Personal Information Request (PIR) Manual

The Personal Information Request Manual is intended as a reference tool to help ATIP Professionals interpret and administer the provisions of the Privacy Act (the Act) and the Privacy Regulations (the Regulations) that relate to requests to access personal information, and to meet the corresponding requirements outlined in TBS privacy policy instruments relating to the Act and Regulations.

Chapters of the new Manual will be published as they are completed. ATIP coordinators may direct any questions or comments about the Manual to the Privacy and Responsible Data Division.

On this page

  • Foreword

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    The Personal Information Request Manual (the Manual) was created by the Treasury Board of Canada Secretariat’s (TBS’s) Privacy and Responsible Data Division. It replaces the (archived) sections of the Treasury Board Manual: Privacy and Data Protection Guidelines that related to access to personal information.

    This Manual is intended as a reference tool to help Access to Information (ATI) and Privacy professionals interpret and administer the provisions of the Privacy Act (the Act) and the Privacy Regulations (the Regulations) that relate to requests to access personal information, and to meet the corresponding requirements outlined in TBS privacy policy instruments relating to the Act and Regulations.

    The Act provides individuals with the right of access to their own personal information under the control of a government institution, and with a right to request correction of their personal information. [The Act also sets out the obligations of government institutions regarding the collection, use, disclosure, retention and disposal of personal information they hold. For further information on these obligations, please see the Privacy Practices Manual (TBD).]

    Chapters of the Manual will be published as they are completed. This Manual is evergreen and may be amended as the subjects it covers evolve. As such, we invite you to consult the Manual regularly. Although not intended to provide an exhaustive account of approaches and situations, it is our hope that it will prove to be a valuable reference tool for the administration of the Privacy Act.

    The Manual is only available electronically on the Treasury Board of Canada Secretariat’s website.

    If you have any questions about the Manual, contact your institution’s ATIP Coordinator. If an interpretation of the Manual is needed, the ATIP Coordinator may email TBS’s  Privacy and Responsible Data Division.

    The information in this Manual provides general guidance to government institutions concerning the administration of the Act as it relates to access to personal information. Consult with your institution’s legal services unit for any legal advice relating to the interpretation of the Act.

  • Chapter 1 – Introduction

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    1.1 The Act

    The Privacy Act (the Act) came into force on July 1, 1983. The Act is legislation of general application, which means that it generally applies, unless another act clearly says otherwise. As recognized in Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, the Act is of a quasi-constitutional nature. Quasi-constitutional acts express fundamental values and generally override other inconsistent laws.

    Section 2 of the Act states that the law’s purpose is “to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.”

    The Act applies to personal information as defined in section 3 of the legislation. This Manual provides guidance on the elements of the Act that relate to an individual’s right to request access to, and subsequently to request the correction of, personal information about themselves.

    1.2 Government institutions subject to the Act

    All government institutions listed in the Schedule of the Privacy Act and all parent Crown corporations and wholly owned subsidiaries of such corporations, within the meaning of section 83 of the Financial Administration Act, are subject to the provisions of the Privacy Act. Those institutions are also subject to the Policy on Privacy Protection and related policy instruments.

    1.3 Policy Instruments

    Paragraph 71(1)(d) of the Act requires the President of the Treasury Board, as designated Minister, to have prepared directives and guidelines that concern the operation of the Act and its Regulations. Such directives and guidelines must be distributed to government institutions. Of note, subsection 71(2) of the Act requires that the Governor of the Bank of Canada fulfil this requirement for the Bank of Canada.

    TBS has released five policy instruments that contain mandatory requirements relating to the Act. These include one policy and four directives, namely, the Policy on Privacy Protection, the Directive on Privacy Impact Assessment, the Directive on Privacy Practices, the Directive on Social Insurance Number and the Directive on Personal Information Requests and Correction of Personal Information. The policy instruments that contain requirements pertaining to requests for access to and correction of personal information are the following:

    Implementation Notices provide guidance on the interpretation and application of the Access to Information Act, the Privacy Act and their related policy instruments.

    1.4 Objectives and Structure

    The Manual contains guidelines to help government institutions administer the legislation and meet policy requirements when fulfilling personal information requests. It is a detailed guide that explains the requirements of the Act, the Regulations and related policy instruments. It also contains policy advice, practical interpretations, and best practices. Where appropriate, relevant case law is cited, and excerpts are sometimes reproduced.

    As stated in the foreword, the Manual is designed to be amended as the subjects that it covers evolve to keep it up to date.

    [Guidance regarding the Directive on Privacy Practices, the Directive on Privacy Impact Assessment, and the Directive on Social Insurance Number is found primarily in the Privacy Practices Manual (TBD).]

  • Chapter 4 – Info Source

    Date updated: 2022-12-09
    ATI Manual Cross-reference

    4.1 Sources of Federal Government Information Published by Institutions

    All government institutions subject to the Access to Information Act (ATIA) and the Privacy Act publish an inventory of their information holdings as well as relevant details about personal information collections under their control, in accordance with subsection 5(1) of the ATIA and section 11 of the Privacy Act.

    The current designated repository, as defined by TBS per 4.2.15 of the Policy on Privacy Protection, is known as “Info Source.” Each institution must have a repository and update it annually, as per 4.3.22 of the Policy on Access to Information. TBS centrally indexes these pages to facilitate public access.

    These pages provide information about the functions, programs, activities, and related information holdings of government institutions, including an updated list of the institution’s personal information banks (PIBs), as per 4.2.15 of the Policy on Privacy Protection. A PIB does not actually contain personal information; rather, it describes personal information that is collected, used, or disclosed by the institution in relation to a particular function, program, or activity. The published PIB descriptions, and the descriptions of other classes of information held by the institution may assist individuals in exercising their rights under the Privacy Act to request access to their personal information or exercising their rights under the Access to Information Act to make a request for government records.

    All personal information held by an institution, in its official record keeping system or elsewhere under its control, must be described in these pages: either within a PIB description, or within a description of other classes of personal information held by the institution.

    Personal information held by an institution must be described in a PIB when an institution collects personal information which falls into one of two categories:

    1. Personal information has been used, is being used or is available for use for an administrative purpose, which the Privacy Act defines as being used in a decision-making process that directly affects that individual; or
    2. Personal information is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. An identifying number could include the Social Insurance Number, Personal Record Identifier (PRI) or any other number. A particular assigned to an individual could include a home or other residential address.

    In accordance with section 11 of the Privacy Act, all PIB descriptions in the repository of information holdings (referred to in the Privacy Act as the “Personal Information Index”) must include the following:

    • the identification and a description of the bank, the registration number assigned to it by the designated Minister pursuant to paragraph 71(1)(b) and a description of the class of individuals to whom personal information contained in the bank relates,
    • the name of the government institution that has control of the bank,
    • the title and address of the appropriate officer to whom requests relating to personal information contained in the bank should be sent,
    • a statement of the purposes for which personal information in the bank was obtained or compiled and a statement of the uses consistent with those purposes for which the information is used or disclosed,
    • a statement of the retention and disposal standards applied to personal information in the bank, and
    • an indication, where applicable, that the bank was designated as an exempt bank by an order under section 18 and the provision of section 21 or 22 on the basis of which the order was made.

    Alternatively, if personal information is being collected, but does not fall into one of the two categories listed above, it must be accounted for in a class of personal information. Personal information may also be collected for non-administrative purposes, for instance, when institutions conduct research activities or statistical analyses. It may not be intended to be retrievable, whether by the name of an individual or by an identifying number, symbol of other particular assigned to an individual. A class of information must be published on the “Info Source” site and include:

    • a description of the class in sufficient detail to facilitate the right of access under this Act, and
    • the title and address of the appropriate officer for each government institution to whom requests relating to personal information within the class should be sent.

    In addition to the institution-specific PIBs and classes described above, there are two additional types of PIBs:

    1. Standard PIBs are created and maintained by the Privacy and Data Protection Division within TBS. They describe personal information that is contained in records of most government institutions to support common internal services. These include personal information relating to human resources management, travel, corporate communications and other administrative services.
    2. Central PIBs describe personal information that may be found in all, or several government institutions, and are maintained by a central federal government department or agency, such as the Public Service Commission, Public Services and Procurement Canada, or TBS. An example of a central PIB is TBS’ Entitlements and Deductions System PIB, TBS PCE 741, that captures pay and benefits data and is used for planning, implementing, evaluating and monitoring government policies.

    For additional information about PIBs or publishing requirements for “Info Source,” please refer to the following guidance:

    1. Info Source Online Publishing Requirements
    2. The Privacy Practices Manual (TBD).

    Individuals may file a complaint to the Privacy Commissioner relating to the Info Source publications.

    4.2 Sources of Federal Government Information Published by TBS

    Subsection 5(2) of the Access to Information Act requires that the designated Minister cause to be published, at least twice a year, a bulletin that updates the annual publication and provides other useful information about the Access to Information Act. In practice, the bulletin, which consists of two publications, also provides useful information on the Privacy Act.

    1. The Statistics on the Access to Information and Privacy Acts publication provides an annual compilation of statistical information about requests made under the Access to Information Act and the Privacy Act, as well as an historic perspective since the promulgation of both Acts. This is supported by requirements set out in 4.3.21 of the Policy on Access to Information and 4.2.34 of the Policy on Privacy Protection to provide TBS with a statistical report on the administration of the respective Acts within the institution.
    2. The Federal Court Decision Summaries publication is an annual summary of Federal Court, Federal Court of Appeal and Supreme Court of Canada cases related to both Acts.

    Subsection 5(4) of the Access to Information Act requires the designated Minister to ensure that the bulletin is made available throughout Canada in conformity with the principle that every person is entitled to reasonable access to the bulletin. This is achieved in practice by publishing the bulletin on TBS’s Access to information and privacy page.

  • Chapter 7 – Time limits

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    7.1 Statutory deadline

    Section 14 of the Privacy Act (the Act) requires the head of a government institution to respond to a personal information request made under subsection 12(1) within 30 days after the request is received, subject to section 15 of the Act. The head of a government institution must:

    • give the requester written notice as to whether or not access to the personal information or part thereof will be given; and
    • if access is to be given, give the requester the information or appropriate part thereof

    This is reiterated in subsections 4.1.29 and 4.1.30 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive).

    Subsection 4.2.22 of the Policy on Privacy Protection requires the head of a government institution or their delegate to ensure every reasonable effort is made to assist requesters in connection with the request, to provide complete, accurate, and timely responses to requests under the Act. Furthermore, 4.2.6 of the Directive requires employees of government institutions to make every reasonable effort to respond to requests within the timelines prescribed in the Act, including taking extensions in accordance with the Act. While these policy requirements do not amend the legislative timelines, they impose timely access to personal information.

    7.1.1 Calculation of statutory deadline

    The 30‑day timeline prescribed in section 14 of the Act are calendar days, as provided for in the Interpretation Act. The timeline is counted from the first day following receipt of a complete personal information request to the institution’s Access to Information and Privacy (ATIP) office. If the deadline falls on a weekend or on a holiday, the deadline for response, extension or other action becomes the next day, as per sections 26 and 35 of the Interpretation Act.

    When an extension is taken, the deadline is recalculated from the date of receipt of the request rather than from the original deadline.

    Example

    A request is received on November 23. The 30th day falls on Saturday, December 23. The next day that is not a holiday is December 27, which becomes the deadline, and the institution has 34 calendar days to process the request. When a 30‑day extension is taken, the new deadline is calculated from November 23 (30 + 30 days), and the 60th day falls on January 22 of the next calendar year.

    7.2 Extension of time limits

    The 30‑day time limit set in section 14 of the Privacy Act is subject to section 15 of the Act. In particular, paragraph 15(a) of the Act allows the head of a government institution to extend the original time limit by a maximum of 30 days under the following circumstances:

    • meeting the original time limit would unreasonably interfere with the operations of the government institution, or
    • consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit

    In addition, paragraph 15(b) of the Act allows the head of a government institution to extend the time limit for such a period of time as is reasonable if additional time is necessary for the purposes of translating the information or converting the information into an accessible format.

    The institution is not required to consult or obtain the requester’s consent when deciding whether to extend the statutory deadline. The institution is required to examine the circumstances and context of each request.

    More than one extension may be taken, provided each extension is taken within the original 30‑day time limit and does not exceed the maximum time limit under paragraph 15(a) of 30 days.

    Unlike the process for extensions taken under Access to Information Act, the Office of the Privacy Commissioner (OPC) is not carbon copied in the extension notices.

    Example

    An institution takes an extension under subparagraph 15(a)(i) on day 7 when the office of primary interest informs the ATIP office that the request is for a large number of records and the search will require many days. A second extension is taken on day 15 to accommodate the translation of the material into the requester’s preferred language.

    As per subsection 4.2.5 of the Directive, employees of government institutions are required to advise ATIP officials at an early stage if a request cannot be responded to within the legislated 30‑day time frame. This is in coordination with the requirement in 4.1.20 of the Directive in which heads or their delegates are required to assess, without undue delay, each request received under the Act to determine if an extension is needed. ATIP officials may wish to communicate with the requester if they are advised by the program area that the request has a large volume of pages or requires consultations. There may be opportunities to narrow or clarify the scope of the request to facilitate processing. If the request requires clarification, it may be placed on hold. For more information on holds, please refer to Chapter 6.

    7.2.1 Reasons for extension

    a) Subparagraph 15(a)(i): unreasonable interference with operations

    Subparagraph 15(a)(i) of the Privacy Act provides for an extension if meeting the original time limit would unreasonably interfere with the operations of the government institution. Both the words “unreasonably” and “interfere” are terms that may be interpreted according to the circumstances and the context of each specific request.

    Generally, interference with the institution’s operations may be considered unreasonable if processing the request within 30 days would require the following:

    • a transfer of resources from institution’s operations to the ATIP office
    • monopolizing a significant portion of the resources of the office of primary interest to the detriment of its core functions, or
    • using such a high proportion of the resources of the ATIP office that it would have a significant negative impact on the processing of other requests.

    When completing their annual report to Parliament, an institution will need to classify their extension for reporting purposes under one or more of the following circumstances:

    • further review is required to determine whether information should be exempted under sections 18–28 of the Privacy Act (interwoven information)
    • there is a large volume of pages related to the request
    • the institution is experiencing a large volume of requests
    • the documents are difficult to obtain

    Institutions should document their justification for the extension and demonstrate that, in light of the circumstances, it would have been unreasonable to devote the time and resources necessary to meet the original time limit. Should there be a complaint, the OPC may consider whether an institution has adequately funded its ATIP office and the steps the institution took to address resource shortfalls when assessing the justification for the extension.

    Emergency situations

    There is no provision in the Act that allows the statutory time limits to be extended in emergencies, even in extraordinary situations that significantly interrupt operations. The impact of an emergency on the institution’s operations cannot be used as the sole basis for taking an extension under subparagraph 15(a)(i) of the Privacy Act. However, if fulfilling the request in the original time limit would unreasonably interfere with the operations of the government institution because the emergency already had an adverse effect on operations, an extension may be considered.

    b) Subparagraph 15(a)(ii): consultations necessary

    For the purposes of subparagraph 15(a)(ii) of the Act, “consultation” refers to consultations undertaken within a government institution, or with other government institutions or other levels of government. Although personal information requests do not regularly contain Cabinet confidences, such documents are an example of when an institution may need to extend the time limit for responding to a request.

    An extension under subparagraph 15(a)(ii) of the Act may also be justified when an institution must seek legal advice in order to resolve issues related to the processing of a request. However, extensions should not be taken to cover an institution’s routine approval process.

    It is also a best practice to obtain, where feasible, an agreed upon response time from the party consulted, whether an internal or external consultation when taking an extension under subparagraph 15(a)(ii) of the Act.

    When completing their annual report to Parliament, an institution will need to classify their extension for reporting purposes under one or more of the following circumstances:

    • Cabinet confidences
    • the request requires significant consultations with external organizations (such as third parties or provincial/territorial governments)
    • the request requires significant consultations within the institution or with other federal institutions
    c) Paragraph 15(b): translation and conversion

    An extension under paragraph 15(b) of the Act may be claimed if additional time is necessary for the purposes of translating the information or converting the information into an accessible format.

    7.2.2 Length of extension

    As noted above, paragraph 15(a) of the Act allows the head of a government institution to extend the initial period by a maximum of 30 days under select circumstances.

    Extensions should be based on the amount of work required to process a request and be for as short a time as possible. Their length should be assessed on a case-by-case basis wherein the volume and complexity of the information for that specific request is taken into consideration. This approach avoids determining the length of an extension based on only such predetermined factors, such as the average response time taken by an institution consulted in the past. They should also consider the ability to undertake multiple tasks in overlapping time frames, such as conducting consultations and reviewing the requested information. Applicable factors to consider in determining the length of an extension are provided in subsection 7.2.3 of this chapter.

    The Federal Court of Appeal has indicated that “it is not enough for a government institution to simply assert the existence of a statutory justification for an extension and claim an extension time of its choice. An effort must be made to demonstrate the link between the justification advanced and the length of the extension taken.”Footnote 1 While the Privacy Act was not directly in question in this decision, the provisions of the Access to Information Act at issue are nearly identical to those found in the Privacy Act and the findings remain relevant. In the case of subparagraph 15(a)(i), this means demonstrating that the work required to provide access within any materially lesser period of time than the one asserted would interfere with operations. The same type of rational linkage must be made when invoking subparagraph 15(a)(ii) with respect to necessary consultations. It is important to justify any extension taken regardless of length and to properly record those decisions on file.

    As provided for in paragraph 29(1)(d) of the Act, the Privacy Commissioner can receive complaints from individuals who consider the extension taken to be unreasonable. If the Privacy Commissioner, after an investigation, agrees and finds the extension is unreasonable, the complaint is considered well-founded.

    As per subsection 4.1.23 of the Directive, heads or their delegates must report on the number of and reasons for extensions in the institution’s annual report to Parliament. The Treasury Board of Canada Secretariat collects statistical data on the length of extensions for the following categories:

    • 1 to 15 days
    • 16 to 30 days
    • 31 days or greater

    Paragraph 15(b) of the Privacy Act refers to the extension of the time limit as “such period of time as is reasonable” for translation and conversion. In each case, the head of the institution or their delegated representative must exercise judgment, for the Act does not stipulate a specific time frame other than that it be “reasonable.” Accordingly, where additional time is required for translation or for converting the information into an accessible format, a reasonable period of time is allowed. Institutions should consider releasing the untranslated or unconverted personal information as soon as possible and advise the requester that the translated or converted version will be provided when available.

    Note that if the extension taken is not long enough and the institution does not complete the request within the extended time limit, the request is deemed to have been refused by virtue of subsection 16(3) of the Act. Information on deemed refusals is provided in subsection 7.3 of this chapter.

    7.2.3 Procedures

    The following is recommended when dealing with extensions:

    • Institutions should assess all requests as soon as possible after receiving them and, if necessary, give notice of a written explanation to the requester within 30 days of receipt of the request of the reasons for an extension.

    Subsection 4.1.20 of the Directive requires heads or their delegates to assess, without undue delay, each request received under the Act to determine if an extension is needed for processing the request. They are to be assisted by employees of government institutions, who are required by 4.2.5 of the Directive to advise ATIP officials at an early stage if a request cannot be responded to within the legislated 30‑day time frame.

    Factors that may be considered when deciding whether an extension is needed and the length of the extension include the following:

    • scope and complexity of the request
    • volume of personal information requested
    • number of files that must be searched to find the requested personal information and where the files are located, if not electronically
    • level of interference with the institution’s operations
    • number and complexity of consultations required with employees of the institution and external organizations, such as offices of primary interest, other institutions or other levels of government
    • whether additional consultations or notification may be required depending on the outcome of the consultations undertaken

    When extending under subparagraph 15(a)(ii) of the Act, it is a best practice to contact the institution, the individual or the organization being consulted to obtain an agreed-upon response time from that institution, individual or organization.

    If the personal information requested is of interest to another institution, organization or individual, consultations should be undertaken only if additional information is required to exercise discretion effectively or the processing institution intends to disclose potentially sensitive information, as per 4.1.24 of the Directive. As per 4.1.25 of the Directive, institutions are to ensure consultation requests from other federal government institutions are processed with the same priority as the personal information requests made to their own institution.

    An extension cannot be taken when more than 30 days have passed since the request was received.

    1. If access cannot be provided within the statutory time limit, the institution should inform the requester that the time limit cannot be met, indicate when access will be given, and advise the requester of the right to file a complaint with the Privacy Commissioner about the extension.
    2. When requests contain similar or related information and are made to more than one institution, the personal information should be carefully examined to ensure that if redactions are applied, they are done so consistently across all requests.
    3. Keep requests open until all consultations have been received and a formal notice, as discussed in subsection 7.2.4 of this chapter, has been provided to the requester.

    Example

    An institution holds personal information that is of interest to several institutions, such as personal information relating to a sensitive security issue under investigation that concerns Public Safety Canada, the Royal Canadian Mounted Police and the Canadian Security Intelligence Service. The request is 750 pages total.

    The institution informs the requester in writing that the request is extended for an additional 30 days under subparagraph 15(a)(i) – unreasonable interference with operations (large volume of pages), and subparagraph 15(a)(ii) – consultations necessary (consultations with other federal institutions) and provides the new legislative due date for the response.

    Prior requests may be used to inform the time required to complete the processing of the request. The institution may have some insights, for example, of how long it normally takes to complete this type of consultation with this specific institution or for this volume of records. That said, previous requests, if used, should not be the standalone deciding factor, but rather part of a set of assessment criteria that also considers the volume and complexity of the information at issue. In the scenario above, the institution needs additional processing time based on the volume of the request. The institution also needs to be provided with additional information from the consulting institutions on the status of the investigation and if the release of the information would be injurious to the conduct. Although the request is not identical, similar requests have taken the other institutions 20 days to complete, and the ATIP analyst assigned to the request confirmed the processing time in advance of sending the consultation. These 20 days, combined with large volume of pages, leads the ATIP analyst to believe that an additional 30 days are required to complete the request.

    7.2.4 Notice to the requester

    When, based on the factors identified in subsection 7.2.3 of this chapter, an institution extends the time limit, section 15 of the Privacy Act requires that the institution give written notice of the extension to the requester within the original 30‑day time period. To fulfill this requirement, the necessary elements for this notice are described in 4.1.20 to 4.1.23 of the Directive. Institutions should assess without undue delay all access requests received and if an extension is needed for processing a request, notify the applicant of the extension within 30 days of the request’s receipt.

    Model letters are available in Annex A of this Manual. If an institution chooses to develop their own letter, note that it must contain the following:

    If more than one extension is taken, the institution has the option to inform the requester in the same notice or under separate cover.

    Model written explanations for delays in fulfilling personal information requests

    The following model explanations are provided as a resource. Institutions are encouraged to use these model explanations as basis for correspondence with requesters, or to adapt them as appropriate. Even when using these model explanations, heads of institutions remain responsible for ensuring that any extension falls within the reasons specified in section 15 of the Act. The use of model explanations also does not impact the right of requesters to complain to the OPC.

    Circumstances Proposed written explanation Subsection of the Privacy Act

    Further review is required to determine whether information should be exempted under sections 18–28 of the Privacy Act.

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because the records containing your personal information also include other sensitive information. We will need to review the records to protect the privacy of others and to protect other information that cannot be released.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    There is a large volume of pages related to the request

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the volume of records associated with your request. We will need to locate, retrieve and review a large number of records.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The institution is experiencing a large volume of requests

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the high volume of requests currently being processed by our institution.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The documents are difficult to obtain

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request as some of the records you requested are currently difficult to obtain because [records have been archived, records are in storage, records are not available electronically, records are stored in backup tapes, we will need to compile records from multiple locations, or your request covers a significant time period].

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The request requires significant consultations with external organizations

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult with external organizations such as provincial or territorial governments.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires significant consultations within the institution or with other federal institutions

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult within our institution or with other federal institutions.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires translation or conversion

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to translate the records you requested or convert the records into another format in order to facilitate your access to your personal information.

    This extension is in accordance with paragraph 15(b) of the Privacy Act.

    15(b)

    7.3 Deemed refusal

    Subsection 16(3) of the Privacy Act states that when a government institution fails to give access to personal information within the time limits set out in the Act (30 calendar days or the length of time taken under an extension), the institution is deemed to have refused access. This situation is commonly referred to as a deemed refusal.

    To clarify further, if no extension has been taken under section 15 of the Privacy Act and a response was not given, an institution is deemed to have refused access on the 31st day after a request was received (unless it falls on a weekend or a holiday). If an extension was taken, an institution is deemed to have refused access if it did not respond by the end of the extended deadline.

    When a request is in a deemed refusal state, the requester may file a complaint with the Privacy Commissioner about the refusal of access. On a parallel issue in the closely related Access to Information Act, the potential consequences of a deemed refusal were reviewed by the Federal Court of Appeal in the decision Canada (Information Commissioner) v. Canada (Minister of National Defence), Docket A-785-96. The Court found that once a request is deemed to have been refused, the Commissioner has the power to conduct an investigation to determine the merits of the refusal to provide access. The Court stated as follows:

    In the instant case, as soon as the institution failed to comply with the time limit, the Commissioner could have initiated his investigation as if there had been a true refusal. He does have powers to investigate, including, at the beginning of an investigation, the power to compel the institution to explain the reasons for its refusal.

    In the decision Statham v. Canadian Broadcasting Corporation, 2010 FCA 315, the Federal Court of Appeal confirmed that there is no distinction between a true refusal and a deemed refusal.

    In the decision Information Commissioner of Canada v. Canada (Minister of National Defence) 2015 FCA 56, the Federal Court of Appeal stated that the validity of an extension of time to respond to an access to information request may be judicially reviewed.

    When a request is in deemed refusal, the institution has not forfeited their right to refuse disclosure and must continue to process the request and provide a response to the requester. The decision Murchison v. Export Development Canada, 2009 FC 77, the Court found that the information did not have “to be disclosed merely because the institution failed to assert an exemption within the 30‑day period.”

    There is additional information on the effect of deemed refusals in Chapter 12 of this manual.

    While these decisions do not provide rulings directly on the Privacy Act, the findings are on the closely related Access to Information Act, and the provisions at issue are similar to those found in the Privacy Act on the same subject.

  • Chapter 8 – Request for correction and notation

    Date updated: 2023-09-20

    8.1 Request for correction and notation

    Subsection 12(2) of the Privacy Act (the Act) provides that an individual who has been given access under paragraph 12(1)(a) of the Act to personal information that has been used, is being used, or is available for use for an administrative purpose may request correction of the personal information where the individual believes there is an error or omission therein.

    Section 11 of the Regulations describes the procedures to be followed by the requester and government institutions, as explained in section 8.4 of this chapter.

    Information about requests to delete personal information can be found in the Privacy Practices Manual (to be published). Institutions may wish to consult with their records management officials for advice on information that must be retained or transferred to Library and Archives Canada and on what information may be destroyed.

    8.2 Policy Requirements

    8.2.1 Responsibilities of heads of government institutions or their delegates

    The responsibilities for heads of government institutions or their delegates concerning the correction and notation of personal information are as follows:

    • Under section 4.2.25 of the Policy on Privacy Protection, to establish effective processes and systems to respond to requests under the Act. This applies to both requests for access as well as requests for correction;
    • Under section 4.1.32 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive), to establish a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented;
    • Under section 4.1.33 of the Directive, to document any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose.
    • Under section 4.1.34 of the Directive, to notify the individuals, and any public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information; and
    • Under section 4.1.35 of the Directive, to notify requesters of their right to complain to the Privacy Commissioner in respect of requests for correction of personal information.

    It is recommended that procedures for processing correction requests be made available to the public.

    8.2.2 Responsibilities of executives and senior officials

    The Directive on Privacy Practices assigns the following responsibilities related to the correction of personal information to executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information:

    • Under section 4.2.10.5, to notify the individual whose personal information is collected directly of the right to request the correction of personal information under the Act;
    • Under section 4.2.19, to ensure that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision is made that could have an impact on them; and
    • Under section 4.2.28.3, to ensure, when personal information is transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that rights of individuals to access and correct their personal information are maintained after the transfer.

    8.3 Decision to grant or refuse the request for correction

    The decision whether to grant or refuse a request for correction is made on a case-by-case basis.

    The request is usually granted when the personal information consists of factual information that was originally supplied by the individual concerned, or when the individual provides documentary evidence to support the correction.

    When the correction will affect an administrative decision concerning the individual (e.g., their eligibility for a benefit), documentary evidence provided to support the correction should be the same as the evidence required when the information was originally collected.

    As a general rule, a request for correction of an opinion is usually accepted if the requester was the source of the opinion and the opinion does not concern any other individual. In general, corrections are not made to opinions given by other individuals about the requester except where there are reasons to suspect the reliability of the source of the opinion, or the requester established that the original opinion was based on incorrect information. When this is not the case, the individual is informed of the difficulty in reassessing the validity of an opinion, and a notation is made giving the requester’s views on the matter.

    8.4 Procedures

    As mentioned previously, Section 11 of the Regulations describes the procedures to be followed by the requester and by government institutions, which this section outlines.

    8.4.1 Procedures to be followed by the requester

    Following receipt of their request under 12(1)(a), the requester must send a subsequent request for correction to the appropriate officer of the government institution that has control of the personal information. The requester may fill out a Record Correction Request Form (TBS/SCT 350-11) in respect of each personal information bank that contains the information to be corrected, or may send a signed letter that contains all information requested in the form. The requester should include copies of the documentary evidence that can be used to establish the validity of the requested correction, including citing the file number for the previously processed personal information request.

    8.4.2 Procedures to be followed by the government institution that received the request for correction

    When the request for correction is granted, the head of the government institution must, within 30 days of receiving the request:

    • Notify the requester that the correction has been made;
    • Notify any person or body to whom the information was disclosed within the two years preceding the date that the request for correction was received that the correction has been made; and
    • Notify the appropriate officer of any other government institution to which the information was disclosed within the two years preceding the date that the request for correction was received that the correction has been made, and that the officer is required to make the correction on every copy of the personal information under the control of that institution.

    The notice to the requester should include a list of the persons, bodies and government institutions that were notified of the correction made.

    When a request for correction is refused in whole or in part, the head of the government institution must, within 30 days of receiving the request:

    • Attach a notation to the personal information reflecting that a correction was requested but was refused in whole or in part;
    • Notify the requester that:
      • The request for correction was refused in whole or in part and give the reasons for the refusal;
      • A notation reflecting that a correction was requested and refused in whole or in part has been attached to the personal information; and
      • The requester has the right under the Act to make a complaint to the Privacy Commissioner;
    • Notify any person or body to whom the personal information was disclosed in the two years preceding the date that the request for correction was received that a notation has been attached to the personal information; and
    • Notify the appropriate officer of any other government institution to which the information was disclosed within the two years preceding the date that the request for correction was received that a notation has been attached to the personal information, and that the officer is required to attach such a notation to every copy of the personal information under the control of that institution.

    The notice to the requester should include a list of the persons, bodies and government institutions that have been notified of the attachment of the notation.

    8.4.3 Procedures to be followed by a government institution that receives a notice that a correction was made or refused in whole or in part

    When a government institution receives a notice from another government institution that a correction or notation has been made, the institution receiving the notice must correct or annotate every copy of the personal information under the control of the institution without delay.

    8.5 Incorporating corrections and notations

    In many cases, corrections can be made by changing the particular information within a record; notations can also be made by adding to the record. In circumstances where this is not possible (e.g., certain electronic records), the accepted method is to store the correction or notation in such a way that it is retrieved with the original information (e.g., a flag on an electronic file or a notice attached to a paper file). In all cases, corrections and notations must be stored in a manner that will ensure that they are retrieved and used whenever the original personal information is used for an administrative purpose.

    Institutions should incorporate corrections or notations in a way that will be seen and therefore used by the person having to make a decision about an individual. That includes notifying individuals and private or public organizations that use the information to make a decision on the individual concerned. In other words, whatever method is used, the correction or notation should be simple to retrieve.

  • Chapter 13 – Offences and Protection from Civil Proceedings or Prosecution

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    This chapter explains the offence of obstructing the Privacy Commissioner, the protection from civil proceedings or prosecutions, and the inadmissibility of evidence given during the complaint process.

    13.1 Section 68: obstructing the Privacy Commissioner

    Under section 68 of the Privacy Act (the Act), any person who obstructs the Privacy Commissioner or any person acting on behalf or under the direction of the Commissioner in the performance of the Commissioner’s duties and functions under the Act is guilty of an offence and liable, upon summary conviction, to a fine not to exceed $1,000. To date, no individual has been fined under section 68.

    13.2 Protection from civil proceedings or prosecution

    Notwithstanding any other Act of Parliament, under section 74 of the Act, the head of a government institution and any person acting on behalf or under the direction of the head are provided with protection from civil or criminal proceedings, and the Crown or any government institution are provided with protection from any proceedings, in relation to the following:

    • disclosure in good faith of any personal information pursuant to the Act
    • any consequences that flow from that disclosure, or
    • failure to give any notice required under the Act if reasonable care is taken to give the required notice.

    Section 74 was specifically considered in Gauthier v. Canada (Minister of Consumer and Corporate Affairs) (1992) 58 F.T.R. 161.Footnote 1 The Federal Court indicated that the Privacy Act was structured to provide a right of judicial review with respect to denials of access to information. However, it noted that “the [Privacy] Act expressly precludes the complainants starting a regular action for damages based on negligence.” In Canada v. John Doe, 2016 FCA 191, the Federal Court of Appeal noted that disclosures that are protected are those made under the Act. These would include a response to a personal information request. Section 74 does not necessarily apply to an action that is not based on the Act.

    Nevertheless, section 74 should not be taken to create an absolute immunity. Institutions should consult their own legal services for more information.

    13.3 Jurisdiction of the Court pursuant to section 41

    Section 41 of the Act engages the Federal Court in review de novoFootnote 2 for refusals to disclose personal information pursuant to subsection 12(1) of the Act. In order for an individual to avail themselves of this right, section 41 requires that a complaint first be made and investigated by the Privacy Commissioner. This was reiterated in Cumming v. Canada (Royal Mounted Police), 2020 FC 271. As was noted in the Federal Court decision Connolly v. Canada Post Corporation (2000), 197 FTR 161, aff’d 2002 FCA 50, the only remedy that the Federal Court can order is found at sections 48 and 49 of the Act and consists of ordering disclosure where it has been refused contrary to the Act.

    Other decisions of the Federal Court with a similar conclusion include Murdoch v. Royal Canadian Mounted Police, 2005 FC 420, Lavigne v. Canada (Canadian Human Rights Commission), 2011 FC 290, Frezza v. Canada (National Defence), 2014 FC 32, and Canada (Public Safety and Emergency Preparedness) v. Gregory, 2021 FCA 33.

    13.4 Inadmissibility of evidence given during the complaint process

    Subsection 34(3) of the Act provides that evidence given in the course of an investigation by an employee of a government institution or by any other person involved in the complaint is not admissible as evidence against the employee or person in a court or any other proceeding except in the following circumstances:

    • in a prosecution for an offence under section 131 of the Criminal Code (perjury) in respect of a statement made under the Act
    • in a prosecution for an offence under section 68 of the Act (obstruction)
    • in a review before the Federal Court under the Act, or in an appeal resulting from such review

    Although there is a presumption of truthfulness, employees can and will be called upon to demonstrate and justify their statements and evidence under oath in the above-mentioned circumstances. The institution’s legal services or other legal representation can help guide them through the proceedings.

    Evidence given in the course of an investigation by the Privacy Commissioner under the Act would not be admissible in any proceedings other than those listed above.

  • Chapter 14 – Monitoring and Reporting

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    14.1 Annual Reports

    Section 72 of the Privacy Act (the Act) requires the head of every government institution to prepare an annual report on the administration of the Act within their institution during the period between April 1 of the preceding year and ending on March 31 of the current year. The report must be tabled before the Senate and the House of Commons on any of the first 15 days on which that House is sitting after September 1 of the year in which the report is prepared.

    Institutions must prepare separate and distinct annual reports for the Access to Information Act and for the Privacy Act in accordance with the instructions issued annually by the Access to Information Policy and Performance Division of the Treasury Board of Canada Secretariat (TBS) as per 4.2.32 of the Policy on Privacy Protection (the Policy). However, both reports may be filed under the same cover.

    Annual reports are intended to ensure accountability for the actions and decisions of institutions in their administration of the Act. All annual reports are referred to the permanent committee designated by Parliament to review the administration of the Act. Institutions may be invited to appear before the committee to explain their performance in responding to personal information requests.

    Institutions must provide an electronic copy of their annual report in both official languages to TBS and the Privacy Commissioner, as required by section 4.2.33 of the Policy.

    The information contained in the reports is included in an aggregate report prepared by TBS that provides a government‑wide perspective on the administration of the Access to Information Act and the Privacy Act.

    Under Sections 38 and 39 of the Act, the Privacy Commissioner of Canada also prepares an Annual Report to Parliament on the activities of their office during that financial year and may make special reports to Parliament.

    14.2 Statistical Reports

    In addition, government institutions submit annual statistical reports on the administration of the Act and its supporting regulations to TBS. These statistical reports are also included in the annual report of the institution. Completed statistical reports (Form for the Statistical Report on the Access to Information Act (TBS/SCT 350-62) and Form for the Statistical Report on the Privacy Act (TBS/SCT 350-63)) must be included in each institution’s annual reports.

    Institutions must provide their statistical report with their annual report to TBS, as required by section 4.2.34 of the Policy.

    TBS establishes definitions and issues specific directions annually to institutions on how to compile the annual and statistical reports. Because of the unique experiences of institutions, no single format can serve the needs of all government institutions. Therefore, although the reporting requirements identified by TBS must be addressed, institutions may structure their annual and statistical reports as they deem appropriate and add information to reflect their particular accomplishments and challenges.

    To promote accessibility and transparency, institutions must publish their annual reports on their websites.

    14.3 Monitoring Policy Compliance

    Heads of institutions or their delegates are responsible for monitoring the institution’s compliance with the Policy and its supporting instruments, as per 4.2.29 of the Policy and 4.1.37 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive). Should they determine that there is a policy compliance issue, they must take appropriate remedial action to address the issue, as per 4.2.30 of the Policy, and advise TBS of any significant issues on a timely basis, as per 4.2.31 of the Policy.

    14.4 Monitoring for Frequently Requested Information

    While personal information requests should always be a means for an individual to access their personal information held by a government institution, there may be other avenues which could be made available to government program recipients. Heads of institution or their delegates are responsible for considering other means of making government information accessible. As per 4.2.28 of the Policy and 4.1.36 of the Directive, institutions should review the nature of requests received and assess the feasibility of making frequently requested types of information available by other means. This could include offering new client service portals or automated emails to applicants during the processing of applications. Effective communications could help to either reduce the number of personal information requests or refine the type of information that requesters seek.

Page details

Date modified: