, the legislative timelines for a response are preserved. If the requester does not reply by a reasonable deadline, their request may be considered abandoned, and the request closed.

AORS provides a Protected B security environment into which the above listed identity documents or personal information may be securely transferred to participating institutions. AORS connections are encrypted and adequately protect sensitive information. Individuals should be encouraged to use AORS, as emailing their identity information from their personal devices to the Government of Canada’s email environment brings with it a higher risk of compromise. Alternatively, postal mail is a secure non-digital alternative for sending copies of identity documents to the institution. Institutions may wish to include this advice in their acknowledgement letters.

Step 5 – Verify the authenticity of the documents collected

Verifying the identity of the individual making a request includes confirming the authenticity of the documents presented to ensure they are not counterfeit. Authenticity is defined in Public Services and Procurement Canada’s About identity verification requirements.

Procedures to determine the authenticity of a document should include confirming that the document:

  • Does not appear to have been tampered with or changed
  • Does not contain grammatical and spelling mistakes
  • Is consistent with the information contained in other documents provided
  • Is legible and not handwritten

Procedures should include examining the security features and markers to determine if the document provided is authentic, valid and current. ATIP Offices may work with internal stakeholders to support this step. For example, some institutions may have document authenticity subject matter experts, others may reach out to their security experts, and others may have technological solutions that the ATIP Office can leverage. The issuing jurisdiction of the identity document has an interest in ensuring its documents are not misrepresented. Therefore, guidance on the security features of many domestic and international identity documents is available online for cross-referencing. Commercial authenticity services are available for purchase. See TBS’s guidance document: Taking Privacy into Account Before Making Contracting Decisions if considering this option.

If the document is not clear, or the markings cannot be observed, institutions may ask the requester for a notarized copy that is clearly legible.

Step 6 – Request a translation of identity documents that have been submitted in a language other than English or French

As per s. 22 of the Official Languages Act, federal institutions must ensure that any member of the public can communicate with and obtain available services in either of Canada’s official languages. If the identity documents are in neither English, nor French, the institution may request a translated notarized copy, along with a copy of the document in the other language. Canadian embassies provide notarial service in some countries.

While awaiting a response from a requester, it is a best practice to advise them that the request will not be processed until their identity can be confirmed. Thus, the legislative timelines for a response are preserved. If the requester does not reply by a reasonable deadline, their request may be considered abandoned, and the request closed.

Step 7 – Match the documents and information to the requester

Once the authenticity of the documents has been confirmed, institutions should ensure that the information in the documents is consistent with the information contained in the request form and other documents provided. As noted in step 3, if the institution has a file or case associated with the individual, the institution may be able to verify identity by linking the file or case number provided with information contained in the request.

For example, both the Canadian Border Services Agency (CBSA) and Immigration, Refugee and Citizenship Canada (IRCC) use a consistent Universal Client Identification (UCI) number, which is assigned when an individual's file is opened in the Global Case Management Software (GCMS). This unique identifier, and the data it refers to in GCMS, may be used to corroborate the identity of a requester with another piece of identity that contains the name, address, and birthdate of the requester. This method is not without risk, as it assumes that the person using the UCI is the same as the person who originally interacted with the Government of Canada.

If the institution has an email address on file for the individual, separate from what is contained in the request, an email could be sent to the individual notifying them that a request has been made for their information. The individual should be advised to contact the institution immediately if this is an error or not expected.

Where photo identification is included, the name and appearance of the requester must match the individual being identified. Scheduling a live video chat session is another means of determining whether the individual making the request matches the identity documents provided. If pursuing video verification, institutions should consider encouraging individuals to protect their privacy by, for example, suggesting that they speak in front of a neutral background, or employing a background filter.

If an institution is unable to verify the identity of the requester, either because there is a mismatch between the individual and the documents or insufficient information is provided, the institution may ask for further information to verify identity. Questions related to the content of the file, such as the nature of the grant or visa applied for, can help confirm the identity of the individual.

While awaiting a response from a requester, it is a best practice to advise them that the request will not be processed until their identity can be confirmed. Thus, the legislative timelines for a response are preserved. If the requester does not reply by a reasonable deadline, their request may be considered abandoned, and the request closed.

Step 8 – Verify the identity of the requester when someone other than the individual to whom the information pertains is making the request under s. 10 of the Privacy Regulations

Example 1: A parent or guardian is requesting the personal information of a minor.

If the request is for a minor (see IRCC’s Provincial definitions of a minor), the institution must verify the identity of the requesting parent or guardian and record their information. If the institution has email addresses on file for the requesting parent or guardian, as well as any non-requesting parent(s) or guardian(s), depending on the nature of the information, consider notifying all parties that a request has been made for the minor’s information. Concerned parties should be advised to contact the institution immediately if the request was made in error or not expected. In addition to validating the identity of the requester, institutions also must confirm the requester has the legal authority to make such a request on behalf of the minor.

Example 2: A lawyer or other professional is requesting the personal information on behalf of another individual

If the request is coming from an individual other than the individual to whom the information pertains, the institution must verify both the identity of the requester and the individual, as well as the validity of the authorization of the individual to have that third party make the request on their behalf. The level of validation of identity and document authentication should be dependent on the level of sensitivity of the requested information, as described earlier in this PIN. Institutions must ensure that the third party has the authorization of the individual to whom the information pertains. If it is common in an institution to have a third party make a request on behalf of another individual, the institution may prescribe forms to ensure the authorization is valid.

Step 9 – Send written notice and document denials based on identity

Document the results of the identity verification process and the reasons for any denials. For example, keep a record of the issues identified with the documents or any inconsistencies in information supplied. The copies of the identity documents supplied by the requester need to be kept for two years, as per paragraph 4(1)(a) of the Privacy Regulations, unless the requester has given consent to their early disposal. All this information will be useful in the event of a complaint or an investigation into a possible breach.

If, even with further information, it is still not possible to confirm the identity of the individual, and the risk of a privacy breach is too great, the delegated head of the institution should deny the request per subsection 8(2) of the Privacy Regulations. In this case, institutions must provide a written notice to the individual that their request for access has been denied, the reason for the denial, and their right to complain to the Office of the Privacy Commissioner.

Step 10 – Evaluate the effectiveness of the identity verification procedures

Institutions should periodically review their procedures to confirm whether they remain appropriate to the types of requests they are receiving and the information they are disclosing. This is especially important given that a new population of requesters will begin to have access with the coming into force of the Privacy Act Extension Order, No. 3.

Annex B: Assurance Level Guidelines for Evidence of Identity

From the Guideline on Identity Assurance

Requirements by assurance level (Level 1 to Level 4):

Uniqueness

  • Level 1: Define identity information; define context
  • Level 2: Define identity information; define context
  • Level 3: Define identity information; define context
  • Level 4: Define identity information; define context

Evidence of Identity

  • Level 1: No restriction on what is provided as evidence
  • Level 2: One instance of evidence of identity
  • Level 3: Two instances of evidence of identity (at least one must be foundational evidence of identity)
  • Level 4: Three instances of evidence of identity (at least one must be foundational evidence of identity)

Accuracy of Identity Information

  • Level 1: Acceptance of self-assertion of identity information by an individual
  • Level 2: Identity information acceptably matches assertion by an individual and evidence of identity; and confirmation that evidence of identity originates from appropriate authority
  • Level 3: Identity information acceptably matches assertion by an individual and all instances of evidence of identity; and confirmation of the foundational evidence of identity using authoritative source; and confirmation that supporting evidence of identity originates from appropriate authority, using authoritative source or inspection by trained examiner
  • Level 4: Identity information acceptably matches assertion by an individual and all instances of evidence of identity; and confirmation of the foundational evidence of identity using authoritative source; and confirmation that supporting evidence of identity originates from appropriate authority, using authoritative source or inspection by trained examiner

Linkage of Identity Information to Individual

  • Level 1: No requirement
  • Level 2: No requirement
  • Level 3: At least one of the following:
      1. Knowledge-based confirmation
      2. Biological or behavioural characteristic confirmation
      3. Trusted referee confirmation
      4. Physical possession confirmation
  • Level 4: At least three of the following:
      1. Knowledge-based confirmation
      2. Biological or behavioural characteristic confirmation
      3. Trusted referee confirmation
      4. Physical possession confirmation

Definitions:

Foundational evidence of identity:
Evidence of identity that establishes core identity information such as given name(s), surname, date of birth, sex and place of birth. Examples include records of birth, immigration or citizenship from an authority with the necessary jurisdiction.
Supporting evidence of identity:
Evidence of identity that corroborates the foundational evidence of identity and assists in linking the identity information to an individual. It may also provide additional information such as a photo, signature or address. Examples include social insurance records; records of entitlement to travel, drive or obtain health insurance; and records of marriage, death or name change originating from a jurisdictional authority.
