Privacy Implementation Notice 2022–03: Requests for Accommodation

1. Effective date

This implementation notice takes effect on June 30, 2022.

2. Authorities

This Privacy Implementation Notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Application

This Privacy Implementation Notice applies to departments and other portions of the federal public administration as defined in section 6 of the Policy on People Management and listed in section 11 of the Financial Administration Act. These departments are subject to the Directive on Duty to Accommodate, to which this Privacy Implementation Notice relates.

4. Purpose

This Implementation Notice provides guidance to privacy officials to support them in providing privacy advice related to accommodation requests. It is important that the advice provided is consistent and aligns with the Privacy Act and all its related policies, as well as with any new guidance on the duty to accommodate.

5. Context

The federal public service strives to be an inclusive, barrier‑free workplace in which all persons have equal access to opportunities in the core public administration. To foster this, the public service aims to create a workplace in which employees are treated with dignity and respect in an inclusive, barrier‑free environment. When barriers cannot be removed, individuals are accommodated up to the point of undue hardship, taking into consideration issues of health, safety and cost. Requests for accommodation contain sensitive personal information and often raise privacy concerns. To address these, privacy officials must be aware of the requirements of the duty accommodate and be able to provide sound policy advice.

6. Guidance

Annex A provides questions and answers about how to consider privacy in the Duty to Accommodate process, which may help privacy officials formulate advice on the management of personal information for their institution.

7. References

Legislation

• Financial Administration Act
• Privacy Act
• Privacy Regulations

Related Treasury Board policy instruments

• Directive on Privacy Practices
• Directive on the Duty to Accommodate
• Duty to Accommodate: A General Process for Managers
• Managing for Wellness – Disability Management Handbook for Managers in the Federal Public Service
• Obtaining Information from Health Care Practitioners in Cases of Employee Illness or Injury
• Policy on People Management
• Policy on Privacy Protection
• Privacy Implementation Notice 2020-03: Protecting privacy when releasing information about a small number of individuals

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this Implementation Notice.

Employees of federal departments may contact their Access to Information and Privacy (ATIP) coordinator for information about this Implementation Notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Data Protection Division for information about this Implementation Notice.

Annex A: Questions and Answers – Requests for Accommodation

1. Do institutions have the legal authority to collect personal information to make decisions about accommodation requests? 

Yes, institutions have the legal authority to collect personal information to use in support of occupational health and safety activities, which include the duty to accommodate. This collection is described in the standard personal information bank PSE 907, Occupational Health and Safety. Any use or disclosure of personal information should align with the description in the personal information bank.

2. What needs to be considered from a privacy perspective when establishing an accommodation committee and review process? 

The following general considerations should be addressed:

• Members of the committee: Membership should be limited to those who have a “need to know” for the information. It is important that members of the committee understand their responsibilities in protecting the personal information to which they will have access. This includes limiting use and disclosure (as listed further below), and respecting the individual’s right to dignity, privacy and confidentiality. Also see question 7 below for more information on protecting personal information, including regarding breach reporting.
• De-identification of information: Where possible, when committee discussions involve the subject of individuals, those individuals should de-identified. Details that may identify individuals should not be included in the discussion when it is possible to omit them. You should work with Human Resources/Labour Relations experts to develop a process to de-identify information where possible.
  • Please note, individuals have the right of access to their own personal information. Where information has been de-identified for the purposes of discussion, it must be stored in way that will allow for the information to be retrieved should the employee request access to their own information.
• Documenting recommendations: The recommendations of a committee should be documented and should be available to the employee should they request access to, or correction of, their personal information. 
• Limiting use and disclosure: As per section 7 of the Privacy Act, personal information is only to be used for the purpose for which it was collected, a use consistent with that purpose, or other purposes set out in subsection 8(2) of the Privacy Act. As noted above, any use or disclosure of personal information should align with the description in the personal information bank PSE 907, Occupational Health and Safety.
• Work with your departmental legal services to provide specific and contextual advice.

3. Will an employee need to provide sensitive personal information when requesting accommodation?

Employees may choose to provide any information that they deem relevant to support their request for accommodation, which may include sensitive personal information. Managers must respect the privacy of medical information even in situations where an employee voluntarily shares this information.

Managers may need to request additional information from an employee. This request must focus on the functional limitations and safety issues at hand to determine the appropriate accommodation. The employer is not entitled to know the exact diagnosis or treatments prescribed. The word of a treating physician is sufficient to verify whether an employee requires an accommodation. Managers should not request any more information than what is required to make a decision.

4. Once employees have provided their personal information to their manager, how can that information be used? 

Personal information can be used only for the purpose for which it was collected, or for a use consistent with that purpose, as per section 7 of the Privacy Act. Personal information should not be shared within or outside of the institution with anyone who does not have a legitimate need to know the information, unless authorized by law.

5. Once employees have provided their personal information to their manager, how long should the information be kept?

As per section 4 of the Privacy Regulations, with some exceptions, personal information must be retained for a period of at least two years following the last time it was used for a decision-making purpose. Further questions about retention should be directed to your institution’s Information Management officials.

6. Will employees have access to their accommodation request and other related documentation?

Yes, employees have a right to access this information, subject to any exception in law, and subsequently to request correction to it. Decisions related to individuals, as well as information used to make these decisions, must be documented and stored in a way that would allow for the employee to exercise these rights if they chose. While managers may base their decisions on discussions, the outcomes of these discussions must be documented to support their decision. 

7. Once employees have provided their manager with their personal information, how should that information be protected?

Fostering employee trust through strong privacy protections is foundational to the success of this program. As per section 6.2.19 of the Directive on Privacy Practices, institutions must identify which positions or functions in the program or activity have a valid reason to access and handle personal information. Further, per section 6.2.20 of that Directive, institutions are to limit access to, and the use of, personal information by administrative, technical, and physical means. Measures should be taken for minimal intrusiveness that respect the highly sensitive nature of this information, such as: 

• if the information is stored electronically, ensuring that the electronic safeguards respect the security designation of the information (Protected B, in this case) and have commensurate controls in place, such as role-based access, and encryption that will limit access to the data.
• ensuring that employees involved in handling sensitive personal information are aware of their responsibilities to protect it.  
• only providing information pertaining to an accommodation request to individuals who have a need to know, such as their direct supervisor or a human resources representative. 
• ensuring the personal information is not inadvertently disclosed when reporting in aggregate on the implementation of the program.  

Any improper or unauthorized collection, use, disclosure, retention, or disposition of personal information is a privacy breach. It is important that employees involved in the accommodation request process are aware of your institution’s privacy breach management plans and their responsibilities in the event they suspect a breach has occurred.

In the event of a privacy breach related to this process, we recommend that institutions consider the breach as material based on the sensitivity of the information and the probable emotional/reputational impact to the individual. As a reminder, TBS’s Directive on Privacy Practices requires that institutions provide formal written notification to TBS and the Office of the Privacy Commissioner of Canada when they have identified a material breach.

8. In reporting any data, what considerations should be made to protect personal information, especially if there were few accommodation requests or decisions in our organization? 

Any reporting should be done using aggregate and de-identified data; however, caution should still be exercised with these datasets. De-identified accommodation requests may reveal the identity of the requester when presented in a small sample of individuals. Protecting the name of an individual may be insufficient if other identifying information is available. Privacy Implementation Notice 2020-03 provides guidance to institutions on measures to help protect privacy when releasing data about a small number of individuals, when the intention is not to release the identity of the individuals, in order to comply with the Privacy Act. 

That notice sets out:

• suggested measures to protect against re-identification 
• specific considerations when releasing information in response to access to information requests 
• considerations when information about government employees or ministerial staff is proposed for release 
• information sharing for administrative, research or statistical purposes 

9. At what level should documents containing personal information related to requests for accommodation be classified?

Any personal information collected in the context of a request for accommodation must be categorized and treated in accordance with its sensitivity. Generally speaking, as the compromise of such information could be expected to result in serious harm to the individual, it should be treated as Protected B. Your institutional Chief Security Officer can support you in ensuring that information is appropriately categorized and that protocols are established for the protection of this information are commensurate with its security categorization.