Language selection

Government of Canada / Gouvernement du Canada

Search

Personal Information Request (PIR) Manual

From: Treasury Board of Canada Secretariat

The Personal Information Request Manual is intended as a reference tool to help ATIP Professionals interpret and administer the provisions of the Privacy Act (the Act) and the Privacy Regulations (the Regulations) that relate to requests to access personal information, and to meet the corresponding requirements outlined in TBS privacy policy instruments relating to the Act and Regulations.

Chapters of the new Manual will be published as they are completed. ATIP coordinators may direct any questions or comments about the Manual to the Privacy and Responsible Data Division.

On this page

  • Foreword

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    The Personal Information Request Manual (the Manual) was created by the Treasury Board of Canada Secretariat’s (TBS’s) Privacy and Responsible Data Division. It replaces the (archived) sections of the Treasury Board Manual: Privacy and Data Protection Guidelines that related to access to personal information.

    This Manual is intended as a reference tool to help Access to Information (ATI) and Privacy professionals interpret and administer the provisions of the Privacy Act (the Act) and the Privacy Regulations (the Regulations) that relate to requests to access personal information, and to meet the corresponding requirements outlined in TBS privacy policy instruments relating to the Act and Regulations.

    The Act provides individuals with the right of access to their own personal information under the control of a government institution, and with a right to request correction of their personal information. [The Act also sets out the obligations of government institutions regarding the collection, use, disclosure, retention and disposal of personal information they hold. For further information on these obligations, please see the Privacy Practices Manual (TBD).]

    Chapters of the Manual will be published as they are completed. This Manual is evergreen and may be amended as the subjects it covers evolve. As such, we invite you to consult the Manual regularly. Although not intended to provide an exhaustive account of approaches and situations, it is our hope that it will prove to be a valuable reference tool for the administration of the Privacy Act.

    The Manual is only available electronically on the Treasury Board of Canada Secretariat’s website.

    If you have any questions about the Manual, contact your institution’s ATIP Coordinator. If an interpretation of the Manual is needed, the ATIP Coordinator may email TBS’s  Privacy and Responsible Data Division.

    The information in this Manual provides general guidance to government institutions concerning the administration of the Act as it relates to access to personal information. Consult with your institution’s legal services unit for any legal advice relating to the interpretation of the Act.

  • Chapter 1 – Introduction

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    1.1 The Act

    The Privacy Act (the Act) came into force on July 1, 1983. The Act is legislation of general application, which means that it generally applies, unless another act clearly says otherwise. As recognized in Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, the Act is of a quasi-constitutional nature. Quasi-constitutional acts express fundamental values and generally override other inconsistent laws.

    Section 2 of the Act states that the law’s purpose is “to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.”

    The Act applies to personal information as defined in section 3 of the legislation. This Manual provides guidance on the elements of the Act that relate to an individual’s right to request access to, and subsequently to request the correction of, personal information about themselves.

    Top of Page

    1.2 Government institutions subject to the Act

    All government institutions listed in the Schedule of the Privacy Act and all parent Crown corporations and wholly owned subsidiaries of such corporations, within the meaning of section 83 of the Financial Administration Act, are subject to the provisions of the Privacy Act. Those institutions are also subject to the Policy on Privacy Protection and related policy instruments.

    Top of Page

    1.3 Policy Instruments

    Paragraph 71(1)(d) of the Act requires the President of the Treasury Board, as designated Minister, to have prepared directives and guidelines that concern the operation of the Act and its Regulations. Such directives and guidelines must be distributed to government institutions. Of note, subsection 71(2) of the Act requires that the Governor of the Bank of Canada fulfil this requirement for the Bank of Canada.

    TBS has released five policy instruments that contain mandatory requirements relating to the Act. These include one policy and four directives, namely, the Policy on Privacy Protection, the Directive on Privacy Impact Assessment, the Directive on Privacy Practices, the Directive on Social Insurance Number and the Directive on Personal Information Requests and Correction of Personal Information. The policy instruments that contain requirements pertaining to requests for access to and correction of personal information are the following:

    Implementation Notices provide guidance on the interpretation and application of the Access to Information Act, the Privacy Act and their related policy instruments.

    Top of Page

    1.4 Objectives and Structure

    The Manual contains guidelines to help government institutions administer the legislation and meet policy requirements when fulfilling personal information requests. It is a detailed guide that explains the requirements of the Act, the Regulations and related policy instruments. It also contains policy advice, practical interpretations, and best practices. Where appropriate, relevant case law is cited, and excerpts are sometimes reproduced.

    As stated in the foreword, the Manual is designed to be amended as the subjects that it covers evolve to keep it up to date.

    [Guidance regarding the Directive on Privacy Practices, the Directive on Privacy Impact Assessment, and the Directive on Social Insurance Number is found primarily in the Privacy Practices Manual (TBD).]

    Top of Page

  • Chapter 2 - Roles and Responsibilities

    Date updated: 2024-01-12
    ATI Manual Cross-reference

    This chapter provides an overview of the roles and responsibilities of:

    • the designated ministers
    • the Treasury Board of Canada Secretariat (TBS) and the Department of Justice Canada
    • the Privy Council Office
    • the Access to Information and Privacy (ATIP) Coordinators
    • the Privacy Commissioner of Canada and the Office of the Privacy Commissioner of Canada (OPC)
    • the Federal Court, the Federal Court of Appeal and the Supreme Court of Canada
    • parliamentary committees

    This chapter also contains information for understanding the roles and responsibilities conferred by the Privacy Act (the Act) and policy instruments to heads of government institutions and their delegates, ATIP offices, employees, and other officials.

    2.1 Key players

    2.1.1 Designated Ministers

    Pursuant to the definition of “designated Minister”in section 3 of the Act, the Governor in Council has made regulations under the Act, Designating the Minister of Justice and the President of the Treasury Board as Ministers for Purposes of Certain Sections of the Act. Each designated minister is responsible for recommending amendments to their respective sections of the Act and the Privacy Regulations (the Regulations).

    The responsibilities of the designated ministers conferred by the Act are summarized below.

    Roles and responsibilities

    The Minister of Justice acts as the designated minister for the following:

    • designating the head of a government institution by order in council (paragraph (b) of the definition of “head”in section 3)
    • extending the right of access by order in council (subsection 12(3))
    • proposing regulations, in accordance with subsection 77(1), to the Governor in Council related to:
    • specifying government institutions or parts of government institutions for the purpose of paragraph (e) of the definition “personal information”in section 3 (paragraph (a))
    • specifying investigative bodies for the purposes of paragraph 8(2)(e) and sections 22 and 23 (paragraph (d))
    • specifying persons or bodies for the purpose of paragraph 8(2)(h)(paragraph (g))
    • specifying classes of investigations for the purpose of paragraph 22(3)(c) (paragraph (l))
    • adding, replacing or deleting government organizations from the Schedule of the Act (subsection 77(2))

    The President of the Treasury Board acts as the designated minister for all other purposes of the Act. Specifically, with respect to access to personal information:

    • as set out in subsection 71(1):
    • prescribing forms that may be required for the operation of the Act and the Regulations
    • ensuring that directives and guidelines are prepared and distributed concerning the operation of the Act
    • prescribing the form and content of reports to Parliament
    • providing services regarding the administration of the Act to government and the public (section 71.1)
    • proposing regulations, in accordance with subsection 77(1), to the Governor in Council related to:
    • retention period for requests received under paragraph 8(2)(e) and records of information disclosed pursuant to the requests (paragraph (b))
    • procedures to be followed in making and responding to requests for access to personal information (paragraph (h))
    • procedures to be followed for the correction of personal information (paragraph (i))
    • fees to be paid for being given access to personal information (paragraph (j)) (note: fees are not presently collected)
    • procedures to be followed by the Privacy Commissioner in examining or obtaining copies of records that have been exempt under paragraph 19(1)(a) or (b) or section 21 (paragraph (k))
    • the class of individuals who may act on behalf of others (paragraph (m))
    • disclosure of information regarding the physical or mental health of individuals to duly qualified medical practitioners or psychologists (paragraph (n))
    • disclosure of information to individuals regarding their physical or mental health (paragraph (o))

    To enhance the effective application of the Act and the regulations by government institutions and to facilitate statutory and regulatory compliance, the President of the Treasury Board issued the Policy on Privacy Protection (the Policy) pursuant to paragraph 71(1)(d) of the Act.

    The sole exception to paragraph 71(1)(d) relates to the Bank of Canada. As per subsection 71(2), the Governor of the Bank of Canada is responsible for the preparation and distribution of the directives and guidelines concerning the Act and its regulations in relation to the Bank of Canada.

    Top of Page

    2.1.2 The Treasury Board of Canada Secretariat (TBS)

    TBS issues direction and guidance to government institutions with respect to the administration of the Act and interpretation of the policy instruments. The Privacy and Responsible Data Division of TBS assists the President of the Treasury Board in carrying out their duties outlined below by developing policy instruments, guidance and tools, offering training, and providing advice and leadership to the ATI and Privacy communities.

    Section 5.2 of the Policy states that TBS is responsible for supporting the President of the Treasury Board with regard to handling personal information requests in the following ways:

    • issuing direction and guidance to government institutions with respect to the administration of the Act and interpretation of the policy and its supporting instruments
    • approving exceptions to any requirement contained in the policy or its supporting instruments; TBS must advise the OPC of any exceptions that are granted that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians
    • prescribing forms and platforms to be used in the administration of the Act, as well as the form and content of the annual report to Parliament
    • publishing annually an index of personal information under the control of government institutions that is confirmed to be up to date; this practice has been decentralized and now falls to each institution to publish on their respective public websites
    • working with the Canada School of Public Service to integrate knowledge elements related to the Act and associated policy instruments into required training courses, programs and knowledge assessment instruments

    The monitoring and reporting responsibilities of TBS to support the administration of the Act are found in sections 5.2.4 and 5.2.5 of the Policy. They are:

    • regularly reviewing the policy, its related directives, mandatory procedures, standards, guidelines, forms and prescribed platforms to assess their continued effectiveness and accuracy; when substantiated by risk-analysis, TBS will also ensure that an evaluation is conducted
    • overseeing compliance with this policy and its supporting instruments across government institutions, leveraging existing reporting mechanisms as appropriate

    The consequences for non-compliance with the policy and its related instruments are found in section 7 of the Policy. They are:

    • for those government institutions that do not comply with the policy and its related instruments, there may be a requirement to provide additional information relating to the development and implementation of compliance strategies in their annual report to Parliament, or to TBS directly; this reporting may be in addition to other reporting requirements
    • TBS will work collaboratively with heads of institutions or their delegates to restore compliance
    • for those government institutions subject to the Management Accountability Framework (MAF), and to the extent that privacy protection is considered in the performance measurement indicators of the MAF, non-compliance with respect to the policy and its related instruments will be reported in the assessment prepared as part of the MAF process
    • on the basis of analysis of monitoring and information received, the President of the Treasury Board may make recommendations to the head of the government institution; these recommendations could include prescribing any additional reporting requirements, as outlined above.
    Top of Page

    2.1.3 The Department of Justice Canada

    The Department of Justice Canada supports the Minister of Justice in carrying out their duties under the Act. As part of its mandate under the Department of Justice Act, the Department of Justice Canada provides legal advice and services to the government and client departments and agencies, and represents the Crown in judicial reviews before the Federal Court, the Federal Court of Appeal and the Supreme Court of Canada. The Department of Justice Canada also provides legal advice on the application of section 70 of the Act, as explained in Chapter 11 [pending] of this manual. For their role with respect to the application of section 27 of the Act, see section 10.14 of this manual.

    Top of Page

    2.1.4 The Privy Council Office

    The Clerk of the Privy Council and Secretary to the Cabinet is responsible for ensuring the integrity of the Cabinet process and the stewardship of the documents that support this process. As custodian of confidences of the King’s Privy Council for Canada of the current and previous ministries, they are responsible for policies on the administration of these confidences and for the ultimate determination of what constitutes such confidences and must be consulted in a manner consistent with the guidance set out in Chapter 11 [pending] of this manual.

    Top of Page

    2.1.5 Access to Information and Privacy (ATIP) coordinator

    Each institution designates an official to serve as ATIP coordinator. This individual is responsible, on behalf of the head and deputy head of the institution, for ensuring compliance with the Act, Regulations and policy instruments. In many institutions, the head of an institution delegates some or all of their powers, duties and functions under the Act to the ATIP coordinator. As per 4.2.35 of the Policy, the head or their delegate must provide the contact information of the appropriate officer to receive personal information or correction requests, which will be then published on the prescribed contact list. In most cases this person is the ATIP coordinator.

    Top of Page

    2.1.6 The Privacy Commissioner of Canada

    The Privacy Commissioner (the Commissioner) is an Agent of Parliament who receives and independently investigates complaints from individuals regarding the handling of their personal information by federal government institutions and from requesters who believe that government institutions have not respected their rights of access under the Act.In addition, the Commissioner has the authority to conduct compliance reviews of the privacy practices of government institutions as the practices relate to the collection, creation, retention, accuracy, use, disclosure and disposal of personal information by government institutions subject to the Act.

    The Commissioner may self-initiate complaints when they are satisfied there are reasonable grounds to investigate a matter under the Act. The Commissioner reports findings and may make recommendationswith respect to any matter that has been investigated or reviewed. The Commissioner can also initiate or intervene in court proceedings.

    The Commissioner reports to Parliament on the activities of the OPC after each financial year. They may also make special reports to Parliament referring to and commenting on any matter within the scope of the powers, duties and functions of the Commissioner. The Commissioner is subject to strict confidentiality obligations. As such, they may only speak publicly about a complaint and the findings from an investigation following the tabling of the related report in Parliament.

    Chapter 12 [pending] of this manual provides additional information on the Commissioner’s role and the complaint process with respect to personal information requests.

    More information regarding the OPC can be found on its website, including its role with respect to both the Privacy Act and Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, and the work conducted by its Policy and Promotion Sector.

    Top of Page

    2.1.7 Review by the Canadian judicial system

    The Federal Court examines applications for court reviews submitted by requesters or the Privacy Commissioner regarding the non-disclosure of personal information in response to requests submitted pursuant to section 12 of the Act. Any party to a review may appeal to the Federal Court of Appeal and, ultimately, seek permission to appeal to the Supreme Court of Canada.

    Chapter 12 [pending] of this manual provides additional information on reviews by the Federal Court.

    Top of Page

    2.1.8 Parliamentary committees

    The House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (the ETHI Committee) studies and reports on matters referred to it by the House of Commons or on topics the Committee itself chooses to examine.

    The ETHI Committee’s mandate is defined in paragraph 108(3)(h) of the Standing Orders of the House of Commons. Its responsibilities in relation to the Act include the following:

    • reviewing and reporting on the effectiveness, management and operations of the OPC and its operational and expenditure plans
    • reviewing and reporting on any federal legislation, regulation or standing order that impacts on privacy
    • proposing, promoting, monitoring and assessing initiatives that relate to privacy
    Top of Page

    2.2 Responsibilities of government institutions

    2.2.1 Heads of government institutions

    The head of every institution is responsible for carrying out their responsibilities set out in the Act, the regulations, the policy, and the related directives and standards within the institution, and holds responsibility for decisions made in this regard.

    For the purposes of the Act, the head of a government institution is the minister in the case of departments and ministries of state. For other government institutions subject to the Act, the head is the person designated by order in council. If no such person is designated, it is the chief executive officer of the institution, whatever their title. Examples include the President of the Treasury Board for TBS, the Minister of Health for Health Canada, the Master of the Royal Canadian Mint (President) and the President and Chief Executive Officer for certain Crown corporations such as the Canadian Broadcasting Corporation and Via Rail Canada Inc.

    The responsibilities of heads under the Act with regard to the handling of personal information requests are:

    The responsibilities of heads under the Regulations are as follows:

    • retain for a period of at least two years a copy of every request for access to personal information received and a record of any information disclosed pursuant to such a request (section 7)
    • when access to personal information is given by means of an opportunity to examine the information, provide reasonable facilities and set a convenient time for the examination (section 9)
    • respond to requests for correction of personal information (subsections 11(2) and 11(4))
    • authorize the disclosure of information relating to the physical or mental health of an individual (sections 13 and 14)

    Sections 4.1 and 4.2 of the Policy and section 4.1 of the Directive on Personal Information Requests and the Correction of Personal Information (the Directive) set out additional responsibilities of heads or their delegates with regard to the handling of personal information requests.

    Upon being named head of the institution, the head decides whether to delegate their powers, duties and functions under the Act pursuant to section 73. The head or the delegate makes final decisions. As mentioned in section 2.1.5 of this chapter, many heads of institutions delegate all their powers, duties and functions under the Act to the ATIP coordinator. 

    Section 2.3 of this chapter provides additional explanations on delegation.

    Top of Page

    2.2.2 The Access to Information and Privacy Office

    The main responsibilities of the ATIP Office for the handling of personal information requests are as follows:

    1. Processing personal information and correction requests: The ATIP Office responds to all requests received under the Act in accordance with the provisions of the Act and the Regulations, jurisprudence, and the policies and directives issued by the President of the Treasury Board. This processing requires the following:
      • exercising discretion in a fair, reasonable and impartial manner with respect to decisions made in the processing of requests and resolution of complaints
      • assisting requesters, including protecting their identity and only disclosing the name of the requester to those who have a need to know, clarifying requests as needed, and providing access in the format and language requested when it enables the requesters to exercise their right of access
      • establishing a procedure to confirm the identity of the requester, the authority of an individual to make a request on behalf of another, and the right of access under the Act (see the Privacy Implementation Notice 2022-02: Identity Verification for Personal Information Requests for more guidance)
      • establishing a procedure for providing complete, accurate and timely responses to personal information and correction requests
      • communicating with requesters to acknowledge receipt of requests, to advise them of their right to complain to the Commissioner and to clarify requests, as needed
      • developing and implementing institutional procedures and practices for the application of the Act
      • determining whether personal information is under the control of the government institution and therefore subject to a request for access
      • consulting program managers, senior management, legal advisors, TBS, the Department of Justice Canada (as applicable), the Privy Council Office, third parties and other government institutions as needed
      • making decisions regarding requests when this authority has been delegated to the ATIP coordinator or other employees of the ATIP Office
    2. Performing related duties: The ATIP Office performs other duties related to personal information and correction requests, including the following:
      • determining whether to treat a request informally and seeking the consent of the requester to treat it accordingly
      • responding to consultations from other government institutions
      • ensuring compliance with the requirements of the Act, the regulations and any other ATIP policy instrument issued by TBS
      • drafting reports and other documents required by central agencies
      • ensuring the training and development of ATIP personnel; the ATIP office must document the completed training of employees who have a functional or delegated responsibility for the administration of the Act or regulations
      • ensuring and documenting the training of all the institution’s employees on their obligations under the Act and policy suite
      • proactively taking steps to resolve complaints and privacy concerns of Canadians prior to engagement with the formal complaint process, and taking responsibility and steps for corrective action
      • participating in the resolution of complaints filed with the OPC and court reviews, which requires explaining the institution’s decisions concerning the application of the Act
      • contributing, with TBS, to the review of policy instruments related to the Act
    3. Providing facilities for the examination of information, in accordance with paragraph 9(a) of the Regulations.
    4. Providing advice and expertise to employees of the institution, including training and awareness sessions on the Act and employees’ responsibilities as per Appendix B of the Directive.
    5. Ensuring that contracts and agreements with private and public sector entities include measures to ensure the institution meets the requirements of the Act, the Policy on Privacy Protection and the Directive on Privacy Practices. Section 4.2.24.7 of the Directive on Privacy Practices requires contracts and agreements to include provisions that address the obligation to coordinate when there is a personal information request, while section 4.2.24.6 highlights the institution’s continued control of any personal information disclosed.
    6. Considering other means of making government information available by reviewing the nature of requests received and assessing the feasibility of making frequently requested types of information available by other means.
    7. Contributing to Info Source: The ATIP Office must prepare, publish or review as required at least once a year the institution’s chapter in Info Source, in accordance with the guidance document Info Source Online Publishing Requirements .
    8. Preparing the annual report to Parliament on the administration of this Act within the government institution, in accordance with paragraph 71(1)(e) and section 72 of the Act and providing a copy in each official language to TBS and the Privacy Commissioner once it has been tabled.
    9. Collecting statistics on institutional activities related to the administration of the Act and submitting annually a statistical report to TBS, in accordance with established requirements distributed by TBS.
    Top of Page

    2.2.3 Employees of the government institution

    The employees of government institutions play a key role in processing requests for personal information or corrections, providing relevant records, and making recommendations on their disclosure. To accomplish this, it is important that all employees manage their records effectively and meet the timelines established by the ATIP Office.

    Section 4.2 of the Directive on Personal Information Requests and Correction of Personal Information states that the following are responsibilities of employees of government institutions:

    • 4.2.1 Recommending to the head or the delegate, when appropriate, that information requested be disclosed informally
    • 4.2.2 Making every reasonable effort to search, locate and retrieve the requested personal information under the control of the government institution
    • 4.2.3 Ensuring searches for records are comprehensive and consider both the letter and the spirit of the request
    • 4.2.4 Referring questions about whether the personal information is under the control of the government institution to ATIP officials with delegated authority for their determination
    • 4.2.5 Advising ATIP officials at an early stage if a request cannot be responded to within the legislated 30-day timeframe
    • 4.2.6 Making every reasonable effort to respond to requests within the timelines prescribed in the Act, including extensions taken in accordance with the Act
    • 4.2.7 Providing recommendations and contextual information to inform the head of the government institutions, or their delegate, about possible exemptions or exclusions applicable to the personal information, taking into account the purpose of the Act
    • 4.2.8 Establish measures to support an individual’s right of access to their personal information when entering into contracts, arrangements and agreements

    The definitions of the terms “comprehensive search,”“control of records,”and “reasonable effort”are found in Chapter 3 [pending]. Guidance on how to meet these requirements are found in Chapters 5, 6, 9 and 10.

    Top of Page

    2.3 Delegation

    The following discussion of delegation is intended to be general in nature and does not cover all eventualities.

    2.3.1 Definitions

    Delegate

    The term “delegate”is defined in Appendix A of the Policy as “an officer or employee of a government institution or of another government institution within the same ministerial portfolio when there is a service-sharing agreement between the two government institutions, who has been delegated to exercise or perform the powers, duties and functions of the head of the institution under the Act.”

    Top of Page

    2.3.2 Relevant legislative provisions

    Section 73 of the Privacy Act

    Section 73 of the Act provides that the head of a government institution may, by order, delegate any of their powers, duties or functions under the Act to one or more officers or employees of that institution. More information on delegation orders can be found in section 2.3.12 of this chapter.

    Section 73.1 of the Privacy Act

    Section 73.1 provides for service sharing between institutions within the same ministerial portfolio, pursuant to a written agreement between the institutions regarding those services. The head of the institution receiving the services must provide a copy of the written agreement to the OPC and TBS as soon as possible after entering into the agreement. They must also be notified if there are any material changes to that agreement. As appropriate, the service providing institution may charge fees for the services, but these must not exceed the cost of providing the service. They would then have the spending authority for these funds received during the fiscal year they are received, unless an appropriation Act provides otherwise.

    If a written service-sharing agreement is established, the head of a government institution may delegate any of their powers, duties or functions under this Act to one or more officers or employees of another government institution.

    Subsection 24(2) of the Interpretation Act

    The courts have acknowledged that a minister is not expected to personally exercise all authorities conferred on that minister and that, in certain circumstances, departmental officials may act for their minister in exercising their statutory powers. This authority to act for a minister of the Crown has been formally codified and is reflected in subsection 24(2) of the Interpretation Act.

    Paragraph 24(2)(c) of the Interpretation Act states that a deputy minister can exercise the powers of the minister. Therefore, when no other officer or employee of the institution has been designated to act on behalf of the minister, it is not necessary for a minister to delegate to their deputy minister.

    If the minister does not sign a delegation order, paragraph 24(2)(d) of the Interpretation Act authorizes public service employees working within the institution to perform the duties outlined in the Privacy Act. In order to act for a minister, a person must:

    • be a public servant employed in the department or organization for which the minister is responsible
    • serve in a capacity within the department such that the person can reasonably be expected to exercise the power of the minister

    Note that exempt staff in a minister’s office, more commonly known as political staff, are not authorized to exercise the powers, duties and functions of the head of the institution.

    Where the head of the institution is a minister of the Crown who does not preside over the institution but is responsible for it, and in the absence of a delegation order, the minister must exercise personally the powers, duties and functions of the head of the institution.

    Subsection 24(4) of the Interpretation Act applies when the head of the institution is a public officer other than a minister of the Crown. Pursuant to that provision, the powers of the public officer may be exercised by their successors in the office or by a deputy. A deputy is generally an officer who serves in a position immediately below the public officer in the hierarchy and whose function is chiefly to support the public officer and assist in the exercise of their functions. A public officer usually has one deputy but, in some institutions, there may be more than one deputy.

    If there is a delegation order, subsections 24(2) and 24(4) of the Interpretation Act do not apply and officials cannot implicitly assume a right to act in the head’s name (see the decision Leahy v. Canada (Citizenship and Immigration) 2012 FCA 227, paragraph 84). Only the head or the delegate(s), acting within the scope of the delegation, may exercise the powers of the head of the institution.

    Top of Page

    2.3.3 Policy requirements

    The Policy on Privacy Protection requires the head of an institution to consider whether delegation is appropriate. The Policy specifies that, in cases where the head decides to delegate, a delegation order must be signed, and delegated officers or employees must be at an appropriate level to be able to fulfill the duty.

    In addition, section 4.1.2 of the Policy sets out the considerations that the head of an institution must respect when delegating. These considerations are as follows:

    • powers, duties and functions are:
      • delegated only to officers and employees of their government institution, or of another government institution within the same ministerial portfolio when there is a service-sharing agreement between the two government institutions
      • not delegated to consultants, members of a minister’s exempt staff, employees of other government institutions with which there is no service-sharing agreement, or to individuals from the private sector
      • delegated to positions identified by title, not to individuals identified by name
    • delegates understand that they are accountable for any decisions they make, but ultimate responsibility remains with the head of the government institution
    • delegates are at the appropriate level to be able to fulfill the duties of their delegated authorities and are well informed of their responsibilities
    • delegates cannot further delegate powers, duties and functions that have been delegated to them, although employees and consultants may perform tasks in support of delegates’ responsibilities
    • delegation orders are reviewed when the circumstances surrounding the delegations have changed; a delegation order remains in force until it is replaced
    Top of Page

    2.3.4 What can be delegated?

    Any of the powers, duties and functions assigned to the head of the institution under the Act may be delegated. The relevant provisions of the Act describing the powers, duties or functions that may be delegated are listed in Appendix B of the Policy.

    The responsibilities of the head of a federal institution include responding to requests made under the Act. Although not specifically mentioned in the Act, this necessarily implies that such requests be processed. Consulting other institutions and responding to consultations received from other federal institutions are essential parts of processing requests received under the Act. Therefore, when the head delegates the duty to respond to requests received under the Act, such delegation includes the duty to process the requests, to consult as required, and to respond to consultations received from other institutions.

    Top of Page

    2.3.5 Who can delegate?

    Only the head of a government institution, as defined in section 3 of the Act, is authorized to issue the delegation. For departments or ministries of state, the head is the minister. For other institutions, it is the person who has been designated to be the head of the institution by the Governor in Council or, if no such person is designated, the chief executive officer of the institution, whatever their title.

    In general, the head of an institution cannot delegate the power to delegate. However, where the head is a minister, the power may be exercised by their “deputy”pursuant to paragraph 24(2)(c) of the Interpretation Act.

    Top of Page

    2.3.6 Who can receive the delegation?

    The head of the institution can delegate to officers and employees of their institution under subsection 73(1). This means that consultants, ministerial staff or employees outside the institution cannot be designated in the delegation order. Under subsection 73(2) of the Act, the head of an institution can, by order, delegate to employees of another institution if the other institution is presided over by the same minister or falls under the responsibility of the same minister. A written agreement between both institutions is required prior to providing services to another institution.

    The Policy requires that the officers or employees be at the appropriate level, that is, that they be appointed to serve in a capacity appropriate to fulfilling the duty. Factors such as position and job description, hierarchical relationships and geographical location should be considered when assessing whether the person could reasonably be expected to exercise the powers within the institution.

    Top of Page

    2.3.7 Can powers, duties and functions that have been delegated be further delegated?

    As noted in subsection 4.1.2.4 of the Policy, powers, duties and functions that have been delegated cannot be further delegated. Tasks may nevertheless be performed by employees, officials or consultants in support of the powers, duties and functions that are the responsibilities of the delegates.

    Top of Page

    2.3.8 Who can exercise the powers, duties and functions?

    If there is no delegation order

    Subsection 24(2) of the Interpretation Act clarifies the power to act for ministers of the Crown. Its wording is as follows:

    “24(2) Words directing or empowering a minister of the Crown to do an act or thing, regardless of whether the act or thing is administrative, legislative or judicial, or otherwise applying to that minister as the holder of the office, include

    • “a. a minister acting for that minister or, if the office is vacant, a minister designated to act in the office by or under the authority of an order in council;
    • “b. the successors of that minister in the office;
    • “c. his or their deputy; and
    • “d. notwithstanding paragraph (c), a person appointed to serve, in the department or ministry of state over which the minister presides, in a capacity appropriate to the doing of the act or thing, or to the words so applying.”

    Where the head of the institution is a minister of the Crown presiding over a department or a ministry of state, in the absence of a delegation order a minister acting, a minister’s successor(s), the deputy minister, and officers or employees of the department are authorized, pursuant to paragraphs 24(2)(a) through (d) of the Interpretation Act, to make any decision delegated by statute to the minister, for and in the name of the minister.

    Where the head of the institution is a minister of the Crown who does not preside over the institution but is responsible for it and in the absence of a delegation order, the minister must exercise personally the powers, duties and functions of the head of the institution. For example, the Minister of Public Safety and Emergency Preparedness is the head of the Canada Border Services Agency but does not preside over the Agency.

    Where the head of the institution is a public officer other than a minister of the Crown and in the absence of a delegation order, the deputy is authorized to exercise the powers of the head pursuant to subsection 24(4) of the Interpretation Act.

    If there is a delegation order

    After an express delegation has been made, the specified powers may be exercised only by the head or by the delegate. When the delegate is absent or incapacitated and the delegation passes to another position, the person occupying that position may also make decisions. Similarly, a person occupying the position of the delegate on an interim basis may make decisions. No other officer or employee, from the deputy minister or deputy head to ATIP officials, has the legal authority to make decisions unless expressly stated in the delegation instrument.

    Even when a delegation has been issued, the head retains the power to make the decision and may do so as long as the delegate has not already communicated the decision to the requester. The head is not required to obtain input from the delegate before making a determination, although it is entirely appropriate to seek input from the delegate and other officials of the institution.

    Similarly, it is entirely appropriate for the authorized delegate to request input from other public service employees and consultants prior to making a decision. Consultation is not only legally permissible; it may also be administratively and practically necessary. The only limitation is that those consulted cannot be allowed to dictate the outcome of the exercise of statutory discretion, as that would amount to fettering of discretion. In the decision Do-Ky v. Canada (Minister of Foreign Affairs and International Trade) (T.D.) [1997] 2 F.C. 907, the Federal Court stated it is “not a fettering of discretion to seek advice from the government departments most knowledgeable and directly involved with the situation at hand. In fact, not to do so would be irresponsible. Provided that the individual who is responsible for exercising the discretion in fact turns [their] mind to the issues and weighs and considers all the facts, there is no fettering of discretion.”

    Processing the requests

    As mentioned above, the powers, duties and functions assigned to the head of the institution may be delegated only to officers and employees of the institution or if there is a service-sharing agreement in place, to employees of another government institution within the same ministerial portfolio. Tasks may nevertheless be performed by employees or officers in support of the powers, duties and functions that are the responsibilities of the delegates.

    Furthermore, nothing in the Act prevents a consultant or an employee from another institution from processing personal information requests if the following conditions are met:

    • contracts for consulting services contain confidentiality clauses to ensure that security obligations are met, as well as the requirements of the Act regarding the collection, use and disclosure of personal information
    • when employees from other institutions are mandated to process requests:
      • legislative or regulatory authority exists to allow one government institution to process personal information requests received by another institution
      • the disclosure of the personal information requests and related personal information complies with subsection 8(2) of the Act: such disclosure is a “consistent use”; if it is not already described in the relevant personal information bank, the institution is required to notify the Privacy Commissioner and amend the personal information bank as per subsection 9(4) of the Act
    Top of Page

    2.3.9 Can the head overturn decisions of the delegate?

    The statutory power of a head that has been validly delegated to an official may be exercised either by the head of the institution or by the delegate. When a delegate is tasked with the review of documents and the preparation of the response letter and presents them to the head for their approval and signature, it is the head who is making the decision, not the delegate. When the delegate approves the decision regarding the disclosure of the documents and signs the response letter in their own name, it is the delegate who makes the decision.

    Until a decision regarding access to personal information has been communicated to the requester, it may be revisited by the head or the delegate during the internal processing phase. However, once a delegate makes a valid determination or decision in the proper exercise of the delegated power and has communicated the decision to the requester, the head cannot re-examine the matter or substitute their decision for that of the delegate, unless there is a complaint or a decision by the Federal Court.

    Given the purpose of the Act, when a complaint has been made to the OPC or a request for judicial review presented to the Federal Court, decisions to give or refuse access to personal information may be revisited by the head or the delegate at any point until the completion of the Privacy Commissioner’s investigation or until the Federal Court renders its decision. If, for example, a delegate initially refused to give access to personal information during the processing of a request, the head can subsequently decide to release the information during the investigation of a complaint. More on Investigations and Reviews is found in Chapter 12 [pending].

    Top of Page

    2.3.10 Who has responsibility for decisions made under the Act?

    Once a delegation order is signed, delegates are accountable to the head of the institution for any decisions they make. Delegates exercise the powers in their own name because they are authorized to act. Ultimate responsibility, however, always rests with the head of the government institution.

    If there is no delegation order, accountability remains with the head of the institution. An officer or employee of the department who exercises powers under subsection 24(2) or subsection 24(4) of the Interpretation Act does so on behalf of the head.

    In both cases, public service employees should be clearly informed of their specific obligations with respect to the Privacy Act.

    Top of Page

    2.3.11 Validity of decisions made without proper delegation

    If someone does not properly hold the authority to exercise the powers and purports to do so, the resulting decisions may be challenged through judicial review proceedings and set aside.

    Decisions and statutory functions that are administrative in nature or that require very little discretion (for example, providing access in a particular official language or in an alternative format) may be made by a competent person without concern about legal challenge. Where the decision requires the exercise of some discretion, such as applying a discretionary exemption or not, only the person who has the proper authority may make the decision. A court may declare the decision invalid if it is made by someone who does not have the proper authority.

    Top of Page

    2.3.12 The delegation order

    After careful consideration, the head of the institution may decide to delegate any or all their powers, duties or functions under the Act to one or more officers or employees of the institution. In such cases, institutions are required by policy to have in place a current delegation order signed by the head of the institution that stipulates the responsibilities delegated to particular officials.

    Instructions issued pursuant to subsection 71(1) of the Act make it mandatory for institutions to include a copy of the signed delegation order in their annual report to Parliament. If there has been no delegation, a statement to that effect must be included in the annual report. If multiple delegation orders were in effect throughout the year, a copy of the order that was in effect on March 31 of the reporting year must be included.

    Signed delegation orders should be stored in a manner that allows them to be easily accessed and produced to confirm an officer’s authority to act under the Act.

    What the delegation order should contain

    When the head delegates responsibilities, they must specify in the delegation order what powers, duties and functions are delegated.

    The Policy requires the head to identify the delegates by position title, not by name, to allow greater flexibility. When delegation is to the position rather than a named individual, a new delegation is not required when a new appointee assumes the position or when someone is acting in the position. It is recommended that the delegation order also recognize another position to which delegation passes if the occupant of the original position is absent or incapacitated. For example, an order giving full delegation to the person holding the position of ATIP coordinator could stipulate that if they are absent or incapacitated for more than five working days, full delegation is given to the person holding the position of director general, assistant deputy minister or deputy minister.

    It is also recommended that delegated authority be given to more than one officer or employee who is responsible for resolving issues during the investigation of a complaint or a review by the Federal Court.

    The following questions should be considered when preparing a delegation order:

    • Has the correct person (that is, the head of the institution or, when the head is a minister, the deputy minister) delegated the power or duty in question?
    • Has the delegated authority been correctly and clearly described or identified in the delegation order?
    • Should full authority for the administration of the Act be delegated to the ATIP coordinator?
    • Should more than one person have delegation? Should deputy ministers and senior managers also be named in the delegation order?
    • Are functions delegated as far down within the ATIP Office as possible? For example, extensions and third-party notices can be delegated to ATIP officers as well as to the ATIP coordinator.
    • Does the delegation order give authority to more than one officer or employee to resolve issues with the Privacy Commissioner?
    • Do the delegates have sufficient knowledge of the Privacy Act and the Access to Information Act to properly exercise the delegated powers?

    The Privacy and Responsible Data Division’s website provides a fact sheet, Delegation Under the Access to Information Act and the Privacy Act, which contains examples of delegation orders.

    How long a delegation order remains in force

    A delegation order remains in force until such time as it is reviewed and revised by the head of the institution. If the delegation order specifies an individual, that individual’s departure or inability to act will render the order unusable unless another individual or position is also named. Therefore, to avoid this outcome, the Policy requires that the head identify the delegates by position or title and not by name.

    The delegation order remains in force even when a new head is appointed, be it during a writ period or following a federal election or by-election. The fact that a current head has not issued their own order is not critical because the appointment of a new head does not nullify the actions taken by their predecessor.

    When a delegation order should be reviewed

    While the delegation order remains in force upon the appointment of a new head, section 4.1.2.5 of the Policy requires that the delegation order be reviewed when circumstances surrounding the delegation have changed. It is recommended that the order be revised as soon as practicable to reflect the preferences of the new head.

    The requirement to review the delegation order may arise in other circumstances, such as changes in personnel, restructuring of the organization, transfers of programs or portions of programs, merging of institutions, and changes in the mandate of the institution. (Where institutions have been merged or where programs or portions of programs have been transferred, the authority for decisions under the Act rests with the new head.)

    If a new delegation order is required, it should be put in place as soon as possible in order to reduce any potential for disruption of the processing of requests.

    Summary
    If there is a delegation order If there is no delegation order

    The head can delegate to one or more officers and employees of their government institution or another government institution within the same ministerial portfolio when there is a service-sharing agreement between the two government institutions. Consultants, members of a minister’s exempt staff, or employees of other government institutions or from the private sector cannot be named in the delegation order.

    Not applicable

    Subsections 24(2) and 24(4) of the Interpretation Act do not apply.

    Subsection 24(2) of the Interpretation Act applies to departments and ministries of state. Subsection 24(4) of the Interpretation Act applies to other government institutions.

    Only the delegate(s) and the head may exercise the powers, duties and functions of the head.

    In the case of departments and ministries of state over which a minister of the Crown presides, the powers, duties and functions of the head may be performed by an officer or employee of the department or ministry of state, including the deputy minister, appointed to serve in a capacity appropriate to fulfilling the duty.

    In cases where the head of the institution is a minister of the Crown who does not preside over the institution, but is responsible for it, the minister must exercise personally the powers, duties and functions of the head of the institution.

    In the case of other government institutions, the deputy of the head may exercise the powers, duties and functions of the head.

    Exempt staff in a minister’s office are not authorized to exercise the powers, duties and functions of the head of the institution.

    Exempt staff in a minister’s office are not authorized to exercise the powers, duties and functions of the head of the institution.

    Tasks may be performed by employees, officers or consultants in support of the powers, duties and functions that are the responsibilities of the delegates and the head.

    Tasks may be performed by employees, officers or consultants in support of the powers, duties and functions that are the responsibilities of the head.

    Delegates exercise the powers in their own name.

    An officer or employee who exercises powers under subsection 24(2) or subsection 24(4) of the Interpretation Act does so on behalf of the head.

    Once a delegate makes a decision in the proper exercise of the delegated power and has communicated the decision to the requester, the head cannot reassess the decision of the delegate. The head can revisit the decision during the investigation of a complaint or a review by the Federal Court.

    Once an officer or an employee has communicated the decision to the requester, the head cannot reassess the decision of the officer or employee. The head can revisit the decision during the investigation of a complaint or a review by the Federal Court.

    Delegates are accountable to the head of the institution for any decisions they make. Ultimate responsibility, however, always rests with the head of the government institution.

    Accountability remains with the head of the institution.
    Top of Page

    2.4 Service sharing

    In June 2019, the Privacy Act was amended by Bill C-58 to introduce the ability for institutions to share ATIP services between institutions within the same ministerial portfolio.

    Section 4.2.17 of the Policy requires that institutions ensure the requirements of section 73.1 of the Act are respected when entering into a service-sharing agreement.

    There are several key legal and policy considerations when establishing a service-sharing agreement between two institutions within the same ministerial portfolio:

    • Governance: ATIP offices often participate in departmental committees, and report to senior management and communications units. Consideration will need to be given to how governance will work when ATIP services are shared. Which committees will the ATIP office be accountable to? How will senior management and communications be engaged? How will competing priorities and approaches within institutions be resolved?
    • Human resources: Service sharing may assist institutions where one institution may have more resources dedicated to ATIP, including software or greater experience in processing requests.
    • Information technology: Distinct systems, or partitions within systems, may be necessary to ensure it is clear which institution has control of the records and information.
    • Financial: The Act allows for the institution providing the service to charge a fee that does not exceed the cost of the service. Allocation of funding and the tracking of costs per institution, including corporate costs such as human resources services, should be considered when establishing a service-sharing agreement.

    As per section 4.2.18 of the Policy, the head of the institution that receives the services must provide a copy of any new service-sharing agreement, and any material changes to an existing service-sharing agreement, to the President of the Treasury Board and to the Privacy Commissioner as soon as possible after entering into the agreement or after any material changes arise.

    Top of Page

  • Chapter 4 – Info Source

    Date updated: 2022-12-09
    ATI Manual Cross-reference

    4.1 Sources of Federal Government Information Published by Institutions

    All government institutions subject to the Access to Information Act (ATIA) and the Privacy Act publish an inventory of their information holdings as well as relevant details about personal information collections under their control, in accordance with subsection 5(1) of the ATIA and section 11 of the Privacy Act.

    The current designated repository, as defined by TBS per 4.2.15 of the Policy on Privacy Protection, is known as “Info Source.” Each institution must have a repository and update it annually, as per 4.3.22 of the Policy on Access to Information. TBS centrally indexes these pages to facilitate public access.

    These pages provide information about the functions, programs, activities, and related information holdings of government institutions, including an updated list of the institution’s personal information banks (PIBs), as per 4.2.15 of the Policy on Privacy Protection. A PIB does not actually contain personal information; rather, it describes personal information that is collected, used, or disclosed by the institution in relation to a particular function, program, or activity. The published PIB descriptions, and the descriptions of other classes of information held by the institution may assist individuals in exercising their rights under the Privacy Act to request access to their personal information or exercising their rights under the Access to Information Act to make a request for government records.

    All personal information held by an institution, in its official record keeping system or elsewhere under its control, must be described in these pages: either within a PIB description, or within a description of other classes of personal information held by the institution.

    Personal information held by an institution must be described in a PIB when an institution collects personal information which falls into one of two categories:

    1. Personal information has been used, is being used or is available for use for an administrative purpose, which the Privacy Act defines as being used in a decision-making process that directly affects that individual; or
    2. Personal information is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. An identifying number could include the Social Insurance Number, Personal Record Identifier (PRI) or any other number. A particular assigned to an individual could include a home or other residential address.

    In accordance with section 11 of the Privacy Act, all PIB descriptions in the repository of information holdings (referred to in the Privacy Act as the “Personal Information Index”) must include the following:

    • the identification and a description of the bank, the registration number assigned to it by the designated Minister pursuant to paragraph 71(1)(b) and a description of the class of individuals to whom personal information contained in the bank relates,
    • the name of the government institution that has control of the bank,
    • the title and address of the appropriate officer to whom requests relating to personal information contained in the bank should be sent,
    • a statement of the purposes for which personal information in the bank was obtained or compiled and a statement of the uses consistent with those purposes for which the information is used or disclosed,
    • a statement of the retention and disposal standards applied to personal information in the bank, and
    • an indication, where applicable, that the bank was designated as an exempt bank by an order under section 18 and the provision of section 21 or 22 on the basis of which the order was made.

    Alternatively, if personal information is being collected, but does not fall into one of the two categories listed above, it must be accounted for in a class of personal information. Personal information may also be collected for non-administrative purposes, for instance, when institutions conduct research activities or statistical analyses. It may not be intended to be retrievable, whether by the name of an individual or by an identifying number, symbol of other particular assigned to an individual. A class of information must be published on the “Info Source” site and include:

    • a description of the class in sufficient detail to facilitate the right of access under this Act, and
    • the title and address of the appropriate officer for each government institution to whom requests relating to personal information within the class should be sent.

    In addition to the institution-specific PIBs and classes described above, there are two additional types of PIBs:

    1. Standard PIBs are created and maintained by the Privacy and Data Protection Division within TBS. They describe personal information that is contained in records of most government institutions to support common internal services. These include personal information relating to human resources management, travel, corporate communications and other administrative services.
    2. Central PIBs describe personal information that may be found in all, or several government institutions, and are maintained by a central federal government department or agency, such as the Public Service Commission, Public Services and Procurement Canada, or TBS. An example of a central PIB is TBS’ Entitlements and Deductions System PIB, TBS PCE 741, that captures pay and benefits data and is used for planning, implementing, evaluating and monitoring government policies.

    For additional information about PIBs or publishing requirements for “Info Source,” please refer to the following guidance:

    1. Info Source Online Publishing Requirements
    2. The Privacy Practices Manual (TBD).

    Individuals may file a complaint to the Privacy Commissioner relating to the Info Source publications.

    Top of Page

    4.2 Sources of Federal Government Information Published by TBS

    Subsection 5(2) of the Access to Information Act requires that the designated Minister cause to be published, at least twice a year, a bulletin that updates the annual publication and provides other useful information about the Access to Information Act. In practice, the bulletin, which consists of two publications, also provides useful information on the Privacy Act.

    1. The Statistics on the Access to Information and Privacy Acts publication provides an annual compilation of statistical information about requests made under the Access to Information Act and the Privacy Act, as well as an historic perspective since the promulgation of both Acts. This is supported by requirements set out in 4.3.21 of the Policy on Access to Information and 4.2.34 of the Policy on Privacy Protection to provide TBS with a statistical report on the administration of the respective Acts within the institution.
    2. The Federal Court Decision Summaries publication is an annual summary of Federal Court, Federal Court of Appeal and Supreme Court of Canada cases related to both Acts.

    Subsection 5(4) of the Access to Information Act requires the designated Minister to ensure that the bulletin is made available throughout Canada in conformity with the principle that every person is entitled to reasonable access to the bulletin. This is achieved in practice by publishing the bulletin on TBS’s Access to information and privacy page.

    Top of Page

  • Chapter 7 – Time limits

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    7.1 Statutory deadline

    Section 14 of the Privacy Act (the Act) requires the head of a government institution to respond to a personal information request made under subsection 12(1) within 30 days after the request is received, subject to section 15 of the Act. The head of a government institution must:

    • give the requester written notice as to whether or not access to the personal information or part thereof will be given; and
    • if access is to be given, give the requester the information or appropriate part thereof

    This is reiterated in subsections 4.1.29 and 4.1.30 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive).

    Subsection 4.2.22 of the Policy on Privacy Protection requires the head of a government institution or their delegate to ensure every reasonable effort is made to assist requesters in connection with the request, to provide complete, accurate, and timely responses to requests under the Act. Furthermore, 4.2.6 of the Directive requires employees of government institutions to make every reasonable effort to respond to requests within the timelines prescribed in the Act, including taking extensions in accordance with the Act. While these policy requirements do not amend the legislative timelines, they impose timely access to personal information.

    7.1.1 Calculation of statutory deadline

    The 30‑day timeline prescribed in section 14 of the Act are calendar days, as provided for in the Interpretation Act. The timeline is counted from the first day following receipt of a complete personal information request to the institution’s Access to Information and Privacy (ATIP) office. If the deadline falls on a weekend or on a holiday, the deadline for response, extension or other action becomes the next day, as per sections 26 and 35 of the Interpretation Act.

    When an extension is taken, the deadline is recalculated from the date of receipt of the request rather than from the original deadline.

    Example

    A request is received on November 23. The 30th day falls on Saturday, December 23. The next day that is not a holiday is December 27, which becomes the deadline, and the institution has 34 calendar days to process the request. When a 30‑day extension is taken, the new deadline is calculated from November 23 (30 + 30 days), and the 60th day falls on January 22 of the next calendar year.

    Top of Page

    7.2 Extension of time limits

    The 30‑day time limit set in section 14 of the Privacy Act is subject to section 15 of the Act. In particular, paragraph 15(a) of the Act allows the head of a government institution to extend the original time limit by a maximum of 30 days under the following circumstances:

    • meeting the original time limit would unreasonably interfere with the operations of the government institution, or
    • consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit

    In addition, paragraph 15(b) of the Act allows the head of a government institution to extend the time limit for such a period of time as is reasonable if additional time is necessary for the purposes of translating the information or converting the information into an accessible format.

    The institution is not required to consult or obtain the requester’s consent when deciding whether to extend the statutory deadline. The institution is required to examine the circumstances and context of each request.

    More than one extension may be taken, provided each extension is taken within the original 30‑day time limit and does not exceed the maximum time limit under paragraph 15(a) of 30 days.

    Unlike the process for extensions taken under Access to Information Act, the Office of the Privacy Commissioner (OPC) is not carbon copied in the extension notices.

    Example

    An institution takes an extension under subparagraph 15(a)(i) on day 7 when the office of primary interest informs the ATIP office that the request is for a large number of records and the search will require many days. A second extension is taken on day 15 to accommodate the translation of the material into the requester’s preferred language.

    As per subsection 4.2.5 of the Directive, employees of government institutions are required to advise ATIP officials at an early stage if a request cannot be responded to within the legislated 30‑day time frame. This is in coordination with the requirement in 4.1.20 of the Directive in which heads or their delegates are required to assess, without undue delay, each request received under the Act to determine if an extension is needed. ATIP officials may wish to communicate with the requester if they are advised by the program area that the request has a large volume of pages or requires consultations. There may be opportunities to narrow or clarify the scope of the request to facilitate processing. If the request requires clarification, it may be placed on hold. For more information on holds, please refer to Chapter 6.

    7.2.1 Reasons for extension

    a) Subparagraph 15(a)(i): unreasonable interference with operations

    Subparagraph 15(a)(i) of the Privacy Act provides for an extension if meeting the original time limit would unreasonably interfere with the operations of the government institution. Both the words “unreasonably” and “interfere” are terms that may be interpreted according to the circumstances and the context of each specific request.

    Generally, interference with the institution’s operations may be considered unreasonable if processing the request within 30 days would require the following:

    • a transfer of resources from institution’s operations to the ATIP office
    • monopolizing a significant portion of the resources of the office of primary interest to the detriment of its core functions, or
    • using such a high proportion of the resources of the ATIP office that it would have a significant negative impact on the processing of other requests.

    When completing their annual report to Parliament, an institution will need to classify their extension for reporting purposes under one or more of the following circumstances:

    • further review is required to determine whether information should be exempted under sections 18–28 of the Privacy Act (interwoven information)
    • there is a large volume of pages related to the request
    • the institution is experiencing a large volume of requests
    • the documents are difficult to obtain

    Institutions should document their justification for the extension and demonstrate that, in light of the circumstances, it would have been unreasonable to devote the time and resources necessary to meet the original time limit. Should there be a complaint, the OPC may consider whether an institution has adequately funded its ATIP office and the steps the institution took to address resource shortfalls when assessing the justification for the extension.

    Emergency situations

    There is no provision in the Act that allows the statutory time limits to be extended in emergencies, even in extraordinary situations that significantly interrupt operations. The impact of an emergency on the institution’s operations cannot be used as the sole basis for taking an extension under subparagraph 15(a)(i) of the Privacy Act. However, if fulfilling the request in the original time limit would unreasonably interfere with the operations of the government institution because the emergency already had an adverse effect on operations, an extension may be considered.

    b) Subparagraph 15(a)(ii): consultations necessary

    For the purposes of subparagraph 15(a)(ii) of the Act, “consultation” refers to consultations undertaken within a government institution, or with other government institutions or other levels of government. Although personal information requests do not regularly contain Cabinet confidences, such documents are an example of when an institution may need to extend the time limit for responding to a request.

    An extension under subparagraph 15(a)(ii) of the Act may also be justified when an institution must seek legal advice in order to resolve issues related to the processing of a request. However, extensions should not be taken to cover an institution’s routine approval process.

    It is also a best practice to obtain, where feasible, an agreed upon response time from the party consulted, whether an internal or external consultation when taking an extension under subparagraph 15(a)(ii) of the Act.

    When completing their annual report to Parliament, an institution will need to classify their extension for reporting purposes under one or more of the following circumstances:

    • Cabinet confidences
    • the request requires significant consultations with external organizations (such as third parties or provincial/territorial governments)
    • the request requires significant consultations within the institution or with other federal institutions
    c) Paragraph 15(b): translation and conversion

    An extension under paragraph 15(b) of the Act may be claimed if additional time is necessary for the purposes of translating the information or converting the information into an accessible format.

    7.2.2 Length of extension

    As noted above, paragraph 15(a) of the Act allows the head of a government institution to extend the initial period by a maximum of 30 days under select circumstances.

    Extensions should be based on the amount of work required to process a request and be for as short a time as possible. Their length should be assessed on a case-by-case basis wherein the volume and complexity of the information for that specific request is taken into consideration. This approach avoids determining the length of an extension based on only such predetermined factors, such as the average response time taken by an institution consulted in the past. They should also consider the ability to undertake multiple tasks in overlapping time frames, such as conducting consultations and reviewing the requested information. Applicable factors to consider in determining the length of an extension are provided in subsection 7.2.3 of this chapter.

    The Federal Court of Appeal has indicated that “it is not enough for a government institution to simply assert the existence of a statutory justification for an extension and claim an extension time of its choice. An effort must be made to demonstrate the link between the justification advanced and the length of the extension taken.”Footnote 1 While the Privacy Act was not directly in question in this decision, the provisions of the Access to Information Act at issue are nearly identical to those found in the Privacy Act and the findings remain relevant. In the case of subparagraph 15(a)(i), this means demonstrating that the work required to provide access within any materially lesser period of time than the one asserted would interfere with operations. The same type of rational linkage must be made when invoking subparagraph 15(a)(ii) with respect to necessary consultations. It is important to justify any extension taken regardless of length and to properly record those decisions on file.

    As provided for in paragraph 29(1)(d) of the Act, the Privacy Commissioner can receive complaints from individuals who consider the extension taken to be unreasonable. If the Privacy Commissioner, after an investigation, agrees and finds the extension is unreasonable, the complaint is considered well-founded.

    As per subsection 4.1.23 of the Directive, heads or their delegates must report on the number of and reasons for extensions in the institution’s annual report to Parliament. The Treasury Board of Canada Secretariat collects statistical data on the length of extensions for the following categories:

    • 1 to 15 days
    • 16 to 30 days
    • 31 days or greater

    Paragraph 15(b) of the Privacy Act refers to the extension of the time limit as “such period of time as is reasonable” for translation and conversion. In each case, the head of the institution or their delegated representative must exercise judgment, for the Act does not stipulate a specific time frame other than that it be “reasonable.” Accordingly, where additional time is required for translation or for converting the information into an accessible format, a reasonable period of time is allowed. Institutions should consider releasing the untranslated or unconverted personal information as soon as possible and advise the requester that the translated or converted version will be provided when available.

    Note that if the extension taken is not long enough and the institution does not complete the request within the extended time limit, the request is deemed to have been refused by virtue of subsection 16(3) of the Act. Information on deemed refusals is provided in subsection 7.3 of this chapter.

    7.2.3 Procedures

    The following is recommended when dealing with extensions:

    • Institutions should assess all requests as soon as possible after receiving them and, if necessary, give notice of a written explanation to the requester within 30 days of receipt of the request of the reasons for an extension.

    Subsection 4.1.20 of the Directive requires heads or their delegates to assess, without undue delay, each request received under the Act to determine if an extension is needed for processing the request. They are to be assisted by employees of government institutions, who are required by 4.2.5 of the Directive to advise ATIP officials at an early stage if a request cannot be responded to within the legislated 30‑day time frame.

    Factors that may be considered when deciding whether an extension is needed and the length of the extension include the following:

    • scope and complexity of the request
    • volume of personal information requested
    • number of files that must be searched to find the requested personal information and where the files are located, if not electronically
    • level of interference with the institution’s operations
    • number and complexity of consultations required with employees of the institution and external organizations, such as offices of primary interest, other institutions or other levels of government
    • whether additional consultations or notification may be required depending on the outcome of the consultations undertaken

    When extending under subparagraph 15(a)(ii) of the Act, it is a best practice to contact the institution, the individual or the organization being consulted to obtain an agreed-upon response time from that institution, individual or organization.

    If the personal information requested is of interest to another institution, organization or individual, consultations should be undertaken only if additional information is required to exercise discretion effectively or the processing institution intends to disclose potentially sensitive information, as per 4.1.24 of the Directive. As per 4.1.25 of the Directive, institutions are to ensure consultation requests from other federal government institutions are processed with the same priority as the personal information requests made to their own institution.

    An extension cannot be taken when more than 30 days have passed since the request was received.

    1. If access cannot be provided within the statutory time limit, the institution should inform the requester that the time limit cannot be met, indicate when access will be given, and advise the requester of the right to file a complaint with the Privacy Commissioner about the extension.
    2. When requests contain similar or related information and are made to more than one institution, the personal information should be carefully examined to ensure that if redactions are applied, they are done so consistently across all requests.
    3. Keep requests open until all consultations have been received and a formal notice, as discussed in subsection 7.2.4 of this chapter, has been provided to the requester.

    Example

    An institution holds personal information that is of interest to several institutions, such as personal information relating to a sensitive security issue under investigation that concerns Public Safety Canada, the Royal Canadian Mounted Police and the Canadian Security Intelligence Service. The request is 750 pages total.

    The institution informs the requester in writing that the request is extended for an additional 30 days under subparagraph 15(a)(i) – unreasonable interference with operations (large volume of pages), and subparagraph 15(a)(ii) – consultations necessary (consultations with other federal institutions) and provides the new legislative due date for the response.

    Prior requests may be used to inform the time required to complete the processing of the request. The institution may have some insights, for example, of how long it normally takes to complete this type of consultation with this specific institution or for this volume of records. That said, previous requests, if used, should not be the standalone deciding factor, but rather part of a set of assessment criteria that also considers the volume and complexity of the information at issue. In the scenario above, the institution needs additional processing time based on the volume of the request. The institution also needs to be provided with additional information from the consulting institutions on the status of the investigation and if the release of the information would be injurious to the conduct. Although the request is not identical, similar requests have taken the other institutions 20 days to complete, and the ATIP analyst assigned to the request confirmed the processing time in advance of sending the consultation. These 20 days, combined with large volume of pages, leads the ATIP analyst to believe that an additional 30 days are required to complete the request.

    7.2.4 Notice to the requester

    When, based on the factors identified in subsection 7.2.3 of this chapter, an institution extends the time limit, section 15 of the Privacy Act requires that the institution give written notice of the extension to the requester within the original 30‑day time period. To fulfill this requirement, the necessary elements for this notice are described in 4.1.20 to 4.1.23 of the Directive. Institutions should assess without undue delay all access requests received and if an extension is needed for processing a request, notify the applicant of the extension within 30 days of the request’s receipt.

    Model letters are available in Annex A of this Manual. If an institution chooses to develop their own letter, note that it must contain the following:

    If more than one extension is taken, the institution has the option to inform the requester in the same notice or under separate cover.

    Model written explanations for delays in fulfilling personal information requests

    The following model explanations are provided as a resource. Institutions are encouraged to use these model explanations as basis for correspondence with requesters, or to adapt them as appropriate. Even when using these model explanations, heads of institutions remain responsible for ensuring that any extension falls within the reasons specified in section 15 of the Act. The use of model explanations also does not impact the right of requesters to complain to the OPC.

    Circumstances Proposed written explanation Subsection of the Privacy Act

    Further review is required to determine whether information should be exempted under sections 18–28 of the Privacy Act.

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because the records containing your personal information also include other sensitive information. We will need to review the records to protect the privacy of others and to protect other information that cannot be released.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    There is a large volume of pages related to the request

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the volume of records associated with your request. We will need to locate, retrieve and review a large number of records.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The institution is experiencing a large volume of requests

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the high volume of requests currently being processed by our institution.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The documents are difficult to obtain

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request as some of the records you requested are currently difficult to obtain because [records have been archived, records are in storage, records are not available electronically, records are stored in backup tapes, we will need to compile records from multiple locations, or your request covers a significant time period].

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The request requires significant consultations with external organizations

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult with external organizations such as provincial or territorial governments.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires significant consultations within the institution or with other federal institutions

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult within our institution or with other federal institutions.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires translation or conversion

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to translate the records you requested or convert the records into another format in order to facilitate your access to your personal information.

    This extension is in accordance with paragraph 15(b) of the Privacy Act.

    15(b)
    Top of Page

    7.3 Deemed refusal

    Subsection 16(3) of the Privacy Act states that when a government institution fails to give access to personal information within the time limits set out in the Act (30 calendar days or the length of time taken under an extension), the institution is deemed to have refused access. This situation is commonly referred to as a deemed refusal.

    To clarify further, if no extension has been taken under section 15 of the Privacy Act and a response was not given, an institution is deemed to have refused access on the 31st day after a request was received (unless it falls on a weekend or a holiday). If an extension was taken, an institution is deemed to have refused access if it did not respond by the end of the extended deadline.

    When a request is in a deemed refusal state, the requester may file a complaint with the Privacy Commissioner about the refusal of access. On a parallel issue in the closely related Access to Information Act, the potential consequences of a deemed refusal were reviewed by the Federal Court of Appeal in the decision Canada (Information Commissioner) v. Canada (Minister of National Defence), Docket A-785-96. The Court found that once a request is deemed to have been refused, the Commissioner has the power to conduct an investigation to determine the merits of the refusal to provide access. The Court stated as follows:

    In the instant case, as soon as the institution failed to comply with the time limit, the Commissioner could have initiated his investigation as if there had been a true refusal. He does have powers to investigate, including, at the beginning of an investigation, the power to compel the institution to explain the reasons for its refusal.

    In the decision Statham v. Canadian Broadcasting Corporation, 2010 FCA 315, the Federal Court of Appeal confirmed that there is no distinction between a true refusal and a deemed refusal.

    In the decision Information Commissioner of Canada v. Canada (Minister of National Defence) 2015 FCA 56, the Federal Court of Appeal stated that the validity of an extension of time to respond to an access to information request may be judicially reviewed.

    When a request is in deemed refusal, the institution has not forfeited their right to refuse disclosure and must continue to process the request and provide a response to the requester. The decision Murchison v. Export Development Canada, 2009 FC 77, the Court found that the information did not have “to be disclosed merely because the institution failed to assert an exemption within the 30‑day period.”

    There is additional information on the effect of deemed refusals in Chapter 12 of this manual.

    While these decisions do not provide rulings directly on the Privacy Act, the findings are on the closely related Access to Information Act, and the provisions at issue are similar to those found in the Privacy Act on the same subject.

    Top of Page

  • Chapter 8 – Request for correction and notation

    Date updated: 2023-09-20

    8.1 Request for correction and notation

    Subsection 12(2) of the Privacy Act (the Act) provides that an individual who has been given access under paragraph 12(1)(a) of the Act to personal information that has been used, is being used, or is available for use for an administrative purpose may request correction of the personal information where the individual believes there is an error or omission therein.

    Section 11 of the Regulations describes the procedures to be followed by the requester and government institutions, as explained in section 8.4 of this chapter.

    Information about requests to delete personal information can be found in the Privacy Practices Manual (to be published). Institutions may wish to consult with their records management officials for advice on information that must be retained or transferred to Library and Archives Canada and on what information may be destroyed.

    Top of Page

    8.2 Policy Requirements

    8.2.1 Responsibilities of heads of government institutions or their delegates

    The responsibilities for heads of government institutions or their delegates concerning the correction and notation of personal information are as follows:

    • Under section 4.2.25 of the Policy on Privacy Protection, to establish effective processes and systems to respond to requests under the Act. This applies to both requests for access as well as requests for correction;
    • Under section 4.1.32 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive), to establish a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented;
    • Under section 4.1.33 of the Directive, to document any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose.
    • Under section 4.1.34 of the Directive, to notify the individuals, and any public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information; and
    • Under section 4.1.35 of the Directive, to notify requesters of their right to complain to the Privacy Commissioner in respect of requests for correction of personal information.

    It is recommended that procedures for processing correction requests be made available to the public.

    8.2.2 Responsibilities of executives and senior officials

    The Directive on Privacy Practices assigns the following responsibilities related to the correction of personal information to executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information:

    • Under section 4.2.10.5, to notify the individual whose personal information is collected directly of the right to request the correction of personal information under the Act;
    • Under section 4.2.19, to ensure that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision is made that could have an impact on them; and
    • Under section 4.2.28.3, to ensure, when personal information is transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that rights of individuals to access and correct their personal information are maintained after the transfer.
    Top of Page

    8.3 Decision to grant or refuse the request for correction

    The decision whether to grant or refuse a request for correction is made on a case-by-case basis.

    The request is usually granted when the personal information consists of factual information that was originally supplied by the individual concerned, or when the individual provides documentary evidence to support the correction.

    When the correction will affect an administrative decision concerning the individual (e.g., their eligibility for a benefit), documentary evidence provided to support the correction should be the same as the evidence required when the information was originally collected.

    As a general rule, a request for correction of an opinion is usually accepted if the requester was the source of the opinion and the opinion does not concern any other individual. In general, corrections are not made to opinions given by other individuals about the requester except where there are reasons to suspect the reliability of the source of the opinion, or the requester established that the original opinion was based on incorrect information. When this is not the case, the individual is informed of the difficulty in reassessing the validity of an opinion, and a notation is made giving the requester’s views on the matter.

    Top of Page

    8.4 Procedures

    As mentioned previously, Section 11 of the Regulations describes the procedures to be followed by the requester and by government institutions, which this section outlines.

    8.4.1 Procedures to be followed by the requester

    Following receipt of their request under 12(1)(a), the requester must send a subsequent request for correction to the appropriate officer of the government institution that has control of the personal information. The requester may fill out a Record Correction Request Form (TBS/SCT 350-11) in respect of each personal information bank that contains the information to be corrected, or may send a signed letter that contains all information requested in the form. The requester should include copies of the documentary evidence that can be used to establish the validity of the requested correction, including citing the file number for the previously processed personal information request.

    8.4.2 Procedures to be followed by the government institution that received the request for correction

    When the request for correction is granted, the head of the government institution must, within 30 days of receiving the request:

    • Notify the requester that the correction has been made;
    • Notify any person or body to whom the information was disclosed within the two years preceding the date that the request for correction was received that the correction has been made; and
    • Notify the appropriate officer of any other government institution to which the information was disclosed within the two years preceding the date that the request for correction was received that the correction has been made, and that the officer is required to make the correction on every copy of the personal information under the control of that institution.

    The notice to the requester should include a list of the persons, bodies and government institutions that were notified of the correction made.

    When a request for correction is refused in whole or in part, the head of the government institution must, within 30 days of receiving the request:

    • Attach a notation to the personal information reflecting that a correction was requested but was refused in whole or in part;
    • Notify the requester that:
      • The request for correction was refused in whole or in part and give the reasons for the refusal;
      • A notation reflecting that a correction was requested and refused in whole or in part has been attached to the personal information; and
      • The requester has the right under the Act to make a complaint to the Privacy Commissioner;
    • Notify any person or body to whom the personal information was disclosed in the two years preceding the date that the request for correction was received that a notation has been attached to the personal information; and
    • Notify the appropriate officer of any other government institution to which the information was disclosed within the two years preceding the date that the request for correction was received that a notation has been attached to the personal information, and that the officer is required to attach such a notation to every copy of the personal information under the control of that institution.

    The notice to the requester should include a list of the persons, bodies and government institutions that have been notified of the attachment of the notation.

    8.4.3 Procedures to be followed by a government institution that receives a notice that a correction was made or refused in whole or in part

    When a government institution receives a notice from another government institution that a correction or notation has been made, the institution receiving the notice must correct or annotate every copy of the personal information under the control of the institution without delay.

    Top of Page

    8.5 Incorporating corrections and notations

    In many cases, corrections can be made by changing the particular information within a record; notations can also be made by adding to the record. In circumstances where this is not possible (e.g., certain electronic records), the accepted method is to store the correction or notation in such a way that it is retrieved with the original information (e.g., a flag on an electronic file or a notice attached to a paper file). In all cases, corrections and notations must be stored in a manner that will ensure that they are retrieved and used whenever the original personal information is used for an administrative purpose.

    Institutions should incorporate corrections or notations in a way that will be seen and therefore used by the person having to make a decision about an individual. That includes notifying individuals and private or public organizations that use the information to make a decision on the individual concerned. In other words, whatever method is used, the correction or notation should be simple to retrieve.

    Top of Page

  • Chapter 10 – Specific exemptions and section 33 of the Privacy Act

    Date updated: 2024-01-12
    ATI Manual Cross-reference

    Preamble

    This chapter covers the mandatory and discretionary exceptions to the right of access described in sections 18 to 28 of the Privacy Act. It also explains other grounds for refusing access to representations found in section 33 of the Privacy Act. Where appropriate, the most recent and relevant case law is cited, and excerpts are sometimes reproduced. When reviewing jurisprudence as part of their analysis, institutions may wish to consult their legal counsel. Please keep in mind that decisions of higher courts take precedence. For additional guidance on the general principles and nature of exemptions, please refer to Chapter 9 [pending]. TBS prepares annually a summary of key court decisions related to the Access to Information Act and the Privacy Act that may provide additional guidance on exemptions.

    Exception Title or description Mandatory Discretionary Class Injury
    Subsection 18(2) Exempt banks No Yes Yes No
    Subsection 19(1) Personal information obtained in confidence Yes Nochapter 10 table 1 note ** Yes No
    Section 20 Federal-provincial affairs No Yes No Yes
    Section 21 International affairs and defence No Yes No Yes
    Paragraph 22(1)(a) Law enforcement and investigation: personal information was obtained or prepared by an investigative body in the course of an investigation No Yes Yes No
    Paragraph 22(1)(b) Law enforcement and investigation: Injurious to the enforcement of law No Yes No Yes
    Paragraph 22(1)(c) Law enforcement and investigation: injurious to the security of penal institutions No Yes No Yes
    Subsection 22(2) Policing services for provinces or municipalities Yes No Yes No
    Section 22.1chapter 10 table 1 note * Information obtained by Privacy Commissioner Yes No Yes No
    Section 22.2chapter 10 table 1 note * Public Sector Integrity Commissioner Yes No Yes No
    Section 22.3 Public Servants Disclosure Protection Act Yes No Yes No
    Section 22.4chapter 10 table 1 note * Secretariat of National Security and Intelligent Committee of Parliamentarians Yes No Yes No
    Section 23 Security clearances No Yes Yes No
    Paragraph 24(a) Individual sentenced for an offence: disrupt the parole or statutory release No Yes Yes No
    Paragraph 24(b) Individual sentenced for an offence: information obtained in confidence No Yes Yes No
    Section 25 Safety of individuals No Yes No Yes
    Section 26 Information about another individual Yes Nochapter 10 table 1 note ** Yes No
    Section 27 Protected information: solicitors, advocates and notaries No Yes Yes No
    Section 27.1 Protected information: patents and trademarks No Yes Yes No
    Section 28 Medical record No Yes No Yes

    Chapter 10 Table 1 Notes

    Chapter 10 Table 1 Note 1

    The exemption can only be claimed by the government institutions named in the provision.

    Return to chapter 10 table 1 note * referrer

    Chapter 10 Table 1 Note 2

    Where discretion is authorized.

    Return to chapter 10 table 1 note ** referrer

    10.1 Section 18: Exempt banks

    10.1.1 Exemption of personal information contained in an exempt bank

    Subsection 18(1) of the Privacy Act (the Act) provides that the Governor in Council may, by order, designate as exempt certain personal information banks that contain files, all of which consist predominantly of personal information described in section 21 (international affairs and defence) or section 22 (law enforcement and investigation) of the Act.

    The term “predominantly”means that more than half the information in each file qualifies for exemption under section 21 or section 22.

    As of November 2023, there were four orders that designate exempt banks:

    Subsection 18(2) of the Act provides that a government institution may refuse to disclose any personal information that is contained in an exempt bank. This is a discretionary exemption based on a class test. Although personal information in an exempt bank will almost certainly be exempted, the head of the institution has the discretion to disclose.

    When a government institution discloses personal information contained in an exempt bank to another government institution, the other institution cannot claim subsection 18(2) to exempt that personal information unless it also has an exempt bank for that type of information. This does not mean that the other institution must automatically disclose the personal information pursuant to a request, but rather consider which other exemption provisions apply in place of 18(2).

    Top of Page

    10.1.2 Requirements of section 16 of the Privacy Act when applying section 18

    In some instances, an institution may wish to neither confirm nor deny the existence of a record by invoking subsection 16(2) of the Privacy Act.

    The Federal Court conducted a detailed and thorough analysis of the provisions of the Privacy Act and exempt information banks in Dzevad Cemerlic MD v. Canada (Solicitor General) 2003 FCT 133. The Court stated that section 18 does not give a government institution the power to adopt a policy of refusing to confirm or deny the existence of information in an exempt bank. In order to invoke such a policy, a government institution must rely on subsection 16(2). Adopting this type of policy is justified when revealing the existence or non-existence of information would in itself be an act of disclosure. Citing the decision Zanganeh v. Canada (Canadian Security Intelligence Service), [1989] 1 F.C. 244 (T.D.), and a similar position reaffirmed in Westerhaug v. Canadian Security Intelligence Service, 2009 FC 321, the Federal Court stated that another circumstance that would justify the adoption of this type of policy is where “the very acknowledgment of the existence of any information in the bank, whether or not such information exists, can—and certainly would—compromise the security of Canada by providing a referential insight, a chink in the armour of secrecy which the Canadian service must maintain[...].”The Court found that the Canadian Security Intelligence Service acted reasonably in adopting a uniform policy of neither confirming nor denying the existence of information in exempt bank 045. (Exempt bank 045, which is no longer in use, had contained information on individuals who are or were under investigation by the Canadian Security Intelligence Service on the suspicion that they have been involved in activities that constitute a threat to the security of Canada.)

    Care and consideration should be made to ensure that there is no acknowledgement of the existence of information while processing a request. A requester could infer the existence of information if, for example, the institution takes an extension for interference with operations (further review required to determine exemptions or large volume of pages) or to undertake consultations. In the case of Ternette v. Canada (Solicitor General) (T.D.), [1992] 2 FC 75, an inadvertent public admission of the existence of information necessitated a further review of material maintained in exempt bank and portions of personal information were released to the applicant.

    Top of Page

    10.2 Section 19: Personal information obtained in confidence

    10.2.1 Exemption of personal information obtained in confidence

    Subsection 19(1) is intended to protect the federal government’s ability to obtain personal information from other governments. It gives assurance to other levels of government that they will retain control over the disclosure of information they provide to the federal government on a confidential basis.

    Under this exemption, the head of a government institution must refuse to disclose any personal information obtained in confidence from the following, collectively referred to as the source listed in the exemption:

    “(a) the government of a foreign state or an institution thereof”

    Examples include the United States (a foreign state) and the Internal Revenue Service (an institution of the United States). The exemption does not include personal information obtained from constituent parts of foreign states, for example, the state of New York.

    “(b) an international organization of states or an institution thereof”

    An “international organization of states”means any organization with members representing and acting under the authority of the governments of two or more countries. Examples are the United Nations, the North Atlantic Treaty Organization (NATO) and the International Monetary Fund. Examples of institutions of an international organization of states are the United Nations Children’s Fund (UNICEF) and the World Health Organization, which are agencies of the United Nations.

    “(c) the government of a province or an institution thereof”

    This includes the governments of Canada’s 10 provinces and the three territories and their ministries, departments and agencies.

    “(d) a municipal or regional government established by or pursuant to an Act of the legislature of a province or an institution of such a government”

    This includes the governments of municipalities created by legislation and by regulations.

    “(e) the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act

    “(e.1) the Whitecap Dakota Government, as defined in section 2 of the Self-Government Treaty Recognizing the Whitecap Dakota Nation / Wapaha Ska Dakota Oyate Act

    “(f) the council of a participating First Nation as defined in subsection 2(1) of the First Nations Jurisdiction over Education in British Columbia Act.”

    “(g) a First Nation Government or the Anishinabek Nation Government, as defined in section 2 of the Anishinabek Nation Governance Agreement Act, or an Anishinaabe Institution, within the meaning of subsection 1.1 of the Agreement, as defined in section 2 of that Act.

    Top of Page

    10.2.2 Application

    Three requirements must be met for subsection 19(1) to apply:

    1) The personal information must have been obtained “in confidence.”

    The term “in confidence”is usually applied to information obtained on an understanding that it must remain confidential, that is, the information is not available for dissemination beyond those individuals within the government institution that have a need to know the information. Information may be obtained in confidence explicitly or implicitly.

    Information is “explicitly”provided in confidence when the government or governmental agency or organization providing the information expressly requests or indicates that the information must be kept confidential. The intention to provide information in confidence can be stated in the record, an agreement or a verbal request. Practically speaking, it is advisable to note within the written records of a verbal request.

    Information is “implicitly”provided in confidence when an intention that the information be treated as confidential can be implied from the circumstances in which it was provided, for example, from past practices followed with respect to such information, policies and so on.

    The Directive on Privacy Practices requires that when sharing personal information, government institutions must prepare an information sharing agreement to ensure appropriate privacy protections are in place. In other words, a written record of understanding between government parties outlines the terms and conditions under which the personal information is shared between the parties. To assist institutions in this regard, the Treasury Board of Canada Secretariat has published the Guidance on Preparing Information Sharing Agreements Involving Personal Information.

    Copies of personal information received in confidence by a government institution may be found in the files of one or more government institutions. All copies of the information supplied in confidence must be protected from disclosure.

    The following are examples of personal information obtained in confidence from a specified level of government:

    • personal information obtained by the Canadian Security Intelligence Service from municipal police forces
    • personal information from INTERPOL concerning individuals suspected of being a threat to the security of Canada

    2) The personal information must have been obtained “from” another government or an international organization of states or an institution thereof.

    3) The personal information must have been obtained from “another government or an international organization of states or an institution thereof.”

    For the information to be “obtained,”it must be acquired from one of the sources within the categories set out in paragraphs (a) through (g).

    It does not matter whether the record originates from the Government of Canada or from a body described in subsection 19(1) as long as the personal information it contains was supplied by a body described in subsection 19(1). Therefore, the exemption may be invoked when the disclosure of information in a record originating from the Government of Canada would reveal personal information received from a body described in subsection 19(1), for example, if a province gathered information from CBSA, combined it with its own information, and shared it with a government institution.

    Top of Page

    10.2.3 Time limitation

    There is no time limit for the application of subsection 19(1). In other words, the exemption applies irrespective of the age of the records.

    Top of Page

    10.2.4 Permissible disclosure

    Subsection 19(2) of the Act provides that the head of a government institution may disclose any personal information described in subsection 19(1) if the government, organization or institution from which the information was obtained:

    • (a) consents to the disclosure; or
    • (b) makes the information public.

    This subsection gives some flexibility to government institutions in dealing with requests for access to personal information given in confidence. In applying subsection 19(1), government institutions must consider the exercise of this discretion to disclose. In the decision Ruby v. Canada (Solicitor General) (C.A.), [2000] 3 FC 589, reviewed on other grounds in 2002 SCC 75, the Court of Appeal stated that to properly apply the exemption, the head of a government institution must make a reasonable effort to seek the consent of the foreign government that provided the information. That said, the Court added that it is not necessary for a government institution to seek consent if it is acting according to an established protocol that respects the spirit and the letter of the legislation. For example, there are factors for and against seeking consent later in this section that institutions may use to develop procedures or protocols.

    This interpretation of the exemption was further emphasized in Layoun v. Canada (Attorney General), 2014 FC 1041, at paragraphs 51 to 53. In this section 41 Application, the applicant had submitted a request for access to their personal information contained in his Preventive Security File. The respondent refused disclosure of most of the information based on the exemptions found in paragraphs 19(1)(c), 19(1)(d), 22(1)(a), 22(1)(c) and section 26 of the Privacy Act. The Court wrote, “The Federal Court of Appeal has held that seeking consent under that subsection is subject to practical considerations, and government institutions may make protocols to deal with the process of seeking consent.[...] Those protocols must respect the nature of the Privacy Act. The onus is only to make ‘reasonable efforts’ to seek consent.”The Court found that “the correspondence in the Respondent’s authorities from the Montreal Police Service indicates that consent to disclose the records would have been withheld if sought. Those considerations, along with concerns about security and safety, indicate that [Correctional Service Canada] reasonably exercised its discretion to refuse disclosure and it acted reasonably in not seeking the consent of the relevant third parties.”

    For institutions that regularly have information that is obtained in confidence from one of the sources within the categories set out in paragraphs (a) through (g), they may wish to develop internal procedures to establish common scenarios and build rationales to support their exercise in discretion under paragraph 19(2)(a).

    Factors for seeking consent may include:

    • the subject of the information obtained that has been made public
    • the age of the information
    • the routine nature of the personal information or if its context is not sensitive

    Factors against seeking consent may include:

    • international affairs:
      • the information was obtained from the source listed in the exemption but contains subject matter about another organization provided in confidence
      • the information was not obtained from the requester’s country of origin but rather it was provided by a different source listed in the exemption, such as NATO
      • there are international conventions in motion, such as the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters
      • the source does not have similar access or privacy legislations and therefore no infrastructure to accept consultations
    • Intelligence, defence and security:
      • the personal information relates to the commission of an offence
      • if released, the personal information may cause harm to the individual
      • may be related to extradition treaties

    However, even if the conditions set out in subsection 19(2) are met, an institution may still withhold personal information given in confidence by one of the sources within categories set out in paragraphs (a) through (g). This was confirmed in Do-Ky v. Canada (Minister of Foreign Affairs and External Trade) (T.D.), [1997] 2 FC 907, reviewed on other grounds in [1999] F.C.J. No. 673 (QL) (FCA) Docket A-200-97, where the Federal Court stated that subsection 13(2) of the Access to Information Act (ATIA) (which is equivalent to subsection 19(2) of the Privacy Act) does not require the release of records containing information that has been made public. Subsection 13(2) of the ATIA simply offers the possibility of disclosing documents that might otherwise be exempted by subsection 13(1). The Court cautioned: “In the general structure of the scheme however, if those documents are not to be released, the head of the government institution must be able to give reasons justifying the decision not to release.”

    The Court also made the following statements:

    the second-party government asked for confidentiality and Canada cannot breach the trust placed in it without suffering considerable harm to its reputation in the international community and ipso factoFootnote 1 to its international relations.[...]

    [...]once a state requests that diplomatic correspondence remain confidential there is no need for the Canadian government to assess the reasons of that country. It is sufficient if they have made the request of the Canadian government. Indeed, it would be a diplomatic lapse were the Canadian government to sit in judgement of the rationale of the foreign state except in the most extreme circumstances.

    Institutions may consider if section 21 (International affairs and defence) of the Act (subsection 10.4) also applies to information that is exempt pursuant to paragraphs 19(1)(a) and (b), and whether section 20 (Federal-provincial affairs) (subsection 10.3) also applies to information that is exempt pursuant to paragraph 19(1)(c).

    Top of Page

    10.3 Section 20: Federal-provincial affairs

    10.3.1 Exemption of personal information related to federal-provincial affairs

    Section 20 of the Actis a discretionary exemption based on an injury test that aims to protect the role of the federal government in its conduct of federal-provincial affairs. To invoke this exemption, a government institution should be convinced that the disclosure of specific personal information could reasonably be expected to be injurious to the conduct, by the federal government, of federal-provincial affairs.

    For the purposes of this exemption, the “Government of Canada”is not restricted to the definition of “government institution”found in section 3 of the Act.

    The broader term encapsulates both departments individually and collectively, in the sense that the release of information by one department could be injurious to the conduct for other departments in their role in federal-provincial affairs.

    The related paragraph 19(1)(c) of the Act exempts information provided in confidence from “the government of a province or an institution thereof.”This is understood to include the governments of Canada’s 10 provinces and the three territories and their ministries, departments and agencies. For section 20 to be applicable, the harm must be to the conduct of the affairs between the government and one or more those institutions listed, but not necessarily the province to which the information relates.

    As noted in subsection 10.2, paragraph 19(1)(c) protects as a class all personal information that a province has supplied in confidence to the federal government. The use of section 20 is restricted to specific personal information, the release of which could be harmful to the conduct, by the federal government, of federal-provincial affairs. Section 20 may apply to information created by the federal government or obtained from other sources, for example, from an agent or a consulting firm provided that the information relates to the conduct of federal-provincial affairs.

    In Information Commissioner v. Prime Minister of Canada, [1993] 1 F.C. 427, the Federal Court ruled that to invoke section 14, the equivalent exemption under the ATIA, the government institution had to meet the “reasonable expectation of probable harm”test and, as such, must be satisfied that releasing the specific information could be damaging or prejudicial to the conduct of, or the federal government’s role in, federal-provincial affairs. The Court held that the alleged harm must be more than speculative and more than possible; the head of the government institution must be able to show that probable or actual harm would result from the disclosure. In fact, to successfully invoke the exemption, the head of the government institution must establish a clear and direct linkage between the disclosure of specific information and the alleged harm. The harm should articulate how the release of the information would hurt or damage affairs, understood to mean matters such as formal negotiations, ongoing relationships and exchanges between government institutions and the provinces.

    It is rare that personal information will be related to federal-provincial affairs. However, any injury regarding federal-provincial affairs is most likely where the federal government is either about to commence or is in the midst of conducting specific negotiations, deliberations or consultations. There may, however, be some types of personal information that continue to be sensitive beyond these formal exchanges. The release of such information could jeopardize the position of the federal government in conducting federal-provincial affairs in the future or seriously affect its relations with one or more provincial governments. Personal information that continues to be sensitive should be protected until it its release can no longer reasonably be expected to cause injury.

    Top of Page

    10.3.2 Consultation

    Access to Information and Privacy (ATIP) offices should consult with the ATIP office of the Privy Council Office before disclosing information pertaining to federal-provincial affairs if they require more information for the proper exercise of discretion or if they intend to disclose sensitive information.

    Top of Page

    10.4 Section 21: International affairs and defence

    10.4.1 Exemption of personal information related to international affairs, defence and national security

    Section 21 of the Act is a discretionary exemption based on an injury test that is intended to protect three general public interest areas where the disclosure could reasonably be expected to be injurious to the following:

    1. The conduct of international affairs: This includes not only state-to-state affairs, but also commercial, cultural or scientific links established by citizens with counterparts in other countries.
    2. The defence of Canada or any state allied or associated with Canada: An “allied state”is one with which Canada has concluded formal alliances or treaties. An “associated state”is a state with which Canada may be linked for trade or other purposes outside the scope of a formal alliance.
    3. The detection, prevention or suppression of subversive or hostile activities: Thisexemption protects specific types of information pertaining to the security of Canada.

    These three general areas of public interest can be considered independently even though they are closely and intimately interrelated and frequently overlap.

    Top of Page

    10.4.2 Definitions

    Section 21 incorporates by reference subsections 15(1) and 15(2) of the ATIA, which are essential for interpreting and applying this exemption.

    Subsection 15(2) of the ATIA defines the terms “defence of Canada or any state allied or associated with Canada”and “subversive or hostile activities.”

    “Defence of Canada or any state allied or associated with Canada”includes, but is not limited to, the efforts of Canada and of foreign states toward the detection, prevention or suppression of activities of any foreign state directed toward an actual or potential attack or other act of aggression against Canada or any state allied or associated with Canada.

    The definition of “subversive or hostile activities”in the ATIA reads as follows:

    • (a) espionage against Canada or any state allied or associated with Canada,
    • (b) sabotage,
    • (c) activities directed toward the commission of terrorist acts, including hijacking, in or against Canada or foreign states,
    • (d) activities directed toward accomplishing government change within Canada or foreign states by the use of or encouragement of the use of force, violence or any criminal means,
    • (e) activities directed toward gathering information used for intelligence purposes that relates to Canada or any state allied or associated with Canada, and
    • (f) activities directed toward threatening the safety of Canadians, employees of the Government of Canada or property of the Government of Canada outside Canada.

    Two of the three public interests mentioned in the introductory paragraph of subsection 15(1) of the ATIA are defined in subsection 15(2). It is important to note that “defence of Canada or any state allied or associated with Canada”is defined non-exhaustively because of the use of the word “includes.”The definition, therefore, does not limit the exemption to the listed types of information. However, the phrase “subversive or hostile activities”is defined exhaustively because of the use of the word “means.”The exemption may be invoked only for the specific activities listed in the definition. Personal information pertaining to other security or intelligence activities, such as security screening, immigration and citizenship vetting, domestic vital points and security inspections, cannot be exempted under this provision unless the information relates to one of the activities outlined in paragraphs 15(2)(a) to (f) of the ATIA or if it is in section 21.

    Top of Page

    10.4.3 Types of information

    Section 21 refers to paragraphs 15(1)(a) to (i) of the ATIAto illustrate the specific types of information that are likely to be covered by the exemption. This list of examples illustrates only the types of information that could give rise to an injury to one of the three specified interests.

    Some of the examples set out in subparagraphs 15(1)(a) to (i) of the ATIA may not apply to personal information (for example, information on the quantity, characteristics, capabilities or deployment of weapons). This, however, does not mean that the disclosure of information about an identifiable individual may never cause the type of injury described in these paragraphs. It is conceivable, for instance, that the disclosure of the fact that an individual with known experience in a specialized field (that is, intelligence, counterterrorism, weapons) is engaged in activity may be sufficient to cause injury to one of the three interests protected by section 21. Care and consideration should be made when information that falls into subparagraphs 15(1)(a) to (i) of the ATIA is interwoven with the personal information requested.

    Paragraphs 15(1)(c) and 15(1)(d) of the ATIA have a higher likelihood of including information about individual persons and are most likely to apply under section 21 of the Privacy Act. They list the following types of information:

    • (c) [any information] relating to the characteristics, capabilities, performance, potential, deployment, functions or role of any defence establishment, of any military force, unit or personnel or of any organization or person responsible for the detection, prevention or suppression of subversive or hostile activities.

    Paragraph (c) deals with defence establishments, military and national security personnel. When examining if the personal information may be released, consideration can be made to the interactions with the establishments and other personnel. Although an individual may be responsible for a piece of equipment, for example, the location and safeguards for it would not be information that could be released. The exemption looks to protect the ability to defend or resist attack, and factual and contextual information could be used to harm or injury the defence of Canada or any state allied or associated with Canada.

    • (d) [any information] obtained or prepared for the purpose of intelligence relating to
      • the defence of Canada or any state allied or associated with Canada, or
      • the detection, prevention or suppression of subversive or hostile activities.

    Paragraph (d) deals with intelligence concerning defence and national security. Information “obtained or prepared for the purpose of intelligence” encompasses both the raw data collected and the refined product or analysis. Intelligence describes information gathered in a covert manner as part of the ongoing efforts to defend, detect, prevent or suppress subversive or hostile activities. The information can relate to an individual or groups of individuals or organizations. Although the information is likely not collected as part of a specific investigation, previous incidents that may result in charges being brought forward on individuals may draw out a need for surveillance. Within intelligence gathering, individuals who are suspected of espionage may be targeted. This is the practice of spying or using individuals to secretly collect and report information on activities and movements of another. Espionage can inform other subversive activities such as sabotage, causing deliberate damage to something; or terrorism, acts of serious violence or activities that incite fear that may be used to coerce government bodies or organization to take or cease certain actions.

    Top of Page

    10.4.4 Application

    The types of information listed in subsection 15(1) of the ATIA will not automatically be exempted under section 21 of the Privacy Act. For the exemption to apply to any category of information described in the provision, the head of a government institution must be able to demonstrate that there is a reasonable expectation of probable harm to one of the three specified public interests flowing from disclosure.

    When invoking section 21, it is not necessary to refer to the specific descriptive paragraph of subsection 15(1) of the ATIA. In the decision Canada (Information Commissioner) v. Canada (Minister of National Defence), [1990] 3 F.C. 22 , the Federal Court stated that “what is required, in the context of section 15, is that the requester be given notice as to whether the reason for refusal is because a disclosure would be (1) injurious to the conduct of international affairs or (2) injurious to the defence of Canada or any state allied or associated with Canada, or (3) injurious to the detection, prevention or suppression of subversive or hostile activities.”

    The following decisions concerning section 15 of the ATIA are helpful in applying section 21 of the Privacy Act.

    In the decision Al Yamani v. Canada (Minister of Citizenship and Immigration), [2000] 3 F.C. 433 (T.D.), the Federal Court characterized “subversive or hostile activities”as activities that “may or may not involve violence and that target Canada or any state allied or associated with Canada. It [the definition] does not distinguish between activities which would be considered subversive as opposed to hostile; rather it lumps together a broad mix of activities ranging from intelligence-gathering to terrorism.”

    In cases where a foreign state has expressed concern and wishes diplomatic notes or correspondence not to be released, this opposition alone is likely sufficient to justify the non-disclosure even when or if parts of the sought information have already been accessed by the requester. In the decision Do-Ky v. Canada (Minister of Foreign Affairs and External Trade), [1997] 2 F.C. 907 (T.D.), the Federal Court made the following statements:

    In assessing the injury to be expected on release of the notes it was proper for the Respondent to consider normal diplomatic practice as this would be the best standard by which to judge probable harm.

    There is no evidentiary burden on the Canadian government to establish that the diplomatic note sent to Canada is not public. The government is not, in these circumstances, asked to prove a negative premise.[...]

    The second-party government asked for confidentiality and Canada cannot breach the trust placed in it without suffering considerable harm to its reputation in the international community and ipso facto to its international relations.

    Once a state requests that diplomatic correspondence remain confidential there is no need for the Canadian government to assess the reasons of that country. It is sufficient if they have made the request of the Canadian government. Indeed, it would be a diplomatic lapse were the Canadian government to sit in judgement of the rationale of the foreign state except in the most extreme circumstances.

    That said, it is important to note that in the decision X v. Canada (Minister of National Defence), [1992] 58 F.T.R. 93 (F.C.T.D.), the Federal Court was of the view that it would be unreasonable to conclude that certain documents dated 1941 and 1942 and related to a time when Canada was engaged in a world war could reveal anything pertinent to the conduct of Canada’s international relations and its national defence 50 years after the fact.

    In the decision Attaran v. Canada (Foreign Affairs), 2011 FCA 182, the issue before the Court was whether the discretion under subsection 15(1) of the ATIA was exercised and, if so, whether the discretion was exercised reasonably. The Federal Court of Appeal held that the evidence before the Court must demonstrate that the decision maker exercised the discretion conferred under subsection 15(1). The burden of proof may fall to the government institution to establish that discretion was exercised in a reasonable manner, particularly in cases where the requester does not have access to the full records and part of the proceedings are in camera.Footnote 2 The Court examined what evidence would be needed to demonstrate that the decision maker exercised their discretion conferred under subsection 15(1). The Court made the following statement:

    Just as the absence of express evidence about the exercise of discretion is not determinative, the existence of a statement in a record that a discretion was exercised will not necessarily be determinative. In every case involving the discretionary aspect of section 15 of the Act, the reviewing court must examine the totality of the evidence to determine whether it is satisfied, on a balance of probabilities, that the decision-maker understood that there was a discretion to disclose and then exercised that discretion.

    The prior public disclosure of the information was identified as a relevant factor to be considered in the exercise of the discretion. Although this may not be true in all cases, the prior public disclosure of information provided an incentive for the exercise of discretion to release the information to the requester.

    Institutions may consider if section 19 (Personal information obtained in confidence) of the Act (subsection 10.2) would also apply to personal information that is exempt pursuant to the equivalent ATIA provision 15(1)(h).

    Top of Page

    10.4.5 Consultation

    It is no longer mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt information under section 21. Section 4.1.24 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive) instructs institutions to carry out inter-institutional consultations only when the processing institution requires more information for the proper exercise of discretion to withhold or only when it intends to disclose potentially sensitive information. When necessary, institutions should consult:

    • Global Affairs Canada when determining whether to exempt or disclose any information that could reasonably be expected to be injurious to the conduct of international affairs;
    • National Defence when determining whether to exempt or disclose any information that could reasonably be expected to be injurious to the defence of Canada or any state allied or associated with Canada; or
    • the government institution having the primary interest, that is, the Canadian Security Intelligence Service, Global Affairs Canada, National Defence, Public Safety Canada or the Royal Canadian Mounted Police (RCMP) when determining whether to exempt or disclose any information that could reasonably be expected to be injurious to the detection, prevention or suppression of subversive or hostile activities.
    Top of Page

    10.5 Section 22: Law enforcement and investigation

    10.5.1 Exemption of personal information related to law enforcement, investigations and security of penal institutions

    Section 22 of the Act contains exemptions that aim to protect the following:

    • effective law enforcement, including criminal law enforcement;
    • the integrity and effectiveness of other types of investigative activities,Footnote 3 for example, ordinary administrative investigations under an Act of Parliament, investigations in regulatory areas, and air accident investigations; and
    • the security of penal institutions.

    Subsection 22(3) of the Act defines the term “investigation”for the purpose of paragraph 22(1)(b), discussed in further detail in subsection 10.5.6.

    Top of Page

    10.5.2 Paragraph 22(1)(a)

    Paragraph 22(1)(a) of the Act is a discretionary class test exemption that protects the integrity of investigations and, more specifically, personal information obtained or prepared in the course of a lawful investigation conducted by an investigative body specified in Schedule III of the Privacy Regulations. This information is protected with a class test because of the difficulty in applying an injury test exemption to law enforcement records when virtually all personal information is of a sensitive nature. ATIP offices may wish to confirm with their Offices of Primary Interest if any of their investigative activities fall within Schedule III. This can assist newer team members to easily recognize if 22(1)(a) or 22(1)(b) may be considered when analyzing records.

    Before the exemption can be claimed, the following three conditions must be met:

    1. The personal information was “obtained or prepared,”meaning it must have been acquired for use by an investigative body listed in Schedule III of the Privacy Regulations.

      This does not mean that only those government institutions or parts thereof that are investigative bodies listed in the applicable schedule may invoke the exemption. Other institutions may claim the exemption, provided that the record meets these conditions.

    2. The personal information was obtained or prepared in the course of a lawful investigation.

      In the decision Canada (Minister of Public Safety and Emergency Preparedness) v. Maydak, 2005 FCA 186, the Federal Court of Appeal held that the term “investigation”as it is used in paragraph 22(1)(a) must be given a broad meaning. “Investigation”should be read in its ordinary sense and includes “the action of investigating; the making of a search or inquiry; systematic examination; careful or minute research.”

      The added precision is that the investigation itself must be sanctioned or not forbidden by law. It does not, however, address the issue of the legality of techniques used in the course of a lawful investigation or the issue of whether evidence has been illegally obtained.

    3. The investigation pertains to:
      1. the detection, prevention or suppression of crime;
      2. the enforcement of any law of Canada or a province; or
      3. activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act.

    Paragraph 22(1)(a) and its subparagraphs apply to personal information obtained in the course of investigations conducted under the Criminal Code or investigations of any other illicit activities prohibited under federal or provincial law, including municipal laws.

    Subparagraph 22(1)(a)(i) refers to crime and applies to investigations undertaken for the purposes of enforcing the Criminal Code.

    Subparagraph 22(1)(a)(ii) refers to investigations of activities prohibited under federal or provincial laws. These activities can include crimes, and so there is some overlap between subparagraphs 22(1)(a)(i) and (ii). The activities referred to in subparagraph 22(1)(a)(ii) are primarily those punishable as offences under federal or provincial law. The term “law of a province”includes municipal laws.

    Subparagraph 22(1)(a)(iii) refers to activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act. The exemption is not limited to information collected by the Canadian Security Intelligence Service, but can be claimed by one of the other investigative bodies listed in Schedule III of the Privacy Regulations provided that the other criteria set out in paragraph 22(1)(a) are met.

    10.5.2.1 Time limitation on paragraph 22(1)(a)

    Paragraph 22(1)(a) applies only to records that came into existence less than 20 years prior to the request. This does not mean that records covered by this exemption must automatically be disclosed pursuant to a personal information request once they are 20 years old. Records that are more than 20 years old automatically fall outside the protection of paragraph 22(1)(a), so paragraph 22(1)(b) can be applied if the test set out in that paragraph is met and if there is still a need to protect them.

    In the decision Fontaine v. Royal Canadian Mounted Police, 2009 FCA 150, the Federal Court of Appeal stated that paragraph 16(1)(a) of the ATIA (which is equivalent to paragraph 22(1)(a) of the Privacy Act) indicated that the 20-year time limit is calculated from the date on which the personal information request is made and not from the date on which that request is subject to a subsequent final decision.

    10.5.2.2 Use of discretion on paragraph 22(1)(a)

    Despite its class nature, paragraph 22(1)(a) is a discretionary exemption. This flexibility is meant to temper the broad nature of the class test, and the head of the institution must exercise discretion in determining whether personal information that falls within the provision may nevertheless be disclosed. If, after balancing the reasons for release and the reasons against release, the head has reasonable cause to believe that the personal information should not be disclosed, they have the discretion to exempt this information. While not an injury-based exemption, institutions may wish to draw on the types of rationales built when protecting information under 22(1)(b) or under 16(1)(c) of the ATIA. For example, institutions can assess how releasing the personal information might be injurious to the enforcement of the law when weighing the factors for or against release, such as the precise methods of how information was obtained in the course of an investigation.

    10.5.2.3 Consultation on paragraph 22(1)(a)

    The exemption under paragraph 22(1)(a) follows the record. In other words, the exemption can be applied by an institution that is not an investigative body listed in the Privacy Regulations provided that the record was prepared by, or at one point came into the hands of, such an investigative body in the course of an investigation of an activity described in paragraph 22(1)(a). For example, Public Safety Canada can claim an exemption under paragraph 22(1)(a) for a report that it holds and that was originally prepared by the RCMP in the course of a narcotics investigation.

    It may be necessary for the processing institution to consult the investigative body that originally obtained or prepared the information when they require more information for the proper exercise of discretion when withholding the information or if they intend to disclose personal information. However, this consultation is not mandatory and should be limited only to circumstances where additional information about the investigation is required, or for additional context about what the individual requesting the personal information may already know.

    Top of Page

    10.5.3 Paragraph 22(1)(b)

    Paragraph 22(1)(b) of the Act is a discretionary exemption based on an injury test that aims to protect law enforcement and investigations. The paragraph provides that a government institution may refuse to disclose personal information that, if disclosed, could reasonably be expected to be injurious to the enforcement of any law of Canada or a province, or to the conduct of lawful investigations. Subparagraphs (i), (ii) and (iii) provide examples of the types of information to which this exemption may apply. The examples specify information:

    • (i) relating to the existence or nature of a particular investigation,
    • (ii) that would reveal the identity of a confidential source of information, or
    • (iii) that was obtained or prepared in the course of an investigation.

    The types of information cited in this provision are illustrative only, and other types of information can qualify for the exemption.

    This exemption may apply to information that is either:

    1. Injurious to the enforcement of any law of Canada or a province: This supplements the class test exemption for law enforcement information found in paragraph 22(1)(a). The exemption can apply to:
      • the enforcement of federal and provincial regulatory legislation prohibiting certain types of activities or behaviour, such as the enforcement of the Hazardous Products Act
      • other types of investigations, such as taxation audits conducted by the Canada Revenue Agency
      • the enforcement of civil law remedies for prohibited activities or behaviour, such as those under the Canadian Human Rights Act
      • personal information that was obtained or prepared outside a specific investigative process, for example, information on detecting tax frauds or on computer programs used in law enforcement
      • personal information that would qualify under paragraph 22(1)(a), except that it came into existence 20 or more years before the request
    2. Injurious to the enforcement of any federal or provincial law or the conduct of a lawful investigation: This protects the integrity and effectiveness of lawful investigations. Although there may be some overlap between the enforcement of any law and the conduct of lawful investigations, they should be treated distinctly, as there may be some information about the enforcement of a law that is not about a lawful investigation.

    Examples include the following:

    • investigations undertaken to determine the cause of an accident but not to lay charges or assess blame for the purposes of a civil remedy
    • investigations into whether a person with a criminal record should be granted a pardon
    • investigations of unacceptable use of electronic networks, harassment complaints or grievances

    Subparagraph 22(1)(b)(ii) may also be claimed to protect the identity of persons who provide confidential information to investigators, as well as information from which their identity could be determined. This applies if the disclosure could impair their candour or willingness to be forthcoming and adversely affect investigative processes. When applying this exemption, however, care must be taken to distinguish between a witness and a confidential source. An identity of a confidential source of information may be revealed, if, for example:

    • name, address, identifying characteristics are disclosed
    • the information lends itself to drawing accurate inferences about the identity of the individual
    • disclosure, in combination with other information, can reveal the identity of the individual

    The type of investigation to which this exemption can be applied is limited in two ways:

    1. The investigation must be lawful.This means that it must not be forbidden by or be contrary to law.
    2. The investigation must come within the definition of the term in subsection 22(3) of the Act. “Investigation”is more fully defined in subsection 10.5.6 of this chapter.

    Other types of activities not specifically authorized by federal law or undertaken for the purposes of administering or enforcing federal law and that are sometimes described as investigative in nature, such as program evaluations, internal audits and other such studies and analyses, would not qualify as investigations under subsection 22(3) and, therefore, could not be exempted under this provision.

    An investigation does not need to be presently ongoing for the exemption to apply. In Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773, the Supreme Court of Canada held that paragraph 22(1)(b) should not be interpreted more narrowly than permitted by the language chosen by Parliament. The Court ruled the exemption to mean that the reasonable expectation of injury to future investigations is a ground for exempting information. The Court also emphasized that “there must be a clear and direct connection between the disclosure of specific information and the injury that is alleged.”The Court stated that “the sole objective of non-disclosure must not be to facilitate the work of the body in question; there must be professional experience that justifies non-disclosure.”

    The decision Canada (Privacy Commissioner) v. Canada (Labour Relations Board), [1996] 3 F.C. 609 (T.D.), affirmed in 2000 CanLII 15487 (FCA) examined the refusal to disclose personal information on the basis that the release of the information would be injurious to the conduct of a lawful investigation by linking the disclosure to the harm, as follows:

    the respondent met the burden placed upon it by paragraph 22(1)(b) and established that disclosure of the notes, by revealing the mental processes and ultimately, the decision-making processes of its members, would compromise its operations. The workings of the [Board] as an adjudicative tribunal called upon to dispose of substantive rights would be impeded to the point that a reasonable expectation of probable harm to the performance of its statutory functions under the Code would result from the requested disclosure. The regulated disclosure of hearing notes under the Privacy Act would take away from the [Board] a tool that is essential to the performance of its duty. If the notes are not exempt from disclosure, any “personal information” contained therein, including all expressions of opinions pertaining to litigants, lawyers and witnesses would, by law, have to be collated and retained in an information bank by the Board for at least two years. That prospect raised a reasonable expectation of probable harm to the performance by the Board of its duties under the Code.

    The decision also raised the issue of control, which is discussed further in Chapter 5 of this manual [pending].

    10.5.3.1 Consultation on paragraph 22(1)(b)

    It is not mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt information under paragraph 22(1)(b). In fact, subsection 4.1.24 of the Directive instructs institutions to carry out inter-institutional consultations with respect to paragraph 22(1)(b) only when the processing institution requires more information for the proper exercise of discretion to withhold or only when it intends to disclose sensitive information.

    Where necessary, government institutions should consult with the investigative body or other government institution having primary interest in the law being enforced or the investigation being undertaken. The investigative body may also advise on any considerations into the applicability of subsection 12(1), where information is not personal in nature but relates instead to investigative techniques. Alternatively, institutions that consistently hold the portions of the personal information may choose to develop internal procedures to verify the status of an investigation to determine if release of the personal information would be injurious.

    10.5.4 Paragraph 22(1)(c)

    Paragraph 22(1)(c) is a discretionary exemption based on an injury test designed to protect information, the disclosure of which could reasonably be expected to be injurious to the security of penal institutions. Non-exhaustive examples are:

    • plans of penitentiaries that could be useful in an escape attempt
    • information that could be used to instigate a riot
    • information about the location of arms storage facilities within the penitentiary

    While the information above may not be personal, it may be interwoven with personal information. Careful analysis should be completed when reviewing records to ensure that that type of information is not released to the individual as part of their personal information request.

    Information should not be limited to only the facilities themselves but the interaction with and within the facilities. Careful consideration should be given to factual information about the facilities interwoven with information about the individual. Non-exhaustive examples include:

    • how and when shift changes are conducted could lend themselves to a greater understanding of when there is the greatest opportunity for escape
    • key exchanges
    • incidents of property destruction (for example, damage to doors or locking mechanisms)
    • intervention of an Emergency Response Team
    • external threats
    • storage closets and their contents
    • locations of cameras, including blind spots
    • building infrastructure (electrical panels, water pipes, gas)

    Institutions may consider if section 25 (Safety of individuals) of the Act (subsection 10.12) may also be applied when the above exemption is used to protect the safety of individuals, or if subsection 12(1) (Right of access) should also be applied to information that clearly falls outside the scope of being classified as personal information.

    10.5.4.1 Consultation on paragraph 22(1)(c)

    It is not mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt personal information under this section. However, if an institution is considering disclosure, it is strongly recommended to consult with Correctional Service Canada, especially when the institution does not normally treat personal information that falls under this exemption. This institution can assist in providing rationales as to why some information may in fact be highly sensitive, such as how information can facilitate an escape or potentially be injurious to staff and inmates.

    Top of Page

    10.5.5 Subsection 22(2): policing services for provinces or municipalities

    For reference purposes only. This exemption would only be used for information that was created before corresponding provincial legislation was passed. Consider the use of subsection 22(1) for information obtained or prepared by the RCMP.

    Subsection 22(2) of the Act provides that a government institution shall refuse to disclose any personal information that was obtained or prepared by the RCMP while performing policing services for a province or a municipality pursuant to an arrangement made under section 20 of the Royal Canadian Mounted Police Act, where the Government of Canada has, on the request of the province or municipality, agreed not to disclose the information.

    This is a mandatory class exemption that protects information obtained or prepared, meaning it must have been acquired for use by the RCMP when performing its provincial or municipal policing role. In order for the exemption to be invoked, it is necessary that (1) the province or municipality request that the exemption be applied, and (2) the federal government agree to the request.

    Top of Page

    10.5.6 Subsection 22(3): definition of “investigation”

    Subsection 22(3) of the Act states that for purposes of paragraph 22(1)(b) “investigation”means an investigation that:

    • (a) pertains to the administration or enforcement of an Act of Parliament;
    • (b) is authorized by or pursuant to an Act of Parliament; or
    • (c) is within a class of investigation specified in the regulations.

    This definition limits the types of investigations for which the exemptions in paragraphs 22(1)(b) can be claimed to those specifically authorized by federal law or undertaken for the purposes of administering or enforcing federal law. The following are examples, of the types of investigations described in paragraph 22(1)(b):

    • 22(3)(a): investigation by the Parole Board of Canada to determine whether an individual should be granted a pardon under the Criminal Records Act
    • 22(3)(b): investigation of an appointment conducted by the Public Service Commission of Canada
    • 22(3)(a) and (b): investigation by safety officers under Part II of the Canada Labour Code

    Residual classes of investigations are provided for in paragraph 22(3)(c). Section 12 of the Privacy Regulations specifies that they are the classes of investigationslisted in Schedule V of the Regulations. An example is an investigation for the purpose of reviewing or updating a security clearance referred to in paragraph 23(a) or (b) of the Act that was granted to an individual.

    In the decision Sherman v. Canada (Minister of National Revenue), 2004 FC 1423, reviewed on other grounds in 2005 FCA 375, the Federal Court stated that “investigation”should be read in its ordinary sense to mean “the action of investigating; the making of a search or inquiry; systematic examination, careful or minute search,”undertaken with some guiding principle or aim in mind. In Canada (Minister of Public Safety and Emergency Preparedness) v. Maydak, 2005 FCA 186, it was further emphasized that regardless of the value, or lack thereof, of the information, what is key is that it was obtained through the act of investigating.

    Furthermore, as discussed in 10.5.3, an investigation can have already taken place, be current, or refer to the future. Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773, explained that “there is nothing in s. 22(1)(b) that should be interpreted as restricting the scope of the word ‘investigation’ to investigations that are underway or are about to commence, or limiting the general meaning of that word to specific investigations.”The exemption looks to protect when disclosure could reasonably be expected to be injurious to the conduct of investigations and could not practically be limited to only the present.

    Finally, in the decision 3412229 Canada Inc. v. Canada (Revenue Agency), 2020 FC 1156, the Federal Court concluded that the term investigation encompassed tax audits. The information “consists of either audit techniques used by the CRA to identify or guide its auditors in applying s. 94.1 of the ITA [Income Tax Act] or a risk assessment tool used to evaluate and manage the risks of an ongoing audit.”The information fell into the two categories identified in 16(1)(c) of the ATIA (which is identical to paragraph 22(1)(b) of the Act).

    Top of Page

    10.6 Section 22.1: Information obtained by the Privacy Commissioner

    10.6.1 Exemption of personal information related to information obtained by the Privacy Commissioner

    Section 22.1 of the Act is a mandatory class exemption, intended to protect personal information obtained or created by the Privacy Commissioner or on their behalf. This collection or creation must occur in the course of an investigation conducted by, or under the authority of, the Commissioner. Alternatively, personal information could be obtained by the Commissioner during a consultation with the Information Commissioner under subsection 36(1.1) or section 36.2 of the ATIA.

    Only the Office of the Privacy Commissioner (OPC) may claim this exemption. Other government institutions cannot invoke section 22.1. However, another exemption may be applicable to the personal information requested.

    Section 22.1 recognizes that it is inappropriate for the Privacy Commissioner to disclose personal information that was obtained from institutions under investigation. The provision also protects personal information created by or on behalf of the Privacy Commissioner during investigations or consultations with the Information Commissioner to prevent interference with the Commissioner’s statutory duties, powers and functions.

    Personal information “obtained”during the investigation is acquired because the Commissioner had a need to do so based on their mandate. It comprises all personal information forwarded by the institution for the purposes of the investigation, including copies of the personal information relevant to the request that was processed and administrative documents created or obtained by the institution during the request’s processing. Copies of personal information can also include personal information from outside government (for example, from the public) sent to the OPC during the investigation (for example, testimonies, records and emails). It also includes the consultations that take place with the Information Commissioner under subsection 36(1.1) or section 36.2 of the ATIA.

    Personal information obtained by or on behalf of the Privacy Commissioner in the course of an investigation or consultation with the Information Commissioner continues to be protected pursuant to subsection 22.1(1), even after all proceedings related to the investigation have been concluded.

    In Carter v. Canada (Privacy Commissioner), 2019 FC 783, the Court upheld that certain redacted portions in response to the request fell within the scope of subsection 22.1(1), as the information was obtained from the National Defence, and as a result the OPC was not permitted to disclose it.

    Top of Page

    10.6.2 Limitation on exemption

    There is an important distinction to be made between “personal information obtained”and “personal information created”during the Commissioner’s investigations. Subsection 22.1(2) imposes a limitation for the protection of personal information created by or on behalf of the Privacy Commissioner. These may include the notes of the investigators or documents from experts performing work on behalf of the Commissioner, internal email, investigation reports, notes to file and letters of findings.

    As a result, subsection 22.1(1) can no longer be applied to personal information created by or on behalf of the Privacy Commissioner once the investigation and all related proceedings, if any, are concluded. The term “related proceedings”normally refers to reviews by the Federal Court of Canada, the Federal Court of Appeal and the Supreme Court of Canada.

    This does not mean that personal information covered by subsection 22.1(1) must automatically be disclosed by the OPC pursuant to a request under the Act once all proceedings are concluded. Rather, such personal information automatically falls outside the class test protection of subsection 22.1(1). If there are still grounds to protect them, other exemptions contained in the Act would continue to apply to all or parts of the personal information.

    Top of Page

    10.7 Section 22.2: Public Sector Integrity Commissioner

    10.7.1 Exemption of personal information related to information obtained by the Public Sector Integrity Commissioner

    Section 22.2 of the Act is a mandatory class exemption that can be used only by the Public Sector Integrity Commissioner (Integrity Commissioner). It requires the Integrity Commissioner to refuse to disclose any personal information obtained or created by them or on their behalf in the course of:

    • an investigation into a disclosure of wrongdoing made by a public servant under the Public Servants Disclosure Protection Act (PSDPA); or
    • an investigation initiated by the Integrity Commissioner under section 33 of the PSDPA as a result of information:
      • obtained in the course of another investigation of alleged wrongdoing; or
      • provided by a person who is not a public servant.

    For information to be “obtained or created,”it must be acquired or authored by the Integrity Commissioner or on their behalf because they had a need to do so based on their mandate. This includes personal information provided by the public servant making the disclosure, the person accused of wrongdoing, and a person who has met the conditions set out under section 33 of the PSDPA. This exception is meant to ensure that public servants and all persons involved in a disclosure process feel protected in reporting possible wrongdoing. They offer broad protection for personal information obtained and created in relation to a disclosure or a disclosure investigation, including the identity of the discloser and witnesses.

    Unlike paragraph 16.4(1)(b) of the ATIA, section 22.2 of the Privacy Act does not include a requirement to exempt information received by a conciliator in the course of attempting to achieve the settlement of a reprisal complaint filed under subsection 19.1(1) of the PSDPA. Therefore, such information may be disclosed in response to a request made under the Privacy Act unless another exemption applies.

    Because section 22.2 is a mandatory exemption, it must be applied to all personal information that falls within the class of records. The Integrity Commissioner must invoke the exemption even in cases where the personal information was previously disclosed during the investigative process, reported publicly under the PSDPA, published in the Integrity Commissioner’s reports to Parliament, or otherwise disclosed.

    There is no time limit respecting the application of section 22.2, and the exemption applies even after the completion of the investigation.

    Subject to sections 52 and 53 of the PSDPA, the public sector does not include the following: the Canadian Armed Forces, the Communications Security Establishment or the Canadian Security Intelligence Service. The PSDPA also does not apply to elected officials or their staff or employees of the House of Commons and the Senate.

    Top of Page

    10.8 Section 22.3: Public Servants Disclosure Protection Act (PSDPA)

    10.8.1 Exemption of personal information related to information created for disclosure under the PSDPA

    Section 22.3 of the Act is a mandatory class exemption that must be invoked by all government institutions. It requires the head of a government institution to refuse to disclose personal information created for the purpose of making a disclosure under the PSDPA or in the course of an investigation into a disclosure under the PSDPA. Section 22.3 of the Act is meant to ensure that public servants and all persons involved in a disclosure process feel protected in reporting possible wrongdoing. They offer broad protection for personal information created in relation to a disclosure or a disclosure investigation, including the identity of the discloser and witnesses.

    For this exemption to apply, the following five conditions must be met:

    1. A disclosure of wrongdoing was made or was considered. The PSDPA defines “protected disclosure”as a disclosure that is made in good faith by a public servant:
      • in accordance with the PSDPA;
      • in the course of a parliamentary proceeding;
      • in the course of a procedure established under any other Act of Parliament; or
      • when lawfully required to do so.
    2. The disclosure was made or is being prepared by a public servant. “Public servant”is defined in the PSDPA as every person employed in the public sector, every member of the RCMP and every chief executive.
    3. The alleged wrongdoing is in or relates to the public sector. “Public sector”is defined as the departments and bodies named in Schedules I to V of the Financial Administration Act and the Crown corporations and the other public bodies listed in Schedule 1 of the PSPDA. Subject to sections 52 and 53 of the PSDPA, the public sector, for the purposes of administering that Act, does not include the following: the Canadian Armed Forces, the Communications Security Establishment or the Canadian Security Intelligence Service. The PSDPA does not apply to elected officials or their staff or employees of the House of Commons and the Senate.
    4. The alleged wrongdoing relates to one of the following wrongdoings in or in relation to the public sector, as defined in section 8 of the PSDPA:
      • (a) a contravention of any Act of Parliament or of the legislature of a province, or of any regulations made under any such Act, other than a contravention of section 19 of the PSDPA;
      • (b) a misuse of public funds or a public asset;
      • (c) a gross mismanagement in the public sector;
      • (d) an act or omission that creates a substantial and specific danger to the life, health or safety of persons, or to the environment, other than a danger that is inherent in the performance of the duties or functions of a public servant;
      • (e) a serious breach of a code of conduct established under section 5 or 6 of the PSDPA; and
      • (f) knowingly directing or counselling a person to commit a wrongdoing set out in any of paragraphs (a) to (e).
    5. The information was created for the purpose of making the disclosure or in the course of an investigation into a disclosure.

    As mentioned above, the exemption must be claimed by all government institutions if the conditions described in the provision are met. Although the Canadian Forces, the Canadian Security Intelligence Service and the Communications Security Establishment are not subject to the PSPDA, they must invoke section 22.3 to exempt personal information obtained from other government institutions that was created for the purpose of making a disclosure under the PSDPA or in the course of an investigation into a disclosure under the PSDPA.

    Information that falls under section 22.3 is permanently protected and cannot be released in response to a request for access to personal information. In such circumstances, institutions must exempt all personal information related to a disclosure of alleged wrongdoing or an investigation made under the PSDPA, even in cases where the information was previously disclosed during the investigation process, reported publicly by the chief executive of the institution under paragraph 11(1)(c) of the PSDPA, published in the Integrity Commissioner’s reports to Parliament, or otherwise disclosed.

    It should be noted that information relating to reprisal complaints filed under subsection 19.1(1) of the PSDPA is not covered by this exemption and can be released by institutions unless other exemptions apply.

    There is no time limit or other constraint restricting the application of section 22.3.

    Top of Page

    10.8.2 Relationship with paragraph (g) of the definition of “personal information”

    Pursuant to paragraph (g) of the definition of “personal information”found in section 3 of the Act, “views or opinions of another individual about the individual”who is making the request, including allegations made about the individual, are considered to be the personal information of that individual. In most cases, such information would be released to the individual on request, subject to the exemption and exclusion provisions of the Privacy Act.

    Nevertheless, when such views or opinions form part of a disclosure of alleged wrongdoing or an investigation of a disclosure of alleged wrongdoing under section 33 of the PSDPA, all information related to the allegations, the disclosure of the alleged wrongdoing and the related investigation must be exempted in response to a request from the individual under the Privacy Act.

    As mentioned in the previous section, this protection does not apply to information relating to reprisal complaints filed under subsection 19.1(1) of the PSDPA.

    Top of Page

    10.9 Section 22.4: Secretariat of National Security and Intelligence Committee of Parliamentarians

    10.9.1 Exemption of personal information related to information obtained by the Secretariat of National Security and Intelligence Committee of Parliamentarians

    Section 22.4 of the Act is a mandatory class exemption that is intended to protect personal information obtained or created by the Secretariat of the National Security and Intelligence Committee of Parliamentarians (the Secretariat), or on their behalf in the course of assisting the National Security and Intelligence Committee of Parliamentarians (the Committee) in fulfilling its mandate.

    This section states that the Secretariat shall refuse to disclose personal information that was obtained from institutions under review. The provision also protects personal information created by or on behalf of the Secretariat or the Committee as part ofreviews to prevent interference with the Committee’s statutory duties, powers and functions.

    There is no time limit respecting the application of section 22.4, and the exemption applies even after the completion of the investigation. Even information created after the conclusion of a review is covered by this exemption.

    Only the Secretariat or the Committee may claim this exemption. Other government institutions cannot invoke section 22.4. However, another exemption may be applicable to the personal information requested.

    Top of Page

    10.10 Section 23: Security clearances

    10.10.1 Exemption of personal information related to information obtained for security clearances

    Section 23 of the Act is a discretionary exemption that contains a class test and consideration of whether disclosure could reveal the source of the information.

    This section provides that a government institution may refuse to disclose any personal information that was obtained or prepared by an investigative body specified in Schedule IV of the Regulations for the purpose of determining whether to grant security clearances, if disclosure of the information could reasonably be expected to reveal the identity of the individual who furnished the information to the body. “Obtained or prepared”means that the personal information must have been acquired for use by the investigative body. “Furnished”means that the individual “gave”the information to the body. As per paragraphs (a) and (b) of section 23, it applies to security clearances that are:

    • required by the Government of Canada or a government institution for:
      • individuals employed by the government or an institution;
      • individuals performing services for the government or an institution;
      • individuals employed by or performing services for a person or body performing services for the government or an institution; or
      • individuals seeking to be employed or seeking to perform services for the government or an institution; or
    • required by the government of a province or a foreign state or an institution thereof.

    The Privacy Regulations contain a list of investigative bodies to which section 23 of the Act applies. The inclusion of these specific bodies is intended to protect sources of information within the security clearance process of the Government of Canada, particularly when the information provided relates to subversive or hostile activities or organized crime.

    Paragraphs (a) and (b) of section 23 of the Act represent the class test components of this discretionary exemption. If the requested personal information falls within any of these classes, the class test is satisfied.

    The consideration of whether disclosure could reveal the source of the information applies to both the identity of the individual who furnished the information to the investigative body and the investigative body’s methods or other sources of information. The applicable threshold is that there must be a reasonable expectation of being able to identify the source.

    After a thorough analysis of these considerations, an institution should then exercise its discretion in releasing the information in question. This second stage of analysis should involve weighing the relevant public and private interests that would be affected by the information being disclosed.

    This exemption was considered in Dolan v. Canada (1993), 64 FTR 284,Footnote 4 where the Federal Court concluded that the protection afforded by section 23 applies to personal information collected about an individual who was seeking employment in a government institution, even if the individual had not yet been made a conditional offer of employment prior to the collection.

    Institutions may consider if paragraph 22(1)(b) (Law enforcement and investigations) of the Act (subsection 10.5.3) may also be applied to information that may not fit into the class of granting a security clearance, but is incidentally collected during this investigative process. Section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied where information about other individuals is interwoven within the request.

    Top of Page

    10.10.2 Consultation

    Although it is no longer mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt information under section 23, institutions may wish to consider consulting if they require additional information to demonstrate a reasonable expectation of probable harm if releasing the information. For example, the institution may need more information from the investigative body as to how the information found in the request would allow identification of the source and if that identification would likely cause injury to the source.

    Top of Page

    10.11 Section 24: Individuals sentenced for an offence

    10.11.1 Exemption of personal information related to individuals sentenced for an offence

    Section 24 of the Act provides that a government institution may refuse to disclose any personal information that was collected or obtained by Correctional Service Canada or the Parole Board of Canada while the individual was under sentence for an offence against any Act of Parliament if disclosure could reasonably be expected to:

    • (a) lead to a serious disruption of the individual’s institutional, parole or statutory release program; or
    • (b) reveal information about the individual originally obtained on a promise of confidentiality, express or implied.

    Like section 23 of the Act, paragraphs 24(a) and 24(b) are discretionary exemptions based on both a class test and a further consideration of whether disclosure could disrupt their release program or reveal the source of confidentially obtained information.

    The first stage of analysis involves a class test. As part of this test, institutions must examine whether the requested personal information was collected or obtained by Correctional Service Canada or the Parole Board of Canada while the individual who made the request was under a sentence for an offence violating an Act of Parliament. This factor must be present for the exemption to apply.

    If the class test is satisfied, institutions can then consider the second stage of analysis. Institutions must examine whether disclosure would lead to a serious disruption of the individual’s institutional, parole or statutory release program, or reveal information about the individual originally obtained on a promise of express or implied confidentiality. An example may be if an individual made a personal information request for records from the Parole Board of Canada in advance of a hearing. Some of the information contained within their file could be interpreted to suggest that parole would not be granted and may cause distress to the individual while still incarcerated or it give information as to who might have provided testimony against them.

    Paragraph 24(a) may still apply after the individual has been released from federal prison if the individual making the request is still incarcerated or remains under a parole or a mandatory supervision program. Meanwhile, the consideration of whether disclosure could reveal information obtained on a promise of confidentiality set out in paragraph 24(b) may continue to exist after the individual making the request has served their full sentence.

    The Federal Court of Canada examined the exemption in section 24 in Longaphy v. Canada (Solicitor General), [1992] F.C.J. No. 302, [1992] A.C.F. No. 302, 53 F.T.R. 147, 6 Admin. L.R. (2d) 54.Footnote 5 In that decision, the Courtagreed that an implicit promise of confidentiality could be sufficient to claim paragraph 24(b) because an inmate suspected of providing information about another inmate to the staff of the penitentiary may be subject to severe reprisals or even death by other inmates.

    Institutions must still exercise their discretion regarding whether to release the information in question. Given the sensitivity of the personal information that falls under section 24, it is recommended that government institutions consult Correctional Service Canada or the Parole Board of Canada if information is considered for release.

    Institutions may consider if subparagraph 22(1)(b)(ii) (Law enforcement and investigations) (subsection 10.5.3) and section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied when the above exemption is used to protect the name of another individual other than the requester. Alternatively, 22(1)(b)(iii) (subsection 10.5.3) and 22(1)(c) (subsection 10.5.4) may be considered for information relating to investigations or the security of penal institutions.

    Top of Page

    10.12 Section 25: Safety of individuals

    10.12.1 Exemption of personal information related safety of individuals

    Section 25 of the Act is a discretionary exemption based on an injury test. A government institution may refuse access to the requested personal information if the disclosure could reasonably be expected to threaten the safety of one or more individuals.

    The phrase “threaten the safety of individuals”in section 25 is not defined in the Act and has not yet received judicial interpretation. Therefore, the terms are given their ordinary dictionary meaning:

    • “threaten,”in the context of section 25, means to expose to risk or harm; to be a menace or source of danger
    • “safety”means freedom from danger or hazard; exemption from hurt, injury or loss
    • “individual”means a human being

    The types of individual safety interests that could be threatened are relatively broad, covering an individual’s life, bodily integrity and psychological health.

    Psychological injury is more than the causing of distress. It implies that disclosure might lead to or exacerbate an existing mental illness or psychological disorder or cause a person to become suicidal. For example, the disclosure of police photographs of a gruesome murder scene may threaten the mental health of the deceased’s spouse who is already suffering from depression, even if the murder happened more than 20 years ago.

    Depending on the nature of the information requested, the fact that the person making the request suffers from a mental illness, such as post-traumatic stress disorder or depression, may have an impact on the assessment of risk to the safety of that individual. If the person requests access to their medical records, section 28 (subsection 10.16) may be applicable.

    Top of Page

    10.12.2 Application

    This exemption applies to any cases where there have been, or there appear to be, threats to an individual’s safety. Depending on the context, examples may include the following:

    • names and other information identifying government employees or officers associated with dangerous or highly controversial issues, such as organized crime, money laundering, gun control, child support obligations, garnishments, abortion, and animal testing or laboratory work
    • information supplied by or about informers in criminal, quasi-criminal and security areas
    • information about persons who provided information about prisoners
    • information about persons who may have witnessed an event or incident that is under further investigation
    • the identity of individuals that may be deployed in a location where it is already known that their safety is at risk and the release of the information would exacerbate that risk
    • the identity of an individual who provided information to the Government of Canada about the activities of a country that has a repressive regime
    • testimony of co-workers concerning an individual who has been harassing and threatening them with harm
    • information concerning the dismissal of the person making the request, such as the testimony of previous co-workers, where the requester has threatened or assaulted previous co-workers in the past

    The type of information protected under this exemption covers not only the name of the individual but any identifier or other kind of information that is likely, by its release, either by itself or by a “mosaic effect,”to threaten the safety of individuals.This could be information that either directly or indirectly reveals the identity, home address or other identifier of such an individual. This could also be information that would facilitate placing an individual in danger or to hazards. Consideration should be given for information about employees of a government institution, as this exemption could cover information that is not normally protected information, such as the name of the individual’s employer, place of employment, address of employment, or job title or their work and travel schedules and might otherwise customarily be released in ATIP requests. Consideration should be made especially for groups involved in controversial or dangerous work or environments where a risk to safety is already heightened. The exemption may also apply to publicly available information that can be matched with other data to reveal information that is likely, as described above, to threaten the safety of an individual, such as the time and place of meetings.

    Top of Page

    10.12.3 The applicable injury test

    The injury test to be met in section 25 is one of “reasonable expectation of probable harm.”The expectation of injury has to be more than speculative, and institutions must demonstrate that there is a reasonable basis for believing that disclosing the information will endanger an individual’s safety.

    The injury test might be satisfied with at least some evidence demonstrating that the likelihood is considerably more than mere speculation but somewhat less than “more likely than not”and that the safety of individuals is or will be threatened by the disclosure. This can be based upon incidents where aggressive behaviour was directed at a specific person or persons, the nature of an individual’s employment, or details of actual threats.

    Institutions may consider if section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied where information about other individuals is interwoven within the request, and alternatively information may be denied access to under subsection 12(1) (Right of access) if the information does not belong to the requester.

    Paragraph 22(1)(b) (Law enforcement and investigations) of the Act (subsection 10.5.3) may also be considered if the requested information would reveal the identity of a confidential source of information and the release of the information may dually reasonably be expected to threaten the safety of one or more individuals and injurious to the conduct of a lawful investigation.

    Paragraph 24(1)(b) (Individuals sentenced for an offence) of the Act (subsection 10.11) may also be considered if the requested information may reveal information about another individual originally obtained on a promise of confidentiality, express or implied.

    Top of Page

    10.12.4 Consultation

    Before disclosing information supplied by another institution that could affect the safety of individuals, government institutions should consult with the supplying institution to ensure that the disclosure will not endanger the safety of the individuals involved.

    Top of Page

    10.13 Section 26: Information about another individual

    10.13.1 Exemption of personal information related to information about another individual

    Section 26 of the Act provides that a government institution may refuse to disclose any personal information about an individual other than the requester. It also provides that a government institution must refuse to disclose such information where the disclosure is prohibited under section 8 of the Act.

    Section 26 embodies the principle under the Actthat an individual has a right of access only to information about themself. However, there are many scenarios where that individual’s personal information is entwined inseparably with information about another individual (for example, information about spouses or partners in an immigration file, custody disputes, labour relations issues, views and opinions of another person). When this occurs, access to the personal information must be refused where the disclosure is not permitted under section 8 of the Act because the information about another individual is also personal information.

    Top of Page

    10.13.2 Application

    The application of section 26 of the Act requires three steps:

    1. Establish that the information falls within the definition of personal information found in section 3 of the Act that is related to both the requester and the other individual. Chapter 3 of this manual [pending] provides extensive information on the definition of personal information.

    The application of section 26 is relatively straightforward for many of the paragraphs in section 3. More thorough analysis will likely be required for the classes of personal information defined in the following paragraphs:

    • (e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,
    • (f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,
    • (g) the views or opinions of another individual about the individual, and
    • (i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual.

    In Canada (Information Commissioner) v. Canada (Minister of Citizenship and Immigration), 2002 FCA 270, known as the Pirie case, it was determined that the information in question was both the personal information of Mr. Pirie and the interviewees. After balancing the private interests of the interviewees, the private interests of Mr. Pirie and the public interest in disclosure and non-disclosure, the Court determined that Mr. Pirie’s interest in the information should prevail. Therefore, the names of the interviewees and the views and opinions they expressed about him were disclosed.

    2. Ensure that paragraphs 3(j), (j.1), (k), (l) and (m) of the definition of personal information do not apply and thus permit the disclosure of the personal information about the requester and the other individual involved.

    The exclusions should be interpreted narrowly. For example, a public servant’s name and title would customarily fall into the exclusion, but if their name and title are included as part of a list of successful candidates in a current staffing process, the information would now fit the definition set out in 3(i) and would be withheld under section 26. In Terry v. Canada (Minister of National Defence), [1994] T-845-94,Footnote 6 the Court relied upon the expressio unius est exclusio alterius (“the expression of one thing is the exclusion of the other”) rule of interpretation, which enunciates that in order to fall within that exception, the information requested must fall squarely within the 3(j) exception.

    For more information on the interplay between 3(i) and 3(j), please refer to Dagg v. Canada (Minister of Finance),[1997] 2 S.C.R. 403.

    Please also refer to Privacy Implementation Notice 2020-02: Definition of Personal Information – Ministerial Staff to assist in the application of 3(j.1).

    3. Exercise discretion as to whether the information may nonetheless be disclosed because:

    • The individuals involved have given their respective consent to the disclosure of their personal information;
    • The personal information about the requester and the other individual involved is publicly available; or
    • The personal information about the requester and the other individual can be disclosed pursuant to subsection 8(2) of the Act.

    The exercise of discretion is discussed below in 10.13.3

    Top of Page

    10.13.3 Discretion to disclose

    Institutions may choose to exercise discretion to prevent nonsensical situations where an institution would be exempting information already known to a requester.

    An example of this could be when non-sensitive, factual information about another individual that has either been supplied by the requester or is known to them (for example, family members’ addresses that appear on a security clearance form) and where releasing it would not reveal additional personal information about the other individual. Institutions should also be cognizant of their obligation to ensure the accuracy and currency of the personal information under subsection 6(2) of the Act. All such disclosures should, however, be made cautiously. The decisions in favour of disclosure should be documented in the processing file and would normally follow internal procedures where it is determined by the institution that this is an acceptable approach when processing personal information requests. Where the possibility of an invasion of privacy exists, institutions must exempt the information.

    Disclosure of personal information about an individual other than the requester is permitted if:

    • (a) the other individual gives their consent to the disclosure (subsection 8(1)); or
    • (b) the information is publicly available (subsection 69(2)); or
    • (c) the disclosure is authorized under subsection 8(2) of the Act and, according to section 26 of the Act, the head has considered the applicability of subparagraphs 8(2)(m)(i) and 8(2)(m)(ii).
    a) Disclosure under subsection 8(1): Consent

    An institution may disclose the personal information of another individual to the requester when the other individual has consented to the disclosure. Consent is to be provided in writing and documented in the ATIP processing file. Institutions should ensure that the individual providing their consent is aware of the personal information involved and to whom the information will be provided. In other words, the individual should be aware of exactly what personal information about themself will be disclosed and to whom by virtue of their consent. Any consent obtained would apply only to records being processed for a particular file and not to future requests. The Consent for a Personal Information Request Form was developed to enable an individual to proactively provide consent to the release of their information to a requester. However, it could be used to document consent at any point in the processing of a request.

    In Layoun v. Canada, 2014 FC 1041, the Federal Court examined 19(2) of the Act, which is another discretionary provision within the Act based on consent. It stated that seeking consent is subject to practical considerations, and it recommended that government institutions may develop internal procedures to follow when considering if and when consent should be sought. The Court outlined the procedures that must respect the nature of the Act. The onus is only to make “reasonable efforts”to seek consent. There must be consideration for the fact that a personal information request is in and of itself personal information. There may be circumstances where seeking consent would reveal information about the personal information request itself and the institution. There may also be circumstances where, in conjunction with other applicable exemptions, seeking consent may harm the particular public or private interest for which the exemption exists to protect.

    When developing internal procedures, the following scenarios can form part of the considerations for or against seeking consent:

    • if the information that was collected was routine in nature or is required by law to access a benefit or service
    • if the request pertains to a topic of a sensitive nature that would customarily be kept private or confidential
    • if there was a promise of confidentiality when the information was supplied by any or all individuals involved
    • if the information was collected as part of an investigation, or if there are administrative or legal consequences in the context of the requested material
    b) Disclosure under subsection 69(2): Publicly available

    Subsection 69(2) provides that sections 7 and 8 of the Act, which set parameters for the use and disclosure of personal information, do not apply to personal information that is publicly available. Although sections 7 and 8 do not apply when personal information is publicly available, all other provisions, such as sections 4 and 5 (collections) and 12 (right of access), continue to apply. Institutions should consider if it is the requested information or information found within the request that is publicly available as part of this discretionary exercise.

    Further consideration should be made as to both how the information was released to the public and the extent of the information released. Section 11.1 of this manual [pending] provides information on the meaning of the expression “publicly available.”

    c) Disclosure under subsection 8(2)

    Subsection 8(2) of the Act enumerates several circumstances where personal information may be disclosed without consent.

    As disclosure under paragraph 8(2)(m) and notice of disclosure under subsection 8(5) must be reported in all institutions’ annual reports, additional information on these provisions is included below. Note that 8(2)(e) disclosures must also be reported in the annual report but are less likely to be employed in personal information request processing.

    Paragraph 8(2)(m)

    This paragraph provides that personal information may be disclosed for any purpose where, in the opinion of the head of an institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or the disclosure would clearly benefit the individual to whom the information relates.

    This provision is designed to deal with disclosure of personal information in situations that either cannot be readily foreseen or that are so specialized that they cannot be suitably covered in specific terms elsewhere in subsection 8(2). This provision does not imply any right of access to personal information; rather, it only permits disclosure at the discretion of the head of the institution where the appropriate conditions are met. Furthermore, the provision is only a supplement to, and not a replacement for, paragraphs (a) to (l) of subsection 8(2). In any case, this paragraph must be used with a good deal of restraint. Information should only be disclosed under this provision when it is apparent that there is a clear public interest in disclosure that outweighs the invasion of privacy or that would clearly benefit the individual, but no other release category under subsection 8(2) is applicable.

    Subsection 8(5) requires that the Privacy Commissioner be informed of disclosures made under this provision. The Privacy Commissioner may, subject to the requirement not to disclose information for which an exemption has been claimed, decide to notify the individual concerned, or to initiate a complaint under subsections 29(1) and 29(3) or an investigation under section 37 of the Act.

    Subparagraph 8(2)(m)(i)

    The decision whether or not to disclose information under this subparagraph must balance the public interest in disclosure against the threat to an individual’s privacy. This balancing should be based on an invasion-of-privacy test, which weighs the expectations of the individual, the nature of the particular personal information involved, and the possible consequences of disclosure for the individual against the public interest in disclosure. This last item may be assessed in terms of the benefit to only the requester or to the public as a whole. There is no easy guide by which to determine whether or not a specific disclosure is in the public interest. The criteria must cover unique, one-time cases, as well as similar, recurring releases affecting a number of individuals. Beyond the request regime there are obvious emergency situations where the circumstances are urgent and unambiguous, the public interest in disclosure is clear and the threat to privacy is very slight. There are situations, too, where either because of the type of information involved or the passage of time, there is little, if any, threat to an individual’s privacy. In most situations, however, the public interest in disclosure is less immediately apparent. The invasion-of-privacy test is then more crucial in deciding exactly which types of information may be released.

    There are three interrelated factors that should be taken into account in any invasion-of-privacy test.

    They are:

    1. Expectations of the individual: The conditions that governed the collection of the personal information and the expectations of the individual to whom it relates are important criteria in any test. Was the information compiled or obtained under guarantees that preclude some or all types of disclosures? Or, on the other hand, can the information be considered to have been unsolicited or given freely or voluntarily with little expectation of it being maintained in total confidence? Has the individual themself made a version of the information generally available to the public and diminished its private nature in these circumstances? Alternatively, would the individual acknowledge that some of their information is already known to the person or persons it would be disclosed to?
    2. Sensitivity of the information: It should be determined what type of information is involved in the request for a public interest disclosure. Is it obviously of a highly sensitive personal nature or does it appear to be fairly innocuous information? For example, releasing a name may appear to be benign, but contextually might be very sensitive. Is the information very current and for that reason more sensitive, or has the passage of time possibly reduced that sensitivity so that disclosure under specific circumstances would lead to no measurable injury to the individual’s privacy? On the other hand, could disclosure of the information, even after a passage of time, continue to cause harm to the individual?
    3. Probability of injury: If the information is considered sensitive, can it be surmised that the particular disclosure carries with it the probability of causing measurable injury? Injury should be interpreted as any harm or embarrassment that will have direct negative effects on an individual’s career, reputation, financial position, safety, health or well-being. As well, the head of an institution must consider if a disclosure of personal information will make that information available for a decision-making process by a government institution beyond that for which it is being disclosed.

    Institutions may also have other factors unique to their own situations that should be added to an invasion-of-privacy test. For this reason, institutions are encouraged to develop guidelines on the application of the invasion-of-privacy test within their institution.

    It is important to remember that public curiosity does not equate with public interest. The public interest to be balanced against the possible invasion of privacy can be evaluated on the basis of whether it is specific, current and probable (similar to the injury test described in Chapter 9). Where there is a possible invasion of privacy balanced against a public interest, consideration may be given to who would be receiving the information and whether any controls can be placed on further use or release.

    Examples of situations in which there could be a public interest that outweighs the potential invasion of privacy in disclosure as outlined in subparagraph 8(2)(m)(i) include:

    • (i) health or medical emergencies, accidents, natural disasters or hostile or terrorist acts where one or more individual’s lives and well-being depend on disclosure;
    • (ii) disclosure of information to carry out an order of the court (for example, enforcement of a custody order); and
    • (iii) disclosure of information to either substantiate or correct a statement made publicly by the individual concerned. In these circumstances the individual would first have made public the information being substantiated or corrected.

    Application to individuals who are deceased

    Subparagraph 8(2)(m)(i) may be considered in relation to a request for disclosure of information relating to an individual who has been dead less than 20 years. Often there is a diminution of privacy concerns with the passage of time and such information can be disclosed. The head of the institution should weigh the sensitivity of the information against the public interest in disclosure to determine if an unwarranted invasion of privacy would occur if the information was released. Important factors to consider are:

    1. whether disclosure may cause financial injury to the immediate family of the deceased
    2. whether disclosure may endanger the physical well-being of any of the family of the deceased
    3. whether the head of the institution has any reason to believe that an immediate family member or ex-spouse does not want the information released
    4. whether the information contains medical, psychological or social work case reports or data that it is reasonable to believe would prove harmful to familial relationships
    5. whether the deceased had expressed or implied any wishes with regard to the information
    6. whether disclosure may harm the reputation of the deceased (who cannot defend themself)
    Subparagraph 8(2)(m)(ii)

    This provision gives discretion to the head of an institution to ensure that personal information is not withheld from disclosure where the individual could clearly benefit from its release. The institution may consider, as part of a discretionary exercise, the balance between the public interest in disclosure if it would benefit the individual against the privacy of the third party to which the personal information relates. Note that the term “benefit”may assist the individual, but the information disclosed may be distressing in nature. Some examples of situations where personal information may be released on the grounds of “benefit to the individual”are:

    • disclosure of information to assist in determining the owner of lost or stolen property
    • notification of next of kin in the case of an accident or disaster
    • disclosure of information about an individual to immediate family members or an authorized representative of the individual such as a lawyer, under compassionate circumstances (for example, information as to whether or not an individual has been arrested in another country)
    Subsection 8(5): Notice of disclosure under paragraph 8(2)(m)

    Subsection 8(5) of the Privacy Act provides that the head of a government institution must notify the Privacy Commissioner of any disclosure of personal information under paragraph 8(2)(m) either prior to the disclosure or, if this is not practicable, at the time of disclosure. This provision provides an additional level of oversight as these disclosures are on a case-by-case basis. The Privacy Commissioner has discretion to notify the individual to whom the information relates of the disclosure if they deem such notification to be appropriate. The Privacy Commissioner may also express an opinion about the disclosure and may make recommendations to the institution.

    Notification of an individual by the Privacy Commissioner is, however, subject to the requirements of section 65 of the Privacy Act. This provision places the Privacy Commissioner under a duty not to disclose any information that is exempt under either the Access to Information Act or Privacy Act or any information that could confirm the existence of personal information where the head of a government institution, in refusing to disclose the information to the subject individual, has not indicated whether it exists.

    The OPC has developed a central portal for all institutions to provide their notifications in a secure and efficient manner. The Public interest disclosure notification online submission portal is accessible to all institutions. By submitting notifications via the portal, institutions can be assured that they are providing all information that the OPC requires to assess the disclosure. The OPC may follow up with institutions who do not use the portal, when they need more information. Institutions should expect to provide the OPC with the following information:

    • the name(s) of the individual(s) involved
    • a description of what personal information elements were disclosed
    • to whom (be it an individual or government institution)
    • the purpose of the disclosure and a statement as to why the public interest overrides privacy concerns in this instance, or how the disclosure would clearly benefit the individual
    • the name and signature of the person authorizing the disclosure
    Delegation of 8(2)(m) authority

    It is recommended that the authority to disclose personal information under paragraph 8(2)(m) be either retained by the head of the institution or delegated only to the most senior officials of the institution.

    Top of Page

    10.14 Section 27: Protected information – solicitors, advocates and notaries

    Section 27 of the Act is a discretionary exemption based on a class test that protects information subject to solicitor-client privilege or its equivalent civil law concept, the professional secrecy of advocates and notaries (subsection 10.14.1), and to litigation privilege (subsection 10.14.2). For simplicity, we will use the term “privileges”to describe all these concepts. This provision incorporates the protection that exists in common law and in Quebec’s civil law for information to which the solicitor-client privilege attaches. It ensures that communications between a government institution and its solicitors, including litigation-related communications, are protected to the same extent as they are in the private sector.

    10.14.1 The solicitor-client privilege

    The solicitor-client privilege, also known as the legal advice privilege, protects communications between a lawyer and a client from being disclosed without the permission of the client. The purpose of this privilege is to protect and promote the confidential relationship between a lawyer and a client by facilitating full and frank communication when seeking and providing legal advice.

    Legal requirements

    The courts have identified three criteria that must be satisfied in order for a communication to be covered by solicitor-client privilege (sometimes called legal advice privilege). The communication must:

    1. be between a lawyer and a client
    2. entail the seeking or giving of legal advice
    3. be intended to be kept confidential by the parties

    1. The communication must be between a lawyer and a client.

    For the purpose of section 27 of the Act, a lawyer is understood as:

    • the Department of Justice Canada’s legal counsel;
    • private sector law practitioners appointed as legal agents of the Minister of Justice and Attorney General of Canada;
    • those in the legal service units of government institutions who are not represented by the Department of Justice; or
    • private sector lawyers retained by a government institution (for example, a law firm retained by a Crown corporation to give a legal opinion).

    For most government institutions, the client is “the Crown.”For operational purposes, however, the client is understood as the individual government institution, as defined at section 3 of the Act, in receipt of the legal services, and it also includes its agents. However, the exemption does need to consider that the larger government interest in the privilege should be taken into account.

    2. The communication must entail the seeking or giving of legal advice.

    The solicitor-client privilege only applies to communications that, by nature, are related to the seeking or giving of legal advice. When communicating, the lawyer must be acting as a professionally qualified practising lawyer and not in some other capacity. The privilege does not protect advice falling outside of the lawyer’s legal responsibilities, such as political, administrative, managerial or general policy advice except where the latter is so inextricably intertwined with the legal advice that its disclosure would reveal the legal advice.

    It is not necessary that the communications specifically request or offer legal advice, as long as it can be placed within the continuum of communication in which the lawyer tenders advice. The concept of the continuum of communications is described as “all communications between a client and a legal advisor directly related to the seeking, formulating or giving of legal advice or legal assistance fall under the protection of solicitor-client privilege,”and was recognized by the Federal Court of Canada in the decision Canadian Jewish Congress v. Canada (Minister of Employment and Immigration), (T.D.), [1996] 1 F.C. 268. It was further examined in Canada (Office of the Information Commissioner) v. Canada (Prime Minister), 2019 FCA 95. For example, information provided by the client to their legal advisor for the purpose of receiving legal advice is also protected by this privilege.

    In Canada (Public Safety and Emergency Preparedness) v. Canada (Information Commissioner), 2013 FCA 104, the Federal Court of Appeal clarified, “In determining where the protected continuum ends, one good question is whether a communication forms ‘part of that necessary exchange of information of which the object is the giving of legal advice’[...]. If so, it is within the protected continuum.”

    3. The communication must be intended to be kept confidential by the parties.

    The Supreme Court of Canada has confirmed that communications between client and lawyer, including the information they shared, are presumed to be confidential in nature.Footnote 7 Also, as a general rule, the confidentiality of a communication will be lost if it has been disclosed, either verbally or in writing, to individuals or organizations who are not part of the federal government. For exceptions to this rule, please consult with your legal services.

    If just one of the three elements is lacking, the solicitor-client privilege will not apply, for example:

    • the communication is not between a lawyer and their client;
    • the communication is prepared by a lawyer but provides only policy advice and not legal advice on an issue;
    • the lawyer is advising on administrative matters and not on legal matters; or
    • the communication has not been treated in a confidential manner by either the client or the counsel
    Rationale for the solicitor-client privilege

    The exemption in section 27 protects the interest of solicitor-client privilege by ensuring that legal advice can be obtained without concern of disclosure. If an individual cannot confide in a lawyer knowing that what is said will not be revealed, it will be difficult, if not impossible, for that individual to obtain proper legal advice based on candid discussion within the solicitor-client relationship.

    Duration

    “Once privileged, always privileged” is the general principle, unless the privilege has been waived. In other words, the solicitor-client privilege is permanent in duration: it is neither limited by the passage of time nor the end of the issue that required the legal advice.

    Examples of solicitor-client privilege

    The solicitor-client privilege applies to any document that:

    • passes between lawyer and client and that contains information necessary for the giving or seeking of legal advice
    • sets out the law and contains information about what the client should prudently and sensibly do in a particular legal context
    • does not make specific reference to legal advice but falls within the normal exchange of communications between a client and lawyer within which legal advice is sought
    • on its face, makes reference to legal advice
    • includes performing services related to a legal issue pertaining to the client for which the professional skills and knowledge of a lawyer are required, even if the services might not be regarded as the provision of legal advice in the ordinary sense
    Limits to the scope of solicitor-client privilege

    Communications that are criminal in themselves, intended to further criminal purposes and evidence of the claimant party’s abuse of process or similar blameworthy conduct are not privileged. There are other exclusions to privilege, such as full answer and defence, however, institutions should defer to their legal services as these are too complex to be included in this manual.

    Settlement privilege (also known as “without prejudice” privilege) is not part of solicitor-client privilege, and therefore records protected by settlement privilege may not be protected from disclosure in response to an access request under section 27. Institutions should seek advice from their legal services and consider if other relevant exemptions may apply or if the right of access should be granted.

    Severance and solicitor-client privileged records

    In the decision Blank v. Canada (Minister of the Environment), 2001 FCA 374, the Federal Court of Appeal ruled that solicitor-client privilege does not apply to “general identifying information”that appears in a legal opinion, and should generally be severed and disclosed in compliance with section 25 of the ATIA. This is true unless the general identifying information would reveal the nature of the confidential legal communication or would provide clues about the content of the privileged information. The court held, under the ATIA, that if a record is only partially exempted from disclosure, what is left and thus disclosed must be understandable on its own. Otherwise, the non-privileged information does not have to be disclosed.

    Although not a provision under the Privacy Act, the concept of severability is now a requirement under section 4.2.25.5 of the Policy on Privacy Protection.

    “General identifying information”can include:

    • the description of the document (for example, the “memorandum”heading and internal file identification)
    • the name, title and address of the person to whom the communication was directed
    • the subject line
    • generally innocuous opening and closing words of the communication
    • the signature block

    Additional guidance on the principle of severability can be found in Chapter 9 of this manual [pending].

    Top of Page

    10.14.2 Litigation Privilege

    The litigation privilege, also known as the lawyer’s brief privilege, provides a zone of privacy in relation to pending or apprehended litigation. It ensures that parties can prepare their respective cases for trial privately, without adversarial interference and without fear of premature disclosure.Footnote 8

    All communications made and documents created or obtained for the dominant purpose of litigation are protected under the litigation privilege. Contrary to the solicitor-client privilege, the litigation privilege extends to communications of a non-confidential nature, as well as to those between the lawyer and third parties, or between or among non-lawyers (for example, witnesses, experts, labour relations).

    Legal requirements

    There are two legal requirements for the litigation privilege to apply:

    1. the document is created or obtained for the dominant purpose of litigation
    2. the litigation was ongoing or was reasonably anticipated at the time the document was created

    1. The document is created or obtained for the dominant purpose of litigation

    The records must be created or obtained for the dominant purpose of reasonably anticipated litigation. Also, if a record was created, obtained or compiled for the dominant purpose of litigation, the fact that it may also be used for other purposes does not affect the application of litigation privilege.

    2. The litigation was ongoing or was reasonably apprehended at the time the communication was made.

    The communication must be produced while the litigation is ongoing, or while litigation is reasonably contemplated; the litigation cannot be a mere vague possibility. However, the litigation privilege does not require the commencement of a court action to apply. Rather, in Hamalainen v. Sippola, 1991 CanLII 440, and confirmed in Blank v. Canada (Minister of Justice), 2006 SCC 39, the Supreme Court of Canada noted that “litigation can be said to be reasonably contemplated when a reasonable person, with the same knowledge of the situation as one or both of the parties, would find it unlikely that the dispute will be resolved without it.”

    Rationale for the litigation privilege

    The litigation privilege provides a zone of privacy for the litigator in which they can prepare the client’s case without fear of disclosure before making their case in court.

    Duration

    Unlike the solicitor-client privilege, the litigation privilege is temporary and lasts until litigation sharing the same “juridical source”comes to an end, as set out in Blank v. Canada (Minister of Justice), 2006 SCC 39, [2006] 2 S.C.R. 319. In general, this means that the litigation privilege ceases with the conclusion of the litigation of which it was born.

    In the decision Blank v. Canada (Minister of Justice), 2006 SCC 39, [2006] 2 S.C.R. 319 (at paragraph 39), the Supreme Court of Canada enlarged the definition of litigation to allow the privilege to be maintained in separate proceedings, when they are “closely related.”They include:

    • separate proceedings that involve the same or related parties and that arise from the same or a related cause of action; or
    • proceedings that raise issues that are common to the initial action and that share its essential purpose.

    The Supreme Court of Canada also reiterated that even if communications are no longer protected by the litigation privilege, they could also fall within the solicitor-client privilege, in which case they would “remain clearly and forever privileged.”

    Indeed, the Supreme Court recognizes that in practice, the solicitor-client privilege and the litigation privilege often overlap.

    Examples of litigation privileged records

    Non-exhaustive examples of documents protected under litigation privilege include:

    • correspondence between a lawyer and the client(s)
    • communications between a lawyer and third parties (for example, witnesses or experts)
    • documents relevant to the issues pleaded in the lawsuit that were produced by the parties
    • lists of potential witnesses
    • witness statements
    • letters retaining experts or commenting on their reports
    • research memoranda and legal authorities
    • annotations on records written by the litigator or notes taken by the litigator during the proceedings
    Top of Page

    10.14.3 Distinctions between the two privileges

    To summarize:

    Solicitor-client privilege Litigation privilege
    Communication is usually between a lawyer and a client (unless extended under the continuum of communications). Communication can be between a solicitor and a client, a solicitor and third parties, or a litigant and third parties.
    Arises during the course of a solicitor-client relationship. Arises and operates even in the absence of a solicitor-client relationship and applies indiscriminately to all litigants (whether or not they are represented by counsel).
    Never ends (unless subject to waiver or covered by on exception). Principle of “once privileged, always privileged.” Comes to an end, absent closely related litigation, upon the termination of the litigation that gave rise to the privilege.
    Top of Page

    10.14.4 Exercise of discretion

    Under section 27 of the Act, the head of the government institution, or the head’s delegate, has discretion to refuse to disclose the requested personal information protected by solicitor-client privilege, the professional secrecy of advocates and notaries, or the litigation privilege.

    In exercising this discretion, two questions must be considered:

    1. Is the requested information caught by the exemption?
      As a class-based exemption, the information must simply fall within one of the above-mentioned privileges and meet its legal requirements to apply.
    2. Should the requested information be disclosed even though it falls within the scope of the exemption?
      Deciding to disclose solicitor-client privilege information should be done in consultation with the Department of Justice Canada and after weighing the public and private interests favouring disclosure against those favouring non-disclosure. There is a strong public interest in preserving the confidential nature of the solicitor-client privilege. Discretion must be exercised reasonably, in good faith, and considering only relevant considerations.

    Institutions need to balance the right to access personal information with the interest this exemption protects. However, unlike other exemptions, the age of the record would not be a determining factor for consideration in the exercise of discretion given that the solicitor-client privilege is permanent in duration. Further, in the decision Ontario (Public Safety and Security) v. Criminal Lawyers’ Association, 2010 SCC 23, the Supreme Court of Canada noted the solicitor-client privilege is a near-absolute protection in recognition of the high public interest in maintaining the confidentiality of the solicitor-client relationship. The Court noted that it was difficult to see how a public interest override could ever operate to require disclosure of a document protected by solicitor-client privilege.

    In the context of section 27, there is no requirement for the head of the government institution or their delegate to expressly provide reasons to refuse the disclosure of privileged information to the requester, or to demonstrate prejudice, should the privileged information be disclosed.

    In the decision Canada (Justice) v. Blank, 2007 FCA 87, the Federal Court of Appeal indicated that the permissive nature of section 23 of the ATIA, which is the equivalent of section 27 of the Privacy Act, reflects the fact that the solicitor-client privilege may be waived by or on behalf of the client. It can be assumed that, by asserting the solicitor-client privilege, the client or a party acting on the client’s behalf has decided that waiver would not be in the public interest. There is no legal duty on the part of the Minister to expressly explain why the privilege is not being waived to the requester. Institutions are required under 4.1.18 of the Directive to document internally the factors considered when exercising discretion is discussed, recommendations are given, rationales are provided, and decisions are made.

    Top of Page

    10.14.5 Waiver of the privilege

    The solicitor-client privilege, the professional secrecy of advocates and notaries, and the litigation privilege belong to the government institution in receipt of the legal services (the client). Consequently, the ability to waive these privileges also belongs to the government institutions.

    It is up to the institution to establish their own internal processes to determine who can waive those privileges within the organization and release privileged information in response to a personal information request. The internal processes must also cover the circumstances in which it is advisable to do so. Government institutions are encouraged to cover this topic in the delegation order signed by the head of a government under subsection 73(1) of the Act.

    That said, institutions are encouraged to consult their legal counsel before making such a determination.

    Disclosure that is required by law is not considered a waiver of the privilege. In certain instances, neither is inadvertent disclosure when actions are taken to mitigate the disclosure, where possible. See 10.14.6 for additional guidance as this relates to communications with the OPC.

    Waiver occurs when the client is aware of the existence of the privilege and voluntarily discloses the privileged information to a party outside the solicitor-client relationship. That said, the communication between departments or agencies of information protected by the privileges does not normally amount to waiver: the communication occurs within the government, which is the ultimate beneficiary of the privilege. Similarly, it is not a waiver of the solicitor-client privilege, nor the litigation privilege, when privileged information is shared between parties who have a “common interest.” For example, the privilege would not be lost if information was shared between the governments of Canada and British Columbia if they were both named in a lawsuit and had decided on a joint defence or strategy.

    Once waived, the privilege cannot be recovered, nor applied to any future personal information request. This means that the head of the institution, or their delegate, could no longer exercise discretion under section 27 of the Act and must release the information for which the privilege has been waived.

    Consultation

    In its broadest sense, the client is the Crown or the Government of Canada as a whole. Though a case may be of greater interest to one or more institutions, the government at large is the ultimate beneficiary of the privilege, and the disclosure of privileged information by one institution may have an impact on other institutions.

    This is why institutions should always consult their legal counsel, especially when they do not have sufficient information to determine whether:

    • the information is privileged; and
    • the disclosure could:
      • injure the government’s legal positions or actual or pending litigation;
      • impede the ability of government institutions to communicate fully and frankly with their legal advisors; or
      • lead to waiver of the solicitor-client privilege with regard to other related documents.

    Institutions whose legal counsel report to the Department of Justice Canada should consult the Access to Information and Privacy Office at the Department of Justice Canada if they require more information for the proper exercise of discretion to withhold, or if they intend to disclose records that contain privileged information. However, as per 4.1.24 of the Directive, institutions are not required to consult the Department of Justice Canada if they have sufficient information to effectively exercise their discretion and apply the privilege exemptions.

    Top of Page

    10.14.6 Communications with the Office of the Privacy Commissioner

    Disclosing privileged documents that are part of the subject matter of a personal information request to the OPC during the investigation of a complaint made under the Act does not amount to waiver, as per subsection 34(2.2) of the Act. Under subsection 34(2.1) of the Act, information withheld from a requester as privileged under section 27 should be provided to the OPC during an investigation, if requested.

    There are instances, however, where privileged information should not be communicated to the Privacy Commissioner. Legal advice that is not in itself the subject of the request but was obtained during the processing of the request or during the investigation of a complaint concerning the request should not be included with the information provided to the Privacy Commissioner for examination. In the decision Canada (Attorney General) v. Canada (Information Commissioner), 2005 FCA 199 (Mel Cappe), the Federal Court of Appeal ruled that legal advice prepared to advise a government institution as to how it should respond to a request for access to information cannot be examined by the Information Commissioner unless absolutely necessary for the Commissioner to complete their investigation with respect to that same request. Although this decision dealt with the ATIA, it would likely also apply to the Privacy Act.

    Top of Page

    10.15 Section 27.1: Protected information – patents and trademarks

    Section 27.1 of the Act is a discretionary exemption based on a class test that protects communications between patent agents or trademark agents and their clients. This section would typically be applied to “views or opinions of another individual about the individual”who is making the request, as per paragraph (g) of the definition of “personal information”found in section 3 of the Act.

    Communications with patent agents that are protected must meet the following conditions to be included in the class, as per subsection 16.1(1) of the Patent Act:

    • they are between the patent agent who holds a patent agent licence or patent agent in training licence, or an individual authorized to act on their behalf, and that individual’s client
    • they are intended to be confidential
    • they are made for the purpose of seeking or giving advice with respect to any matter relating to the protection of an invention

    Communications with trademark agents that are protected must meet the following conditions to be included in the class, as per section 51.13 of the Trademarks Act:

    • they are between the trademark agent, who holds a trademark agent licence or trademark agent in training licence, or an individual authorized to act on their behalf, and that individual’s client
    • they are intended to be confidential
    • they are made for the purpose of seeking or giving advice with respect to any matter relating to the protection of a trademark, a geographical indication or a mark referred to in subparagraphs 9(1)(e), (i), (i.1), (i.3), (n) or (n.1) of the Trademarks Act

    If just one of the three elements is lacking, the exemption cannot be applied.

    10.15.1 Rationale for the patent and trademarks privilege

    The interest protected by the patent and trademarks advice privilege is the interest of all persons to have full and ready access to advice on inventions, trademarks and so on without concern of disclosure. If an individual cannot confide in an agent knowing that what is said will not be revealed, it will be difficult, if not impossible, for that individual to obtain proper advice on their innovation based on candid discussion.

    Top of Page

    10.15.2 Duration

    The patent and trademark advice privilege is not limited by the passage of time, and the privilege does not end.

    Top of Page

    10.15.3 Exercise of discretion

    Section 27.1 of the Act gives the head of a government institution who receives a request for access to personal information the discretion to invoke the patent and trademarks privilege or not.

    There are two types of decisions to be made in relation to section 27.1:

    1. A factual decision: Is the requested information subject to patents or trademarks privilege? In other words, have the legal requirements explained above been met?
    2. A discretionary decision: Should the information nevertheless be disclosed?

    This requires a balancing of the reasons for non-release of privileged information against reasonable factors in favour of release, followed by an exercise of discretion one way or the other. For section 27.1 to apply, heads of institutions do not have to demonstrate prejudice; neither do they have to give reasons for the refusal to disclose.

    Top of Page

    10.16 Section 28: Medical record

    Section 28 of the Act provides that a government institution may refuse to disclose any personal information that relates to the physical or mental health of the individual requesting the information when that person’s examination of the information would be contrary to their best interests.

    This is a discretionary exemption based on an injury test. It is not intended to prevent individuals from having access to all medical records, but rather where the disclosure of the information would be contrary to the best interest, in terms of personal health, of the individual.

    Subsection 13(1) of the Privacy Regulations (the Regulations) permits the head of the government institution to obtain an opinion from a qualified medical practitioner or psychologist when applying this section. The institution may allow the individual to have the information examined by a medical practitioner or psychologist of their choosing, where the institution is satisfied that the person chosen is qualified to determine whether disclosure would be contrary to the applicant’s best interests.

    Subsection 13(2) of the Regulations precludes the reviewing medical practitioner or psychologist to disclose the personal information to any other person, except to a duly qualified medical practitioner or psychologist for the purposes of obtaining their opinion. Institutions should remind practitioners and psychologists of their obligations when personal information is forwarded to them requesting their professional opinion, and request that they return the information to the institution after the review has been completed.

    Section 14 of the Regulations provides that an individual who is given access to personal information relating to their physical or mental health may be required to examine the information in person and in the presence of a duly qualified medical practitioner or psychologist who may explain or clarify the information to the individual.

    The standard of proof that must be met by a government institution that wants to invoke this exemption should thus be the civil standard of the balance of probabilities, a higher standard than what is required for the Privacy Act’s other injury-based exemptions.

    In the decision Dzevad Cemerlic MD v. Canada (Solicitor General), 2003 FCT 133, the Federal Court stated that section 28 is discretionary and that two requirements must be met before a government institution can apply the exemption. The first is that the information in question relate to the physical or mental health of the individual who requested it. The second is that an assessment be made by the head of a government institution on whether the release of the requested information is in the best interests of the individual. It was the Court’s view that:

    A government institution bears a heavy onus in justifying an exemption under section 28. Unlike the other exemptions in the Act, which balance an individual’s right to personal information with the interests of others, section 28 involves a balancing of an individual’s right to personal information with his or her own best interests as determined by the head of a government institution. It hardly needs to be said that in our society individuals are generally entitled to decide what is in their own best interests. This entitlement should not be taken away lightly.

    The decision on best interests must ultimately be made by either the head of the government institution or their delegate, not the actual medical practitioner or psychologist. However, the practitioner or psychologist will play a valuable role in the process, as their opinion will be one of the factors that the head or designate will consider as they make a final determination.

    When considering the harm to an individual, the head of the institution should consider if the information has already been communicated to the individual, or if there is an intent to communicate to them in the future. While section 14 provides duly qualified medical practitioner or psychologist can be present to explain or clarify the information to the individual, this may not be sufficient in all cases. For example, if there is a recommendation on file that an individual not return to work, but the individual has not yet been so informed, the qualified medical practitioner or psychologist may not be able to speak to the ramifications of the recommendations as it relates their employment. The information ought to be communicated using an alternate and established channel that the institution has available for these types of scenarios.

    This exemption may also be relevant where an individual with a long and difficult history of mental instability might suffer grave mental or physical trauma if information about certain diagnoses were made available to them, or if a treatment plan is suggested, but has not yet been discussed with them.

    Institutions may consider if section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied where information about other individuals is interwoven with individuals’ medical records. Section 25 (Safety of individuals) of the Act (subsection 10.12) may also be considered if the requested information may threaten the life, bodily integrity or psychological health of the individual. However, the application of this exemption may in of itself cause the harm to which it is trying to protect.

    Top of Page

    10.17 Other grounds for refusing access: subsection 33(1) of the Act – Protection of representations made to the Privacy Commissioner in the context of an investigation

    Subsection 33(1) requires that every investigation by the Privacy Commissioner of a complaint under the Privacy Act be conducted in private. Subsection 33(2) guarantees both the complainant and the head of the government institution concerned an opportunity to make representations. However, “no one is entitled as of right to be present during, to have access to or to comment on representations made to the Commissioner by any other person.”There are also additional provisions in sections 62 to 65 the Act that outline additional security, confidentiality and disclosure restrictions as they relate to the information received or obtained during an investigation under the Act.

    While section 33 does not fall within the headings of Exemptions or Exclusions in the Act, in Rubin v. Canada (Clerk of the Privy Council) (C.A.), [1994] 2 F.C. 707, confirmed on appeal to the Supreme Court of Canada in Rubin v. Canada (Clerk of the Privy Council), [1996] 1 S.C.R. 6, both Courts concluded that representations made by a government institution to the Information Commissioner in the course of an investigation and the responses from the Commissioner to the institution must be excluded from disclosure under section 35 of the ATIA if there is an access to information request. Such protection from disclosure exists not only for representations made in an ongoing investigation of the Commissioner, but also for representations made in respect of an investigation that has been completed. Section 35 of the ATIA affords the same parallel protections to the investigative process as section 33 of the Privacy Act, and both cases should be considered in building a rationale to support denying access to information pertaining to a complaint investigated by either Commissioner.

    Institutions can process information that would fall under section 33 of the Privacy Act as though it is a mandatory class exemption with no time limit to its protection. The following is a non-exhaustive list of examples of information that can be protected from disclosure under subsection 33(2) of the Act:

    • representations made by a government institution to the Commissioner, including documents attached to such representations
    • responses from the Commissioner’s office
    • references, in other documents, to representations provided to the Commissioner or references to responses received from the Commissioner during an investigation.

    In the rare cases that the information is addressed to all parties (complainant, the government institution concerned, and an investigator working for the OPC), institutions may consider releasing that information if it forms part of the request. However, if the information branches off into discussions that are only between the government institution concerned and the OPC, access should be denied.

    Throughout this manual, other exemptions have been introduced for consideration as institutions are permitted to invoke more than one exemption, as applicable. In this case, although it would seem logical to suggest a possible application of paragraph 22(1)(b), Rubin v. Canada (Clerk of the Privy Council) (C.A.), [1994] 2 F.C. 707 affirmed that if section 35 of ATIA is used to deny access, it is not necessary to invoke another exemption. Only the OPC, see section 10.6 of this manual) may apply an exemption, section 22.1, to personal information obtained or created by the Privacy Commissioner or on their behalf.

    A model letter has been developed to assist institutions in communicating the denial of access. While investigations are conducted in private, it is not necessary to “neither confirm nor deny”the existence of a record by invoking subsection 16(2) of the Act.

    Top of Page

  • Chapter 13 – Offences and Protection from Civil Proceedings or Prosecution

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    This chapter explains the offence of obstructing the Privacy Commissioner, the protection from civil proceedings or prosecutions, and the inadmissibility of evidence given during the complaint process.

    13.1 Section 68: obstructing the Privacy Commissioner

    Under section 68 of the Privacy Act (the Act), any person who obstructs the Privacy Commissioner or any person acting on behalf or under the direction of the Commissioner in the performance of the Commissioner’s duties and functions under the Act is guilty of an offence and liable, upon summary conviction, to a fine not to exceed $1,000. To date, no individual has been fined under section 68.

    Top of Page

    13.2 Protection from civil proceedings or prosecution

    Notwithstanding any other Act of Parliament, under section 74 of the Act, the head of a government institution and any person acting on behalf or under the direction of the head are provided with protection from civil or criminal proceedings, and the Crown or any government institution are provided with protection from any proceedings, in relation to the following:

    • disclosure in good faith of any personal information pursuant to the Act
    • any consequences that flow from that disclosure, or
    • failure to give any notice required under the Act if reasonable care is taken to give the required notice.

    Section 74 was specifically considered in Gauthier v. Canada (Minister of Consumer and Corporate Affairs) (1992) 58 F.T.R. 161.Footnote 1 The Federal Court indicated that the Privacy Act was structured to provide a right of judicial review with respect to denials of access to information. However, it noted that “the [Privacy] Act expressly precludes the complainants starting a regular action for damages based on negligence.” In Canada v. John Doe, 2016 FCA 191, the Federal Court of Appeal noted that disclosures that are protected are those made under the Act. These would include a response to a personal information request. Section 74 does not necessarily apply to an action that is not based on the Act.

    Nevertheless, section 74 should not be taken to create an absolute immunity. Institutions should consult their own legal services for more information.

    Top of Page

    13.3 Jurisdiction of the Court pursuant to section 41

    Section 41 of the Act engages the Federal Court in review de novoFootnote 2 for refusals to disclose personal information pursuant to subsection 12(1) of the Act. In order for an individual to avail themselves of this right, section 41 requires that a complaint first be made and investigated by the Privacy Commissioner. This was reiterated in Cumming v. Canada (Royal Mounted Police), 2020 FC 271. As was noted in the Federal Court decision Connolly v. Canada Post Corporation (2000), 197 FTR 161, aff’d 2002 FCA 50, the only remedy that the Federal Court can order is found at sections 48 and 49 of the Act and consists of ordering disclosure where it has been refused contrary to the Act.

    Other decisions of the Federal Court with a similar conclusion include Murdoch v. Royal Canadian Mounted Police, 2005 FC 420, Lavigne v. Canada (Canadian Human Rights Commission), 2011 FC 290, Frezza v. Canada (National Defence), 2014 FC 32, and Canada (Public Safety and Emergency Preparedness) v. Gregory, 2021 FCA 33.

    Top of Page

    13.4 Inadmissibility of evidence given during the complaint process

    Subsection 34(3) of the Act provides that evidence given in the course of an investigation by an employee of a government institution or by any other person involved in the complaint is not admissible as evidence against the employee or person in a court or any other proceeding except in the following circumstances:

    • in a prosecution for an offence under section 131 of the Criminal Code (perjury) in respect of a statement made under the Act
    • in a prosecution for an offence under section 68 of the Act (obstruction)
    • in a review before the Federal Court under the Act, or in an appeal resulting from such review

    Although there is a presumption of truthfulness, employees can and will be called upon to demonstrate and justify their statements and evidence under oath in the above-mentioned circumstances. The institution’s legal services or other legal representation can help guide them through the proceedings.

    Evidence given in the course of an investigation by the Privacy Commissioner under the Act would not be admissible in any proceedings other than those listed above.

    Top of Page

  • Chapter 14 – Monitoring and Reporting

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    14.1 Annual Reports

    Section 72 of the Privacy Act (the Act) requires the head of every government institution to prepare an annual report on the administration of the Act within their institution during the period between April 1 of the preceding year and ending on March 31 of the current year. The report must be tabled before the Senate and the House of Commons on any of the first 15 days on which that House is sitting after September 1 of the year in which the report is prepared.

    Institutions must prepare separate and distinct annual reports for the Access to Information Act and for the Privacy Act in accordance with the instructions issued annually by the Access to Information Policy and Performance Division of the Treasury Board of Canada Secretariat (TBS) as per 4.2.32 of the Policy on Privacy Protection (the Policy). However, both reports may be filed under the same cover.

    Annual reports are intended to ensure accountability for the actions and decisions of institutions in their administration of the Act. All annual reports are referred to the permanent committee designated by Parliament to review the administration of the Act. Institutions may be invited to appear before the committee to explain their performance in responding to personal information requests.

    Institutions must provide an electronic copy of their annual report in both official languages to TBS and the Privacy Commissioner, as required by section 4.2.33 of the Policy.

    The information contained in the reports is included in an aggregate report prepared by TBS that provides a government‑wide perspective on the administration of the Access to Information Act and the Privacy Act.

    Under Sections 38 and 39 of the Act, the Privacy Commissioner of Canada also prepares an Annual Report to Parliament on the activities of their office during that financial year and may make special reports to Parliament.

    Top of Page

    14.2 Statistical Reports

    In addition, government institutions submit annual statistical reports on the administration of the Act and its supporting regulations to TBS. These statistical reports are also included in the annual report of the institution. Completed statistical reports (Form for the Statistical Report on the Access to Information Act (TBS/SCT 350-62) and Form for the Statistical Report on the Privacy Act (TBS/SCT 350-63)) must be included in each institution’s annual reports.

    Institutions must provide their statistical report with their annual report to TBS, as required by section 4.2.34 of the Policy.

    TBS establishes definitions and issues specific directions annually to institutions on how to compile the annual and statistical reports. Because of the unique experiences of institutions, no single format can serve the needs of all government institutions. Therefore, although the reporting requirements identified by TBS must be addressed, institutions may structure their annual and statistical reports as they deem appropriate and add information to reflect their particular accomplishments and challenges.

    To promote accessibility and transparency, institutions must publish their annual reports on their websites.

    Top of Page

    14.3 Monitoring Policy Compliance

    Heads of institutions or their delegates are responsible for monitoring the institution’s compliance with the Policy and its supporting instruments, as per 4.2.29 of the Policy and 4.1.37 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive). Should they determine that there is a policy compliance issue, they must take appropriate remedial action to address the issue, as per 4.2.30 of the Policy, and advise TBS of any significant issues on a timely basis, as per 4.2.31 of the Policy.

    Top of Page

    14.4 Monitoring for Frequently Requested Information

    While personal information requests should always be a means for an individual to access their personal information held by a government institution, there may be other avenues which could be made available to government program recipients. Heads of institution or their delegates are responsible for considering other means of making government information accessible. As per 4.2.28 of the Policy and 4.1.36 of the Directive, institutions should review the nature of requests received and assess the feasibility of making frequently requested types of information available by other means. This could include offering new client service portals or automated emails to applicants during the processing of applications. Effective communications could help to either reduce the number of personal information requests or refine the type of information that requesters seek.

    Top of Page

Page details

Date modified: