Access to Information Implementation Notice 2023-02: Leveraging Access to Information to Promote Declassification and Downgrading of Government Records
1. Effective date
This implementation notice takes effect on December 11, 2023.
2. Authorities
This implementation notice is issued pursuant to paragraph 70(1)(c) of the Access to Information Act (the Act).
3. Purpose
This implementation notice provides guidance to government institutions on how they can leverage existing access to information (ATI) processes and training to promote the declassification or downgrading of the security category assigned to information resources.
4. Context
As part of regular business and in line with their responsibilities under the Treasury Board Directive on Security Management, government officials assign a security category (classified or protected) to records based on the degree of injury associated with the record being disclosed. These categories range from risks to an individual’s privacy and personal dignity to those related to Canada’s national interests and security. Security categorization is based on the risks that exist at the time the categorization was applied and dictates how government officials handle and store the information.
An access request can be made for any record under the control of an institution, regardless of its security categorization. A decision to deny access to a record, or any part of it, must be based solely on the exemption or exclusion provisions of the Access to Information Act as they apply at the time of the request. A decision to deny access must not be based on security categorization, however recently it may have been assigned.
Classified or protected information may lose its sensitivity with the passage of time or after the occurrence of specific events. When it is determined that the expected injury of disclosing such information is reduced, the original record can be considered for declassification or downgrading.
Appendix E of the Directive on Security Management sets out Mandatory Procedures for Information Management Security Control. Subsection E.2.2.2.2:
- requires institutions to keep the time frame for the protection of information as short as possible
- allows government officials to downgrade the security category assigned to information resources, where appropriate, when the expected injury is reduced
In April 2022, the Information Commissioner of Canada tabled the Special Report to Parliament: The Challenges of Accessing Our Collective Memory. The report noted under “Barriers to transparency arise as a consequence of failing to declassify records” that:
- highly classified records can be cumbersome to process under the Access to Information Act
- security designation of records often contributes to overreliance on the use of exemptions in responses to access to information requests out of an abundance of caution
- security designation of records also extends the time required to process access requests and to consult other institutions due to stringent security requirements that heavily encumber every step of the process
- by declassifying records when it is reasonable to do so, institutions would allow easier access to information that is no longer sensitive, as declassified records can be more easily processed
On December 13, 2022, the Government of Canada tabled its Access to Information Review Report to Parliament. This report found that departments and agencies do not regularly assess their records for declassification, which can have performance impacts for access to information and downstream impacts on historical records transferred to Library and Archives Canada.
In line with accountabilities set out in the Directive on Security Management, offices of primary interest (OPIs) maintain the responsibility for the declassification or downgrading of the records for which they are holders. This implementation notice provides guidance on how Access to Information and Privacy (ATIP) offices can support the declassification or downgrading efforts led by their institution’s security and information management officials and relevant OPIs by prompting them to consider where records requested under the Access to Information Act are candidates for declassification and downgrading. The intent of this guidance is to enable ATIP offices to contribute to the overall integrity of their institution’s security of information systems as well as government transparency and accountability.
5. Guidance
Given that each institution is responsible for establishing its own procedures to review records that contain categorized information to be considered for declassification or downgrading, this implementation notice is limited to providing guidance on how ATIP offices can help prompt their institution’s processes.
5.1 Prompt during record retrieval in response to access to information requests
Categorized records that are candidates for declassification or downgrading can often be identified by OPIs as they review records in response to access to information requests. Reminding OPIs to consider whether records provided in response to an access to information request can be declassified or downgraded is one way ATIP offices can support existing institutional processes.
Institutions may consider adding text to recommendation forms to prompt OPIs to perform this review in line with their authorities and obligations under the Directive on Security Management and/or associated institutional policies (sample text is provided in Appendix A of this notice).
5.2 Prompt following full disclosure
After reviewing records to determine the applicability of exemptions and exclusions, institutions’ ATIP offices may consider returning to OPIs the response packages in which all records were fully disclosed, to support them in considering whether records can be declassified or downgraded. Communication of this nature aligns with best practices regarding regular communication with OPIs when processing records for disclosure (sample text is provided in Appendix B of this notice).
5.3 Prompt through access to information training
In the Directive on Access to Information Requests, subsection 4.1.2 requires that employees of government institutions and officials who have functional or delegated responsibility for the administration of the Act receive training in accordance with the directive’s Appendix B: Mandatory Procedures for Access to Information Training.
In accordance with subsection B.2.1.9 of Appendix B of the directive, this training should cover specific institutional policies and processes relating to the administration of the Act, including policies on information management. Institutions’ ATIP offices may consider, in collaboration with their security and information management officials, including reference to obligations under the Directive on Security Management and/or associated institutional policies and how these relate to access to information (suggested content is provided in Appendix C of this notice).
6. Application
This implementation notice applies to the government institutions as defined in section 3 of the Access to Information Act, including parent Crown corporations and any wholly owned subsidiary of these corporations. However, it does not apply to the Bank of Canada.
It is recognized that the Treasury Board Policy on Government Security and the Directive on Security Management apply directly only to departments as defined in section 2 and entities listed in Schedules IV and V of the Financial Administration Act, unless excluded by specific acts, regulations or orders in council.
Where institutions subject to the Access to Information Act are not governed by the Policy on Government Security and the Directive on Security Management, they are to refer to their institution’s relevant internal policies or directives.
7. References
Legislation
Related Treasury Board policy instruments
Other publications
8. Enquiries
Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries at questions@tbs-sct.gc.ca for information about this implementation notice.
Employees of federal institutions may contact their ATIP coordinator for information about this implementation notice.
Individuals from the institutional security group may contact the Security Policy Division at the Treasury Board of Canada Secretariat by email at SEC@tbs-sct.gc.ca for interpretation of any aspect of the Directive on Security Management.
ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Access to Information Policy and Performance Division at ippd-dpiprp@tbs-sct.gc.ca for information about this implementation notice.
Appendix A: Sample Language for Recommendation Forms
Reminder on declassification or downgrading
Records contained in this submission that are marked with a security category but are recommended for full disclosure may also be considered for declassification or downgrading as set out in the Treasury Board’s Directive on Security Management (and/or [institution’s name] [relevant internal policies/directives]).
In line with obligations set out in the [Directive on Security Management] and/or [relevant internal policies/directives], offices of primary interest maintain the responsibility for the declassification or downgrading of the records for which they are holders. Contact (institution’s security or information management officials) for guidance on initiating this process.
Appendix B: Sample Language for Communication of Fully Disclosed Records
The following package(s) of records has/have been fully disclosed in response to a request under the Access to Information Act.
Records contained in the response package that are marked with a security category but that have been fully disclosed under the Access to Information Act may be considered for declassification or downgrading as set out in the Treasury Board’s Directive on Security Management (and/or [institution’s name] [relevant internal policies/directives]).
In line with obligations set out in the [Directive on Security Management] and/or [relevant internal policies/directives], OPIs maintain the responsibility for the declassification or downgrading of the records for which they are holders. Contact (institution’s security or information management officials) for guidance on initiating this process.
Appendix C: Proposed Content for Access to Information Training
Institutions’ ATIP offices may wish to collaborate with their institution’s information management or security officials in developing relevant training material.
The following points outline content that institutions could consider including in their access to information training to encourage better understanding of the relationship between access to information and institutions’ procedures for information management security control:
- an access request can be made for any record under the control of an institution, regardless of its security categorization; information is withheld based on the application of exemptions under the Access to Information Act and not on its security categorization
- as part of regular business, federal officials assign a security category to records based on the risks associated with the record being disclosed
- security categorization is based on the risk of injury that exists at the time the categorization was applied and dictates how federal officials handle and store the information
- classified or protected information may lose its sensitivity with the passage of time or after the occurrence of specific events
- when it is determined that the expected injury of disclosing such information is reduced, the original record can be considered for declassification or downgrading
- Appendix E of the Directive on Security Management (and/or [relevant internal policies/directives]) sets out mandatory procedures for information management security control that include a requirement to:
  - define, document, implement and maintain security controls to meet institutional information management security requirements, in accordance with institutional practices
  - keep the time frame for protection of information as short as possible and declassify or downgrade the security category assigned to information resources where appropriate, when the expected injury is reduced
- [reference to any relevant institutional policies, directives or procedures]