Privacy Implementation Notice 2022–03: Requests for Accommodation

1. Effective date

This implementation notice takes effect on June 30, 2022.

2. Authorities

This Privacy Implementation Notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Application

This Privacy Implementation Notice applies to departments and other portions of the federal public administration as defined in section 6 of the Policy on People Management and listed in section 11 of the Financial Administration Act. These departments are subject to the Directive on Duty to Accommodate, to which this Privacy Implementation Notice relates.

4. Purpose

This Implementation Notice provides guidance to privacy officials to support them in providing privacy advice related to accommodation requests. It is important that the advice provided is consistent and aligns with the Privacy Act and all its related policies, as well as with any new guidance on the duty to accommodate.

5. Context

The federal public service strives to be an inclusive, barrier‑free workplace in which all persons have equal access to opportunities in the core public administration. To foster this, the public service aims to create a workplace in which employees are treated with dignity and respect in an inclusive, barrier‑free environment. When barriers cannot be removed, individuals are accommodated up to the point of undue hardship, taking into consideration issues of health, safety and cost. Requests for accommodation contain sensitive personal information and often raise privacy concerns. To address these, privacy officials must be aware of the requirements of the duty to accommodate and be able to provide sound policy advice.

6. Guidance

Annex A provides questions and answers about how to consider privacy in the Duty to Accommodate process, which may help privacy officials formulate advice on the management of personal information for their institution.

7. References

Legislation

Related Treasury Board policy instruments

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this Implementation Notice.

Employees of federal departments may contact their Access to Information and Privacy (ATIP) coordinator for information about this Implementation Notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Data Protection Division for information about this Implementation Notice.

Annex A: Questions and Answers – Requests for Accommodation

1. Do institutions have the legal authority to collect personal information to make decisions about accommodation requests? 

Yes, institutions have the legal authority to collect personal information to use in support of occupational health and safety activities, which include the duty to accommodate. This collection is described in the standard personal information bank PSE 907, Occupational Health and Safety. Any use or disclosure of personal information should align with the description in the personal information bank.

2. What needs to be considered from a privacy perspective when establishing an accommodation committee and review process? 

The following general considerations should be addressed:

3. Will an employee need to provide sensitive personal information when requesting accommodation?

Employees may choose to provide any information that they deem relevant to support their request for accommodation, which may include sensitive personal information. Managers must respect the privacy of medical information even in situations where an employee voluntarily shares this information.

Managers may need to request additional information from an employee. This request must focus on the functional limitations and safety issues at hand to determine the appropriate accommodation. The employer is not entitled to know the exact diagnosis or treatments prescribed. The word of a treating physician is sufficient to verify whether an employee requires an accommodation. Managers should not request any more information than what is required to make a decision.

4. Once employees have provided their personal information to their manager, how can that information be used? 

Personal information can be used only for the purpose for which it was collected, or for a use consistent with that purpose, as per section 7 of the Privacy Act. Personal information should not be shared within or outside of the institution with anyone who does not have a legitimate need to know the information, unless authorized by law.

5. Once employees have provided their personal information to their manager, how long should the information be kept?

As per section 4 of the Privacy Regulations, with some exceptions, personal information must be retained for a period of at least two years following the last time it was used for a decision-making purpose. Further questions about retention should be directed to your institution’s Information Management officials.

6. Will employees have access to their accommodation request and other related documentation?

Yes, employees have a right to access this information, subject to any exception in law, and subsequently to request correction to it. Decisions related to individuals, as well as information used to make these decisions, must be documented and stored in a way that would allow for the employee to exercise these rights if they chose. While managers may base their decisions on discussions, the outcomes of these discussions must be documented to support their decision. 

7. Once employees have provided their manager with their personal information, how should that information be protected?

Fostering employee trust through strong privacy protections is foundational to the success of this program. As per section 6.2.19 of the Directive on Privacy Practices, institutions must identify which positions or functions in the program or activity have a valid reason to access and handle personal information. Further, per section 6.2.20 of that Directive, institutions are to limit access to, and the use of, personal information by administrative, technical, and physical means. Measures should be taken for minimal intrusiveness that respect the highly sensitive nature of this information, such as: 

Any improper or unauthorized collection, use, disclosure, retention, or disposition of personal information is a privacy breach. It is important that employees involved in the accommodation request process are aware of your institution’s privacy breach management plans and their responsibilities in the event they suspect a breach has occurred.

In the event of a privacy breach related to this process, we recommend that institutions consider the breach as material based on the sensitivity of the information and the probable emotional/reputational impact to the individual. As a reminder, TBS’s Directive on Privacy Practices requires that institutions provide formal written notification to TBS and the Office of the Privacy Commissioner of Canada when they have identified a material breach.

8. In reporting any data, what considerations should be made to protect personal information, especially if there were few accommodation requests or decisions in our organization? 

Any reporting should be done using aggregate and de-identified data; however, caution should still be exercised with these datasets. De-identified accommodation requests may reveal the identity of the requester when presented in a small sample of individuals. Protecting the name of an individual may be insufficient if other identifying information is available. Privacy Implementation Notice 2020-03 provides guidance to institutions on measures to help protect privacy when releasing data about a small number of individuals, when the intention is not to release the identity of the individuals, in order to comply with the Privacy Act.

That notice sets out:

9. At what level should documents containing personal information related to requests for accommodation be classified?

Any personal information collected in the context of a request for accommodation must be categorized and treated in accordance with its sensitivity. Generally speaking, as the compromise of such information could be expected to result in serious harm to the individual, it should be treated as Protected B. Your institutional Chief Security Officer can support you in ensuring that information is appropriately categorized and that the protocols established for the protection of this information are commensurate with its security categorization.
